This last issue we had an article about diving into Gentoo, and the
response was great. What I'd like to see is some of you send us in some
more great 2c Tips!
about things that are specific to your
favorite distribution, with a neat little description that describes
why they're so handy.
People can spend hours surfing the man pages
or reading the "get started guide" in their boxed product - but we
all know that a lot of linuxers get started with a disc from friends
and some simple enthusiasm. So... let's Make Linux A Little More Fun
for them
I'd love to see an article describing how a company really got interested
in open source, a bit of the thought processes and internal changes that
went with looking at it, considering if it worked for them. I believe
such an article would be equally useful if it described why one didn't,
or did, take it on in various departments, and how much of it the company
was able to let in.
Obviously, how completely it worked out after implementation would be
great to hear about. We see occasional tidbits of this sort of thing
offered as "case studies" and so on, but rather few of them have more
than a sound byte here and there from anyone who really lived through the
changes, drove the meetings, pondered the legal entanglements and so on.
Contact articles@lists.linuxgazette.net if you've got something for us. Get whatever
internal approvals you need, and if you decide to make $company anonymous,
don't forget to sanitize tidbits like any IP addresses or partner companies
you mention, too.
I just stumbled across something interesting (to me, anyway), while
reading Groklaw. I had mentioned in a msg to TAG a while back that I was
getting an boot time error msg on this Inspiron:
"Dell Inspiron with broken BIOS detected. Refusing to enable the local
APIC."
That's with a 2.4 kernel. I had resigned myself to the fact that there
was a flaw in the BIOS, while wondering why they had never bothered to fix
such a problem in all of the BIOS revisions that Dell has issued for the
machine.
I've noticed that the error is absent when I boot from a recent 2.6
kernel, so figured that there was something relevant and long standing in
Linux ACPI support that had been fixed in 2.6 kernels. But now it seems
that the kernel developers may have just discovered how to deal with
Dell's (intentionally quirky) implementation of the standard. Actually,
the whole Groklaw post was interesting, so I'll include it here, but the
last paragraph is what my post is about. Note: the general theme of the
thread is about trying to buy a Dell with Linux pre-loaded. For more more
info see:
I was on a plane recently, sitting next to a guy who claimed to be a Dell
senior sales VP. I mentioned I had bypassed Dell for a purchase a week or
so before, because they don't support Linux. He acted surprised, and said
I should visit their web site. I told him I had visited the site (and saw
what PJ reported here); despite a claim to support Linux, it is almost
impossible to buy a Dell machine with Linux.
He continued to act surprised. I told him to visit his own website from a
customer POV and he'd see what I meant.
Don't trust Dell: they make nice machines, but they are on their knees for
Gates. I put Dell in the same category as HP (broken ACPI (nonstandard),
that they only tell Microsoft how to get around). 2+ years after Presario
release, they have still not fixed it.
I just read your article in Linux Gazette online on Installing Gentoo,
and thought I could help with a few of the problems you have experienced.
If OpenOffice did not compile, you could try openoffice-bin.
I'm not sure if I can help with package documentation. There is good
general documentation on how Gentoo-specific nuances work by following
the "Docs" link from the top of the home page.
We moved a handful of his - and other Gentoo using readers' tips - into
our 2c Tips section, so they're easier to search for. Thanks to everybody
who wrote in, especially those of you who don't see your name in lights;
many Tips were repeats, and we tried to take the best explanations.
-- Heather
I hope these suggestions help. I have found the Gentoo documentation and
the Forums to be infinitely helpful. Now this former Windows advocate
compiles his own kernel on a regular basis including software RAID and
bootsplash tweaks. It's addicting!
Some tips, too, but go see the 2c tips section for that.
-- Heather
Whenever there's a problem, I've almost always found the answer by
searching forums.gentoo.org - even though the search feature in phpBB does
not work very well, when there's so many posts as in this case. I've
written a small and easy howto, about how they could make it indexable by
google (see http://klavsen.info/simpleurls ) but they haven't picked it
up, even though I've written it to gentoo-dev. This unfortunatley means
the forums, which are a true treasure of knowledge, goes unknown to many
If the problem isn't solved by searching/posting to forums, a post to
bugs.gentoo.org usually quickly resolves it (if it's a bug ofcourse, but
it you don't get an answer in the forums, it most usually is
All in all, a very important part of Gentoo, is the fact that besides, the
great documentation, there's so many competent users in the forums and on
the mailinglists, so getting help finding a solution (and learning a lot
in the process) seems almost inevitable (if ones open for learning -
Gentoo is IMHO not minded for people who does not want to learn how things
really work - but just want something that "just works").
By using Gentoo I've learned a lot, that I can make good use of, with
other distributions as well, so it is a good learning experience, not only
in Gentoo - but also with Linux. This same thing is why the
forums.gentoo.org should be google indexed, as the knowledge does not only
apply to Gentoo.
--
Regards,
Klavs Klavsen, GSEC
"Open Source Software - Sometimes you get more than you paid for."
Just saw your article on Gentoo Installation, by coincidence, just as I was in the process of giving up on my own install of Gentoo. Been working on it off and on all day, finally got the kernel compiled. Yeah, I did it manually. Think I got it right, although the manual does not look the kernel config I was running. Wonder why? (the latest .4 kernel, r9, just downloaded today.)
Then I noted that loading some of the kernel packages like the Nvidia packages may well drag in stuff I wanted excluded in the USE variable, so I should use the pretend option to see what might possibly go wrong. This made me feel dizzy, even dizzier as I looked at what still lies ahead. In my present ill-tempered state, I feel like making the snide remark that so far I have not done anything far as I can tell that a good installation script could not do.
Guess I'll go get something to eat, replenish my blood sugar, and then think about it. I am learning quite a lot ... probably good for me ... but ... what keeps occurring to me is, since I am doing all this the long way around, why am I not installing FreeBSD instead? Keeping in mind that I am starving and the question may not be rational:
Eh ... not putting you on the spot ... but in a sentence or two, why would I want to run Gentoo instead of FreeBSD, nevermind that one is Linux and one is Berkeley UNIX. And both Gentoo and FreeBSD seem to have outstandingly brilliant groups of people supporting them. Just curious.
And don't ask if I'm a man or a mouse! "Got any cheese, sir? Squeak! Squeak!"
Thanks for the counterpoint view, William. There's lots of people, and no need to do things just one way. For that matter ... this may be Linux Gazette, but those BSDers are fellow open source'rers too. (If this makes you wonder where their magazine is, dear readers, it's called DaemonNews - http://ezine.daemonnews.org and it's a good read.)
-- Heather
Thanks for the article on tripwire in Linux Gazette.
Hi Greg,
First of all, thanks for the feedback. It's always good to know someone
is reading the articles!
A fun and informative chat back and forth ensues... see this month's
Answer Gang column for the juicy bits.
-- Heather
Would you have any objections if I forwarded your e-mail and my
response onto TAG (The Answer Gang)? Heather and the other editors use
material from TAG to put together the one-cent tips, mailbag, etc.
It's perfectly fine to say no.
Thanks again for the feedback,
no objections.
thanks again for the dialog.
We're very pleased you said yes, Greg. Thanks bunches!
-- Heather
This page edited and maintained by the Editors of Linux Gazette HTML script maintained by Heather Stern of Starshine Technical Services, http://www.starshine.org/
Then in Yast2 select "Install and Remove Software". The package selections
will now have been updated to include all the packages in the updated kde.
The packages for which a newer version than the one you have installed will
appear in either red or blue (I can't remember which).
Select the packages you want to upgrade (no 'upgrade everything' button
available I'm afraid). Let Yast2 sort out package dependencies for you and
off you go.
Yast2 will then download, install and configure all the packages for you.
Bit like the extremely good apt that is available on Debian. apt4rpm is also
available for SuSE if you'd rather have that flexibility.
If the download site is too slow an alternative one can be selected. Go to
suse's site and find the list of ftp servers and choose an alternative.
All the best,
Jethro Cramp
Thanks! That's a piece of info I've been missing. I've been told that
you can do it directly inside Yast, but couldn't figure out how. I'm
going to forward your tip to the Answer Gang, so everybody can benefit.
Gentoo must have other users who commented on the "packages.debian.org"
web page, because Gentoo adopted the same thing a couple of months ago.
http://packages.gentoo.org is a similar page where you can find lots of
info including searching by category or name.
[Frodo]
but I am the first to admit, it is not nearly as powerful as the Debian site.
[Robert Krig]
There is a link to this on the main page. Although it is easily
overlooked.
If you want to know what version of a package you have installed, just
open a terminal, and type
emerge -pv packagename
The -p tells portage to pretend to emerge and the -v tells it to be
verbose about it. In effect this will show you the package version it
would like to install, and next to it in brackets it will show which
version of the package you currently have installed. It should also show
you any dependencies that need to be upgraded in case there is a newer
version. And of course the -v option will show you possible use flags.
Thanks to everybody who wrote in with this one
-- Heather
This will search for anything with "packagename" in its packagename,
i.e. emerge -s mozilla
would list mozilla, mozilla-bin, mozilla-thunderbird, mozilla-firefox,
etc. You get the picture.
emerge -S packagename
will search the descriptions for the word specified, however this tends
to take quite a while.
Gentoo's package query tools (equery and qpkg) aren't complete.
They'll list the files a package contains but several other
features are marked "not implemented". There didn't seem to be
a way to quickly see which version of a package is installed:
something equivalent to "rpm PACKAGE" or "dpkg -l PACKAGE".
"emerge search PACKAGE" does it, but it takes several seconds,
and you have to page through other information and entries for
any other packages the substring matches.
You might want to emerge app-portage/esearch - it provides about the
same functionality as emerge search, but uses a search-index, which
makes it a lot faster. (Of course, the index has to be built, which
takes time, but can be done with a cronjob.)
If you are used to rpm - you can use the tool epm which emulates rpm's
features. To list all packages installed (incl. versionnr.) do epm -qa. to
list info of one package - do epm -qi packagename etc. etc. It even does
the epm -V (verify md5sum etc. from install-time is still the same - ie. a
"small intrusion detection" tool).
As far nvidia gfx cards are concerned, seems for some it works without a
hitch, for others there seem to be problems. Although it seems to me
that proportionally many more users have no trouble with nvidia cards
than the ones that do.
Just a few pointers about nvidia cards under gentoo:
Whenever you recompile your kernel, you need to re-emerge
nvidia-kernel AND nvidia-glx
you should then also always run
opengl-update nvidia
Also in the /etc/X11/xorg.conf file, in the "Device" section, the driver
is called "nvidia" and not "nv".
Xorg's nvidia driver is used if you define it as "nv", nvidia's binary
driver is used if you define it as "nvidia".
Also, if you are using a 2.6 kernel, make sure that you dont have "4k
stacks" option active. I think its somewhere in the basic kernel config.
The default should be 8k stacks, and the nvidia drivers dont work well
if at all with 4k stacks. This info should be displayed at the end of
emerge nvidia-kernel.
On a little side note, ever since I've switched from xfree86 to xorg and
from kernel 2.4 to 2.6.8, my framerate in Quake3 Urban Terror has
increased by 20+-30+fps.
Dont know if your a gamer, but I thought that was pretty cool.
As far as samba problems are concerned, have you tried using
LinNeighborhood? Using that program, I have no problems mounting windows
shares.
emerge LinNeighborhood
You mentioned that when you mount a samba share, then you are denied
access. Have you tried accessing them as root? Still, in case you havent
yet, try LinNeighborhood.
I have read somewhere that Window's samba implementation can be screwey
depending on which version of windows it is. Some like scrambled
passwords, some dont. I'm sure you can find more info on the net.
Windows 95 didn't even have the ability to encrypt its passwords, later 98 insisted on it (and wouldn't work without, unless you applied a patch to it). With other mswin versions your mileage may vary. "lanman compatibility" seemed to mean "mention the password twice on the wire, the really old way and whatever new way du jour" - so I recommend any mswin admins out there try to avoid that, you lose enough bandwidth as it is, and it doesn't really help samba any.
-- Heather
A note on genkernel. It can be very screwey depending on your setup.
genkernel --menuconfig all
this command will allow you to make modifcations to the default
genkernel setup. Although I would still recommend to everyone to
compile your own kernel.
Building your own optimal kernel is not only a good way to learn more about linux but boot time usually feels a lot faster with generic support for things you don't even own left out entirely - since it never gets probed for anymore. Surely both knowledge and speed are a Good Thing for gentoo fans
-- Heather
By the way.
It is not recommended to blindly issue the "update all" portage command.
Sometimes new stuff, can break some old stuff, and there have been
plenty of cases where people simply did a emerge -u -deep world
and found their system not working anymore.
I find that the best way to update your system is to do a
emerge -upv -deep world.
This will show me which packages COULD be updated and then I just
manually upgrade from there. Very handy if for example a newer version
of an app has been ported from gtk to gtk2 or to qt or whatever, and you
dont want to compile all this extra stuff.
Secondly, often enough when you update any packages, portage will tell
you that you need to run etc-update in order to update the config files.
Be VERY careful here as well. Since 90% of the time the only change to
config file is to label it as "version x.x.x".
However the process if not done carefully, will overwrite to specific
config file with defaults.
etc-update offers you options to manually select inside the file, what
can be removed and what not, but its quite confusing to read. I would
suggest, when it comes to etc-update, certain config files can be
overwritten no problem, e.g. all the ones that you havent changed in any
way. But always keep a current backup of all the configs that you
edited. e.g. make.conf, smb.conf, rc.conf, lilo.conf, etc.
I usually make copies, let etc-update overwrite them, and then manually
copy+paste relevant stuff back into the new file.
I'm sure there is a much better way to do this, and I recall that I read
something about that in the forums.
Either way, just letting you know to take care when etc-updating.
But then again, I think its always wise not to blindly update everything
as soon as it comes out. Unless its a much needed security fix.
Mike, in your article.
You mentioned that the day before your install, KDE3.3 came out and it
was still in the "masked" section.
Just to clear things up. Masked, does not automatically mean unstable,
it also means "testing". More often than not apps in "masked" simply
havent been tested enough. Doesnt have to mean that this package will
definately fail to build or even crash once you use it.
However sometimes you need to use an obscure app which hasn't been
included in portage until recently, and the only version available is
masked. Although sometimes it can happen that a dependancy required by
the app is still masked.
Usually I would say, stick to the main portage tree as much as you can.
Recompiling small apps, once theyre moved from "masked" to "stable"
shouldn't be too big of a deal.
Using distcc is actually quite easy - one just has to ensure that if
you use f.ex. hardened (stack smashing protection and friends) your gcc on
all distcc machines (can even be a windows machine some of them) has to
have the same abilities. You can even use distcc to do all the compiling
on another machine, if you are installing on an older machine, it
sometimes makes most sense to let someone else do the hard work
The /etc/portage/package.mask package.unmask package.use and
package.keywords files you really should know about - they are great tools
to make portage do exactly what you want. Say you thrust that newest
releases of kde is stable enough for you to use (you can have several
versions installed - so you can just select the on you want to use
globally in /etc/rc.conf) you just add the kde packages to the
package.keywords files. A search in the forums, will show you exactly what
format to use
Later, after you've installed X, you simply "emerge links"
again, and it will rebuild itself with the X support.
I realize you are using an example where you only temporarily set $USE,
but it might be worth noting that one can also set specific options for
separate packages, in a more permanent way, using
/etc/portage/package.use.
Some other interesting files in that directory are package.mask,
package.unmask and package.keywords. The last one is, btw, the preferred
way to add experimental packages, while running stable mostly.
The best way to implement a package differently than the package
maintainer intended is to create a local overlay of the portage tree.
This should be is the docs, but here's my quick notes:
Uncomment the "PORTAGE_OVERLAY" option in /etc/make.conf
mkdir -p /usr/local/portage/dev-php/php/files
Copy /usr/portage/dev-php/php/php/php-<version>.ebuild to /usr/local/portage/dev-php/php - I suggest changing the build version or release number to identify your version
Tweak the ebuild file
Run 'ebuild /usr/local/portage/dev-php/php/php-<version>.ebuild digest'
Now, if you use "emerge -pv php" you should see your build and a
notation that the ebuild is coming from the /usr/local/portage overlay
location. The biggest problem with all this is that now you are a
package maintainer but it's on your local system. Keeping your changes
in sync with new ebuilds from Portage can be a hassle. It's a good idea
to request a new USE flag for your desired ./configure arguments in
http://bugs.gentoo.org and let the official package maintainer worry
about it going forward.
Using distcc is actually quite easy - one just has to ensure that if
you use f.ex. hardened (stack smashing protection and friends) your gcc on
all distcc machines (can even be a windows machine some of them) has to
have the same abilities. You can even use distcc to do all the compiling
on another machine, if you are installing on an older machine, it
sometimes makes most sense to let someone else do the hard work
Another Gentoo tidbit - revised boot ISO available
I'd seen people with problems a couple of times recently, but had no answer
to the problem of non-booting but "good" (as in MD5SUM) images. It appears
that the Gentoo folks came up with a possible solution, and did a respin of
the 2004-2 minimal install ISO that was "rebuilt to solve the problem of
certain buggy BIOS versions not booting the Minimal LiveCD."
If people write in with similar problems installing from the small Gentoo
ISO images, we could do worse than point them in the direction of the
revised image. Here's a link to such on one of the mirrors:
This is a ugly hack that I am using to search the google from command
line. Any decent Python programmer would be able to make it much better.
You need to have Pygoogle (http://pygoogle.sourceforge.net) module
installed. In its unaltered form, the script will require Python2.3 to
run. However, if you remove the #--ugly hack part (see the comments in
the code), it will run with Python2.2 too.
#!/usr/bin/python2.3
import google,sys,codecs
from sgmllib import SGMLParser
# HTML Stripper class to strip out html from the google search
# returned. shamelessly copy pasted from
# http://mail.python.org/pipermail/tutor/2002-September/017573.html
class HTMLStripper(SGMLParser):
def __init__(self):
SGMLParser.__init__(self)
self._text = []
def handle_data(self, data):
self._text.append(data)
def read_text(self):
return ".join(self._text)"
def strip_html(text):
stripper = HTMLStripper()
stripper.feed(text)
return stripper.read_text()
print "Searching the World Live Web "
google.setLicense('your google key') # must get your own key from
http://www.google.com/apis/ -> free but requires registration
n_show_results = 10 #change the number of search results that are shown
from here
codecs.register_error('xml', codecs.xmlcharrefreplace_errors)
search_str = ""
for i in range(1,len(sys.argv)):
search_str = search_str + " " + sys.argv[i]
print "Searching for " ,search_str
data = google.doGoogleSearch(search_str,0,n_show_results)
print 'Search took %f time and I found a total of %d results\n' % \
(data.meta.searchTime, data.meta.estimatedTotalResultsCount)
for result in data.results:
# if you are going to call this script from within emacs, replace
# this part with the code within the #begin hack -- #end hack code
print 'Title\t:', strip_html(result.title)
print 'URL\t:', result.URL
print
#-- begin hack
# if you want to call this script from within emacs, then you have
#to put in this ugly hack. Other wise emacs will stop with an
#error message "UnicodeEncodeError: 'ascii' codec can't encode
#character u'\xfc' in position 1: ordinal not in range(128)"
# see http://www.informit.com/articles/article.asp?p=31272&seqNum=5
# to know why this ugly hack is needed
## temp = result.title
## in_tuple=codecs.getencoder('ASCII')(temp, 'xml')
## in_str = str(in_tuple)
## print 'Title\t:', strip_html(in_str)
## print 'URL\t:', result.URL
## print
#-- end hack
print "\n "
Raj Shekhar
System Administrator, programmer and slacker
I read your article on upgrading to kde 3.3 today. The reason I'm mailing you is because I'm one of the developers for Superkaramba. I noticed your article mentioned that the Superkaramba widgets are "always on top". This has been resolved in the latest release, 0.34, and in CVS, with our pending release of 0.35. You would need to recompile for KDE 3.3, as the code needed for the two versions are different and detect your version upon compilation.
This page edited and maintained by the Editors of Linux Gazette HTML script maintained by Heather Stern of Starshine Technical Services, http://www.starshine.org/
The Answer Gang
Linux Gazette 107: The Answer Gang (TWDT)The Answer Gang 107:
...making Linux just a little more fun!
The Answer Gang By Jim Dennis, Karl-Heinz Herrmann, Breen, Chris, and...
(meet the Gang) ...
the Editors of Linux Gazette...
and
You!
We have guidelines for asking and answering questions. Linux questions only, please.
We make no guarantees about answers, but you can be anonymous on request. See also: The Answer Gang's
Knowledge Base
and the LGSearch Engine
Greetings, everyone, and welcome once again to the world of The Answer
Gang.
I had plans for this month on a wonderful blurb about the nature of advocacy
in the linux world.... by which I really mean, not just how you get one person
here or there introduced to the time of their life and being in more control of
their personal computer than they ever had before with The Beast From Redmond,
but how you generally behave so as not to make the average person who is willing
to chat computers because "hey you look like a techie, I was wondering...?"
think "gawd, I don't want to be like or deal with these kind of people, Linux
must make them crazy."
Yet I find it's just as important to consider how to behave inside your local
user group. New people drop into these places. Do they see a batch of people
having a great time yakking about xine versus mplayer and whether nvidia frame
rates make you dizzy now that you've installed the driver? Or do they see
people playing "my distro's better than yours" games that rival the recent
political "debates" and make everyone look like control freaks? They look
at whatever they find, and sure, they're going to ask their questions about
the lil' penguin and his OS, but they are also thinking to themselves, is this
going to be fun for me?
This is October, and in past years there's been tons of fuss on "Halloween"
documents. Leaks and spooky measures to rival the cigar filled rooms
cough cough of an earlier era. What sort of light
does this put on us? I'd rather see Tux as the defender of freedom than the
whisperer among spooks. But people are spooked by all sorts of things these
days.
Be good to each other, people. Have a good month.
I love Linux
From Jason Creighton
Answered By: Thomas Adam, Ben Okopnik
I wanted a photo off my parent's digital camera. They have Windows ME. I
don't know if ME's USB support is seriously flaky or what, but only one
USB device has even worked consistently with that computer (a scanner).
Windows was hanging on me, not working, making me mad and in general
doing the things it's good at.
Enter Linux. I install libusb, libgphoto2, and gphoto2. I compile the
usbcore module[1], and then try to use gphoto2. It can't see the camera.
I fiddle with things awhile, and it "doesn't work".
Had I read Crux's (my distro) README for libusb more carefully, I would
have seen I need usbfs. Enable that option, recompile the kernel
modules, install 'em, modprobe, and IT WORKS! I can download photos, and
it just works. No need to use some stupid kludged-up vender-enforced
GUI.
[Ben]
Wow, nice. Took me several net searches and a good bit of luck - I ran
across exactly one discussion of this, but it was exactly what I
needed, including the fine details. This was, in fact, the first time I
ever got a USB-to-camera connection to work with Linux (not that I'd
tried a whole lot of times previously, but it was once or twice at least
over a couple of years.) I'd never seen any standard documentation for
it, and kudos to the Crux folks for writing it.
I love Linux.
[1] I have an uptime of 35 days, which is the longest I've managed to
get between me wanting to try new kernels, the efforts of the power
company and well-meaning family members.
So I really didn't want to compile a new kernel and have to reboot. So I
just added the usb kernel module to my kernel config, did a "make
modules && make modules_install"[2] and modprobe'd the modules into the
running kernel, which is the same version and was built from the same
source-tree[3]. Is that a good idea? I mean, everything appears to
work fine, but will enabling a module ever require you to rebuild the
kernel itself?
[Thomas]
No, not unless the module relies on an option that you need to statically
compile into the kernel and have not already done so -- an isolated case, so
you should be fine.
As to whether it is a good idea, module loading works by looking at the
module's symbol information, which matches the version of your current running
kernel. If the version of the module is the same as `uname -r`, then it will
load quite happily, whether it was compiled at the same time as the kernel or
ten months afterwards.
But what also happens is that the compiler versions that were used to compile
the kernel, and the new modules have to match exactly. If they don't, then
loading the module(s) simply will not work.
[Ben]
Since you specified "ever", the answer is "yes". But far from always.
If, for example, you were to enable the entire Ethernet category (which
had been disabled in the last compile), build some driver modules, and
attempt to laod them, I can just about guarantee failure; the running
kernel would be missing the "hooks" for the whole Ethernet category.
However, if the category had been enabled previously and you just added
a specific card driver to the ones that you'd compiled previously,
chances are high that you wouldn't need to reboot. Either way, there's
no harm in trying; in the worst case, you'll get a whole bunch of
"Undefined symbol" messages when you try to load the module.
[2] It occurs to me as I write this that I could have typed
"make modules modules_install" but oh well.
[Ben]
Yup. Note that with 2.5 and above, there's no need to do "modules"; it's
part of "make". My preference, if I was going to do the above, is to go
ahead and run "make", then "make modules_install install"; that way, if
the module does fail to load, all I do is "sudo reboot".
[3] Correct term? I mean, I extracted the linux-2.4.20 tarball to
/usr/src, and I built these modules from that as well as the kernel I'm
running now.
[Thomas]
Correct term. You should also run 'depmod -a' after the modules_install part
so that the kernel knows of their existence properly.
Reading/writing large buffers to Fibre Channel
From Jimen Ching
Answered By: Jimmy O'Regan
Hi TAG,
I have a problem of reading and writing very large (4MB) buffers to a disk
via Fibre Channel. Fibre Channel works best when you send large amounts
of data over the wire (light).
I've done google searches and found approaches like O_DIRECT and mmap.
Mmap doesn't sound like what I'm looking for, because it still uses the
buffer cache. And with 4MB of data, I don't want the extra copy. Also, I
won't be reading the data back from the disk. So the buffer cache doesn't
buy me anything...
The O_DIRECT approach sounds better. But it requires aligned buffers, and
some people say the throughput is worst than non-O_DIRECT. My target
throughput is 95MB/s. This shouldn't be a problem for the hardware since
I'm using the CompactPCI bus and SCSI RAID over Fibre Channel with
theoretical throughput of 150MB/s. The aligned buffers issue is only a
problem because of the file header that I must prefix to the 4MB raw data.
It would be preferable if I didn't have to align my buffers. But I can
work around it if it is absolutely necessary.
I've done some basic benchmarks using regular fopen/fread/fwrite, and I'm
only getting 50MB/s with ext3fs. This is half the throughput I need and
1/3th the theoretical throughput of the hardware. So I was wondering if
your team has come across any ideas on how to solve this problem. Note,
I'm not setting any special options. So this benchmark is just the
baseline. I'm looking for ways to optimize the reading and writing of
this 4MB data buffer.
[Jimmy]
If you have enough RAM, try using a ramdisk - create a filesystem as
usual, but on one of the ramdisk devices - /dev/ram* or /dev/rd/*
The ramdisk will be 4M by default, but if you have it compiled as a
module you can specify the size as an option to insmod:
insmod rd rd_size=20000
(which sets it as 20M) or as an option in /etc/conf.modules
options rd rd_size=20000
[Thomas] Note that it used to be the case that /etc/conf.modules was synmlinked to
/etc/modules.conf . On many systems this is not usually the case anymore, and
so /etc/modules.conf is generally the prefered location.
[Jimmy]
If your ramdisk support is compiled into the kernel, you'll need to set
the size at boot. You can append the option (in LILO, or as a boot
option) like this:
ramdisk_size=20000
I'm not sure I understand the answer. Or maybe I didn't explain my
question clearly.
[Jimmy]
No, I the misunderstanding was on my part. I was simply answering this:
"I'm looking for ways to optimize the reading and writing of
this 4MB data buffer."
I want to write raw data to a disk via Fibre Channel. Each block of raw
data is 4MB large. I need to write 95MB/s of data for about half an hour
or so. 95MB/s, at 60 sec per minute, and 30 minutes equals 171Gig.
I guess I could put one second worth of raw data into ramdisk, and do a
copy to the Fibre Channel SCSI RAID. Then write the next second of raw
data to another ramdisk and switch back-and-forth. But I'm not sure if a
cp is any faster than a fwrite. Is this what you're suggesting?
[Jimmy]
No, I was placing more importance on the step where you add a file
header to the data in the buffer.
Going by this: http://linuxgazette.net/102/piszcz.html you'd be much
better off accessing the disk as ext2 instead of ext3 - the journal is
probably what's slowing you down.
cannot talk using "talk"
From Sanjib Roy
Answered By: Thomas Adam
how can i set up talk facility in my lan ( 1 server 9 clients with dns)
when i want to talk to my server talk display folloing mesg
remote host does not recognize us
[Thomas]
Well... can you possibly start over and explain things in more detail? Only
what you have provided is very little to go on, not to metion I am having to
now make guesses as to what you're using...
The "talk" command is/was used initially by BSD to allow users on a LAN to
talk to one another. But what you also need is talkd -- which is the remote
user authentication tool. "Talkd" has to be spawned from inetd if it is to
work, this something like the following [1]:
(note that of you are using RH/Fedora, the chances are you're using xinetd).
Then all you do is connect, using 'talk' (man pages help here).
One thing you should also know is that 'talk' is rather limited, and as such
lots of alternatives exist. I'll name drop, although most are an enhancement
on BSD-talk:
utalk
ytalk
etalk (emacs)
gtalk (GTK front-end)
but when i want to talk from one client to another client no connect is
made
[Thomas]
You need to be much more precise here. What errors are you getting? You don't
even say which distribution you're using. Before you reply to this, as I hope
you will, read the following:
[Thomas]
Sorry, but when you start demanding, my patience decreases. Don't do it. We
owe you nothing. I'm sure you mean well, but it doesn't come across as very
good when you think that you should be placed above all others for help. I
treat everyone with the same level of help, regardless of their 'issue'.
[1] This is from memory and so is possibly inaccurate. Either way, the entries
may well already be installed into the file: /etc/inetd.conf - and if no such
entries exist, those lines should be added to this file.
Tripwire
From Greg Bell
Answered By Barry
[Heather] An honorary answerbubble for Greg Bell. Good stuff here, and thanks to
article auther Barry O'Donovan for forwarding the thread to us.
One thing that
I've been suspicious of with tripwire is: if the hacker is "in",
aren't there all sorts of things he can do to neuter tripwire?
To save an argument I could simple say yes... but I won't! First of
all, running tripwire (or another intrusion detection system (IDS)) is
immeasurably better than running no IDS at all.
thanks for the dialog. no arguments here, although my counter-points
to your points may appear argumentative
a lot of things that seem burdensome for a hacker to do can be
wrapped up nicely in a script and bam - 1000s of intruders now have
the capability.
These scripts usually take advantage of an existing exploit to place a
root kit, backdoor, etc. If your tripwire set-up is unique (i.e. place
the tripwire binary somewhere besides the defualt, use a different
configuration file name and directory, place the db on a floppy, remote
site, etc) then the script won't affect tripwire or if it does it'll be
immediately noticed. Most of these scipt-kiddies go for the "easy hack"
- the poor fools who take no preventative measures. There's so many of
these guys that the script-kiddies are unlikely to invest the time in
created a "be-all and end-all" script to do everything including
disable tripwire in a way that it's not noticed.
He can
remove the cron/anacron job, and send you fake mail every day saying
everything checked "OK".
That's a lot more difficult than it sounds. First of all, he'd need to
know what the usual "all is okay e-mail" looks like for YOUR system.
When you're running tripwire and checking the e-mails you'll get used
to seeing and recognising a lot of numbers such as the total objects
scanned, etc. If you're sending these daily e-mails to another server
then he won't have access to an existing report and he won't be able to
view the saved report files in /var/lib/tripwire without your passphrase.
i am admittedly paranoid about this sort of thing, thanks to reading
about how clever these guys can be, and how it seems to be a
never-ending escalation and arms race (leading towards EVERYTHING
being encrypted, and EVERYTHING being authenticated with biometrics).
a lot of things that seem burdensome for a hacker to do can be wrapped
up nicely in a script and bam - 1000s of intruders now have the
capability.
Secondly whether you're running tripwire on a server or a desktop
machine, you're liable to have to update at least one package at least
once a week. When you do this you'll expect a problem from tripwire and
if he's sending fake e-mails you'll start to question whther tripwire
is working or not.
some things i think would be appropriate for tripwire to watch would be
/etc/passwd and /etc/crontab - two things that can change often, but
that are also prime candidates for a hacker to change.
Most distributions default tripwire config will check these - especially
passwd. If it doesn't, then ammend the policy file so that it does.
so it seems to
me than whenever one of these needs to be changed, you've got to run
tripwire on the file to make sure its unchanged, unplug your net
connection, change it, update tripwire, reconnect to the net. sounds
bizarre but its not improbably that in the hours between your update
and tripwire's next run, a break-in occurs, changing the same file.
Again, it's all a matter of just how paranoid you are or how far you're
willing to go.
he can replace the tripwire binary itself.
Tripwire checks itself too! The stats for the tripwire binary will
reside in the database which an intruder cannot change unless he has
your local passphrase. I suppose an intruder could replace the binary
with one that's programmed to not check itself but if you're really
this paranoid you can put the binary on a remote HTTP server and have
your cronjob download it with wget before checking.
the "in" hacker would just disable the wget and have the local one be
used.
He'd also have to asscertain that you use wget to download a fresh
binary and simulate the output from your wget cronjob so you wouldn't
miss it.
Some servers will mount /usr as read-only to increase access speeds and
security. This would help out here too.
if he's got root, he can just remount r/w.
he can update the database
He can't. He'll have to have your local passphrase to do this.
which an "in" hacker can get with a keycatcher.
But he'd probably have been spotted by a run of tripwire before hand as
you'd need a reason to input your tripwire passphrase.
(especially if its on a CD-RW like you suggest).
I never said leave the CD-RW in a CD-RW drive. I said "a
re-writable CD in a CD-ROM drive (read-only drive)." i.e. only place
the CD in the CD-RW drive when updating, then put it back in the CD-ROM
drive.
got it. smart.
The bottom line is that tripwire will probably catch an intruder 99 out
of a 100 times. If not more. You'll NEVER be 100% secure. That's just a
simple fact of life. But you can strive to be as secure as possible and
using tripwire will be a huge help here.
absolutely.
seems to me we might be moving towards a world where an off-site system
does the security check for a particular machine - sort of a checks and
balances setup. it would host the tripwire binaries, database,
signatures, etc. and while its there, it should receive the mails from
tripwire, as well as host the syslog remotely. even so, rootkit
hunters would still have to be run on the secure machine, and some
amount of manual checking would have to be done to make sure any
number of checks hadn't been faked or disabled.
Submitters, send your News Bytes items in
PLAIN TEXT
format. Other formats may be rejected without reading. You have been
warned! A one- or two-paragraph summary plus URL gets you a better
announcement than an entire press release. Submit items to
bytes@lists.linuxgazette.net
Legislation and More Legislation
Patents
Patents are a recurring theme here, and there is a lot of good commentary on the net related to this topic.
A recent development that has stirred some further debate is the release of a report by
Open Source Risk Management outlining their reading of the patent
issues surrounding Free and Open Source Software. OSRM has a business model built around selling legal support and
indemnification to clients in the Open Source community.
Some criticism of the report has focused on the
potential it has to create feelings of uncertainty among businesses operating in this arena. While this is a valid concern,
it is not a reason to avoid discussion of these matters. Indeed, as pointed out in Linux Weekly News,
these matters of patents and possible infringements
affect proprietary software developers just as much as open source software developers.
A useful
article at O'Reilly's linux devcenter gives a good overview of some of the issues raised by the report,
and also includes responses from OSRM's Dan Ravicher to some of the criticisms and queries prompted by his work.
One way or another, discussion and debate around this issue is a good thing.
Voting
LinuxWorld.com.au has
reported on the fortunes of Free software in the implementation of Australian e-voting.
Encouragingly, the initial system implemented was released under the GPL, however Software Improvements, the company
behind the software, has decided to release future versions under a more restrictive licence that will only
allow officials to view the code. This is particularly disheartening since the Australian Capital Territory Electoral commission
had ordered that the software be open source. To see the deal reneged on (in spirit if not in the legal sense)
is a setback for open source software, and for
e-voting in general.
Two Degrees of Freedom,
George and Freeman Dyson at OSCON 2004. Discussion includes
biotechnology, physics, the fate of the universe, and the value of
physical tinkering.
Custom Email Queries
for handling the diverse data and file-types that turn up in your
inbox.
The OpenCD project has
announced the availability of TheOpenCD v1.4.1,
a special edition for Software Freedom Day 2004 (August
28th).
TheOpenCD is a collection of Free and Open Source software for Windows,
and it is a good way to introduce Windows users to the world of Free
software. As well as TheOpenCD, the Software Freedom Pack to be
distributed on SFD will include a remastered Knoppix live CD aimed at a
non-Linux using audience.
Distro News
Kanotix
Kanotix is a live GNU/Linux CD based
on Knoppix and Debian, and using mostly pure Debian/sid. Since it's a
live CD, it is easy to try out without risk. Linux.com has recently
reviewed the distribution.
SuSE
SuSE has
announced the launch
of SuSE Linux Enterprise Server (SLES) 9, based on the new Linux 2.6
kernel.
Support for free and open mediatypes, e.g. Ogg Vorbis/Theora, H261
Mozilla browser plug-in
RTSP streaming
Real Player 10 for Linux adds the following features:
RealAudio 10 / RealVideo 10
MP3, Flash playback
More robust RTSP via RDT
LTSP
The Linux Terminal Server Project has announced the release of
LTSP 4.1.
It includes the following:
New installer 'ltspadmin'. This new installer makes it much easier for us to update packages, and for you to install them. The installer will know which version of the packages you have installed, and it will query the package repository to see if there are updates available.
Change from XFree86 to Xorg. LTSP is now using the Xservers and libraries from the Xorg project, rather than the XFree86 project.
Local CD-Rom and Floppy support. Using Supermount and Samba on the client, and the auto-mounter on the server, we can now make the CD-Rom and floppy drives available to the users.
Sound support with esd and nasd. The client-side sound daemons are now included for esound and nasd.
snmpd agent. We now have an snmpd agent on the client. You just need to enable it in lts.conf, with the following entries:
New kernel, based on 2.4.26. Also, the kernel is now installed via the ltspadmin utility, as part of the ltsp installation procedure.
Originally hailing from Ireland, Michael is currently living in Baden,
Switzerland. There he works with ABB Corporate Research as a
Marie-Curie fellow, developing software for the simulation and design
of electrical power-systems equipment.
Before this, Michael worked as a lecturer in the Department of
Mechanical Engineering, University College Dublin; the same
institution that awarded him his PhD. The topic of this PhD research
was the use of Lamb waves in nondestructive testing. GNU/Linux has
been very useful in his past work, and Michael has a strong interest
in applying free software solutions to other problems in engineering.
Knoppix with 2.6.7 kernel from non-bootable CD-ROM
You want to start Knoppix and your CD-ROM cannot boot either for
technical or administrative reasons. You can try to start the
Knoppix CD from a floppy drive. For that you need a Knoppix boot
diskette.
The recent Knoppix 3.4 of May 2004 relies on kernel 2.4.x but has
kernel 2.6.6 as an option. Likewise, Knoppix 3.7 of August 20 has the
2.6.7 kernel as an option. This last release is - for the time being -
only available in Germany as a CD from a computer magazine. However,
a general release, possibly with kernel 2.6.8, is coming and so it is
sensible to refer to the new kernel because its size is growing and
growing and causing diskette distress.
We will refer to the new Knoppix kernel as knoppix26 using the same
name as in the CD boot configuration. Unfortunately, knoppix26 does
not boot from one diskette, it needs two.
When running, knoppix26 has a script in
/KNOPPPIX/usr/sbin/mkbootfloppy
that does make these two floppies - despite the singular
name. However, the diskettes so generated depend on the kernel in
use. If you want them in order to be able to boot 2.6.x, you have
to write them while running 2.6.x - which is a bit of a catch-22.
Modifying the script is catch-22 again since the script is not
directly accessible on the Knoppix distribution CD and becomes only
readable when Knoppix is running. It can be found on the web in
editable form but making sensible use of it will be more laborious
than the advice found in this article, especially in respect to
kernel 2.6.7 which does not fit on a 1.4M diskette at all.
So if your CD-ROM will not boot, how are you going to boot
knoppix26 from the floppy drive?
Pre-requisite
You must have some familiarity with syslinux. Fortunately, it
can be acquired on the fly, check http://syslinux.zytor.com.
Both of them can create a boot diskette that starts a (bootable)
CD even if the CD-ROM is unable to boot. In the particular case of
the Knoppix CD, the good news is that they both will boot it from a
non-bootable CD-ROM.
This is your friend if you want to minimize preliminary work.
Unfortunately, if you are not installing Knoppix to hard disk, you
may end up doing quite a lot of typing at the command line every
time you boot.
[Please do not misunderstand the remark above as a criticism of
the two boot loaders. They come in very handy in other situations
as well.]
Option 2
The biggest hurdle is the kernel size starting with release
2.6.7. In the 2.6.6 release, the Knoppix kernel would fit on a 1.4M
diskette. Now you need to format the diskette to 1.68M - the same
size Microsoft uses occasionally for its diskettes. For that purpose,
you can use winimage under Windows, fdformat under
DOS or superformat/fdformat under Linux. Good luck
to you because diskettes sold for the 1.4M capacity do not necessarily
agree to a flawless format at higher capacity. My experience is that you
need a box of ten to get one such tolerant diskette. If you want strict
verification, use winimage and you will see the massacre.
When you have formatted the diskette, make it a syslinux boot
diskette. This can be done from DOS, Windows, Linux - it's up to
you. No further help is offered here for it. This boot diskette
will contain only one small file, ldlinux.sys.
In the Knoppix CD 3.7, there is a directory /boot/isolinux
where you will find the following files among others:
This is now a boot diskette for the 2.6.x kernel, the initial
ramdisk being read from a second diskette. Type knoppix26 at the
boot prompt. It will quickly ask you to insert the second diskette
so you must have it ready.
The second diskette must be a raw copy of minirt26.gz. Which
is to say, you cannot format it with a file system and put
minirt26.gz into the file system. When syslinux reads the
diskette it expects the binary content of minirt26.gz and
nothing else. It won't assume a file system and look for a file in it.
The question is: how do you copy the file raw to the floppy?
Here is the command (run under Linux from the Knoppix CD,
/boot/isolinux directory):
dd if=minirt26.gz of=/dev/fd0 bs=18k
The bs value is not essential, it just determines the size of
portions read and written. (A high-density 3.5" diskette has a
track of 18k.) The floppy may or may not be mounted. If not
mounted, it does not even need to be formatted since the formatting
will be destroyed anyway.
By the way, the raw copy can also be done under DOS/Windows with
a utility that can write to a physical sector disregarding the file
system. One such utility is the Norton Disk Editor.
After inserting the second boot diskette, knoppix26 will
boot.
The shape of things to come
Evidently, option 2 cannot be recommended to anybody, too much of a
hassle. The chain boot loaders listed above are the way to go. Note
that Microsoft has just turned to a chain boot for their XP CDs' to
handle non-bootable CDROMs.
Still, we have here some developments to watch. With the Linux
kernel too big for a normal 1.4M diskette, syslinux is going to be
relegated to rescue diskettes, it won't help any longer for the
current Linux releases.
And even lilo gets an encouraging kick to the exit. With kernel 2.4.x, a
lilo diskette could still quickly boot a Knoppix installed to a
non-bootable partition: you had Windows as normal straight boot from hard
disk, Knoppix also on hard disk but booted from diskette, no clashes. This
may still be doable for kernel 2.6.x if the hardware does not require any
special drivers at boot time and the initial ram disk can be dispensed
with. If you need an initial ram disk, expect its size to be in the region
of 4M: you will have to customize it so as to fit it on a diskette, in
which case you have again an approach like Option 2. If not possible then
the initial ram disk would have to be on the hard disk and lilo is simply
not able to find it.
Exit syslinux, exit lilo, everything points to grub. And maybe
they will throw in a CD boot from diskette as a bonus?
I ran across this piece of software while searching
for an Open Source alternative to the commercial "shopping cart" software
(which was mostly poorly written, and in a number of cases, badly broken.)
Chris's approach impressed me with its simplicity, utility, and ease of
installation - and fit my requirements perfectly.
One of the arguments that the opponents of Linux
use, over and over, is that "Linux doesn't support business". IBM, Novell,
Oracle, SAP, and countless other companies have been proving them wrong in
the corporate world; by soliciting articles from authors of software that
caters to the small and mid-sized business, such as Chris Fleizach's
closedShop, I hope to cut the feet from under
this part of their argument as well.
-- Ben
About three years ago I was faced with the challenge of putting
together an e-commerce site that would not require online credit
card processing. Although I searched briefly, I only found
expensive solutions. Thus I began work on closedShop, an open
source shopping cart. Over the past three years, there have been
over 13,000 downloads spread across 9 releases. Basically,
closedShop is a free shopping cart written in Perl, using the mySQL
database as a back-end, that allows anyone to set up shop with no
online credit card processing necessary. They can process the
credit cards manually, as most businesses already have a manual
credit card processor.
Before we go into a tutorial on how to set it up and start
accepting orders, it's good to know what closedShop offers:
Add/Edit/Remove Products
View/Process Orders
View Sales Reports
View Customers/Email Customers
eBay integration for adding products
PayPal integration
Wish lists for customers
Searching capabilities
Total customization through templates
SSL capable
Language support for English and Tongan (those are the only
languages I know)
Backup/Exporting features
Product Importing from flat-file or Excel worksheets
Gift Certificates
Sub-Categories
Thumbnail or Text view of categories
Inventory Tracking
State/National/Country Taxes
Shipment Tracking for major carriers
If that's what you need, then closedShop is a pretty good solution for
you. The first thing you need to do is download the latest version from
SourceForge.
After downloading, unzip the contents into your cgi-bin
directory. Make sure the all the files have 755 permissions
(closedShop doesn't work very well on Windows-based servers, only *nix
types). Most FTP programs allow you to change permissions (via the 'chmod'
command). You'll want to make all the files read-write-execute for
the owner, read-execute for the group, and read-execute for
everyone else. This set of permissions is also known as 755.
You also need to make sure that the web server is allowed to
write to the directory that closedShop is saved in. This is very
important since the program needs to save some data in flat-text
files. Most web hosting services allow this automatically. If your server
does not allow it, closedShop will tell you so and will not attempt
the installation. If you see this message you may need to contact
your hosting service and tell them you'd like to allow the web server to
write to the directory that closedShop is in (usually the cgi-bin
directory.)
[ Previously, Chris' article got sidelined due to the
security concerns with the instructions in the above paragraph during our
technical review; making "cgi-bin" world-writeable is not usually
adviseable. However, I eventually decided that it wasn't all that
insecure in the first place (someone would have to crack the webserver to
get access), and that a simple
modification of closedShop would get rid of the above requirement in
any case. Open Source in action, at your service. :) -- Ben ]
Assuming you have passed that main hurdle, you will now go to
your web browser and access the file called Install.pl. If
you put closedShop in your cgi-bin directory (and assuming your site is
located at "www.yoursite.com"), then to access
Install.pl, you'd type
http://www.yoursite.com/cgi-bin/Install.pl
A web page will come up and ask you to enter some important
information. Some of it will be about your company, some about taxes,
some about how you would like your tables to appear. For most of the
data you can leave the default. The most important information is
about the mySQL database. You must have access to a mySQL database
before installation. Most web hosting services allow this access, but
you may need to request it beforehand. Then they will send you a mySQL
username/password and database name. You put this information into
the mySQL database section.
The other important section is the admin password and merchant
password. The admin user will allow you to make all changes to the
program, while the merchant account shows fewer administrative
changes and is more for processing orders. It allows two people to
log on at the same time as well. Remember those passwords, you will
need them to log in.
After you fill out the rest of the data, click 'Install' and it will
take about 30 seconds to prepare everything. Afterwards, you'll see a
screen that says go to the Admin.pl script. There are four
scripts that do the different functions. Admin.pl handles
administrative tasks. Cart.pl is for the shopping cart
and checkout procedures. User.pl is for individual clients
to login and watch the order tracking as well as manage their wish
list. Item.pl displays items and categories and also allows
for searching.
Once you log into Admin.pl you will see the different
options. You may want to edit category information first for the
categories you entered in the Install. Note: if you want to add
more categories or change the name, then go to "Edit Program
Variables". Other information about categories can be viewed as
well in the "Edit Categories" section. After editing categories,
you should start adding products, either through the "Add Product"
option or through importing. When adding a product, you also have
the option of posting the item to eBay at the same time. The eBay
information will be below the main information and is not
required.
Finally, you need to integrate closedShop into your site. You'll
find important links under the "View Important Links" option. This
tells you the URLs for each category, Searching, User logon and the
Shopping Cart. If you have a standard design for your site you can allow
closedShop to use that design with the header and footer variables in
the "Edit Program Variables". The header is a file that contains the
top part of the HTML for your design. The footer is a file that will
contains the bottom part of the HTML for your design. closedShop will
insert itself into the middle. These files could be made and put in the
cgi-bin directory. Normally, you would name them header.html
and footer.html and put those respective values into your
program variables.
You should then take the links you want to use, like Searching,
and link them into your design. An example of this can be found at
Demo Site on the closedShop web site (http://closedshop.sourceforge.net)
Of course, you should also use SSL if possible. Customers will
be entering their credit cards over the site and you will be
viewing them. If you're not using SSL capabilities then there is a
greater possibility of having the data stolen. Most web hosting services
allow customers to use their SSL certificates and SSL processing.
It may be a different link than what you are used to seeing, though,
something that looks like it is from the hosting service. In this case,
you'll want to change the program variables and change the names of
the files to use the https:// and then type in the full
URL to the secure location. You'll also need to change the image
directory URL to the secure path, otherwise users may get messages
complaining about a mixture of secure and non-secure. You should
always access the Admin.pl script using the secure
connection, otherwise you leave yourself vulnerable to thieves.
The program has been designed to be as straight-forward as
possible. If you go to each script, you will see the default screen
appear initially. There is also more information in the
documentation that comes with each release. Of particular interest
might be the template features, which allow you to mix in Perl
programming with your template in order to totally customize the
look and feel of Item and categories.
If there are any questions, comments, concerns, or suggestions,
they can always be directed to .
Chris is a Peace Corps volunteer in the Kingdom of Tonga and has been
bringing them the world of Open Source for almost two years. He is also a
founding member of FightLiteracy.com,
the only organization in the world dedicated towards ending literacy.
Stunnel is an SSL encryption
wrapper that allows what are normally plain text and insecure
communications to be encrypted during transmission. Stunnel recently
went through some major changes and the current version (4.x) has a
completely different architecture than previous versions. In this
article I will be dealing exclusively with the new version.
One of Stunnel's most common uses is encrypting communications between POP or
IMAP mail servers and e-mail clients. Both of these protocols require users
to authenticate themselves with a username and a password. In the majority of
cases, these usernames and passwords are the same ones as they would use for
logging into the machine locally or remotely via SSH. Without using Stunnel
to encrypt this data, anyone intercepting the transmission could now log into
your server and gain elevated privileges much easier than a local exploit
would require.
2. Getting and Installing Stunnel
Stunnel is generally included as a precompiled package with most common
distributions and is possibly already installed on your system. If not,
locate the package on your distribution's installation CDs or download
it from the distribution's website.
The source code is released under the GNU General Public License and, as
such, is freely available for download and installation. The current
version (which at time of going to press was 4.05) can be downloaded
from ftp://stunnel.mirt.net/stunnel/.
To compile and install Stunnel, download the source code tarball from here and
then execute the following commands:
$ tar zxf stunnel-4.XX.tar.gz
$ cd stunnel-4.XX
$ ./configure
$ make
$ make install (as root)
3. Generating a Self-Signed Certificate
In order to use Stunnel we must first have a certificate-key pair. If you
compiled from sources then such a pair will have been created for you
automatically (stunnel.pem). Some pre-built binary packages may
include a certificate-key pair, some may generate one as part of the
installation procedure and others may leave it up to the user to generate one.
The easiest way of generating a certificate-key pair is by using a script
provided with Stunnel's source code. If you're compiling from the tarball,
just issue the following additional commands in the source directory:
$ cd tools
$ make stunnel.pem
I have decided to put the specific details outside the scope of this article,
but if you are interested in the actual details then have a look at the
Makefile in the "tools" directory.
4. Using Stunnel to Encrypt POP3/IMAP
This method can be used to encrypt any similar service where
SSL-enabled clients exist and are readily available. Most e-mail clients
are SSL-enabled for POP3, IMAP and SMTP, most internet clients (web
browsers) are enabled for HTTPS, etc.
Once Stunnel is installed and you have generated a certificate-key pair,
you are only a simple configuration file away from using Stunnel to encrypt
your communications. A simple one that would encrypt POP3 and IMAP
communications would be:
# Sample stunnel configuration file for POP3/IMAP
# Provide the full path to your certificate-key pair file
cert = /usr/local/etc/stunnel/stunnel.pem
# lock the process into a chroot jail
chroot = /usr/local/var/run/stunnel/
# and create the PID file in this jail
pid = /stunnel.pid
# change the UID and GID of the process for security reasons
setuid = nobody
setgid = nobody
# Configure our secured POP3 and IMAP services
[pop3s]
accept = 995
connect = 110
[imaps]
accept = 993
connect = 143
Using this configuration, any encrypted connection coming in on port 995
(POP3s) will be decrypted and forwarded to the local service (POP3) on port
110. When the local POP3 service responds, it will be encrypted by Stunnel
and transmitted back through port 995. Similarly for IMAPs on port 993.
Stunnel operates as a daemon service by default, so to start it off with this
configuration we can simply execute:
stunnel stunnel-secure-email.conf
where stunnel-secure-email.conf is the text file containing the
above configuration; ensure you change the paths so that they are correct
for your system.
We can set up Stunnel to start during boot-up by placing the appropriate
command in the rc.local file that is usually contained in
/etc/rc.d/. This file is the last file executed during a system
boot and it is generally used by system administrators for their own
initialisation stuff. When placing commands in this script, use fully
qualified paths such as:
/path/to/stunnel /path/to/the/configuration-file
[ For Debian and similar distros without an 'rc.local',
the procedure varies slightly: modify a copy of "/etc/init.d/skeleton"
(named, e.g., "/etc/init.d/stunnel") to run the above and create a link to
it from the appropriate runlevel (usually /etc/rc2.d/). -- Ben ]
Stunnel can also be used with (x)inetd if
preferred. You can find further details in Stunnel's man page.
5. Using Stunnel to Encrypt MySQL Transactions
This method can be used to encrypt any service where neither
the server nor the client are SSL-enabled. Common examples include CVS, MySQL,
etc.
In the example with POP3 and IMAP above, we were only concerned with
providing the server with SSL encryption as the clients generally have this
built in. However, neither the standard MySQL server nor client have SSL
capabilities - but we can still use Stunnel to provide this.
It involves using a Stunnel daemon on both the server's machine and the
client's machine. The configuration for the server side is similar to the one
we used above for POP3/IMAP. The default MySQL port is 3306, and since no
port is reserved for secure MySQL connections, I will use 3307:
# Sample stunnel configuration file for securing MySQL (server side)
# Provide the full path to your certificate-key pair file
cert = /usr/local/etc/stunnel/stunnel.pem
# lock the process into a chroot jail
chroot = /usr/local/var/run/stunnel/
# and create the PID file in this jail
pid = /stunnel.pid
# change the UID and GID of the process for security reasons
setuid = nobody
setgid = nobody
# Configure our secured MySQL server
[mysqls]
accept = 3307
connect = 3306
I can now start the Stunnel daemon on the server machine with:
$ stunnel stunnel-mysql-server.conf
where stunnel-mysql-server.conf is a text file containing the
above configuration. We also need to set up an Stunnel daemon on the client
machine with the following configuration:
# Sample stunnel configuration file for securing MySQL (client side)
# Provide the full path to your certificate-key pair file
cert = /usr/local/etc/stunnel/stunnel.pem
# lock the process into a chroot jail
chroot = /usr/local/var/run/stunnel/
# and create the PID file in this jail
pid = /stunnel.pid
# change the UID and GID of the process for security reasons
setuid = nobody
setgid = nobody
# enable client mode
client = yes
# Configure our secured MySQL client
[mysqls]
accept = 3306
connect = 1.2.3.4:3307
You'll notice that I have used a new option: client = yes - this
enables "client mode" which lets Stunnel know that the remote service uses
SSL. Our local Stunnel daemon will now listen for connections on the local
MySQL port (3306), encrypt them and forward them to our MySQL server machine (say
1.2.3.4) where another Stunnel is listening on port 3307. The remote Stunnel
will decrypt the transmission and forward it to the MySQL server listening on
port 3306 of the same machine. All responses will be sent back through the
same encrypted channel.
Save the client configuration as stunnel-mysql-client.conf and
start off Stunnel with:
$ stunnel stunnel-mysql-client.conf
and then you can connect to the remote MySQL server through the encrypted
channel by connecting to the local Stunnel daemon (which is listening on
MySQL's 3306 port):
$ mysql -h 127.0.0.1 -u username -p
6. Trouble Shooting
Stunnel can be a bit tricky about permissions - especially when using a
chroot jail and reducing your user and group ID to nobody (some
systems might need nogroup for setgid). Ensure your
chrooted directory is writable by the nobody user and/or the
nobody (or nogroup) group.
Stunnel runs in the background by default and doesn't show any error
messages. This means you won't know if it worked or not from the command
line! You can check that the process is running by searching the output of
the ps command:
Stunnel can also be instructed to run in the foreground by adding the
following command to the configuration file (above the service configuration):
foreground = yes
As with all services, the best method of diagnosing problems is through
the service's log messages. You can enable Stunnel's logging facilities
by adding the following commands to the configuration file (above the
service configuration):
debug = 7
output = /tmp/stunnel.log
If you are running in the foreground for testing/debugging, then you
might prefer to send the log messages to standard out:
debug = 7
output = /dev/stdout
7. Further Reading/References
There are many other commands that can be used in the configuration
files and these are all listed in Stunnel's man page
(STUNNEL(8)).
As always, I appreciate any feedback on this or previous articles and suggestions/requests for future ones. You'll find my e-mail address by clicking on my name at the beginning of the article.
Barry O'Donovan graduated from the National University of Ireland, Galway
with a B.Sc. (Hons) in computer science and mathematics. He is currently
completing a Ph.D. in computer science with the Information Hiding Laboratory, University
College Dublin, Ireland in the area of audio watermarking.
Barry has been using Linux since 1997 and his current flavor of choice
is Fedora Core. He is a member of the Irish
Linux Users Group. Whenever he's not doing his Ph.D. he can usually be
found supporting his finances by doing some work for Open Hosting, in the pub with friends or running in the local
park.
When programming, in any language, the capability to spawn worker
threads is integral to the performance of any application. Whether it be
running a separate thread to handle user interaction in a GUI app, while
running a potentially blocking process in the background (like your browser is
doing now), threading is essential. This document attempts to show what is
possible and what not while Threading in Python.
1.Why Threading in Python?
Let us say you write, in Python, a nifty utility that lets you filter your
mail.
You build a GUI Frontend using PyGTK. Now if you embed the filter code in the
frontend, you risk making the application unresponsive (you still have a dial up
connection, and any server interaction entails a considerable waiting time).
Since you don't work at Microsoft, you decide this is unacceptable and thus you
start a separate thread each time you want to filter your mail.
Thus threads increase the responsiveness of your programs. Threads also
increase efficiency and speed of a program, not to mention the algorithmic
simplicity.
Combined with the power of python, this makes programming in python very
attractive indeed.
2.The Basics
Let us first see how to start a simple thread. Threading is supported via
the thread and threading modules.
These modules are supposed to be optional, but if you use an OS that doesn't
support threading, you'd better switch to Linux.
The code given below runs a simple thread in the background.
(Text version)
#!/usr/bin/env python
import time
import thread
def myfunction(string,sleeptime,*args):
while 1:
print string
time.sleep(sleeptime) #sleep for a specified amount of time.
if __name__=="__main__":
thread.start_new_thread(myfunction,("Thread No:1",2))
while 1:pass
We start a new thread by using the start_new_thread() function
which takes the address of the object to be run, along with arguments to be
passed to the object, which are passed in a tuple.
2.1 Locks
Now that we have one thread running, running multiple threads is as simple
as calling start_new_thread() multiple times. The problem now would
be to synchronize the many threads which we would be running. Synchronization
is done using a Lock object. Locks are created using the
allocate_lock() factory function.
Locks are used as mutex objects, and are used for handling critical
sections of code. A thread enters the critical section by calling the
acquire() method, which can either be blocking or non-blocking. A
thread exits the critical section, by calling the release() method.
The following listing shows how to use the Lock object.
(Text version)
#!/usr/bin/env python
import time
import thread
def myfunction(string,sleeptime,lock,*args):
while 1:
#entering critical section
lock.acquire()
print string," Now Sleeping after Lock acquired for ",sleeptime
time.sleep(sleeptime)
print string," Now releasing lock and then sleeping again"
lock.release()
#exiting critical section
time.sleep(sleeptime) # why?
if __name__=="__main__":
lock=thread.allocate_lock()
thread.start_new_thread(myfunction,("Thread No:1",2,lock))
thread.start_new_thread(myfunction,("Thread No:2",2,lock))
while 1:pass
The code given above is fairly straight forward. We call
lock.acquire() just before entering the critical section and then
call lock.release() to exit the critical section.
The inquisitive reader now may be wondering why we sleep after exiting the
critical section.
Let us examine the output of the above listing.
Output.
Thread No:2 Now Sleeping after Lock acquired for 2
Thread No:2 Now releasing lock and then sleeping again
Thread No:1 Now Sleeping after Lock acquired for 2
Thread No:1 Now releasing lock and then sleeping again
Thread No:2 Now Sleeping after Lock acquired for 2
Thread No:2 Now releasing lock and then sleeping again
Thread No:1 Now Sleeping after Lock acquired for 2
Thread No:1 Now releasing lock and then sleeping again
Thread No:2 Now Sleeping after Lock acquired for 2
Here every thread is given an opportunity to enter the critical section. But
the same cannot be said if we remove time.sleep(sleeptime)
from the above listing.
Output without time.sleep(sleeptime)
Thread No:1 Now Sleeping after Lock acquired for 2
Thread No:1 Now releasing lock and then sleeping again
Thread No:1 Now Sleeping after Lock acquired for 2
Thread No:1 Now releasing lock and then sleeping again
Thread No:1 Now Sleeping after Lock acquired for 2
Thread No:1 Now releasing lock and then sleeping again
Thread No:1 Now Sleeping after Lock acquired for 2
Thread No:1 Now releasing lock and then sleeping again
Thread No:1 Now Sleeping after Lock acquired for 2
Thread No:1 Now releasing lock and then sleeping again
Thread No:1 Now Sleeping after Lock acquired for 2
Thread No:1 Now releasing lock and then sleeping again
Thread No:1 Now Sleeping after Lock acquired for 2
Thread No:1 Now releasing lock and then sleeping again
Thread No:1 Now Sleeping after Lock acquired for 2
Why does this happen? The answer lies in the fact that Python is
not fully threadsafe.
Unlike Java, where threading was considered to be so important that it is a
part of the syntax, in Python threads were laid down at the altar of
Portability.
In fact the documentation reads:
Not all built-in functions that may block waiting for I/O allow other threads
to run. (The most popular ones (time.sleep(),
file.read(), select.select()) work as expected.)
It is not possible to interrupt the acquire() method on a lock
-- the KeyboardInterrupt exception will happen after the lock has been acquired.
What this means is that quite probably any code like the following:
while 1:
lock.acquire()
.....
#some operation
.....
lock.release()
will cause starvation of one or more threads.
3. The Global Interpreter Lock
Currently, The Python Interpreter (Python 2.3.4) is not thread safe.
There are no priorities, no thread groups. Threads cannot be stopped and
suspended, resumed or interrupted. That is, the support provided is very much
basic. However a lot can still be accomplished with this meager support, with
the use of the threading module, as we shall see in the following
sections. One of the main reasons is that in actuality only one thread is
running at a time. This is because of some thing called a Global Interpreter
Lock (GIL). In order to support multi-threaded Python programs, there's a
global lock that must be held by the current thread before it can safely access
Python objects. Without the lock competing threads could cause havoc, for
example: when two threads simultaneously increment the reference count of the
same object, the reference count could end up being incremented only once
instead of twice. Thus only the thread that has acquired the GIL may operate on
Python Objects or call Python C API functions.
In order to support multi threaded Python programs the interpreter regularly
releases and reacquires the lock, by default every 10 bytecode instructions.
This can however be changed using the sys.setcheckinterval()
function. The lock is also released and reacquired around potentially
blocking I/O operations like reading or writing a file, so that other threads
can run while the thread that requests the I/O is waiting for the I/O operation
to complete.
In particular note:
C extensions can release the GIL.
Blocking I/O can release the GIL.
The Python Interpreter keeps some book keeping info per thread, for which it
uses a data structure called PyThreadState. Earlier the state was
stored in global variables and switching threads could cause problems. In
particular, exception handling is now thread safe when the application uses
sys.exc_info() to access the exception last raised in the current
thread. There's one global variable left, however: the pointer to the current
PyThreadState structure. While most thread packages have a way to
store ``per-thread global data,'' Python's internal platform independent thread
abstraction doesn't support this yet. Therefore, the current thread state must
be manipulated explicitly. The global interpreter lock is used to protect the
pointer to the current thread state. When releasing the lock and saving the
thread state, the current thread state pointer must be retrieved before the
lock is released (since another thread could immediately acquire the lock and
store its own thread state in the global variable). Conversely, when acquiring
the lock and restoring the thread state, the lock m
Why let Gentoo fans get all the fun?
Re: Upgrading KDE on SuSE 9.0 - A better way.
I love Linux
Tripwire
Greetings from Heather Stern
Patents ![[Picture]](../gx/2002/tagbio/conry.jpg)
Originally hailing from Ireland, Michael is currently living in Baden,
Switzerland. There he works with ABB Corporate Research as a
Marie-Curie fellow, developing software for the simulation and design
of electrical power-systems equipment.
.![[BIO]](../gx/2002/note.png)
Chris is a Peace Corps volunteer in the Kingdom of Tonga and has been
bringing them the world of Open Source for almost two years. He is also a
founding member of ![[BIO]](../gx/authors/odonovan.jpg)
Barry O'Donovan graduated from the National University of Ireland, Galway
with a B.Sc. (Hons) in computer science and mathematics. He is currently
completing a Ph.D. in computer science with the