X-Git-Url: http://pere.pagekite.me/gitweb/homepage.git/blobdiff_plain/7d45bc77474335f56a123d3d83da3f6aa94d0889..b930b26ee67546bfbe60cde22ac5051e9e51e9ea:/blog/index.html diff --git a/blog/index.html b/blog/index.html index e9b7901ac8..fe3f46cc65 100644 --- a/blog/index.html +++ b/blog/index.html @@ -20,771 +20,903 @@
-
One step closer to single signon in Debian Edu
-
2010-07-25 10:00
+
How to test if a laptop is working with Linux
+
2010-12-22 14:55
-

The last few months I have been working hard to get the -Debian/Squeeze based version of Debian Edu/Skolelinux into shape. -This future version will use Kerberos for authentication, and services -are slowly migrated to single sign, getting rid of password questions -one at the time.

- -

It will also feature a roaming workstation profile with local home -directory, for laptops that are only some times on the Skolelinux -network, and for this profile a shortcut is created in Gnome and KDE -to gain access to the users home directory on the file server. This -shortcut uses SMB at the moment, and yesterday I had time to test if -SMB mounting had started working in KDE after we added the cifs-utils -package. I was surprised how well it worked.

- -

Thanks to the recent changes to our samba configuration to get it -to use Kerberos for authentication, there were no question about user -password when mounting the SMB volume. A simple click on the shortcut -in the KDE menu, and a window with the home directory popped -up. :)

- -

One step closer to a single signon solution out of the box in -Debian Edu. We already had PAM, LDAP, IMAP and SMTP in place, and now -also Samba. Next step is Cups and hopefully also NFS.

- -

We had planned a alpha0 release of Debian Edu for today, but thanks -to the autobuilder administrators for some architectures being slow to -sign packages, we are still missing the fixed LTSP package we need for -the release. It was uploaded three days ago with urgency=high, and if -it had entered testing yesterday we would have been able to test it in -time for a alpha0 release today. As the binaries for ia64 and powerpc -still not uploaded to the Debian archive, we need to delay the alpha -release another day.

- -

If you want to help out with implementing Kerberos for Debian Edu, -please contact us on debian-edu@lists.debian.org.

+

The last few days I have spent at work here at the University of oslo testing if the new +batch of computers will work with Linux. Every year for the last few +years the university have organized shared bid of a few thousand +computers, and this year HP won the bid. Two different desktops and +five different laptops are on the list this year. We in the UNIX +group want to know which one of these computers work well with RHEL +and Ubuntu, the two Linux distributions we currently handle at the +university.

+ +

My test method is simple, and I share it here to get feedback and +perhaps inspire others to test hardware as well. To test, I PXE +install the OS version of choice, and log in as my normal user and run +a few applications and plug in selected pieces of hardware. When +something fail, I make a note about this in the test matrix and move +on. If I have some spare time I try to report the bug to the OS +vendor, but as I only have the machines for a short time, I rarely +have the time to do this for all the problems I find.

+ +

Anyway, to get to the point of this post. Here is the simple tests +I perform on a new model.

+ + + +

By now I suspect you are really curious what the test results are +for the HP machines I am testing. I'm not done yet, so I will report +the test results later. For now I can report that HP 8100 Elite work +fine, and hibernation fail with HP EliteBook 8440p on Ubuntu Lucid, +and audio fail on RHEL6. Ubuntu Maverik worked with 8440p. As you +can see, I have most machines left to test. One interesting +observation is that Ubuntu Lucid has almost twice the framerate than +RHEL6 with glxgears. No idea why.

- Tags: debian edu, english, nuug. + Tags: debian, debian edu, english.
-
Digitale restriksjonsmekanismer fikk meg til å slutte å kjøpe musikk
-
2010-07-22 23:50
+
Some thoughts on BitCoins
+
2010-12-11 15:10
-

For mange år siden slutte jeg å kjøpe musikk-CDer. Årsaken var at -musikkbransjen var godt i gang med å selge platene sine med DRM som -gjorde at jeg ikke fikk spilt av musikken jeg kjøpte på utstyret jeg -hadde tilgjengelig, dvs. min datamaskin. Det var umulig å se på en -plate om den var ødelagt eller ikke, og jeg hadde jo allerede en -anseelig samling med plater, så jeg bestemme meg for å slutte å gi -penger til en bransje som åpenbart ikke respekterte meg.

- -

Jeg har mange titalls dager med musikk på CD i dag. Det meste er -lagt i et stort arkiv som kan spilles av fra husets datamaskiner (har -ikke rukket rippe alt). Jeg ser dermed ikke behovet for å skaffe mer -musikk. De fleste av mine favoritter er i hus, og jeg er dermed godt -fornøyd.

- -

Hvis musikkbransjen ønsker mine penger, så må de demonstrere at de -setter pris på meg som kunde, og ikke skremme meg bort med DRM og -antydninger om at kundene er kriminelle.

- -

Filmbransjen er like ille, men mens musikk gjerne varer lenge, er -filmer mer ferskvare. Har dermed ikke helt sluttet å kjøpe filmer, men -holder meg til DVD-filmer som kan spilles av på mine Linuxbokser. -Kommer neppe til å ta i bruk Blueray, og ei heller de nye DRM-greiene -«Ultraviolet» som be annonsert her om dagen.

+

As I continue to explore +BitCoin, I've starting to wonder +what properties the system have, and how it will be affected by laws +and regulations here in Norway. Here are some random notes.

+ +

One interesting thing to note is that since the transactions are +verified using a peer to peer network, all details about a transaction +is known to everyone. This means that if a BitCoin address has been +published like I did with mine in my initial post about BitCoin, it is +possible for everyone to see how many BitCoins have been transfered to +that address. There is even a web service to look at the details for +all transactions. There I can see that my address +15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b +have received 16.06 Bitcoin, the +1LfdGnGuWkpSJgbQySxxCWhv8MHqvwst3 +address of Simon Phipps have received 181.97 BitCoin and the address +1MCwBbhNGp5hRm5rC1Aims2YFRe2SXPYKt +of EFF have received 2447.38 BitCoins so far. Thank you to each and +every one of you that donated bitcoins to support my activity. The +fact that anyone can see how much money was transfered to a given +address make it more obvious why the BitCoin community recommend to +generate and hand out a new address for each transaction. I'm told +there is no way to track which addresses belong to a given person or +organisation without the person or organisation revealing it +themselves, as Simon, EFF and I have done.

+ +

In Norway, and in most other countries, there are laws and +regulations limiting how much money one can transfer across the border +without declaring it. There are money laundering, tax and accounting +laws and regulations I would expect to apply to the use of BitCoin. +If the Skolelinux foundation +(SLX +Debian Labs) were to accept donations in BitCoin in addition to +normal bank transfers like EFF is doing, how should this be accounted? +Given that it is impossible to know if money can across the border or +not, should everything or nothing be declared? What exchange rate +should be used when calculating taxes? Would receivers have to pay +income tax if the foundation were to pay Skolelinux contributors in +BitCoin? I have no idea, but it would be interesting to know.

+ +

For a currency to be useful and successful, it must be trusted and +accepted by a lot of users. It must be possible to get easy access to +the currency (as a wage or using currency exchanges), and it must be +easy to spend it. At the moment BitCoin seem fairly easy to get +access to, but there are very few places to spend it. I am not really +a regular user of any of the vendor types currently accepting BitCoin, +so I wonder when my kind of shop would start accepting BitCoins. I +would like to buy electronics, travels and subway tickets, not herbs +and books. :) The currency is young, and this will improve over time +if it become popular, but I suspect regular banks will start to lobby +to get BitCoin declared illegal if it become popular. I'm sure they +will claim it is helping fund terrorism and money laundering (which +probably would be true, as is any currency in existence), but I +believe the problems should be solved elsewhere and not by blaming +currencies.

+ +

The process of creating new BitCoins is called mining, and it is +CPU intensive process that depend on a bit of luck as well (as one is +competing against all the other miners currently spending CPU cycles +to see which one get the next lump of cash). The "winner" get 50 +BitCoin when this happen. Yesterday I came across the obvious way to +join forces to increase ones changes of getting at least some coins, +by coordinating the work on mining BitCoins across several machines +and people, and sharing the result if one is lucky and get the 50 +BitCoins. Check out +BitCoin Pool +if this sounds interesting. I have not had time to try to set up a +machine to participate there yet, but have seen that running on ones +own for a few days have not yield any BitCoins througth mining +yet.

+ +

Update 2010-12-15: Found an interesting +criticism of bitcoin. Not quite sure how valid it is, but thought +it was interesting to read. The arguments presented seem to be +equally valid for gold, which was used as a currency for many years.

- Tags: fildeling, norsk, nuug, opphavsrett, personvern. + Tags: bitcoin, debian, english, personvern, sikkerhet.
-
OpenStreetmap one step closer to having routing on its front page
-
2010-07-18 16:45
+
Pornoskannerne på flyplassene bedrer visst ikke sikkerheten
+
2010-12-11 10:45
-

Thanks to -todays -opengeodata blog entry, I just discovered that the -OpenStreetmap.org site have gotten -support -for calculating routes. The support is still experimental and -only available from the development server, until more experience is -gathered on the user interface and any scalability issues.

- -

Earlier, the routing I knew about using the OpenStreetmap.org data -was provided by Cloudmade, -but having it on the main page is required to make everyone aware of -the issue. I've had people reject Openstreetmap.org as a viable -alternative for them because the front page lacked routing support, -and I hope their needs will be catered for when routing show up on the -www.openstreetmap.org front page.

+

Via en +blogpost fra Simon Phipps i går, fant jeg en referanse til +en +artikkel i Washington Times som igjen refererer til en artikkel i +det fagfellevurderte tidsskriftet Journal of Transportation Security +med tittelen +"An +evaluation of airport x-ray backscatter units based on image +characteristics" som enkelt konstaterer at +pornoscannerne +som kler av reisende på flyplasser ikke er i stand til å avsløre det +produsenten og amerikanske myndigheter sier de skal avsløre. Kort +sagt, de bedrer ikke sikkerheten. Reisende må altså la ansatte på +flyplasser se dem +nakne eller la seg beføle i skrittet uten grunn. Jeg vil +fortsette å nekte å bruke disse pornoskannerne, unngå flyplasser der +de er tatt i bruk, og reise med andre transportmidler enn fly hvis jeg +kan.

- Tags: english, kart, web. + Tags: norsk, personvern, sikkerhet.
-
What are they searching for - PowerDNS and ISC DHCP in LDAP
-
2010-07-17 21:00
+
Martin Bekkelund: En stille bønn om Datalagringsdirektivet
+
2010-12-09 21:25
-

This is a -followup -on my -previous -work on -merging -all the computer related LDAP objects in Debian Edu.

- -

As a step to try to see if it possible to merge the DNS and DHCP -LDAP objects, I have had a look at how the packages pdns-backend-ldap -and dhcp3-server-ldap in Debian use the LDAP server. The two -implementations are quite different in how they use LDAP.

- -To get this information, I started slapd with debugging enabled and -dumped the debug output to a file to get the LDAP searches performed -on a Debian Edu main-server. Here is a summary. - -

powerdns

- -Clues -on how to set up PowerDNS to use a LDAP backend is available on -the web. - -

PowerDNS have two modes of operation using LDAP as its backend. -One "strict" mode where the forward and reverse DNS lookups are done -using the same LDAP objects, and a "tree" mode where the forward and -reverse entries are in two different subtrees in LDAP with a structure -based on the DNS names, as in tjener.intern and -2.2.0.10.in-addr.arpa.

- -

In tree mode, the server is set up to use a LDAP subtree as its -base, and uses a "base" scoped search for the DNS name by adding -"dc=tjener,dc=intern," to the base with a filter for -"(associateddomain=tjener.intern)" for the forward entry and -"dc=2,dc=2,dc=0,dc=10,dc=in-addr,dc=arpa," with a filter for -"(associateddomain=2.2.0.10.in-addr.arpa)" for the reverse entry. For -forward entries, it is looking for attributes named dnsttl, arecord, -nsrecord, cnamerecord, soarecord, ptrrecord, hinforecord, mxrecord, -txtrecord, rprecord, afsdbrecord, keyrecord, aaaarecord, locrecord, -srvrecord, naptrrecord, kxrecord, certrecord, dsrecord, sshfprecord, -ipseckeyrecord, rrsigrecord, nsecrecord, dnskeyrecord, dhcidrecord, -spfrecord and modifytimestamp. For reverse entries it is looking for -the attributes dnsttl, arecord, nsrecord, cnamerecord, soarecord, -ptrrecord, hinforecord, mxrecord, txtrecord, rprecord, aaaarecord, -locrecord, srvrecord, naptrrecord and modifytimestamp. The equivalent -ldapsearch commands could look like this:

- -
-ldapsearch -h ldap \
-  -b dc=tjener,dc=intern,ou=hosts,dc=skole,dc=skolelinux,dc=no \
-  -s base -x '(associateddomain=tjener.intern)' dNSTTL aRecord nSRecord \
-  cNAMERecord sOARecord pTRRecord hInfoRecord mXRecord tXTRecord \
-  rPRecord aFSDBRecord KeyRecord aAAARecord lOCRecord sRVRecord \
-  nAPTRRecord kXRecord certRecord dSRecord sSHFPRecord iPSecKeyRecord \
-  rRSIGRecord nSECRecord dNSKeyRecord dHCIDRecord sPFRecord modifyTimestamp
-
-ldapsearch -h ldap \
-  -b dc=2,dc=2,dc=0,dc=10,dc=in-addr,dc=arpa,ou=hosts,dc=skole,dc=skolelinux,dc=no \
-  -s base -x '(associateddomain=2.2.0.10.in-addr.arpa)'
-  dnsttl, arecord, nsrecord, cnamerecord soarecord ptrrecord \
-  hinforecord mxrecord txtrecord rprecord aaaarecord locrecord \
-  srvrecord naptrrecord modifytimestamp
-
- -

In Debian Edu/Lenny, the PowerDNS tree mode is used with -ou=hosts,dc=skole,dc=skolelinux,dc=no as the base, and these are two -example LDAP objects used there. In addition to these objects, the -parent objects all th way up to ou=hosts,dc=skole,dc=skolelinux,dc=no -also exist.

- -
-dn: dc=tjener,dc=intern,ou=hosts,dc=skole,dc=skolelinux,dc=no
-objectclass: top
-objectclass: dnsdomain
-objectclass: domainrelatedobject
-dc: tjener
-arecord: 10.0.2.2
-associateddomain: tjener.intern
-
-dn: dc=2,dc=2,dc=0,dc=10,dc=in-addr,dc=arpa,ou=hosts,dc=skole,dc=skolelinux,dc=no
-objectclass: top
-objectclass: dnsdomain2
-objectclass: domainrelatedobject
-dc: 2
-ptrrecord: tjener.intern
-associateddomain: 2.2.0.10.in-addr.arpa
-
- -

In strict mode, the server behaves differently. When looking for -forward DNS entries, it is doing a "subtree" scoped search with the -same base as in the tree mode for a object with filter -"(associateddomain=tjener.intern)" and requests the attributes dnsttl, -arecord, nsrecord, cnamerecord, soarecord, ptrrecord, hinforecord, -mxrecord, txtrecord, rprecord, aaaarecord, locrecord, srvrecord, -naptrrecord and modifytimestamp. For reverse entires it also do a -subtree scoped search but this time the filter is "(arecord=10.0.2.2)" -and the requested attributes are associateddomain, dnsttl and -modifytimestamp. In short, in strict mode the objects with ptrrecord -go away, and the arecord attribute in the forward object is used -instead.

- -

The forward and reverse searches can be simulated using ldapsearch -like this:

- -
-ldapsearch -h ldap -b ou=hosts,dc=skole,dc=skolelinux,dc=no -s sub -x \
-  '(associateddomain=tjener.intern)' dNSTTL aRecord nSRecord \
-  cNAMERecord sOARecord pTRRecord hInfoRecord mXRecord tXTRecord \
-  rPRecord aFSDBRecord KeyRecord aAAARecord lOCRecord sRVRecord \
-  nAPTRRecord kXRecord certRecord dSRecord sSHFPRecord iPSecKeyRecord \
-  rRSIGRecord nSECRecord dNSKeyRecord dHCIDRecord sPFRecord modifyTimestamp
-
-ldapsearch -h ldap -b ou=hosts,dc=skole,dc=skolelinux,dc=no -s sub -x \
-  '(arecord=10.0.2.2)' associateddomain dnsttl modifytimestamp
-
- -

In addition to the forward and reverse searches , there is also a -search for SOA records, which behave similar to the forward and -reverse lookups.

- -

A thing to note with the PowerDNS behaviour is that it do not -specify any objectclass names, and instead look for the attributes it -need to generate a DNS reply. This make it able to work with any -objectclass that provide the needed attributes.

- -

The attributes are normally provided in the cosine (RFC 1274) and -dnsdomain2 schemas. The latter is used for reverse entries like -ptrrecord and recent DNS additions like aaaarecord and srvrecord.

- -

In Debian Edu, we have created DNS objects using the object classes -dcobject (for dc), dnsdomain or dnsdomain2 (structural, for the DNS -attributes) and domainrelatedobject (for associatedDomain). The use -of structural object classes make it impossible to combine these -classes with the object classes used by DHCP.

- -

There are other schemas that could be used too, for example the -dnszone structural object class used by Gosa and bind-sdb for the DNS -attributes combined with the domainrelatedobject object class, but in -this case some unused attributes would have to be included as well -(zonename and relativedomainname).

- -

My proposal for Debian Edu would be to switch PowerDNS to strict -mode and not use any of the existing objectclasses (dnsdomain, -dnsdomain2 and dnszone) when one want to combine the DNS information -with DHCP information, and instead create a auxiliary object class -defined something like this (using the attributes defined for -dnsdomain and dnsdomain2 or dnszone):

- -
-objectclass ( some-oid NAME 'dnsDomainAux'
-    SUP top
-    AUXILIARY
-    MAY ( ARecord $ MDRecord $ MXRecord $ NSRecord $ SOARecord $ CNAMERecord $
-          DNSTTL $ DNSClass $ PTRRecord $ HINFORecord $ MINFORecord $
-          TXTRecord $ SIGRecord $ KEYRecord $ AAAARecord $ LOCRecord $
-          NXTRecord $ SRVRecord $ NAPTRRecord $ KXRecord $ CERTRecord $
-          A6Record $ DNAMERecord
-    ))
-
- -

This will allow any object to become a DNS entry when combined with -the domainrelatedobject object class, and allow any entity to include -all the attributes PowerDNS wants. I've sent an email to the PowerDNS -developers asking for their view on this schema and if they are -interested in providing such schema with PowerDNS, and I hope my -message will be accepted into their mailing list soon.

- -

ISC dhcp

- -

The DHCP server searches for specific objectclass and requests all -the object attributes, and then uses the attributes it want. This -make it harder to figure out exactly what attributes are used, but -thanks to the working example in Debian Edu I can at least get an idea -what is needed without having to read the source code.

- -

In the DHCP server configuration, the LDAP base to use and the -search filter to use to locate the correct dhcpServer entity is -stored. These are the relevant entries from -/etc/dhcp3/dhcpd.conf:

- -
-ldap-base-dn "dc=skole,dc=skolelinux,dc=no";
-ldap-dhcp-server-cn "dhcp";
-
- -

The DHCP server uses this information to nest all the DHCP -configuration it need. The cn "dhcp" is located using the given LDAP -base and the filter "(&(objectClass=dhcpServer)(cn=dhcp))". The -search result is this entry:

- -
-dn: cn=dhcp,dc=skole,dc=skolelinux,dc=no
-cn: dhcp
-objectClass: top
-objectClass: dhcpServer
-dhcpServiceDN: cn=DHCP Config,dc=skole,dc=skolelinux,dc=no
-
- -

The content of the dhcpServiceDN attribute is next used to locate the -subtree with DHCP configuration. The DHCP configuration subtree base -is located using a base scope search with base "cn=DHCP -Config,dc=skole,dc=skolelinux,dc=no" and filter -"(&(objectClass=dhcpService)(|(dhcpPrimaryDN=cn=dhcp,dc=skole,dc=skolelinux,dc=no)(dhcpSecondaryDN=cn=dhcp,dc=skole,dc=skolelinux,dc=no)))". -The search result is this entry:

- -
-dn: cn=DHCP Config,dc=skole,dc=skolelinux,dc=no
-cn: DHCP Config
-objectClass: top
-objectClass: dhcpService
-objectClass: dhcpOptions
-dhcpPrimaryDN: cn=dhcp, dc=skole,dc=skolelinux,dc=no
-dhcpStatements: ddns-update-style none
-dhcpStatements: authoritative
-dhcpOption: smtp-server code 69 = array of ip-address
-dhcpOption: www-server code 72 = array of ip-address
-dhcpOption: wpad-url code 252 = text
-
- -

Next, the entire subtree is processed, one level at the time. When -all the DHCP configuration is loaded, it is ready to receive requests. -The subtree in Debian Edu contain objects with object classes -top/dhcpService/dhcpOptions, top/dhcpSharedNetwork/dhcpOptions, -top/dhcpSubnet, top/dhcpGroup and top/dhcpHost. These provide options -and information about netmasks, dynamic range etc. Leaving out the -details here because it is not relevant for the focus of my -investigation, which is to see if it is possible to merge dns and dhcp -related computer objects.

- -

When a DHCP request come in, LDAP is searched for the MAC address -of the client (00:00:00:00:00:00 in this example), using a subtree -scoped search with "cn=DHCP Config,dc=skole,dc=skolelinux,dc=no" as -the base and "(&(objectClass=dhcpHost)(dhcpHWAddress=ethernet -00:00:00:00:00:00))" as the filter. This is what a host object look -like:

- -
-dn: cn=hostname,cn=group1,cn=THINCLIENTS,cn=DHCP Config,dc=skole,dc=skolelinux,dc=no
-cn: hostname
-objectClass: top
-objectClass: dhcpHost
-dhcpHWAddress: ethernet 00:00:00:00:00:00
-dhcpStatements: fixed-address hostname
-
- -

There is less flexiblity in the way LDAP searches are done here. -The object classes need to have fixed names, and the configuration -need to be stored in a fairly specific LDAP structure. On the -positive side, the invidiual dhcpHost entires can be anywhere without -the DN pointed to by the dhcpServer entries. The latter should make -it possible to group all host entries in a subtree next to the -configuration entries, and this subtree can also be shared with the -DNS server if the schema proposed above is combined with the dhcpHost -structural object class. - -

Conclusion

- -

The PowerDNS implementation seem to be very flexible when it come -to which LDAP schemas to use. While its "tree" mode is rigid when it -come to the the LDAP structure, the "strict" mode is very flexible, -allowing DNS objects to be stored anywhere under the base cn specified -in the configuration.

- -

The DHCP implementation on the other hand is very inflexible, both -regarding which LDAP schemas to use and which LDAP structure to use. -I guess one could implement ones own schema, as long as the -objectclasses and attributes have the names used, but this do not -really help when the DHCP subtree need to have a fairly fixed -structure.

- -

Based on the observed behaviour, I suspect a LDAP structure like -this might work for Debian Edu:

- -
-ou=services
-  cn=machine-info (dhcpService) - dhcpServiceDN points here
-    cn=dhcp (dhcpServer)
-    cn=dhcp-internal (dhcpSharedNetwork/dhcpOptions)
-      cn=10.0.2.0 (dhcpSubnet)
-        cn=group1 (dhcpGroup/dhcpOptions)
-    cn=dhcp-thinclients (dhcpSharedNetwork/dhcpOptions)
-      cn=192.168.0.0 (dhcpSubnet)
-        cn=group1 (dhcpGroup/dhcpOptions)
-    ou=machines - PowerDNS base points here
-      cn=hostname (dhcpHost/domainrelatedobject/dnsDomainAux)
-
- -

This is not tested yet. If the DHCP server require the dhcpHost -entries to be in the dhcpGroup subtrees, the entries can be stored -there instead of a common machines subtree, and the PowerDNS base -would have to be moved one level up to the machine-info subtree.

- -

The combined object under the machines subtree would look something -like this:

- -
-dn: dc=hostname,ou=machines,cn=machine-info,dc=skole,dc=skolelinux,dc=no
-dc: hostname
-objectClass: top
-objectClass: dhcpHost
-objectclass: domainrelatedobject
-objectclass: dnsDomainAux
-associateddomain: hostname.intern
-arecord: 10.11.12.13
-dhcpHWAddress: ethernet 00:00:00:00:00:00
-dhcpStatements: fixed-address hostname.intern
-
- -

One could even add the LTSP configuration associated with a given -machine, as long as the required attributes are available in a -auxiliary object class.

+

Martin Bekkelund ved +friprog-senteret har skrevet +følgende +korte +oppsummering rundt datalagringsdirektivet, som jeg videreformidler +her.

+ +

Det pågår i disse dager en intens diskusjon om +innføring av Datalagringsdirektivet (DLD) i norsk rett. Kanskje +har du gjort deg opp en mening, kanskje er du usikker. I begge +tilfeller ber jeg deg lese videre.

+ +

Samtlige fagmiljøer, både i Norge og EU, har konkludert med at +DLD ikke bør +innføres på nåværende tidspunkt. Den tekniske kvaliteten på direktivet +er dårlig, det griper uforholdsmessig inn i personvernet, det har +store mangler og viktige spørsmål som hvem som skal ha tilgang og +hvordan data skal lagres er fortsatt uavklart.

+ + + +

Jeg liker å tro at jeg er en hyggelig fyr. Jeg har et rent +rulleblad, og med unntak av to fartsbøter har jeg aldri vært en byrde +for samfunnet. Det akter jeg å fortsette med. Det er mange som meg, +lovlydige, pliktoppfyllende borgere som aldri vil utgjøre en trussel +mot noe som helst. Vi synes derfor det er trist og sårende at all vår +atferd skal overvåkes døgnkontinuerlig.

+ +

Understøttet av faglige vurderinger kan du trygt si nei til +DLD.

+ +

Ta kontakt med meg +hvis du har spørsmål om DLD, uansett hva det måtte +gjelde.

+ +

Denne teksten er å anse som Public +Domain. Spre den videre til alle som kan ha nytte av +den!

+

+ +

Siste melding +fra Nettavisen er at regjeringen planlegger å fremme sitt forslag +til implementering av datalagringsdirektivet i morgen, i ly av +fredprisutdelingen for å få minst mulig pressedekning om saken. Vi +får snart se om det stemmer.

- Tags: debian, debian edu, english, ldap, nuug. + Tags: norsk, personvern.
-
Combining PowerDNS and ISC DHCP LDAP objects
-
2010-07-14 23:45
+
Student group continue the work on my Reprap 3D printer
+
2010-12-09 19:30
-

For a while now, I have wanted to find a way to change the DNS and -DHCP services in Debian Edu to use the same LDAP objects for a given -computer, to avoid the possibility of having a inconsistent state for -a computer in LDAP (as in DHCP but no DNS entry or the other way -around) and make it easier to add computers to LDAP.

- -

I've looked at how powerdns and dhcpd is using LDAP, and using this -information finally found a solution that seem to work.

- -

The old setup required three LDAP objects for a given computer. -One forward DNS entry, one reverse DNS entry and one DHCP entry. If -we switch powerdns to use its strict LDAP method (ldap-method=strict -in pdns-debian-edu.conf), the forward and reverse DNS entries are -merged into one while making it impossible to transfer the reverse map -to a slave DNS server.

- -

If we also replace the object class used to get the DNS related -attributes to one allowing these attributes to be combined with the -dhcphost object class, we can merge the DNS and DHCP entries into one. -I've written such object class in the dnsdomainaux.schema file (need -proper OIDs, but that is a minor issue), and tested the setup. It -seem to work.

- -

With this test setup in place, we can get away with one LDAP object -for both DNS and DHCP, and even the LTSP configuration I suggested in -an earlier email. The combined LDAP object will look something like -this:

- -
-  dn: cn=hostname,cn=group1,cn=THINCLIENTS,cn=DHCP Config,dc=skole,dc=skolelinux,dc=no
-  cn: hostname
-  objectClass: dhcphost
-  objectclass: domainrelatedobject
-  objectclass: dnsdomainaux
-  associateddomain: hostname.intern
-  arecord: 10.11.12.13
-  dhcphwaddress: ethernet 00:00:00:00:00:00
-  dhcpstatements: fixed-address hostname
-  ldapconfigsound: Y
-
- -

The DNS server uses the associateddomain and arecord entries, while -the DHCP server uses the dhcphwaddress and dhcpstatements entries -before asking DNS to resolve the fixed-adddress. LTSP will use -dhcphwaddress or associateddomain and the ldapconfig* attributes.

- -

I am not yet sure if I can get the DHCP server to look for its -dhcphost in a different location, to allow us to put the objects -outside the "DHCP Config" subtree, but hope to figure out a way to do -that. If I can't figure out a way to do that, we can still get rid of -the hosts subtree and move all its content into the DHCP Config tree -(which probably should be renamed to be more related to the new -content. I suspect cn=dnsdhcp,ou=services or something like that -might be a good place to put it.

- -

If you want to help out with implementing this for Debian Edu, -please contact us on debian-edu@lists.debian.org.

+

A few days ago, I was introduces to some students in the robot +student assosiation Robotica +Osloensis at the University of Oslo where I work, who planned to +get their own 3D printer. They wanted to learn from me based on my +work in the area. After having a short lunch meeting with them, I +offered them to borrow my reprap kit, as I never had time to complete +the build and this seem unlike to change any time soon. I look +forward to see how this goes. This monday their volunteer driver +picked up my kit and drove it to their lab, and tomorrow I am told the +last exam is over so they can start work on getting the 3D printer +operational.

+ +

The robotic group have already build several robots on their own, +and seem capable of getting the reprap operational. I really look +forward to being able to print all the cool 3D designs published on +Thingiverse. I even got +some 3D scans I got made during Dagen@IFI when one of the groups at +the computer science department at the university demonstrated their +very cool 3D scanner.

- Tags: debian, debian edu, english, ldap, nuug. + Tags: 3d-printer, english, reprap.
-
Idea for storing LTSP configuration in LDAP
-
2010-07-11 22:00
+
Debian Edu development gathering and General Assembly for FRiSK
+
2010-11-29 18:40
-

Vagrant mentioned on IRC today that ltsp_config now support -sourcing files from /usr/share/ltsp/ltsp_config.d/ on the thin -clients, and that this can be used to fetch configuration from LDAP if -Debian Edu choose to store configuration there.

- -

Armed with this information, I got inspired and wrote a test module -to get configuration from LDAP. The idea is to look up the MAC -address of the client in LDAP, and look for attributes on the form -ltspconfigsetting=value, and use this to export SETTING=value to the -LTSP clients.

- -

The goal is to be able to store the LTSP configuration attributes -in a "computer" LDAP object used by both DNS and DHCP, and thus -allowing us to store all information about a computer in one place.

- -

This is a untested draft implementation, and I welcome feedback on -this approach. A real LDAP schema for the ltspClientAux objectclass -need to be written. Comments, suggestions, etc?

- -
-# Store in /opt/ltsp/$arch/usr/share/ltsp/ltsp_config.d/ldap-config
-#
-# Fetch LTSP client settings from LDAP based on MAC address
-#
-# Uses ethernet address as stored in the dhcpHost objectclass using
-# the dhcpHWAddress attribute or ethernet address stored in the
-# ieee802Device objectclass with the macAddress attribute.
-#
-# This module is written to be schema agnostic, and only depend on the
-# existence of attribute names.
-#
-# The LTSP configuration variables are saved directly using a
-# ltspConfig prefix and uppercasing the rest of the attribute name.
-# To set the SERVER variable, set the ltspConfigServer attribute.
-#
-# Some LDAP schema should be created with all the relevant
-# configuration settings.  Something like this should work:
-# 
-# objectclass ( 1.1.2.2 NAME 'ltspClientAux'
-#     SUP top
-#     AUXILIARY
-#     MAY ( ltspConfigServer $ ltsConfigSound $ ... )
-
-LDAPSERVER=$(debian-edu-ldapserver)
-if [ "$LDAPSERVER" ] ; then
-    LDAPBASE=$(debian-edu-ldapserver -b)
-    for MAC in $(LANG=C ifconfig |grep -i hwaddr| awk '{print $5}'|sort -u) ; do
-	filter="(|(dhcpHWAddress=ethernet $MAC)(macAddress=$MAC))"
-	ldapsearch -h "$LDAPSERVER" -b "$LDAPBASE" -v -x "$filter" | \
-	    grep '^ltspConfig' | while read attr value ; do
-	    # Remove prefix and convert to upper case
-	    attr=$(echo $attr | sed 's/^ltspConfig//i' | tr a-z A-Z)
-	    # bass value on to clients
-	    eval "$attr=$value; export $attr"
-	done
-    done
-fi
-
- -

I'm not sure this shell construction will work, because I suspect -the while block might end up in a subshell causing the variables set -there to not show up in ltsp-config, but if that is the case I am sure -the code can be restructured to make sure the variables are passed on. -I expect that can be solved with some testing. :)

- -

If you want to help out with implementing this for Debian Edu, -please contact us on debian-edu@lists.debian.org.

- -

Update 2010-07-17: I am aware of another effort to store LTSP -configuration in LDAP that was created around year 2000 by -PC -Xperience, Inc., 2000. I found its -files on a -personal home page over at redhat.com.

+

On friday, the first Debian Edu / Skolelinux +development +gathering in a long time take place here in Oslo, Norway. I +really look forward to seeing all the good people working on the +Squeeze release. The gathering is open for everyone interested in +learning more about Debian Edu / Skolelinux.

+ +

On Saturday, the Norwegian member organization taking care of +organizing these development gatherings, Fri Programvare i Skolen, +will hold its +General Assembly +for 2010. Membership is open for all, and currently there are 388 +people registered as members. Last year 32 members cast their vote in +the memberdb based election system. I hope more people find time to +vote this year.

- Tags: debian, debian edu, english, ldap, nuug. + Tags: debian edu, english, nuug.
-
jXplorer, a very nice LDAP GUI
-
2010-07-09 12:55
+
Why isn't Debian Edu using VLC?
+
2010-11-27 11:30
-

Since -my -last post about available LDAP tools in Debian, I was told about a -LDAP GUI that is even better than luma. The java application -jXplorer is claimed to be capable of -moving LDAP objects and subtrees using drag-and-drop, and can -authenticate using Kerberos. I have only tested the Kerberos -authentication, but do not have a LDAP setup allowing me to rewrite -LDAP with my test user yet. It is -available in -Debian testing and unstable at the moment. The only problem I -have with it is how it handle errors. If something go wrong, its -non-intuitive behaviour require me to go through some query work list -and remove the failing query. Nothing big, but very annoying.

+

In the latest issue of Linux Journal, the readers choices were +presented, and the winner among the multimedia player were VLC. +Personally, I like VLC, and it is my player of choice when I first try +to play a video file or stream. Only if VLC fail will I drag out +gmplayer to see if it can do better. The reason is mostly the failure +model and trust. When VLC fail, it normally pop up a error message +reporting the problem. When mplayer fail, it normally segfault or +just hangs. The latter failure mode drain my trust in the program.

+ +

But even if VLC is my player of choice, we have choosen to use +mplayer in Debian +Edu/Skolelinux. The reason is simple. We need a good browser +plugin to play web videos seamlessly, and the VLC browser plugin is +not very good. For example, it lack in-line control buttons, so there +is no way for the user to pause the video. Also, when I +last +tested the browser plugins available in Debian, the VLC plugin +failed on several video pages where mplayer based plugins worked. If +the browser plugin for VLC was as good as the gecko-mediaplayer +package (which uses mplayer), we would switch.

+ +

While VLC is a good player, its user interface is slightly +annoying. The most annoying feature is its inconsistent use of +keyboard shortcuts. When the player is in full screen mode, its +shortcuts are different from when it is playing the video in a window. +For example, space only work as pause when in full screen mode. I +wish it had consisten shortcuts and that space also would work when in +window mode. Another nice shortcut in gmplayer is [enter] to restart +the current video. It is very nice when playing short videos from the +web and want to restart it when new people arrive to have a look at +what is going on.

- Tags: debian, debian edu, english, ldap, nuug. + Tags: debian, debian edu, english, multimedia, video, web.
-
MS Word krøller det til for politiet?
-
2010-07-08 14:00
+
DND hedrer overvåkning av barn med Rosingsprisen
+
2010-11-23 14:15
-

De siste dagene har Aftenposten -fortalt -hvordan -politet har brukt skriveverktøy som ikke håndterer arabisk tekst og -tekst som skal skrives fra høyre mot venstre når de har laget -løpeseddel for å be om informasjon fra publikum. Resultatet har vært -en uleselig arabisk-bit på løpeseddelen. Feilen har oppstått når -teksten har blitt "kopiert inn i programvare som ikke har støtte for -språk som skrives fra høyre mot venstre", og jeg er ganske sikker på -at det er snakk om Microsoft Office i dette tilfellet. Er det slik at -MS Office i norsk språkdrakt ikke har støtte for tekst som skal -skrives fra høyre mot venstre? Jeg tror alle utgaver av -OpenOffice.org har slik støtte, og det er jo ikke veldig vanskelig å -la slik støtte finnes i alle utgaver av et program hvis støtten først -er utviklet. Aftenpostens melding får meg til å undre om problemet -ville vært unngått hvis politiet brukte OpenOffice.org i stedet for MS -Office.

- -

Mon tro om det er flere eksempler på at MS Office har ødelagt for -offentlig myndighet?

+

Jeg registrerer med vond smak i munnen at Den Norske Dataforening +hedrer +overvåkning av barn med Rosingsprisen for kreativitet i år. Jeg +er glad jeg nå er meldt ut av DND.

+ +

Å elektronisk overvåke sine barn er ikke å gjøre dem en tjeneste, +men et overgrep mot individer i utvikling som bør læres opp til å ta +egne valg.

+ +

For å sitere Datatilsynets nye leder, Bjørn Erik Thon, i +et intervju +med Computerworld Norge:

+ +

+- For alle som har barn, meg selv inkludert, er førstetanken at det +hadde vært fint å vite hvor barnet sitt er til enhver tid. Men ungene +har ikke godt av det. De er små individer som skal søke rundt og finne +sine små gjemmesteder og utvide horisonten, uten at foreldrene ser dem +i kortene. Det kan være fristende, men jeg ville ikke gått inn i +dette. +

+ +

Det er skremmende å se at DND mener en tjeneste som legger opp til +slike overgrep bør hedres. Å flytte oppveksten for barn inn i en +virtuell +Panopticon er et +grovt overgrep og vil gjøre skade på barnenes utvikling, og foreldre +burde tenke seg godt om før de gir etter for sine instinkter her.

+ +

Blipper-tjenesten får meg til å tenke på bøkene til +John Twelve +Hawks, som forbilledlig beskriver hvordan et totalitært +overvåkningssamfunn bygges sakte men sikkert rundt oss, satt sammen av +gode intensjoner og manglende bevissthet om hvilke prinsipper et +liberalt demokrati er fundamentert på. Jeg har hatt stor glede av å +lese alle de tre bøkene.

- Tags: norsk. + Tags: norsk, personvern, sikkerhet.
-
Lenny->Squeeze upgrades, apt vs aptitude with the Gnome desktop
-
2010-07-03 23:55
+
Lenny->Squeeze upgrades of the Gnome and KDE desktop, now with apt-get autoremove
+
2010-11-22 14:15
-

Here is a short update on my my -Debian Lenny->Squeeze upgrade testing. Here is a summary of the -difference for Gnome when it is upgraded by apt-get and aptitude. I'm -not reporting the status for KDE, because the upgrade crashes when -aptitude try because of missing conflicts -(#584861 and -#585716).

- -

At the end of the upgrade test script, dpkg -l is executed to get a -complete list of the installed packages. Based on this I see these -differences when I did a test run today. As usual, I do not really -know what the correct set of packages would be, but thought it best to -publish the difference.

+

Michael Biebl suggested to me on IRC, that I changed my automated +upgrade testing of the +Lenny +Gnome and KDE Desktop to do apt-get autoremove when using apt-get. +This seem like a very good idea, so I adjusted by test scripts and +can now present the updated result from today:

+ +

This is for Gnome:

+ +

Installed using apt-get, missing with aptitude

+ +

+ apache2.2-bin + aptdaemon + baobab + binfmt-support + browser-plugin-gnash + cheese-common + cli-common + cups-pk-helper + dmz-cursor-theme + empathy + empathy-common + freedesktop-sound-theme + freeglut3 + gconf-defaults-service + gdm-themes + gedit-plugins + geoclue + geoclue-hostip + geoclue-localnet + geoclue-manual + geoclue-yahoo + gnash + gnash-common + gnome + gnome-backgrounds + gnome-cards-data + gnome-codec-install + gnome-core + gnome-desktop-environment + gnome-disk-utility + gnome-screenshot + gnome-search-tool + gnome-session-canberra + gnome-system-log + gnome-themes-extras + gnome-themes-more + gnome-user-share + gstreamer0.10-fluendo-mp3 + gstreamer0.10-tools + gtk2-engines + gtk2-engines-pixbuf + gtk2-engines-smooth + hamster-applet + libapache2-mod-dnssd + libapr1 + libaprutil1 + libaprutil1-dbd-sqlite3 + libaprutil1-ldap + libart2.0-cil + libboost-date-time1.42.0 + libboost-python1.42.0 + libboost-thread1.42.0 + libchamplain-0.4-0 + libchamplain-gtk-0.4-0 + libcheese-gtk18 + libclutter-gtk-0.10-0 + libcryptui0 + libdiscid0 + libelf1 + libepc-1.0-2 + libepc-common + libepc-ui-1.0-2 + libfreerdp-plugins-standard + libfreerdp0 + libgconf2.0-cil + libgdata-common + libgdata7 + libgdu-gtk0 + libgee2 + libgeoclue0 + libgexiv2-0 + libgif4 + libglade2.0-cil + libglib2.0-cil + libgmime2.4-cil + libgnome-vfs2.0-cil + libgnome2.24-cil + libgnomepanel2.24-cil + libgpod-common + libgpod4 + libgtk2.0-cil + libgtkglext1 + libgtksourceview2.0-common + libmono-addins-gui0.2-cil + libmono-addins0.2-cil + libmono-cairo2.0-cil + libmono-corlib2.0-cil + libmono-i18n-west2.0-cil + libmono-posix2.0-cil + libmono-security2.0-cil + libmono-sharpzip2.84-cil + libmono-system2.0-cil + libmtp8 + libmusicbrainz3-6 + libndesk-dbus-glib1.0-cil + libndesk-dbus1.0-cil + libopal3.6.8 + libpolkit-gtk-1-0 + libpt2.6.7 + libpython2.6 + librpm1 + librpmio1 + libsdl1.2debian + libsrtp0 + libssh-4 + libtelepathy-farsight0 + libtelepathy-glib0 + libtidy-0.99-0 + media-player-info + 
mesa-utils + mono-2.0-gac + mono-gac + mono-runtime + nautilus-sendto + nautilus-sendto-empathy + p7zip-full + pkg-config + python-aptdaemon + python-aptdaemon-gtk + python-axiom + python-beautifulsoup + python-bugbuddy + python-clientform + python-coherence + python-configobj + python-crypto + python-cupshelpers + python-elementtree + python-epsilon + python-evolution + python-feedparser + python-gdata + python-gdbm + python-gst0.10 + python-gtkglext1 + python-gtksourceview2 + python-httplib2 + python-louie + python-mako + python-markupsafe + python-mechanize + python-nevow + python-notify + python-opengl + python-openssl + python-pam + python-pkg-resources + python-pyasn1 + python-pysqlite2 + python-rdflib + python-serial + python-tagpy + python-twisted-bin + python-twisted-conch + python-twisted-core + python-twisted-web + python-utidylib + python-webkit + python-xdg + python-zope.interface + remmina + remmina-plugin-data + remmina-plugin-rdp + remmina-plugin-vnc + rhythmbox-plugin-cdrecorder + rhythmbox-plugins + rpm-common + rpm2cpio + seahorse-plugins + shotwell + software-center + system-config-printer-udev + telepathy-gabble + telepathy-mission-control-5 + telepathy-salut + tomboy + totem + totem-coherence + totem-mozilla + totem-plugins + transmission-common + xdg-user-dirs + xdg-user-dirs-gtk + xserver-xephyr +

+ +

Installed using apt-get, removed with aptitude

+ +

+ cheese + ekiga + eog + epiphany-extensions + evolution-exchange + fast-user-switch-applet + file-roller + gcalctool + gconf-editor + gdm + gedit + gedit-common + gnome-games + gnome-games-data + gnome-nettool + gnome-system-tools + gnome-themes + gnuchess + gucharmap + guile-1.8-libs + libavahi-ui0 + libdmx1 + libgalago3 + libgtk-vnc-1.0-0 + libgtksourceview2.0-0 + liblircclient0 + libsdl1.2debian-alsa + libspeexdsp1 + libsvga1 + rhythmbox + seahorse + sound-juicer + system-config-printer + totem-common + transmission-gtk + vinagre + vino +

+ +

Installed using aptitude, missing with apt-get

+ +

+ gstreamer0.10-gnomevfs +

+ +

Installed using aptitude, removed with apt-get

+ +

+[nothing] +

+ +

This is for KDE:

Installed using apt-get, missing with aptitude

- at-spi cpp-4.3 finger gnome-spell gstreamer0.10-gnomevfs - libatspi1.0-0 libcupsys2 libeel2-data libgail-common libgdl-1-common - libgnomeprint2.2-data libgnomeprintui2.2-common libgnomevfs2-bin - libgtksourceview-common libpt-1.10.10-plugins-alsa - libpt-1.10.10-plugins-v4l libservlet2.4-java libxalan2-java - libxerces2-java openoffice.org-writer2latex openssl-blacklist p7zip - python-4suite-xml python-eggtrayicon python-gtkhtml2 - python-gtkmozembed svgalibg1 xserver-xephyr zip + ksmserver

Installed using apt-get, removed with aptitude

- bluez-utils dhcdbd djvulibre-desktop epiphany-gecko - gnome-app-install gnome-mount gnome-vfs-obexftp gnome-volume-manager - libao2 libavahi-compat-libdnssd1 libavahi-core5 libbind9-50 - libbluetooth2 libcamel1.2-11 libcdio7 libcucul0 libcurl3 - libdirectfb-1.0-0 libdvdread3 libedata-cal1.2-6 libedataserver1.2-9 - libeel2-2.20 libepc-1.0-1 libepc-ui-1.0-1 libexchange-storage1.2-3 - libfaad0 libgd2-noxpm libgda3-3 libgda3-common libggz2 libggzcore9 - libggzmod4 libgksu1.2-0 libgksuui1.0-1 libgmyth0 libgnome-desktop-2 - libgnome-pilot2 libgnomecups1.0-1 libgnomeprint2.2-0 - libgnomeprintui2.2-0 libgpod3 libgraphviz4 libgtkhtml2-0 - libgtksourceview1.0-0 libgucharmap6 libhesiod0 libicu38 libisccc50 - libisccfg50 libiw29 libkpathsea4 libltdl3 liblwres50 libmagick++10 - libmagick10 libmalaga7 libmtp7 libmysqlclient15off libnautilus-burn4 - libneon27 libnm-glib0 libnm-util0 libopal-2.2 libosp5 - libparted1.8-10 libpisock9 libpisync1 libpoppler-glib3 libpoppler3 - libpt-1.10.10 libraw1394-8 libsensors3 libsmbios2 libsoup2.2-8 - libssh2-1 libsuitesparse-3.1.0 libswfdec-0.6-90 libtalloc1 - libtotem-plparser10 libtrackerclient0 libvoikko1 libxalan2-java-gcj - libxerces2-java-gcj libxklavier12 libxtrap6 libxxf86misc1 libzephyr3 - mysql-common swfdec-gnome totem-gstreamer wodim + kwin + network-manager-kde

Installed using aptitude, missing with apt-get

- gnome gnome-desktop-environment hamster-applet python-gnomeapplet - python-gnomekeyring python-wnck rhythmbox-plugins xorg - xserver-xorg-input-all xserver-xorg-input-evdev - xserver-xorg-input-kbd xserver-xorg-input-mouse - xserver-xorg-input-synaptics xserver-xorg-video-all - xserver-xorg-video-apm xserver-xorg-video-ark xserver-xorg-video-ati - xserver-xorg-video-chips xserver-xorg-video-cirrus - xserver-xorg-video-dummy xserver-xorg-video-fbdev - xserver-xorg-video-glint xserver-xorg-video-i128 - xserver-xorg-video-i740 xserver-xorg-video-mach64 - xserver-xorg-video-mga xserver-xorg-video-neomagic - xserver-xorg-video-nouveau xserver-xorg-video-nv - xserver-xorg-video-r128 xserver-xorg-video-radeon - xserver-xorg-video-radeonhd xserver-xorg-video-rendition - xserver-xorg-video-s3 xserver-xorg-video-s3virge - xserver-xorg-video-savage xserver-xorg-video-siliconmotion - xserver-xorg-video-sis xserver-xorg-video-sisusb - xserver-xorg-video-tdfx xserver-xorg-video-tga - xserver-xorg-video-trident xserver-xorg-video-tseng - xserver-xorg-video-vesa xserver-xorg-video-vmware - xserver-xorg-video-voodoo + arts + dolphin + freespacenotifier + google-gadgets-gst + google-gadgets-xul + kappfinder + kcalc + kcharselect + kde-core + kde-plasma-desktop + kde-standard + kde-window-manager + kdeartwork + kdeartwork-emoticons + kdeartwork-style + kdeartwork-theme-icon + kdebase + kdebase-apps + kdebase-workspace + kdebase-workspace-bin + kdebase-workspace-data + kdeeject + kdelibs + kdeplasma-addons + kdeutils + kdewallpapers + kdf + kfloppy + kgpg + khelpcenter4 + kinfocenter + konq-plugins-l10n + konqueror-nsplugins + kscreensaver + kscreensaver-xsavers + ktimer + kwrite + libgle3 + libkde4-ruby1.8 + libkonq5 + libkonq5-templates + libnetpbm10 + libplasma-ruby + libplasma-ruby1.8 + libqt4-ruby1.8 + marble-data + marble-plugins + netpbm + nuvola-icon-theme + plasma-dataengines-workspace + plasma-desktop + plasma-desktopthemes-artwork + plasma-runners-addons + 
plasma-scriptengine-googlegadgets + plasma-scriptengine-python + plasma-scriptengine-qedje + plasma-scriptengine-ruby + plasma-scriptengine-webkit + plasma-scriptengines + plasma-wallpapers-addons + plasma-widget-folderview + plasma-widget-networkmanagement + ruby + sweeper + update-notifier-kde + xscreensaver-data-extra + xscreensaver-gl + xscreensaver-gl-extra + xscreensaver-screensaver-bsod

Installed using aptitude, removed with apt-get

- deskbar-applet xserver-xorg xserver-xorg-core - xserver-xorg-input-wacom xserver-xorg-video-intel - xserver-xorg-video-openchrome + ark + google-gadgets-common + google-gadgets-qt + htdig + kate + kdebase-bin + kdebase-data + kdepasswd + kfind + klipper + konq-plugins + konqueror + ksysguard + ksysguardd + libarchive1 + libcln6 + libeet1 + libeina-svn-06 + libggadget-1.0-0b + libggadget-qt-1.0-0b + libgps19 + libkdecorations4 + libkephal4 + libkonq4 + libkonqsidebarplugin4a + libkscreensaver5 + libksgrd4 + libksignalplotter4 + libkunitconversion4 + libkwineffects1a + libmarblewidget4 + libntrack-qt4-1 + libntrack0 + libplasma-geolocation-interface4 + libplasmaclock4a + libplasmagenericshell4 + libprocesscore4a + libprocessui4a + libqalculate5 + libqedje0a + libqtruby4shared2 + libqzion0a + libruby1.8 + libscim8c2a + libsmokekdecore4-3 + libsmokekdeui4-3 + libsmokekfile3 + libsmokekhtml3 + libsmokekio3 + libsmokeknewstuff2-3 + libsmokeknewstuff3-3 + libsmokekparts3 + libsmokektexteditor3 + libsmokekutils3 + libsmokenepomuk3 + libsmokephonon3 + libsmokeplasma3 + libsmokeqtcore4-3 + libsmokeqtdbus4-3 + libsmokeqtgui4-3 + libsmokeqtnetwork4-3 + libsmokeqtopengl4-3 + libsmokeqtscript4-3 + libsmokeqtsql4-3 + libsmokeqtsvg4-3 + libsmokeqttest4-3 + libsmokeqtuitools4-3 + libsmokeqtwebkit4-3 + libsmokeqtxml4-3 + libsmokesolid3 + libsmokesoprano3 + libtaskmanager4a + libtidy-0.99-0 + libweather-ion4a + libxklavier16 + libxxf86misc1 + okteta + oxygencursors + plasma-dataengines-addons + plasma-scriptengine-superkaramba + plasma-widget-lancelot + plasma-widgets-addons + plasma-widgets-workspace + polkit-kde-1 + ruby1.8 + systemsettings + update-notifier-common

-

I was told on IRC that the xorg-xserver package was -changed -in git today to try to get apt-get to not remove xorg completely. -No idea when it hits Squeeze, but when it does I hope it will reduce -the difference somewhat. +

Running apt-get autoremove made the results using apt-get and +aptitude a bit more similar, but there are still quite a lott of +differences. I have no idea what packages should be installed after +the upgrade, but hope those that do can have a look.
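Review bot: Several spelling slips in the added entries of this hunk should be fixed before they are published. In the upgrade-test entry, "so I adjusted by test scripts" should read "my test scripts", and "quite a lott of differences" should read "quite a lot of differences". The VLC entry has "we have choosen" and "consisten shortcuts". The footer shows that index.html is generated by Chronicle, so correct the source entries and regenerate rather than editing this file by hand.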

@@ -797,213 +929,87 @@ the difference somewhat.
- -
2010-07-01 11:40
+ +
2010-11-22 11:20
-

For a laptop, centralized user directories and password checking is -a bit troubling. Laptops are typically used also when not connected -to the network, and it is vital for a user to be able to log in or -unlock the screen saver also when a central server is unavailable. -This is possible by caching passwords and directory information (user -and group attributes) locally, and the packages to do so are available -in Debian. Here follow two recipes to set this up in Debian/Squeeze. -It is also possible to set up in Debian/Lenny, but require more manual -setup there because pam-auth-update is missing in Lenny.

- -

LDAP/Kerberos + nscd + libpam-ccreds + libpam-mklocaluser/pam_mkhomedir

- -This is the traditional method with a twist. The password caching is -provided by libpam-ccreds (version 10-4 or later is needed on -Squeeze), and the directory caching is done by nscd. The directory -lookup and password checking is done using LDAP. If one want to use -Kerberos for password checking the libpam-ldapd package can be -replaced with libpam-krb5 or libpam-heimdal. If one is happy having a -local home directory with the path listed in LDAP, one can use the -pam_mkhomedir module from pam-modules to make this happen instead of -using libpam-mklocaluser. A setup for pam-auth-update to enable -pam_mkhomedir will have to be written until a fix for -bug #568577 is in the -archive. Because I believe it is a bad idea to have local home -directories using misleading paths like /site/server/partition/, I -prefer to create a local user with the home directory in /home/. This -is done using the libpam-mklocaluser package.

- -

These packages need to be installed and configured

- -
-libnss-ldapd libpam-ldapd nscd libpam-ccreds libpam-mklocaluser
-
- -

The ldapd packages will ask for LDAP connection information, and -one have to fill in the values that fits ones own site. Make sure the -PAM part uses encrypted connections, to make sure the password is not -sent in clear text to the LDAP server. I've been unable to get TLS -certificate checking for a self signed certificate working, which make -LDAP authentication unsafe for Debian Edu (nslcd is not checking if it -is talking to the correct LDAP server), and very much welcome feedback -on how to get this working.

- -

Because nscd do not have a default configuration fit for offline -caching until bug #485282 -is fixed, this configuration should be used instead of the one -currently in /etc/nscd.conf. The changes are in the fields -reload-count and positive-time-to-live, and is based on the -instructions I found in the -LDAP for Mobile Laptops -instructions by Flyn Computing.

- -
-	debug-level		0
-	reload-count		unlimited
-	paranoia		no
-
-	enable-cache		passwd		yes
-	positive-time-to-live	passwd		2592000
-	negative-time-to-live	passwd		20
-	suggested-size		passwd		211
-	check-files		passwd		yes
-	persistent		passwd		yes
-	shared			passwd		yes
-	max-db-size		passwd		33554432
-	auto-propagate		passwd		yes
-
-	enable-cache		group		yes
-	positive-time-to-live	group		2592000
-	negative-time-to-live	group		20
-	suggested-size		group		211
-	check-files		group		yes
-	persistent		group		yes
-	shared			group		yes
-	max-db-size		group		33554432
-	auto-propagate		group		yes
-
-	enable-cache		hosts		no
-	positive-time-to-live	hosts		2592000
-	negative-time-to-live	hosts		20
-	suggested-size		hosts		211
-	check-files		hosts		yes
-	persistent		hosts		yes
-	shared			hosts		yes
-	max-db-size		hosts		33554432
-
-	enable-cache		services	yes
-	positive-time-to-live	services	2592000
-	negative-time-to-live	services	20
-	suggested-size		services	211
-	check-files		services	yes
-	persistent		services	yes
-	shared			services	yes
-	max-db-size		services	33554432
-
- -

While we wait for a mechanism to update /etc/nsswitch.conf -automatically like the one provided in -bug #496915, the file -content need to be manually replaced to ensure LDAP is used as the -directory service on the machine. /etc/nsswitch.conf should normally -look like this:

- -
-passwd:         files ldap
-group:          files ldap
-shadow:         files ldap
-hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
-networks:       files
-protocols:      files
-services:       files
-ethers:         files
-rpc:            files
-netgroup:       files ldap
-
- -

The important parts are that ldap is listed last for passwd, group, -shadow and netgroup.

- -

With these changes in place, any user in LDAP will be able to log -in locally on the machine using for example kdm, get a local home -directory created and have the password as well as user and group -attributes cached. - -

LDAP/Kerberos + nss-updatedb + libpam-ccreds + - libpam-mklocaluser/pam_mkhomedir

- -

Because nscd have had its share of problems, and seem to have -problems doing proper caching, I've seen suggestions and recipes to -use nss-updatedb to copy parts of the LDAP database locally when the -LDAP database is available. I have not tested such setup, because I -discovered sssd.

- -

LDAP/Kerberos + sssd + libpam-mklocaluser

- -

A more flexible and robust setup than the nscd combination -mentioned earlier that has shown up recently, is the -sssd package from Redhat. -It is part of the FreeIPA project -to provide a Active Directory like directory service for Linux -machines. The sssd system combines the caching of passwords and user -information into one package, and remove the need for nscd and -libpam-ccreds. It support LDAP and Kerberos, but not NIS. Version -1.2 do not support netgroups, but it is said that it will support this -in version 1.5 expected to show up later in 2010. Because the -sssd package -was missing in Debian, I ended up co-maintaining it with Werner, and -version 1.2 is now in testing. - -

These packages need to be installed and configured to get the -roaming setup I want

- -
-libpam-sss libnss-sss libpam-mklocaluser
-
- -The complete setup of sssd is done by editing/creating -/etc/sssd/sssd.conf. - -
-[sssd]
-config_file_version = 2
-reconnection_retries = 3
-sbus_timeout = 30
-services = nss, pam
-domains = INTERN
-
-[nss]
-filter_groups = root
-filter_users = root
-reconnection_retries = 3
-
-[pam]
-reconnection_retries = 3
-
-[domain/INTERN]
-enumerate = false
-cache_credentials = true
-
-id_provider = ldap
-auth_provider = ldap
-chpass_provider = ldap
-
-ldap_uri = ldap://ldap
-ldap_search_base = dc=skole,dc=skolelinux,dc=no
-ldap_tls_reqcert = never
-ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
-
- -

I got the same problem here with certificate checking. Had to set -"ldap_tls_reqcert = never" to get it working.

- -

With the libnss-sss package in testing at the moment, the -nsswitch.conf file is update automatically, so there is no need to -modify it manually.

- -

If you want to help out with implementing this for Debian Edu, -please contact us on debian-edu@lists.debian.org.

+

Most of the computers in use by the +Debian Edu/Skolelinux project +are virtual machines. And they have been Xen machines running on a +fairly old IBM eserver xseries 345 machine, and we wanted to migrate +them to KVM on a newer Dell PowerEdge 2950 host machine. This was a +bit harder that it could have been, because we set up the Xen virtual +machines to get the virtual partitions from LVM, which as far as I +know is not supported by KVM. So to migrate, we had to convert +several LVM logical volumes to partitions on a virtual disk file.

+ +

I found +a +nice recipe to do this, and wrote the following script to do the +migration. It uses qemu-img from the qemu package to make the disk +image, parted to partition it, losetup and kpartx to present the disk +image partions as devices, and dd to copy the data. I NFS mounted the +new servers storage area on the old server to do the migration.

+ +
+#!/bin/sh
+
+# Based on
+# http://searchnetworking.techtarget.com.au/articles/35011-Six-steps-for-migrating-Xen-virtual-machines-to-KVM
+
+set -e
+set -x
+
+if [ -z "$1" ] ; then
+    echo "Usage: $0 <hostname>"
+    exit 1
+else
+    host="$1"
+fi
+
+if [ ! -e /dev/vg_data/$host-disk ] ; then
+    echo "error: unable to find LVM volume for $host"
+    exit 1
+fi
+
+# Partitions need to be a bit bigger than the LVM LVs.  not sure why.
+disksize=$( lvs --units m | grep $host-disk | awk '{sum = sum + $4} END { print int(sum * 1.05) }')
+swapsize=$( lvs --units m | grep $host-swap | awk '{sum = sum + $4} END { print int(sum * 1.05) }')
+totalsize=$(( ( $disksize + $swapsize ) ))
+
+img=$host.img
+#dd if=/dev/zero of=$img bs=1M count=$(( $disksize + $swapsize ))
+qemu-img create $img ${totalsize}MMaking room on the Debian Edu/Sqeeze DVD
+
+parted $img mklabel msdos
+parted $img mkpart primary linux-swap 0 $disksize
+parted $img mkpart primary ext2 $disksize $totalsize
+parted $img set 1 boot on
+
+modprobe dm-mod
+losetup /dev/loop0 $img
+kpartx -a /dev/loop0
+
+dd if=/dev/vg_data/$host-disk of=/dev/mapper/loop0p1 bs=1M
+fsck.ext3 -f /dev/mapper/loop0p1 || true
+mkswap /dev/mapper/loop0p2
+
+kpartx -d /dev/loop0
+losetup -d /dev/loop0
+
+ +

The script is perhaps so simple that it is not copyrightable, but +if it is, it is licenced using GPL v2 or later at your discretion.

+ +

After doing this, I booted a Debian CD in rescue mode in KVM with +the new disk image attached, installed grub-pc and linux-image-686 and +set up grub to boot from the disk image. After this, the KVM machines +seem to work just fine.
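Review bot: In the added migration script, the `qemu-img create $img ${totalsize}M` line has the words "Making room on the Debian Edu/Sqeeze DVD" fused onto the size argument, so the size is malformed and the remaining words are passed as extra arguments; drop the stray text. The partition type hints are also reversed relative to how the partitions are used: partition 1 is created with `mkpart primary linux-swap 0 $disksize` but then receives the filesystem through `dd ... of=/dev/mapper/loop0p1`, while partition 2 is created as `ext2` and then gets `mkswap /dev/mapper/loop0p2`; swap the two type arguments. Because the script runs under `set -e` with a fixed `/dev/loop0` and no `trap`, a failing `dd` leaves the loop device and the kpartx mappings attached; a cleanup trap plus `losetup -f --show` would make reruns safe. Finally, `fsck.ext3 -f ... || true` discards the check result, so a damaged copy goes unnoticed; at least record the exit status.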

@@ -1035,7 +1041,17 @@ please contact us on debian-edu@lists.debian.org.

  • June (14)
  • -
  • July (10)
  • +
  • July (12)
  • + +
  • August (13)
  • + +
  • September (7)
  • + +
  • October (9)
  • + +
  • November (13)
  • + +
  • December (5)
  • @@ -1084,66 +1100,70 @@ please contact us on debian-edu@lists.debian.org.

    Tags

    -Created by Chronicle v3.7 +Created by Chronicle v3.2
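Review bot: The footer changes from "Created by Chronicle v3.7" to "Created by Chronicle v3.2", so this revision of the page was generated with an older version of the tool than the previous one. Confirm that this is intended (for instance a build on a different host), and if it is not, regenerate with the newer version so that unrelated markup differences from the generator do not get mixed into content changes.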