Petter Reinholdtsen

Thoughts on roaming laptop setup for Debian Edu

Wed, 28 Apr 2010 20:40:00 +0200

For some years now, I have wondered how we should handle laptops in -Debian Edu. The Debian Edu infrastructure is mostly designed to -handle stationary computers, and less suited for computers that come -and go.

- -

Now I finally believe I have an sensible idea on how to adjust -Debian Edu for laptops, by introducing a new profile for them, for -example called Roaming Workstations. Here are my thought on this. -The setup would consist of the following:

- -

During installation, the user name of the owner / primary usre of - the laptop is requested and a local home directory is set up for - the user, with uid and gid information fetched from the LDAP - server. This allow the user to work also when offline. The - central home directory can be available in a subdirectory on - request, for example mounted via CIFS. It could be mounted - automatically when a user log in while on the Debian Edu network, - and unmounted when the machine is taken away (network down, - hibernate, etc), it can be set up to do automatic mounting on - request (using autofs), or perhaps some GUI button on the desktop - can be used to access it when needed. Perhaps it is enough to use - the fish protocol in KDE?
Password checking is set up to use LDAP or Kerberos - authentication when the machine is on the Debian Edu network, and - to cache the password for offline checking when the machine unable - to reach the LDAP or Kerberos server. This can be done using - libpam-ccreds - or the Fedora developed - System - Security Services Daemon packages.
File synchronisation with the central home directory is set up - using a shared directory in both the local and the central home - directory, using unison.
Printing should be set up to print to all printers broadcasting - their existence on the local network, and should then work out of - the box with CUPS. For sites needing accurate printer quotas, some - system with Kerberos authentication or printing via ssh could be - implemented.
For users that should have local root access to their laptop, - sudo should be used to allow this to the local user.
It would be nice if user and group information from LDAP is - cached on the client, but given that there are entries for the - local user and primary group in /etc/, it should not be needed.

- -

I believe all the pieces to implement this are in Debian/testing at -the moment. If we work quickly, we should be able to get this ready -in time for the Squeeze release to freeze. Some of the pieces need -tweaking, like libpam-ccreds should get support for pam-auth-update -(#566718) and nslcd (or -perhaps debian-edu-config) should get some integration code to stop -its daemon when the LDAP server is unavailable to avoid long timeouts -when disconnected from the net. If we get Kerberos enabled, we need -to make sure we avoid long timeouts there too.

- -

If you want to help out with implementing this for Debian Edu, -please contact us on debian-edu@lists.debian.org.

In the Debian +popularity-contest numbers, the adobe-flashplugin package the +second most popular used package that is missing in Debian. The sixth +most popular is flashplayer-mozilla. This is a clear indication that +working flash is important for Debian users. Around 10 percent of the +users submitting data to popcon.debian.org have this package +installed.

+ +

In the report written by Lars Risan in August 2008 +(Â«Skolelinux +i bruk â Rapport for Hurum kommune, Universitetet i Agder og +stiftelsen SLX Debian LabsÂ»), one of the most important problems +schools experienced with Debian +Edu/Skolelinux was the lack of working Flash. A lot of educational +web sites require Flash to work, and lacking working Flash support in +the web browser and the problems with installing it was perceived as a +good reason to stay with Windows.

+ +

I once saw a funny and sad comment in a web forum, where Linux was +said to be the retarded cousin that did not really understand +everything you told him but could work fairly well. This was a +comment regarding the problems Linux have with proprietary formats and +non-standard web pages, and is sad because it exposes a fairly common +understanding of whose fault it is if web pages that only work in for +example Internet Explorer 6 fail to work on Firefox, and funny because +it explain very well how annoying it is for users when Linux +distributions do not work with the documents they receive or the web +pages they want to visit.

+ +

This is part of the reason why I believe it is important for Debian +and Debian Edu to have a well working Flash implementation in the +distribution, to get at least popular sites as Youtube and Google +Video to working out of the box. For Squeeze, Debian have the chance +to include the latest version of Gnash that will make this happen, as +the new release 0.8.8 was published a few weeks ago and is resting in +unstable. The new version work with more sites that version 0.8.7. +The Gnash maintainers have asked for a freeze exception, but the +release team have not had time to reply to it yet. I hope they agree +with me that Flash is important for the Debian desktop users, and thus +accept the new package into Squeeze.

Great book: "Content: Selected Essays on Technology, Creativity, Copyright, and the Future of the Future"

Mon, 19 Apr 2010 17:10:00 +0200

The last few weeks i have had the pleasure of reading a -thought-provoking collection of essays by Cory Doctorow, on topics -touching copyright, virtual worlds, the future of man when the -conscience mind can be duplicated into a computer and many more. The -book titled "Content: Selected Essays on Technology, Creativity, -Copyright, and the Future of the Future" is available with few -restrictions on the web, for example from -his own site. I read the -epub-version from -feedbooks using -fbreader and my N810. I -strongly recommend this book.

This evening I made my first Perl GUI application. The last few +days I have worked on a Perl module for controlling my recently +aquired Spykee robots, and the module is now getting complete enought +that it is possible to use it to control the robot driving at least. +It was now time to figure out how to use it to create some GUI to +allow me to drive the robot around. I picked PerlQt as I have had +positive experiences with the Qt API before, and spent a few minutes +browsing the web for examples. Using Qt Designer seemed like a short +cut, so I ended up writing the perl GUI using Qt Designer and +compiling it into a perl program using the puic program from +libqt-perl. Nothing fancy yet, but it got buttons to connect and +drive around.

+ +

The perl module I have written provide a object oriented API for +controlling the robot. Here is an small example on how to use it:

+ +

+use Spykee;
+Spykee::discover(sub {$robot{$_[0]} = $_[1]});
+my $host = (keys %robot)[0];
+my $spykee = Spykee->new();
+$spykee->contact($host, "admin", "admin");
+$spykee->left();
+sleep 2;
+$spykee->right();
+sleep 2;
+$spykee->forward();
+sleep 2;
+$spykee->back();
+sleep 2;
+$spykee->stop();
+

+ +

Thanks to the release of the source of the robot firmware, I could +peek into the implementation at the other end to figure out how to +implement the protocol used by the robot. I've implemented several of +the commands the robot understand, but is still missing the camera +support to make it possible to control the robot from remote. First I +want to implement support for uploading new firmware and configuring +the wireless network, to make it possible to bootstrap a Spykee robot +without the producers Windows and MacOSX software (I only have Linux, +so I had to ask a friend to come over to get the robot testing +going. :).

+ +

Will release the source to the public soon, but need to figure out +where to make it available first. I will add a link to +the NUUG wiki for +those that want to check back later to find it.

Kerberos for Debian Edu/Squeeze?

Wed, 14 Apr 2010 17:20:00 +0200

Yesterdays -NUUG presentation about Kerberos was inspiring, and reminded me -about the need to start using Kerberos in Skolelinux. Setting up a -Kerberos server seem to be straight forward, and if we get this in -place a long time before the Squeeze version of Debian freezes, we -have a chance to migrate Skolelinux away from NFSv3 for the home -directories, and over to an architecture where the infrastructure do -not have to trust IP addresses and machines, and instead can trust -users and cryptographic keys instead.

- -

A challenge will be integration and administration. Is there a -Kerberos implementation for Debian where one can control the -administration access in Kerberos using LDAP groups? With it, the -school administration will have to maintain access control using flat -files on the main server, which give a huge potential for errors.

- -

A related question I would like to know is how well Kerberos and -pam-ccreds (offline password check) work together. Anyone know?

- -

Next step will be to use Kerberos for access control in Lwat and -Nagios. I have no idea how much work that will be to implement. We -would also need to document how to integrate with Windows AD, as such -shared network will require two Kerberos realms that need to cooperate -to work properly.

- -

I believe a good start would be to start using Kerberos on the -skolelinux.no machines, and this way get ourselves experience with -configuration and integration. A natural starting point would be -setting up ldap.skolelinux.no as the Kerberos server, and migrate the -rest of the machines from PAM via LDAP to PAM via Kerberos one at the -time.

- -

If you would like to contribute to get this working in Skolelinux, -I recommend you to see the video recording from yesterdays NUUG -presentation, and start using Kerberos at home. The video show show -up in a few days.

Ble tipset i dag om at et forslag om Ã¥ stoppe forsÃ¸kene med +elektronisk stemmegiving utenfor valglokaler er +til +behandling i Stortinget. +Forslaget +er fremmet av Erna Solberg, Michael Tetzschner og Trond Helleland.

+ +

HÃ¥per det fÃ¥r flertall.

PÃ¥ vegne av vanvitting mange, Aftenposten!

Sat, 6 Mar 2010 21:15:00 +0100

Aftenposten -melder pÃ¥ forsiden av webavisen sin at de tror Erling Fossen -provoserer nordlendinger med sine uttalelser pÃ¥ -fotballtinget. Jeg er utflyttet nordlending, og mÃ¥ innrÃ¸mme at jeg -ikke kjennet sÃ¥ mye som et snev av provokasjon fra denne litt morsomme -uttalelsen til Hr. Fossen. Lurer pÃ¥ om Aftenposten har noen kilder -utenom redaksjonen for sin pÃ¥stand om at nordledinger er provosert av -Hr. Fossen. MÃ¥ innrÃ¸mme at jeg tviler pÃ¥ det.

- -

Det hele bringer tankene tilbake til Sture Hansen i Hallo i Uken.

Just got an email from Tobias Gruetzmacher as a followup on my +previous +post about sshfs. He reported another problem with sshfs. It +fail to handle hard links properly. A simple way to spot this is to +look at the . and .. entries in the directory tree. These should have +a link count >1, but on sshfs the count is 1. I just tested to see +what happen when trying to hardlink, and this fail as well:

+ +

+% ln foo bar
+ln: creating hard link `bar' => `foo': Function not implemented
+%
+

+ +

I have not yet found time to implement a test for this in my file +system test code, but believe having working hard links is useful to +avoid surprised unix programs. Not as useful as working file locking +and symlinks, which are required to get a working desktop, but useful +nevertheless. :)

+ +

The latest version of the file system test code is available via +git from +http://github.com/gebi/fs-test

After 6 years of waiting, the Xreset.d feature is implemented

Sat, 6 Mar 2010 18:15:00 +0100

6 years ago, as part of the Debian Edu development I am involved -in, I asked for a hook in the kdm and gdm setup to run scripts as root -when the user log out. A bug was submitted against the xfree86-common -package in 2004 (#230422), -and revisited every time Debian Edu was working on a new release. -Today, this finally paid off.

- -

The framework for this feature was today commited to the git -repositry for the xorg package, and the git repository for xdm has -been updated to use this framework. Next on my agenda is to make sure -kdm and gdm also add code to use this framework.

- -

In Debian Edu, we want to ability to run commands as root when the -user log out, to get rid of runaway processes and do general cleanup -after a user. With this framework in place, we finally can do that in -a generic way that work with all display managers using this -framework. My goal is to get all display managers in Debian use it, -similar to how they use the Xsession.d framework today.

Jeg skrev for et halvt Ã¥r siden hvordan +samfunnet +kaster bort ressurser pÃ¥ sikkerhetstiltak som ikke fungerer. Kom +nettopp over en +historie +fra en pilot fra USA som kommenterer det samme. Jeg mistenker det +kun er uvitenhet og autoritetstro som gjÃ¸r at sÃ¥ fÃ¥ protesterer. Har +veldig sans for piloten omtalt i Aftenposten 2007-10-23, +og skulle Ã¸nske flere rettet oppmerksomhet mot problemet. Det gir +ikke meg trygghetsfÃ¸lelse pÃ¥ flyplassene nÃ¥r jeg ser at +flyplassadministrasjonen kaster bort folk, penger og tid pÃ¥ tull i +stedet for ting som bidrar til reell Ã¸kning av sikkerheten. Det +forteller meg jo at vurderingsevnen til de som burde bidra til Ã¸kt +sikkerhet er svÃ¦rt sviktende, noe som ikke taler godt for de andre +tiltakene.

+ +

Mon tro hva som skjer hvis det fantes en enkel brosjyre Ã¥ skrive ut +fra Internet som forklarte hva som er galt med sikkerhetsopplegget pÃ¥ +flyplassene, og folk skrev ut og la en bunke pÃ¥ flyplassene nÃ¥r de +passerte. Kanskje det ville fÃ¥tt flere til Ã¥ fÃ¥ Ã¸ynene opp for +problemet.

+ +

Personlig synes jeg flyopplevelsen er blitt sÃ¥ avskyelig at jeg +forsÃ¸ker Ã¥ klare meg med tog, bil og bÃ¥t for Ã¥ slippe ubehaget. Det +er dog noe vanskelig i det langstrakte Norge og for Ã¥ kunne besÃ¸ke de +delene av verden jeg Ã¸nsker Ã¥ nÃ¥. Mistenker at flere har det slik, og +at dette gÃ¥r ut over inntjeningen til flyselskapene. Det er antagelig +en god ting sett fra et miljÃ¸perspektiv, men det er en annen sak.

Digitale bÃ¸ker uten digitale restriksjonsmekanismer (DRM) bÃ¸r fÃ¥ mva-fritak

Wed, 3 Mar 2010 19:00:00 +0100

Den norske bokbransjen har -bedt om at -digitale bÃ¸ker mÃ¥ fÃ¥ mva-fritak slik papirbÃ¸ker har det, og -finansdepartementet -har sagt nei. Det er et interessant spÃ¸rsmÃ¥l om digitale bÃ¸ker -bÃ¸r ha mva-fritak eller ikke, og svaret er ikke sÃ¥ enkelt som et ja -eller nei. -Enkelte -medlemmer av bokbransjen truer med Ã¥ droppe den planlagte -lanseringen av norske digitale bÃ¸ker med digitale restriksjonsmekanismer -(DRM) som de har snakket om Ã¥ gjennomfÃ¸re nÃ¥ i vÃ¥r, og det mÃ¥ de -gjerne gjÃ¸re for min del.

- -

PapirbÃ¸ker har mva-fritak pga. at de fremmer kultur- og -kunnskapsspredning. Digitale bÃ¸ker uten digitale -restriksjonsmekanismer (DRM) fremmer kultur- og kunnskapsspredning, -mens digitale bÃ¸ker med DRM hindrer kultur og kunnskapsspredning. -Digitale bÃ¸ker uten DRM bÃ¸r fÃ¥ mva-fritak da det er salg av bÃ¸ker pÃ¥ -lik linje med salg av papirbÃ¸ker, mens digitale bÃ¸ker med DRM ikke bÃ¸r -fÃ¥ det da det er utleie av bÃ¸ker og ikke salg.

- -

Jeg foretrekker Ã¥ kjÃ¸pe bÃ¸ker, og velger dermed Ã¥ la vÃ¦re Ã¥ bruke -DRM-belastede digitale bÃ¸ker. Vet ikke helt hva jeg ville vÃ¦re villig -til Ã¥ betale for Ã¥ leie en bok, men tror ikke det er mange kronene. -Heldigvis er det mye bÃ¸ker tilgjengelig uten slike restriksjoner, og -de som vil ha tak i engelske bÃ¸ker kan laste ned bÃ¸ker som er -tilgjengelig uten bruksbegresninger fra The -Internet Archive. Der er det pr. i dag 1 889 313 bÃ¸ker -tilgjengelig. De er tilgjengelig i flere formater. BesÃ¸k -oversikten over tekster -der for Ã¥ se hva de har. +

Denne hÃ¸sten skal endelig alle Osloskolene fÃ¥ mulighet til Ã¥ bruke +Skolelinux. Ny IT-lÃ¸sning +har vÃ¦rt rullet ut i noen mÃ¥neder nÃ¥, og sÃ¥ vidt jeg fikk vite fÃ¸r +sommeren skulle alle skoler ha nytt opplegg pÃ¥ plass fÃ¸r oppstart nÃ¥ i +hÃ¸st. PÃ¥ alle skolene skal en kunne velge ved installasjon om en skal +ha Windows eller Skolelinux pÃ¥ maskinene, og en kan i tillegg +PXE-boote maskinene over nett som tynne klienter eller disklÃ¸se +arbeidsstasjoner. Jeg er spent pÃ¥ hvor mange skoler som velger Ã¥ ta i +bruk Skolelinux, og gleder meg til Ã¥ se hvordan dette utvikler seg. +LÃ¸sningen leveres av +Logica med +Skolelinux Drift AS som +underleverandÃ¸r, og jeg har vÃ¦rt involvert i utviklingen av lÃ¸sningen +via Skolelinux Drift AS siden prosjektet starter. Jeg synes det er +fantastisk at Skolelinux er kommet sÃ¥ langt siden vi startet i 2001 at +alle elevene i Osloskolene nÃ¥ skal fÃ¥ mulighet til Ã¥ bruke +lÃ¸sningen. Jeg hÃ¥per de vil sette pris pÃ¥ alle de +fantastiske +brukerprogrammene som er tilgjengelig i Skolelinux.

Debian Edu / Skolelinux based on Lenny released, work continues

Thu, 11 Feb 2010 17:15:00 +0100

On Tuesday, the Debian/Lenny based version of -Skolelinux was finally -shipped. This was a major leap forward for the project, and I am very -pleased that we finally got the release wrapped up. Work on the first -point release starts imediately, as we plan to get that one out a -month after the major release, to include all fixes for bugs we found -and fixed too late in the release process to include last Tuesday.

- -

Perhaps it even is time for some partying?

- -

After this first point release, my plan is to focus again on the -next major release, based on Squeeze. We will try to get as many of -the fixes we need into the official Debian packages before the freeze, -and have just a few weeks or months to make it happen.

My file system sematics program +presented +a few days ago is very useful to verify that a file system can +work as a unix home directory,and today I had to extend it a bit. I'm +looking into alternatives for home directory access here at the +University of Oslo, and one of the options is sshfs. My friend +Finn-Arne mentioned a while back that they had used sshfs with Debian +Edu, but stopped because of problems. I asked today what the problems +where, and he mentioned that sshfs failed to handle umask properly. +Trying to detect the problem I wrote this addition to my fs testing +script:

+ +

+mode_t touch_get_mode(const char *name, mode_t mode) {
+  mode_t retval = 0;
+  int fd = open(name, O_RDWR|O_CREAT|O_LARGEFILE, mode);
+  if (-1 != fd) {
+    unlink(name);
+    struct stat statbuf;
+    if (-1 != fstat(fd, &statbuf)) {
+      retval = statbuf.st_mode & 0x1ff;
+    }
+    close(fd);
+  }
+  return retval;
+}
+
+/* Try to detect problem discovered using sshfs */
+int test_umask(void) {
+  printf("info: testing umask effect on file creation\n");
+
+  mode_t orig_umask = umask(000);
+  mode_t newmode;
+  if (0666 != (newmode = touch_get_mode("foobar", 0666))) {
+    printf("  error: Wrong file mode %o when creating using mode 666 and umask 000\n",
+           newmode);
+  }
+  umask(007);
+  if (0660 != (newmode = touch_get_mode("foobar", 0666))) {
+    printf("  error: Wrong file mode %o when creating using mode 666 and umask 007\n",
+           newmode);
+  }
+
+  umask (orig_umask);
+  return 0;
+}
+
+int main(int argc, char **argv) {
+  [...]
+  test_umask();
+  return 0;
+}
+

+ +

Sure enough. On NFS to a netapp, I get this result:

+ +

+Testing POSIX/Unix sematics on file system
+info: testing symlink creation
+info: testing subdirectory creation
+info: testing fcntl locking
+  Read-locking 1 byte from 1073741824
+  Read-locking 510 byte from 1073741826
+  Unlocking 1 byte from 1073741824
+  Write-locking 1 byte from 1073741824
+  Write-locking 510 byte from 1073741826
+  Unlocking 2 byte from 1073741824
+info: testing umask effect on file creation
+

+ +

When mounting the same directory using sshfs, I get this +result:

+ +

+Testing POSIX/Unix sematics on file system
+info: testing symlink creation
+info: testing subdirectory creation
+info: testing fcntl locking
+  Read-locking 1 byte from 1073741824
+  Read-locking 510 byte from 1073741826
+  Unlocking 1 byte from 1073741824
+  Write-locking 1 byte from 1073741824
+  Write-locking 510 byte from 1073741826
+  Unlocking 2 byte from 1073741824
+info: testing umask effect on file creation
+  error: Wrong file mode 644 when creating using mode 666 and umask 000
+  error: Wrong file mode 640 when creating using mode 666 and umask 007
+

+ +

So, I can conclude that sshfs is better than smb to a Netapp or a +Windows server, but not good enough to be used as a home +directory.

+ +

Update 2010-08-26: Reported the issue in +BTS report #594498

+ +

Update 2010-08-27: Michael Gebetsroither report that he found the +script so useful that he created a GIT repository and stored it in +http://github.com/gebi/fs-test.

Danmark gÃ¥r for ODF?

Fri, 29 Jan 2010 12:00:00 +0100

Ble nettopp gjort oppmerksom pÃ¥ en -nyhet fra Version2 -fra Danmark, der det hevdes at Folketinget har vedtatt at ODF skal -brukes som dokumentutvekslingsformat i Staten.

- -

Hyggelig lesning, spesielt hvis det viser seg at de av vedtatt -kravlisten for hva som skal aksepteres som referert i kommentarfeltet -til artikkelen og -en -annen artikkel i samme nett-avis. Liker spesielt godt denne:

- -

Det skal demonstreres, at standarden i sin helhed kan -implementeres af alle direkte i sin helhed pÃ¥ flere -platforme.

- -

Noe slikt burde vÃ¦re et krav ogsÃ¥ i Norge.

I Norge pÃ¥gÃ¥r en prosess for Ã¥ +innfÃ¸re elektronisk +stemmegiving ved kommune- og stortingsvalg. Dette skal +introduseres i 2011. Det er all grunn til Ã¥ tro at valg i Norge ikke +vil vÃ¦re til Ã¥ stole pÃ¥ hvis dette blir gjennomfÃ¸rt. Da det hele var +oppe til hÃ¸ring i 2006 forfattet jeg +en +hÃ¸ringsuttalelse fra NUUG (og EFN som hengte seg pÃ¥) som skisserte +hvilke punkter som mÃ¥ oppfylles for at en skal kunne stole pÃ¥ et valg, +og elektronisk stemmegiving mangler flere av disse. Elektronisk +stemmegiving er for alle praktiske formÃ¥l Ã¥ putte ens stemme i en sort +boks under andres kontroll, og satse pÃ¥ at de som har kontroll med +boksen er til Ã¥ stole pÃ¥ - uten at en har mulighet til Ã¥ verifisere +dette selv. Det er ikke slik en gjennomfÃ¸rer demokratiske valg.

+ +

Da problemet er fundamentalt med hvordan elektronisk stemmegiving +mÃ¥ fungere for at ogsÃ¥ ikke-krypografer skal kunne delta, har det vÃ¦rt +mange rapporter om hvordan elektronisk stemmegiving har sviktet i land +etter land. En +liten +samling referanser finnes pÃ¥ NUUGs wiki. Den siste er fra India, +der valgkomisjonen har valgt +Ã¥ +pusse politiet pÃ¥ en forsker som har dokumentert svakheter i +valgsystemet.

+ +

Her i Norge har en valgt en annen tilnÃ¦rming, der en forsÃ¸ker seg +med teknobabbel for Ã¥ fÃ¥ befolkningen til Ã¥ tro at dette skal bli +sikkert. Husk, elektronisk stemmegiving underminerer de demokratiske +valgene i Norge, og bÃ¸r ikke innfÃ¸res.

+ +

Den offentlige diskusjonen blir litt vanskelig av at media har +valgt Ã¥ kalle dette "evalg", som kan sies Ã¥ bÃ¥de gjelde elektronisk +opptelling av valget som Norge har gjort siden 60-tallet og som er en +svÃ¦rt god ide, og elektronisk opptelling som er en svÃ¦rt dÃ¥rlig ide. +Diskusjonen gir ikke mening hvis en skal diskutere om en er for eller +mot "evalg", og jeg forsÃ¸ker derfor Ã¥ vÃ¦re klar pÃ¥ at jeg snakker om +elektronisk stemmegiving og unngÃ¥ begrepet "evalg".

Automatic Munin and Nagios configuration

Wed, 27 Jan 2010 15:15:00 +0100

One of the new features in the next Debian/Lenny based release of -Debian Edu/Skolelinux, which is scheduled for release in the next few -days, is automatic configuration of the service monitoring system -Nagios. The previous release had automatic configuration of trend -analysis using Munin, and this Lenny based release take that a step -further.

- -

When installing a Debian Edu Main-server, it is automatically -configured as a Munin and Nagios server. In addition, it is -configured to be a server for the -SiteSummary -system I have written for use in Debian Edu. The SiteSummary -system is inspired by a system used by the University of Oslo where I -work. In short, the system provide a centralised collector of -information about the computers on the network, and a client on each -computer submitting information to this collector. This allow for -automatic information on which packages are installed on each machine, -which kernel the machines are using, what kind of configuration the -packages got etc. This also allow us to automatically generate Munin -and Nagios configuration.

- -

All computers reporting to the sitesummary collector with the -munin-node package installed is automatically enabled as a Munin -client and graphs from the statistics collected from that machine show -up automatically on http://www/munin/ on the Main-server.

- -

All non-laptop computers reporting to the sitesummary collector are -automatically monitored for network presence (ping and any network -services detected). In addition, all computers (also laptops) with -the nagios-nrpe-server package installed and configured the way -sitesummary would configure it, are monitored for full disks, software -raid status, swap free and other checks that need to run locally on -the machine.

- -

The result is that the administrator on a school using Debian Edu -based on Lenny will be able to check the health of his installation -with one look at the Nagios settings, without having to spend any time -keeping the Nagios configuration up-to-date.

- -

The only configuration one need to do to get Nagios up and running -is to set the password used to get access via HTTP. The system -administrator need to run "htpasswd /etc/nagios3/htpasswd.users -nagiosadmin" to create a nagiosadmin user and set a password for -it to be able to log into the Nagios web pages. After that, -everything is taken care of.

I dag fikk jeg endelig tittet litt pÃ¥ mine nyinnkjÃ¸pte roboter, og +har brukt noen timer til Ã¥ google etter interessante referanser og +aktuell kildekode for bruk pÃ¥ Linux. Det mest lovende sÃ¥ langt er +ispykee, som har en +BSD-lisensiert linux-daemon som stÃ¥r som mellomledd mellom roboter pÃ¥ +lokalnettet og en sentral tjeneste der en iPhone kan koble seg opp for +Ã¥ fjernstyre roboten. Linux-daemonen implementerer deler av +protokollen som roboten forstÃ¥r. Etter Ã¥ ha knotet litt med Ã¥ oppnÃ¥ +kontakt med roboten (den oppretter et eget ad-hoc wifi-nett, sÃ¥ jeg +mÃ¥tte gÃ¥ av mitt vanlige nett for Ã¥ fÃ¥ kontakt), og kommet frem til at +den lytter pÃ¥ IP-port 9000 og 9001, gikk jeg i gang med Ã¥ finne ut +hvordan jeg kunne snakke med roboten vha. disse portene. Robotbiten +av protokollen er publisert av produsenten med GPL-lisens, slik at det +er mulig Ã¥ se hvordan protokollen fungerer. Det finnes en java-klient +for Android som sÃ¥ ganske snasen ut, men fant ingen kildekode for +denne. Derimot hadde iphone-lÃ¸sningen kildekode, sÃ¥ jeg tok +utgangspunkt i den.

+ +

Daemonen ville i utgangspunktet forsÃ¸ke Ã¥ kontakte den sentrale +tjenesten som iphone-programmet kobler seg til. Jeg skrev dette om +til i stedet Ã¥ sette opp en nettverkstjeneste pÃ¥ min lokale maskin, +som jeg kan koble meg opp til med telnet og gi kommandoer til roboten +(act, forward, right, left, etc). Det involverte i praksis Ã¥ bytte ut +socket()/connect() med socket()/bind()/listen()/accept() for Ã¥ gjÃ¸re +klienten om til en tjener.

+ +

Mens jeg har forsÃ¸kt Ã¥ fÃ¥ roboten til Ã¥ bevege seg har min samboer +skrudd sammen resten av roboten for Ã¥ fÃ¥ montert kamera og plastpynten +(armer, plastfiber for lys). NÃ¥ er det hele montert, og roboten er +klar til bruk. MÃ¥ fÃ¥ flyttet den over til mitt vanlige trÃ¥dlÃ¸snett +fÃ¸r det blir praktisk, men de bitene av protokollen er ikke +implementert i ispykee-daemonen, sÃ¥ der mÃ¥ jeg enten fÃ¥ tak i en mac +eller en windows-maskin, eller implementere det selv.

+ +

Vi var tre som kjÃ¸pte slike roboter, og vi har blitt enige om Ã¥ +samle notater og referanser pÃ¥ NUUGs wiki. Ta en titt +der hvis du er nysgjerrig.

Sikkerhet, teater, og hvordan gjÃ¸re verden sikrere

Wed, 30 Dec 2009 16:35:00 +0100

Via Slashdot fant jeg en -nydelig -kommentar fra Bruce Schneier som ble publisert hos CNN i gÃ¥r. Den -forklarer forbilledlig hvorfor sikkerhetsteater og innfÃ¸ring av -totalitÃ¦re politistatmetoder ikke er lÃ¸sningen for Ã¥ gjÃ¸re verden -sikrere. Anbefales pÃ¥ det varmeste.

- -

Oppdatering: Kom over -nok -en kommentar om den manglende effekten av dagens sikkerhetsteater -pÃ¥ flyplassene.

Jeg kjÃ¸pte nettopp to +Spykee-roboter, for test og +leking. KjÃ¸pte to da det var sÃ¥ billige, og gir meg mulighet til Ã¥ +eksperimentere uten Ã¥ vÃ¦re veldig redd for Ã¥ Ã¸delegge alt ved Ã¥ bytte +ut firmware og slikt. Oppdaget at lekebutikken pÃ¥ Bryn senter hadde +en liten stabel pÃ¥ lager som de ikke hadde klart Ã¥ selge ut etter +fjorÃ¥rets juleinnkjÃ¸p, og var villig til Ã¥ selge for en femtedel av +vanlig pris. Jeg, Ronny og Jarle har skaffet oss restbeholdningen, og +det blir morsomt Ã¥ se hva vi fÃ¥r ut av dette.

+ +

Roboten har belter styrt av to motorer, kamera, hÃ¸ytaler, mikrofon +og wifi-tilkobling. Det hele styrt av en GPL-lisensiert databoks som +jeg mistenker kjÃ¸rer linux. Firmware-kildekoden ble visst publisert i +mai. Eneste utfordringen er at kontroller-programvaren kun finnes til +Windows, men det mÃ¥ en kunne jobbe seg rundt nÃ¥r vi har kildekoden til +firmwaren. :)

+ +