1 <?xml version=
"1.0" encoding=
"utf-8"?>
2 <rss version='
2.0' xmlns:lj='http://www.livejournal.org/rss/lj/
1.0/'
>
4 <title>Petter Reinholdtsen - Entries tagged english
</title>
5 <description>Entries tagged english
</description>
6 <link>http://people.skolelinux.org/pere/blog/
</link>
10 <title>The sorry state of multimedia browser plugins in Debian
</title>
11 <link>http://people.skolelinux.org/pere/blog/The_sorry_state_of_multimedia_browser_plugins_in_Debian.html
</link>
12 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/The_sorry_state_of_multimedia_browser_plugins_in_Debian.html
</guid>
13 <pubDate>Tue,
25 Nov
2008 00:
10:
00 +
0100</pubDate>
15 <p
>Recently I have spent some time evaluating the multimedia browser
16 plugins available in Debian Lenny, to see which one we should use by
17 default in Debian Edu. We need an embedded video playing plugin with
18 control buttons to pause or stop the video, and capable of streaming
19 all the multimedia content available on the web. The test results and
20 notes are available on
21 <a href=
"http://wiki.debian.org/DebianEdu/BrowserMultimedia
">the
22 Debian wiki
</a
>. I was surprised how few of the plugins are able to
23 fill this need. My personal video player favorite, VLC, has a really
24 bad plugin which fail on a lot of the test pages. A lot of the MIME
25 types I would expect to work with any free software player (like
26 video/ogg), just do not work. And simple formats like the
27 audio/x-mplegurl format (m3u playlists), just isn
't supported by the
28 totem and vlc plugins. I hope the situation will improve soon. No
29 wonder sites use the proprietary Adobe flash to play video.
</p
>
31 <p
>For Lenny, we seem to end up with the mplayer plugin. It seem to
32 be the only one fitting our needs. :/
</p
>
37 <title>Devcamp brought us closer to the Lenny based Debian Edu release
</title>
38 <link>http://people.skolelinux.org/pere/blog/Devcamp_brought_us_closer_to_the_Lenny_based_Debian_Edu_release.html
</link>
39 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Devcamp_brought_us_closer_to_the_Lenny_based_Debian_Edu_release.html
</guid>
40 <pubDate>Sun,
7 Dec
2008 12:
00:
00 +
0100</pubDate>
42 <p
>This weekend we had a small developer gathering for Debian Edu in
43 Oslo. Most of Saturday was used for the general assemly for the
44 member organization, but the rest of the weekend I used to tune the
45 LTSP installation. LTSP now work out of the box on the
10-network.
46 Acer Aspire One proved to be a very nice thin client, with both
47 screen, mouse and keybard in a small box. Was working on getting the
48 diskless workstation setup configured out of the box, but did not
49 finish it before the weekend was up.
</p
>
51 <p
>Did not find time to look at the
4 VGA cards in one box we got from
52 the Brazilian group, so that will have to wait for the next
53 development gathering. Would love to have the Debian Edu installer
54 automatically detect and configure a multiseat setup when it find one
55 of these cards.
</p
>
60 <title>Software video mixer on a USB stick
</title>
61 <link>http://people.skolelinux.org/pere/blog/Software_video_mixer_on_a_USB_stick.html
</link>
62 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Software_video_mixer_on_a_USB_stick.html
</guid>
63 <pubDate>Sun,
28 Dec
2008 15:
40:
00 +
0100</pubDate>
65 <p
>The
<a href=
"http://www.nuug.no/
">Norwegian Unix User Group
</a
> is
66 recording our montly presentation on video, and recently we have
67 worked on improving the quality of the recordings by mixing the slides
68 directly with the video stream. For this, we use the
69 <a href=
"http://dvswitch.alioth.debian.org/
">dvswitch
</a
> package from
70 the Debian video team. As this require quite one computer per video
71 source, and NUUG do not have enough laptops available, we need to
72 borrow laptops. And to avoid having to install extra software on
73 these borrwed laptops, I have wrapped up all the programs needed on a
74 bootable USB stick. The software required is dvswitch with assosiated
75 source, sink and mixer applications and
76 <a href=
"http://www.kinodv.org/
">dvgrab
</a
>. To allow this setup to
77 work without any configuration, I
've patched dvswitch to use
78 <a href=
"http://www.avahi.org/
">avahi
</a
> to connect the various parts
79 together. And to allow us to use laptops without firewire plugs, I
80 upgraded dvgrab to the one from Debian/unstable to get one that work
81 with USB sources. We have not yet tested this setup in a production
82 setup, but I hope it will work properly, and allow us to set up a
83 video mixer in a very short time frame. We will need it for
84 <a href=
"http://www.goopen.no/
">Go Open
2009</a
>.
</p
>
86 <p
><a href=
"http://www.nuug.no/pub/video/bin/usbstick-dvswitch.img.gz
">The
87 USB image
</a
> is for a
1 GB memory stick, but can be used on any
88 larger stick as well.
</p
>
93 <title>When web browser developers make a video player...
</title>
94 <link>http://people.skolelinux.org/pere/blog/When_web_browser_developers_make_a_video_player___.html
</link>
95 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/When_web_browser_developers_make_a_video_player___.html
</guid>
96 <pubDate>Sat,
17 Jan
2009 18:
50:
00 +
0100</pubDate>
98 <p
>As part of the work we do in
<a href=
"http://www.nuug.no
">NUUG
</a
>
99 to publish video recordings of our monthly presentations, we provide a
100 page with embedded video for easy access to the recording. Putting a
101 good set of HTML tags together to get working embedded video in all
102 browsers and across all operating systems is not easy. I hope this
103 will become easier when the
&lt;video
&gt; tag is implemented in all
104 browsers, but I am not sure. We provide the recordings in several
105 formats, MPEG1, Ogg Theora, H
.264 and Quicktime, and want the
106 browser/media plugin to pick one it support and use it to play the
107 recording, using whatever embed mechanism the browser understand.
108 There is at least four different tags to use for this, the new HTML5
109 &lt;video
&gt; tag, the
&lt;object
&gt; tag, the
&lt;embed
&gt; tag and
110 the
&lt;applet
&gt; tag. All of these take a lot of options, and
111 finding the best options is a major challenge.
</p
>
113 <p
>I just tested the experimental Opera browser available from
<a
114 href=
"http://labs.opera.com
">labs.opera.com
</a
>, to see how it handled
115 a
&lt;video
&gt; tag with a few video sources and no extra attributes.
116 I was not very impressed. The browser start by fetching a picture
117 from the video stream. Not sure if it is the first frame, but it is
118 definitely very early in the recording. So far, so good. Next,
119 instead of streaming the
76 MiB video file, it start to download all
120 of it, but do not start to play the video. This mean I have to wait
121 for several minutes for the downloading to finish. When the download
122 is done, the playing of the video do not start! Waiting for the
123 download, but I do not get to see the video? Some testing later, I
124 discover that I have to add the controls=
"true
" attribute to be able
125 to get a play button to pres to start the video. Adding
126 autoplay=
"true
" did not help. I sure hope this is a misfeature of the
127 test version of Opera, and that future implementations of the
128 &lt;video
&gt; tag will stream recordings by default, or at least start
129 playing when the download is done.
</p
>
131 <p
>The test page I used (since changed to add more attributes) is
132 <a href=
"http://www.nuug.no/aktiviteter/
20090113-foredrag-om-foredrag/
">available
133 from the nuug site
</a
>. Will have to test it with the new Firefox
136 <p
>In the test process, I discovered a missing feature. I was unable
137 to find a way to get the URL of the playing video out of Opera, so I
138 am not quite sure it picked the Ogg Theora version of the video. I
139 sure hope it was using the announced Ogg Theora support. :)
</p
>
144 <title>Using bar codes at a computing center
</title>
145 <link>http://people.skolelinux.org/pere/blog/Using_bar_codes_at_a_computing_center.html
</link>
146 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Using_bar_codes_at_a_computing_center.html
</guid>
147 <pubDate>Fri,
20 Feb
2009 08:
50:
00 +
0100</pubDate>
149 <p
>At work with the University of Oslo, we have several hundred computers
150 in our computing center. This give us a challenge in tracking the
151 location and cabling of the computers, when they are added, moved and
152 removed. Some times the location register is not updated when a
153 computer is inserted or moved and we then have to search the room for
154 the
"missing
" computer.
</p
>
156 <p
>In the last issue of Linux Journal, I came across a project
157 <a href=
"http://www.libdmtx.org/
">libdmtx
</a
> to write and read bar
158 code blocks as defined in the
159 <a href=
"http://en.wikipedia.org/wiki/Data_Matrix
">The Data Matrix
160 Standard
</a
>. This is bar codes that can be read with a normal
161 digital camera, for example that on a cell phone, and several such bar
162 codes can be read by libdmtx from one picture. The bar code standard
163 allow up to
2 KiB to be written in the tag. There is another project
164 with
<a href=
"http://www.terryburton.co.uk/barcodewriter/
">a bar code
165 writer written in postscript
</a
> capable of creating such bar codes,
166 but this was the first time I found a tool to read these bar
169 <p
>It occurred to me that this could be used to tag and track the
170 machines in our computing center. If both racks and computers are
171 tagged this way, we can use a picture of the rack and all its
172 computers to detect the rack location of any computer in that rack.
173 If we do this regularly for the entire room, we will find all
174 locations, and can detect movements and removals.
</p
>
176 <p
>I decided to test if this would work in practice, and picked a
177 random rack and tagged all the machines with their names. Next, I
178 took pictures with my digital camera, and gave the dmtxread program
179 these JPEG pictures to see how many tags it could read. This worked
180 fairly well. If the pictures was well focused and not taken from the
181 side, all tags in the image could be read. Because of limited space
182 between the racks, I was unable to get a good picture of the entire
183 rack, but could without problem read all tags from a picture covering
184 about half the rack. I had to limit the search time used by dmtxread
185 to
60000 ms to make sure it terminated in a reasonable time frame.
</p
>
187 <p
>My conclusion is that this could work, and we should probably look
188 at adjusting our computer tagging procedures to use bar codes for
189 easier automatic tracking of computers.
</p
>
194 <title>Checking server hardware support status for Dell, HP and IBM servers
</title>
195 <link>http://people.skolelinux.org/pere/blog/Checking_server_hardware_support_status_for_Dell__HP_and_IBM_servers.html
</link>
196 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Checking_server_hardware_support_status_for_Dell__HP_and_IBM_servers.html
</guid>
197 <pubDate>Sat,
28 Feb
2009 23:
50:
00 +
0100</pubDate>
199 <p
>At work, we have a few hundred Linux servers, and with that amount
200 of hardware it is important to keep track of when the hardware support
201 contract expire for each server. We have a machine (and service)
202 register, which until recently did not contain much useful besides the
203 machine room location and contact information for the system owner for
204 each machine. To make it easier for us to track support contract
205 status, I
've recently spent time on extending the machine register to
206 include information about when the support contract expire, and to tag
207 machines with expired contracts to make it easy to get a list of such
208 machines. I extended a perl script already being used to import
209 information about machines into the register, to also do some screen
210 scraping off the sites of Dell, HP and IBM (our majority of machines
211 are from these vendors), and automatically check the support status
212 for the relevant machines. This make the support status information
213 easily available and I hope it will make it easier for the computer
214 owner to know when to get new hardware or renew the support contract.
215 The result of this work documented that
27% of the machines in the
216 registry is without a support contract, and made it very easy to find
217 them.
27% might seem like a lot, but I see it more as the case of us
218 using machines a bit longer than the
3 years a normal support contract
219 last, to have test machines and a platform for less important
220 services. After all, the machines without a contract are working fine
221 at the moment and the lack of contract is only a problem if any of
222 them break down. When that happen, we can either fix it using spare
223 parts from other machines or move the service to another old
226 <p
>I believe the code for screen scraping the Dell site was originally
227 written by Trond Hasle Amundsen, and later adjusted by me and Morten
228 Werner Forsbring. The HP scraping was written by me after reading a
229 nice article in ;login: about how to use WWW::Mechanize, and the IBM
230 scraping was written by me based on the Dell code. I know the HTML
231 parsing could be done using nice libraries, but did not want to
232 introduce more dependencies. This is the current incarnation:
</p
>
240 sub get_support_info {
241 my ($machine, $model, $serial, $productnumber) = @_;
244 if ( $model =~ m/^Dell / ) {
245 # fetch website from Dell support
246 my $url =
"http://support.euro.dell.com/support/topics/topic.aspx/emea/shared/support/my_systems_info/no/details?c=no
&amp;cs=nodhs1
&amp;l=no
&amp;s=dhs
&amp;ServiceTag=$serial
";
247 my $webpage = get($url);
248 return undef unless ($webpage);
251 my @lines = split(/\n/, $webpage);
252 foreach my $line (@lines) {
253 next unless ($line =~ m/Beskrivelse/);
254 $line =~ s/
&lt;[^
>]+?
>/;/gm;
255 $line =~ s/^.+?;(Beskrivelse;)/$
1/;
257 my @f = split(/\;/, $line);
259 my $lastend =
"";
260 while ($f[
3] eq
"DELL
") {
261 my ($type, $startstr, $endstr, $days) = @f[
0,
5,
7,
10];
263 my $start = POSIX::strftime(
"%Y-%m-%d
",
264 localtime(str2time($startstr)));
265 my $end = POSIX::strftime(
"%Y-%m-%d
",
266 localtime(str2time($endstr)));
267 $str .=
"$type $start -
> $end
";
269 $lastend = $end if ($end gt $lastend);
271 my $today = POSIX::strftime(
"%Y-%m-%d
", localtime(time));
272 tag_machine_unsupported($machine)
273 if ($lastend lt $today);
275 } elsif ( $model =~ m/^HP / ) {
276 my $mech = WWW::Mechanize-
>new();
278 'http://www1.itrc.hp.com/service/ewarranty/warrantyInput.do
';
281 'BODServiceID
' =
> 'NA
',
282 'RegisteredPurchaseDate
' =
> '',
283 'country
' =
> 'NO
',
284 'productNumber
' =
> $productnumber,
285 'serialNumber1
' =
> $serial,
287 $mech-
>submit_form( form_number =
> 2,
288 fields =
> $fields );
289 # Next step is screen scraping
290 my $content = $mech-
>content();
292 $content =~ s/
&lt;[^
>]+?
>/;/gm;
293 $content =~ s/\s+/ /gm;
294 $content =~ s/;\s*;/;;/gm;
295 $content =~ s/;[\s;]+/;/gm;
297 my $today = POSIX::strftime(
"%Y-%m-%d
", localtime(time));
299 while ($content =~ m/;Warranty Type;/) {
300 my ($type, $status, $startstr, $stopstr) = $content =~
301 m/;Warranty Type;([^;]+);.+?;Status;(\w+);Start Date;([^;]+);End Date;([^;]+);/;
302 $content =~ s/^.+?;Warranty Type;//;
303 my $start = POSIX::strftime(
"%Y-%m-%d
",
304 localtime(str2time($startstr)));
305 my $end = POSIX::strftime(
"%Y-%m-%d
",
306 localtime(str2time($stopstr)));
308 $str .=
"$type ($status) $start -
> $end
";
310 tag_machine_unsupported($machine)
313 } elsif ( $model =~ m/^IBM / ) {
314 # This code ignore extended support contracts.
315 my ($producttype) = $model =~ m/.*-\[(.{
4}).+\]-/;
316 if ($producttype
&amp;
&amp; $serial) {
318 get(
"http://www-
947.ibm.com/systems/support/supportsite.wss/warranty?action=warranty
&amp;brandind=
5000008&amp;Submit=Submit
&amp;type=$producttype
&amp;serial=$serial
");
320 $content =~ s/
&lt;[^
>]+?
>/;/gm;
321 $content =~ s/\s+/ /gm;
322 $content =~ s/;\s*;/;;/gm;
323 $content =~ s/;[\s;]+/;/gm;
325 $content =~ s/^.+?;Warranty status;//;
326 my ($status, $end) = $content =~ m/;Warranty status;([^;]+)\s*;Expiration date;(\S+) ;/;
328 $str .=
"($status) -
> $end
";
330 my $today = POSIX::strftime(
"%Y-%m-%d
", localtime(time));
331 tag_machine_unsupported($machine)
340 <p
>Here are some examples on how to use the function, using fake
341 serial numbers. The information passed in as arguments are fetched
342 from dmidecode.
</p
>
345 print get_support_info(
"hp.host
",
"HP ProLiant BL460c G1
",
"1234567890"
346 "447707-B21
");
347 print get_support_info(
"dell.host
",
"Dell Inc. PowerEdge
2950",
"1234567");
348 print get_support_info(
"ibm.host
",
"IBM eserver xSeries
345 -[
867061X]-
",
349 "1234567");
352 <p
>I would recommend this approach for tracking support contracts for
353 everyone with more than a few computers to administer. :)
</p
>
355 <p
>Update
2009-
03-
06: The IBM page do not include extended support
356 contracts, so it is useless in that case. The original Dell code do
357 not handle extended support contracts either, but has been updated to
363 <title>Time for new LDAP schemas replacing RFC
2307?
</title>
364 <link>http://people.skolelinux.org/pere/blog/Time_for_new__LDAP_schemas_replacing_RFC_2307_.html
</link>
365 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Time_for_new__LDAP_schemas_replacing_RFC_2307_.html
</guid>
366 <pubDate>Sun,
29 Mar
2009 20:
30:
00 +
0200</pubDate>
368 <p
>The state of standardized LDAP schemas on Linux is far from
369 optimal. There is RFC
2307 documenting one way to store NIS maps in
370 LDAP, and a modified version of this normally called RFC
2307bis, with
371 some modifications to be compatible with Active Directory. The RFC
372 specification handle the content of a lot of system databases, but do
373 not handle DNS zones and DHCP configuration.
</p
>
375 <p
>In
<a href=
"http://www.skolelinux.org/
">Debian Edu/Skolelinux
</a
>,
376 we would like to store information about users, SMB clients/hosts,
377 filegroups, netgroups (users and hosts), DHCP and DNS configuration,
378 and LTSP configuration in LDAP. These objects have a lot in common,
379 but with the current LDAP schemas it is not possible to have one
380 object per entity. For example, one need to have at least three LDAP
381 objects for a given computer, one with the SMB related stuff, one with
382 DNS information and another with DHCP information. The schemas
383 provided for DNS and DHCP are impossible to combine into one LDAP
384 object. In addition, it is impossible to implement quick queries for
385 netgroup membership, because of the way NIS triples are implemented.
386 It just do not scale. I believe it is time for a few RFC
387 specifications to cleam up this mess.
</p
>
389 <p
>I would like to have one LDAP object representing each computer in
390 the network, and this object can then keep the SMB (ie host key), DHCP
391 (mac address/name) and DNS (name/IP address) settings in one place.
392 It need to be efficently stored to make sure it scale well.
</p
>
394 <p
>I would also like to have a quick way to map from a user or
395 computer and to the net group this user or computer is a member.
</p
>
397 <p
>Active Directory have done a better job than unix heads like myself
398 in this regard, and the unix side need to catch up. Time to start a
399 new IETF work group?
</p
>
404 <title>Returning from Skolelinux developer gathering
</title>
405 <link>http://people.skolelinux.org/pere/blog/Returning_from_Skolelinux_developer_gathering.html
</link>
406 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Returning_from_Skolelinux_developer_gathering.html
</guid>
407 <pubDate>Sun,
29 Mar
2009 21:
00:
00 +
0200</pubDate>
409 <p
>I
'm sitting on the train going home from this weekends Debian
410 Edu/Skolelinux development gathering. I got a bit done tuning the
411 desktop, and looked into the dynamic service location protocol
412 implementation avahi. It look like it could be useful for us. Almost
413 30 people participated, and I believe it was a great environment to
414 get to know the Skolelinux system. Walter Bender, involved in the
415 development of the Sugar educational platform, presented his stuff and
416 also helped me improve my OLPC installation. He also showed me that
417 his Turtle Art application can be used in standalone mode, and we
418 agreed that I would help getting it packaged for Debian. As a
419 standalone application it would be great for Debian Edu. We also
420 tried to get the video conferencing working with two OLPCs, but that
421 proved to be too hard for us. The application seem to need more work
422 before it is ready for me. I look forward to getting home and relax
428 <title>Standardize on protocols and formats, not vendors and applications
</title>
429 <link>http://people.skolelinux.org/pere/blog/Standardize_on_protocols_and_formats__not_vendors_and_applications.html
</link>
430 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Standardize_on_protocols_and_formats__not_vendors_and_applications.html
</guid>
431 <pubDate>Mon,
30 Mar
2009 11:
50:
00 +
0200</pubDate>
433 <p
>Where I work at the University of Oslo, one decision stand out as a
434 very good one to form a long lived computer infrastructure. It is the
435 simple one, lost by many in todays computer industry: Standardize on
436 open network protocols and open exchange/storage formats, not applications.
437 Applications come and go, while protocols and files tend to stay, and
438 thus one want to make it easy to change application and vendor, while
439 avoiding conversion costs and locking users to a specific platform or
440 application.
</p
>
442 <p
>This approach make it possible to replace the client applications
443 independently of the server applications. One can even allow users to
444 use several different applications as long as they handle the selected
445 protocol and format. In the normal case, only one client application
446 is recommended and users only get help if they choose to use this
447 application, but those that want to deviate from the easy path are not
448 blocked from doing so.
</p
>
450 <p
>It also allow us to replace the server side without forcing the
451 users to replace their applications, and thus allow us to select the
452 best server implementation at any moment, when scale and resouce
453 requirements change.
</p
>
455 <p
>I strongly recommend standardizing - on open network protocols and
456 open formats, but I would never recommend standardizing on a single
457 application that do not use open network protocol or open formats.
</p
>
462 <title>Recording video from cron using VLC
</title>
463 <link>http://people.skolelinux.org/pere/blog/Recording_video_from_cron_using_VLC.html
</link>
464 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Recording_video_from_cron_using_VLC.html
</guid>
465 <pubDate>Sun,
5 Apr
2009 10:
00:
00 +
0200</pubDate>
467 <p
>One think I have wanted to figure out for a along time is how to
468 run vlc from cron to do recording of video streams on the net. The
469 task is trivial with mplayer, but I do not really trust the security
470 of mplayer (it crashes too often on strange input), and thus prefer
471 vlc. I finally found a way to do it today. I spent an hour or so
472 searching the web for recipes and reading the documentation. The
473 hardest part was to get rid of the GUI window, but after finding the
474 dummy interface, the command line finally presented itself:
</p
>
476 <blockquote
><pre
>URL=http://www.ping.uio.no/video/rms-oslo_2009.ogg
478 DISPLAY= vlc -q $URL \
479 --sout=
"#duplicate{dst=std{access=file,url=
'$SAVEFILE
'},dst=nodisplay}
" \
480 --intf=dummy
</pre
></blockquote
>
482 <p
>The command stream the URL and store it in the SAVEFILE by
483 duplicating the output stream to
"nodisplay
" and the file, using the
484 dummy interface. The dummy interface and the nodisplay output make
485 sure no X interface is needed.
</p
>
487 <p
>The cron job then need to start this job with the appropriate URL
488 and file name to save, sleep for the duration wanted, and then kill
489 the vlc process with SIGTERM. Here is a complete script
490 <tt
>vlc-record
</tt
> to use from
<tt
>at
</tt
> or
<tt
>cron
</tt
>:
</p
>
492 <blockquote
><pre
>#!/bin/sh
495 SAVEFILE=
"$
2"
496 DURATION=
"$
3"
497 DISPLAY= vlc -q
"$URL
" \
498 --sout=
"#duplicate{dst=std{access=file,url=
'$SAVEFILE
'},dst=nodisplay}
" \
499 --intf=dummy
< /dev/null
> /dev/null
2>&1 &
503 wait $pid
</pre
></blockquote
>
508 <title>No patch is not better than a useless patch
</title>
509 <link>http://people.skolelinux.org/pere/blog/No_patch_is_not_better_than_a_useless_patch.html
</link>
510 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/No_patch_is_not_better_than_a_useless_patch.html
</guid>
511 <pubDate>Tue,
28 Apr
2009 09:
30:
00 +
0200</pubDate>
513 <p
>Julien Blache
514 <a href=
"http://blog.technologeek.org/
2009/
04/
12/
214">claim that no
515 patch is better than a useless patch
</a
>. I completely disagree, as a
516 patch allow one to discuss a concrete and proposed solution, and also
517 prove that the issue at hand is important enough for someone to spent
518 time on fixing it. No patch do not provide any of these positive
519 properties.
</p
>
524 <title>Two projects that have improved the quality of free software a lot
</title>
525 <link>http://people.skolelinux.org/pere/blog/Two_projects_that_have_improved_the_quality_of_free_software_a_lot.html
</link>
526 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Two_projects_that_have_improved_the_quality_of_free_software_a_lot.html
</guid>
527 <pubDate>Sat,
2 May
2009 15:
00:
00 +
0200</pubDate>
529 <p
>There are two software projects that have had huge influence on the
530 quality of free software, and I wanted to mention both in case someone
531 do not yet know them.
</p
>
533 <p
>The first one is
<a href=
"http://valgrind.org/
">valgrind
</a
>, a
534 tool to detect and expose errors in the memory handling of programs.
535 It is easy to use, all one need to do is to run
'valgrind program
',
536 and it will report any problems on stdout. It is even better if the
537 program include debug information. With debug information, it is able
538 to report the source file name and line number where the problem
539 occurs. It can report things like
'reading past memory block in file
540 X line N, the memory block was allocated in file Y, line M
', and
541 'using uninitialised value in control logic
'. This tool has made it
542 trivial to investigate reproducible crash bugs in programs, and have
543 reduced the number of this kind of bugs in free software a lot.
545 <p
>The second one is
546 <a href=
"http://en.wikipedia.org/wiki/Coverity
">Coverity
</a
> which is
547 a source code checker. It is able to process the source of a program
548 and find problems in the logic without running the program. It
549 started out as the Stanford Checker and became well known when it was
550 used to find bugs in the Linux kernel. It is now a commercial tool
551 and the company behind it is running
552 <a href=
"http://www.scan.coverity.com/
">a community service
</a
> for the
553 free software community, where a lot of free software projects get
554 their source checked for free. Several thousand defects have been
555 found and fixed so far. It can find errors like
'lock L taken in file
556 X line N is never released if exiting in line M
', or
'the code in file
557 Y lines O to P can never be executed
'. The projects included in the
558 community service project have managed to get rid of a lot of
559 reliability problems thanks to Coverity.
</p
>
561 <p
>I believe tools like this, that are able to automatically find
562 errors in the source, are vital to improve the quality of software and
563 make sure we can get rid of the crashing and failing software we are
564 surrounded by today.
</p
>
569 <title>Debian boots quicker and quicker
</title>
570 <link>http://people.skolelinux.org/pere/blog/Debian_boots_quicker_and_quicker.html
</link>
571 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Debian_boots_quicker_and_quicker.html
</guid>
572 <pubDate>Wed,
24 Jun
2009 21:
40:
00 +
0200</pubDate>
574 <p
>I spent Monday and tuesday this week in London with a lot of the
575 people involved in the boot system on Debian and Ubuntu, to see if we
576 could find more ways to speed up the boot system. This was an Ubuntu
578 <a href=
"https://wiki.ubuntu.com/FoundationsTeam/BootPerformance/DebianUbuntuSprint
">developer
579 gathering
</a
>. It was quite productive. We also discussed the future
580 of boot systems, and ways to handle the increasing number of boot
581 issues introduced by the Linux kernel becoming more and more
582 asynchronous and event base. The Ubuntu approach using udev and
583 upstart might be a good way forward. Time will show.
</p
>
585 <p
>Anyway, there are a few ways at the moment to speed up the boot
586 process in Debian. All of these should be applied to get a quick
591 <li
>Use dash as /bin/sh.
</li
>
593 <li
>Disable the init.d/hwclock*.sh scripts and make sure the hardware
594 clock is in UTC.
</li
>
596 <li
>Install and activate the insserv package to enable
597 <a href=
"http://wiki.debian.org/LSBInitScripts/DependencyBasedBoot
">dependency
598 based boot sequencing
</a
>, and enable concurrent booting.
</li
>
602 These points are based on the Google summer of code work done by
603 <a href=
"http://initscripts-ng.alioth.debian.org/soc2006-bootsystem/
">Carlos
606 <p
>Support for makefile-style concurrency during boot was uploaded to
607 unstable yesterday. When we tested it, we were able to cut
6 seconds
608 from the boot sequence. It depend on very correct dependency
609 declaration in all init.d scripts, so I expect us to find edge cases
610 where the dependences in some scripts are slightly wrong when we start
611 using this.
</p
>
613 <p
>On our IRC channel for this effort, #pkg-sysvinit, a new idea was
614 introduced by Raphael Geissert today, one that could affect the
615 startup speed as well. Instead of starting some scripts concurrently
616 from rcS.d/ and another set of scripts from rc2.d/, it would be
617 possible to run a of them in the same process. A quick way to test
618 this would be to enable insserv and run
'mv /etc/rc2.d/S* /etc/rcS.d/;
619 insserv
'. Will need to test if that work. :)
</p
>
624 <title>Taking over sysvinit development
</title>
625 <link>http://people.skolelinux.org/pere/blog/Taking_over_sysvinit_development.html
</link>
626 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Taking_over_sysvinit_development.html
</guid>
627 <pubDate>Wed,
22 Jul
2009 23:
00:
00 +
0200</pubDate>
629 <p
>After several years of frustration with the lack of activity from
630 the existing sysvinit upstream developer, I decided a few weeks ago to
631 take over the package and become the new upstream. The number of
632 patches to track for the Debian package was becoming a burden, and the
633 lack of synchronization between the distribution made it hard to keep
634 the package up to date.
</p
>
636 <p
>On the new sysvinit team is the SuSe maintainer Dr. Werner Fink,
637 and my Debian co-maintainer Kel Modderman. About
10 days ago, I made
638 a new upstream tarball with version number
2.87dsf (for Debian, SuSe
639 and Fedora), based on the patches currently in use in these
640 distributions. We Debian maintainers plan to move to this tarball as
641 the new upstream as soon as we find time to do the merge. Since the
642 new tarball was created, we agreed with Werner at SuSe to make a new
643 upstream project at
<a href=
"http://savannah.nongnu.org/
">Savannah
</a
>, and continue
644 development there. The project is registered and currently waiting
645 for approval by the Savannah administrators, and as soon as it is
646 approved, we will import the old versions from svn and continue
647 working on the future release.
</p
>
649 <p
>It is a bit ironic that this is done now, when some of the involved
650 distributions are moving to upstart as a syvinit replacement.
</p
>
655 <title>Debian has switched to dependency based boot sequencing
</title>
656 <link>http://people.skolelinux.org/pere/blog/Debian_has_switched_to_dependency_based_boot_sequencing.html
</link>
657 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Debian_has_switched_to_dependency_based_boot_sequencing.html
</guid>
658 <pubDate>Mon,
27 Jul
2009 23:
50:
00 +
0200</pubDate>
660 <p
>Since this evening, with the upload of sysvinit version
2.87dsf-
2,
661 and the upload of insserv version
1.12.0-
10 yesterday, Debian unstable
662 have been migrated to using dependency based boot sequencing. This
663 conclude work me and others have been doing for the last three days.
664 It feels great to see this finally part of the default Debian
665 installation. Now we just need to weed out the last few problems that
666 are bound to show up, to get everything ready for Squeeze.
</p
>
668 <p
>The next step is migrating /sbin/init from sysvinit to upstart, and
669 fixing the more fundamental problem of handing the event based
670 non-predictable kernel in the early boot.
</p
>
675 <title>ISO still hope to fix OOXML
</title>
676 <link>http://people.skolelinux.org/pere/blog/ISO_still_hope_to_fix_OOXML.html
</link>
677 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/ISO_still_hope_to_fix_OOXML.html
</guid>
678 <pubDate>Sat,
8 Aug
2009 14:
00:
00 +
0200</pubDate>
680 <p
>According to
<a
681 href=
"http://twerner.blogspot.com/
2009/
08/defects-of-office-open-xml.html
">a
682 blog post from Torsten Werner
</a
>, the current defect report for ISO
683 29500 (ISO OOXML) is
809 pages. His interesting point is that the
684 defect report is
71 pages more than the full ODF
1.1 specification.
685 Personally I find it more interesting that ISO still believe ISO OOXML
686 can be fixed in ISO. Personally, I believe it is broken beyon repair,
687 and I completely lack any trust in ISO for being able to get anywhere
688 close to solving the problems. I was part of the Norwegian committee
689 involved in the OOXML fast track process, and was not impressed with
690 Standard Norway and ISO in how they handled it.
</p
>
692 <p
>These days I focus on ODF instead, which seem like a specification
693 with the future ahead of it. We are working in NUUG to organise a ODF
694 seminar this autumn.
</p
>
699 <title>Relative popularity of document formats (MS Office vs. ODF)
</title>
700 <link>http://people.skolelinux.org/pere/blog/Relative_popularity_of_document_formats__MS_Office_vs__ODF_.html
</link>
701 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Relative_popularity_of_document_formats__MS_Office_vs__ODF_.html
</guid>
702 <pubDate>Wed,
12 Aug
2009 15:
50:
00 +
0200</pubDate>
704 <p
>Just for fun, I did a search right now on Google for a few file ODF
705 and MS Office based formats (not to be mistaken for ISO or ECMA
706 OOXML), to get an idea of their relative usage. I searched using
707 'filetype:odt
' and equvalent terms, and got these results:
</P
>
710 <tr
><th
>Type
</th
><th
>ODF
</th
><th
>MS Office
</th
></tr
>
711 <tr
><td
>Tekst
</td
> <td
>odt:
282000</td
> <td
>docx:
308000</td
></tr
>
712 <tr
><td
>Presentasjon
</td
> <td
>odp:
75600</td
> <td
>pptx:
183000</td
></tr
>
713 <tr
><td
>Regneark
</td
> <td
>ods:
26500 </td
> <td
>xlsx:
145000</td
></tr
>
716 <p
>Next, I added a
'site:no
' limit to get the numbers for Norway, and
717 got these numbers:
</p
>
720 <tr
><th
>Type
</th
><th
>ODF
</th
><th
>MS Office
</th
></tr
>
721 <tr
><td
>Tekst
</td
> <td
>odt:
2480 </td
> <td
>docx:
4460</td
></tr
>
722 <tr
><td
>Presentasjon
</td
> <td
>odp:
299 </td
> <td
>pptx:
741</td
></tr
>
723 <tr
><td
>Regneark
</td
> <td
>ods:
187 </td
> <td
>xlsx:
372</td
></tr
>
726 <p
>I wonder how these numbers change over time.
</p
>
728 <p
>I am aware of Google returning different results and numbers based
729 on where the search is done, so I guess these numbers will differ if
730 they are conduced in another country. Because of this, I did the same
731 search from a machine in California, USA, a few minutes after the
732 search done from a machine here in Norway.
</p
>
736 <tr
><th
>Type
</th
><th
>ODF
</th
><th
>MS Office
</th
></tr
>
737 <tr
><td
>Tekst
</td
> <td
>odt:
129000</td
> <td
>docx:
308000</td
></tr
>
738 <tr
><td
>Presentasjon
</td
> <td
>odp:
44200</td
> <td
>pptx:
93900</td
></tr
>
739 <tr
><td
>Regneark
</td
> <td
>ods:
26500 </td
> <td
>xlsx:
82400</td
></tr
>
742 <p
>And with
'site:no
':
745 <tr
><th
>Type
</th
><th
>ODF
</th
><th
>MS Office
</th
></tr
>
746 <tr
><td
>Tekst
</td
> <td
>odt:
2480</td
> <td
>docx:
3410</td
></tr
>
747 <tr
><td
>Presentasjon
</td
> <td
>odp:
175</td
> <td
>pptx:
604</td
></tr
>
748 <tr
><td
>Regneark
</td
> <td
>ods:
186 </td
> <td
>xlsx:
296</td
></tr
>
751 <p
>Interesting difference, not sure what to conclude from these
757 <title>Automatic Munin and Nagios configuration
</title>
758 <link>http://people.skolelinux.org/pere/blog/Automatic_Munin_and_Nagios_configuration.html
</link>
759 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Automatic_Munin_and_Nagios_configuration.html
</guid>
760 <pubDate>Wed,
27 Jan
2010 15:
15:
00 +
0100</pubDate>
762 <p
>One of the new features in the next Debian/Lenny based release of
763 Debian Edu/Skolelinux, which is scheduled for release in the next few
764 days, is automatic configuration of the service monitoring system
765 Nagios. The previous release had automatic configuration of trend
766 analysis using Munin, and this Lenny based release take that a step
769 <p
>When installing a Debian Edu Main-server, it is automatically
770 configured as a Munin and Nagios server. In addition, it is
771 configured to be a server for the
772 <a href=
"http://wiki.debian.org/DebianEdu/HowTo/SiteSummary
">SiteSummary
773 system
</a
> I have written for use in Debian Edu. The SiteSummary
774 system is inspired by a system used by the University of Oslo where I
775 work. In short, the system provide a centralised collector of
776 information about the computers on the network, and a client on each
777 computer submitting information to this collector. This allow for
778 automatic information on which packages are installed on each machine,
779 which kernel the machines are using, what kind of configuration the
780 packages got etc. This also allow us to automatically generate Munin
781 and Nagios configuration.
</p
>
783 <p
>All computers reporting to the sitesummary collector with the
784 munin-node package installed is automatically enabled as a Munin
785 client and graphs from the statistics collected from that machine show
786 up automatically on http://www/munin/ on the Main-server.
</p
>
788 <p
>All non-laptop computers reporting to the sitesummary collector are
789 automatically monitored for network presence (ping and any network
790 services detected). In addition, all computers (also laptops) with
791 the nagios-nrpe-server package installed and configured the way
792 sitesummary would configure it, are monitored for full disks, software
793 raid status, swap free and other checks that need to run locally on
794 the machine.
</p
>
796 <p
>The result is that the administrator on a school using Debian Edu
797 based on Lenny will be able to check the health of his installation
798 with one look at the Nagios settings, without having to spend any time
799 keeping the Nagios configuration up-to-date.
</p
>
801 <p
>The only configuration one need to do to get Nagios up and running
802 is to set the password used to get access via HTTP. The system
803 administrator need to run
"<tt
>htpasswd /etc/nagios3/htpasswd.users
804 nagiosadmin
</tt
>" to create a nagiosadmin user and set a password for
805 it to be able to log into the Nagios web pages. After that,
806 everything is taken care of.
</p
>
811 <title>Debian Edu / Skolelinux based on Lenny released, work continues
</title>
812 <link>http://people.skolelinux.org/pere/blog/Debian_Edu___Skolelinux_based_on_Lenny_released__work_continues.html
</link>
813 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Debian_Edu___Skolelinux_based_on_Lenny_released__work_continues.html
</guid>
814 <pubDate>Thu,
11 Feb
2010 17:
15:
00 +
0100</pubDate>
816 <p
>On Tuesday, the Debian/Lenny based version of
817 <a href=
"http://www.skolelinux.org/
">Skolelinux
</a
> was finally
818 shipped. This was a major leap forward for the project, and I am very
819 pleased that we finally got the release wrapped up. Work on the first
820 point release starts imediately, as we plan to get that one out a
821 month after the major release, to include all fixes for bugs we found
822 and fixed too late in the release process to include last Tuesday.
</p
>
824 <p
>Perhaps it even is time for some partying?
</p
>
826 <p
>After this first point release, my plan is to focus again on the
827 next major release, based on Squeeze. We will try to get as many of
828 the fixes we need into the official Debian packages before the freeze,
829 and have just a few weeks or months to make it happen.
</p
>
834 <title>After
6 years of waiting, the Xreset.d feature is implemented
</title>
835 <link>http://people.skolelinux.org/pere/blog/After_6_years_of_waiting__the_Xreset_d_feature_is_implemented.html
</link>
836 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/After_6_years_of_waiting__the_Xreset_d_feature_is_implemented.html
</guid>
837 <pubDate>Sat,
6 Mar
2010 18:
15:
00 +
0100</pubDate>
839 <p
>6 years ago, as part of the Debian Edu development I am involved
840 in, I asked for a hook in the kdm and gdm setup to run scripts as root
841 when the user log out. A bug was submitted against the xfree86-common
842 package in
2004 (
<a href=
"http://bugs.debian.org/
230422">#
230422</a
>),
843 and revisited every time Debian Edu was working on a new release.
844 Today, this finally paid off.
</p
>
846 <p
>The framework for this feature was today commited to the git
847 repositry for the xorg package, and the git repository for xdm has
848 been updated to use this framework. Next on my agenda is to make sure
849 kdm and gdm also add code to use this framework.
</p
>
851 <p
>In Debian Edu, we want to ability to run commands as root when the
852 user log out, to get rid of runaway processes and do general cleanup
853 after a user. With this framework in place, we finally can do that in
854 a generic way that work with all display managers using this
855 framework. My goal is to get all display managers in Debian use it,
856 similar to how they use the Xsession.d framework today.
<p
>
861 <title>Kerberos for Debian Edu/Squeeze?
</title>
862 <link>http://people.skolelinux.org/pere/blog/Kerberos_for_Debian_Edu_Squeeze_.html
</link>
863 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Kerberos_for_Debian_Edu_Squeeze_.html
</guid>
864 <pubDate>Wed,
14 Apr
2010 17:
20:
00 +
0200</pubDate>
866 <p
><a href=
"http://www.nuug.no/aktiviteter/
20100413-kerberos/
">Yesterdays
867 NUUG presentation
</a
> about Kerberos was inspiring, and reminded me
868 about the need to start using Kerberos in Skolelinux. Setting up a
869 Kerberos server seem to be straight forward, and if we get this in
870 place a long time before the Squeeze version of Debian freezes, we
871 have a chance to migrate Skolelinux away from NFSv3 for the home
872 directories, and over to an architecture where the infrastructure do
873 not have to trust IP addresses and machines, and instead can trust
874 users and cryptographic keys instead.
</p
>
876 <p
>A challenge will be integration and administration. Is there a
877 Kerberos implementation for Debian where one can control the
878 administration access in Kerberos using LDAP groups? With it, the
879 school administration will have to maintain access control using flat
880 files on the main server, which give a huge potential for errors.
</p
>
882 <p
>A related question I would like to know is how well Kerberos and
883 pam-ccreds (offline password check) work together. Anyone know?
</p
>
885 <p
>Next step will be to use Kerberos for access control in Lwat and
886 Nagios. I have no idea how much work that will be to implement. We
887 would also need to document how to integrate with Windows AD, as such
888 shared network will require two Kerberos realms that need to cooperate
889 to work properly.
</p
>
891 <p
>I believe a good start would be to start using Kerberos on the
892 skolelinux.no machines, and this way get ourselves experience with
893 configuration and integration. A natural starting point would be
894 setting up ldap.skolelinux.no as the Kerberos server, and migrate the
895 rest of the machines from PAM via LDAP to PAM via Kerberos one at the
898 <p
>If you would like to contribute to get this working in Skolelinux,
899 I recommend you to see the video recording from yesterdays NUUG
900 presentation, and start using Kerberos at home. The video show show
901 up in a few days.
</p
>
906 <title>Great book:
"Content: Selected Essays on Technology, Creativity, Copyright, and the Future of the Future
"</title>
907 <link>http://people.skolelinux.org/pere/blog/Great_book___Content__Selected_Essays_on_Technology__Creativity__Copyright__and_the_Future_of_the_Future_.html
</link>
908 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Great_book___Content__Selected_Essays_on_Technology__Creativity__Copyright__and_the_Future_of_the_Future_.html
</guid>
909 <pubDate>Mon,
19 Apr
2010 17:
10:
00 +
0200</pubDate>
911 <p
>The last few weeks i have had the pleasure of reading a
912 thought-provoking collection of essays by Cory Doctorow, on topics
913 touching copyright, virtual worlds, the future of man when the
914 conscience mind can be duplicated into a computer and many more. The
915 book titled
"Content: Selected Essays on Technology, Creativity,
916 Copyright, and the Future of the Future
" is available with few
917 restrictions on the web, for example from
918 <a href=
"http://craphound.com/content/
">his own site
</a
>. I read the
920 <a href=
"http://www.feedbooks.com/book/
2883">feedbooks
</a
> using
921 <a href=
"http://www.fbreader.org/
">fbreader
</a
> and my N810. I
922 strongly recommend this book.
</p
>
927 <title>Thoughts on roaming laptop setup for Debian Edu
</title>
928 <link>http://people.skolelinux.org/pere/blog/Thoughts_on_roaming_laptop_setup_for_Debian_Edu.html
</link>
929 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Thoughts_on_roaming_laptop_setup_for_Debian_Edu.html
</guid>
930 <pubDate>Wed,
28 Apr
2010 20:
40:
00 +
0200</pubDate>
932 <p
>For some years now, I have wondered how we should handle laptops in
933 Debian Edu. The Debian Edu infrastructure is mostly designed to
934 handle stationary computers, and less suited for computers that come
937 <p
>Now I finally believe I have an sensible idea on how to adjust
938 Debian Edu for laptops, by introducing a new profile for them, for
939 example called Roaming Workstations. Here are my thought on this.
940 The setup would consist of the following:
</p
>
944 <li
>During installation, the user name of the owner / primary user of
945 the laptop is requested and a local home directory is set up for
946 the user, with uid and gid information fetched from the LDAP
947 server. This allow the user to work also when offline. The
948 central home directory can be available in a subdirectory on
949 request, for example mounted via CIFS. It could be mounted
950 automatically when a user log in while on the Debian Edu network,
951 and unmounted when the machine is taken away (network down,
952 hibernate, etc), it can be set up to do automatic mounting on
953 request (using autofs), or perhaps some GUI button on the desktop
954 can be used to access it when needed. Perhaps it is enough to use
955 the fish protocol in KDE?
</li
>
957 <li
>Password checking is set up to use LDAP or Kerberos
958 authentication when the machine is on the Debian Edu network, and
959 to cache the password for offline checking when the machine unable
960 to reach the LDAP or Kerberos server. This can be done using
961 <a href=
"http://www.padl.com/OSS/pam_ccreds.html
">libpam-ccreds
</a
>
962 or the Fedora developed
963 <a href=
"https://fedoraproject.org/wiki/Features/SSSD
">System
964 Security Services Daemon
</a
> packages.
</li
>
966 <li
>File synchronisation with the central home directory is set up
967 using a shared directory in both the local and the central home
968 directory, using unison.
</li
>
970 <li
>Printing should be set up to print to all printers broadcasting
971 their existence on the local network, and should then work out of
972 the box with CUPS. For sites needing accurate printer quotas, some
973 system with Kerberos authentication or printing via ssh could be
974 implemented.
</li
>
976 <li
>For users that should have local root access to their laptop,
977 sudo should be used to allow this to the local user.
</li
>
979 <li
>It would be nice if user and group information from LDAP is
980 cached on the client, but given that there are entries for the
981 local user and primary group in /etc/, it should not be needed.
</li
>
985 <p
>I believe all the pieces to implement this are in Debian/testing at
986 the moment. If we work quickly, we should be able to get this ready
987 in time for the Squeeze release to freeze. Some of the pieces need
988 tweaking, like libpam-ccreds should get support for pam-auth-update
989 (
<a href=
"http://bugs.debian.org/
566718">#
566718</a
>) and nslcd (or
990 perhaps debian-edu-config) should get some integration code to stop
991 its daemon when the LDAP server is unavailable to avoid long timeouts
992 when disconnected from the net. If we get Kerberos enabled, we need
993 to make sure we avoid long timeouts there too.
</p
>
995 <p
>If you want to help out with implementing this for Debian Edu,
996 please contact us on debian-edu@lists.debian.org.
</p
>
1001 <title>Forcing new users to change their password on first login
</title>
1002 <link>http://people.skolelinux.org/pere/blog/Forcing_new_users_to_change_their_password_on_first_login.html
</link>
1003 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Forcing_new_users_to_change_their_password_on_first_login.html
</guid>
1004 <pubDate>Sun,
2 May
2010 13:
47:
00 +
0200</pubDate>
1006 <p
>One interesting feature in Active Directory, is the ability to
1007 create a new user with an expired password, and thus force the user to
1008 change the password on the first login attempt.
</p
>
1010 <p
>I
'm not quite sure how to do that with the LDAP setup in Debian
1011 Edu, but did some initial testing with a local account. The account
1012 and password aging information is available in /etc/shadow, but
1013 unfortunately, it is not possible to specify an expiration time for
1014 passwords, only a maximum age for passwords.
</p
>
1016 <p
>A freshly created account (using adduser test) will have these
1017 settings in /etc/shadow:
</p
>
1019 <blockquote
><pre
>
1020 root@tjener:~# chage -l test
1021 Last password change : May
02,
2010
1022 Password expires : never
1023 Password inactive : never
1024 Account expires : never
1025 Minimum number of days between password change :
0
1026 Maximum number of days between password change :
99999
1027 Number of days of warning before password expires :
7
1029 </pre
></blockquote
>
1031 <p
>The only way I could come up with to create a user with an expired
1032 account, is to change the date of the last password change to the
1033 lowest value possible (January
1th
1970), and the maximum password age
1034 to the difference in days between that date and today. To make it
1035 simple, I went for
30 years (
30 *
365 =
10950) and January
2th (to
1036 avoid testing if
0 is a valid value).
</p
>
1038 <p
>After using these commands to set it up, it seem to work as
1041 <blockquote
><pre
>
1042 root@tjener:~# chage -d
1 test; chage -M
10950 test
1043 root@tjener:~# chage -l test
1044 Last password change : Jan
02,
1970
1045 Password expires : never
1046 Password inactive : never
1047 Account expires : never
1048 Minimum number of days between password change :
0
1049 Maximum number of days between password change :
10950
1050 Number of days of warning before password expires :
7
1052 </pre
></blockquote
>
1054 <p
>So far I have tested this with ssh and console, and kdm (in
1055 Squeeze) login, and all ask for a new password before login in the
1056 user (with ssh, I was thrown out and had to log in again).
</p
>
1058 <p
>Perhaps we should set up something similar for Debian Edu, to make
1059 sure only the user itself have the account password?
</p
>
1061 <p
>If you want to comment on or help out with implementing this for
1062 Debian Edu, please contact us on debian-edu@lists.debian.org.
</p
>
1064 <p
>Update
2010-
05-
02 17:
20: Paul Tötterman tells me on IRC that the
1065 shadow(
8) page in Debian/testing now state that setting the date of
1066 last password change to zero (
0) will force the password to be changed
1067 on the first login. This was not mentioned in the manual in Lenny, so
1068 I did not notice this in my initial testing. I have tested it on
1069 Squeeze, and
'<tt
>chage -d
0 username
</tt
>' do work there. I have not
1070 tested it on Lenny yet.
</p
>
1072 <p
>Update
2010-
05-
02-
19:
05: Jim Paris tells me via email that an
1073 equivalent command to expire a password is
'<tt
>passwd -e
1074 username
</tt
>', which insert zero into the date of the last password
1080 <title>Parallellizing the boot in Debian Squeeze - ready for wider testing
</title>
1081 <link>http://people.skolelinux.org/pere/blog/Parallellizing_the_boot_in_Debian_Squeeze___ready_for_wider_testing.html
</link>
1082 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Parallellizing_the_boot_in_Debian_Squeeze___ready_for_wider_testing.html
</guid>
1083 <pubDate>Thu,
6 May
2010 23:
25:
00 +
0200</pubDate>
1085 <p
>These days, the init.d script dependencies in Squeeze are quite
1086 complete, so complete that it is actually possible to run all the
1087 init.d scripts in parallell based on these dependencies. If you want
1088 to test your Squeeze system, make sure
1089 <a href=
"http://wiki.debian.org/LSBInitScripts/DependencyBasedBoot
">dependency
1090 based boot sequencing
</a
> is enabled, and add this line to
1091 /etc/default/rcS:
</p
>
1093 <blockquote
><pre
>
1094 CONCURRENCY=makefile
1095 </pre
></blockquote
>
1097 <p
>That is it. It will cause sysv-rc to use the startpar tool to run
1098 scripts in parallel using the dependency information stored in
1099 /etc/init.d/.depend.boot, /etc/init.d/.depend.start and
1100 /etc/init.d/.depend.stop to order the scripts. Startpar is configured
1101 to try to start the kdm and gdm scripts as early as possible, and will
1102 start the facilities required by kdm or gdm as early as possible to
1103 make this happen.
</p
>
1105 <p
>Give it a try, and see if you like the result. If some services
1106 fail to start properly, it is most likely because they have incomplete
1107 init.d script dependencies in their startup script (or some of their
1108 dependent scripts have incomplete dependencies). Report bugs and get
1109 the package maintainers to fix it. :)
</p
>
1111 <p
>Running scripts in parallel could be the default in Debian when we
1112 manage to get the init.d script dependencies complete and correct. I
1113 expect we will get there in Squeeze+
1, if we get manage to test and
1114 fix the remaining issues.
</p
>
1116 <p
>If you report any problems with dependencies in init.d scripts to
1117 the BTS, please usertag the report to get it to show up at
1118 <a href=
"http://bugs.debian.org/cgi-bin/pkgreport.cgi?users=initscripts-ng-devel@lists.alioth.debian.org
">the
1119 list of usertagged bugs related to this
</a
>.
</p
>
1124 <title>systemd, an interesting alternative to upstart
</title>
1125 <link>http://people.skolelinux.org/pere/blog/systemd__an_interesting_alternative_to_upstart.html
</link>
1126 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/systemd__an_interesting_alternative_to_upstart.html
</guid>
1127 <pubDate>Thu,
13 May
2010 22:
20:
00 +
0200</pubDate>
1129 <p
>The last few days a new boot system called
1130 <a href=
"http://www.freedesktop.org/wiki/Software/systemd
">systemd
</a
>
1132 <a href=
"http://
0pointer.de/blog/projects/systemd.html
">introduced
</a
>
1134 to the free software world. I have not yet had time to play around
1135 with it, but it seem to be a very interesting alternative to
1136 <a href=
"http://upstart.ubuntu.com/
">upstart
</a
>, and might prove to be
1137 a good alternative for Debian when we are able to switch to an event
1138 based boot system. Tollef is
1139 <a href=
"http://bugs.debian.org/
580814">in the process
</a
> of getting
1140 systemd into Debian, and I look forward to seeing how well it work. I
1141 like the fact that systemd handles init.d scripts with dependency
1142 information natively, allowing them to run in parallel where upstart
1143 at the moment do not.
</p
>
1145 <p
>Unfortunately do systemd have the same problem as upstart regarding
1146 platform support. It only work on recent Linux kernels, and also need
1147 some new kernel features enabled to function properly. This means
1148 kFreeBSD and Hurd ports of Debian will need a port or a different boot
1149 system. Not sure how that will be handled if systemd proves to be the
1150 way forward.
</p
>
1152 <p
>In the mean time, based on the
1153 <a href=
"http://lists.debian.org/debian-devel/
2010/
05/msg00122.html
">input
1154 on debian-devel@
</a
> regarding parallel booting in Debian, I have
1155 decided to enable full parallel booting as the default in Debian as
1156 soon as possible (probably this weekend or early next week), to see if
1157 there are any remaining serious bugs in the init.d dependencies. A
1158 new version of the sysvinit package implementing this change is
1159 already in experimental. If all go well, Squeeze will be released
1160 with parallel booting enabled by default.
</p
>
1165 <title>Sitesummary tip: Listing MAC address of all clients
</title>
1166 <link>http://people.skolelinux.org/pere/blog/Sitesummary_tip__Listing_MAC_address_of_all_clients.html
</link>
1167 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Sitesummary_tip__Listing_MAC_address_of_all_clients.html
</guid>
1168 <pubDate>Fri,
14 May
2010 21:
10:
00 +
0200</pubDate>
1170 <p
>In the recent Debian Edu versions, the
1171 <a href=
"http://wiki.debian.org/DebianEdu/HowTo/SiteSummary
">sitesummary
1172 system
</a
> is used to keep track of the machines in the school
1173 network. Each machine will automatically report its status to the
1174 central server after boot and once per night. The network setup is
1175 also reported, and using this information it is possible to get the
1176 MAC address of all network interfaces in the machines. This is useful
1177 to update the DHCP configuration.
</p
>
1179 <p
>To give some idea how to use sitesummary, here is a one-liner to
1180 ist all MAC addresses of all machines reporting to sitesummary. Run
1181 this on the collector host:
</p
>
1183 <blockquote
><pre
>
1184 perl -MSiteSummary -e
'for_all_hosts(sub { print join(
" ", get_macaddresses(shift)),
"\n
"; });
'
1185 </pre
></blockquote
>
1187 <p
>This will list all MAC addresses assosiated with all machine, one
1188 line per machine and with space between the MAC addresses.
</p
>
1190 <p
>To allow system administrators easier job at adding static DHCP
1191 addresses for hosts, it would be possible to extend this to fetch
1192 machine information from sitesummary and update the DHCP and DNS
1193 tables in LDAP using this information. Such tool is unfortunately not
1194 written yet.
</p
>
1199 <title>Parallellized boot is now the default in Debian/unstable
</title>
1200 <link>http://people.skolelinux.org/pere/blog/Parallellized_boot_is_now_the_default_in_Debian_unstable.html
</link>
1201 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Parallellized_boot_is_now_the_default_in_Debian_unstable.html
</guid>
1202 <pubDate>Fri,
14 May
2010 22:
40:
00 +
0200</pubDate>
1204 <p
>Since this evening, parallel booting is the default in
1205 Debian/unstable for machines using dependency based boot sequencing.
1206 Apparently the testing of concurrent booting has been wider than
1207 expected, if I am to believe the
1208 <a href=
"http://lists.debian.org/debian-devel/
2010/
05/msg00122.html
">input
1209 on debian-devel@
</a
>, and I concluded a few days ago to move forward
1210 with the feature this weekend, to give us some time to detect any
1211 remaining problems before Squeeze is frozen. If serious problems are
1212 detected, it is simple to change the default back to sequential boot.
1213 The upload of the new sysvinit package also activate a new upstream
1216 More information about
1217 <a href=
"http://wiki.debian.org/LSBInitScripts/DependencyBasedBoot
">dependency
1218 based boot sequencing
</a
> is available from the Debian wiki. It is
1219 currently possible to disable parallel booting when one run into
1220 problems caused by it, by adding this line to /etc/default/rcS:
</p
>
1222 <blockquote
><pre
>
1224 </pre
></blockquote
>
1226 <p
>If you report any problems with dependencies in init.d scripts to
1227 the BTS, please usertag the report to get it to show up at
1228 <a href=
"http://bugs.debian.org/cgi-bin/pkgreport.cgi?users=initscripts-ng-devel@lists.alioth.debian.org
">the
1229 list of usertagged bugs related to this
</a
>.
</p
>
1234 <title>Pieces of the roaming laptop puzzle in Debian
</title>
1235 <link>http://people.skolelinux.org/pere/blog/Pieces_of_the_roaming_laptop_puzzle_in_Debian.html
</link>
1236 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Pieces_of_the_roaming_laptop_puzzle_in_Debian.html
</guid>
1237 <pubDate>Wed,
19 May
2010 19:
00:
00 +
0200</pubDate>
1239 <p
>Today, the last piece of the puzzle for roaming laptops in Debian
1240 Edu finally entered the Debian archive. Today, the new
1241 <a href=
"http://packages.qa.debian.org/libp/libpam-mklocaluser.html
">libpam-mklocaluser
</a
>
1242 package was accepted. Two days ago, two other pieces was accepted
1244 <a href=
"http://packages.qa.debian.org/p/pam-python.html
">pam-python
</a
>
1245 package needed by libpam-mklocaluser, and the
1246 <a href=
"http://packages.qa.debian.org/s/sssd.html
">sssd
</a
> package
1247 passed NEW on Monday. In addition, the
1248 <a href=
"http://packages.qa.debian.org/libp/libpam-ccreds.html
">libpam-ccreds
</a
>
1249 package we need is in experimental (version
10-
4) since Saturday, and
1250 hopefully will be moved to unstable soon.
</p
>
1252 <p
>This collection of packages allow for two different setups for
1253 roaming laptops. The traditional setup would be using libpam-ccreds,
1254 nscd and libpam-mklocaluser with LDAP or Kerberos authentication,
1255 which should work out of the box if the configuration changes proposed
1256 for nscd in
<a href=
"http://bugs.debian.org/
485282">BTS report
1257 #
485282</a
> is implemented. The alternative setup is to use sssd with
1258 libpam-mklocaluser to connect to LDAP or Kerberos and let sssd take
1259 care of the caching of passwords and group information.
</p
>
1261 <p
>I have so far been unable to get sssd to work with the LDAP server
1262 at the University, but suspect the issue is some SSL/GnuTLS related
1263 problem with the server certificate. I plan to update the Debian
1264 package to version
1.2, which is scheduled for next week, and hope to
1265 find time to make sure the next release will include both the
1266 Debian/Ubuntu specific patches. Upstream is friendly and responsive,
1267 and I am sure we will find a good solution.
</p
>
1269 <p
>The idea is to set up the roaming laptops to authenticate using
1270 LDAP or Kerberos and create a local user with home directory in /home/
1271 when a usre in LDAP logs in via KDM or GDM for the first time, and
1272 cache the password for offline checking, as well as caching group
1273 memberhips and other relevant LDAP information. The
1274 libpam-mklocaluser package was created to make sure the local home
1275 directory is in /home/, instead of /site/server/directory/ which would
1276 be the home directory if pam_mkhomedir was used. To avoid confusion
1277 with support requests and configuration, we do not want local laptops
1278 to have users in a path that is used for the same users home directory
1279 on the home directory servers.
</p
>
1281 <p
>One annoying problem with gdm is that it do not show the PAM
1282 message passed to the user from libpam-mklocaluser when the local user
1283 is created. Instead gdm simply reject the login with some generic
1284 message. The message is shown in kdm, ssh and login, so I guess it is
1285 a bug in gdm. Have not investigated if there is some other message
1286 type that can be used instead to get gdm to also show the message.
</p
>
1288 <p
>If you want to help out with implementing this for Debian Edu,
1289 please contact us on debian-edu@lists.debian.org.
</p
>
1294 <title>More flexible firmware handling in debian-installer
</title>
1295 <link>http://people.skolelinux.org/pere/blog/More_flexible_firmware_handling_in_debian_installer.html
</link>
1296 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/More_flexible_firmware_handling_in_debian_installer.html
</guid>
1297 <pubDate>Sat,
22 May
2010 21:
30:
00 +
0200</pubDate>
1299 <p
>After a long break from debian-installer development, I finally
1300 found time today to return to the project. Having to spend less time
1301 working dependency based boot in debian, as it is almost complete now,
1302 definitely helped freeing some time.
</p
>
1304 <p
>A while back, I ran into a problem while working on Debian Edu. We
1305 include some firmware packages on the Debian Edu CDs, those needed to
1306 get disk and network controllers working. Without having these
1307 firmware packages available during installation, it is impossible to
1308 install Debian Edu on the given machine, and because our target group
1309 are non-technical people, asking them to provide firmware packages on
1310 an external medium is a support pain. Initially, I expected it to be
1311 enough to include the firmware packages on the CD to get
1312 debian-installer to find and use them. This proved to be wrong.
1313 Next, I hoped it was enough to symlink the relevant firmware packages
1314 to some useful location on the CD (tried /cdrom/ and
1315 /cdrom/firmware/). This also proved to not work, and at this point I
1316 found time to look at the debian-installer code to figure out what was
1317 going to work.
</p
>
1319 <p
>The firmware loading code is in the hw-detect package, and a closer
1320 look revealed that it would only look for firmware packages outside
1321 the installation media, so the CD was never checked for firmware
1322 packages. It would only check USB sticks, floppies and other
1323 "external
" media devices. Today I changed it to also look in the
1324 /cdrom/firmware/ directory on the mounted CD or DVD, which should
1325 solve the problem I ran into with Debian edu. I also changed it to
1326 look in /firmware/, to make sure the installer also find firmware
1327 provided in the initrd when booting the installer via PXE, to allow us
1328 to provide the same feature in the PXE setup included in Debian
1331 <p
>To make sure firmware deb packages with a license questions are not
1332 activated without asking if the license is accepted, I extended
1333 hw-detect to look for preinst scripts in the firmware packages, and
1334 run these before activating the firmware during installation. The
1335 license question is asked using debconf in the preinst, so this should
1336 solve the issue for the firmware packages I have looked at so far.
</p
>
1338 <p
>If you want to discuss the details of these features, please
1339 contact us on debian-boot@lists.debian.org.
</p
>
1344 <title>Parallellized boot seem to hold up well in Debian/testing
</title>
1345 <link>http://people.skolelinux.org/pere/blog/Parallellized_boot_seem_to_hold_up_well_in_Debian_testing.html
</link>
1346 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Parallellized_boot_seem_to_hold_up_well_in_Debian_testing.html
</guid>
1347 <pubDate>Thu,
27 May
2010 23:
55:
00 +
0200</pubDate>
1349 <p
>A few days ago, parallel booting was enabled in Debian/testing.
1350 The feature seem to hold up pretty well, but three fairly serious
1351 issues are known and should be solved:
1355 <li
>The wicd package seen to
1356 <a href=
"http://bugs.debian.org/
508289">break NFS mounting
</a
> and
1357 <a href=
"http://bugs.debian.org/
581586">network setup
</a
> when
1358 parallel booting is enabled. No idea why, but the wicd maintainer
1359 seem to be on the case.
</li
>
1361 <li
>The nvidia X driver seem to
1362 <a href=
"http://bugs.debian.org/
583312">have a race condition
</a
>
1363 triggered more easily when parallel booting is in effect. The
1364 maintainer is on the case.
</li
>
1366 <li
>The sysv-rc package fail to properly enable dependency based boot
1367 sequencing (the shutdown is broken) when old file-rc users
1368 <a href=
"http://bugs.debian.org/
575080">try to switch back
</a
> to
1369 sysv-rc. One way to solve it would be for file-rc to create
1370 /etc/init.d/.legacy-bootordering, and another is to try to make
1371 sysv-rc more robust. Will investigate some more and probably upload a
1372 workaround in sysv-rc to help those trying to move from file-rc to
1373 sysv-rc get a working shutdown.
</li
>
1375 </ul
></p
>
1377 <p
>All in all not many surprising issues, and all of them seem
1378 solvable before Squeeze is released. In addition to these there are
1379 some packages with bugs in their dependencies and run level settings,
1380 which I expect will be fixed in a reasonable time span.
</p
>
1382 <p
>If you report any problems with dependencies in init.d scripts to
1383 the BTS, please usertag the report to get it to show up at
1384 <a href=
"http://bugs.debian.org/cgi-bin/pkgreport.cgi?users=initscripts-ng-devel@lists.alioth.debian.org
">the
1385 list of usertagged bugs related to this
</a
>.
</p
>
1387 <p
>Update: Correct bug number to file-rc issue.
</p
>
1392 <title>KDM fail at boot with NVidia cards - and no one try to fix it?
</title>
1393 <link>http://people.skolelinux.org/pere/blog/KDM_fail_at_boot_with_NVidia_cards___and_no_one_try_to_fix_it_.html
</link>
1394 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/KDM_fail_at_boot_with_NVidia_cards___and_no_one_try_to_fix_it_.html
</guid>
1395 <pubDate>Tue,
1 Jun
2010 17:
05:
00 +
0200</pubDate>
1397 <p
>It is strange to watch how a bug in Debian causing KDM to fail to
1398 start at boot when an NVidia video card is used is handled. The
1399 problem seem to be that the nvidia X.org driver uses a long time to
1400 initialize, and this duration is longer than kdm is configured to
1403 <p
>I came across two bugs related to this issue,
1404 <a href=
"http://bugs.debian.org/
583312">#
583312</a
> initially filed
1405 against initscripts and passed on to nvidia-glx when it became obvious
1406 that the nvidia drivers were involved, and
1407 <a href=
"http://bugs.debian.org/
524751">#
524751</a
> initially filed against
1408 kdm and passed on to src:nvidia-graphics-drivers for unknown reasons.
</p
>
1410 <p
>To me, it seem that no-one is interested in actually solving the
1411 problem nvidia video card owners experience and make sure the Debian
1412 distribution work out of the box for these users. The nvidia driver
1413 maintainers expect kdm to be set up to wait longer, while kdm expect
1414 the nvidia driver maintainers to fix the driver to start faster, and
1415 while they wait for each other I guess the users end up switching to a
1416 distribution that work for them. I have no idea what the solution is,
1417 but I am pretty sure that waiting for each other is not it.
</p
>
1419 <p
>I wonder why we end up handling bugs this way.
</p
>
1424 <title>Sitesummary tip: Listing computer hardware models used at site
</title>
1425 <link>http://people.skolelinux.org/pere/blog/Sitesummary_tip__Listing_computer_hardware_models_used_at_site.html
</link>
1426 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Sitesummary_tip__Listing_computer_hardware_models_used_at_site.html
</guid>
1427 <pubDate>Thu,
3 Jun
2010 12:
05:
00 +
0200</pubDate>
1429 <p
>When using sitesummary at a site to track machines, it is possible
1430 to get a list of the machine types in use thanks to the DMI
1431 information extracted from each machine. The script to do so is
1432 included in the sitesummary package, and here is example output from
1433 the Skolelinux build servers:
</p
>
1435 <blockquote
><pre
>
1436 maintainer:~# /usr/lib/sitesummary/hardware-model-summary
1438 Dell Computer Corporation
1
1441 eserver xSeries
345 -[
8670M1X]-
1
1445 </pre
></blockquote
>
1447 <p
>The quality of the report depend on the quality of the DMI tables
1448 provided in each machine. Here there are Intel machines without model
1449 information listed with Intel as vendor and mo model, and virtual Xen
1450 machines listed as [no-dmi-info]. One can add -l as a command line
1451 option to list the individual machines.
</p
>
1453 <p
>A larger list is
1454 <a href=
"http://narvikskolen.no/sitesummary/
">available from the the
1455 city of Narvik
</a
>, which uses Skolelinux on all their shools and also
1456 provide the basic sitesummary report publicly. In their report there
1457 are ~
1400 machines. I know they use both Ubuntu and Skolelinux on
1458 their machines, and as sitesummary is available in both distributions,
1459 it is trivial to get all of them to report to the same central
1460 collector.
</p
>
1465 <title>A manual for standards wars...
</title>
1466 <link>http://people.skolelinux.org/pere/blog/A_manual_for_standards_wars___.html
</link>
1467 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/A_manual_for_standards_wars___.html
</guid>
1468 <pubDate>Sun,
6 Jun
2010 14:
15:
00 +
0200</pubDate>
1471 <a href=
"http://feedproxy.google.com/~r/robweir/antic-atom/~
3/QzU4RgoAGMg/weekly-links-
10.html
">blog
1472 of Rob Weir
</a
> I came across the very interesting essay named
1473 <a href=
"http://faculty.haas.berkeley.edu/shapiro/wars.pdf
">The Art of
1474 Standards Wars
</a
> (PDF
25 pages). I recommend it for everyone
1475 following the standards wars of today.
</p
>
1480 <title>Upstart or sysvinit - as init.d scripts see it
</title>
1481 <link>http://people.skolelinux.org/pere/blog/Upstart_or_sysvinit___as_init_d_scripts_see_it.html
</link>
1482 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Upstart_or_sysvinit___as_init_d_scripts_see_it.html
</guid>
1483 <pubDate>Sun,
6 Jun
2010 23:
55:
00 +
0200</pubDate>
1485 <p
>If Debian is to migrate to upstart on Linux, I expect some init.d
1486 scripts to migrate (some of) their operations to upstart job while
1487 keeping the init.d for hurd and kfreebsd. The packages with such
1488 needs will need a way to get their init.d scripts to behave
1489 differently when used with sysvinit and with upstart. Because of
1490 this, I had a look at the environment variables set when a init.d
1491 script is running under upstart, and when it is not.
</p
>
1493 <p
>With upstart, I notice these environment variables are set when a
1494 script is started from rcS.d/ (ignoring some irrelevant ones like
1497 <blockquote
><pre
>
1503 UPSTART_EVENTS=startup
1505 UPSTART_JOB=rc-sysinit
1506 </pre
></blockquote
>
1508 <p
>With sysvinit, these environment variables are set for the same
1511 <blockquote
><pre
>
1512 INIT_VERSION=sysvinit-
2.88
1517 </pre
></blockquote
>
1519 <p
>The RUNLEVEL and PREVLEVEL environment variables passed on from
1520 sysvinit are not set by upstart. Not sure if it is intentional or not
1521 to not be compatible with sysvinit in this regard.
</p
>
1523 <p
>For scripts needing to behave differently when upstart is used,
1524 looking for the UPSTART_JOB environment variable seem to be a good
1530 <title>Automatic upgrade testing from Lenny to Squeeze
</title>
1531 <link>http://people.skolelinux.org/pere/blog/Automatic_upgrade_testing_from_Lenny_to_Squeeze.html
</link>
1532 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Automatic_upgrade_testing_from_Lenny_to_Squeeze.html
</guid>
1533 <pubDate>Fri,
11 Jun
2010 22:
50:
00 +
0200</pubDate>
1535 <p
>The last few days I have done some upgrade testing in Debian, to
1536 see if the upgrade from Lenny to Squeeze will go smoothly. A few bugs
1537 have been discovered and reported in the process
1538 (
<a href=
"http://bugs.debian.org/
585410">#
585410</a
> in nagios3-cgi,
1539 <a href=
"http://bugs.debian.org/
584879">#
584879</a
> already fixed in
1540 enscript and
<a href=
"http://bugs.debian.org/
584861">#
584861</a
> in
1541 kdebase-workspace-data), and to get a more regular testing going on, I
1542 am working on a script to automate the test.
</p
>
1544 <p
>The idea is to create a Lenny chroot and use tasksel to install a
1545 Gnome or KDE desktop installation inside the chroot before upgrading
1546 it. To ensure no services are started in the chroot, a policy-rc.d
1547 script is inserted. To make sure tasksel believe it is to install a
1548 desktop on a laptop, the tasksel tests are replaced in the chroot
1549 (only acceptable because this is a throw-away chroot).
</p
>
1551 <p
>A naive upgrade from Lenny to Squeeze using aptitude dist-upgrade
1552 currently always fail because udev refuses to upgrade with the kernel
1553 in Lenny, so to avoid that problem the file /etc/udev/kernel-upgrade
1554 is created. The bug report
1555 <a href=
"http://bugs.debian.org/
566000">#
566000</a
> make me suspect
1556 this problem do not trigger in a chroot, but I touch the file anyway
1557 to make sure the upgrade go well. Testing on virtual and real
1558 hardware have failed me because of udev so far, and creating this file
1559 do the trick in such settings anyway. This is a
1560 <a href=
"http://www.linuxquestions.org/questions/debian-
26/failed-dist-upgrade-due-to-udev-config_sysfs_deprecated-nonsense-
804130/
">known
1561 issue
</a
> and the current udev behaviour is intended by the udev
1562 maintainer because he lack the resources to rewrite udev to keep
1563 working with old kernels or something like that. I really wish the
1564 udev upstream would keep udev backwards compatible, to avoid such
1565 upgrade problem, but given that they fail to do so, I guess
1566 documenting the way out of this mess is the best option we got for
1567 Debian Squeeze.
</p
>
1569 <p
>Anyway, back to the task at hand, testing upgrades. This test
1570 script, which I call
<tt
>upgrade-test
</tt
> for now, is doing the
1573 <blockquote
><pre
>
1577 if [
"$
1" ] ; then
1586 exec
&lt; /dev/null
1588 mirror=http://ftp.skolelinux.org/debian
1589 tmpdir=chroot-$from-upgrade-$to-$desktop
1591 debootstrap $from $tmpdir $mirror
1592 chroot $tmpdir aptitude update
1593 cat
> $tmpdir/usr/sbin/policy-rc.d
&lt;
&lt;EOF
1597 chmod a+rx $tmpdir/usr/sbin/policy-rc.d
1601 mount -t proc proc $tmpdir/proc
1602 # Make sure proc is unmounted also on failure
1603 trap exit_cleanup EXIT INT
1605 chroot $tmpdir aptitude -y install debconf-utils
1607 # Make sure tasksel autoselection trigger. It need the test scripts
1608 # to return the correct answers.
1609 echo tasksel tasksel/desktop multiselect $desktop | \
1610 chroot $tmpdir debconf-set-selections
1612 # Include the desktop and laptop task
1613 for test in desktop laptop ; do
1614 echo
> $tmpdir/usr/lib/tasksel/tests/$test
&lt;
&lt;EOF
1618 chmod a+rx $tmpdir/usr/lib/tasksel/tests/$test
1621 DEBIAN_FRONTEND=noninteractive
1622 DEBIAN_PRIORITY=critical
1623 export DEBIAN_FRONTEND DEBIAN_PRIORITY
1624 chroot $tmpdir tasksel --new-install
1626 echo deb $mirror $to main
> $tmpdir/etc/apt/sources.list
1627 chroot $tmpdir aptitude update
1628 touch $tmpdir/etc/udev/kernel-upgrade
1629 chroot $tmpdir aptitude -y dist-upgrade
1631 </pre
></blockquote
>
1633 <p
>I suspect it would be useful to test upgrades with both apt-get and
1634 with aptitude, but I have not had time to look at how they behave
1635 differently so far. I hope to get a cron job running to do the test
1636 regularly and post the result on the web. The Gnome upgrade currently
1637 work, while the KDE upgrade fail because of the bug in
1638 kdebase-workspace-data
</p
>
1640 <p
>I am not quite sure what kind of extract from the huge upgrade logs
1641 (KDE
167 KiB, Gnome
516 KiB) it make sense to include in this blog
1642 post, so I will refrain from trying. I can report that for Gnome,
1643 aptitude report
760 packages upgraded,
448 newly installed,
129 to
1644 remove and
1 not upgraded and
1024MB need to be downloaded while for
1645 KDE the same numbers are
702 packages upgraded,
507 newly installed,
1646 193 to remove and
0 not upgraded and
1117MB need to be downloaded
</p
>
1648 <p
>I am very happy to notice that the Gnome desktop + laptop upgrade
1649 is able to migrate to dependency based boot sequencing and parallel
1650 booting without a hitch. Was unsure if there were still bugs with
1651 packages failing to clean up their obsolete init.d script during
1652 upgrades, and no such problem seem to affect the Gnome desktop+laptop
1658 <title>Lenny-
>Squeeze upgrades, removals by apt and aptitude
</title>
1659 <link>http://people.skolelinux.org/pere/blog/Lenny__Squeeze_upgrades__removals_by_apt_and_aptitude.html
</link>
1660 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Lenny__Squeeze_upgrades__removals_by_apt_and_aptitude.html
</guid>
1661 <pubDate>Sun,
13 Jun
2010 09:
05:
00 +
0200</pubDate>
1664 <a href=
"http://people.skolelinux.org/pere/blog/Automatic_upgrade_testing_from_Lenny_to_Squeeze.html
">testing
1665 of Debian upgrades
</a
> from Lenny to Squeeze continues, and I
've
1666 finally made the upgrade logs available from
1667 <a href=
"http://people.skolelinux.org/pere/debian-upgrade-testing/
">http://people.skolelinux.org/pere/debian-upgrade-testing/
</a
>.
1668 I am now testing dist-upgrade of Gnome and KDE in a chroot using both
1669 apt and aptitude, and found their differences interesting. This time
1670 I will only focus on their removal plans.
</p
>
1672 <p
>After installing a Gnome desktop and the laptop task, apt-get wants
1673 to remove
72 packages when dist-upgrading from Lenny to Squeeze. The
1674 surprising part is that it want to remove xorg and all
1675 xserver-xorg-video* drivers. Clearly not a good choice, but I am not
1676 sure why. When asking aptitude to do the same, it want to remove
129
1677 packages, but most of them are library packages I suspect are no
1678 longer needed. Both of them want to remove bluetooth packages, which
1679 I do not know. Perhaps these bluetooth packages are obsolete?
</p
>
1681 <p
>For KDE, apt-get want to remove
82 packages, among them kdebase
1682 which seem like a bad idea and xorg the same way as with Gnome. Asking
1683 aptitude for the same, it wants to remove
192 packages, none which are
1684 too surprising.
</p
>
1686 <p
>I guess the removal of xorg during upgrades should be investigated
1687 and avoided, and perhaps others as well. Here are the complete list
1688 of planned removals. The complete logs is available from the URL
1689 above. Note if you want to repeat these tests, that the upgrade test
1690 for kde+apt-get hung in the tasksel setup because of dpkg asking
1691 conffile questions. No idea why. I worked around it by using
1692 '<tt
>echo
>> /proc/
<em
>pidofdpkg
</em
>/fd/
0</tt
>' to tell dpkg to
1695 <p
><b
>apt-get gnome
72</b
>
1696 <br
>bluez-gnome cupsddk-drivers deskbar-applet gnome
1697 gnome-desktop-environment gnome-network-admin gtkhtml3.14
1698 iceweasel-gnome-support libavcodec51 libdatrie0 libgdl-
1-
0
1699 libgnomekbd2 libgnomekbdui2 libmetacity0 libslab0 libxcb-xlib0
1700 nautilus-cd-burner python-gnome2-desktop python-gnome2-extras
1701 serpentine swfdec-mozilla update-manager xorg xserver-xorg
1702 xserver-xorg-core xserver-xorg-input-all xserver-xorg-input-evdev
1703 xserver-xorg-input-kbd xserver-xorg-input-mouse
1704 xserver-xorg-input-synaptics xserver-xorg-input-wacom
1705 xserver-xorg-video-all xserver-xorg-video-apm xserver-xorg-video-ark
1706 xserver-xorg-video-ati xserver-xorg-video-chips
1707 xserver-xorg-video-cirrus xserver-xorg-video-cyrix
1708 xserver-xorg-video-dummy xserver-xorg-video-fbdev
1709 xserver-xorg-video-glint xserver-xorg-video-i128
1710 xserver-xorg-video-i740 xserver-xorg-video-imstt
1711 xserver-xorg-video-intel xserver-xorg-video-mach64
1712 xserver-xorg-video-mga xserver-xorg-video-neomagic
1713 xserver-xorg-video-nsc xserver-xorg-video-nv
1714 xserver-xorg-video-openchrome xserver-xorg-video-r128
1715 xserver-xorg-video-radeon xserver-xorg-video-radeonhd
1716 xserver-xorg-video-rendition xserver-xorg-video-s3
1717 xserver-xorg-video-s3virge xserver-xorg-video-savage
1718 xserver-xorg-video-siliconmotion xserver-xorg-video-sis
1719 xserver-xorg-video-sisusb xserver-xorg-video-tdfx
1720 xserver-xorg-video-tga xserver-xorg-video-trident
1721 xserver-xorg-video-tseng xserver-xorg-video-v4l
1722 xserver-xorg-video-vesa xserver-xorg-video-vga
1723 xserver-xorg-video-vmware xserver-xorg-video-voodoo xulrunner-
1.9
1724 xulrunner-
1.9-gnome-support
</p
>
1726 <p
><b
>aptitude gnome
129</b
>
1728 <br
>bluez-gnome bluez-utils cpp-
4.3 cupsddk-drivers dhcdbd
1729 djvulibre-desktop finger gnome-app-install gnome-mount
1730 gnome-network-admin gnome-spell gnome-vfs-obexftp
1731 gnome-volume-manager gstreamer0.10-gnomevfs gtkhtml3.14 libao2
1732 libavahi-compat-libdnssd1 libavahi-core5 libavcodec51 libbluetooth2
1733 libcamel1.2-
11 libcdio7 libcucul0 libcupsys2 libcurl3 libdatrie0
1734 libdirectfb-
1.0-
0 libdvdread3 libedataserver1.2-
9 libeel2-
2.20
1735 libeel2-data libepc-
1.0-
1 libepc-ui-
1.0-
1 libfaad0 libgail-common
1736 libgd2-noxpm libgda3-
3 libgda3-common libgdl-
1-
0 libgdl-
1-common
1737 libggz2 libggzcore9 libggzmod4 libgksu1.2-
0 libgksuui1.0-
1 libgmyth0
1738 libgnomecups1.0-
1 libgnomekbd2 libgnomekbdui2 libgnomeprint2.2-
0
1739 libgnomeprint2.2-data libgnomeprintui2.2-
0 libgnomeprintui2.2-common
1740 libgnomevfs2-bin libgpod3 libgraphviz4 libgtkhtml2-
0
1741 libgtksourceview-common libgtksourceview1.0-
0 libgucharmap6
1742 libhesiod0 libicu38 libiw29 libkpathsea4 libltdl3 libmagick++
10
1743 libmagick10 libmalaga7 libmetacity0 libmtp7 libmysqlclient15off
1744 libnautilus-burn4 libneon27 libnm-glib0 libnm-util0 libopal-
2.2
1745 libosp5 libparted1.8-
10 libpoppler-glib3 libpoppler3 libpt-
1.10.10
1746 libpt-
1.10.10-plugins-alsa libpt-
1.10.10-plugins-v4l libraw1394-
8
1747 libsensors3 libslab0 libsmbios2 libsoup2.2-
8 libssh2-
1
1748 libsuitesparse-
3.1.0 libswfdec-
0.6-
90 libtalloc1 libtotem-plparser10
1749 libtrackerclient0 libxalan2-java libxalan2-java-gcj libxcb-xlib0
1750 libxerces2-java libxerces2-java-gcj libxklavier12 libxtrap6
1751 libxxf86misc1 libzephyr3 mysql-common nautilus-cd-burner
1752 openoffice.org-writer2latex openssl-blacklist p7zip
1753 python-
4suite-xml python-eggtrayicon python-gnome2-desktop
1754 python-gnome2-extras python-gtkhtml2 python-gtkmozembed
1755 python-numeric python-sexy serpentine svgalibg1 swfdec-gnome
1756 swfdec-mozilla totem-gstreamer update-manager wodim
1757 xserver-xorg-video-cyrix xserver-xorg-video-imstt
1758 xserver-xorg-video-nsc xserver-xorg-video-v4l xserver-xorg-video-vga
1761 <p
><b
>apt-get kde
82</b
>
1763 <br
>cupsddk-drivers karm kaudiocreator kcoloredit kcontrol kde kde-core
1764 kdeaddons kdeartwork kdebase kdebase-bin kdebase-bin-kde3
1765 kdebase-kio-plugins kdesktop kdeutils khelpcenter kicker
1766 kicker-applets knewsticker kolourpaint konq-plugins konqueror korn
1767 kpersonalizer kscreensaver ksplash libavcodec51 libdatrie0 libkiten1
1768 libxcb-xlib0 quanta superkaramba texlive-base-bin xorg xserver-xorg
1769 xserver-xorg-core xserver-xorg-input-all xserver-xorg-input-evdev
1770 xserver-xorg-input-kbd xserver-xorg-input-mouse
1771 xserver-xorg-input-synaptics xserver-xorg-input-wacom
1772 xserver-xorg-video-all xserver-xorg-video-apm xserver-xorg-video-ark
1773 xserver-xorg-video-ati xserver-xorg-video-chips
1774 xserver-xorg-video-cirrus xserver-xorg-video-cyrix
1775 xserver-xorg-video-dummy xserver-xorg-video-fbdev
1776 xserver-xorg-video-glint xserver-xorg-video-i128
1777 xserver-xorg-video-i740 xserver-xorg-video-imstt
1778 xserver-xorg-video-intel xserver-xorg-video-mach64
1779 xserver-xorg-video-mga xserver-xorg-video-neomagic
1780 xserver-xorg-video-nsc xserver-xorg-video-nv
1781 xserver-xorg-video-openchrome xserver-xorg-video-r128
1782 xserver-xorg-video-radeon xserver-xorg-video-radeonhd
1783 xserver-xorg-video-rendition xserver-xorg-video-s3
1784 xserver-xorg-video-s3virge xserver-xorg-video-savage
1785 xserver-xorg-video-siliconmotion xserver-xorg-video-sis
1786 xserver-xorg-video-sisusb xserver-xorg-video-tdfx
1787 xserver-xorg-video-tga xserver-xorg-video-trident
1788 xserver-xorg-video-tseng xserver-xorg-video-v4l
1789 xserver-xorg-video-vesa xserver-xorg-video-vga
1790 xserver-xorg-video-vmware xserver-xorg-video-voodoo xulrunner-
1.9</p
>
1792 <p
><b
>aptitude kde
192</b
>
1793 <br
>bluez-utils cpp-
4.3 cupsddk-drivers cvs dcoprss dhcdbd
1794 djvulibre-desktop dosfstools eyesapplet fifteenapplet finger gettext
1795 ghostscript-x imlib-base imlib11 indi kandy karm kasteroids
1796 kaudiocreator kbackgammon kbstate kcoloredit kcontrol kcron kdat
1797 kdeadmin-kfile-plugins kdeartwork-misc kdeartwork-theme-window
1798 kdebase-bin-kde3 kdebase-kio-plugins kdeedu-data
1799 kdegraphics-kfile-plugins kdelirc kdemultimedia-kappfinder-data
1800 kdemultimedia-kfile-plugins kdenetwork-kfile-plugins
1801 kdepim-kfile-plugins kdepim-kio-plugins kdeprint kdesktop kdessh
1802 kdict kdnssd kdvi kedit keduca kenolaba kfax kfaxview kfouleggs
1803 kghostview khelpcenter khexedit kiconedit kitchensync klatin
1804 klickety kmailcvt kmenuedit kmid kmilo kmoon kmrml kodo kolourpaint
1805 kooka korn kpager kpdf kpercentage kpf kpilot kpoker kpovmodeler
1806 krec kregexpeditor ksayit ksim ksirc ksirtet ksmiletris ksmserver
1807 ksnake ksokoban ksplash ksvg ksysv ktip ktnef kuickshow kverbos
1808 kview kviewshell kvoctrain kwifimanager kwin kwin4 kworldclock
1809 kxsldbg libakode2 libao2 libarts1-akode libarts1-audiofile
1810 libarts1-mpeglib libarts1-xine libavahi-compat-libdnssd1
1811 libavahi-core5 libavc1394-
0 libavcodec51 libbluetooth2
1812 libboost-python1.34
.1 libcucul0 libcurl3 libcvsservice0 libdatrie0
1813 libdirectfb-
1.0-
0 libdjvulibre21 libdvdread3 libfaad0 libfreebob0
1814 libgail-common libgd2-noxpm libgraphviz4 libgsmme1c2a libgtkhtml2-
0
1815 libicu38 libiec61883-
0 libindex0 libiw29 libk3b3 libkcal2b libkcddb1
1816 libkdeedu3 libkdepim1a libkgantt0 libkiten1 libkleopatra1 libkmime2
1817 libkpathsea4 libkpimexchange1 libkpimidentities1 libkscan1
1818 libksieve0 libktnef1 liblockdev1 libltdl3 libmagick10 libmimelib1c2a
1819 libmozjs1d libmpcdec3 libneon27 libnm-util0 libopensync0 libpisock9
1820 libpoppler-glib3 libpoppler-qt2 libpoppler3 libraw1394-
8 libsmbios2
1821 libssh2-
1 libsuitesparse-
3.1.0 libtalloc1 libtiff-tools
1822 libxalan2-java libxalan2-java-gcj libxcb-xlib0 libxerces2-java
1823 libxerces2-java-gcj libxtrap6 mpeglib networkstatus
1824 openoffice.org-writer2latex pmount poster psutils quanta quanta-data
1825 superkaramba svgalibg1 tex-common texlive-base texlive-base-bin
1826 texlive-common texlive-doc-base texlive-fonts-recommended
1827 xserver-xorg-video-cyrix xserver-xorg-video-imstt
1828 xserver-xorg-video-nsc xserver-xorg-video-v4l xserver-xorg-video-vga
1829 xulrunner-
1.9</p
>
1835 <title>Officeshots taking shape
</title>
1836 <link>http://people.skolelinux.org/pere/blog/Officeshots_taking_shape.html
</link>
1837 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Officeshots_taking_shape.html
</guid>
1838 <pubDate>Sun,
13 Jun
2010 11:
40:
00 +
0200</pubDate>
1840 <p
>For those of us caring about document exchange and
1841 interoperability,
<a href=
"http://www.officeshots.org/
">OfficeShots
</a
>
1842 is a great service. It is to ODF documents what
1843 <a href=
"http://browsershots.org/
">BrowserShots
</a
> is for web
1846 <p
>A while back, I was contacted by Knut Yrvin at the part of Nokia
1847 that used to be Trolltech, who wanted to help the OfficeShots project
1848 and wondered if the University of Oslo where I work would be
1849 interested in supporting the project. I helped him to navigate his
1850 request to the right people at work, and his request was answered with
1851 a spot in the machine room with power and network connected, and Knut
1852 arranged funding for a machine to fill the spot. The machine is
1853 administrated by the OfficeShots people, so I do not have daily
1854 contact with its progress, and thus from time to time check back to
1855 see how the project is doing.
</p
>
1857 <p
>Today I had a look, and was happy to see that the Dell box in our
1858 machine room now is the host for several virtual machines running as
1859 OfficeShots factories, and the project is able to render ODF documents
1860 in
17 different document processing implementation on Linux and
1861 Windows. This is great.
</p
>
1866 <title>Calling tasksel like the installer, while still getting useful output
</title>
1867 <link>http://people.skolelinux.org/pere/blog/Calling_tasksel_like_the_installer__while_still_getting_useful_output.html
</link>
1868 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Calling_tasksel_like_the_installer__while_still_getting_useful_output.html
</guid>
1869 <pubDate>Wed,
16 Jun
2010 14:
55:
00 +
0200</pubDate>
1871 <p
>A few times I have had the need to simulate the way tasksel
1872 installs packages during the normal debian-installer run. Until now,
1873 I have ended up letting tasksel do the work, with the annoying problem
1874 of not getting any feedback at all when something fails (like a
1875 conffile question from dpkg or a download that fails), using code like
1878 <blockquote
><pre
>
1879 export DEBIAN_FRONTEND=noninteractive
1880 tasksel --new-install
1881 </pre
></blockquote
>
1883 This would invoke tasksel, let its automatic task selection pick the
1884 tasks to install, and continue to install the requested tasks without
1885 any output what so ever.
1887 Recently I revisited this problem while working on the automatic
1888 package upgrade testing, because tasksel would some times hang without
1889 any useful feedback, and I want to see what is going on when it
1890 happen. Then it occured to me, I can parse the output from tasksel
1891 when asked to run in test mode, and use that aptitude command line
1892 printed by tasksel then to simulate the tasksel run. I ended up using
1895 <blockquote
><pre
>
1896 export DEBIAN_FRONTEND=noninteractive
1897 cmd=
"$(in_target tasksel -t --new-install | sed
's/debconf-apt-progress -- //
')
"
1899 </pre
></blockquote
>
1901 <p
>The content of $cmd is typically something like
"<tt
>aptitude -q
1902 --without-recommends -o APT::Install-Recommends=no -y install
1903 ~t^desktop$ ~t^gnome-desktop$ ~t^laptop$ ~pstandard ~prequired
1904 ~pimportant
</tt
>", which will install the gnome desktop task, the
1905 laptop task and all packages with priority standard , required and
1906 important, just like tasksel would have done it during
1907 installation.
</p
>
1909 <p
>A better approach is probably to extend tasksel to be able to
1910 install packages without using debconf-apt-progress, for use cases
1911 like this.
</p
>
1916 <title>Idea for a change to LDAP schemas allowing DNS and DHCP info to be combined into one object
</title>
1917 <link>http://people.skolelinux.org/pere/blog/Idea_for_a_change_to_LDAP_schemas_allowing_DNS_and_DHCP_info_to_be_combined_into_one_object.html
</link>
1918 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Idea_for_a_change_to_LDAP_schemas_allowing_DNS_and_DHCP_info_to_be_combined_into_one_object.html
</guid>
1919 <pubDate>Thu,
24 Jun
2010 00:
35:
00 +
0200</pubDate>
1921 <p
>A while back, I
1922 <a href=
"http://people.skolelinux.org/pere/blog/Time_for_new__LDAP_schemas_replacing_RFC_2307_.html
">complained
1923 about the fact
</a
> that it is not possible with the provided schemas
1924 for storing DNS and DHCP information in LDAP to combine the two sets
1925 of information into one LDAP object representing a computer.
</p
>
1927 <p
>In the mean time, I discovered that a simple fix would be to make
1928 the dhcpHost object class auxiliary, to allow it to be combined with
1929 the dNSDomain object class, and thus forming one object for one
1930 computer when storing both DHCP and DNS information in LDAP.
</p
>
1932 <p
>If I understand this correctly, it is not safe to do this change
1933 without also changing the assigned number for the object class, and I
1934 do not know enough about LDAP schema design to do that properly for
1935 Debian Edu.
</p
>
1937 <p
>Anyway, for future reference, this is how I believe we could change
1939 <a href=
"http://tools.ietf.org/html/draft-ietf-dhc-ldap-schema-
00">DHCP
1940 schema
</a
> to solve at least part of the problem with the LDAP schemas
1941 available today from IETF.
</p
>
1944 --- dhcp.schema (revision
65192)
1945 +++ dhcp.schema (working copy)
1947 objectclass (
2.16.840.1.113719.1.203.6.6
1948 NAME
'dhcpHost
'
1949 DESC
'This represents information about a particular client
'
1953 MAY (dhcpLeaseDN $ dhcpHWAddress $ dhcpOptionsDN $ dhcpStatements $ dhcpComments $ dhcpOption)
1954 X-NDS_CONTAINMENT (
'dhcpService
' 'dhcpSubnet
' 'dhcpGroup
') )
1957 <p
>I very much welcome clues on how to do this properly for Debian
1958 Edu/Squeeze. We provide the DHCP schema in our debian-edu-config
1959 package, and should thus be free to rewrite it as we see fit.
</p
>
1961 <p
>If you want to help out with implementing this for Debian Edu,
1962 please contact us on debian-edu@lists.debian.org.
</p
>
1967 <title>LUMA, a very nice LDAP GUI
</title>
1968 <link>http://people.skolelinux.org/pere/blog/LUMA__a_very_nice_LDAP_GUI.html
</link>
1969 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/LUMA__a_very_nice_LDAP_GUI.html
</guid>
1970 <pubDate>Mon,
28 Jun
2010 00:
30:
00 +
0200</pubDate>
1972 <p
>The last few days I have been looking into the status of the LDAP
1973 directory in Debian Edu, and in the process I started to miss a GUI
1974 tool to browse the LDAP tree. The only one I was able to find in
1975 Debian/Squeeze and Lenny is
1976 <a href=
"http://luma.sourceforge.net/
">LUMA
</a
>, which has proved to
1977 be a great tool to get a overview of the current LDAP directory
1978 populated by default in Skolelinux. Thanks to it, I have been able to
1979 find empty and obsolete subtrees, misplaced objects and duplicate
1980 objects. It will be installed by default in Debian/Squeeze. If you
1981 are working with LDAP, give it a go. :)
</p
>
1983 <p
>I did notice one problem with it I have not had time to report to
1984 the BTS yet. There is no .desktop file in the package, so the tool do
1985 not show up in the Gnome and KDE menus, but only deep down in in the
1986 Debian submenu in KDE. I hope that can be fixed before Squeeze is
1989 <p
>I have not yet been able to get it to modify the tree yet. I would
1990 like to move objects and remove subtrees directly in the GUI, but have
1991 not found a way to do that with LUMA yet. So in the mean time, I use
1992 <a href=
"http://www.lichteblau.com/ldapvi/
">ldapvi
</a
> for that.
</p
>
1994 <p
>If you have tips on other GUI tools for LDAP that might be useful
1995 in Debian Edu, please contact us on debian-edu@lists.debian.org.
</p
>
1997 <p
>Update
2010-
06-
29: Ross Reedstrom tipped us about the
1998 <a href=
"http://packages.qa.debian.org/g/gq.html
">gq
</a
> package as a
1999 useful GUI alternative. It seem like a good tool, but is unmaintained
2000 in Debian and got a RC bug keeping it out of Squeeze. Unless that
2001 changes, it will not be an option for Debian Edu based on Squeeze.
</p
>
2006 <title>Caching password, user and group on a roaming Debian laptop
</title>
2007 <link>http://people.skolelinux.org/pere/blog/Caching_password__user_and_group_on_a_roaming_Debian_laptop.html
</link>
2008 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Caching_password__user_and_group_on_a_roaming_Debian_laptop.html
</guid>
2009 <pubDate>Thu,
1 Jul
2010 11:
40:
00 +
0200</pubDate>
2011 <p
>For a laptop, centralized user directories and password checking is
2012 a bit troubling. Laptops are typically used also when not connected
2013 to the network, and it is vital for a user to be able to log in or
2014 unlock the screen saver also when a central server is unavailable.
2015 This is possible by caching passwords and directory information (user
2016 and group attributes) locally, and the packages to do so are available
2017 in Debian. Here follow two recipes to set this up in Debian/Squeeze.
2018 It is also possible to set up in Debian/Lenny, but require more manual
2019 setup there because pam-auth-update is missing in Lenny.
</p
>
2021 <h2
>LDAP/Kerberos + nscd + libpam-ccreds + libpam-mklocaluser/pam_mkhomedir
</h2
>
2023 This is the traditional method with a twist. The password caching is
2024 provided by libpam-ccreds (version
10-
4 or later is needed on
2025 Squeeze), and the directory caching is done by nscd. The directory
2026 lookup and password checking is done using LDAP. If one want to use
2027 Kerberos for password checking the libpam-ldapd package can be
2028 replaced with libpam-krb5 or libpam-heimdal. If one is happy having a
2029 local home directory with the path listed in LDAP, one can use the
2030 pam_mkhomedir module from pam-modules to make this happen instead of
2031 using libpam-mklocaluser. A setup for pam-auth-update to enable
2032 pam_mkhomedir will have to be written until a fix for
2033 <a href=
"http://bugs.debian.org/
568577">bug #
568577</a
> is in the
2034 archive. Because I believe it is a bad idea to have local home
2035 directories using misleading paths like /site/server/partition/, I
2036 prefer to create a local user with the home directory in /home/. This
2037 is done using the libpam-mklocaluser package.
</p
>
2039 <p
>These packages need to be installed and configured
</p
>
2041 <blockquote
><pre
>
2042 libnss-ldapd libpam-ldapd nscd libpam-ccreds libpam-mklocaluser
2043 </pre
></blockquote
>
2045 <p
>The ldapd packages will ask for LDAP connection information, and
2046 one have to fill in the values that fits ones own site. Make sure the
2047 PAM part uses encrypted connections, to make sure the password is not
2048 sent in clear text to the LDAP server. I
've been unable to get TLS
2049 certificate checking for a self signed certificate working, which make
2050 LDAP authentication unsafe for Debian Edu (nslcd is not checking if it
2051 is talking to the correct LDAP server), and very much welcome feedback
2052 on how to get this working.
</p
>
2054 <p
>Because nscd do not have a default configuration fit for offline
2055 caching until
<a href=
"http://bugs.debian.org/
485282">bug #
485282</a
>
2056 is fixed, this configuration should be used instead of the one
2057 currently in /etc/nscd.conf. The changes are in the fields
2058 reload-count and positive-time-to-live, and is based on the
2059 instructions I found in the
2060 <a href=
"http://www.flyn.org/laptopldap/
">LDAP for Mobile Laptops
</a
>
2061 instructions by Flyn Computing.
</p
>
2063 <blockquote
><pre
>
2065 reload-count unlimited
2068 enable-cache passwd yes
2069 positive-time-to-live passwd
2592000
2070 negative-time-to-live passwd
20
2071 suggested-size passwd
211
2072 check-files passwd yes
2073 persistent passwd yes
2075 max-db-size passwd
33554432
2076 auto-propagate passwd yes
2078 enable-cache group yes
2079 positive-time-to-live group
2592000
2080 negative-time-to-live group
20
2081 suggested-size group
211
2082 check-files group yes
2083 persistent group yes
2085 max-db-size group
33554432
2086 auto-propagate group yes
2088 enable-cache hosts no
2089 positive-time-to-live hosts
2592000
2090 negative-time-to-live hosts
20
2091 suggested-size hosts
211
2092 check-files hosts yes
2093 persistent hosts yes
2095 max-db-size hosts
33554432
2097 enable-cache services yes
2098 positive-time-to-live services
2592000
2099 negative-time-to-live services
20
2100 suggested-size services
211
2101 check-files services yes
2102 persistent services yes
2104 max-db-size services
33554432
2105 </pre
></blockquote
>
2107 <p
>While we wait for a mechanism to update /etc/nsswitch.conf
2108 automatically like the one provided in
2109 <a href=
"http://bugs.debian.org/
496915">bug #
496915</a
>, the file
2110 content need to be manually replaced to ensure LDAP is used as the
2111 directory service on the machine. /etc/nsswitch.conf should normally
2112 look like this:
</p
>
2114 <blockquote
><pre
>
2118 hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
2124 netgroup: files ldap
2125 </pre
></blockquote
>
2127 <p
>The important parts are that ldap is listed last for passwd, group,
2128 shadow and netgroup.
</p
>
2130 <p
>With these changes in place, any user in LDAP will be able to log
2131 in locally on the machine using for example kdm, get a local home
2132 directory created and have the password as well as user and group
2135 <h2
>LDAP/Kerberos + nss-updatedb + libpam-ccreds +
2136 libpam-mklocaluser/pam_mkhomedir
</h2
>
2138 <p
>Because nscd have had its share of problems, and seem to have
2139 problems doing proper caching, I
've seen suggestions and recipes to
2140 use nss-updatedb to copy parts of the LDAP database locally when the
2141 LDAP database is available. I have not tested such setup, because I
2142 discovered sssd.
</p
>
2144 <h2
>LDAP/Kerberos + sssd + libpam-mklocaluser
</h2
>
2146 <p
>A more flexible and robust setup than the nscd combination
2147 mentioned earlier that has shown up recently, is the
2148 <a href=
"https://fedorahosted.org/sssd/
">sssd
</a
> package from Redhat.
2149 It is part of the
<a href=
"http://www.freeipa.org/
">FreeIPA
</A
> project
2150 to provide a Active Directory like directory service for Linux
2151 machines. The sssd system combines the caching of passwords and user
2152 information into one package, and remove the need for nscd and
2153 libpam-ccreds. It support LDAP and Kerberos, but not NIS. Version
2154 1.2 do not support netgroups, but it is said that it will support this
2155 in version
1.5 expected to show up later in
2010. Because the
2156 <a href=
"http://packages.qa.debian.org/s/sssd.html
">sssd package
</a
>
2157 was missing in Debian, I ended up co-maintaining it with Werner, and
2158 version
1.2 is now in testing.
2160 <p
>These packages need to be installed and configured to get the
2161 roaming setup I want
</p
>
2163 <blockquote
><pre
>
2164 libpam-sss libnss-sss libpam-mklocaluser
2165 </pre
></blockquote
>
2167 The complete setup of sssd is done by editing/creating
2168 <tt
>/etc/sssd/sssd.conf
</tt
>.
2170 <blockquote
><pre
>
2172 config_file_version =
2
2173 reconnection_retries =
3
2179 filter_groups = root
2181 reconnection_retries =
3
2184 reconnection_retries =
3
2188 cache_credentials = true
2191 auth_provider = ldap
2192 chpass_provider = ldap
2194 ldap_uri = ldap://ldap
2195 ldap_search_base = dc=skole,dc=skolelinux,dc=no
2196 ldap_tls_reqcert = never
2197 ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
2198 </pre
></blockquote
>
2200 <p
>I got the same problem here with certificate checking. Had to set
2201 "ldap_tls_reqcert = never
" to get it working.
</p
>
2203 <p
>With the libnss-sss package in testing at the moment, the
2204 nsswitch.conf file is update automatically, so there is no need to
2205 modify it manually.
</p
>
2207 <p
>If you want to help out with implementing this for Debian Edu,
2208 please contact us on debian-edu@lists.debian.org.
</p
>
2213 <title>Lenny-
>Squeeze upgrades, apt vs aptitude with the Gnome desktop
</title>
2214 <link>http://people.skolelinux.org/pere/blog/Lenny__Squeeze_upgrades__apt_vs_aptitude_with_the_Gnome_desktop.html
</link>
2215 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Lenny__Squeeze_upgrades__apt_vs_aptitude_with_the_Gnome_desktop.html
</guid>
2216 <pubDate>Sat,
3 Jul
2010 23:
55:
00 +
0200</pubDate>
2218 <p
>Here is a short update on my
<a
2219 href=
"http://people.skolelinux.org/~pere/debian-upgrade-testing/
">my
2220 Debian Lenny-
>Squeeze upgrade testing
</a
>. Here is a summary of the
2221 difference for Gnome when it is upgraded by apt-get and aptitude. I
'm
2222 not reporting the status for KDE, because the upgrade crashes when
2223 aptitude try because of missing conflicts
2224 (
<a href=
"http://bugs.debian.org/
584861">#
584861</a
> and
2225 <a href=
"http://bugs.debian.org/
585716">#
585716</a
>).
</p
>
2227 <p
>At the end of the upgrade test script, dpkg -l is executed to get a
2228 complete list of the installed packages. Based on this I see these
2229 differences when I did a test run today. As usual, I do not really
2230 know what the correct set of packages would be, but thought it best to
2231 publish the difference.
</p
>
2233 <p
>Installed using apt-get, missing with aptitude
</p
>
2235 <blockquote
><p
>
2236 at-spi cpp-
4.3 finger gnome-spell gstreamer0.10-gnomevfs
2237 libatspi1.0-
0 libcupsys2 libeel2-data libgail-common libgdl-
1-common
2238 libgnomeprint2.2-data libgnomeprintui2.2-common libgnomevfs2-bin
2239 libgtksourceview-common libpt-
1.10.10-plugins-alsa
2240 libpt-
1.10.10-plugins-v4l libservlet2.4-java libxalan2-java
2241 libxerces2-java openoffice.org-writer2latex openssl-blacklist p7zip
2242 python-
4suite-xml python-eggtrayicon python-gtkhtml2
2243 python-gtkmozembed svgalibg1 xserver-xephyr zip
2244 </p
></blockquote
>
2246 <p
>Installed using apt-get, removed with aptitude
</p
>
2248 <blockquote
><p
>
2249 bluez-utils dhcdbd djvulibre-desktop epiphany-gecko
2250 gnome-app-install gnome-mount gnome-vfs-obexftp gnome-volume-manager
2251 libao2 libavahi-compat-libdnssd1 libavahi-core5 libbind9-
50
2252 libbluetooth2 libcamel1.2-
11 libcdio7 libcucul0 libcurl3
2253 libdirectfb-
1.0-
0 libdvdread3 libedata-cal1.2-
6 libedataserver1.2-
9
2254 libeel2-
2.20 libepc-
1.0-
1 libepc-ui-
1.0-
1 libexchange-storage1.2-
3
2255 libfaad0 libgd2-noxpm libgda3-
3 libgda3-common libggz2 libggzcore9
2256 libggzmod4 libgksu1.2-
0 libgksuui1.0-
1 libgmyth0 libgnome-desktop-
2
2257 libgnome-pilot2 libgnomecups1.0-
1 libgnomeprint2.2-
0
2258 libgnomeprintui2.2-
0 libgpod3 libgraphviz4 libgtkhtml2-
0
2259 libgtksourceview1.0-
0 libgucharmap6 libhesiod0 libicu38 libisccc50
2260 libisccfg50 libiw29 libkpathsea4 libltdl3 liblwres50 libmagick++
10
2261 libmagick10 libmalaga7 libmtp7 libmysqlclient15off libnautilus-burn4
2262 libneon27 libnm-glib0 libnm-util0 libopal-
2.2 libosp5
2263 libparted1.8-
10 libpisock9 libpisync1 libpoppler-glib3 libpoppler3
2264 libpt-
1.10.10 libraw1394-
8 libsensors3 libsmbios2 libsoup2.2-
8
2265 libssh2-
1 libsuitesparse-
3.1.0 libswfdec-
0.6-
90 libtalloc1
2266 libtotem-plparser10 libtrackerclient0 libvoikko1 libxalan2-java-gcj
2267 libxerces2-java-gcj libxklavier12 libxtrap6 libxxf86misc1 libzephyr3
2268 mysql-common swfdec-gnome totem-gstreamer wodim
2269 </p
></blockquote
>
2271 <p
>Installed using aptitude, missing with apt-get
</p
>
2273 <blockquote
><p
>
2274 gnome gnome-desktop-environment hamster-applet python-gnomeapplet
2275 python-gnomekeyring python-wnck rhythmbox-plugins xorg
2276 xserver-xorg-input-all xserver-xorg-input-evdev
2277 xserver-xorg-input-kbd xserver-xorg-input-mouse
2278 xserver-xorg-input-synaptics xserver-xorg-video-all
2279 xserver-xorg-video-apm xserver-xorg-video-ark xserver-xorg-video-ati
2280 xserver-xorg-video-chips xserver-xorg-video-cirrus
2281 xserver-xorg-video-dummy xserver-xorg-video-fbdev
2282 xserver-xorg-video-glint xserver-xorg-video-i128
2283 xserver-xorg-video-i740 xserver-xorg-video-mach64
2284 xserver-xorg-video-mga xserver-xorg-video-neomagic
2285 xserver-xorg-video-nouveau xserver-xorg-video-nv
2286 xserver-xorg-video-r128 xserver-xorg-video-radeon
2287 xserver-xorg-video-radeonhd xserver-xorg-video-rendition
2288 xserver-xorg-video-s3 xserver-xorg-video-s3virge
2289 xserver-xorg-video-savage xserver-xorg-video-siliconmotion
2290 xserver-xorg-video-sis xserver-xorg-video-sisusb
2291 xserver-xorg-video-tdfx xserver-xorg-video-tga
2292 xserver-xorg-video-trident xserver-xorg-video-tseng
2293 xserver-xorg-video-vesa xserver-xorg-video-vmware
2294 xserver-xorg-video-voodoo
2295 </p
></blockquote
>
2297 <p
>Installed using aptitude, removed with apt-get
</p
>
2299 <blockquote
><p
>
2300 deskbar-applet xserver-xorg xserver-xorg-core
2301 xserver-xorg-input-wacom xserver-xorg-video-intel
2302 xserver-xorg-video-openchrome
2303 </p
></blockquote
>
2305 <p
>I was told on IRC that the xorg-xserver package was
2306 <a href=
"http://git.debian.org/?p=pkg-xorg/xserver/xorg-server.git;a=commit;h=
9c8080d06c457932d3bfec021c69ac000aa60120
">changed
2307 in git
</a
> today to try to get apt-get to not remove xorg completely.
2308 No idea when it hits Squeeze, but when it does I hope it will reduce
2309 the difference somewhat.
2314 <title>jXplorer, a very nice LDAP GUI
</title>
2315 <link>http://people.skolelinux.org/pere/blog/jXplorer__a_very_nice_LDAP_GUI.html
</link>
2316 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/jXplorer__a_very_nice_LDAP_GUI.html
</guid>
2317 <pubDate>Fri,
9 Jul
2010 12:
55:
00 +
0200</pubDate>
2320 <a href=
"http://people.skolelinux.org/pere/blog/LUMA__a_very_nice_LDAP_GUI.html
">my
2321 last post
</a
> about available LDAP tools in Debian, I was told about a
2322 LDAP GUI that is even better than luma. The java application
2323 <a href=
"http://jxplorer.org/
">jXplorer
</a
> is claimed to be capable of
2324 moving LDAP objects and subtrees using drag-and-drop, and can
2325 authenticate using Kerberos. I have only tested the Kerberos
2326 authentication, but do not have a LDAP setup allowing me to rewrite
2327 LDAP with my test user yet. It is
2328 <a href=
"http://packages.qa.debian.org/j/jxplorer.html
">available in
2329 Debian
</a
> testing and unstable at the moment. The only problem I
2330 have with it is how it handle errors. If something go wrong, its
2331 non-intuitive behaviour require me to go through some query work list
2332 and remove the failing query. Nothing big, but very annoying.
</p
>
2337 <title>Idea for storing LTSP configuration in LDAP
</title>
2338 <link>http://people.skolelinux.org/pere/blog/Idea_for_storing_LTSP_configuration_in_LDAP.html
</link>
2339 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Idea_for_storing_LTSP_configuration_in_LDAP.html
</guid>
2340 <pubDate>Sun,
11 Jul
2010 22:
00:
00 +
0200</pubDate>
2342 <p
>Vagrant mentioned on IRC today that ltsp_config now support
2343 sourcing files from /usr/share/ltsp/ltsp_config.d/ on the thin
2344 clients, and that this can be used to fetch configuration from LDAP if
2345 Debian Edu choose to store configuration there.
</p
>
2347 <p
>Armed with this information, I got inspired and wrote a test module
2348 to get configuration from LDAP. The idea is to look up the MAC
2349 address of the client in LDAP, and look for attributes on the form
2350 ltspconfigsetting=value, and use this to export SETTING=value to the
2351 LTSP clients.
</p
>
2353 <p
>The goal is to be able to store the LTSP configuration attributes
2354 in a
"computer
" LDAP object used by both DNS and DHCP, and thus
2355 allowing us to store all information about a computer in one place.
</p
>
2357 <p
>This is a untested draft implementation, and I welcome feedback on
2358 this approach. A real LDAP schema for the ltspClientAux objectclass
2359 need to be written. Comments, suggestions, etc?
</p
>
2361 <blockquote
><pre
>
2362 # Store in /opt/ltsp/$arch/usr/share/ltsp/ltsp_config.d/ldap-config
2364 # Fetch LTSP client settings from LDAP based on MAC address
2366 # Uses ethernet address as stored in the dhcpHost objectclass using
2367 # the dhcpHWAddress attribute or ethernet address stored in the
2368 # ieee802Device objectclass with the macAddress attribute.
2370 # This module is written to be schema agnostic, and only depend on the
2371 # existence of attribute names.
2373 # The LTSP configuration variables are saved directly using a
2374 # ltspConfig prefix and uppercasing the rest of the attribute name.
2375 # To set the SERVER variable, set the ltspConfigServer attribute.
2377 # Some LDAP schema should be created with all the relevant
2378 # configuration settings. Something like this should work:
2380 # objectclass (
1.1.2.2 NAME
'ltspClientAux
'
2383 # MAY ( ltspConfigServer $ ltsConfigSound $ ... )
2385 LDAPSERVER=$(debian-edu-ldapserver)
2386 if [
"$LDAPSERVER
" ] ; then
2387 LDAPBASE=$(debian-edu-ldapserver -b)
2388 for MAC in $(LANG=C ifconfig |grep -i hwaddr| awk
'{print $
5}
'|sort -u) ; do
2389 filter=
"(|(dhcpHWAddress=ethernet $MAC)(macAddress=$MAC))
"
2390 ldapsearch -h
"$LDAPSERVER
" -b
"$LDAPBASE
" -v -x
"$filter
" | \
2391 grep
'^ltspConfig
' | while read attr value ; do
2392 # Remove prefix and convert to upper case
2393 attr=$(echo $attr | sed
's/^ltspConfig//i
' | tr a-z A-Z)
2394 # bass value on to clients
2395 eval
"$attr=$value; export $attr
"
2399 </pre
></blockquote
>
2401 <p
>I
'm not sure this shell construction will work, because I suspect
2402 the while block might end up in a subshell causing the variables set
2403 there to not show up in ltsp-config, but if that is the case I am sure
2404 the code can be restructured to make sure the variables are passed on.
2405 I expect that can be solved with some testing. :)
</p
>
2407 <p
>If you want to help out with implementing this for Debian Edu,
2408 please contact us on debian-edu@lists.debian.org.
</p
>
2410 <p
>Update
2010-
07-
17: I am aware of another effort to store LTSP
2411 configuration in LDAP that was created around year
2000 by
2412 <a href=
"http://www.pcxperience.com/thinclient/documentation/ldap.html
">PC
2413 Xperience, Inc.,
2000</a
>. I found its
2414 <a href=
"http://people.redhat.com/alikins/ltsp/ldap/
">files
</a
> on a
2415 personal home page over at redhat.com.
</p
>
2420 <title>Combining PowerDNS and ISC DHCP LDAP objects
</title>
2421 <link>http://people.skolelinux.org/pere/blog/Combining_PowerDNS_and_ISC_DHCP_LDAP_objects.html
</link>
2422 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Combining_PowerDNS_and_ISC_DHCP_LDAP_objects.html
</guid>
2423 <pubDate>Wed,
14 Jul
2010 23:
45:
00 +
0200</pubDate>
2425 <p
>For a while now, I have wanted to find a way to change the DNS and
2426 DHCP services in Debian Edu to use the same LDAP objects for a given
2427 computer, to avoid the possibility of having a inconsistent state for
2428 a computer in LDAP (as in DHCP but no DNS entry or the other way
2429 around) and make it easier to add computers to LDAP.
</p
>
2431 <p
>I
've looked at how powerdns and dhcpd is using LDAP, and using this
2432 information finally found a solution that seem to work.
</p
>
2434 <p
>The old setup required three LDAP objects for a given computer.
2435 One forward DNS entry, one reverse DNS entry and one DHCP entry. If
2436 we switch powerdns to use its strict LDAP method (ldap-method=strict
2437 in pdns-debian-edu.conf), the forward and reverse DNS entries are
2438 merged into one while making it impossible to transfer the reverse map
2439 to a slave DNS server.
</p
>
2441 <p
>If we also replace the object class used to get the DNS related
2442 attributes to one allowing these attributes to be combined with the
2443 dhcphost object class, we can merge the DNS and DHCP entries into one.
2444 I
've written such object class in the dnsdomainaux.schema file (need
2445 proper OIDs, but that is a minor issue), and tested the setup. It
2446 seem to work.
</p
>
2448 <p
>With this test setup in place, we can get away with one LDAP object
2449 for both DNS and DHCP, and even the LTSP configuration I suggested in
2450 an earlier email. The combined LDAP object will look something like
2453 <blockquote
><pre
>
2454 dn: cn=hostname,cn=group1,cn=THINCLIENTS,cn=DHCP Config,dc=skole,dc=skolelinux,dc=no
2456 objectClass: dhcphost
2457 objectclass: domainrelatedobject
2458 objectclass: dnsdomainaux
2459 associateddomain: hostname.intern
2460 arecord:
10.11.12.13
2461 dhcphwaddress: ethernet
00:
00:
00:
00:
00:
00
2462 dhcpstatements: fixed-address hostname
2464 </pre
></blockquote
>
2466 <p
>The DNS server uses the associateddomain and arecord entries, while
2467 the DHCP server uses the dhcphwaddress and dhcpstatements entries
2468 before asking DNS to resolve the fixed-adddress. LTSP will use
2469 dhcphwaddress or associateddomain and the ldapconfig* attributes.
</p
>
2471 <p
>I am not yet sure if I can get the DHCP server to look for its
2472 dhcphost in a different location, to allow us to put the objects
2473 outside the
"DHCP Config
" subtree, but hope to figure out a way to do
2474 that. If I can
't figure out a way to do that, we can still get rid of
2475 the hosts subtree and move all its content into the DHCP Config tree
2476 (which probably should be renamed to be more related to the new
2477 content. I suspect cn=dnsdhcp,ou=services or something like that
2478 might be a good place to put it.
</p
>
2480 <p
>If you want to help out with implementing this for Debian Edu,
2481 please contact us on debian-edu@lists.debian.org.
</p
>
2486 <title>What are they searching for - PowerDNS and ISC DHCP in LDAP
</title>
2487 <link>http://people.skolelinux.org/pere/blog/What_are_they_searching_for___PowerDNS_and_ISC_DHCP_in_LDAP.html
</link>
2488 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/What_are_they_searching_for___PowerDNS_and_ISC_DHCP_in_LDAP.html
</guid>
2489 <pubDate>Sat,
17 Jul
2010 21:
00:
00 +
0200</pubDate>
2492 <a href=
"http://people.skolelinux.org/pere/blog/Time_for_new__LDAP_schemas_replacing_RFC_2307_.html
">followup
</a
>
2494 <a href=
"http://people.skolelinux.org/pere/blog/Idea_for_a_change_to_LDAP_schemas_allowing_DNS_and_DHCP_info_to_be_combined_into_one_object.html
">previous
2496 <a href=
"http://people.skolelinux.org/pere/blog/Combining_PowerDNS_and_ISC_DHCP_LDAP_objects.html
">merging
2497 all
</a
> the computer related LDAP objects in Debian Edu.
</p
>
2499 <p
>As a step to try to see if it possible to merge the DNS and DHCP
2500 LDAP objects, I have had a look at how the packages pdns-backend-ldap
2501 and dhcp3-server-ldap in Debian use the LDAP server. The two
2502 implementations are quite different in how they use LDAP.
</p
>
2504 To get this information, I started slapd with debugging enabled and
2505 dumped the debug output to a file to get the LDAP searches performed
2506 on a Debian Edu main-server. Here is a summary.
2508 <p
><strong
>powerdns
</strong
></p
>
2510 <a href=
"http://www.linuxnetworks.de/doc/index.php/PowerDNS_LDAP_Backend
">Clues
2511 on how to
</a
> set up PowerDNS to use a LDAP backend is available on
2514 <p
>PowerDNS have two modes of operation using LDAP as its backend.
2515 One
"strict
" mode where the forward and reverse DNS lookups are done
2516 using the same LDAP objects, and a
"tree
" mode where the forward and
2517 reverse entries are in two different subtrees in LDAP with a structure
2518 based on the DNS names, as in tjener.intern and
2519 2.2.0.10.in-addr.arpa.
</p
>
2521 <p
>In tree mode, the server is set up to use a LDAP subtree as its
2522 base, and uses a
"base
" scoped search for the DNS name by adding
2523 "dc=tjener,dc=intern,
" to the base with a filter for
2524 "(associateddomain=tjener.intern)
" for the forward entry and
2525 "dc=
2,dc=
2,dc=
0,dc=
10,dc=in-addr,dc=arpa,
" with a filter for
2526 "(associateddomain=
2.2.0.10.in-addr.arpa)
" for the reverse entry. For
2527 forward entries, it is looking for attributes named dnsttl, arecord,
2528 nsrecord, cnamerecord, soarecord, ptrrecord, hinforecord, mxrecord,
2529 txtrecord, rprecord, afsdbrecord, keyrecord, aaaarecord, locrecord,
2530 srvrecord, naptrrecord, kxrecord, certrecord, dsrecord, sshfprecord,
2531 ipseckeyrecord, rrsigrecord, nsecrecord, dnskeyrecord, dhcidrecord,
2532 spfrecord and modifytimestamp. For reverse entries it is looking for
2533 the attributes dnsttl, arecord, nsrecord, cnamerecord, soarecord,
2534 ptrrecord, hinforecord, mxrecord, txtrecord, rprecord, aaaarecord,
2535 locrecord, srvrecord, naptrrecord and modifytimestamp. The equivalent
2536 ldapsearch commands could look like this:
</p
>
2538 <blockquote
><pre
>
2539 ldapsearch -h ldap \
2540 -b dc=tjener,dc=intern,ou=hosts,dc=skole,dc=skolelinux,dc=no \
2541 -s base -x
'(associateddomain=tjener.intern)
' dNSTTL aRecord nSRecord \
2542 cNAMERecord sOARecord pTRRecord hInfoRecord mXRecord tXTRecord \
2543 rPRecord aFSDBRecord KeyRecord aAAARecord lOCRecord sRVRecord \
2544 nAPTRRecord kXRecord certRecord dSRecord sSHFPRecord iPSecKeyRecord \
2545 rRSIGRecord nSECRecord dNSKeyRecord dHCIDRecord sPFRecord modifyTimestamp
2547 ldapsearch -h ldap \
2548 -b dc=
2,dc=
2,dc=
0,dc=
10,dc=in-addr,dc=arpa,ou=hosts,dc=skole,dc=skolelinux,dc=no \
2549 -s base -x
'(associateddomain=
2.2.0.10.in-addr.arpa)
'
2550 dnsttl, arecord, nsrecord, cnamerecord soarecord ptrrecord \
2551 hinforecord mxrecord txtrecord rprecord aaaarecord locrecord \
2552 srvrecord naptrrecord modifytimestamp
2553 </pre
></blockquote
>
2555 <p
>In Debian Edu/Lenny, the PowerDNS tree mode is used with
2556 ou=hosts,dc=skole,dc=skolelinux,dc=no as the base, and these are two
2557 example LDAP objects used there. In addition to these objects, the
2558 parent objects all th way up to ou=hosts,dc=skole,dc=skolelinux,dc=no
2559 also exist.
</p
>
2561 <blockquote
><pre
>
2562 dn: dc=tjener,dc=intern,ou=hosts,dc=skole,dc=skolelinux,dc=no
2564 objectclass: dnsdomain
2565 objectclass: domainrelatedobject
2568 associateddomain: tjener.intern
2570 dn: dc=
2,dc=
2,dc=
0,dc=
10,dc=in-addr,dc=arpa,ou=hosts,dc=skole,dc=skolelinux,dc=no
2572 objectclass: dnsdomain2
2573 objectclass: domainrelatedobject
2575 ptrrecord: tjener.intern
2576 associateddomain:
2.2.0.10.in-addr.arpa
2577 </pre
></blockquote
>
2579 <p
>In strict mode, the server behaves differently. When looking for
2580 forward DNS entries, it is doing a
"subtree
" scoped search with the
2581 same base as in the tree mode for a object with filter
2582 "(associateddomain=tjener.intern)
" and requests the attributes dnsttl,
2583 arecord, nsrecord, cnamerecord, soarecord, ptrrecord, hinforecord,
2584 mxrecord, txtrecord, rprecord, aaaarecord, locrecord, srvrecord,
2585 naptrrecord and modifytimestamp. For reverse entires it also do a
2586 subtree scoped search but this time the filter is
"(arecord=
10.0.2.2)
"
2587 and the requested attributes are associateddomain, dnsttl and
2588 modifytimestamp. In short, in strict mode the objects with ptrrecord
2589 go away, and the arecord attribute in the forward object is used
2592 <p
>The forward and reverse searches can be simulated using ldapsearch
2593 like this:
</p
>
2595 <blockquote
><pre
>
2596 ldapsearch -h ldap -b ou=hosts,dc=skole,dc=skolelinux,dc=no -s sub -x \
2597 '(associateddomain=tjener.intern)
' dNSTTL aRecord nSRecord \
2598 cNAMERecord sOARecord pTRRecord hInfoRecord mXRecord tXTRecord \
2599 rPRecord aFSDBRecord KeyRecord aAAARecord lOCRecord sRVRecord \
2600 nAPTRRecord kXRecord certRecord dSRecord sSHFPRecord iPSecKeyRecord \
2601 rRSIGRecord nSECRecord dNSKeyRecord dHCIDRecord sPFRecord modifyTimestamp
2603 ldapsearch -h ldap -b ou=hosts,dc=skole,dc=skolelinux,dc=no -s sub -x \
2604 '(arecord=
10.0.2.2)
' associateddomain dnsttl modifytimestamp
2605 </pre
></blockquote
>
2607 <p
>In addition to the forward and reverse searches , there is also a
2608 search for SOA records, which behave similar to the forward and
2609 reverse lookups.
</p
>
2611 <p
>A thing to note with the PowerDNS behaviour is that it do not
2612 specify any objectclass names, and instead look for the attributes it
2613 need to generate a DNS reply. This make it able to work with any
2614 objectclass that provide the needed attributes.
</p
>
2616 <p
>The attributes are normally provided in the cosine (RFC
1274) and
2617 dnsdomain2 schemas. The latter is used for reverse entries like
2618 ptrrecord and recent DNS additions like aaaarecord and srvrecord.
</p
>
2620 <p
>In Debian Edu, we have created DNS objects using the object classes
2621 dcobject (for dc), dnsdomain or dnsdomain2 (structural, for the DNS
2622 attributes) and domainrelatedobject (for associatedDomain). The use
2623 of structural object classes make it impossible to combine these
2624 classes with the object classes used by DHCP.
</p
>
2626 <p
>There are other schemas that could be used too, for example the
2627 dnszone structural object class used by Gosa and bind-sdb for the DNS
2628 attributes combined with the domainrelatedobject object class, but in
2629 this case some unused attributes would have to be included as well
2630 (zonename and relativedomainname).
</p
>
2632 <p
>My proposal for Debian Edu would be to switch PowerDNS to strict
2633 mode and not use any of the existing objectclasses (dnsdomain,
2634 dnsdomain2 and dnszone) when one want to combine the DNS information
2635 with DHCP information, and instead create a auxiliary object class
2636 defined something like this (using the attributes defined for
2637 dnsdomain and dnsdomain2 or dnszone):
</p
>
2639 <blockquote
><pre
>
2640 objectclass ( some-oid NAME
'dnsDomainAux
'
2643 MAY ( ARecord $ MDRecord $ MXRecord $ NSRecord $ SOARecord $ CNAMERecord $
2644 DNSTTL $ DNSClass $ PTRRecord $ HINFORecord $ MINFORecord $
2645 TXTRecord $ SIGRecord $ KEYRecord $ AAAARecord $ LOCRecord $
2646 NXTRecord $ SRVRecord $ NAPTRRecord $ KXRecord $ CERTRecord $
2647 A6Record $ DNAMERecord
2649 </pre
></blockquote
>
2651 <p
>This will allow any object to become a DNS entry when combined with
2652 the domainrelatedobject object class, and allow any entity to include
2653 all the attributes PowerDNS wants. I
've sent an email to the PowerDNS
2654 developers asking for their view on this schema and if they are
2655 interested in providing such schema with PowerDNS, and I hope my
2656 message will be accepted into their mailing list soon.
</p
>
2658 <p
><strong
>ISC dhcp
</strong
></p
>
2660 <p
>The DHCP server searches for specific objectclass and requests all
2661 the object attributes, and then uses the attributes it want. This
2662 make it harder to figure out exactly what attributes are used, but
2663 thanks to the working example in Debian Edu I can at least get an idea
2664 what is needed without having to read the source code.
</p
>
2666 <p
>In the DHCP server configuration, the LDAP base to use and the
2667 search filter to use to locate the correct dhcpServer entity is
2668 stored. These are the relevant entries from
2669 /etc/dhcp3/dhcpd.conf:
</p
>
2671 <blockquote
><pre
>
2672 ldap-base-dn
"dc=skole,dc=skolelinux,dc=no
";
2673 ldap-dhcp-server-cn
"dhcp
";
2674 </pre
></blockquote
>
2676 <p
>The DHCP server uses this information to nest all the DHCP
2677 configuration it need. The cn
"dhcp
" is located using the given LDAP
2678 base and the filter
"(
&(objectClass=dhcpServer)(cn=dhcp))
". The
2679 search result is this entry:
</p
>
2681 <blockquote
><pre
>
2682 dn: cn=dhcp,dc=skole,dc=skolelinux,dc=no
2685 objectClass: dhcpServer
2686 dhcpServiceDN: cn=DHCP Config,dc=skole,dc=skolelinux,dc=no
2687 </pre
></blockquote
>
2689 <p
>The content of the dhcpServiceDN attribute is next used to locate the
2690 subtree with DHCP configuration. The DHCP configuration subtree base
2691 is located using a base scope search with base
"cn=DHCP
2692 Config,dc=skole,dc=skolelinux,dc=no
" and filter
2693 "(
&(objectClass=dhcpService)(|(dhcpPrimaryDN=cn=dhcp,dc=skole,dc=skolelinux,dc=no)(dhcpSecondaryDN=cn=dhcp,dc=skole,dc=skolelinux,dc=no)))
".
2694 The search result is this entry:
</p
>
2696 <blockquote
><pre
>
2697 dn: cn=DHCP Config,dc=skole,dc=skolelinux,dc=no
2700 objectClass: dhcpService
2701 objectClass: dhcpOptions
2702 dhcpPrimaryDN: cn=dhcp, dc=skole,dc=skolelinux,dc=no
2703 dhcpStatements: ddns-update-style none
2704 dhcpStatements: authoritative
2705 dhcpOption: smtp-server code
69 = array of ip-address
2706 dhcpOption: www-server code
72 = array of ip-address
2707 dhcpOption: wpad-url code
252 = text
2708 </pre
></blockquote
>
2710 <p
>Next, the entire subtree is processed, one level at the time. When
2711 all the DHCP configuration is loaded, it is ready to receive requests.
2712 The subtree in Debian Edu contain objects with object classes
2713 top/dhcpService/dhcpOptions, top/dhcpSharedNetwork/dhcpOptions,
2714 top/dhcpSubnet, top/dhcpGroup and top/dhcpHost. These provide options
2715 and information about netmasks, dynamic range etc. Leaving out the
2716 details here because it is not relevant for the focus of my
2717 investigation, which is to see if it is possible to merge dns and dhcp
2718 related computer objects.
</p
>
2720 <p
>When a DHCP request come in, LDAP is searched for the MAC address
2721 of the client (
00:
00:
00:
00:
00:
00 in this example), using a subtree
2722 scoped search with
"cn=DHCP Config,dc=skole,dc=skolelinux,dc=no
" as
2723 the base and
"(
&(objectClass=dhcpHost)(dhcpHWAddress=ethernet
2724 00:
00:
00:
00:
00:
00))
" as the filter. This is what a host object look
2727 <blockquote
><pre
>
2728 dn: cn=hostname,cn=group1,cn=THINCLIENTS,cn=DHCP Config,dc=skole,dc=skolelinux,dc=no
2731 objectClass: dhcpHost
2732 dhcpHWAddress: ethernet
00:
00:
00:
00:
00:
00
2733 dhcpStatements: fixed-address hostname
2734 </pre
></blockquote
>
2736 <p
>There is less flexiblity in the way LDAP searches are done here.
2737 The object classes need to have fixed names, and the configuration
2738 need to be stored in a fairly specific LDAP structure. On the
2739 positive side, the invidiual dhcpHost entires can be anywhere without
2740 the DN pointed to by the dhcpServer entries. The latter should make
2741 it possible to group all host entries in a subtree next to the
2742 configuration entries, and this subtree can also be shared with the
2743 DNS server if the schema proposed above is combined with the dhcpHost
2744 structural object class.
2746 <p
><strong
>Conclusion
</strong
></p
>
2748 <p
>The PowerDNS implementation seem to be very flexible when it come
2749 to which LDAP schemas to use. While its
"tree
" mode is rigid when it
2750 come to the the LDAP structure, the
"strict
" mode is very flexible,
2751 allowing DNS objects to be stored anywhere under the base cn specified
2752 in the configuration.
</p
>
2754 <p
>The DHCP implementation on the other hand is very inflexible, both
2755 regarding which LDAP schemas to use and which LDAP structure to use.
2756 I guess one could implement ones own schema, as long as the
2757 objectclasses and attributes have the names used, but this do not
2758 really help when the DHCP subtree need to have a fairly fixed
2759 structure.
</p
>
2761 <p
>Based on the observed behaviour, I suspect a LDAP structure like
2762 this might work for Debian Edu:
</p
>
2764 <blockquote
><pre
>
2766 cn=machine-info (dhcpService) - dhcpServiceDN points here
2767 cn=dhcp (dhcpServer)
2768 cn=dhcp-internal (dhcpSharedNetwork/dhcpOptions)
2769 cn=
10.0.2.0 (dhcpSubnet)
2770 cn=group1 (dhcpGroup/dhcpOptions)
2771 cn=dhcp-thinclients (dhcpSharedNetwork/dhcpOptions)
2772 cn=
192.168.0.0 (dhcpSubnet)
2773 cn=group1 (dhcpGroup/dhcpOptions)
2774 ou=machines - PowerDNS base points here
2775 cn=hostname (dhcpHost/domainrelatedobject/dnsDomainAux)
2776 </pre
></blockquote
>
2778 <P
>This is not tested yet. If the DHCP server require the dhcpHost
2779 entries to be in the dhcpGroup subtrees, the entries can be stored
2780 there instead of a common machines subtree, and the PowerDNS base
2781 would have to be moved one level up to the machine-info subtree.
</p
>
2783 <p
>The combined object under the machines subtree would look something
2784 like this:
</p
>
2786 <blockquote
><pre
>
2787 dn: dc=hostname,ou=machines,cn=machine-info,dc=skole,dc=skolelinux,dc=no
2790 objectClass: dhcpHost
2791 objectclass: domainrelatedobject
2792 objectclass: dnsDomainAux
2793 associateddomain: hostname.intern
2794 arecord:
10.11.12.13
2795 dhcpHWAddress: ethernet
00:
00:
00:
00:
00:
00
2796 dhcpStatements: fixed-address hostname.intern
2797 </pre
></blockquote
>
2799 </p
>One could even add the LTSP configuration associated with a given
2800 machine, as long as the required attributes are available in a
2801 auxiliary object class.
</p
>
2806 <title>OpenStreetmap one step closer to having routing on its front page
</title>
2807 <link>http://people.skolelinux.org/pere/blog/OpenStreetmap_one_step_closer_to_having_routing_on_its_front_page.html
</link>
2808 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/OpenStreetmap_one_step_closer_to_having_routing_on_its_front_page.html
</guid>
2809 <pubDate>Sun,
18 Jul
2010 16:
45:
00 +
0200</pubDate>
2812 <a href=
"http://feedproxy.google.com/~r/Opengeodata/~
3/wUTCzDZk3lc/project-of-the-week-which-way-home
">todays
2813 opengeodata blog entry
</a
>, I just discovered that the
2814 OpenStreetmap.org site have gotten
2815 <a href=
"http://nroets.dev.openstreetmap.org/demo/index.html?layers=B000FTFTT
">support
2816 for calculating routes
</a
>. The support is still experimental and
2817 only available from the development server, until more experience is
2818 gathered on the user interface and any scalability issues.
</p
>
2820 <p
>Earlier, the routing I knew about using the OpenStreetmap.org data
2821 was provided by
<a href=
"http://maps.cloudmade.com/
">Cloudmade
</a
>,
2822 but having it on the main page is required to make everyone aware of
2823 the issue. I
've had people reject Openstreetmap.org as a viable
2824 alternative for them because the front page lacked routing support,
2825 and I hope their needs will be catered for when routing show up on the
2826 www.openstreetmap.org front page.
</p
>
2831 <title>One step closer to single signon in Debian Edu
</title>
2832 <link>http://people.skolelinux.org/pere/blog/One_step_closer_to_single_signon_in_Debian_Edu.html
</link>
2833 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/One_step_closer_to_single_signon_in_Debian_Edu.html
</guid>
2834 <pubDate>Sun,
25 Jul
2010 10:
00:
00 +
0200</pubDate>
2836 <p
>The last few months me and the other Debian Edu developers have
2837 been working hard to get the Debian/Squeeze based version of Debian
2838 Edu/Skolelinux into shape. This future version will use Kerberos for
2839 authentication, and services are slowly migrated to single signon,
2840 getting rid of password questions one at the time.
</p
>
2842 <p
>It will also feature a roaming workstation profile with local home
2843 directory, for laptops that are only some times on the Skolelinux
2844 network, and for this profile a shortcut is created in Gnome and KDE
2845 to gain access to the users home directory on the file server. This
2846 shortcut uses SMB at the moment, and yesterday I had time to test if
2847 SMB mounting had started working in KDE after we added the cifs-utils
2848 package. I was pleasantly surprised how well it worked.
</p
>
2850 <p
>Thanks to the recent changes to our samba configuration to get it
2851 to use Kerberos for authentication, there were no question about user
2852 password when mounting the SMB volume. A simple click on the shortcut
2853 in the KDE menu, and a window with the home directory popped
2856 <p
>One step closer to a single signon solution out of the box in
2857 Debian Edu. We already had PAM, LDAP, IMAP and SMTP in place, and now
2858 also Samba. Next step is Cups and hopefully also NFS.
</p
>
2860 <p
>We had planned a alpha0 release of Debian Edu for today, but thanks
2861 to the autobuilder administrators for some architectures being slow to
2862 sign packages, we are still missing the fixed LTSP package we need for
2863 the release. It was uploaded three days ago with urgency=high, and if
2864 it had entered testing yesterday we would have been able to test it in
2865 time for a alpha0 release today. As the binaries for ia64 and powerpc
2866 still not uploaded to the Debian archive, we need to delay the alpha
2867 release another day.
</p
>
2869 <p
>If you want to help out with implementing Kerberos for Debian Edu,
2870 please contact us on debian-edu@lists.debian.org.
</p
>
2875 <title>First Debian Edu test release (alpha0) based on Squeeze is released
</title>
2876 <link>http://people.skolelinux.org/pere/blog/First_Debian_Edu_test_release__alpha0__based_on_Squeeze_is_released.html
</link>
2877 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/First_Debian_Edu_test_release__alpha0__based_on_Squeeze_is_released.html
</guid>
2878 <pubDate>Tue,
27 Jul
2010 17:
45:
00 +
0200</pubDate>
2880 <p
>I just posted this announcement culminating several months of work
2881 with the next Debian Edu release. Not nearly done, but one major step
2882 completed.
</p
>
2885 <p
>This is the first test release based on Squeeze. The focus of this
2886 release is to test the user application selection. To have a look,
2887 install the standalone profile and let the developers know if the set
2888 of installed packages i.e. applications should be modified. If some
2889 user application is missing, or if there are some applications that no
2890 longer make sense to be included in Debian Edu, please let us know.
2891 Also, if a useful application is missing the translation for your
2892 language of choice, please let us know too.
</p
>
2894 <p
>In addition, feedback and help to polish the desktop (menus,
2895 artwork, starters, etc.) is appreciated. We would like to ship a nice
2896 and handy KDE4 desktop targeted for schools out of the box.
</p
>
2898 <p
>The other profiles should be installable, but there is a lot more
2899 work left to be done before they are ready, so do not expect to
2902 <p
>Changes compared to the lenny based version
</p
>
2905 <li
>Everything from Debian Squeeze
2907 <li
>Desktop environment KDE
4.4 =
> the new KDE desktop in
2908 combination with some new artwork
2909 <li
>Web browser Iceweasel
3.5
2910 <li
>OpenOffice.org
3.2
2911 <li
>Educational toolbox GCompris
9.3
2912 <li
>Music creator Rosegarden
10.04.2
2913 <li
>Image editor Gimp
2.6.10
2914 <li
>Virtual universe Celestia
1.6.0
2915 <li
>Virtual stargazer Stellarium
0.10.4
2916 <li
>3D modeler Blender
2.49.2 (new application)
2917 <li
>Video editor Kdenlive
0.7.7 (new application)
2918 </ul
></li
>
2919 <li
>Now using Kerberos for password checking (migration not finished).
2925 <li
>SMTP (sender verification)
2928 <li
>New experimental roaming workstation profile for laptops.
</li
>
2929 <li
>Show welcome page to users when they first log in. The URL is
2930 fetched from LDAP.
</li
>
2931 <li
>New LXDE desktop option, in addition to KDE (default) and Gnome.
</li
>
2932 <li
>General cleanup (not finished)
</li
>
2934 <p
>The following features are not working as they should
</p
>
2937 <li
>No web based administration tool for creating users and groups. The
2938 scripts ldap-createuser-krb and ldap-add-user-to-group can be used
2939 for testing.
</li
>
2940 <li
>DVD installs are missing debian-installer images for the PXE boot,
2941 and do not set up the PXE menu on eth0 because of this. LTSP
2942 clients should still boot from eth1 on thin client servers.
</li
>
2943 <li
>The restructured KDE menu is not implemented.
</li
>
2944 <li
>The LDAP server setup need to be reviewed for security.
</li
>
2945 <li
>The LDAP directory structure need to be reworked.
</li
>
2946 <li
>Different sets of packages are installed when using the DVD and the
2947 netinst CD. More packages are installed using the netinst CD.
</li
>
2948 <li
>The jackd package fail to install. This is believed to be caused by
2949 some ongoing transition, and hopefully should be solved soon. The
2950 jackd1 package can be installed manually for those that need it.
</li
>
2951 <li
>Some packages lack translations. See
2952 http://wiki.debian.org/DebianEdu/Status/Squeeze for updated status,
2953 and help out with translations.
</li
>
2956 <p
>To download this multiarch netinstall release you can use
</p
>
2959 <li
><a href=
"ftp://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-
6.0.0+edua0-CD.iso
">ftp://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-
6.0.0+edua0-CD.iso
</a
></li
>
2960 <li
><a href=
"http://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-
6.0.0+edua0-CD.iso
">http://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-
6.0.0+edua0-CD.iso
</a
></li
>
2961 <li
>rsync -avzP ftp.skolelinux.org::skolelinux-cd/squeeze-alpha/debian-edu-
6.0.0+edua0-CD.iso
</li
>
2963 <p
>To download this multiarch dvd release you can use
</p
>
2966 <li
><a href=
"ftp://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-
6.0.0+edua0-DVD.iso
">ftp://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-
6.0.0+edua0-DVD.iso
</a
></li
>
2967 <li
><a href=
"http://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-
6.0.0+edua0-DVD.iso
">http://ftp.skolelinux.org/skolelinux-cd/squeeze-alpha/debian-edu-
6.0.0+edua0-DVD.iso
</a
></li
>
2968 <li
>rsync -avzP ftp.skolelinux.org::skolelinux-cd/squeeze-alpha/debian-edu-
6.0.0+edua0-DVD.iso
</li
>
2971 <p
>There is no source DVD available yet. It will be prepared when we
2972 get closer to the final release.
</p
>
2974 <p
>The MD5SUM of these images are
</p
>
2977 <li
>3dbf45d59f42a53518b6e3c9ec3b5eb6 debian-edu-
6.0.0+edua0-CD.iso
</li
>
2978 <li
>22f2cbfce281d1c6e478be452638675d debian-edu-
6.0.0+edua0-DVD.iso
</li
>
2981 <p
>The SHA1SUM of these images are
</p
>
2983 <li
>c53d1b69b40cf37cd27aefaf33f6f6a3821bedf0 debian-edu-
6.0.0+edua0-CD.iso
</li
>
2984 <li
>2ec29d7db676d59d32197b05c277ffe16348376c debian-edu-
6.0.0+edua0-DVD.iso
</li
>
2986 <p
>How to report bugs:
2987 http://wiki.debian.org/DebianEdu/HowTo/ReportBugsInBugzilla
</p
>
2989 <p
>Please direct replies to debian-edu@lists.debian.org
</p
>
2995 <title>Circular package dependencies harms apt recovery
</title>
2996 <link>http://people.skolelinux.org/pere/blog/Circular_package_dependencies_harms_apt_recovery.html
</link>
2997 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Circular_package_dependencies_harms_apt_recovery.html
</guid>
2998 <pubDate>Tue,
27 Jul
2010 23:
50:
00 +
0200</pubDate>
3000 <p
>I discovered this while doing
3001 <a href=
"http://people.skolelinux.org/pere/blog/Automatic_upgrade_testing_from_Lenny_to_Squeeze.html
">automated
3002 testing of upgrades from Debian Lenny to Squeeze
</a
>. A few packages
3003 in Debian still got circular dependencies, and it is often claimed
3004 that apt and aptitude should be able to handle this just fine, but
3005 some times these dependency loops causes apt to fail.
</p
>
3007 <p
>An example is from todays
3008 <a href=
"http://people.skolelinux.org/~pere/debian-upgrade-testing//test-
20100727-lenny-squeeze-kde-aptitude.txt
">upgrade
3009 of KDE using aptitude
</a
>. In it, a bug in kdebase-workspace-data
3010 causes perl-modules to fail to upgrade. The cause is simple. If a
3011 package fail to unpack, then only part of packages with the circular
3012 dependency might end up being unpacked when unpacking aborts, and the
3013 ones already unpacked will fail to configure in the recovery phase
3014 because its dependencies are unavailable.
</p
>
3016 <p
>In this log, the problem manifest itself with this error:
</p
>
3018 <blockquote
><pre
>
3019 dpkg: dependency problems prevent configuration of perl-modules:
3020 perl-modules depends on perl (
>=
5.10.1-
1); however:
3021 Version of perl on system is
5.10.0-
19lenny
2.
3022 dpkg: error processing perl-modules (--configure):
3023 dependency problems - leaving unconfigured
3024 </pre
></blockquote
>
3026 <p
>The perl/perl-modules circular dependency is already
3027 <a href=
"http://bugs.debian.org/
527917">reported as a bug
</a
>, and will
3028 hopefully be solved as soon as possible, but it is not the only one,
3029 and each one of these loops in the dependency tree can cause similar
3030 failures. Of course, they only occur when there are bugs in other
3031 packages causing the unpacking to fail, but it is rather nasty when
3032 the failure of one package causes the problem to become worse because
3033 of dependency loops.
</p
>
3036 <a href=
"http://lists.debian.org/debian-devel/
2010/
06/msg00116.html
">the
3037 tireless effort by Bill Allombert
</a
>, the number of circular
3039 <a href=
"http://debian.semistable.com/debgraph.out.html
">left in Debian
3040 is dropping
</a
>, and perhaps it will reach zero one day. :)
</p
>
3042 <p
>Todays testing also exposed a bug in
3043 <a href=
"http://bugs.debian.org/
590605">update-notifier
</a
> and
3044 <a href=
"http://bugs.debian.org/
590604">different behaviour
</a
> between
3045 apt-get and aptitude, the latter possibly caused by some circular
3046 dependency. Reported both to BTS to try to get someone to look at
3052 <title>Debian Edu roaming workstation - at the university of Oslo
</title>
3053 <link>http://people.skolelinux.org/pere/blog/Debian_Edu_roaming_workstation___at_the_university_of_Oslo.html
</link>
3054 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Debian_Edu_roaming_workstation___at_the_university_of_Oslo.html
</guid>
3055 <pubDate>Tue,
3 Aug
2010 23:
30:
00 +
0200</pubDate>
3057 <p
>The new roaming workstation profile in Debian Edu/Squeeze is fairly
3058 similar to the laptop setup am I working on using Ubuntu for the
3059 University of Oslo, and just for the heck of it, I tested today how
3060 hard it would be to integrate that profile into the university
3061 infrastructure. In this case, it is the university LDAP server,
3062 Active Directory Kerberos server and SMB mounting from the Netapp file
3065 <p
>I was pleasantly surprised that the only three files needed to be
3066 changed (/etc/sssd/sssd.conf, /etc/ldap.conf and
3067 /etc/mklocaluser.d/
20-debian-edu-config) and one file had to be added
3068 (/usr/share/perl5/Debian/Edu_Local.pm), to get the client working.
3069 Most of the changes were to get the client to use the university LDAP
3070 for NSS and Kerberos server for PAM, but one was to change a hard
3071 coded DNS domain name in the mklocaluser hook from .intern to
3074 <p
>This testing was so encouraging, that I went ahead and adjusted the
3075 Debian Edu scripts and setup in subversion to centralise the roaming
3076 workstation setup a bit more and avoid the hardcoded DNS domain name,
3077 so that when I test this tomorrow, I expect to get away with modifying
3078 only /etc/sssd/sssd.conf and /etc/ldap.conf to get it to use the
3079 university servers.
</p
>
3081 <p
>My goal is to get the clients to have no hardcoded settings and
3082 fetch all their initial setup during installation and first boot, to
3083 allow them to be inserted also into environments where the default
3084 setup in Debian Edu has been changed or as with the university, where
3085 the environment is different but provides the protocols Debian Edu
3091 <title>Autodetecting Client setup for roaming workstations in Debian Edu
</title>
3092 <link>http://people.skolelinux.org/pere/blog/Autodetecting_Client_setup_for_roaming_workstations_in_Debian_Edu.html
</link>
3093 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Autodetecting_Client_setup_for_roaming_workstations_in_Debian_Edu.html
</guid>
3094 <pubDate>Sat,
7 Aug
2010 14:
45:
00 +
0200</pubDate>
3096 <p
>A few days ago, I
3097 <a href=
"http://people.skolelinux.org/pere/blog/Debian_Edu_roaming_workstation___at_the_university_of_Oslo.html
">tried
3098 to install
</a
> a Roaming workation profile from Debian Edu/Squeeze
3099 while on the university network here at the University of Oslo, and
3100 noticed how much had to change to get it operational using the
3101 university infrastructure. It was fairly easy, but it occured to me
3102 that Debian Edu would improve a lot if I could get the client to
3103 connect without any changes at all, and thus let the client configure
3104 itself during installation and first boot to use the infrastructure
3105 around it. Now I am a huge step further along that road.
</p
>
3107 <p
>With our current squeeze-test packages, I can select the roaming
3108 workstation profile and get a working laptop connecting to the
3109 university LDAP server for user and group and our active directory
3110 servers for Kerberos authentication. All this without any
3111 configuration at all during installation. My users home directory got
3112 a bookmark in the KDE menu to mount it via SMB, with the correct URL.
3113 In short, openldap and sssd is correctly configured. In addition to
3114 this, the client look for http://wpad/wpad.dat to configure a web
3115 proxy, and when it fail to find it no proxy settings are stored in
3116 /etc/environment and /etc/apt/apt.conf. Iceweasel and KDE is
3117 configured to look for the same wpad configuration and also do not use
3118 a proxy when at the university network. If the machine is moved to a
3119 network with such wpad setup, it would automatically use it when DHCP
3120 gave it a IP address.
</p
>
3122 <p
>The LDAP server is located using DNS, by first looking for the DNS
3123 entry ldap.$domain. If this do not exist, it look for the
3124 _ldap._tcp.$domain SRV records and use the first one as the LDAP
3125 server. Next, it connects to the LDAP server and search all
3126 namingContexts entries for posixAccount or posixGroup objects, and
3127 pick the first one as the LDAP base. For Kerberos, a similar
3128 algorithm is used to locate the LDAP server, and the realm is the
3129 uppercase version of $domain.
</p
>
3131 <p
>So, what is not working, you might ask. SMB mounting my home
3132 directory do not work. No idea why, but suspected the incorrect
3133 Kerberos settings in /etc/krb5.conf and /etc/samba/smb.conf might be
3134 the cause. These are not properly configured during installation, and
3135 had to be hand-edited to get the correct Kerberos realm and server,
3136 but SMB mounting still do not work. :(
</p
>
3138 <p
>With this automatic configuration in place, I expect a Debian Edu
3139 roaming profile installation would be able to automatically detect and
3140 connect to any site using LDAP and Kerberos for NSS directory and PAM
3141 authentication. It should also work out of the box in a Active
3142 Directory environment providing posixAccount and posixGroup objects
3143 with UID and GID values.
</p
>
3145 <p
>If you want to help out with implementing these things for Debian
3146 Edu, please contact us on debian-edu@lists.debian.org.
</p
>
3151 <title>Testing if a file system can be used for home directories...
</title>
3152 <link>http://people.skolelinux.org/pere/blog/Testing_if_a_file_system_can_be_used_for_home_directories___.html
</link>
3153 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Testing_if_a_file_system_can_be_used_for_home_directories___.html
</guid>
3154 <pubDate>Sun,
8 Aug
2010 21:
20:
00 +
0200</pubDate>
3156 <p
>A few years ago, I was involved in a project planning to use
3157 Windows file servers as home directory servers for Debian
3158 Edu/Skolelinux machines. This was thought to be no problem, as the
3159 access would be through the SMB network file system protocol, and we
3160 knew other sites used SMB with unix and samba as the file server to
3161 mount home directories without any problems. But, after months of
3162 struggling, we had to conclude that our goal was impossible.
</p
>
3164 <p
>The reason is simply that while SMB can be used for home
3165 directories when the file server is Samba running on Unix, this only
3166 work because of Samba have some extensions and the fact that the
3167 underlying file system is a unix file system. When using a Windows
3168 file server, the underlying file system do not have POSIX semantics,
3169 and several programs will fail if the users home directory where they
3170 want to store their configuration lack POSIX semantics.
</p
>
3172 <p
>As part of this work, I wrote a small C program I want to share
3173 with you all, to replicate a few of the problematic applications (like
3174 OpenOffice.org and GCompris) and see if the file system was working as
3175 it should. If you find yourself in spooky file system land, it might
3176 help you find your way out again. This is the fs-test.c source:
</p
>
3180 * Some tests to check the file system sematics. Used to verify that
3181 * CIFS from a windows server do not work properly as a linux home
3183 * License: GPL v2 or later
3185 * needs libsqlite3-dev and build-essential installed
3186 * compile with: gcc -Wall -lsqlite3 -DTEST_SQLITE fs-test.c -o fs-test
3189 #define _FILE_OFFSET_BITS
64
3190 #define _LARGEFILE_SOURCE
1
3191 #define _LARGEFILE64_SOURCE
1
3193 #define _GNU_SOURCE /* for asprintf() */
3195 #include
&lt;errno.h
>
3196 #include
&lt;fcntl.h
>
3197 #include
&lt;stdio.h
>
3198 #include
&lt;string.h
>
3199 #include
&lt;stdlib.h
>
3200 #include
&lt;sys/file.h
>
3201 #include
&lt;sys/stat.h
>
3202 #include
&lt;sys/types.h
>
3203 #include
&lt;unistd.h
>
3207 * Test sqlite open, as done by gcompris require the libsqlite3-dev
3208 * package and linking with -lsqlite3. A more low level test is
3210 * See also
&lt;URL: http://www.sqlite.org./faq.html#q5
>.
3212 #include
&lt;sqlite3.h
>
3213 #define CREATE_TABLE_USERS \
3214 "CREATE TABLE users (user_id INT UNIQUE, login TEXT, lastname TEXT, firstname TEXT, birthdate TEXT, class_id INT );
"
3215 int test_sqlite_open(void) {
3217 char *name =
"testsqlite.db
";
3220 int rc = sqlite3_open(name,
&db);
3222 printf(
"error: sqlite open of %s failed: %s\n
", name, sqlite3_errmsg(db));
3228 rc = sqlite3_exec(db,CREATE_TABLE_USERS, NULL,
0,
&zErrMsg);
3229 if( rc != SQLITE_OK ){
3230 printf(
"error: sqlite table create failed: %s\n
", zErrMsg);
3234 printf(
"info: sqlite worked\n
");
3238 #endif /* TEST_SQLITE */
3241 * Demonstrate locking issue found in gcompris using sqlite3. This
3242 * work with ext3, but not with cifs server on Windows
2003. This is
3243 * done in the sqlite3 library.
3245 *
&lt;URL:http://www.cygwin.com/ml/cygwin/
2001-
08/msg00854.html
> and the
3246 * POSIX specification
3247 *
&lt;URL:http://www.opengroup.org/onlinepubs/
009695399/functions/fcntl.html
>.
3249 int test_gcompris_locking(void) {
3251 char *name =
"testsqlite.db
";
3253 int fd = open(name, O_RDWR|O_CREAT|O_LARGEFILE,
0644);
3254 printf(
"info: testing fcntl locking\n
");
3256 fl.l_whence = SEEK_SET;
3257 fl.l_pid = getpid();
3258 printf(
" Read-locking
1 byte from
1073741824");
3259 fl.l_start =
1073741824;
3261 fl.l_type = F_RDLCK;
3262 if (
0 != fcntl(fd, F_SETLK,
&fl) ) printf(
" - error!\n
"); else printf(
"\n
");
3264 printf(
" Read-locking
510 byte from
1073741826");
3265 fl.l_start =
1073741826;
3267 fl.l_type = F_RDLCK;
3268 if (
0 != fcntl(fd, F_SETLK,
&fl) ) printf(
" - error!\n
"); else printf(
"\n
");
3270 printf(
" Unlocking
1 byte from
1073741824");
3271 fl.l_start =
1073741824;
3273 fl.l_type = F_UNLCK;
3274 if (
0 != fcntl(fd, F_SETLK,
&fl) ) printf(
" - error!\n
"); else printf(
"\n
");
3276 printf(
" Write-locking
1 byte from
1073741824");
3277 fl.l_start =
1073741824;
3279 fl.l_type = F_WRLCK;
3280 if (
0 != fcntl(fd, F_SETLK,
&fl) ) printf(
" - error!\n
"); else printf(
"\n
");
3282 printf(
" Write-locking
510 byte from
1073741826");
3283 fl.l_start =
1073741826;
3285 if (
0 != fcntl(fd, F_SETLK,
&fl) ) printf(
" - error!\n
"); else printf(
"\n
");
3287 printf(
" Unlocking
2 byte from
1073741824");
3288 fl.l_start =
1073741824;
3290 fl.l_type = F_UNLCK;
3291 if (
0 != fcntl(fd, F_SETLK,
&fl) ) printf(
" - error!\n
"); else printf(
"\n
");
3298 * Test if permissions of freshly created directories allow entries
3299 * below them. This was a problem with OpenOffice.org and gcompris.
3300 * Mounting with option
'sync
' seem to solve this problem while
3301 * slowing down file operations.
3303 int test_subdirectory_creation(void) {
3305 char *path = strdup(
"test
");
3308 printf(
"info: testing subdirectory creation\n
");
3309 for (level =
0; level
&lt; LEVELS; level++) {
3310 char *newpath = NULL;
3311 if (-
1 == mkdir(path,
0777)) {
3312 printf(
" error: Unable to create directory
'%s
': %s\n
",
3313 path, strerror(errno));
3316 asprintf(
&newpath,
"%s/%s
", path,
"test
");
3324 * Test if symlinks can be created. This was a problem detected with
3327 int test_symlinks(void) {
3328 printf(
"info: testing symlink creation\n
");
3329 unlink(
"symlink
");
3330 if (-
1 == symlink(
"file
",
"symlink
"))
3331 printf(
" error: Unable to create symlink\n
");
3335 int main(int argc, char **argv) {
3336 printf(
"Testing POSIX/Unix sematics on file system\n
");
3338 test_subdirectory_creation();
3341 #endif /* TEST_SQLITE */
3342 test_gcompris_locking();
3347 <p
>When everything is working, it should print something like
3351 Testing POSIX/Unix sematics on file system
3352 info: testing symlink creation
3353 info: testing subdirectory creation
3355 info: testing fcntl locking
3356 Read-locking
1 byte from
1073741824
3357 Read-locking
510 byte from
1073741826
3358 Unlocking
1 byte from
1073741824
3359 Write-locking
1 byte from
1073741824
3360 Write-locking
510 byte from
1073741826
3361 Unlocking
2 byte from
1073741824
3364 <p
>I do not remember the exact details of the problems we saw, but one
3365 of them was with locking, where if I remember correctly, POSIX allow a
3366 read-only lock to be upgraded to a read-write lock without unlocking
3367 the read-only lock (while Windows do not). Another was a bug in the
3368 CIFS/SMB client implementation in the Linux kernel where directory
3369 meta information would be wrong for a fraction of a second, making
3370 OpenOffice.org fail to create its deep directory tree because it was
3371 not allowed to create files in its freshly created directory.
</p
>
3373 <p
>Anyway, here is a nice tool for your tool box, might you never need
projects / homepage.git / blob