Recently in Unix Category

Mini


My ancient Thinkpad died a few days ago. A moment's silence, if you please.

...

Thank you.

Being largely skint, I grabbed myself the cheapest netbook going. A Dell Mini 10v. It's awesome. The screen's razor sharp, the keyboard's satisfyingly clacky, and it's really well put together.
Being of the RedHat persuasion, the installed Ubuntu OS survived exactly one boot before being replaced by the mighty Fedora.

An 8GB USB drive and these instructions got it up and running. The default Fedora Gnome desktop's surprisingly light on RAM and everything Just Works. A couple of tweaks, though, because that's the way I roll...

  • Get the binary WiFi drivers:
    $ su -
    # rpm -Uvh http://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-stable.noarch.rpm http://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-stable.noarch.rpm
    # yum -y update
    # yum -y install kmod-wl broadcom-wl
  • Tweak PulseAudio so it doesn't use so much CPU:
    $ su -
    # sed -i 's/; resample-method = speex-float-3/resample-method = speex-float-0/' /etc/pulse/daemon.conf

That's about it, really. Install Flash at your leisure and enjoy full-screen YouTube, iPlayer et al.

There's only one thing wrong with this netbook, and that's the touchpad. The buttons are under the pad, but the areas over the buttons are touch-sensitive, so you can't drag and drop without the pointer flying off in all directions. This isn't a problem that's particular to Linux - Windows 7 users (XP as well, I'd imagine) are reporting the same problem. If you run Linux, though, you get to talk to the developers and raise bug reports. So that's what I did. We'll see how it pans out.

LDAP Headfuck


LDAP: Largely Dangerous And Painful. Let me describe why. (Normal people can give this one a miss. Fellow sysadmins can revel in the ridiculousness).

I'm in the middle of putting an LDAP infrastructure together, and rolling it out to 40-odd Solaris boxes for user authentication, NFS auto mounts, sudo and all that good stuff. Our consultant/contractor/architect worships at the altar of the Sun gods, so OpenDS 1.2.0 was his choice of LDAP server. Not a bad choice, to be honest - it's a piece of piss to set up and get multiple servers multi-master replicating, and it's Free.
All was tickety-boo until a week ago.

First up, all 4 replicating LDAP servers hung overnight. This locked out the admin team from half of our machines until I got into work and poked them back into life. No errors in the logs, nothing weird going on, just hung Java processes and no logins. Brought down 2 of the instances and upgraded the other two to OpenDS 2.0 so hopefully that should be the end of that. Hopefully. Maybe.

Then today, I'm happily LDAPing away when I ran an ldapmodify to change the UID of the user that runs our monitoring software. LDIF imported, no problem, except I'd run the ldapmodify binding as the user I was modifying, not the Directory Manager. Alarm bells went off in my head - users shouldn't be able to modify their own UID numbers. I tried it again, using 0 as the UID, and sure enough it turns out that anyone that could authenticate to LDAP could also change their UID so that they were running as root. Fuck me very hard indeed. A very swift Google tipped up an ACL to add to stop this, as well as a whole load of other possible nightmares.

Next, while messing with the ACLs for the UID problem, it occurred to me that the 'proxy' user could see everyone's passwords in the directory. This is by design, since we're using proxy authentication on our Solaris hosts (which means user passwords aren't sent over the network in plaintext), but it also means that anyone logged into any LDAP-enabled Sun box can search for and list everyone in the directory's passwords with a simple 'ldaplist -l passwd'. The passwords are encrypted, but the old-skool Unix 'crypt' isn't exactly what you'd call military grade protection. Shit.
To get round this, I'm currently beating my head against the brick wall of TLS/SSL so we can remove the need for a proxy user. The tools supplied with OpenDS work fine, but the native Solaris stuff won't go near the self-signed certificates we're using (either that or I'm Doing It Wrong, I'm not entirely sure yet). I've given up for the night, but it looks like I'm going to have to generate CA certificates, then regenerate and sign all the certs for the LDAP servers, then import them, then import the CA and server certs into the LDAP config on the clients, then see if the native Solaris stuff works with them, then re-run ldapclient on all the clients. Arse.
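Two of the nightmares above can be checked for in an LDIF dump of the directory (an export-ldif run or ldapsearch output) rather than by accident: a self-write ACI that covers uidNumber/gidNumber, and userPassword values stored with the crypt scheme. The script below is an example added to this page, not OpenDS code or the ACL the post refers to. The sample export is constructed, the "Self entry modification" ACI in it is an assumed write-anything-except-the-password style rule, the password values are placeholders, and the deny ACI it emits relies on the DSEE/OpenDS rule that a matching deny wins over an allow.

```python
"""Audit an OpenDS LDIF export for a self-write ACI that exposes the POSIX id
attributes, and for userPassword values in the {CRYPT} scheme.
Added example, not OpenDS code."""
import re
from typing import Dict, List, Tuple

PRIVILEGED_ATTRS = {"uidnumber", "gidnumber"}

# Constructed sample export. The ACI is an assumed "write anything except the
# password" self rule; the hashes are placeholders, not real credentials.
SAMPLE_LDIF = """\
dn: dc=example,dc=com
objectClass: domain
aci: (targetattr!="userPassword||authPassword")(version 3.0; acl "Self entry
  modification"; allow (write) userdn="ldap:///self";)

dn: uid=monitor,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: monitor
uidNumber: 1001
gidNumber: 100
userPassword: {CRYPT}xxPLACEHOLDERxx

dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: alice
uidNumber: 1002
gidNumber: 100
userPassword: {SSHA}PLACEHOLDER==
"""

def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: unfold continuation lines, split entries on blank
    lines, collect 'attr: value' pairs (attribute names lower-cased)."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF folding: drop one leading space
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

ACI_RE = re.compile(
    r'\(targetattr\s*(!?=)\s*"([^"]*)"\)'          # attribute list, = or !=
    r'.*?\(version 3\.0;\s*acl\s*"([^"]*)";\s*'    # rule name
    r'(allow|deny)\s*\(([^)]*)\)\s*'               # verdict and rights
    r'userdn\s*=\s*"([^"]*)"',                     # bind rule
    re.IGNORECASE | re.DOTALL,
)

def self_write_exposes(aci: str, attrs=PRIVILEGED_ATTRS) -> Tuple[bool, str]:
    """(exposed, rule name): does this ACI let ldap:///self write any of attrs?"""
    m = ACI_RE.search(aci)
    if not m:
        return False, "unparsed"
    op, target, name, verdict, rights, userdn = m.groups()
    if verdict.lower() != "allow" or "write" not in rights.lower():
        return False, name
    if userdn.lower() != "ldap:///self":
        return False, name
    listed = {a.strip().lower() for a in target.split("||")}
    if op == "=":
        exposed = "*" in listed or bool(listed & attrs)
    else:                                  # targetattr!= means "all but these"
        exposed = not attrs <= listed
    return exposed, name

def password_scheme(value: str) -> str:
    m = re.match(r"\{([A-Za-z0-9-]+)\}", value)
    return m.group(1).upper() if m else "NONE"

def audit(text: str) -> Dict[str, List[str]]:
    findings: Dict[str, List[str]] = {"self_write_acis": [], "crypt_passwords": []}
    for entry in parse_ldif(text):
        dn = entry.get("dn", ["?"])[0]
        for aci in entry.get("aci", []):
            exposed, name = self_write_exposes(aci)
            if exposed:
                findings["self_write_acis"].append(f"{dn}: {name}")
        for pw in entry.get("userpassword", []):
            if password_scheme(pw) == "CRYPT":
                findings["crypt_passwords"].append(dn)
    return findings

# A matching deny wins over an allow in DSEE/OpenDS ACI evaluation, so this
# blocks self-modification of the POSIX ids without rewriting the allow rule.
DENY_ACI = ('(targetattr="uidNumber||gidNumber")(version 3.0; '
            'acl "Deny self-modification of POSIX ids"; '
            'deny (write) userdn="ldap:///self";)')

def remediation_ldif(base_dn: str = "dc=example,dc=com") -> str:
    """LDIF to feed to ldapmodify, bound as Directory Manager."""
    return f"dn: {base_dn}\nchangetype: modify\nadd: aci\naci: {DENY_ACI}\n"

if __name__ == "__main__":
    for key, items in audit(SAMPLE_LDIF).items():
        print(f"{key}: {items}")
    print(remediation_ldif())
```

The `targetattr!=` branch is the one to watch: a rule that allows self write to everything except the password attributes is exactly the shape that hands users their own uidNumber. The emitted deny rule only narrows that; the password exposure through the proxy user is a separate problem that needs the TLS/SSL work (or a stronger storage scheme than crypt), not an ACI.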

I don't get paid enough for this.

The end of an Athlon


Woke up this morning to the sound of silence.
No TV.
No fans.
No hard drives.
Nothing (except my brother's cat trying to re-arrange the carpet).
Arse. My ancient Athlon PC has finally booted its bucket. I suppose it's been a bit flaky of late - USB devices disconnecting randomly, video card spluttering occasionally, that sort of thing. Now it gives only a forlorn "beeeeeeeeep" when it's powered up, and it promptly switches itself off again. Maybe it achieved sentience during the night, watched News24 for a while (I think that's what was on when I fell asleep) and decided that this isn't a world it wants to be part of.
Or maybe one of the caps on the motherboard went out of tolerance and hosed the processor. We'll never know.

Anyway, all the motherboard connections have changed since the Athlon XP days, so I'm having to replace pretty much everything. Here's the run-down:
Intel Core 2 Duo E7400 Processor
Asus P5QL SE S775 Motherboard
2GB Kingston RAM
NVidia 9500GT 1GB Video Card
250GB Seagate Barracuda Hard Drive
Akasa Ultra Quiet 460w Power Supply
I'm keeping my Lian Li case, the two CD/DVD drives, and my trusty Trinifuckinghugetron Sun monitor (1600x1200 of glorious ).

Total: 300 quid delivered. None too shabby. Can't really afford it, but still, none too shabby. Yes, the video card's weak and 2GB RAM isn't that much these days, but Unreal 2004 is about the most graphics intensive game I play, and Linux is pretty light on RAM. Hell, the old machine only had 1/2GB RAM and a GeForce 5200, fortheloveofgod.

I've been playing with wiki software at work of late, looking for something to manage the Unix team's ad-hoc documents and other voodoo - stuff that doesn't really fit in the Official Stamped And Approved Methods Of Doing Things.
I wanted to do this at my last employers, but the thought of deploying PHP/perl/MySQL web apps on Solaris filled me with a subtle dread, so I didn't really look into it too deeply.
A quick shufty on the Interwub, however, revealed that Sun have pre-configured Apache/MySQL/PHP packages available as Cool Stack. I wish Sun would stop with the 'cool' moniker. This is not.

The whole install was remarkably painless - building the zone took longer than installing and configuring the 'cool' packages and the TikiWiki software.
First thing I did once the Wiki was up was to slap the install procedure on a Wiki page, which you can see here, if you're interested in doing the same thing yourself. For the uninitiated: yes, that does constitute a remarkably painless install on Solaris.

Certified


Passed my second Solaris admin exam yesterday, so I'm apparently now a Sun Certified System Administrator.
Managed to completely cock up the Zones section of the exam, but the power of my raw genius/luck shone through and I scraped a pass anyway.

If, on the off chance, you're going to do this exam, be warned: the exam contents don't quite match up with the course content. You'll need to know how to set up a Jumpstart server, which isn't covered in the courses any more. Looking at the boss's old course materials, it looks like the Jumpstart bit got replaced by an in-depth ZFS bit.

Solaris patching rant


It's customary for Solaris admins to slag off the patch system, so I guess I'll have a go. For the sake of full disclosure: I used to be part of the 1st / 2nd line support team that does global support for smpatch / Sun Update Connection / Update Connection Enterprise. If you raised a Sun case on these products between November 2005 and April 2007, you very probably spoke to me at some point. That said, most of what I have to say is based on my experience working with Solaris, rather than supporting it...

smpatch is broken, but you already know that.
The dependency tree required for a working smpatch install is vast - so vast that Sun won't (didn't?) support anything less than a full end-user (SUNWCuser) install cluster for smpatch. Put together a minimal install for a boundary system and want to patch it? Get yo' Recommended Cluster on, dawg.
Any kind of slow-ish or intermittent Internet connection, and you'll have to supervise patch downloads, lest the 'Error: null' beast be awoken from its slumber (just re-run the 'smpatch download' - you'll usually get at least one more patch down before it errors out again). This is typical of the error messages from smpatch - largely useless, mostly misleading, occasionally deceitful.
Circular dependency in your smpatch database (recent kernel/zones patches, for example)? Ha ha haaaa, sucks to be you. smpatch can't figure it out, so you'll just get a load of patchadd failures during the smpatch run and subsequent shutdown. Re-running smpatch won't work, so don't bother. Time to hit SunSolve and work backwards down the dependency tree manually. You'd better hope SunSolve's feeling perky (gateway timeout anyone? Yeah, thought so), 'cause you're going to be there for a long time.

sconadm is as broken as smpatch, but with the added advantage of weird database issues at the Sun side which may stop you registering anything on your support contract. "Registration failed!" it will challenge. "What the fuck?" you will retort. Do not attempt to debug sconadm issues - your sanity is more valuable than your pride. Call Sun and get hold of SWUP_SUPPORT - they'll give you a script to run that will detail all the packages and patches missing from your system, including a Java update you can't install because your Oracle instance depends on a particular JDK version. But maybe that's just me.

Update Connection Proxy? Don't put yourself through the agony.

The enlightened (with similarly enlightened management) among us use PCA and avoid the smpatch/sconadm brain damage. I heartily recommend that you do too.
Giggle as your patches download without error. Rejoice in the HTML patch list output, with links to the READMEs for each patch. Bask in the glory of the caching PCA proxy.
Unfortunately though, the horror runs much deeper than just the automated patch tools...

The way patches are rolled is insane. Any one patch can update several packages, all-but-one of which may not be installed on your host at the time of patching. What happens if you install one of those not-installed packages after patching? That's right. The patch tools see all your applied patches, so won't recommend any of them again despite the just-installed, unpatched package on your system. Cue headaches trying to work out why you just got pwn3d by 1337 |-|4x0rz despite apparently being patched up to the eyeballs.
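The gap described above is checkable: `showrev -p` lists, for every applied patch, the packages it delivered objects for, and each installed package records the patches applied to it in its PATCHLIST parameter (`pkgparam <pkg> PATCHLIST`). Any package named by an applied patch whose own PATCHLIST lacks that patch was installed after the patch and is sitting there unpatched. The script below is an example added to this page, not a Sun tool; the showrev output and PATCHLIST values are constructed and the patch ids are placeholders.

```python
"""Find installed packages that an applied patch covers but that do not list
the patch in their own PATCHLIST. Added example, not a Sun tool."""
import re
from typing import Dict, List, Set

# Constructed: `showrev -p` output, one line per applied patch (placeholder ids).
SHOWREV_P = """\
Patch: 100001-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu, SUNWcsr, SUNWsndmu
Patch: 100002-05 Obsoletes: 100001-01 Requires:  Incompatibles:  Packages: SUNWcsu
"""

# Constructed: PATCHLIST per installed package, as `pkgparam <pkg> PATCHLIST`
# would report it. SUNWsndmu was pkgadd'ed after 100001-01, so it has none.
PKG_PATCHLIST = {
    "SUNWcsu": "100001-01 100002-05",
    "SUNWcsr": "100001-01",
    "SUNWsndmu": "",
}

LINE_RE = re.compile(r"^Patch:\s+(\S+)\s+.*?Packages:\s*(.*)$")

def parse_showrev(text: str) -> Dict[str, List[str]]:
    """Map patch id -> packages the patch delivered objects for."""
    patches: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, pkgs = m.groups()
        patches[pid] = [p.strip() for p in pkgs.split(",") if p.strip()]
    return patches

def unpatched_packages(showrev_text: str,
                       patchlists: Dict[str, str]) -> Dict[str, List[str]]:
    """Installed packages whose PATCHLIST is missing a patch that names them.
    Packages absent from `patchlists` are not installed, so there is nothing
    to verify yet; they become the problem the moment someone pkgadds them."""
    gaps: Dict[str, List[str]] = {}
    for pid, pkgs in parse_showrev(showrev_text).items():
        for pkg in pkgs:
            if pkg not in patchlists:
                continue
            applied: Set[str] = set(patchlists[pkg].split())
            if pid not in applied:
                gaps.setdefault(pkg, []).append(pid)
    return gaps

if __name__ == "__main__":
    for pkg, missing in unpatched_packages(SHOWREV_P, PKG_PATCHLIST).items():
        print(f"{pkg}: re-apply {' '.join(missing)}")
```

On a real box the two inputs come from `showrev -p` and a loop over `pkginfo` output calling `pkgparam`; the patch tools won't tell you, because from their point of view every listed patch is already applied.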

On no other Unix (that I've ever worked on at least) does a kernel patch clobber your sendmail config. This is a result of the way the patches are rolled, as above. You were told during the patchadd operation that the sendmail config had been moved, but you weren't expecting what was allegedly a driver update to affect userland apps, and you don't have the time to review 1000 lines of smpatch output for each of 30-odd machines at the end of a 12 hour shift caused by smpatch failing. to. download. every. second. patch, so you missed it. Say goodbye to the free space in /var as the mail spool fills up over the next few days. Say goodbye to your email-based system monitoring.

Ah well, I suppose it's a living. Say hi to SWUP_SUPPORT for me next time you raise an smpatch case. There's also a pretty good blog by one of the PST team at Sun which goes some way to explaining the madness: Patch Corner. Not pretty, is it?

Accounts


I've sorted out the account signups for this here blog, so you should be able to sign in / retrieve passwords etc. now. See below if you're really interested in what the problem was. The blog software has also been upgraded to the latest stable release, but it shouldn't make any difference from where you're sitting. Anyway, normal people can stop reading.... now.

(I'm posting this, because I've seen a number of people on forums who've had the same issue I did, and none of the threads were answered. Hopefully Google will pick this post up.)
The main problem with the signups was that the return address hadn't been specified in MT, so the emails weren't being sent out to external addresses. Unfortunately, MT doesn't appear to email errors to the admin, so I didn't know about this until Koof pointed out that he couldn't sign up. Once that was fixed I created a new account with my work address as the email address, but the email bounced off the Exchange server with a 500 error for an invalid Return-Path.

MT (on Linux at least) sends mail through the sendmail utility (Postfix in my case) as the webserver user, so it wasn't setting the envelope address sensibly. This meant that everything appeared to be coming from the (unresolvable) local-network hostname, which was correctly rejected as invalid by the remote side. To fix this you can set up Postfix to re-write the envelope headers by editing /etc/postfix/generic, and adding, e.g.:
webserveruser@localhostname.localdomain webmaster@example.com
Then add:
smtp_generic_maps = hash:/etc/postfix/generic
to /etc/postfix/main.cf if it's not already there, then run:
postmap /etc/postfix/generic
and
killall -HUP master
to make the changes stick. Once that's done, mail from the webserver user will appear to come from webmaster@example.com and all should be well.
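Before running postmap it's worth knowing what Postfix will actually do with a given sender, because the generic table has three key forms with a fixed precedence (from generic(5)): the full user@domain, the bare user (only when the domain is one Postfix treats as local: $myorigin, $mydestination, $inet_interfaces or $proxy_interfaces), and the catch-all @domain. The script below is an example added to this page that models that lookup order; it is not Postfix code. The map it parses is the entry from the post plus two constructed lines, and the set of local domains is passed in rather than read from main.cf.

```python
"""Model of smtp_generic_maps lookups, to dry-run /etc/postfix/generic.
Added example, not Postfix code; precedence follows generic(5)."""
from typing import Dict, Set

# Constructed map: the post's entry plus a bare-user and a catch-all line.
GENERIC_MAP_TEXT = """\
# webserver user -> a deliverable, resolvable address
webserveruser@localhostname.localdomain  webmaster@example.com
root                                     hostmaster@example.com
@localhostname.localdomain               noreply@example.com
"""

def parse_generic(text: str) -> Dict[str, str]:
    """Key/value pairs, whitespace separated, '#' comments and blanks ignored."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            table[parts[0].lower()] = parts[1].strip()
    return table

def rewrite_sender(address: str, table: Dict[str, str],
                   local_domains: Set[str]) -> str:
    """Return the rewritten address, or the input unchanged if nothing matches.
    Order: user@domain, then bare user (local domains only), then @domain."""
    address = address.lower()
    user, _, domain = address.partition("@")
    if not domain:
        return address
    candidates = [address]
    if domain in local_domains:
        candidates.append(user)
    candidates.append("@" + domain)
    for key in candidates:
        if key in table:
            return table[key]
    return address

if __name__ == "__main__":
    table = parse_generic(GENERIC_MAP_TEXT)
    for sender in ("webserveruser@localhostname.localdomain",
                   "root@localhostname.localdomain",
                   "cron@localhostname.localdomain",
                   "bob@example.org"):
        print(f"{sender} -> {rewrite_sender(sender, table, {'localhostname.localdomain'})}")
```

The catch-all `@domain` line is the one that stops the next daemon running as some other local user from bouncing the same way; the bare-user form only fires for domains Postfix considers its own, which is why the example takes that set as an argument.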

So I was on Digg the other day, and I heard that Movable Type is going Open Source, so I downloaded it (and installed Apache and MySQL) and I'm playing about with it on my desktop machine. It's pretty impressive; both in how easy it is to set up, and what it can do.
I'm thinking, therefore, about using it in place of the venerable HTML hack-up you see before you.
All I need to do is find a style that's not yet another "Web2.0 - pastel-colours - drop-shadow - gray-on-white-text - ground-reflections etc." look that I'm becoming really fucking sick of seeing all over the place. You know what I'm talking about.

Update: Sod it. The 'Minimalist Grey' style looks pretty good, so that's what I'm going to use. Gray on gray text or no.

Unfortunately I'm forced to use a Windows machine as my desktop box at work. This causes me pain. Things that would be a two minute job (like burning ISO images to DVD) take an age, and require the installation of third party software. I miss select-to-copy and middle-click-paste. Creating Word documents isn't scriptable. Applications put user data on the C: drive. It's a mess.
I have lessened the pain somewhat with the use of some choice apps:
- Dexpot (virtual desktops and hotkey desktop switching).
- WinKey (key bindings to launch apps).
- X-Win32 (X server).
- Cygwin (BASH and various Unix tools).
After installing all that crap, Windows is just about usable. I can Ctrl-Tab between a fullscreen CDE session and a Windows desktop, and I can operate in a relatively mouse-less way most of the time.

On the upside though, I've had a chance to test that Java web server I was working on a while back (it's still not finished, but I intend to get back into it soon). I'm surprised to report that it works just fine on Windows with Sun's Java installed. I was expecting all kinds of hassle with path separators etc, but it's all handled very gracefully. Nice.

So I'm watching The Antiques Roadshow one Sunday, while stuffing my face with delicious chicken, and there's a bit on Thomas Chippendale. Bear with me.
Basically, according to the old-stuff boffins at the aforementioned Roadshow, he's only really famous because of one thing.
He released a book of drawings of his furniture.
Apparently, that's it. Don't get me wrong, he was a choice chippy, but the thing that made him the legend that he is, is his book.
Could this be the first example of successful Open Source in a modern(ish) commercial market? At the time his peers thought he was utterly mental for releasing publicly, to anyone who cared to pick up his book, what would normally be considered trade secrets.
Sounds pretty familiar...

About this Archive

This page is an archive of recent entries in the Unix category.
