fidzu : Fedora

Meanwhile I managed to write some tutorials:Using piped examples with tee and xargs.Send emails from linux terminal.Linux command execution using WinSCP.and more...Here are the latest Linux tutorials written by me.

06 Feb 2012 11:40am GMT

There are Eternals and there is Eternity, a temporal field in spacetime which exists through centuries. The Eternity was created in the 24th century and does employ best minds from all of the centuries since then. It was supposed to be eternal but beyond a certain future they are blocked by some mysterious power/force. And if they travel beyond these hidden centuries, they find Earth, a barren planet & humanity completely extinct. For eternals, who can watch all of the past(since the creation of temporal field in 24th century) present and future, by travelling upwhen & downwhen within the Eternity, the hidden centuries are a setback. They do cause reality changes and then watch its effects in the future. Their mission is to create a perfect happy time for all of the humanity by minimising their suffering in all of the times. But their own time proceeds in a normal manner, they do age, and it is independent of the true reality's time changes.

In order to be really eternal all of spacetime must be closed in loop to Eternity's temporal field, but they can't. They suspect that Timers, from the hidden cenuries, are fast catching up with them and want to destroy their power to change humanity's fate (a fate which they see fit). But what could the Timers be plotting against them, and why would they not let a guardian organization oversee all of humanity's welfare. Probably the answer lies in Eternity's decision to delay and sabotage space travelling capabilities of Humanity. The timers are themselves plotting reality changes to delay humanity's inevitable extinction at the specified time...but what kind of plot.

06 Feb 2012 11:23am GMT

As I mentioned elsewhere, there are some changes ahead in CUPS 1.6. These changes are not imminent but give an indication of the direction the CUPS project is heading.

Back in 2007 CUPS became an Apple project. Now the parts that are not relevant on Mac OS are being dropped, with some of the Linux-relevant parts being gathered together in a separate project, cups-filters.

The main part that is being dropped completely is CUPS Browsing. This is currently the primary mechanism for CUPS-to-CUPS printer queue discovery on Linux. It works by having each CUPS server periodically broadcast UDP packets on port 631 announcing its available queues, and listening for broadcasts from other CUPS servers.

This discovery method is being dropped because DNS-SD is preferred upstream. Support for it has been upstream in CUPS for a while, and it is what CUPS uses on Mac OS X, but it uses Apple's libdns_sd library and not Avahi. I have added support for this in Fedora, and the patch is submitted upstream.

So in CUPS 1.6, automatic CUPS queue discovery will require Avahi to be running on both the server (i.e. the system hosting the CUPS queue) and the clients (i.e. the systems wanting to print to it).

Of course, you will be able to run CUPS without having Avahi running - but you won't have automatic CUPS queue discovery in that case. Clients will have to have queues explicitly configured, or else use the BrowsePoll configuration setting to periodically query a particular CUPS server for its queues.

Several other filters will be dropped from CUPS in 1.6, to be picked up by the new cups-filters package. Information about this package is on the OpenPrinting web site and a beta release is now available.

This new package restores the filters that will be dropped in CUPS 1.6 and also adds new filters to support PDF as the baseline document format rather than PostScript.

06 Feb 2012 11:16am GMT

Ever thought "hey, I'd like to use this with Tor"? Well, I'm giving someone in the Fedora community the opportunity to review a package that will allow you to do just that. Torsocks provides a "usewithtor" functionality to allow many network-utilizing programs to go over the Tor network instead of exposing your doings to the public Internet directly. As soon as the package has made its way through the review process I plan to push it out to EPEL as well.

06 Feb 2012 6:42am GMT

Since my current Internet Service Provider Reliance Communication has started cheating, I now keep an account of my bandwidth usage. Here's a script I use for every internet session:

-----------------------------------------------------------------------------------------
filename: netusage.sh
-----------------------------------------------------------------------------------------
#!/bin/sh

while(2>1)
do
date >>usage.txt
ifconfig ppp0|tail -n 2 >>usage.txt
ifconfig ppp0
if [ "$?" -ne "0" ]; then
cp usage.txt $( date | sed -e "s/://g" |sed -e "s/ //g").txt
rm usage.txt
break;
fi
sleep 180;
done
-----------------------------------------------------------------------------------------
It takes a sample of usage every 3 minutes and when you are done, dumps your usage for the session in some file with name such as "SunFeb5044143IST2012.txt". Later you can grep, cut and sum all of your usage from all of the files for a particular period.

And if you are interested in some graph of your usage pattern, you cane even do that using some kind of regression or time series.

Other better ways are welcome.

06 Feb 2012 5:55am GMT

I don't usually post (1) short snippets or (2) about current sporting events, but Robyn Bergeron's note was impossible to pass up:

I have decided that the POSSE owl should be named Superb Owl. So that he can have one day a year dedicated to him.

(Note that the POSSE owl is not necessarily a male owl, and that my posting of Robyn's quote does not constitute my endorsement of such a name for said owl. Still, it made me stammer incoherently for a moment. Thank you, Robyn.)

That is all. Have a very good evening, and may your nacho overdoses be miraculously healed with a good night's sleep.

06 Feb 2012 5:16am GMT

Soy yo o es pésima la manera en que amarok administra las etiquetas? hace meses que vengo con ese problema, vengo etiquetando todo pero por hay hoy amarok me muestra las etiquetas bien por hay otro día me muestra cualquier cosa.

Lo peor es que me he fijado en las propiedades de los archivos de audio y están bien, terminé instalando exaile para corroborar cosas y agrego la colección y me puso tal cual las etiquetas de los archivos.

uso easytag, también amarok para editar las etiquetas, por ejemplo si etiqueto desde amarok una canción me la muestra impecable, luego quito y vuelvo a poner la colección y se arma la catombe!!

Hace tiempo que Amarok es mi reproductor de música preferido, pero tiene ese defecto conmigo, a alguno le pasa igual?

06 Feb 2012 1:46am GMT

literally in the last minutes of Fosdem, 3 of the FAmSCo Members - Gerard, Christoph and Zoltan - gathered for some minutes ;)

05 Feb 2012 9:36pm GMT

One of the things that always make me feel happy when friends ask me "why are you part of Fedora" is that everyday you will find a great idea, a great project or an awesome team to be part of. When we change our status from "user" to "contributor", we agree to teach what we know and try to make FOSS tools and strategies go further. So now let me tell you about our new project… Fedora Videos:

What is Fedora Videos?

Our contributor Nitesh Narayan Lal came up with an idea to create a serie of videos and give our users an interface to check them on an easier way. We could say that we want to teach fedora through videos… but I'm sure that this project might have bigger goals in a short lapse.

Will be there a guidelines?

Yes, but consider it more like "recommendations". We want to gather the best videos from the net, created by users and enthusiast, and turn them info Fedora official videos. Yes… we are thinking on give you an intro/outro and some easy tips so our job making translations and sharing can be easier. Right now we are working on this guidelines and you can actually check how it goes in here: https://fedoraproject.org/wiki/User:Niteshnarayan/video_tutorials/Guidelines

How can I search though so many Videos?

Yes, But we need your help! We think that use the *Join Fedora categories* might be a good start, but we need more sub-categories. Nitesh has done a great work on this… can you help us improve it a bit more? Check: https://fedoraproject.org/wiki/User:Niteshnarayan/video_tutorials/Guidelines#Video_Categories

Current Tasks

In our amazing first meeting we start with some task that are currently under development. Tasks so far goes this way:

• Create a guidelines for official videos - bckurera, tatica and Nitesh Guidelines first draft
• Create a guidelines for submit and publish videos - bckurera, tatica and Nitesh Guidelines first draft
• Categorize video sections by interests or teams - Nitesh Sections first draft
• Check privacy, licenses and Ads for each service and Check on HTML5 alternatives who link you to the theora - FranciscoD: Analysis

Now, on a more personal task I'm needing people who have some experience with Video edit and intro creations. I might be able to do a Blender intro but I want to have some experienced hand to have some support and guide. Let me know if you can give us a hand :)

If I have an idea to share, a video to spread or just want to be part of this project, what should I do?

All mayor stuff will be online at our wiki, however, if you can make it to our meetings and share one hour weekly with us will be amazing. We will gather every Thursday at 1530UTC (Check your local time/date here)

05 Feb 2012 9:25pm GMT

As promised in my earlier post entitled Kerberos for haters, I've assembled the simplest possible guide to get Kerberos up an running on two CentOS 5 servers.

Also, I don't really hate Kerberos. It's a bit of an inside joke with my coworkers who are studying for some of the RHCA exams at Rackspace. The additional security provided by Kerberos is quite good but the setup involves a lot of small steps. If you miss one of the steps or if you get something done out of order, you may have to scrap the whole setup and start over unless you can make sense of the errors in the log files. A lot of my dislikes for Kerberos comes from the number of steps required in the setup process and the difficulty in tracking down issues when they crop up.

To complete this guide, you'll need the following:

• two CentOS, Red Hat Enterprise Linux or Scientific Linux 5 servers or VM's
• some patience

Here's how I plan to name my servers:

• kdc.example.com - the Kerberos KDC server at 192.168.250.2
• client.example.com - the Kerberos client at 192.168.250.3

CRITICAL STEP: Before getting started, ensure that both systems have their hostnames properly set and both systems have the hostnames and IP addresses of both systems in /etc/hosts. Your server and client must be able to know the IP and hostname of the other system as well as themselves.

First off, we will need NIS working to serve up the user information for our client. Install the NIS server components on the KDC server:

[root@kdc ~]# yum install ypserv

Set the NIS domain and set a static port for ypserv to make it easier to firewall off. Edit /etc/sysconfig/network on the KDC server:

NISDOMAINNAME=EXAMPLE.COM
YPSERV_ARGS="-p 808"

Manually set the NIS domain on the KDC server and add it to /etc/yp.conf:

[root@kdc ~]# nisdomain EXAMPLE.COM
[root@kdc ~]# echo "domain EXAMPLE.COM server kdc.example.com" >> /etc/yp.conf

Adjust /var/yp/securenets on the KDC server for additional security:

[root@kdc ~]# echo "255.0.0.0 127.0.0.0" >> /var/yp/securenets
[root@kdc ~]# echo "255.255.255.0 192.168.250.0" >> /var/yp/securenets

Start the NIS server and generate the NIS maps:

[root@kdc ~]# /etc/init.d/ypserv start; chkconfig ypserv on
[root@kdc ~]# make -C /var/yp

I usually like to prepare my iptables rules ahead of time so I ensure that it doesn't derail me later on. Paste this into the KDC's terminal:

iptables -N SERVICES
iptables -I INPUT -j SERVICES
iptables -A SERVICES -p tcp --dport 111 -j ACCEPT -m comment --comment "rpc"
iptables -A SERVICES -p udp --dport 111 -j ACCEPT -m comment --comment "rpc"
iptables -A SERVICES -p tcp --dport 808 -j ACCEPT -m comment --comment "nis"
iptables -A SERVICES -p udp --dport 808 -j ACCEPT -m comment --comment "nis"
iptables -A SERVICES -p tcp --dport 88 -j ACCEPT -m comment --comment "kerberos"
iptables -A SERVICES -p udp --dport 88 -j ACCEPT -m comment --comment "kerberos"
iptables -A SERVICES -p udp --dport 464 -j ACCEPT -m comment --comment "kerberos"
iptables -A SERVICES -p tcp --dport 749 -j ACCEPT -m comment --comment "kerberos"
/etc/init.d/iptables save

We need our time in sync for Kerberos to work properly. Install NTP on both nodes, start it, and ensure it comes up at boot time:

[root@kdc ~]# yum -y install ntp && chkconfig ntpd on && /etc/init.d/ntpd start
[root@client ~]# yum -y install ntp && chkconfig ntpd on && /etc/init.d/ntpd start

Now we're ready to set up Kerberos. Start by installing some packages on the KDC:

[root@kdc ~]# yum install krb5-server krb5-workstation

We will need to make some edits to /etc/krb5.conf on the KDC to set up our KDC realm. Ensure that the default_realm is set:

default_realm = EXAMPLE.COM

The [realms] section should look like this:

[realms]
EXAMPLE.COM = {
        kdc = 192.168.250.2:88
        admin_server = 192.168.250.2:749
}

The [domain_realm] section should look like this:

[domain_realm]
kdc.example.com = EXAMPLE.COM
client.example.com = EXAMPLE.COM

Add validate = true within the pam { } block of the [appdefaults] section:

[appdefaults]
 pam = {
   validate = true

Adjust /var/kerberos/krb5kdc/kdc.conf on the KDC:

[realms]
EXAMPLE.COM = {
        master_key_type = des-hmac-sha1
        default_principal_flags = +preauth
}

There's one last configuration file to edit on the KDC! Ensure that /var/kerberos/krb5kdc/kadm5.acl looks like this:

*/admin@EXAMPLE.COM          *

We're now ready to make a KDC database to hold our sensitive Kerberos data. Create the database and set a good password which you can remember. This command also stashes your password on the KDC so you don't have to enter it each time you start the KDC:

kdb5_util create -r EXAMPLE.COM -s

On the KDC, create a principal for the admin user as well as user1 (which we'll create shortly). Also, export the admin details to the kadmind key tab. You'll get some extra output after each one of these commands but I've snipped it to reduce the length of the post.

[root@kdc ~]# kadmin.local
kadmin.local:  addprinc root/admin
kadmin.local:  addprinc user1
kadmin.local:  ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin
kadmin.local:  ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/changepw
kadmin.local:  exit

Let's start the Kerberos KDC and kadmin daemons:

[root@kdc ~]# /etc/init.d/krb5kdc start; /etc/init.d/kadmin start
[root@kdc ~]# chkconfig krb5kdc on; chkconfig kadmin on

Now that the administration work is done, let's create a principal for our KDC server and stick it in it's keytab:

[root@kdc ~]# kadmin.local
kadmin.local:  addprinc -randkey host/kdc.example.com
kadmin.local:  ktadd host/kdc.example.com

Transfer your /etc/krb5.conf from the KDC server to the client. Hop onto the client server, install the Kerberos client package and add some host principals:

[root@client ~]# yum install krb5-workstation
[root@client ~]# kadmin.local
kadmin.local:  addpinc --randkey host/client.example.com
kadmin.local:  ktadd host/kdc.example.com

There aren't any daemons on the client side, so the configuration is pretty much wrapped up there for Kerberos. However, we now need to tell both servers to use Kerberos for auth and your client servers needs to use NIS to get user data.

• On the KDC:
  • run authconfig-tui
  • choose Use Kerberos from the second column
  • press Next
  • don't edit the configuration (authconfig got the data from /etc/krb.conf)
  • press OK
• On the client:
  • run authconfig-tui
  • choose Use NIS and Use Kerberos
  • press Next
  • enter your NIS domain (EXAMPLE.COM) and NIS server (kdc.example.com or 192.168.250.2)
  • press Next
  • don't edit the Kerberos configuration (authconfig got the data from /etc/krb.conf)
  • press OK

Got NIS problems? If the NIS connection stalls on the client, ensure that you have the iptables rules present on the KDC that we added near the beginning of this guide. Also, if you forgot to add both hosts to both servers' /etc/hosts, go do that now.

Let's make our test user on the KDC. Don't add this user to the client -- we'll get the user information via NIS and authenticate via Kerberos shortly. We'll also rebuild our NIS maps after adding the user:

[root@kdc ~]# useradd user1
[root@kdc ~]# passwd user1
[root@kdc ~]# make -C /var/yp/

On the client, see if you can get the password hash for the user1 account via NIS:

[root@client ~]# ypcat -d EXAMPLE.COM -h kdc.example.com passwd | grep user1
user1:$1$sUlSTlCv$riK5El3z8N4y.mi5Fe3Q60:500:500::/home/user1:/bin/bash

You can see why NIS isn't a good way to authenticate users. Someone could easily pull the hash for any account and brute force the hash on their own server. Go back to the KDC and lock out the user account:

[root@kdc ~]# usermod -p '!!' user1

Go back to the client and try to pull the password hash now:

[root@client ~]# ypcat -d EXAMPLE.COM -h kdc.example.com passwd | grep user1
user1:!!:500:500::/home/user1:/bin/bash

On the plus side, the user's password hash is now gone. On the negative side, you've just prevented this user from logging in locally or via NIS. Don't worry, the user can log in via Kerberos now. Let's prepare a home directory on the client for the user:

[root@client ~]# mkdir /home/user1
[root@client ~]# cp -av /etc/skel/.bash* /home/user1/
[root@client ~]# chown -R user1:user1 /home/user1/

Note: In a real-world scenario, you'd probably want to export this user's home directory via NFS so they didn't get a different home directory on every server.

While you're still on the client, try to log into the client via the user. Use the password that you used when you created the user1 principal on the KDC.

[root@client ~]# ssh user1@localhost
user1@localhost's password:
[user1@client ~]$ whoami
user1

List your Kerberos tickets and you should see one for your user principal:

[user1@client ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_500_fCKPnZ
Default principal: user1@EXAMPLE.COM
 
Valid starting     Expires            Service principal
02/05/12 14:18:53  02/06/12 00:18:53  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 02/05/12 14:18:53

Your KDC should have a couple of lines in its /var/log/krb5kdc.log showing the authentication:

Feb 05 14:18:53 kdc.example.com krb5kdc[4694](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 192.168.250.3: ISSUE: authtime 1328473133, etypes {rep=16 tkt=16 ses=16}, user1@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Feb 05 14:18:53 kdc.example.com krb5kdc[4694](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.250.3: ISSUE: authtime 1328473133, etypes {rep=16 tkt=18 ses=18}, user1@EXAMPLE.COM for host/client.example.com@EXAMPLE.COM

The first line shows that the client asked for a Authentication Server Request (AS_REQ) and the second line shows that the client then asked for a Ticket Granting Server Request (TGS_REQ). In layman's terms, the client first asked for a ticket-granting ticket (TGT) so it could authenticate to other services. When it actually tried to log in via ssh it asked for a ticket (and received it).

YOU JUST CONFIGURED KERBEROS!

From here, the sky's the limit. Another popular implementation of Kerberos is encrypted NFSv4. You can even go crazy and use Kerberos with apache.

Let me know if you have any questions about this post or if you spot any errors. With this many steps, there's bound to be a typo or two in this guide. Keep in mind that there are some obvious spots for network-level and service-level security improvements. This guide was intended to give you the basics and it doesn't cover all of the security implications involved with a Kerberos implementation.

The Kerberos-hater's guide to installing Kerberos is a post from: Major Hayden's Racker Hacker blog.

Thanks for following the blog via the RSS feed. Please don't copy my posts or quote portions of them without attribution.

05 Feb 2012 9:03pm GMT

New Hampshire has passed a new law that is summarized as follows:

This bill requires state agencies to consider open source software when acquiring software and promotes the use of open data formats by state agencies. This bill also directs the commissioner of information technology to develop a statewide information policy based on principles of open government data.

They are living up to the high standards of their state motto!

read more

05 Feb 2012 7:29pm GMT

As mentioned previously, today I presented a talk at FOSDEM 2012, titled "Building application sandboxes on top of LXC and KVM with libvirt". As promised I have now uploaded the PDF slides for public access. For further information about libvirt-sandbox, consult this previous blog post on the subject. Also keep an eye on this site for further blog posts in the future. Thanks to everyone who attended the talk. I look forward to returning again in a year's time for another update.

05 Feb 2012 5:29pm GMT

Links

This blog post was created on 2012-02-05 at 18:25 by Andreas Haerter. It is tagged with links, planet-fedora, planet-puppet, puppet.

05 Feb 2012 5:25pm GMT

Links

This blog post was created on 2012-02-05 at 18:25 by Andreas Haerter. It is tagged with links, planet-fedora, planet-puppet, puppet.

05 Feb 2012 5:25pm GMT

40 years ago, some folks at Stanford conducted an interesting experiment with preschoolers:

A marshmallow was offered to each child. If the child could resist eating the marshmallow, he was promised two instead of one. The scientists analyzed how long each child resisted the temptation of eating the marshmallow, and whether or not doing so had an effect on their future success. (Source: Wikipedia)

Short answer: yes.

Greg and I were talking about the difference between production and production capacity a few days ago, and the importance of balancing the two. It's not a hard concept; we do this all the time when we play video games. When you play Monopoly, you build houses and hotels because you know that's going to give you the strong resource and financial base you need to wipe the board with everyone else at the end; when you sit down for Settlers of Catan, you build cities - you don't just start hurtling roads out there, right? You want that grain, that ore, those bricks. You want that power at your fingertips, so you Do The Marshmallow - you focus on building that power, even if it means not using all the little bits of power you have right then. Less shiny now, more shiny later.

What does this have to do with FOSS? Well, I'm reminded of the Marshmallow Experiment every time I see something like this:

"Linux geeks not caring about noobs is the main reason Windows is so popular." -Chris Watkins

That's my friend Chris, from Appropedia. Chris is a technical guy who loves the Free world; he's an engineer working on disseminating open-licensed appropriate technology information to grassroots communities of hackers in the developing world using an entirely open-source software stack to do so. His statement reads to me like a bug report on FOSS's ability to build production capacity in its communities. (We've gotten better, thanks to tons of long, hard work by many different groups and people - but there's still a long way to go.)

I am also reminded of the Marshmallow Experiment every time I see something like this:

I just think it's bizarre. "We need more people! Lets try to recruit those with this particular type of sex organs!" -from a GNOME Women comment thread

Dude. Do you want to curse the darkness? Or do you want to light some candles? Because what you did right there is called "cursing the people who are lighting candles." When you see someone trying to improve the capacity of a community you care about, try helping them. Constructive criticism is helpful; however, the above comment is a good example of destructive criticism. Here's how to tell the difference.

These comments are, in different ways, both about building production capacity in FOSS communities. In a world where software is considered obsolete after a year or two, where 6-month releases are built in no small part upon the outputs of 48-hour hackfests, where there are so many compelling reasons to focus on the now - what does your project do to look into the future? (Does it?) Could you see those two scenarios above applying to the communities you work within?

05 Feb 2012 4:05pm GMT

Glances stellt zusammengefasst die wichtigsten Systemdaten dar. Es ist ein bisschen wie phpsysinfo, aber für die Konsole.

Pakete für Fedora sind verfügbar.

05 Feb 2012 4:00pm GMT