28 October 2008 21:50
I could argue and make reasonable points - but instead I'm going to be childish/annoying/ignorant/confrontational/blunt:
If I wanted a rational debate I'd approach the topic differently - this is a clue that you shouldn't attempt to convert me.
I got distracted during the "Should selinux be standard?" thread, so I will optimistically assume it will not be. Why? Because SELinux is annoying to configure if you understand it, and pointless if you don't.
ObFilm: From Dusk Til Dawn
Tags: lenny, rants, selinux
21 November 2008 21:50
So I've bitten the bullet and ordered an ASUS Eee PC 901 W006 from Amazon.
This has 1Gb of memory, 20Gb of solid-state storage, and is preloaded with Linux.
All being well it will arrive tomorrow, and then I can try installing Lenny upon it. From the Debian Wiki it seems to be a painless process. I guess we'll see..
ObFilm: Twelve Monkeys
Tags: asus, eee pc, lenny
22 November 2008 21:50
Yesterday I wrote that I'd ordered a new ASUS EEE PC, the 901 model, and today it arrived. The machine is gorgeous though I suspect in the long term I'll regret ordering the white model.
This entry was written on the device, slowly due to my fat fingers, with its new Debian Lenny operating system. To save time I didn't even use the default system, I just immediately rebooted it into the installer via a 2Gb USB stick.
Unfortunately I had to run through the installation twice, because I made some bad partitioning decisions and decided to fix them rather than live with them.
Happily everything on the device appears to work perfectly, although there were a few hiccups along the way. The only niggle is that suspend to RAM seems a little flaky; 50% of the time I try to resume and just get a blank window not my X.org desktop. Happily suspend-to-disk works perfectly, and the bootup/restoration process looks very pretty with the splashy package installed.
There are times when I really love using Debian, and this is definitely one of them. Together we've produced an operating system which just works on an amazing array of devices and systems and gets better and better as time goes on!
For example in the past I'd always regarded Network Manager as "that thing we remove to stop breaking our system" - but now I see it working correctly with no effort on my part at all. Amazing!
I guess I'll be returning my Nokia internet tablet in the near future. This device is bigger, but much more capable and versatile.
ObFilm: St Trinians (the recent remake; not too bad. Bonus points for the Shampoo cover).
Tags: asus, eee pc, lenny
12 January 2009 21:50
I'm not sure how you can pre-announce something in a way that cannot be later faked.
The best I can imagine is you write it in a text file and post the size / hash of the file.
steve@skx:~$ ls -l 10-march-2009
-rw-r--r-- 1 steve users 234 Jan 12 21:40 10-march-2009
steve@skx:~$ sha1sum 10-march-2009
steve@skx:~$ md5sum 10-march-2009
I don't need anybody to keep me honest, but I welcome interesting suggestions on more neat ways to pre-confirm you have content that hasn't been changed between being written and being released...?
I guess you could use GPG and a disposable key-pair, and then post the secret key afterward, but that feels kinda wrong too.
Update: of course you could post the detached signature. D'oh.
Shamir's Secret Sharing could be another option - posting just enough pieces of the secret to make recovery possible with the addition of one piece that was withheld until the later date. Jake wrote a nice introduction to secret sharing a couple of years ago.
Tags: debian, lenny, meta, pre-disclosure, ssss
11 March 2009 21:50
Yesterday was my birthday, and it was full of cookies, pies, magical pixie dust and things made entirely of sugar and spice!
The remainder of the day was spent re-installing Debian Lenny upon my EEE PC - Somehow I managed to completely screw the system.
Because the EEE PC is one of those ultra-portable machines I mostly used it when I was travelling, or outdoors. That meant I was generally receiving poor connectivity and the system packages weren't up to date.
While I was in bed I figured I'd dist-upgrade it to the recently released Lenny. Unfortunately I started the dist-upgrade inside X.org, once I realised this I figured I'd cancel the operation via Ctrl-c.
Bad news everybody: I think I was unlucky enough to interrupt an upgrade of libc, or something equally critical. Every single application gave segfaults afterward.
I had two open root terminals and I could navigate around via cd .., and "echo *", but all other commands such as sudo, dpkg, strace just gave segfaults. (Even static commands gave errors - so it might have been the dynamic loader that was borked, I admit I didn't look too closely.)
I figured reinstalling would be a good solution since the machine has a 4Gb root partition and /home was stored on a separate 16Gb volume. Unfortunately I managed to misjudge the installer's partitioning step and nuke the partition table on the external volume so I ended up losing the whole system.
Happily reinstallation was a breeze as my home network is setup to allow installation via PXE network booting (at some point I should document NFS-root PXE-booting). It took me longer to fiddle with the BIOS on the EEE PC to allow network booting than it did to complete a minimal install. Which I guess is good.
I still need to restore my backup of /home/, but that can wait a few days. Right now I'm loath to touch the machine at all - although I did distract myself by getting KVM to PXE boot:
# create 4gb disk image
dd if=/dev/zero of=/tmp/img.img bs=1024 count=4096k
# launch KVM, booting from the network ("-boot n") using the built-in TFTP server
sudo kvm -no-acpi \
    -boot n -tftp /var/lib/tftpboot/ -bootp /pxelinux.0 \
    -net nic,macaddr=00:0E:35:be:de:ad -net user
It seems that KVM wants to have access to the local TFTP root directory so I just pointed it at that. Since my desktop machine is also my TFTP + DHCP host that works out nicely. (A quick scan of the manual suggests that QEMU/KVM has funky built-in TFTP code, so it doesn't actually forward TFTP requests over the network.)
DHCP requests were certainly passed around as expected though and were answered via my local dnsmasq installation. I did see errors at every DHCP request in syslog, but they seemed harmless enough:
gold dnsmasq: no address range available for DHCP request via qemu0
ObFilm: Never Been Kissed.
Tags: birthday, dnsmasq, eee pc, lenny, pxe
20 May 2009 21:50
Etch -> Lenny
This Saturday I'll be upgrading my main box to lenny.
Mostly this should be painless, as the primary services aren't going to change too much.
I've tested the upgrade of the virtual hosting configuration which I use for exim4 on lenny and that works, as-is. I also have a local version of qpsmtpd which I'll be deploying and that works on lenny with my custom plugins.
A new version of Apache 2.x shouldn't cause any problem, although I will need to test each site I have to make sure that Perl module upgrades don't cause any breakage.
I expect random readers will neither notice nor care if my sites go down for an hour or two, but for local people consider this notice ;)
This allows dl/dt/dd/definition lists to have their contents collapsed easily.
Currently I use some custom code to do that (e.g. as used here) but this jquery plugin is far neater, even if the plugin code isn't perhaps the best.
This plugin converts plain links to things that make AJAX requests. In theory this allows graceful enhancements.
e.g. <a href="foo.html#bar">link</a> becomes an AJAX request that loads the contents of "foo.html" into the div with ID bar.
It seems this is a cheap clone of ajaxify, but I didn't know that when I put it together.
ObFilm: The Breakfast Club
Tags: etch, jquery, lenny
24 May 2009 21:50
I've successfully upgraded my primary web/mail/misc host from Debian Etch to Debian Lenny. There were a few minor problems, but on the whole the upgrade was as painless as I've come to expect.
In the past I'd edited my Exim4 configuration to add quite a few ACL checks, for example rejecting mails based upon spoofed/bogus HELO identifiers, and rejecting messages that didn't contain "Subject" or "Date" headers.
The Debian Exim4 configuration may be split into multiple files (which is how I prefer it on the whole). The idea is that you just add new files into the existing hierarchy and they'll magically appear in the correct location when a real configuration file is generated. On the whole this works well, but sometimes editing files in-place is required, and it was these local edits that caused me pain.
Fixing things up was mostly not a challenge, primarily it was a matter of removing ACLs until exim4 started without errors - all my spam checking is handled ahead of exim4 these days, except for the last-ditch spam filtering with a combination of procmail-fu and the crm114 classifier package.
Taking a hint from Bubulle's weblog I decided to nuke my CRM114 spam database to avoid any possible version-mismatch issues so now I'm having to classify a lot of "unsure" messages. Happily my memory of doing this last time round is that the initial training of spam/ham takes a day or so to complete.
Anyway now I can start looking to take advantage of the things new to Lenny. But probably not until I'm sure things have calmed down and upgraded correctly.
05:00:31 up 260 days, 14:23, 2 users, load average: 0.95, 0.51, 0.31
steve@skx:~$ cat /etc/issue
Debian GNU/Linux 5.0 \n \l
ObFilm: Bill & Ted's Excellent Adventure
Tags: crm114, etch, exim4, lenny
16 February 2010 21:50
As part of some house-keeping I've been checking over my systems and ensuring they're all tickity-boo for the past couple of days.
One thing that I'm getting increasingly tempted by is converting my kvm guest to a 64-bit system.
I've not quite sold myself on the prospect of what will be a fair amount of downtime, but I'm 90% there.
I do think that a lot of my setup needs an overhaul, for example:
- Running all my websites under www-data is beginning to worry me.
- Running services as root is beginning to make me more and more paranoid.
One possible plan is to wipe my system, and then restore data from backups. A perhaps saner approach is to divide my guest into two smaller ones, and migrate services over one by one (e.g. website1, website2, .. websiteN, email, etc).
For the moment I've taken a complete dump of my existing guest, and I'm running it with an IP in the 10.0.0.0/24 range on my desktop. That's at least given me a clear idea of the amount of work involved.
I'm still a little unclear on how best to manage running N websites with the intention they'll each run under their own UID. I guess it comes down to having a few instances of nginx/lighttpd/apache and then proxy from *:80 to the actual back-end. Precisely which mixture of services to use is a little overwhelming. Though at some point soon I need to start enabling IPv6 support, and that changes things a little.
(Not least because nginx has no IPv6 support present in the Lenny release - I've got a backported package which I run on the Debian Administration website.)
It's possible I could hack mod_vhost_alias to redirect/proxy to a local port based upon the virtual hostname present in the request - that's pretty trivial and I've already done something similar for work purposes. Though something like that should presumably already exist? I would expect a map of some form:
That has to be about the minimum necessary information to make the decision; a pair of vhost name & local destination.
/me googles some..
OK, quick update: I've added local users for some of my sites, and now have them running under thttpd.
skx:/etc/thttpd# ls -ltr /home/www/ | tail -n 4
drwxr-sr-x 4 s-static s-static 4096 Jan 15 01:41 static.steve.org.uk
drwxr-sr-x 5 s-openid s-openid 4096 Feb 16 21:31 openid.steve.org.uk
drwxr-sr-x 6 s-images s-images 4096 Feb 16 21:52 images.steve.org.uk
drwxr-sr-x 5 s-packages s-packages 4096 Feb 16 22:03 packages.steve.org.uk
That seems to work well, with a small wrapper script to start N instances of thttpd instead of a single one. Minor issues are that I'm using mod_proxy to forward requests to the thttpd instances running upon the loopback - and it was initially logging 127.0.0.1 as the source IP. A quick patch later all is well.
I'll leave it running a couple of the simple sites for the next few days and see if it kills children. If it does I'll convert the rest.
Probably will aim to have nginx in front of thttpd, instead of Apache, but this way I don't have to worry about mod_rewrite rules just yet.
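The vhost-to-loopback-port map and the per-site wrapper described above, as an added example and not the author's own script: each site gets its own thttpd bound to 127.0.0.1, dropped to a dedicated account and chrooted into its docroot, and the same map generates the Apache mod_proxy stanzas for the front end. The map file, the 8000-8999 port range, the log/pid paths and the "s-<site>" account naming are assumptions.

```shell
#!/bin/sh
# One thttpd per site under its own user (added example, not the post's own).
# The map has one "<vhost> <loopback port>" pair per line, which is the
# minimum the front end needs to route a request to the right back-end.
WWW_ROOT=${WWW_ROOT:-/home/www}
SITES_MAP=${SITES_MAP:-/etc/thttpd/sites.map}

# site_user VHOST: static.steve.org.uk -> s-static (assumed naming convention)
site_user() { printf 's-%s\n' "${1%%.*}"; }

# valid_port PORT: only numeric high ports reserved for the loopback back-ends
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 8000 ] && [ "$1" -le 8999 ]
}

# thttpd_cmd VHOST PORT [RUNNER]: build one instance's command line and hand it
# to RUNNER (default echo, for inspection; pass "command" to actually start it).
# -h binds to loopback only, -u drops privileges, -r chroots into the docroot.
thttpd_cmd() {
    vhost=$1 port=$2 runner=${3:-echo}
    "$runner" thttpd -h 127.0.0.1 -p "$port" -u "$(site_user "$vhost")" -r \
        -d "$WWW_ROOT/$vhost" -l "/var/log/thttpd/$vhost.log" \
        -i "/var/run/thttpd-$vhost.pid"
}

# proxy_stanza VHOST PORT: the Apache front-end entry derived from the map
proxy_stanza() {
    printf '<VirtualHost *:80>\n    ServerName %s\n    ProxyPreserveHost On\n' "$1"
    printf '    ProxyPass / http://127.0.0.1:%s/\n' "$2"
    printf '    ProxyPassReverse / http://127.0.0.1:%s/\n</VirtualHost>\n' "$2"
}

# for_each_site CALLBACK: run "CALLBACK VHOST PORT" for every usable map line,
# skipping comments, blank lines and lines whose port is outside our range.
for_each_site() {
    while read -r vhost port _; do
        case $vhost in ''|\#*) continue ;; esac
        valid_port "$port" || { echo "skip $vhost: bad port '$port'" >&2; continue; }
        "$1" "$vhost" "$port"
    done < "$SITES_MAP"
}

# start_one VHOST PORT: refuse to start a site whose dedicated account is missing,
# rather than silently falling back to a shared user.
start_one() {
    id "$(site_user "$1")" >/dev/null 2>&1 || { echo "skip $1: no user" >&2; return; }
    thttpd_cmd "$1" "$2" command
}

start_all()         { for_each_site start_one; }
render_proxy_conf() { for_each_site proxy_stanza; }
```

Run `start_all` from the init script and `render_proxy_conf` to regenerate the Apache include whenever the map changes; mod_proxy adds an X-Forwarded-For header, which is what the back-end log needs if it is to show the real client rather than 127.0.0.1.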
ObFilm: Cruel Intentions
Tags: amd64, apache, arch, i386, ipv6, lenny, lighttpd, nginx
8 March 2010 21:50
Tomorrow, all being well, I'll receive a new computer.
I've always run Debian unstable upon my desktop in the past, partly because I wanted to have "new stuff" and partly because I needed a Debian unstable system for building Debian packages with.
However I'm strongly tempted to just install Lenny. I use that upon my work desktop and it does me just fine for surfing, building tools, and similar.
I can use pbuilder, sbuildd, or similar to build packages for upload to Debian, and if I want to experiment with new-hotness I can use a KVM guest or two.
Providing the hardware works with Lenny (and I have no reason to believe it won't) then there's no obvious downside I can think of.
The only potential complication will be restoring my backups; it is possible that my firefox databases, and similar things, might not work on an older version. Still we shall see.
I plan to install software RAID, and run the system on LVM because quite frankly it rocks. Unless my current system fails in the next 24 hours I can use that to do the installation (My current desktop acts as a TFTP/DHCP/NFS server so I can use it to PXE-boot).
Anyway now I need to go eat food, tidy my desk, and decide what to call the machine. At the moment the choice is between "march.my.flat" and "birthday.my.flat", as my 34th birthday is on March 10th.
Tags: birthday, birthday.my.flat, computers, flat, lenny, lvm, raid, sid
13 March 2010 21:50
After a couple of days I've spotted a few things that don't work so well on Lenny:
gtk-gnutella is a client for a peer-to-peer filesharing system. Unfortunately the version of the client in Lenny dies on startup "This version is too old to connect".
The graphics program, The Gimp, doesn't show a live preview when carrying out things such as colour desaturation.
Although not an insurmountable problem it is moderately annoying if you do such things often.
So I've placed backported packages online.
I expected to have to backport KVM, and I guess I realised I needed a new kernel to match too. So they're available in the kvm-hosting repository; take the kernel with "birthday" in its name - the other is more minimal and has no USB support, etc.
Since I last reset the statistics the blog spam detector has reported, rejected, and refused just over half a million bogus comments.
It can and should do better.
I've been planning on overhauling this for some time; even to the extent of wondering if I can move the XML::RPC service into a C daemon with embedded lua/perl to do the actual analysis.
(Right now the whole service is Perl, but I'm a little suspicious of the XML::RPC library - my daemon dies at times and I don't understand why.)
I'd say "test suggestions welcome", but then I'd have to explain what is already done. If you're curious take a look at the code...
ObSubject: Hot Fuzz
Tags: backports, blogspam, lenny
10 July 2010 21:50
Since I'm using real titles I guess I should make a real post, in which real things are mentioned. Unfortunately recently most of my time has been spent offline, doing things in and around Edinburgh.
However I have done a few things which are possibly worthy of mention. My Lenny repository has been updated a little:
- The Gimp
There's a slightly newer version of The Gimp available now, corresponding to a recent upload to unstable.
Once again I was forced to update the backported gtk-gnutella package, as my previous one was too old to connect to the network.
Finally I added a Lenny package for the itag software which is now essentially complete.
Of those things I had a lot of fun with the itag software. Partly because it allows me to hoard my images in a way that I appreciate, but also because it made me go over some older images and be pleasantly surprised.
My personal archive, ~/Images, is now just over 80Gb, and goes back about ten years. (Of course the older images were taken with random point and shoot digital cameras and each image is only a few hundred k in size. The newer images, saved at full-resolution, may be 5Mb each.)
Otherwise I've been slowly deploying OpenLDAP in anger, which has been educational. I've got a minor problem to solve which is that (posix)group definitions don't seem to be working reliably, but otherwise I've got Apache authenticating against groups, SSH logins working, and the little brother database using the LDAP server as an address book. (Mail clients? mutt is the one true mail client. notmuchmail.org will be interesting when further developed, but everything else I'm going to ignore with my stubborn Yorkshire nature ;)
ObQuote: "Oh no no no, dead broad OFF THE TABLE!", from Shrek.
Tags: backports, itag, ldap, lenny, mutt, openldap
16 February 2011 21:50
Rather than waiting for a few months, as I typically do, I decided to be brave and upgrade my main virtual machine from Lenny to Squeeze. That host runs QPSMTPD, Apache, thttpd, and my blogspam server; nothing too complex or atypical.
The upgrade was mostly painless; I was interrupted several times by debconf asking me if I wished to replace configuration files I'd modified, but otherwise there were only two significant messages in the process:
crm114 warned me that its spam database and/or configuration files had changed and would most likely result in brokenness, post-upgrade, and I should do something to avoid losing mail.
Happily this was expected.
It transpired I had a couple of local init scripts which didn't have dependency information successfully encoded into them; so I couldn't migrate to dependency-based bootup.
Given that this server gets a reboot maybe once every six months that wasn't really worth telling me about; but never mind. No harm done.
That aside there were no major surprises; all services seemed to start normally and my use of locally-compiled backports meant that custom services largely upgraded in a clean fashion. The only exception was my patched copy of mutt which was replaced unexpectedly. That meant my lovely mutt-sidebar was horribly full of mailboxes, rather than showing only new messages. I created a hasty backported mutt package for Squeeze and made it available. (This patch a) enables the side-bar, and b) allows you to toggle between the display of all mailboxes and those with only new mail in them. It is buggy if you're using IMAP; but works for me. I would not choose to live without it.)
Now that I've had a quick scan over the machine the only other significant change was an upgrade of the mercurial revision control system, the updated templates broke my custom look & feel and also required some Apache mod_rewrite updates to allow simple clones via HTTP. (e.g. "hg clone http://asql.repository.steve.org.uk/").
So in conclusion:
- The upgrade from Lenny to Squeeze (i386) worked well.
- Before you begin, running "iptables -I INPUT -p tcp --dport 25 -j REJECT" will avoid some potential surprises.
- There are probably other services worth neutering, but I tend to only do this for SMTP.
- Keeping notes of updated template files will be useful if you make such system-wide changes. (e.g. hgwebdir templates)
ObQuote: "Hmm, upgrades." - The Matrix Reloaded (shudder).
Tags: debian, lenny, mutt, squeeze