Documentation resources for Mandriva Linux and Free Software

Posts in the Linux category

Select best Ubuntu mirror from CLI

Sometimes your Ubuntu mirrors may not be up-to-date or may be down. To check the status of the Ubuntu mirrors, consult : https://launchpad.net/ubuntu/+archivemirrors.

Now here is a handy little script that selects the mirror with the lowest latency available : apt-select.

To install it :

  • If you are using Python 2 ( if not, use python3-bs4 instead ) : sudo apt-get install python-bs4
  • Download the code from GitHub : wget https://github.com/jblakeman/apt-select/archive/master.tar.gz -O - | tar -zx
  • cd apt-select-master
  • Start the script and select the best mirror ( sources.list will be saved in the script directory ) : ./apt-select.py
  • Check the content of the generated sources.list : view sources.list
  • Update the system sources.list : ./update.sh
  • Update the APT database : apt-get update
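
The review of sources.list in the steps above can be scripted before ./update.sh is run. The following is an added example, not part of apt-select or of the original post: it lists the hosts the generated file points at and rejects entries with an unexpected scheme or suite. The function names, the trusty codename and the sample file are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: vet a generated sources.list before it replaces
# /etc/apt/sources.list. Function names are hypothetical.

# list_mirror_hosts FILE
# Print the distinct hosts used by active entries, so they can be compared
# with the mirror list published on Launchpad.
list_mirror_hosts() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
        {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^[a-z][a-z0-9+.-]*:/) {  # first field that is a URI
                    split($i, part, "/")           # scheme: / empty / host[:port]
                    host = part[3]
                    sub(/:.*$/, "", host)          # drop an explicit port
                    if (host != "") print host
                    break
                }
        }' "$1" | sort -u
}

# vet_sources_list FILE CODENAME
# Report every active entry that is not a deb/deb-src line over http(s) for
# CODENAME or one of its pockets (CODENAME-updates, CODENAME-security, ...).
# Returns 0 when the file is clean, 1 otherwise.
vet_sources_list() {
    awk -v codename="$2" '
        function bad(msg) { printf "line %d: %s\n", NR, msg; failed = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            i = 2
            if ($i ~ /^\[/) {                      # skip an optional [options] group
                while (i <= NF && $i !~ /\]$/) i++
                i++
            }
            uri = $i; suite = $(i + 1)
            if ($1 != "deb" && $1 != "deb-src")
                bad("unknown entry type " $1)
            else if (uri !~ /^https?:\/\//)
                bad("unexpected URI " uri)
            else if (suite != codename && index(suite, codename "-") != 1)
                bad("suite " suite " does not belong to " codename)
        }
        END { exit failed + 0 }' "$1"
}

# Constructed sample standing in for the file written by apt-select.py.
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
deb http://mirror.example.org/ubuntu/ trusty main restricted
deb http://mirror.example.org/ubuntu/ trusty-updates main restricted
deb http://security.ubuntu.com/ubuntu trusty-security main restricted
deb ftp://mirror.example.org/ubuntu/ precise-backports main
EOF
echo "Hosts referenced:"
list_mirror_hosts "$demo_file"
# On a real system the codename would come from: lsb_release -cs
vet_sources_list "$demo_file" trusty || echo "sources.list rejected, do not run update.sh"
rm -f "$demo_file"
```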

Enjoy !!! 🙂

Ghost from the past : MSEC GUI mockup

I know that I tend to procrastinate a lot, but this time… it took me nearly 1 year ! Last year I decided to draw a mockup of a possible new UI for msec. Why ?

Current MSEC issues

Present MSEC GUI UI in Mandriva 2010

Presently I do think that msec has several issues. IMHO most of these issues are due to the fact that the target audience of this tool is not clearly defined. Here is, IMHO, the current list of issues :

  1. The UI is too technical and requires too much reading
  2. Although the UI is technically informative, most users, even some of the skilled ones, won’t be able to tell if something is wrong or not
  3. The security parameter tab directly presents some low-level settings, and even worse, with a two-level tab layout. When you end up doing tabs of tabs … it means that something is wrong in your UI
  4. MSEC will show the raw security check logs : this requires high technical skills to understand, and with so much information, you may not know if something is wrong or not. On top of that, the list of world-writable files is displayed, and this could be very big : users’ home directories should be filtered out, except $HOME/public_html if mod_userdir is installed.

New MSEC application UI proposal

So I decided to define the public which will use the application, and what they expect to see. So let’s define the application goal and target:

  1. The application will be seen by end users who may not necessarily be technically skilled
  2. As a reference I will use the Microsoft Windows Security Center
  3. The application will be used to notify the user about the global security state of his computer, and only to perform some basic configuration settings
  4. More advanced/complete configuration settings should be handled by the CLI or another UI
  5. The UI should give the user clear visual hints as to whether something is wrong or not

The mockup

MSEC UI mockup from July 2010

The mockup was done using OpenOffice.org Draw. The UI is in French but I will explain everything.

The status bar

We are going to begin … from the bottom with the status bar. The status bar quickly gives 2 pieces of information : whether MSEC is enabled and the current security level.

The main panel

Now we are going to detail each element in the main panel. All elements are built on the same layout :

  1. Status icon: it shows whether the component is enabled, but also whether some issues have been detected. The status icon has 5 states :
    • Green: Component enabled and no errors/issues detected
    • Orange: Component enabled but some errors/issues were detected
    • Yellow: Component enabled but there are some warnings ( non-critical issues or some advised features are disabled )
    • Red: Component is disabled but it is strongly recommended to activate the component
    • Grey: Component is disabled and not required
  2. Component icon: the icon makes it easy to identify the component. Most of the time the icon will be the one used by the application that configures the component. This way the user will quickly recognize it when looking for it in MCC or KDE system settings ( if the component is integrated and displayed there )
  3. Component name or description: shows the component name or description. Some additional information may possibly be displayed
  4. Fold/Unfold icon: the icon shows more about the component, notably the basic actions that can be applied to it. Most of the time these actions will allow the user to enable/disable the component or consult the logs concerning the component. To show the logs for a component, we’d better use a standard icon to avoid putting unnecessary text.

Now let’s have a look at the details for each component.

Firewall settings

This component shows whether the firewall is enabled and whether there are issues.

  • status icon : red and green are straightforward. Orange will be used if port scans or attacks have been detected and no action has been taken by the user or by a possible system policy ( block or allow/whitelist ). It means that mandi-ifw will have to communicate its status. Yellow will be used when the firewall is enabled but some features are not : all ports are open, port scan detection not enabled, Interactive Firewall not enabled
  • component name/description: quick summary for the firewall, may show the number of firewall rules
  • component actions: enable/disable firewall, enable/disable Interactive Firewall, enable/disable port scan detection, number of detected attacks, number of rules, show firewall logs

Security Updates

This component will deal with security updates.

  • status icon : green = automatic security updates enabled and system up to date, yellow = automatic security updates enabled but system not up to date, orange = no automatic security updates and the last security updates are more than 1 or 2 weeks old, red = no automatic security updates and no security updates for 1 month, or updates disabled ( no security update media defined ). No grey state, as for me security updates should always be enabled
  • component actions : enable/disable automatic security updates, enable/disable security updates ( update media are defined and enabled/disabled in urpmi.cfg ), number of pending security updates, last security update check/installation, show security updates log

System integrity

This component checks the system integrity and its global safety by relying on the MSEC security checks.

  • status icons: green = security checks enabled and no issues detected, yellow = security checks enabled but some warnings from some security checks ( CHECK_WRITABLE, CHECK_SUID_ROOT, CHECK_USER_FILES, CHECK_PERMS, CHECK_RPM_INTEGRITY ), orange = security checks enabled but some critical issues have been detected ( CHECK_PASSWD and CHECK_SHADOW, CHECK_CHKROOTKIT, CHECK_SUID_MD5 ), red = security checks disabled and possibly some critical issues have been detected by the last manual check ( CHECK_PASSWD and CHECK_SHADOW, CHECK_CHKROOTKIT, CHECK_SUID_MD5 ), grey = security checks disabled
  • component actions: enable/disable periodic checks, security check frequency, enable security checks when on battery, enable/disable email notifications, enable/disable user notifications

MSEC security policy

This component is used to configure some basic MSEC security policies. The mockup lacks some of the actions that should be available in this part; they are detailed below.

  • status icons : green = msec enabled, no issues. Yellow = msec enabled but not at boot, grey = msec is disabled.
  • component actions: enable/disable msec, enable/disable msec at startup/boot, show msec logs, msec security level

Contrary to what can be seen in the mockup, I decided to replace periodic checks with system integrity, as for me this is more meaningful.

Conclusion

Here was my proposal for MSEC GUI. I guess that with the new trend in Mandriva, the tool should be written using Qt Quick/QML.

Last but not least, the user notification issue should be taken care of too. Indeed, presently the desktop notification will just notify that a security check has been done, however the user doesn’t know if something is wrong or not. I guess that instead we should have notifications when one of the components is in the red or orange state.

So finally after nearly 1 year I decided to talk about this mockup : I do hope this will give some interesting ideas to some Mandriva devs or contributors 🙂

I’m a man, I’m Linux, I’m a Linux man : Happy 20th birthday !

Indeed, since April 7th, the Linux Foundation has started the celebrations of the 20th birthday of Linux ! As a happy Linux user and contributor for more than 13 years, I wish a truly happy birthday to Linux, i.e. to all of the Linux developers/testers/packagers/promoters/users : WE are Linux. Happy birthday to us !

Upgrading from Mandriva 2010.1 to Mandriva 2011 TP/Cooker

With the migration of Mandriva from rpm 4.6 to rpm 5.x, upgrading from a previous Mandriva release is not straightforward. So here are some tips to have a smooth upgrade :

  1. Install the perl-URPM 3.37 package available in main/testing repository ( 32 bits link, 64 bits link )
  2. remove all your current media : urpmi.removemedia -a
  3. add cooker media : urpmi.addmedia --distrib --mirrorlist 'http://api.mandriva.com/mirrors/basic.cooker.$ARCH.list'
  4. upgrade your Mandriva installation : urpmi --auto-update

If you have issues and an error message like Unable to open /usr/lib/rpm/rpmrc for reading, it means that perl-URPM has not been updated and the rpm database conversion is not complete. Indeed, part of the conversion of the rpm database is handled by perl-URPM, so if the new version is not installed, your database ends up not being completely converted. To fix this, you will have to download the latest perl-URPM version from the cooker repository, extract its content with rpm2cpio, and then initiate the conversion :

  1. download the perl-URPM 4 and urpmi packages from the cooker main/release repository into /tmp/rpm5
  2. as root, go to the previous directory : cd /tmp/rpm5
  3. extract the perl-URPM content with rpm2cpio in the current /tmp/rpm5 directory : rpm2cpio perl-URPM-4*.rpm | cpio -idmv
  4. extract the urpmi package content with rpm2cpio in the current /tmp/rpm5 directory : rpm2cpio urpmi*.rpm | cpio -idmv
  5. in /tmp/rpm5, initiate the rpm database conversion : perl -I. -Murpm -e 'URPM::DB::convert("/", "btree", 1, 1)'
  6. now install the urpmi and perl-URPM packages : rpm -Uvh *.rpm
  7. You can finish upgrading your system : urpmi --auto-update

Normally your system should now be updated to the latest cooker release. Happy testing !!! 🙂

Music tagging made easy with MusicBrainz

I must admit that I have a big collection of music files. Tagging these files correctly takes a long time, and the queue of files waiting to be tagged is becoming quite big. Whereas this was optional before, I now appreciate having the album cover art, as it can be displayed when listening to my music on my Android based phone ( Acer Liquid Metal ). So I decided to look for a solution to automatically tag my music files, and if possible automatically recognize the song and also fetch the album cover art. I found the solution while reading the latest Amarok 2.4 release notes. Amarok is a very good music player developed for the KDE desktop under Linux, but which can be used in other desktop environments and operating systems : please feel free to visit the Amarok download page 🙂

In the Amarok 2.4 release, they added music tagging using MusicBrainz. Whereas I had already heard about MusicBrainz, I had never really checked what features MusicBrainz was offering. So I decided to take a look at the MusicBrainz Wikipedia page … What can I say ? MusicBrainz is just awesome, especially thanks to the acoustic fingerprinting feature ( PUID ) which recognizes a song from its acoustic fingerprint : no need to worry about tags or filename, just feed it with the music file, and it will detect the song and fill in the tags. MusicBrainz can also retrieve the album cover art. Last but not least, the MusicBrainz service is free and people can contribute their data to increase and improve the database !

To make sure that Amarok was using the acoustic fingerprint feature, I decided to consult the MusicBrainz enabled applications page. There were many Linux applications listed, like Amarok, Audacious, Banshee. However the most interesting one was MusicBrainz Picard : a Python based application, supported by MusicBrainz, cross-platform ( Windows, Mac, Linux ), supporting acoustic fingerprint recognition and of course … free.

MusicBrainz Picard application screenshot

Installing MusicBrainz Picard under Mandriva Linux is very easy using urpmi : urpmi picard. To start the application, you just need to launch the picard binary, or use the menu entry in Sound & Video -> More -> MusicBrainz Picard. Here is some advice for a smooth experience :

  • Enable cover art retrieval support by activating the corresponding plugin in Options -> Options -> Plugins.
  • Enable automatic scan in Options -> Options -> Generals ->[ ] Automatically analyze new files.
  • Display the album cover art by default in the lower right part of the main window in View -> Covert art.

Now you just need to add a file or a directory, and Picard will scan it. On the right pane, you will have the estimated album names ( the Picard view is album oriented ). When clicking on the album name, you will see the list of songs for the album, and your files will appear with a green or orange rectangle at the front. Double-click on the song ( or right click -> Details ) to display its properties and the album cover art ( if found ). You can edit the metadata if you want. To save the change, select the song or the album, and then do right click -> Save or CTRL+S.

Happy tagging !

Some Mandriva 2010 Spring Reviews

Here are some Mandriva 2010 Spring reviews I found on the web thanks to http://www.tuxmachines.org/ :

Importing a SVN repository from one server to another one

As I’m now using Netbeans, I had issues with key based authentication for CVS projects in Netbeans. That’s why I decided to import my CVS project to SVN. At some point, as the SVN repository was on my own personal computer, I decided to move it to a public server I had, but only allow SSH access to it. So here is the procedure to move a SVN repository to another SVN server, and only allow svn+ssh access ( no webdav, no network svnserve access ) under Mandriva.

  1. On your old SVN server, dump the entire SVN repository : svnadmin dump /path/to/your/repository > /tmp/repository.svn_dump
  2. Now copy the dump file somewhere on the new SVN server. You may want to use scp if your SSH key based authentication is working correctly. For example : scp /tmp/repository.svn_dump user@new-svn-server:/tmp
  3. Once done, you may want to delete the dump file on the old server and possibly also delete the old SVN repo
  4. On your new server, install the SVN server package and its associated tools : urpmi subversion-server subversion-tools
  5. Check that svnserve is not started at boot by xinetd. For this, check the /etc/xinetd.d/svnserve configuration file and make sure that it contains disable = yes as follows :
    # default: off
    # description: svnserve is the server part of Subversion.
    service svnserve
    {
    disable             = yes
    port                = 3690
    socket_type         = stream
    protocol            = tcp
    wait                = no
    user                = svn
    server              = /usr/bin/svnserve
    server_args         = -i -r /var/lib/svn/repositories
    }
  6. Now create the repository tree on the new server : svnadmin create /var/lib/svn/repositories/
  7. Import the dumped repository file into the new SVN repository : svnadmin load /var/lib/svn/repositories/ < /tmp/repository.svn_dump
  8. If the import is successful, you should now ensure that the users connecting with SSH have write access to the repository. For this, add the users to the svn group : usermod -G svn -a user
  9. Now add a default ACL for the group to the repository, giving read, write and execute ( rwX ) rights to all members of the svn group : setfacl -R -m d:g:svn:rwX /var/lib/svn/repositories/
  10. Check that from a remote computer you can list the content of the repository : svn list svn+ssh://user@new-svn-server/var/lib/svn/repositories
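
The check in step 5 can be automated, which is useful because a service block with no disable line at all is started by xinetd. The following is an added example, not part of the original post; the helper name and the sample files are assumptions constructed for the example, with the values taken from the configuration shown above.

```shell
#!/bin/sh
# Added example: confirm that xinetd will not start a given service.
# xinetd_service_disabled FILE SERVICE   (hypothetical helper name)
#   returns 0  every block for SERVICE contains "disable = yes"
#   returns 1  a block for SERVICE lacks it, so xinetd would start the service
#   returns 2  FILE has no block for SERVICE
xinetd_service_disabled() {
    awk -v want="$2" '
        /^[ \t]*#/ { next }                        # comment lines
        $1 == "service" { name = $2; disable = ""; next }
        $1 == "}" {
            if (name == want) {
                found = 1
                if (disable != "yes") enabled = 1  # a missing line counts as enabled
            }
            name = ""
            next
        }
        name == want && /=/ {                      # attribute = value
            key = $0; sub(/=.*$/, "", key); gsub(/[ \t]/, "", key)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/[ \t]/, "", val)
            if (key == "disable") disable = val
        }
        END { exit (!found ? 2 : (enabled ? 1 : 0)) }' "$1"
}

# Constructed samples: the block from step 5, and the same block with the
# disable line commented out.
demo_dir=$(mktemp -d)
cat > "$demo_dir/svnserve" <<'EOF'
# default: off
service svnserve
{
disable             = yes
port                = 3690
server              = /usr/bin/svnserve
server_args         = -i -r /var/lib/svn/repositories
}
EOF
sed 's/^disable/# disable/' "$demo_dir/svnserve" > "$demo_dir/svnserve.open"

for f in "$demo_dir/svnserve" "$demo_dir/svnserve.open"; do
    if xinetd_service_disabled "$f" svnserve; then
        echo "$f: svnserve is disabled, only svn+ssh can reach the repository"
    else
        echo "$f: svnserve would listen on port 3690"
    fi
done
rm -rf "$demo_dir"
```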

Happy coding with Subversion 🙂

Showing files metadata under KDE is like Russian roulette

While reading KDE Planet, I noticed this blog post from Peter Penz : Internal Cleanups. He was talking about the code cleanups and refactoring he was doing in the Dolphin code, which is a very good thing IMHO. Then I learnt something very annoying : since KDE 4.x and the Nepomuk integration, Dolphin is unable to show metadata information for a file if the file is not indexed by Strigi and Nepomuk ( KDE bug #193592 ). This explains why I had more and more issues getting the size of a photo … Most of the time I ended up starting Gwenview for this ! It is really insane to have to rely on indexing to show a simple piece of information like the dimensions of a photo. Here are the issues I could see :

  1. On my workstations at work, we are using /home on NFS, and I really don’t want to enable Nepomuk and Strigi indexing. I have fears about the NFS support in Nepomuk/Strigi, and about the fact that I will clutter my file server with the indexing database of each of my users. I have 90 GB of data on my file server, I can’t imagine the size of the indexing database … SCSI disks are not cheap !
  2. Even if I do activate Nepomuk+Strigi indexing, by default only the user’s $HOME will be indexed. However what about the service/staff directories ? Indeed, several people of the same staff share some common directories where they put all of their files. What about this ? Do I have to manually enable the indexing of these directories each time, and end up with duplicated indexed contents ?
  3. Still on this subject, if you go to /usr/share/pixmaps or /usr/share/wallpaper or to a USB key, you won’t be able to see the metadata of the files as these locations are not indexed. It means that from the end user’s perspective, Dolphin’s behavior will change for no reason, as one time it will display the info, and another time not. For the end user : Dolphin will not be a reliable way to show basic information about a file !
  4. Activating Nepomuk/Strigi is not without issues for Dolphin either … I noticed that since I activated Nepomuk and Strigi on my personal laptop, sometimes when entering a directory or when double-clicking on a file, Dolphin will just … freeze … No feedback, no error message, no wait message, no explanations … If you click on the UI, you will notice, once Dolphin unfreezes, that your actions were taken into account. Just now, Dolphin was frozen for at least 30 seconds after trying to open an OpenOffice Writer document by double-clicking on it. So Dolphin ends up being unreliable for me … Each time I do something, I fear Dolphin freezes.

These kinds of behavior should really be avoided on a modern desktop environment, and reliability and speed should be top priorities. Consistent behavior should be important, especially for basic features. If I understand well, I may not expect a fix for this before KDE 4.5/4.6, which means … 2011 at worst in a stable Linux distribution …

Fixing computer freeze when using Intel chipset with dual view

Today I wanted to configure 2 laptops running Mandriva 2010 for presentations during a meeting, so I wanted to use cloned output. Unfortunately, doing so results in an instant system freeze. Even worse, if the projector is plugged in before powering on the laptop, the kernel will crash at boot ! Both laptops were using Intel chipsets ( Dell Latitude E6500, Asus A6VA ). The only solution is to disable KMS support. For this you need to generate an initrd without the i915 module ( use --builtin=i915 ), and then possibly add to modprobe.conf : options i915 modeset=0. Once done, reboot the computer. Although you will not have KMS support, at least you will have dual output in clone mode without fear of freezing the kernel …

How to configure local mail delivery

I have a separate server which hosts my database. Each night, a cron script is run to dump the database contents and rsync the backups to another server. The backup script logs the backup in /var/log, but also sends a mail. Most of the time I’m using ssmtp to use my ISP SMTP server as a relay. However, most of the time my database server is not connected to the internet ( and this on purpose ). This is where the issue comes from : ssmtp doesn’t allow local mail delivery 🙁 Even stranger, local mail delivery seems not to work at all in a default Mandriva installation 🙁

To handle local mail delivery, you need a local Mail Delivery Agent ( MDA ), and your Mail Transfer Agent ( MTA ) should call the local MDA to deliver local mails. So here are 2 methods to handle local mail delivery.

Using SENDMAIL

The easiest way to have local mail delivery is to install … sendmail. Just install the sendmail package and start the corresponding service, and you are done.

  • Install the sendmail package : urpmi sendmail

  • Check that sendmail is used to provide the send command : update-alternatives --display sendmail-command

  • If this is not the case, instruct update-alternatives to use sendmail : update-alternatives --config sendmail-command

  • Start the sendmail service : service sendmail restart

Using ESMTP

Another way is to use ESMTP. I advise using ESMTP because it makes it easy to configure an SMTP relay host and also handles local delivery. However, ESMTP is not usable in the default Mandriva configuration as it does not install a local MDA ( mdv bug #56759 ) and does not provide a default system-wide configuration file ( mdv bug #56757 ). So here is the procedure for a very simple ESMTP configuration which handles an SMTP relay and local mail delivery :

  • Install the esmtp and procmail packages : urpmi esmtp procmail

  • Check that esmtp is used to emulate sendmail : update-alternatives --display sendmail-command

  • If this is not the case, instruct update-alternatives to use esmtp : update-alternatives --config sendmail-command

  • Once done, create an empty system-wide configuration file for esmtp : touch /etc/esmtprc

  • If you want to configure a SMTP relay host to send mails outside, add the hostname option followed by the SMTP address in /etc/esmtprc. For example :
    # The place where the mail goes. The actual machine name is required
    # no MX records are consulted. Commonly mailhosts are named mail.domain.com
    hostname = smtp.myisp.com:25
    
  • Now add support to procmail as local MDA for local mail delivery by setting the mda option in /etc/esmtprc :
    # Use procmail as MDA for local mail delivery
    mda "/usr/bin/procmail -d %T"
    
Testing your local mail delivery setup

Now that sendmail or ESMTP is configured, you should test whether local mail delivery is working correctly. The easiest way is to use the mail command to send, but also to read, your local mails. For example, to send a mail containing the content of /etc/nsswitch.conf to the root user, just type : mail -v -s "Local mail test" root < /etc/nsswitch.conf

Now log in as root, and type mail to consult root’s mails. You may possibly want to use Mutt instead of mail to read your mails.
