2008 Meeting Minutes

Live forum: /viewtopic.php?t=228

waveclaw

08-02-2008 10:11:52

Sorry guys and gals. I am sick and unable to make the first meeting of the year.

If anybody has any notes from the meeting, feel free to post them.

dhbarr

08-02-2008 14:28:17

I only had my BlackJack on me and I found the appropriate building entrance a bit late -- my notes are therefore somewhat limited.

voip-info.org - mfr. info.
888voipstore.com - good source
grandstream - decent brand

the-asterisk-book.com/unstable
packetpub.com/asterisk/book

/etc/asterisk/
extensions.conf
sip.conf
voicemail.conf

fxo - talks to telco / pstn
fxs - talks to handsets

wifi routers with USB connectors & external antennas can imply beefier cpu, more i/o options, external storage, etc.
HTH,
-dhbarr.

waveclaw

06-03-2008 18:55:17

Intro topic: stunt config

Video Cards and Dual Monitors. Some stunt config of Robert's new IBM laptop which doesn't want to set the resolution on the big monitor and his laptop screen well.

nVidia vs. ATI discussion. 8860 GTS and later have much better support under Linux. Note that nVidia twinview is needed for dual monitors. Xinerama still doesn't work correctly.

Gnome terminal does not work with Xinerama. Xterm still does. Compiz also has issues (resolutions, etc.)

Advanced Topic: Q&A

This will be all over the board.

Q: Should Ubuntu move from 6 month releases to yearly?

Redhat and Ubuntu appear to be in a race. Both release every 6 months.

- desktop: 3 years long-term support
- server: 5 years long-term support
- 6.06 is the last LTS
- 8.10 is the next LTS

If you do a server install then do an 'apt-get install ubuntu-desktop' you will get conflicting network management systems installed:

- server uses traditional ifup/ifdown scripts
- desktop uses the dbus based networkmanager gui

Q: Vmware running windows sometimes has problems under Linux.

You need to install Vmware tools. The default devices are generic and not very fast. Tools for windows improved the video drivers and

Q: Can Linux have the 32-bit limit on RAM that Windows has?

No.

Q: Can I set up more RAM in VMware on Linux than is physically on the system?

No, you are limited to the host memory.

Q: Can you set up 64-bit?

Yes. The free version can support emulating up to two 64-bit CPUs.

Q: Can you run 64-bit Linux on 32-bit systems?

Yes and no. It shouldn't work. In the case of 32-bit applications moved to 64-bit, it's people that made bad assumptions and their code doesn't work now. The Hauppauge drivers would be an example.

Q: Performance of 64-bit or 32-bit software on 64-bit hardware?

Generally the 64-bit on 64-bit will work much faster. Running 32-bit code on a 64-bit system will get to be slow.

Some people locally install 32-bit versions of firefox and java and flash for support. These programs will install parallel to the 64-bit versions globally available.

Some drivers (ATi) have issues, being 32-bit only, and won't work at all.

Q: 64-bit software availability?

There just hasn't been a huge push in the Wintel world. Solaris servers have been 64-bit for a long time. Linux has supported 64-bit for a long time. Most Linux applications are written with libraries and are ready to go for 64-bit. Servers have been 64-bit for a long time. Desktop just isn't there yet in the software support.

Games are still 32-bit. Most people that have 64-bit systems (gamers and other early adopters and performance freaks) are still running 32-bit software.

Q: Where can you get rid of stuff like the single-board monitor Robert has?

Give it to Robert, apparently.

waveclaw

06-04-2008 18:15:34

Linux SIG 2008-04-03

Intro Topic: Eric talks about fuse

fuse: File system in User Space.

Problems with code in kernel space can crash your system. Windows NT integrates the windowing system into the kernel for performance reasons. Unix puts these in user space where crashes in the program do not affect the rest of the system. Hence UNIX is often more stable than Windows NT.

Like video drivers, fuse separates filesystem drivers from the kernel and moves them into user space. This allows many new, strange filesystems and experimentation with the same without the side effects of crashed systems.

There are many plug-ins for fuse for doing practical and silly things: your remote $HOME mounted via ssh as a local directory to your gmail account as a mountable filesystem.

Installing fuse.

Step 1 - Ask apt what it knows about fuse.

$ apt-cache search fuse
...
fusesmb - Windows SMB shares
gmailfs - your gmail account as a storage space
fusedav - WebDAV views of things like websites that use WebDAV
libfuse-perl - write a filesystem in Perl.
encfs - Cryptographic filesystems
clamfs - userspace filesystem that is anti-virus protected.
ntfs-3g - use NTFS filesystems without patching your kernel


Step 2 - What is installed?

# apt-cache search fuse
fuse-module
fuse-utils


Step 3 - Changing sources.list to include debian's repository.

# apt-get install sshfs
...

Step 4 - Read the Friendly Manual.

$ man sshfs

Options of interest:

-o reconnect, in case you drop a lot
-o idmap=TYPE, user group mappings as you *might* have a different user account at the destination system


Step 4 - Since the sshfs plugin is installed, try to remotely mount via it.

$ mkdir vortex/
$ sshfs vortex: vortex/
<error about opening /dev/fuse>

Step 4.1 - Eric needs to give himself access to the fuse device!

$ ls /dev/fuse
drw-rw--- root fuse /dev/fuse
$ groups
eric user
$ sudo usermod -G eric,user,fuse eric


Step 5 - Try again.


# su - eric
$ sshfs votex: vortex/
$ ls vortex/
... snip lots of stuff...

$ vi somefiles


Tab completion even works.

Other plug-ins are available. Things like unpackfs that lets you see into zip, zoo, gzip, etc files.

Intro Topic Part II: Exploring encfs.
Note that trackerd - a super find tool - makes this part very slooooow.

$ apt-get install librlog1c2a
$ encfs ~/mysecret ~/notasceret
$ vi ~/notasceret/hi
$ ls -l ~/notasceret
-rw-r--r-- 1 eric eric 47 2008-04-03 19:27 hi
$ ls ~/mysecret
-rw-r--r-- 1 eric eric 55 2008-04-03 19:26 E-M5030fjama,


Other features of fuse:


eric$ su - robert
robert$ cd ~eric
robert$ ls -ld vortex
?--------- ? ? ? ? vortex
robert$ su - root
root# cd ~eric
root# ls -ld vortex
?--------- ? ? ? ? vortex


Even root cannot see in the encfs files. root can only see what the kernel lets him/her and the kernel space part of fuse is mediating this. (Yet as root you could just su to eric.)

lsof notes that it cannot stat a fuse filesystem

root# lsof
lsof: WARNING: can't stat() fuse filesystem /home/eric/vortex
Output information may be incomplete.
eric$ lsof | grep ...somestuff...
sshfs 6456 eric ... /dev/fuse


Intro Topic Part III: unmounting fuse filesystems


$ fusermount -u notsosecret
$ ls notsosecret/
$ ls mysecret/
E-M5030fjama,
$


Miscellaneous Topic: Demo of the Maxtor Fusion

Maxtor Fusion. It's a toaster-sized PC that runs Linux!

- Intel Celeron 400MHz
- 256M RAM
- 500Gb drive (as packaged)
- 2 USB 2.0 ports
- 1 Gigabit ethernet port
- Debian etch + fabrik PHP website


Pretty bad photos from the presentation are not shown.

Many steps are omitted here such as:

- probing the system to determine its OS
- analysis of the fabrik PHP site
- detailed security analysis of original configuration
- backing up the filesystem
- user reconfiguration
- package selection, install
- disk footprint details

1. Open up the fusion's case (and void the warranty) to reveal a 500Gb Seagate Barracuda EIDE Drive.

2. Remove the drive.

3. Put the drive into an enclosure.

5. Attach the drive to a desktop.

waveclaw@mingle:/media> sudo su -
mingle:~ # cd /media
mingle:/media # ls -l
total 22
-rw-r--r-- 1 root root 388 Mar 31 20:04 .hal-mtab
-rw------- 1 root root 0 Mar 29 12:26 .hal-mtab-lock
drwxr-xr-x 24 root root 1024 Oct 20 2006 _
drwxr-xr-x 4 root root 1024 Oct 19 2006 _boot
drwxr-xr-x 6 10001 10000 1024 Oct 20 2006 _fsys
drwxr-xr-x 14 10001 10000 1024 Oct 20 2006 _fsys_factory
drwxr-xr-x 10 10001 10000 4096 Oct 20 2006 _space
drwxrwxrwt 5 root root 4096 Mar 31 19:09 _tmp
drwxr-xr-x 12 root root 1024 Oct 19 2006 _usr
drwxr-xr-x 15 root root 1024 Oct 19 2006 _var
drwxr-xr-x 2 root root 4096 Oct 19 04:01 floppy
mingle:/media # mount
/dev/sdb1 on / type ext3 (rw,acl,user_xattr)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
debugfs on /sys/kernel/debug type debugfs (rw)
udev on /dev type tmpfs (rw)
devpts on /dev/pts type devpts (rw,mode=0620,gid=5)
/dev/mapper/mingle-opt on /opt type ext3 (rw,noatime,acl,user_xattr)
/dev/mapper/mingle-usr on /usr type ext3 (rw,acl,user_xattr)
/dev/mapper/mingle-var on /var type ext3 (rw,acl,user_xattr)
/dev/mapper/mingle-home on /export type reiserfs (rw,noatime)
/dev/sda1 on /export/home/jdpowell/Documents/Disk_images type ext3 (rw,noexec,nosuid,nodev)
securityfs on /sys/kernel/security type securityfs (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
none on /proc/fs/vmblock/mountPoint type vmblock (rw)
/dev/sdf1 on /media/_boot type ext3 (rw,nosuid,nodev)
/dev/sdf7 on /media/_var type ext3 (rw,nosuid,nodev)
/dev/sdf5 on /media/_ type ext3 (rw,nosuid,nodev)
/dev/sdf8 on /media/_fsys type ext3 (rw,nosuid,nodev)
/dev/sdf9 on /media/_fsys_factory type ext3 (rw,nosuid,nodev)
/dev/sdf6 on /media/_usr type ext3 (rw,nosuid,nodev)
/dev/sdf11 on /media/_tmp type ext3 (rw,nosuid,nodev)
/dev/sdf10 on /media/_space type ext3 (rw,nosuid,nodev)

5.1 Make a chroot environment.

mingle:/media # umount *
umount: /media/_: device is busy
umount: /media/_: device is busy
umount: floppy: not mounted
mingle:/media # cd _
mingle:/media/_ # mount /dev/sdf1 boot
mingle:/media/_ # mount /dev/sdf7 var
mingle:/media/_ # mount /dev/sdf5 type
mount: mount point type does not exist
mingle:/media/_ # mount /dev/sdf8 fsys
mingle:/media/_ # mount /dev/sdf9 fsys_factory
mount: mount point fsys_factory does not exist
mingle:/media/_ # mount /dev/sdf9 fsys_factory
mount: mount point fsys_factory does not exist
mingle:/media/_ # mount /dev/sdf6 usr
mingle:/media/_ # mount /dev/sdf11 tmp
mingle:/media/_ # mount /dev/sdf10 space
mingle:/media/_ # ls
.gnupg dev home lib mnt root srv usr
bin etc initrd lost+found opt sbin sys var
boot fsys initrd.img media proc space tmp vmlinuz
mingle:/media/_ # cd ..

5.2 chroot as root into the new 'system'

mingle:/media # chroot _
mingle:/# mount -t proc proc /proc
mingle:/# mount -t sysfs sys /sys
mingle:/# whoami
root
mingle:/# dpkg --version
Debian `dpkg' package management program version 1.13.16 (i386).
This is free software; see the GNU General Public License version 2 or
later for copying conditions. There is NO warranty.
See dpkg --license for copyright and license details.

6. Turn on the ssh daemon.

mingle:/# whoami
root
mingle:/# passwd
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
mingle:/# grep -i root /etc/ssh/ssh*con*
sshd_config:PermitRootLogin yes
mingle:/# update-rc.d -f ssh defaults
Adding system startup for /etc/init.d/ssh ...
/etc/rc0.d/K20ssh -> ../init.d/ssh
/etc/rc1.d/K20ssh -> ../init.d/ssh
/etc/rc6.d/K20ssh -> ../init.d/ssh
/etc/rc2.d/S20ssh -> ../init.d/ssh
/etc/rc3.d/S20ssh -> ../init.d/ssh
/etc/rc4.d/S20ssh -> ../init.d/ssh
/etc/rc5.d/S20ssh -> ../init.d/ssh
mingle:/# exit
mingle:/media #

7. Remove the drive from the enclosure and re-install into the fusion's case.

8. Plug the fusion into the network.

mingle:/media # ssh fusion
/usr/bin/ksh-886>ssh fusion
The authenticity of host 'fusion (192.168.1.2)' can't be established.
RSA key fingerprint is 9c:47:83:b2:2c:cf:13:ab:aa:bd:1e:a9:66:1d:df:bb.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'fusion,192.168.1.2' (RSA) to the list of known hosts.
root@fusion's password:
Linux fusion 2.6.24-1-686 #1 SMP Mon Feb 11 14:37:45 UTC 2008 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Apr 6 18:22:46 2008 from mingle
fusion:~#

9. Upgrade to something this year.

fusion:~# cat <<STUFF >> /etc/apt/sources.list
#added 2008-03-31

deb http://mirror.cs.wisc.edu/pub/mirrors/linux/debian/ testing main non-free contrib
#deb-src http://mirror.cs.wisc.edu/pub/mirrors/linux/debian/ testing main non-free contrib

#deb http://debian.oregonstate.edu/debian/ testing main
#deb-src http://debian.oregonstate.edu/debian/ testing main

deb http://security.debian.org/ testing/updates main

deb http://debian.oregonstate.edu/debian/ testing main
#deb-src http://debian.oregonstate.edu/debian/ testing main

deb http://ftp.us.debian.org/debian/ testing main
#deb-src http://ftp.us.debian.org/debian/ testing main

deb http://mirrors.kernel.org/debian/ testing main contrib
#deb-src http://mirrors.kernel.org/debian/ testing main

deb file:///space/packages/debian_standard_repository testing main contrib non-free
#deb-src file:///home/admin/packages/debian_standard_repository testing main contrib non-free
STUFF
fusion:~# apt-get update
...huge update omitted...
fusion:~# apt-get dist-upgrade
... huge update omitted ...


10. For about the price of a recent SATA drive the Fusion is a nice little web server and development box.

11. See a Trac install on a Maxtor Fusion at http://www.waveclaw.com:8080/

12. Err....Profit?

Q/A

Q: Can I get flash installed for Firefox 3?

A: You can symlink the flash library from your old firefox directory and it will work.

$ cd ~/.mozilla/firefox/ # if you used the local installer
$ cd /usr/lib/firefox/plugins # if you installed it globally

If you used apt-get, or the gui upgrade tool for Ubuntu, the new firefox 3 is in /usr/lib/firefox3/.
So, do

$ cd /usr/lib/firefox3/plugins
$ ln -s /usr/lib/firefox/plugins/flashplugin-alternative.so .
$ ls -l flashplugin-alternative.so
lrwxrwxrwx 1 eric eric 51 2008-04-03 20:04 flashplugin-alternative.so -> /usr/lib/firefox/plugins/flashplugin-alternative.so

The next time firefox starts it will pick up this plugin. firefox has a set of paths it will check for plugins. They are just normal Linux libraries (.so files) or XPI User Interface programs for firefox (.xul files.) If you put them somewhere on these paths (like ~/.mozilla/firefox/plugins) you will be able to use these plugins the next time you restart.

Q: I only used up 1/2 my filesystem. I wanted to put Mint Linux on my HD, too but the installer says it won't fit.

A: Boot blocks are only 1 block in size. Half of this is taken up by error messages. You can have a max of 4 primary partitions listed in the tiny space remaining. You can use an extended partition which can have up to 64 *sub* partitions. However, creating an extended partition uses up one of the primary partitions. By default, Ubuntu tries to install much of its stuff into an extended filesystem.

$ sudo su -
# /sbin/fdisk -l /dev/sda
Device Boot Start End Blocks Id System
/dev/sda1 * 1 9 72261 83 Linux
/dev/sda2 10 12161 195221880 82 Linux swap / Solaris
/dev/sda3 10 12161 195221880 5 Extended
/dev/sda5 10 12161 97610940 8e Linux LVM
/dev/sda6 10 12161 97610940 8e Linux LVM

There is no limit to the number of Linuxes that you can install on a system. However, this adds ridiculous numbers of partitions. So you probably want to share many filesystems (/home, /tmp, swap, etc.) The installer programs may not like this, but it is trivial to set up by editing your /etc/fstab. Don't share /usr, /, or /boot.

Future Topic Ideas:

Clustering under Linux.
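The partition answer above (4 primary slots in the MBR, an extended partition chaining logical partitions) can be seen directly by walking a partition table. The following is an added example written for these minutes, not code from the original post: it builds a small constructed disk image in memory (the layout is made up, not Robert's or anyone's real disk), parses the 64-byte table that follows the 446-byte boot code, and follows the EBR chain inside the extended partition, numbering devices the way Linux does (1-4 for MBR slots, logicals from 5). It also refuses an EBR chain that loops or points outside the extended partition, which is the usual way a corrupted or hostile table makes a naive parser spin forever.

```python
"""Walk an MBR partition table over a constructed in-memory disk image."""
import struct

SECTOR = 512
EXTENDED_TYPES = {0x05, 0x0F}   # DOS extended, Win95 extended (LBA)
ENTRY_FMT = "<B3sB3sII"         # boot flag, CHS start, type, CHS end, LBA start, sectors


def mbr_entry(boot, ptype, start_lba, sectors):
    """Build one 16-byte partition-table entry (CHS fields zeroed; LBA fields only)."""
    return struct.pack(ENTRY_FMT, 0x80 if boot else 0x00, b"\0\0\0", ptype,
                       b"\0\0\0", start_lba, sectors)


def boot_sector(entries):
    """512-byte boot sector: 446 bytes code area, 4 x 16-byte table, 0x55AA signature."""
    table = b"".join(entries) + b"\0" * (16 * (4 - len(entries)))
    return b"\0" * 446 + table + b"\x55\xAA"


def build_sample_image():
    """Constructed 64-sector image: 2 primaries + 1 extended holding 2 logicals."""
    img = bytearray(SECTOR * 64)
    ext_start = 20
    img[0:SECTOR] = boot_sector([
        mbr_entry(True, 0x83, 1, 8),            # slot 1: Linux, bootable
        mbr_entry(False, 0x82, 9, 10),          # slot 2: swap
        mbr_entry(False, 0x05, ext_start, 40),  # slot 3: extended container
    ])
    # EBR 1 at LBA 20: logical at +1 (9 sectors); link to EBR 2 at +10 from ext_start
    img[ext_start * SECTOR:(ext_start + 1) * SECTOR] = boot_sector([
        mbr_entry(False, 0x8E, 1, 9),
        mbr_entry(False, 0x05, 10, 10),
    ])
    # EBR 2 at LBA 30: logical at +1 (9 sectors); no further link
    img[(ext_start + 10) * SECTOR:(ext_start + 11) * SECTOR] = boot_sector([
        mbr_entry(False, 0x8E, 1, 9),
    ])
    return bytes(img)


def read_table(sector):
    """Parse the four entries of one boot sector; insist on the 0x55AA signature."""
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        raw = sector[446 + 16 * i:446 + 16 * (i + 1)]
        boot, _, ptype, _, start, size = struct.unpack(ENTRY_FMT, raw)
        entries.append((boot == 0x80, ptype, start, size))
    return entries


def list_partitions(img):
    """Return [(name, type, start_lba, sectors)] for primaries and chained logicals."""
    out, ext = [], None
    for n, (boot, ptype, start, size) in enumerate(read_table(img[0:SECTOR]), 1):
        if ptype == 0:
            continue                      # empty slot
        out.append((f"sda{n}", ptype, start, size))
        if ptype in EXTENDED_TYPES:
            ext = (start, size)
    if ext is None:
        return out
    ext_start, ext_size = ext
    ebr, n, seen = ext_start, 5, set()
    while True:
        # Guard against loops and links that escape the extended partition.
        if ebr in seen or not (ext_start <= ebr < ext_start + ext_size):
            raise ValueError("EBR chain loops or leaves the extended partition")
        seen.add(ebr)
        first, link = read_table(img[ebr * SECTOR:(ebr + 1) * SECTOR])[:2]
        if first[1] != 0:
            # Logical partition start is relative to this EBR's own sector.
            out.append((f"sda{n}", first[1], ebr + first[2], first[3]))
            n += 1
        if link[1] not in EXTENDED_TYPES or link[3] == 0:
            break
        ebr = ext_start + link[2]         # link is relative to the extended partition start
    return out


if __name__ == "__main__":
    for name, ptype, start, size in list_partitions(build_sample_image()):
        print(f"{name:5} type 0x{ptype:02x} start {start:3} sectors {size}")
```

Point it at a real disk by replacing `build_sample_image()` with the first few megabytes read from the block device (root needed); the loop guard matters more there than on the sample, because an EBR chain is data under the control of whoever wrote the disk.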

waveclaw

08-06-2008 09:04:06

Linux SIG 2008-06-05

Topic: Clustering Primer

Theory - you really need to know what you are trying to achieve.

Q: What about heartbeats?

Heartbeats are how most system 'pings' are implemented.

Q: What about High Availability?

You are trying to preserve uptime. For instance, the 4 asterisk boxes and two CISCO routers in a cluster for daVinici systems. When the master goes down, systems switch to the secondary or slave system. While both are up the slave and master are both used. Each is sized to handle the full load.

On most systems, you have a slave that replicates data from the master and pings it every time. When the pings fail, the slave comes up as the new master and alerts everyone about it.

Q: Load balancing situations?

Active websites like slashdot.org, sourceforge.net, cnn.com use several machines with duplicates of the sites. The load is distributed by hardware or other solutions that sit 'in front' of the real servers.

Q: Supercomputing?

With some computations, the amount of processing power vs the memory or disk I/O overhead is significant. For those that are also breakable into parallel workloads, you use many servers. Each node in the system does part of the work at the same time. These are usually a bunch of rack mounted hardware running the Linux kernel and special support applications to handle the workload.

The University of Oklahoma uses this heavily for weather modeling, explosions, chemistry. Some physics modeling doesn't work as well on such systems.

daVinici did OCR for the Oklahoma State Government using a small cluster. The OCR job is very intensive. It would take all weekend for the systems to do it. Instead, each PC would grab a page off an NFS share and work on it then return it to the server completed. Lots of locks and contention issues arose. Was very crude but did the job well.

Some applications are written specifically to run in a clustered supercomputer environment.

Q: Other systems?

Folding@Home is an ad hoc cluster. The head node hands jobs to people's PCs that have the client installed. The results are sent back to the head node to analyze. The client only runs when the system is idle.

Some infrastructures can be set up in an office to allocate resources as needed. For instance, a workstation needing to compile a large program. The workstation asks a load master computer to batch submit the job. The load master hands the job off to an idle server with less load and completes the job faster.

LDAP is a replicated "lightweight" database often used for user account information. The information propagates throughout the 'cluster' of LDAP servers. Clients connect to their local server. If the normal server goes down, then the clients are responsible for finding and accessing a backup.

Most webservers are not cluster aware. This is why they often have load balancers sitting in front of them.

Q: What about special protocols?

MPI is a library that you use to parallelize a normally linear application. The MPI libraries and kernel modules speak their own protocol to exchange information and manage systems.

The daVinici OCR system was done using ordinary Linux userspace tools.

Supercomputing cluster APIs and servers reflect the eclectic and custom natures of the teams that originate them. A lot of the supercomputer software is created to fit a particular problem. These often are built in response to perceived deficiencies in existing systems.

In summary, you need to know what you want to do:
reduce downtime on a service
complete a computationally intensive task quickly
improve performance of an oversubscribed service

lcic.org - Linux Clustering Information Center.

There is a lot of information out on the Internet, especially for Linux and BSD. Those are used a lot. 3D CGI and Hollywood has many production houses using large rendering clusters.

Next month: a demo of an actual cluster.

Intro topic: General Questions.

Q: Cellphones that run Linux?

We did cover Linux connecting to a cellphone as a modem.

Q: Howto setup IM?

Most people running Linux can use Pidgin just like they do on Microsoft Windows or an Apple OS.

Do you have a previous IM account? No?

1. Go to one of the websites for an IM service.
- talk.google.com
- yahoo.com
- msn.com

Then use your account information to add an account to Pidgin.

Pidgin is the new name for Gaim. It should be installed on most modern Linux distributions.

2. Pick the type of service you signed up to

Accounts -> Add / Edit.

(Your account's username)
(Your account's password)

3. You probably want to setup Pidgin to automatically remember your password.

4. As soon as you save the account Pidgin will try to log you in.

5. For those accounts you want to use every time you run Pidgin, you can select enable in the Accounts window. (Accounts menu on main window.) Likewise, enable those you want to automatically login to each time.

waveclaw

03-07-2008 19:53:28

LinuxSIG

Topic: Linux Clustering with ClusterKnoppix

Setup is ten Compaq Armada laptops network booting to the head node. The default PXE boot firmware couldn't bring the systems up. gPXE is being used instead. Out of the 10 systems, 3 came up. Due to NFS issues, the other 7 are refusing to boot.

ClusterKnoppix is old tech, >4 years old. It is unmaintained. The current ParallelKnoppix uses the MPI libraries. However, only 1 CD is needed. The harddrives of the client machines are never changed. This is a 2.4 kernel system.

On the root node is running openMosix. You run a script to setup the 'cluster' and specify things like drivers to check, etc.

This is a compute cluster, which is designed to speed up a process, versus a High Availability cluster, which would be designed to survive outage but not improve performance.

Eric is using openMosix, which is a process-based reallocator. It waits to see if the task takes too long then farms it off to the lowest in-use member of the compute cluster. MPI is a library that your program is required to be compiled against to use.

mosmon is producing a pretty graph to see. openmosixview 1.5 is showing and managing the load balancing.

openmosixmigmon is another visualization tool meant to describe in realtime the processes as they are distributed.

The demo application will be a render in POVRay.

#povray -i skyvase.pov +v +ft -x -a0.300 #r3 -q9 -m2.0 -w1600 -h1200 +NT16

Note the background is showing activity.

'Slaves NN at Knoppix successfully started' is displayed in the background.

This would take about a half hour to do on 1 system, it is taking about 5 minutes with all 4 systems (3 clusters and the head node).

The job outputted a lot of nice stats once done. Takes under 2 minutes. This results in a nice skybase.tga with some ray-traced reflections, etc.

One of the cluster members was removed and rebooted. He shows up automatically.

With a little more tweaking, 3 more nodes out of the 10 for the cluster have come up. Most of these are 600 MHz speed, the most powerful a 1 GHz system. Most are 256 MB to 300 MB RAM systems, so no 'super' computing today.

Now the image renders in under a minute.

Speaking of tweaking, you need to be careful about setting the process sensitivity of openmosix's reallocator. You don't want normal processes (e.g. your 'ls *' command) getting farmed out to another node from the one you issued the command on.

9 of 10 systems are now in the cluster. Trying again with 3200x2400 image size. This takes 2m 15s to render.

Adding two more systems gained about 15 minutes with the large image. This process segfaulted several times. This is a noted problem. There is no support for partial recovery as the application being supported by openmosix dies, not the cluster.

For the original size, 7 seconds were saved. No segfaults.

Scientific computing? Sure. Day to day practicality this is not. This was really popular around 2003. Several groups were running 'flash clusters' similar to 'flash mobs' but with people willing to share hardware.

Debian, on which Knoppix is based, supports many clustering packages. Ubuntu, which is based on debian, inherits many of these packages. Ubuntu clusters are known.

For more information: Linux Clustering Information Center

waveclaw

07-08-2008 18:22:22

LinuxSIG 20080807

About 7 people tonight.

Intro Topic: Q&A

Advanced Topic: Anti-virus

Q&A

Q: Have you, Robert Green, ever talked about returning to the Computer Show? The last guy, the lawyer, that ran it has quit. The last guy was driving away a lot of the vendors.

A: The new guy that took over from the previous guy was running it the last time I checked. The lawyer stopped running it about 4 months ago. I haven't been back since I haven't been able to wrap my mind about what I wanted to do. The other volunteers returned because of the new guy.

Q: Viruses commonly come from shared documents (e.g. email) but what about those that come through open ports?

A: A port is nothing but a logical location on your computer for another computer to connect to your computer. If you are not running a service on your computer, nothing is there to receive connections, thus cannot receive viruses. If you need to run the service, but don't want to expose that port, you run a firewall. Robert runs a Linux server in his network in place of the typical Linksys or other home network router. It has a firewall that blocks all ports but the one used by ssh. That service is set up to only accept public key logins so can sit out, exposed to the wild Internet.

Q: Does Linux have a firewall?

A: It has many. The current one is called Iptables and is a kernel netfilter. You create scripts to set up the rules (or chains) in the Iptables to filter access locally. Ubuntu, RedHat and SuSE have simple configuration tools for end-users to configure the firewall. This will be hanging off the security submenu somewhere in your system administration menus on your distribution's favorite desktop. Iptables has been around since the 2.2 kernel so has about 6 years of very mature and well vetted use. It's built into the kernel so any updates to the kernel get you updates that might exist for the Iptables Firewall.


Q: Explain


A: Linux security models can be complex.

        .-------------------.
       (      Internet       )
        '-------------------'
                  |
               +----+
               | AP |   <-- probably a DSL router or Cable Router
               +----+
                  |
      --+--+--+---+---+--+--+--  DMZ
        |  |  |       |  |  |
                  |
         +-----------------+
         |   Firewall or   |
         |     Linksys     |----+--+--+--+--  Border systems
         |     Router      |    |  |  |  |
         +-----------------+
                  |
      --+--+--+---+---+--+--+--  Internal Systems
        |  |  |       |  |  |


The router in your home network is a very simple operating system on a hardware architecture different than your home PC. It runs a firewall and NAT. NAT means that the internal network is set up with private addresses not routable on the Internet side. The Internet side of the router is typically not set up to be administered remotely. By default this is turned off at the factory. This can be turned on, running a public webserver. Most of these routers are so small (2 meg of ram, 8 meg of ram) as to make them unattractive as a point of attack. The Linksys can be exploited, but typically the cracker is going for the low hanging fruit to make a botnet.


Q: What is a botnet?

A: Where the money is. You infect a bunch of computers with a virus that does nothing initially. Later on I sell access to these systems to someone. I use the virus and a special control channel (typically a private IRC server that the virus is subscribed to) to manage the compromised machines. You can even use these zombie PCs to send spam, spread bad files, collect private user information and make enormous numbers of fake connections to overwhelm other people's services. Running as a very sophisticated mail relay, these botnets can patch themselves, defend against other viruses, disable antivirus and intelligently hijack personal email accounts to spam people.

Q: Linux has a remote dial-up connection tool. Does the remote computer you call need to run Linux?

A: No. You can connect to remote Windows desktops, Citrix servers. To a Linux box there are many many options but they are complicated.

Q: Go-To My PC?

A: Again, there are many options. At work, Robert uses VNC. The clients on the servers are running as servers and the servers are running in client mode. So they can connect to their systems and have them call back and connect to the requester to share the desktop. This is used for helpdesk and troubleshooting. Yes, this is backwards. We use UPnP (Universal Plug-n-Play) to dynamically open the ports and forward the connections so the ports are kept closed. All this is automatic at the customer's site to avoid issues like calling up non-technical users to get IP addresses, etc.

                         +---------- UPnP opened ports ----------+
                         |                                       |
                         V                                       V
+--------------+    +----------+                 +----------+    +---------------+
| Local client |----| Firewall |---{Internet}----| Firewall |----| Remote Server |----[ Linux desktop ]
|  (Windows)   |    +----------+                 +----------+    |   (Windows)   |
+--------------+                                                 +---------------+
* client running in server mode                                  * server running in client mode



In the case of Robert's workplace, they have a single Windows server that handles the windows clients. The Linux systems connect to them in turn.


Q: Is VNC available by default for Linux?

A: You need to buy the professional version for the nice features. Note: there is no nice GUI for the free VNC product.


Q: Can an Internet facing router's IP change?

A: For residential customers, you will have a fairly static connection with Cox and probably have the same IP address for at least 3 months assuming your router is not down for over an hour. With AT&T DSL your IP will change hourly.

With DynDNS or other such services you can buy a special domain name at dyndns.org, etc. that will get the IP address to resolve from a client on your desktop or home server.

The other thing needed for the VNC and other remote access tools is to do port forwarding.

Q: Do they still make PC Anywhere?

A: Yes, and you still will have the same security and other issues with PC Anywhere as with VNC.

Q: How often are ATI drivers updated on Linux?

A: Video drivers: two sets, the free set and the Fglrx commercial drivers. Those are at the manufacturer's discretion. The ATi cards require some hoop jumping to get working properly. Specific versions of the driver will only support some of ATi's cards.

Anti-Virus

Google for anti-virus Linux. No, really. Do it.

Virus scanning under Linux is mostly a topic to talk about. There are a few Linux viruses and they tend to require very specific conditions to work.

Normally, worms and rootkits require misconfigured services or bad password/username combos.

Most of the time, virus scanning is done on Linux to deal with Linux being a carrier for Microsoft Windows viruses. Mailhosts and gateways, running Linux, become immune carriers. Thus scanners are run on the Linux server where the virus cannot run and are caught there before infecting Microsoft Windows PC clients of that server. This does not mean that you should not run scanners locally on the Microsoft Windows PCs. They are still vulnerable to other routes of infection.

Scanning on Linux mailhosts + proper email retention policies can prevent catching and storing viruses.

Commercial Products

Mostly corporate or enterprise products. Annual subscriptions to updates and definitions are typical.

- Sophos - www.sophos.com - a mailserver product with a file scanning product. You don't need the whole infrastructure, just the little $50-style scanner. Does include a Perl API for on-demand access usable with Perl-based filtering in some mail servers. One pain point: the engines and definitions are not backwards compatible, so when a monthly update occurs you will have to update. They also have email appliances.
- AVG - large scale virus solution. (Not the AVG Free product.)
- Avast
- aMaViS - hooks into mailservers and integrates anti-virus into your mail chain.
- McAfee - corporate mail scanner. Does have clear home-user and business-user products.

Some have gone out of business or are niche players.

- Vexra - Another company that got bought out by Microsoft and the Linux product discontinued.

Free utilities

- Panda
- F-prot
- ClamAV - the big-name open-source virus scanner. Completely maintained by the community. The definitions for the viruses it scans for are community maintained. It often gets updated before the commercial solutions can roll out their own virus definitions. It is a command line tool.

Definition updates

With ClamAV, most companies update their definitions from the clamav.net site daily if not hourly. The engine updates are slower but on a monthly to weekly basis. Corporate users typically don't pull the engine as frequently.

Basic command line scanners will probably require manual checking for new definitions. More desktop-ish clients will check automatically. Servers that don't run desktops typically run a script that, to an acceptable trade-off between paranoia and saturating the definition servers, periodically checks for and downloads updates.

File Servers

Samba has integration with ClamAV for On Access Scanning. This enables you to scan for a virus as soon as it is dropped on the Linux file share supporting the Windows clients. This is an alternative or addition to scheduled scanning (such as scanning just before backups and quarantining files.) In both cases, you will want a policy about how you deal with users that have 'lost' a file due to it being infected.

Other Virus Topics

SME is a distribution of Linux for corporate clients who don't want to know about Linux but want to run Linux. It's repackaged Redhat with ClamAV installed.

Symantec has a virus scanning and spam filtering appliance that will integrate into your mail systems.

A favorite compromise under Linux: mail.cgi. Sends an email, but all the mechanisms available through it are also available to any user. Instant spam gateway. Or open relay via apache, the webserver.

This is not a discussion of trojan software or hacked websites that target Microsoft as those don't even work on Linux most of the time.

Normally, installing a Linux system includes basic hardening and proper security practices.

Note: unlike Linux servers, home users of Linux care the most about their /home. They can re-install the Operating System over and over again. Losing the files in their personal home account, in which they can access all their own files, means losing real value.

The saving grace is that the approach to attacking Linux is to attack vulnerable services that normally don't run on a Linux system. Plus strong firewalling, NATing or firewalling on home networks tends to limit this.
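The "immune carrier" idea from the minutes above, as an added example that is not code from the meeting notes or from ClamAV: a toy signature scanner that walks a mail message's attachments on the Linux mailhost and matches their decoded bytes against a tiny definition database. The database line format imitates ClamAV's .ndb layout (Name:TargetType:Offset:HexSignature), but the database, the sample message and the fictitious "Demo.Marker" entry are constructed here; the only real pattern is the EICAR test string, which scanners detect by industry agreement and which does nothing when run.

```python
"""Toy signature scanner for mail attachments on a Linux mailhost.

Added example, not from the meeting notes or any product.  The signature
line format imitates ClamAV's .ndb layout (Name:TargetType:Offset:HexSig);
the database and the sample message are constructed here."""
import binascii
from email import message_from_bytes
from email.message import EmailMessage
from typing import Dict, List, Optional, Tuple

# The EICAR test string: a harmless, industry-agreed pattern that scanners
# detect so a deployment can be tested without handling real malware.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed signature database.  Offset "*" means "anywhere in the file";
# a number means "exactly at that byte offset".  Demo.Marker is fictitious.
SIGNATURE_DB = "\n".join([
    "# name:target:offset:hex",
    "Eicar-Test-Signature:0:*:" + binascii.hexlify(EICAR).decode(),
    "Demo.Marker:0:0:" + binascii.hexlify(b"MZDEMO").decode(),
])

Signature = Tuple[str, Optional[int], bytes]


def parse_signatures(db_text: str) -> List[Signature]:
    """Turn name:target:offset:hex lines into (name, offset, pattern) tuples."""
    sigs: List[Signature] = []
    for line in db_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _target, offset, hexsig = line.split(":", 3)
        sigs.append((name, None if offset == "*" else int(offset),
                     binascii.unhexlify(hexsig)))
    return sigs


def scan_bytes(data: bytes, sigs: List[Signature]) -> List[str]:
    """Return the names of every signature that matches data."""
    hits = []
    for name, offset, pattern in sigs:
        if offset is None:
            matched = pattern in data
        else:
            matched = data[offset:offset + len(pattern)] == pattern
        if matched:
            hits.append(name)
    return hits


def scan_message(raw: bytes, sigs: List[Signature]) -> Dict[str, List[str]]:
    """Decode each attachment of an RFC 822 message and scan it.

    The gateway never executes the attachment; it only inspects the bytes,
    which is exactly why a Linux mailhost can catch Windows malware."""
    results: Dict[str, List[str]] = {}
    for part in message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename is None:
            continue  # the message body, not an attachment
        payload = part.get_payload(decode=True) or b""
        results[filename] = scan_bytes(payload, sigs)
    return results


def build_sample_message() -> bytes:
    """Constructed message: one clean text attachment, one EICAR attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "quarterly report"
    msg.set_content("See attached.")
    msg.add_attachment("just some notes", filename="notes.txt")
    msg.add_attachment(EICAR, maintype="application", subtype="octet-stream",
                       filename="invoice.com")
    return bytes(msg)


if __name__ == "__main__":
    report = scan_message(build_sample_message(), parse_signatures(SIGNATURE_DB))
    for name, hits in report.items():
        print(f"{name}: {'INFECTED ' + ','.join(hits) if hits else 'clean'}")
```

Two details carry over to real deployments: the scanner must decode the transfer encoding (base64 here) before matching, since a signature never appears verbatim in the encoded mail, and an offset-anchored signature does not fire when the same bytes appear elsewhere, which is what keeps anchored definitions cheap and low on false positives.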

waveclaw

03-10-2008 01:00:36

LinuxSIG 2008-10-02

Last month

There was no meeting as no one with a key to the room could make it.

Note about the latest Gnome desktop: trackerd. Turn it off if you want any kind of performance.

AstriCON: Eric went to the Asterisk Conference and will be demoing the Call Center in a Box. Running on Linux.

Intro Topic: Q/A

Q: Can I run 32-bit software on my 64-bit linux?

Yes. there are compatibility libraries.

There are extensions in the CPU that really do let the CPU use the 64-bit width address system.

Q: I'm having trouble installing X Plane.

Linux cannot actually run Windows software. WINE: Wine Is Not an Emulator, is a tool that will run with *reasonable* success, most Microsoft Windows software.

You are running Ubuntu. There is a version of Wine that you can install from the Ubuntu package manager.

You still have to put the CD in the drive, mount it if it doesn't mount automatically. You will have to open a terminal window (command line) and run the installation program, install.exe or setup.exe typically, and put the word 'wine ' before the program name.

Example: TeamFortress 2 via steam. This installs on Linux. However, the hardware requirements are somewhat higher. Systems that just meet the minimum requirements will not play well.

For games there are three options:
- wine as mentioned above
- the commercial fork of wine called cedega
- the commercial version of wine from Crossover meant for playing video games

Recommended that you bring the game next month if you cannot get it running.

The CD may mount somewhere. Modern Linux systems mount CDs under the volume label. You will need to check the /media directory for this. For example:
wine /media/my\ fancy\ windows\ cd/install.exe
The '\ ' are to escape the spaces for the shell.

Q: I started using Pidgin. Is it like Yahoo with rooms?

Depends on the service. Some services do require you do know the person's name.

Q: How do I fix the fonts, they are too small?

In GNOME, goto Appearance Preferences. Select the Fonts tab. Update the size of the Fonts. They will apply immediately and be saved.


Ctrl+ or Ctrl- in firefox will change the size of the font of your webpages. You can set a minimum font size and force pages to use your font sizes. This will make layout bad on webpages written by people who have their fonts on their systems set to Huge size.


Side Note: In Ubuntu 8.04 the update manager will not steal focus.

AstriCON CD

ContactQ is a queue management software application built on top of Asterisk. It is supposed to be used for a call center, particularly for in-bound call routing.

Hardware: IBM Laptop with 512 MB ram + 64 swap, P3 850 Mhz (speedstep)

To check the 'hardware' use

cat /proc/cpuinfo

and you will get the low value (throttled back)

To check the real hardware performance use

bash
while :; do :; done

in another window

cat /proc/cpuinfo

and the result should tell you the real Mhz.

For example: the laptop showed 700 Mhz. The final count was 850 Mhz.

This is due to binning of processors. When built originally all the CPUs come off the same assembly line. Tested under adverse conditions (usually low voltage and high heat) the ones that fail get put in the slow bins. As the assembly line quality improves, the number of slow processors declines and can actually cause shortages. So faster CPUs will get labeled as slower ones and sent to customers.


The CD contains CentOS, a whitebox version of RedHat's commercial RedHat Enterprise

ContactQ is the software. It will 'shoot the box' it is installed on. This is 0.9 version demo software. Buyer beware.

Note this is a netbooting laptop. In Eric's home, booting while pressing F12 will cause the laptop to install Linux and the child-appeasement tools (games) in his post-installation.

This is a hands-free install apparently.

The ContactQ software does not want to allow a local login. The http://10.0.0.223/admin/ page shows us the login screen. What is our user name, password and domain? Per http://contaq.org/index.php/demo and the Demo guide http://contaq.org/index.php/User the username is superadmin, password is contactq, and leave the domain blank. The Demo's domain is admin, admin, Default.

This is Linux + something on top of it + a preinstalled application.

Checking the system:

cat /etc/lsb-release

returns nothing, so checking

cat /etc/redhat-release
CentOS release 5 (Final)

This is not a Linux Standards Base compliant system. This is a RedHat based system. RedHat is a commercial, sold, system based on free software. CentOS takes the free source packages from RedHat and removes the RedHat logos, brands, etc out. What is left is the compilation of software identical to that shipped by RedHat. RedHat ships and sells a copyrighted compilation including trademarked logos.

Whitebox was a similar attempt, but CentOS is currently the most popular free respin of RedHat of choice.

The CentOS on the ContaQ box is a pretty nice little setup:

Separate /var of 6 Gb, a good size, possibly to hold spool files. Separate /boot per the modern way of dealing with old BIOSes, 3.9 G root. This is out of a 12Gb hard drive (23579136 blocks of 512 bytes each per cat /proc/ide/hda/capacity and is a Hitachi per cat /proc/ide/hda/model).

Eric logs in to the system as the super admin.

The web ui has the basic info pages including disk usage.

The maintenance section includes the ability to create a backup image of the contaq system.

The Domains section lets you setup more domains. The 'Default' domain is already setup.

The Contact Plan section includes a set of regular expression patterns for extensions of which 12 are configured.

The built-in documentation is rather limited to mainly legalese. The http://wiki.contactq.org/index.php/User page shows more information.

Eric then logged out and relogged in as the domain admin. Many more options are available, all of them pertinent to the setup of phone extensions. He set up a new user, ericsales at extension 1234.

A phone was attached at 10.0.0.214. This is a grandstream so it has a web ui at http://10.0.0.213/. The phones have downloaded firmware and are trying to register. Some of the configuration information is not obvious (Eric has gotten into the asterisk config in the ContaQ system and is setting up by hand.)

The ericsales account was added to the ACD group and the ACD queue. You cannot see a user in the membership tabs if you did not select 'enable'.

Now when you dial 1001, you get the ContactQ lady telling you about the software.

The problem: we now have 1 phone. It is setup for the ericsales extension.

Eric adds an account for Eli as elisales and adds him as a SIP user. Using the apply changes on the left-hand menu, Eric applies changes to the sip system. This user is setup on the 2nd phone.

The logs are being checked. While this setup an Asterisk with SIP accounts, all the functionality is in binary external proxies.

Turns out you have to apply the system config, too. The proxy logfiles reported that the Default domain was not found.

The dashboard feature dynamically updates and reveals that agents are automatically made available on login.

We will be meeting in November.

waveclaw

07-11-2008 10:02:42

Linux SIG 2008-11-07

Eric Presents FAQ plus Install on a virgin ASUS WL-500g Wireless Router.

Q: What software can you use to cause your laptop to dial home if it is stolen, like lowjack for Windows?

It's easy enough to do on a scripting level. And there are several dial-home scripts.

Example: an /etc/init.d/boot.local that emails you back a traceroute home. Assuming the thief is stupid enough to not wipe the hard drive or even stupider and connects it to the network, you can send logs to anywhere you wanted.

We could start a http://findmylinuxlaptop.com. Internal keylogger + logs + traceroute + personal server + cronjob = dial home device.


Q: If you have windows and Linux on the same computer can you use something like killdisk to remove both?

There is nothing about Linux that prevents you from clearing the hard drive. In fact, Linux installers have the option to use the entire disk and wipe everything out for you. You will lose everything on that hard drive. Back your files up or make some other arrangements to save your documents and programs that you want to keep.

Q: How do you turn off that thing where you walk away and it asks you for a password?

It's the screensaver. You need to change the settings on the screensaver to disable it if you never want this to happen again.

In Ubuntu, start your system and login. System-> Preferences->Screensaver->uncheck 'Lock screen when screensaver is active.'

Q: Difference between a router and a modem?

A router is a computer that has at least two network interfaces and figures out how to move data from one interface to the other.

A modem is a very low level device. It is just a pipe. The router would need the modem to use modem features. The computer provided to you to connect to ADSL or cable is called a modem, but is really a router.

Advanced Topic: $100 ASUS WL-500g Wireless Router / Home Gateway install.

In the box:
- bittorrent client
- media player
- uPnP media
- harddrive/webcam/camera
- antennas (to be replaced)
- soon to be useless instruction book
- the router
- a powersupply.

The antenna is a reverse polarity SMA, so it can be replaced with a nice high-gain antenna.

Note this is a device with a compressed image in it to hold the Operating System (OS). Replacing the OS with Linux may void the warranty, but you can install the original "firmware" aka OS or other upgraded firmware from the manufacturer.

There is a JTAG port on most embedded devices. You can open up the case and use this port and put something into the flash on the system even if you bricked it (aka, broke the OS by not upgrading properly.) The OS is actually the second thing loaded on it, the first being a bootloader.

OpenWRT

http://www.openwrt.org

Brief History of OpenWRT

Linksys likes Linux. So they used Linux in their routers. When you install GPL'd software, like Linux, and ship it you MUST make available the source code. Linksys didn't. People threatened legal action. Linksys published the source code. The OpenWRT project works on the code. There is a tiny amount of customization needed to work on Linksys and a large amount of very popular Linux software that will run on the hardware.

This was so popular that people began buying these Linksys routers just to put Linux on them. In fact, when the Linksys company produced linux-incompatible versions, a higher-priced model would be released that could have Linux put on them. These also sold well.

People do make custom router-boards just for running OpenWRT.

Flashing the Router

Step 0: Goto openwrt.org and get proper distribution.

Current release is Kamikaze. This is a mixed drink and once you install and log into the router you will get the recipe as your reward. Each one of the releases (last one: White Russian) is named for a different drink.

Beware: some routers ship with very little space. Some people have put a Linux *kernel* on a system with as little as 1mb of flash, but very few to none of the features you want will be available. The system tonight is somewhat beefier than normal.

Many bits of hardware are supported, including Playstation 3, One-Laptop-per-Child's OLP. The broadcom 4710@200Mhz WRT54G is the original that started it all. WRT54G is notorious for having many important variations ALL UNDER THE SAME MODEL. Some may not be supported and still be called WRT54G. The WRTG54GL 1.0 and WRTG54GL 1.1 with Broadcom 5352@200MHZ are Linux-friendly and are sold at a good price on the secondary market. The WRTSL54Gs, Eric has one, is no longer sold but has the beefier 266Mhz, 8Mb flash, 32Mb ram and usb port, so it is sought after.


Step 1: unpack the router

Note: you can swap out the wireless card for a more powerful card. There is a serial port (the OS will talk to you over this if you plug it in.) There is a hidden admin page that lets you backup the firmware (url provided at openwrt's site.)

Step 2: hook Eric's laptop to the router as if he is going to use it for his normal network use

Step 3: Look in the configuration book and use it to setup the router.

Note: the router is set up with a 192.168.1.1 address and its upstream network device is 192.168.1.1 and both the networks are 192.168.1.0/24. This is a problem. Simple solution? Change the internal IP address to 192.168.2.1

Step 4: Let's Linux this thing, shall we?

WTG-Premium, version 1. Supported, but there is a version 2 which is a Work-in-Process. The Linksys version has a pair of ethernet adapters with VLAN tagging and a dedicated upstream network card. You cannot tell from the box that this Asus is limited to just one network card, but the Linux system - once installed - will tell you about this.

There is a TFTP server on the system and you can load linux this way. The ASUS web GUI does not work yet, so diag (diagnostic) mode for the TFTP process will be needed.

Broadcom-2.4 is the one to use for the ASUS: http://wiki.openwrt.org/openWrtDocs/hardware/Asus/WL500GP.

Note that the 2.6 version would not work with the default system and the 2.6 Linux kernel is not compatible with the Broadcom chip used for the wireless. (Turns out that Eric already had the image.)

Step 5: power off the router, and do the diag mode TFTP process.

Note that the system retained the 192.168.2.1 address given before.

Step 6: tftp up

At Thu Nov 6, 19.56 CST - the router was flashed.

At Thu Nov 6, 19.58 CST - the router rebooted itself.

Step 7: telnet to 192.168.1.1 works.

Kamikaze 7.09: 1 Vodka to 1 Triple sec to 1 lime juice.

Using passwd will disable the telnet and enable an ssh shell.

The shell is busybox. To save space, things like ls and sleep and ping and vi are busybox, a program that is small and which behaves differently based on how it was called.

The ssh is dropbear. dropbear allows you to put a public key in place to login just like ssh, but in /etc/dropbear/authorized_keys instead.

Step 8: minimal setup

Eric usually puts an ssh public trust in place and disables password support. Normally, regular user accounts are used to connect and root is never allowed to login. This system will not have normal users so the 'root trust' is used.

All the configuration files are in /etc/config. These assume you know what you are doing.

vi /etc/config/dropbear
Password 'off'

vi /etc/wireless
# commented out - options disabled 1


note: editing these files does not affect the current settings. You must reboot.

Eric reboots.

Step 9: demo

The OpenWrt wireless network is up.

Note: the kernel is using a bridging lan and subinterfaces.

ipkg - is the standard tiny package management system which can be used to update your router.

You can install the pretty webpage configuration utilities and a webserver, etc via this.

There are some interesting packages, including tunneling over: ping, dns, http, etc. There are zaptel and asterisk packages. You can serve about 4, maybe 5 users with IP phones.

Even ptunnel - run TCP over ICMP (yes, tunnel your normal traffic over ping.)
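Step 8 above (key-only ssh on the router) as an added example that is not code from the meeting notes or from the OpenWrt project: a small auditor for an OpenWrt-style /etc/config/dropbear that parses the UCI text format and reports any dropbear instance still accepting passwords. It assumes the option names PasswordAuth and RootPasswordAuth that OpenWrt's dropbear init script reads (the notes abbreviate the first as "Password 'off'"), that a missing option means the default of 'on', and that the two sample configurations below are constructed.

```python
"""Audit an OpenWrt-style /etc/config/dropbear for password logins.

Added example, not from the meeting notes or the OpenWrt project.  Assumes
the UCI text format ("config <type> [name]" followed by "option key 'value'"
lines) and the option names PasswordAuth / RootPasswordAuth read by OpenWrt's
dropbear init script; a missing option is treated as the default, 'on'."""
import shlex
from typing import Dict, List

# Constructed samples: what a stock image ships with, and the hardened form
# with key-based login only.
WEAK_CONFIG = """
config dropbear
    option PasswordAuth 'on'
    option RootPasswordAuth 'on'
    option Port '22'
"""

HARDENED_CONFIG = """
config dropbear
    option PasswordAuth 'off'
    option RootPasswordAuth 'off'
    option Port '22'
"""


def parse_uci(text: str) -> List[Dict[str, str]]:
    """Return one dict per 'config' section; '_type' and '_name' hold the header.

    Only 'option' lines are interpreted; 'list' lines are ignored here."""
    sections: List[Dict[str, str]] = []
    current = None
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)  # handles the quoted values
        if not tokens:
            continue
        if tokens[0] == "config" and len(tokens) >= 2:
            current = {"_type": tokens[1],
                       "_name": tokens[2] if len(tokens) > 2 else ""}
            sections.append(current)
        elif tokens[0] == "option" and current is not None and len(tokens) >= 3:
            current[tokens[1]] = tokens[2]
    return sections


def audit_dropbear(text: str) -> List[str]:
    """List every dropbear instance that still accepts passwords.

    With PasswordAuth off, dropbear refuses passwords for every account, so
    the root check only adds a finding while PasswordAuth is still on."""
    findings = []
    for sec in parse_uci(text):
        if sec["_type"] != "dropbear":
            continue
        label = sec["_name"] or "port " + sec.get("Port", "22")
        if sec.get("PasswordAuth", "on") != "off":
            findings.append(f"dropbear ({label}): PasswordAuth is not 'off'; "
                            "ssh still accepts passwords")
            if sec.get("RootPasswordAuth", "on") != "off":
                findings.append(f"dropbear ({label}): RootPasswordAuth is not 'off'; "
                                "root can log in with a password")
    return findings


if __name__ == "__main__":
    for title, cfg in (("stock", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(title, audit_dropbear(cfg) or ["no findings"])
```

The auditor treats an unknown or misspelled option name as absent, because that is what the init script does too: a line such as `option Password 'off'` changes nothing, and the router keeps accepting passwords. After editing, confirm the running behaviour as well (the notes say a reboot is needed for the change to take effect), for instance by checking that a password login is refused before the public key is the only way in.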

waveclaw

08-12-2008 09:31:59

Important Note: No meeting Next month on the 1st of January.

LinuxSIG 2008-12-04

Record low attendance? All 4 of us here.

Pre-seeding: ubuntu / debian. A method of automatic installation.

https://help.ubuntu.com/8.10/installation-guide/hppa/preseed-using.html

Needs:
- Environment to feed to it: cdrom, network install location.
- Preferably a blank or new PC into which you can install.
- A file with your answers to the installation process

To start a pre-seeded installation process:
- change the grub command line to reference the preseed server and you can install from it.
or
- use BootP (predecessor to DHCP and still part of it) and computers with PXE bios capable network cards

You can customize the installation source or setup MAC address based unique settings.

The Demo:
- postponed

Q/A

Q: What is a checksum?

A: This is a number created by a process that would be different for files with different contents.

The chances that two files will have the same checksum are very small. Two files with few differences such as size or small changes usually have very different numbers created by the algorithm.

Popular algorithms (and the tools on Linux to create them)
- sum
- md5sum
- sha1sum

Example:
ls -l myfile
-rw-r--r-- 1 powellj users 23 2008-12-04 18:50 myfile
cat myfile
This is a sample file.
md5sum myfile
a60319cd0397d5c9bcc0652f9a54c56c myfile
sha1sum myfile
29cb70183455e46d32a129a75de9fb544c248c08 myfile
sha256sum myfile
83403ffc809fa63050d58475e34d0e27b292c02e16e3666e64963c6c0d33eef1 myfile
echo 'This is a sample file!' > myfile
ls -l myfile
-rw-r--r-- 1 powellj users 23 2008-12-04 18:51 myfile
cat myfile
This is a sample file!
md5sum myfile
2e676d2345fbc9230a3f04338507779b myfile
sha1sum myfile
15553f1534a317f778e1fdc1aefe53b07c5d8a92 myfile
sha256sum myfile
3044f38ee583c2158fffcef5962a2d74cda940f97df2a390c119f403f90cd18e myfile


Q: How does this relate to packages and official software repositories?

A: These [checksums] are how things like Linux distributions verify their repositories of software.

When you installed your Linux Operating System, you installed some lists of repositories and the signatures of special files in those systems. The special files are just more lists. Lists of files and their checksums.

When you download an update or upgrade parts of the Operating System, you verify the signatures of those files by comparing them with the ones you have.

Technically, the signatures are made using a private key kept by the provider and the public key was on your installation CD. You can see them with
apt-key list
on your Ubuntu install.

The repository is just a tree of packages and these lists with their signatures.

Q: My audio doesn't work.

A: There could be a number of reasons. Lack of drivers, lack of configuration, software failures in the audio layers. On-board audio quality is usually poor. Linux support for on-board cards that are not AC95 compliant is very poor.

Eric gives a talk about pulseaudio causing crashes on 8.04 Ubuntu.

Mixing in software vs mixing in hardware. Generally Linux software mixing has a lot more channels than the consumer grade cards that do support mixing.

Q: My printer (multifunction devices) doesn't work.

A: CUPS uses ppd files. Linux and Unix work best with Postscript printers.

The printer in this case is a multifunction device. It is pretty dumb and doesn't accept any printing languages (PCL, Postscript, JCL, etc.) The "driver" is in the form of an unmaintained vendor binary program that actually renders the image to print then spits raw image data to the printer.

The scanner is supported through SANE, completely separate from CUPS.

Important Note: No meeting next month on the 1st of January.
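The checksum session and the repository question in the 2008-12-04 minutes, as an added example that is not code from the meeting notes: it computes the same three digests with Python's hashlib, counts how much a one-byte change moves each digest, and then writes and checks a sha256sum-style list the way `sha256sum -c` does. The two file contents are the ones the session shows (23 bytes each); the list format and the verification routine are constructed here, and the function names are this example's own.

```python
"""Checksums and checksum-list verification, as in the md5sum/sha1sum/
sha256sum session in the minutes.  Added example, not from the meeting notes.
The two sample contents come from the session; the rest is constructed."""
import hashlib
import hmac
from typing import Dict

ORIGINAL = b"This is a sample file.\n"   # 23 bytes, matching the session's ls -l
TAMPERED = b"This is a sample file!\n"   # one byte changed


def digests(data: bytes) -> Dict[str, str]:
    """Hex digests of data under the three algorithms the session used."""
    return {algo: hashlib.new(algo, data).hexdigest()
            for algo in ("md5", "sha1", "sha256")}


def differing_hex_chars(a: str, b: str) -> int:
    """How many hex digits differ between two equal-length digests."""
    return sum(x != y for x, y in zip(a, b))


def make_sums(files: Dict[str, bytes], algo: str = "sha256") -> str:
    """Write the '<hex>  <name>' lines that sha256sum prints and 'sha256sum -c' reads."""
    return "".join(f"{hashlib.new(algo, data).hexdigest()}  {name}\n"
                   for name, data in files.items())


def verify_sums(sums_text: str, files: Dict[str, bytes],
                algo: str = "sha256") -> Dict[str, str]:
    """Check files against a sums list, like 'sha256sum -c'.

    Returns OK / FAILED / MISSING per listed name.  A match proves the bytes
    are the ones the list describes, not that the list itself is authentic:
    whoever can replace the file can usually replace the list too, which is
    why apt signs its lists with the provider's private key."""
    results: Dict[str, str] = {}
    for line in sums_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        expected, name = line.split(None, 1)
        name = name.lstrip("*")  # binary-mode marker used by the GNU tools
        if name not in files:
            results[name] = "MISSING"
            continue
        actual = hashlib.new(algo, files[name]).hexdigest()
        results[name] = "OK" if hmac.compare_digest(actual, expected.lower()) else "FAILED"
    return results


if __name__ == "__main__":
    before, after = digests(ORIGINAL), digests(TAMPERED)
    for algo in before:
        changed = differing_hex_chars(before[algo], after[algo])
        print(f"{algo}: {changed}/{len(before[algo])} hex digits changed")
    sums = make_sums({"myfile": ORIGINAL})
    print(verify_sums(sums, {"myfile": ORIGINAL}))   # the file as listed
    print(verify_sums(sums, {"myfile": TAMPERED}))   # the edited file
```

Running the script reproduces the session's observation that a single changed byte changes roughly half of the hex digits of every digest. The verification step is the part that matters for repositories: the sums list must arrive from somewhere the attacker cannot rewrite, which is what the signature over the list (checked against the keys `apt-key list` shows) provides.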