Sami Dalouche » Unix / Linux

Let’s stop the account/password proliferation mess !

Sami Dalouche — Sat, 09 Dec 2006 22:12:09 +0000

No matter who you are (Lambda internet/network user, Software Developer or System Administrator..), you are most-likely affected by the proliferation of accounts and passwords.

The problem

As an Internet user, you need to keep track of one account/password pair for each website you use. It is then necessary to choose between having the same password everywhere (the weakest part of the security chain is thus the weakest website…), or maintaining a potentially long document with all the website/password pairs…

As a Software developer, you need to keep track of all the system passwords (.htaccess passwords, database URL/passwords, accounts on the companies’ computers, and so on..).

Finally, as a System Administrator, you need to keep track of all the system’s passwords, which include each application’s password (MySQL root password, SYMPA password, LDAP Manager entry’s password, root passwords on each machine, Apache SSL certificates keys’s protection passwords….). Additionally each administrated (web) application has its own “admin” account with an associated password, and these applications’ configuration files often include passwords for other components of the system (database accounts/passwords, LDAP password, …). Even efforts such as using centralized LDAP authentication result in having some LDAP’s binding account in the configuration files…

Not only it is a mess to administrate, but it is also a very nice way to forget/mess up with permissions and this can result in weak systems that are easily hackable, because of the complexity.

The solutions

The solution to improve the end users experience would require the whole internet to switch to Single Sign On Solutions. Some vendors are pushing centralized SSO solutions, like Microsoft Passport, which is a pretty criticized solution, both technically and ideologically. Others are pushing open, distributed SSO solutions, like OpenID and LID.

Now that everybody is talking about the “Web 2.0″, it is time to think about improving the user’s experience and security, and this implies adopting one of these technologies in a large scale.

Concerning the Software developer’s and System Administrator’s problem, the problem is way more complex. Sure, the total number of accounts and passwords can be limited by using centralized authentication schemes for applications that support it – all should in a perfect world – (You can find more information about using a centralized LDAP repository for Linux/PAM on this page. If you go this way, you will have to find a good, secure distributed/network file system to share /home directories), but the way applications are currently designed does not open the door to an easy solution. Each application/server has a special “admin” mode that gives the user more permissions, and it is common practice to protect that account using a user-defined password.

So, I’d like to know if anyone has ever thought of something nice that could potentially change the world for system administrators and software developers ? One thing I can potentially think of would be a solution where specific roles would be defined and standardized (system administrator, database administrator, ….), and each application would work with the system to validate a set of credentials (and check that the given user has the required role) supplied by the user before giving the permissions. In other terms, this would be some kind of PAM with the addition that system groups would be standardized. And frankly, with the number of applications and needs, I do not really see this as a possible solution.

Another option would be to switch to certificates to authenticate the users. Coupled with well-defined discovery+ storage solutions, there could be some /etc/certificates folder (+ some mechanism to associate certificates with applications roles) containing public keys that applications would lookup in order to validate user credentials. This would imply that each application could somehow challenge the user who would have previously stored his private key on a system that would act as a mediator between each application and him. Humm.. well.. this doesn’t really sound as an easy solution to me…

HOWTO: Setup SYMPA, WWS with Apache2/FastCGI on Debian/Ubuntu Edgy

Sami Dalouche — Sun, 26 Nov 2006 18:24:57 +0000

Debian/Ubuntu sympa packages rely on apache1, so one may have problems running sympa on Ubuntu Edgy, for instance.

This simple HOWTO explains how to configure Sympa and WWS to run with Apache2 and FastCGI. FastCGI is used instead of CGI because of the performance impact it has. (Basically, CGI forks a new instance of the CGI script wheareas a FastCGI-enabled script runs as a daemon to handle requests, much like a decent system like Java Servlet API.)
Installation

Install the sympa package, and copy the installed apache1 configuration files to apache2 folder

# apt-get install sympa libapache2-mod-fastcgi

# ln -s /etc/sympa/httpd.conf-fcgi /etc/apache2/conf.d/sympa-fcgi

# dpkg-reconfigure -plow sympa

A wizzard will come up, make sure to :

Use a database if you want to use WWS
Select “Other” when asked what type of web server you are running
Tell the wizzard that you want FastCGI enabled

Once this is done, check the /etc/sympa/wwsympa.conf file, and make sure

use_fast_cgi is set to 1

and the last step is to restart apache :

/etc/init.d/apache2 restart

Now, my personal thoughts about mailing-list systems. My impression is that there is no perfect Open Source mailing-list system (however, there are several ones that “do the job”). The characteristics of a good mailing-list system would be, to my opinion :

Be entirely configurable through a Web UI. Sympa does a pretty good job at this, since most of the settings are tweakable from WWS. However, the UI is pretty ugly (sure, one can tweak the templates, but…)
Would provide a Mailing-List system as well as a Web forum. To make it simple, something like Google Groups, that also allows to post (and subscribe/unsubscribe orders) via email. It is then up to each subscriber to choose between email and Web.
Re-uses a well-known templating system ( Smarty in the PHP world, or Freemarker in the Java world, …). Why re-inventing yet another templating language if very good ones already exist ? Having to learn a templating language per web-application is pretty much cumbersome.
Be extensible : It should provide a decent plugin system, that people can use to provide additional modules without touching a single line of the current base code. Requiring the modification of a 9980-line (cat /usr/lib/cgi-bin/sympa/wwsympa.fcgi | wc -l) perl script is, In my humble opinion, very bad practice. This implies coding against interfaces, and using some kind of IoC framework like the Spring Framework.
Would be independant of the persistence layer, through the use of a sophisticated persistence engine such as Hibernate. Anyone can then configure it to use his preferred database engine
Authentication would also be extensible. A security framework such as Acegi could be used so that anyone can easily have the mailing list system authenticate the users against the configured authentication backend. (be it database, system/PAM, Single-Sign-On, etc..). It doesn’t make sense to re-implement every authentication backend in every webapp, since some frameworks already do the job.

HOWTO: Use more than 3 virtual interfaces with Xen (by using IP Aliasing)

Sami Dalouche — Sun, 26 Nov 2006 16:11:20 +0000

Prerequisite : You have Xen running correctly for less than 3 virtual interfaces. This HOWTO explains how to get it to work on Ubuntu Edgy.

Xen does not support using more than 3 virtual interfaces on the guest machines (the so-called DomU). It is stated in the Xen FAQ, and attempting to use more results in what Ernie Fontes experienced in this post.
The usual trick for having more interfaces in a stand-alone system is to use IP Aliasing. Ubuntu Linux, among others, support IP Aliasing without any problem. However, IP Aliasing seems not to work (according to my tests) for a Xen DomU.

For some reason that I cannot explain nor understand, there is still a way to use more than 3 virtual interfaces in a Xen DomU by using the offical Xen way of adding interfaces, and by using IP Aliasing on top of that. It is weird, but it works :

using Xen virtual interfaces is limited to 3 interfaces.
using IP aliasing interfaces makes interfaces that are not pingable from the outside
BUT using exactly 3 Xen virtual interfaces, and adding more interfaces thanks to IP Aliasing works beautifully….

Here is a quick HOWTO explaining this procedure :

Xen Configuration

Add 3 interfaces for the DomU (you might replace xenbr1 by xenbr0 if your bridge name is the standard one) :

vif = [ 'bridge=xenbr1','bridge=xenbr1','bridge=xenbr1' ]

And you can create your domain using the usual xm create command.

xm create config.cfg

xm console

DomU Network configuration

You can now configure your domain interfaces and the aliases. For the sake of giving a complete example, here is how to achieve that under Debian/Ubuntu :

Let’s say that we want to configure the 216.240.153.78, 216.240.138.247, 216.240.146.76 IPs for, respectively, eth0, eth1 and eth2, and 216.240.134.6 as well as 216.240.128.182 for the 2 aliases eth0:0 and eth0:1.

/etc/network/interfaces

auto eth0
iface eth0 inet static
address 216.240.153.78
netmask 255.255.255.0
gateway 216.240.153.1

auto eth1
iface eth1 inet static
address 216.240.138.247
netmask 255.255.255.0
gateway 216.240.138.1

auto eth2
iface eth2 inet static
address 216.240.146.76
netmask 255.255.255.0
gateway 216.240.146.1

auto eth0:0
iface eth0:0 inet static
address 216.240.134.6
netmask 255.255.255.0
gateway 216.240.134.1

auto eth0:1
iface eth0:1 inet static
address 216.240.128.182
netmask 255.255.255.0
gateway 216.240.128.1

You can now tell the system to reconfigure the network (/etc/init.d/networking restart), and if it still doesn’t work (especially for the aliases), you can restart the DomU (xm reboot domU-name).

Now, if someone has an idea of why this tip works, I am really really interested to know. Because right now, it looks like magical stuff that I’m not even sure of how I discovered

Awstats, Libperl-Storage, and endianness (Byte Order) issues

Sami Dalouche — Wed, 22 Nov 2006 17:12:21 +0000

If you have recently migrated your AWstats to a different Architecture (Pentium4 to AMD64, for instance), awstats may report you the following error :

Warning: Error while retrieving hashfile: Byte order is not compatible at ../../lib/Storable.pm (autosplit into ../../lib/auto/Storable/_retrieve.al) line 331, at (eval line 1

This is caused by the fact that awstats/perl caches DNS Entries in a machine-dependant way. Others have experienced the same problems, like on this forum.

The solution is actually quick. Let’s say your stats are in /stats, you can do :

find /stats -name ‘*.hash’ -exec rm {} \;

HOWTO: Apache2 + Awstats setup on Debian/Ubuntu (Edgy Eft)

Sami Dalouche — Wed, 22 Nov 2006 17:07:09 +0000

Here is a simple HOWTO explaining how to configure AWstats to analyze Apache2 logs, and provide detailed statistics, under Ubuntu Edgy Eft. This should also work for other Ubuntu versions, as well as any Debian derivative.

Apache

The first step is to activate Logging in Apache, so that Awstats has something to analyze. For instance, you can add something similar in your VirtualHost configuration :

ErrorLog /var/log/apache2/sirika.com-error.log
CustomLog /var/log/apache2/sirika.com-access.log combined

Another important thing is to configure a few things for awstats in apache, like where the icons are, and more importantly, to activate CGI-scripts (since AWstats is written in perl…) . This can be done thanks to the following /etc/apache2/conf/awstats.conf :

# This provides worldwide access to everything below the directory
# Security concerns:
# * Raw log processing data is accessible too for everyone
# * The directory is by default writable by the httpd daemon, so if
# any PHP, CGI or other script can be tricked into copying or
# symlinking stuff here, you have a looking glass into your server,
# and if stuff can be uploaded to here, you have a public warez site!

Options None
AllowOverride None
Order allow,deny
Allow from all
# This provides worldwide access to everything below the directory
# Security concerns: none known

Options None
AllowOverride None
Order allow,deny
Allow from all

# This provides worldwide access to everything in the directory
# Security concerns: none known
Alias /awstats-icon/ /usr/share/awstats/icon/

# This (hopefully) enables _all_ CGI scripts in the default directory
# Security concerns: Are you sure _all_ CGI scripts are safe?
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/

Awstats

The next step is to install awstats, with all the necessary perl modules.. Using several optional modules implies that you have installed them. liburi-perl is useful if you use the “decodeutfkeys” module, even though it is NOT listed as recommended or suggested in the awstats package.

sudo apt-get install awstats libnet-dns-perl libnet-ip-perl libgeo-ipfree-perl liburi-perl libnet-xwhois-perl

Once this is working, it is now necessary to configure awstats, to tell it which logs it should monitor, and where it should write its working files (stats). This is done by creating a file /etc/awstats/awstats.website.conf (replace website by your apache2 virtual host name, for instance, and do NOT forget the .conf !).

sudo cp /etc/awstats/awstats.conf /etc/awstats/awstats.website.conf

Editing this file should be pretty straightforward, since it is well commented. In particular, pay attention to the following entries

LogFile=”/var/log/apache2/sirika.com-access.log”

SiteDomain=”sirika.com”

HostAliases=”www.sirika.com”

DirData=”/srv/data/stats/sirika.com”

LogFile should point to the log file configured in Apache2.

SiteDomain is the main domain name, as configured in Apache2.

HostAliases should list ALL the aliases listed in Apache2’s VirtualHost configuration. Usually, you will want the same domain prefixed with www, (or without the www prefix if is it already specified in the main domain name). This is really annoying, error-prone and not having a global definition of a “virtual host” on the system is one of the issues I pointed in “10 things that still suck under linux“. Virtual hosts and aliases should be defined once, globally. Every single concept/thing should be repeated/configured once, and only once, on a perfect system. Anyways…

DirData should point to an empty directory, whose content will be managed by Awstats.
Cron

Everything is now configured. On a perfect system, the setup would stop now. Awstats could be automagically notified for every change in the logs (awstats could register to a so-called “http access event”, and its internal behaviour could define its policy for updating the stats (update synchronously, update asynchronously when the system is idle, etc..). This is one of the things I pointed out in “10 things that still suck under linux“. However, we’re not there yet, so, we need to run the script every day to update the stats. (yeah, that’s the reality today..)

So, this can be done thanks to the following /etc/cron.daily/awstats (do not forget to chmod +x /etc/cron.daily/awstats after creating it) :

#!/bin/sh

/usr/share/doc/awstats/examples/awstats_updateall.pl -awstatsprog=/usr/lib/cgi-bin/awstats.pl now > /dev/null

This will update all the statistics for all the hosts defined in /etc/awstats/*, on a daily basis. Yes, it’s not as beautiful as having a full-featured event-system for which every application could attach to events generated by others, but it has the merits of working…

Logrotate

What happens when your apache logs get rotated (and possibly gzipped, etc) by logrotate (apt-cache show logrotate for more information), and awstats still hasn’t analyzed the end of the logs that is about to be rotated ?

To avoid this situation, it is necessary to tell logrotate to launch awstats BEFORE rotating the logs. This can be done by adding the following lines to /etc/logrotate.d/apache2 :

prerotate
/etc/cron.daily/awstats
endscript

Permissions

And of course, permissions must be tweaked :

Since Awstats runs as the web users for viewing stats (CGI-script), the web user needs read access to /srv/data/stats/*
Additionnally, you may want to provide the “update now” button on your website stats. So, the web user also needs write access to /srv/data/stats/*
Finally, awstats needs access to the apache2 logs to create the stats. This is not a problem when it is run from a cron script, since it is run as root. But, in the case of “update now”, it runs as the web server, so the web server needs read access to its logs. (the default permissions are 660 with root:adm), so www-data doesn’t have access to its logs

The problem with traditional permissions is that there is no decent way of specifying default permissions. So, we are going to use ACLs for that. You can find more information about them here (Using POSIX ACLs to complement traditional Linux permissions). So, this gives, for instance :

# read write execute access for web user to the stats directories
find /srv/data/stats -type d -exec setfacl -m “g:www-data:rwx” {} \;

# read write execute access for FUTURE stats files for the web users

find /srv/data/stats -type d -exec setfacl -d -m “g:www-data:rwx” {} \;

# read write access to the stats files for the web user
find /srv/data/stats -type f -exec setfacl -d -m “g:www-data:rw-” {} \;

# read only access to the logs directory for the web user
find /var/log/apache2 -type d -exec setfacl -m “g:www-data:r-x” {} \;

# read only access to the logs for the web user, for future files

find /var/log/apache2 -type d -exec setfacl -d -m “g:www-data:r-x” {} \;

# read only access to the apache2 logs for the web user
find /var/log/apache2 -type f -exec setfacl -m “g:www-data:r–” {} \;

And it should work.. The last thing would be to protect access to your logs, if you don’t want your users to see them. This can be done using a .htaccess file, and there are plenty of tutorials on the web that explain how to achieve that.

Xen and SELinux : anything in common ?

Sami Dalouche — Sat, 18 Nov 2006 13:32:35 +0000

Xen is definitely a great piece of software. It is currently the only viable (truly) Open Source solution to build secure virtual systems by isolating software in their own sandbox, and being able to set CPU/Memory restrictions on each of the sub systems.

However, each subsystem has to be managed and upgraded separately. This means that each subsystem is a (nearly) complete system that must be administrated in its own. Another aspect is User Management, since some users may need to be propagated. An LDAP repository can be used to avoid the ugly NIS-like propagation, but one needs to define a policy regarding how the users are laid-out in the directory and how the directory is used, since not all virtual machines may be accessed by all users… And user management also implies the usual sharing of /home, for which most people use the old and broken (though working ) NFS .
Monitoring is also an important topic in this area : open source monitoring solutions like OpenNMS must be leveraged in order to monitor all the servers. This is another layer of complexity, that isn’t necessarily needed.

So now, what I am wondering about is why all the buzz goes to Xen, and nobody really cares about SELinux (except maybe Red Hat which seems to provide decent SELinux support in its distribution). Ubuntu, in any case, does not seem to make SELinux its priority, as Michael Dolan highlights it.

Sure, Xen and SELinux are not meant to tackle the same problems. Xen is a virtualization layer, whereas SELinux is a security layer. However, the problem, I believe, is that people tend to use Xen to tackle security problems that SELinux could solve without the need of additional systems. Of course, for complex needs, Xen+SELinux could be envisionned, but the philosophy behind virtualization is that the system is dumb from a security perspective, whereas SELinux tries to fix the heart of the problems : making a multi-user system secure.

In fact, why would anyone want to setup of a full-blown virtual server just to run a DNS server, if some security stack could protect the rest of the system from being damaged in the case that the DNS daemon would get hacked ?

buy 10 mg cialis cheap viagra substitute viagra cialis levitra compare viagra cialis cheap sublingual viagra sublingual viagra price cheap sublingual cialis order sublingual cialis order revatio cheap revatio cheap cialis jelly order cialis jelly cheap viagra jelly order viagra jelly order female viagra cheap female viagra order vpxl buy vpxl levitra professional price buy levitra professional purchase levitra order levitra cheap levitra order cialis soft tabs cialis soft tabs online purchase viagra soft tabs buy viagra soft tabs order cialis super active cialis super active online order viagra super active viagra super active online purchase generic cialis order generic cialis cheap generic cialis generic viagra discount generic viagra online generic viagra price order cialis professional buy cialis professional order viagra professional viagra professional online order brand cialis purchase cialis order cialis buy cialis order brand viagra buy brand viagra purchase viagra order viagra buy viagra

RAID 5 vs RAID 50 (informal comparison/benchmark)

Sami Dalouche — Fri, 17 Nov 2006 23:38:06 +0000

OK, so you just bought that wonderful 4U server, with dual-core Xeon/Core 2 Duo, redundant gigabit ethernet connections, redundant power supplies, KVM over IP / IPMI management card, and most importantly, this wonderful fully hardware-based RAID controller (Semi-Soft RAID has been a disaster for me, by the way).

Now, the question is : Should you use RAID 5, RAID 50 or something else ? Choosing between simple RAID solutions like RAID 0 vs RAID 1 is pretty easy, and one can easily conclude that RAID 0 is for performance (especially writes), whereas RAID 1 is for security. (even though it helps reads). Please note that RAID 1 is very expensive in disk space…
Now, what about the “standard” RAID 3, 4, 5, 5E, 6, 6E levels, or the “nested” ones such as RAID 0+1, 10, 30, 100, 50, 60 ?

In fact, the right choice depends on your specific needs (which is the lovely sentence everyone will use to avoid giving his opinion).

Now, in practice, my personal opinion on that :

RAID 3 and RAID 4 are only theoretical RAID levels that nobody actually uses.
RAID 5E, RAID 6 and RAID 6E are probably very good RAID levels, but the RAID card I use doesn’t support it, so I suspect these levels to be only available in higher-end models. If you are lucky enough to try one of those, I would be happy to hear about the performance.
Most of the other nested RAID levels either are not supported by hardware cards, or are very expensive to implement. So, if you can spend money for them, their evaluation might be good.

After these considerations, and considering that you want a certain balance between security, performance and price, you might want to compare RAID 5 and RAID 50, which are both good compromises between these concerns.

To put it simply let’s consider you have 8 disks. RAID 5 stripes the data over 7 disks, and uses the 8th one for parity checking, so that it can rebuild the data if one disk fails (this is a little simplistic, since no disk is dedicated to partity and the parity blocks are rotated over the disks, but you get the idea).

RAID 5+0 creates 2 RAID arrays with half of the disks, and creates a RAID 0 array (stripping) on top of that. As a result, it is more costly, since 2 disks are used for parity checking instead of one, but is more robust to failures (2 failures are allowed).

It is often said that RAID 5+0 is more efficient for writes… So I wanted to compare how better it is, if ever it is, on a 3ware 9550SX 8 port SATA II RAID controller with write cache enabled, and 8 SATA 300 GB Maxtor DiamondMax 10
So, the result is a set of informal benchmarks, that are probably not related to the way I am going to use the disk anyways, but that has the merit of drawing quick conclusions :
First of all, using RAID 5

sudo dd if=/dev/sda of=/dev/null bs=1M count=1024
10240+0 records in
10240+0 records out
10737418240 bytes (11 GB) copied, 32.7535 seconds, 328 MB/s

dd if=/dev/zero of=out bs=1M count=10240
10240+0 records in
10240+0 records out
10737418240 bytes (11 GB) copied, 88.8292 seconds, 121 MB/s

dd if=./out of=/dev/null
20971520+0 records in
20971520+0 records out
10737418240 bytes (11 GB) copied, 45.3929 seconds, 237 MB/s

dd if=/dev/zero of=ok bs=1M count=1
500 MB / sec
dd if=ok of=/dev/null
630 MB / s
dd if=/dev/zero of=ok bs=1 count=1
40/43 kB / sec (Yes, KB)

dd if=ok of=/dev/null
0+1 records in
0+1 records out
1 byte (1 B) copied, 1.5e-05 seconds, 66.7 kB/s

dd if=./out of=/dev/null
20971520+0 records in
20971520+0 records out
10737418240 bytes (11 GB) copied, 49.5834 seconds, 217 MB/s

dd if=/dev/zero of=ok bs=1k count=1
44 MB / sec

dd if=ok of=/dev/null
2+0 records in
2+0 records out
1024 bytes (1.0 kB) copied, 1.7e-05 seconds, 60.2 MB/s

rm -f ok ; dd if=/dev/zero of=ok bs=1k count=4
4+0 records in
4+0 records out
4096 bytes (4.1 kB) copied, 3.4e-05 seconds, 120 MB/s
120/ 130 MB /s

rm -f ok ; dd if=/dev/zero of=ok bs=1k count=16
16+0 records in
16+0 records out
16384 bytes (16 kB) copied, 8.4e-05 seconds, 195 MB/s

time ( for (( i=0; i < 100000 ; i++ )) ; do dd if=/dev/zero of=$i.out bs=1k count=1 2> /dev/null; done )

real 10m0.205s
user 1m45.403s
sys 8m2.134s

time ( for (( i=0; i < 100000 ; i++ )) ; do dd if=/dev/zero of=$i.out bs=1 count=1 2> /dev/null; done )

real 3m19.841s
user 1m43.242s
sys 1m34.582s

time ( for (( i=0; i < 100000 ; i++ )) ; do dd if=/dev/zero of=$i.out bs=1 count=1 2> /dev/null; done )

real 10m52.149s
user 1m46.703s
sys 9m4.218s

time ( for (( i=0; i < 1000 ; i++ )) ; do dd if=/dev/zero of=$i.out bs=1
count=1 2> /dev/null; done )

real 0m20.931s
user 0m1.068s
sys 0m3.260s

And now, parts of the results on RAID 50 :

dd if=/dev/sda of=/dev/null bs=1M count=10240
Password:
10240+0 records in
10240+0 records out
10737418240 bytes (11 GB) copied, 40.1916 seconds, 267 MB/s

dd if=/dev/zero of=out bs=1M count=10240
10240+0 records in
10240+0 records out
10737418240 bytes (11 GB) copied, 117.762 seconds, 91.2 MB/s

dd if=/dev/zero of=ok bs=1M count=1
1+0 records in
1+0 records out
1048576 bytes (1.0 MB) copied, 0.085963 seconds, 12.2 MB/s

dd if=ok of=/dev/null
2048+0 records in
2048+0 records out
1048576 bytes (1.0 MB) copied, 0.001741 seconds, 602 MB/s

dd if=/dev/zero of=ok bs=1 count=1
1+0 records in
1+0 records out
1 byte (1 B) copied, 3.5e-05 seconds, 28.6 kB/s
dd if=ok of=/dev/null
0+1 records in
0+1 records out
1 byte (1 B) copied, 1.7e-05 seconds, 58.8 kB/s

dd if=/dev/zero of=ok bs=1k count=1
1+0 records in
1+0 records out
1024 bytes (1.0 kB) copied, 3.4e-05 seconds, 30.1 MB/s

dd if=ok of=/dev/null
2+0 records in
2+0 records out
1024 bytes (1.0 kB) copied, 1.9e-05 seconds, 53.9 MB/s

time ( for (( i=0; i < 1000 ; i++ )) ; do dd if=/dev/zero of=$i.out bs=1M count=1 2> /dev/null; done )

real 0m15.759s
user 0m1.068s
sys 0m3.180s

time ( for (( i=0; i < 100000 ; i++ )) ; do dd if=/dev/zero of=$i.out bs=1k count=1 2> /dev/null; done )

real 9m46.112s
user 1m44.779s
sys 7m59.798s

So, my conclusion (which I repeat, is not rocket science) is that RAID 50 isn’t that much better than RAID 5, and is sometimes actually worse, though more expensive. As a result, my personal choice has been RAID 5.

Linux : Finally on the desktop thanks to OpenGL ?

Sami Dalouche — Tue, 07 Feb 2006 17:23:43 +0000

Thanks to Novell !! See this announcement from Miguel de Icaza or this one from Alexandre Gomes for Xgl and the new compositing manager ..

I am looking forward to having everything working on my Ubuntu box… And having applications (f-spot, etc…) using this technology intensively.

So now, what does the Graphical Layering look like, under Linux ? How is Cairo/Glitz related to Xgl ? As far as I understand :

Cairo is the equivalent of Apple Quartz: it provides a vector-based graphics library. In other words: an API that allows you to draw lines, rectangles, etc. Cairo then uses one of its backends (such as Glitz) to do the actual rendering
Glitz is an image compositing library based on OpenGL. It can be used directly, but also integrates with Cairo. An example of OpenGL rendering with Glitz can be found here.
GTK+ is a widget toolkit that uses Cairo for the drawing of its components. In other words : GTK+ provides windows, buttons, text areas, etc, and Cairo is used to draw the lines to represent these buttons.
Xgl is the future of X.org Server, layered on top of OpenGL and Glitz.

So, as far as I understand, things would be rendered this way :

For GTK+ Applications (Inside Application Windows) : GTK -> Cairo -> Glitz -> OpenGL
For classical X applications using the traditional X API :

With Xgl : Application -> Xlib -> Glitz -> OpenGL
With standard X : Application -> Xlib -> Driver-specific acceleration ?

More information about this ?

Other information about the subject :

NewsForge : X graphics get a boost
XGL Release
Xgl unleashed
Slashdot: Novell makes public Release of Xgl Code
The official page.
Novel Linux Desktop Demonstration Videos

Linux Desktop is getting better

Sami Dalouche — Sat, 04 Feb 2006 18:24:58 +0000

As can be seen from this post (standblog), Novell is preparing some really cool features for Linux’s next-generation Desktop..

Can’t wait to have everything included by default on my Ubuntu box..

A few videos are available.

Keeping SSH sessions alive

Sami Dalouche — Sat, 04 Feb 2006 13:06:21 +0000

This post from Scott Merril explains how to keep SSH sessions alive.

I have experienced the same problem in the past when I was using a kind of cheap router-modem for my Internet Connection..

So, thanks scott, it’s always useful to know why it happened

Google creating its own Linux Distribution ?

Sami Dalouche — Wed, 01 Feb 2006 07:21:03 +0000

Apparently, quite a lot of blogs ( BlogORabais , Je Hais le Printemps) and news sites (Slashdot, The Register) are relaying the information…

So, what is Google currently preparing ? Is this information a whole FUD started by Google , just to make this company even more popular ?

In any case, this can only benefit the Ubuntu, Debian and more generally, the Linux communities. So, Long life Google….

FreeNX is damn crazy !

Sami Dalouche — Thu, 26 Jan 2006 20:01:52 +0000

Waoo.. Have you ever tried FreeNX, a free version of NoMachine’s server ? This piece of software is incredible ! In two words, it’s a better, secure, VNC server.

A brief look at NoMachine NX explains some technical details about it… Good luck to understand the gory details

FUSE is the future, a small HOWTO to FUSE on Ubuntu

Sami Dalouche — Wed, 25 Jan 2006 21:38:13 +0000

Yes, FUSE is the future !!

I personnally think that it does NOT make sense to implement every protocol known to earth inside kernel-space, just to be able to mount remote folders. Implementing stuff in kernel-space implies complexity, and bloat.

Added to that, why would you reinvent the wheel ? If libProtocol already exists, it is somewhat stupid to re-implement it, just for the sake of having something in kernel-space..

That’s why FUSE has been invented. This post describes how to mount, for example, a ssh directory using FUSE.

So now, let’s imagine some great stuff with FUSE… The current /var/log totally sucks. Text files are handy for the system administrator, because he can use his usual UNIX guru commands (grep, awk, perl, whatever). However, they are NOT handy at all for system utilities that have to parse all the different formats of logs, in order to output logs, etc (Awstats, for example does that, for Apache logs).

So, we would live in a better world if, for example, all logs were output’ed to a Database, and we had a virtual /var/log, that reflected the database, just so that people can use grep and perl on it… Not only this would allow stats tools to be more efficient, but we would keep the current compatibility…

Anyways…

Linux = 0.53% of internet users

Sami Dalouche — Wed, 25 Jan 2006 20:45:33 +0000

It is a shame to see that only 0.53% of internet users (see zdnet [fr]) use Linux… It was obvious it didn’t represent many users, but so few ?????

Anyways, Good luck to our lovely OS…

10 things that still suck under Linux

Sami Dalouche — Mon, 23 Jan 2006 04:05:58 +0000

I have recently setup a Linux server, so it was the occasion of pointing out the few things that still suck on this beautiful Operating System. Even though the distribution was Ubuntu Linux Server, the most famous Debian GNU/Linux derivative, all of these remarks apply to most other UNIXes such as FreeBSD.

The article is not meant to conclude that XXX OS is better than Unix. It is just a series of remarks that will, hopefully, contribute to making it better in the future.

Lack of consistency : Anyone having administrated a Linux machine has been faced to the general lack of consistence. I am not referring to the often-criticized lack of consistence in the User Interface, but to the heterogeneity of the miscellaneous components instead.In fact, each component (software, library, daemon) does not integrate to its environment, and no effort is done to ensure a smooth integration. For example, there is no generalized notion of a “virtual host” on the system, whereas it is clear for the system administrator that Apache’s www.bar.com’s VirtualHost, Postfix’s smtp.bar.com’s aliases, ProFTPd’s ftp.bar.com’s virtual Host, and all of their respective logs are somewhat related. Why are all tools so much application-centric, instead of being service-oriented ?Linux would be a better place if all those applications shared, to some extend, a set of configuration parameters, log formats and conventions. When looking at awstats logs, only the web-specific part of the bar.com domain appears, whereas the system administrator would like to have a global vision (HTTP, SMTP, FTP, SQL, etc).Of course, the Virtual Host is only one example of a disparate setting. There are lots of others, such as the lack of generalized identifiers and passwords for people’s accounts. As usual, there is nothing technically impossible here, and the solutions are already existing (LDAP, for example, but not necessarily), but once again, to make it possible, people have to agree on some conventions.If you want to provide FreeNX access to your users, you will have to maintain two sets of user/passwords. So would you if you want to give a MySQL database to each of your users. Additionnally, you will have to define a set of conventions to link a user to its database, since MySQL is a planet, and the system is the rest of the universe : there is no link between the two.Finally, even after all these years of editing and modifying these configuration files in /etc, I still wonder why no single file has the same syntax in /etc. There is no pattern, every single file looks like a different world. History has its part of the responsibility, but sometimes, people should be able to correct their mistakes. I am not speaking about drastically changing the whole /etc, but maybe progressively migrating the unused configuration files (how often have you modified /etc/iniittab by hand ?) to some common scheme. (not necessarily XML, but there should be some consistence in the choice. Consistence is not just about eye candy, it is also, and more importantly, about writing once for all, a generic parser, that can be optimised, and on which would all application rely)
Logging is most probably one of the worst parts of a UNIX system. The current syslog system is old and needs to be replaced by something better, cleaner. People could argue that it still works fine, and that syslog-ng solves part of the problem.
However, it’s an inconsistent system : why is it that we can say mail.* or uucp.* (that only few people use, actually..), but not jabber.*, http.*, samba.*, etc.
The answer is simple : the system is way too static, many details have been hardcoded into the system a long time ago, and the only extensible part in it are the localX.* that is limited anyways. The proof ? Any decent application (Apache, Samba, ProFTPd, …) implements its own logging mechanism. This has the consequences of bloating instead of componentizing applications.A solution to this would be to implement a flexible, extensible logging framework, that allows any application to fill a set of user-defined attributed, not static ones. The framework should log to a database (SQL, Native XML, OO, whatever), and indexes should be there to help log analyzers to efficiently perform their job. Text files are not machine-friendly, so any log which is to be analyzed by an application should not be written as a mere text file. Of course, system administrators are used to accessing files, so a possible solution is to use something like FUSE in order to implement a virtual /var/log on which UNIX gurus will be able to tail -f, grep, vi, and less. UNIX not-so-gurus will, on the other side, enjoy seeing better graphical applications focusing on the user experience, search, etc, instead of focusing on parsing and optimizing access the big files.
Additionnally, FUSE would allow tools such as logrotate to still work.
Everything is based on the polling paradigm. Why would man-db run every week, even though I haven’t touched any man page for years ? why would awstats re-analyze my logs every night even though I haven’t had any query the whole day on several virtual hosts ?
The problem is both about elegance and performance. The polling paradim gives the impression of a dumb system, that reverts to ugly hacks to minimize the performance hit caused by this inefficient system.
If my server only uses 1% of its CPU during the day to serve Apache Queries, I do not want to wait until the end of the day for my awstats to be updated. Moreover, if at the end of the day, my Apache still eats 100% of the CPU, I do not want awstats to start analyzing logs.
Permissions. Since sensitive data is disseminated everywhere (passwords all over the configuration files, private keys for some daemons, etc), it is nearly impossible to ensure that a consistent set of permissions are applied.Instead, there should be a central repository where all critical information would be stored, and that could be safely protected and watched by the system administrator. Passwords should not be disseminated to /root/.my.cnf, /etc/freenx, /etc/apache/*, etc..
Additionnally, no distribution currently takes advantage of ACLs by default. It is always possible to mount the filesystem with acls enabled, but no package would, by default, set ACLs instead of standard permissions. However, this could be useful in some cases, such as setting default ACLs in /usr/local/stow (for those who use this system), to ensure that any file created later in this directory will be readable by the staff member, regardless of the umask of the creator.
A lot of other files could benefit from ACLs, and more specifically, default ACLs. This could be used to enforce stricter permissions, such as forbidding access to anyone to /var/log, and only authorizing specific users to rotate logs, etc. A lot of things can be thought and re-engineered.
Useless bindings all over the place. There are many languages, it is a fact. Since every language must communicate with libraries written in other languages, everyone creates bindings all over the place. However, it would be a little smarter to take advantage of the current .Net platform, implemented by the Mono project. For example, there are bindings for Gtk and all Gnome libraries for the .Net platform, so why are people developping Gtk / Gnome bindings for Python, since there already is a python compiler targetting the .Net platform.
Developping less stuff, and concentrating on the already developped architectural blocks would help homogeinizing the system as a whole. I am not against the diversity of languages, but since a platform exists to make all these languages communicate, it should be used.
There should be standard communication patterns between processes. It looks like everybody reinvents the wheel to communicate with other processes. Some applications (pop-before-smtp) watch logs of others (courier-imap, etc), some use IPC, some other prefer UNIX sockets.. It looks like more and more people are adopting dbus these days. Maybe all applications should take the same path, to let the system administrator be able to monitor communications (logging, permissions, etc).
Limits and MaxSettings are hard to parameter. The maximum number of Apache threads , for example, is pretty hard to configure, since there is no easy way to calculate it. It is even harder to set a reasonable value when there are other services that may use the CPU as well…
So, I believe that there should be global parameters, instead of application-specific parameters. It does not make sense to set the number of Threads/Processes in Apache regardless of the other daemons running.
Applications cannot communicate with users :The only communication mean between applications and users are emails. However, email is a specific communication mean, and not everybody wants to use it. Some system administrators may prefer getting paged when a error outcomes (log, whatever) on the system.
There is simply no dedicated mean for alerting a user, so people revert to quick and dirty hacks (call a specific shell script that will send a message to the cell phone, setup a email<-> phone bridge, etc..).

So, there should simply be an abstraction to alert and send messages to the system administrator. The middleware would then use the appropriate plugins to communicate with the user, and such a system would prevent every application to implement specific means of notification.
Too many legacy unsecure systems.Whenever an application ships with SSL/encryption, this encryption is an option. Why wouldn’t things be encypted by default ? Having applications that already implement encryption communicate securly by default does not seem something hard to do, so why would we still stay with all those legacy services, unencrypted just because the system administrator is too lazy to configure the SSL certificates, and stuff ?
SSH is a good example to follow : keys are generated by default, making the system useable right after installation.
SSL is a bad example : its limits prevent it from being used easily with Virtual Hosts, so it should be improved..
Running an encrypted / is hackish. It is particularly hackish (init ramdisk, etc..) to run a system where / is encrypted. This should be fixed to allow people with laptops to take their computer without fearing their data might be stolen.

Once again, I am not criticizing any work done by all the volonteers on this planet. I am just pointing out all the items that I think should be enhanced, in case people did not realize the few things that are still problematic today.

I would love to see other people list their wishes and remarks too.

Why is Ubuntu so popular ?

Sami Dalouche — Fri, 20 Jan 2006 22:22:14 +0000

This article [French] explains it

Horde3 and Imp4 HOWTO under Ubuntu/Debian

Sami Dalouche — Thu, 19 Jan 2006 20:58:05 +0000

This post is a simple set of guidelines (a mini-HOWTO) on How to setup Horde3 and Imp4 Webmail. In fact, the official documentation lacks a few important things, so here are a few tricks.

First of all, install the horde3 and Imp4 packages (Ubuntu/Debian)

apt-get install horde3 imp4

It is then necessary to setup an Alias for Apache. If you’re using Apache2, add a file /etc/apache2/conf.d/horde3.conf containing

Alias /horde3 /usr/share/horde3

Also, allow Apache to write horde configuration files :

chown -R www-data:www-data /etc/horde

Or, if you prefer to use ACLs

setfacl -m “g:www-data:rwx” /etc/horde

setfacl -d -m “g:www-data:rwx” /etc/horde

setfacl -m “g:www-data:rwx” /etc/horde/*

setfacl -d -m “g:www-data:rwx” /etc/horde/*

setfacl -m “g:www-data:rw-” /etc/horde/*/*

and restart apache

/etc/init.d/apache2 restart

You can then browse http://server/horde3

Important parameters to change are (in Horde setup) :

Horde URL (change it to /horde3)
Enable Database Access. Do Not use MySQL Improved (4+), my attempts at using it failed. MySQL Standard runs fine however
Enable Authentication. I recommend IMAP authentication (something like {localhost:143/imap/notls}. Do not forget the /notls, not specifying failed on my setup). Also make sure to add your username to the list of Administrators, otherwise, you won’t have access to horde/imp4 parameters. Using anything else than IMAP seeemed to fail on my setup
Generate the configuration

Horde should now be setup. You now have to configure imp4

generate a configuration using the horde administration panel
modify the /etc/horde/imp4/servers.php file. Instruction are given inside the file concerning the syntax. If you run Courier-IMAP, and want Imp to automatically authenticate using horde credentials :

$servers['imap'] = array(
‘name’ => ‘IMAP Server’,
’server’ => ‘localhost’,
‘hordeauth’ => true,
‘protocol’ => ‘imap/notls’,
‘port’ => 143,
‘folders’ => ‘INBOX.’,
‘namespace’ => ”,
‘maildomain’ => ‘domain.com’,
’smtphost’ => ‘localhost’,
’smtpport’ => 25,
‘realm’ => ”,
‘preferred’ => ”,
‘dotfiles’ => false,
‘hierarchies’ => array()
);

You should now have a working setup.. Good luck !

2 things to make Grub work for you

Sami Dalouche — Sun, 15 Jan 2006 23:36:45 +0000

No matter how better Grub is compared to Lilo, it still has its flaws, making it sometimes hard to use.
Here are two important things to check :

That you have a “boot” symlink pointing to “.” in your /boot directory. Grub sometimes refer to /boot/boot/.., so it is safer to have this symlink
That you are having the right “groot” option defined in your menu.lst. It often happens that Grub mappings at boot time are not the same as Linux Grub mappings. For example, you might ask your BIOS to boot on a specific Hard Disk, that is not (hd0). The BIOS will make Grub believe that your (hdX) device is actually (hd0), so your menu.lst will not work. Change your menu.lst accordingly, and re-run update-grub to take the changes into consideration.

Running Ubuntu GNU/Linux on a FakeRAID/1 (mirroring) array

Sami Dalouche — Sun, 15 Jan 2006 23:27:46 +0000

Edit: These information work for Ubuntu Breezy. Things may have changed with Dapper Drake
Most cheap hardware RAID controllers such as the VIA VT6421 are not purely hardware RAID systems, but should be seen as semi-soft, or FakeRAID controllers.

In order to install an Operating System on a FakeRAID array, it is thus necessary to setup a few things, since the underlying array is not completly transparent to the Operating System.

This short article, based on the Ubuntu Wiki FakeRaid HOWTO explains how to install Ubuntu Linux on such a FakeRAID array.

First of all, be aware that is it not currently possible (well, it is, actually, but one would have to revert to applying hacking changes in the Initial Ramdisk Image, so it is currently better to forget about it) to setup an LVM Volume on top of a FakeRAID array.

Since the Ubuntu Wiki FakeRaid HOWTO already explains how to install Ubuntu on a FakeRAID/0 array, I am just going to highlight the differences for a FakeRAID/1 array here.

The only difference is the creation of the Initial Ramdisk, which should load the dm-mirror module to allow the OS to read / write from the FakeRAID array.

The /etc/mkinitramfs/scripts/local-top/dmraid should be replaced by

#!/bin/sh

PREREQ=”"

prereqs()
{
echo “$PREREQ”
}

case $1 in
# get pre-requisites
prereqs)
prereqs
exit 0
;;
esac

modprobe -q dm-mod
modprobe -q dm-mirror

/sbin/dmraid -ay

In addition to the dm-mod module, the previous script launches the dm-mirror module. This means that the dm-mirror module should be copied. This is done by adding the line

dm-mirror

to the /etc/mkinitramfs/modules file.

The rest of the Ubuntu FakeRaid Howto gives a good explanation of the tasks that should be done in order to configure the FakeRaid array.

RAID controllers reliability

Sami Dalouche — Sun, 15 Jan 2006 23:00:22 +0000

Something that I am currently wondering about is whether people use cheap RAID controllers in Mission-critical environments.

According to my tests with a VIA VT6421 RAID 0/1 controller, there is nothing less reliable than RAID 1…. However, drawing such a conclusion seems inadequate, especially since RAID is so popular.

Using 2 Maxtor 250 GiB Hard Drives, configured as a RAID 1 (mirroring) array using VIA VT6421’s BIOS, and the Ubuntu GNU/Linux Operating System with a 2.6.12-10-686 kernel, RAID is a disaster. In fact, on the 2 installations I did with this setup, both failed at some point :

With the following partitions : /boot (100 MiB, ext3), / (20 GiB, ext3), swap (1 GiB), /home (the rest, ext3) , after an installation of Ubuntu server and a reboot, the / partition is mountable, but trying to read any file in / leads to a “Cannot access blocks beyond filesystem limits”
With the same partitions, except that / was of type reiserfs, installation is fine, mount is fine, except that trying to copy more than 5 GiB of data crashes the system.

Of course, everything runs fine without RAID, so I am wondering what the real problem is :

The VIA VT6421 RAID controller in RAID/1 mode ?
Any cheap RAID controller in RAID/1 mode ?
The Linux driver for these FakeRAID controllers ?

If anyone has an answer to these questions, do not hesitate to post a comment or send me an email.

viagra professional cialis professional brand viagra brand cialis usa dating singles woman dating dating ideas dating advice adult dating personals uk dating adult dating site gay dating services internet dating service adult dating order cialis buy cialis order viagra buy viagra

Using POSIX ACLs to complement traditional Linux permissions

Sami Dalouche — Sat, 14 Jan 2006 17:33:16 +0000

Anyone who has been using Linux in a multi-user environment has been confronted to the limits of the traditional 12-bit based UNIX permission system.

For instance, you are likely to get into trouble if you have a repository (e.g. a folder containing a website) that may be modified by a set of users. Indeed, if a user (bob) has a restrictive mask (077 for instance), here is what might happen :

bob@samlaptop:/tmp $ ls -ld repository
drwxr-xr-x 2 bob repository 4096 2006-01-14 17:46 repository
bob@samlaptop:/tmp $ umask 077
bob@samlaptop:/tmp $ cd repository/
bob@samlaptop:/tmp/repository $ mkdir folder
bob@samlaptop:/tmp/repository $ ls -ld folder/
drwx—— 2 bob repository 4096 2006-01-14 17:46 folder/

As a result, the folder created by bob is not accessible by other members of the repository group. However, it is not possible nor desirable to force a set of users to keep a non-restrictive mask. Additionally, several repositories on the system might have different policies.

This is where ACLs come in. ACLS, or Access Control Lists are a new set of permissions that recent UNIXes such as Linux now support. (Windows has been supporting ACLs for quite a long time). It is now possible to define fine-grained permissions and forget the numerous hacks that everybody has been imaginating in order to survive with the current system.
This post is not a step-by-step HOWTO that explains how ACLs work under Linux, since it has already been covered by alo’s blog, or Andreas Grünbacher white paper and HOWTO. In fact, this article is only a simple introduction that shows how easy it can be to use ACLs, and was written in the hope that ugo+rwx addicts take some time to change their habits.

First of all, you need a decent distribution, such as Ubuntu Linux, that ships an ACL-enabled kernel. Most filesystems (ext3, reiserfs, …) now support ACLs, so these guidelines should work no matter which filesystem you choose. The only requirement is to mount your filesystems with the “acl” option. For instance, your /etc/fstab should look like :

/dev/hdb1 /home reiserfs defaults,acl 0 0

Once this is enabled, you can start playing with acls. One of the most interesting aspects, often under-documented, is the “default” ACL.

To introduce this concept, let’s consider that our repository should be accessible by both the samokk user and by Apache’s user www-data. Any HOWTO about ACLs will tell you that you should use the getfacl command to query the current ACLs of a filesystem object (directory / file).

samokk@bluerock:/tmp$ getfacl repository/
# file: repository
# owner: samokk
# group: samokk
user::rwx
group::r-x
other::r-x

samokk@bluerock:/tmp$ ls -ld repository/
drwxr-xr-x 2 samokk samokk 4096 2006-01-14 09:19 repository/

getfacl reports the same information as ls -l. This means that there are currently no ACLs defined, besides the traditional ugo+rwx permissions.

We want the repository to be unreadable by others, but accessible by Apache :

samokk@bluerock:/tmp$ chmod 750 repository/
samokk@bluerock:/tmp$ setfacl -m “g:www-data:rwx” repository/
samokk@bluerock:/tmp$ getfacl repository/
# file: repository
# owner: samokk
# group: samokk
user::rwx
group::r-x
group:www-data:rwx
mask::rwx
other::—

The setfacl command has been used to add ACLs to the repository object, in order to allow the www-data group (see the g: keyword) to r, w and x on the directory. getfacl’s output reflects this.

However, we still haven’t solved the mask problem we cited above. Allowing www-data to access the repository does not mean www-data will be given permission to access files that will be created in the future. Default ACLs are there to solve this issue. Default ACLs are inherited from the parent directory and can only be applied to directories (it is not possible to create files inside files…).

samokk@bluerock:/tmp$ setfacl -d -m “g:www-data:rwx” repository/
samokk@bluerock:/tmp$ umask 700
samokk@bluerock:/tmp$ >repository/file
samokk@bluerock:/tmp$ getfacl repository/
# file: repository
# owner: samokk
# group: samokk
user::rwx
group::r-x
group:www-data:rwx
mask::rwx
other::—
default:user::rwx
default:group::r-x
default:group:www-data:rwx
default:mask::rwx
default:other::—
samokk@bluerock:/tmp$ getfacl repository/file
# file: repository/file
# owner: samokk
# group: samokk
user::rw-
group::r-x #effective:r–
group:www-data:rwx #effective:rw-
mask::rw-
other::—

Wha we have just done is simple : the repository has been given a default ACLs that will be inherited by directories and that will be used to set the permission of files created inside it. An example repository/file has been created to show that the files actually inherit the permissions.

This is it ! ACLs are actually quite simple to use, so do not hesitate to ease your life !