Posts Tagged ‘Mageia’

Distro Recipes 2013: Nice first !

2013/04/09

Distro Recipes 2013
As indicated, I had the opportunity to talk during the first Distro Recipes event organized in Paris last week, at the invitation of Hupstream. As Yoann Sculo posted, this was a very interesting day for me, and I really regret I was too busy to also attend the first day and the opening.

After a nice welcome breakfast, Aurélien Bompard started by presenting the Fedora distribution.
Aurélien Bompard presenting the Fedora distribution
He did a great job, especially explaining how easy it was to become a Fedora maintainer, even if a comparison to Debian revealed that it's much less different than what people may think (it also takes time to become a packager able to modify most distro packages), and I know by experience that the Fedora packagers are really picky (sometimes for not so good reasons) with new contributions.

After that I talked about HP and Linux distributions. I used in fact the standard HP marketing presentation of the company as a starter (modified of course to suit my needs and include more penguins !) in order to explain the span of our activities and our relationship with communities including distributions. I announced that HP will even soon provide firmware for ProLiant servers under a package format (rpm and deb), and explained the fact that HP doesn't see Linux demand for desktop/laptop on the consumer market (no, it's not just a price issue that would make Linux more appealing in that case, as I justified) but that we do support Linux on some enterprise desktops/laptops. Hopefully this was useful and/or new to some of the audience.

Then Dodji Seketeli made the type of talk making you believe that you could contribute to gcc ! Of course, when he details how much time it took him to add some of the features of the next stable version, you know you can't ! Well, I at least ;-) Anyway, lots of good news and features that make that future version 4.8 expected soon.
Dodji Seketeli on gcc

That concluded our morning sessions, and it was then time to eat !! Especially as we had a great buffet waiting for us, as you can see:
Lunch

In order to avoid a sleepy afternoon, we started right after with a round table of 7 people (!), which I had the pleasure to chair. With a representative of each distribution (Mageia, openSUSE, Fedora, Debian, Arch, Embedded) and a Microsoft representative, you could expect blood and sword fights ! Not at all: I was surprisingly happy that the elements were clearly exposed, each representative defending their own work rather than criticizing, and finding ways to propose more future joint work. Of course, some subjects such as LSB/FHS led to more debate, but very constructive, and I really enjoyed this time slot as a way to show that differences are an added value ! It was also the opportunity for me to meet with Colin Guthrie and Frédéric Crozat, whom I had never met before. These distros should be happy to have such representatives defending them (and the others too of course ;-) ) Finally, if you have ideas to share to improve cross-distribution work, consider joining the mailing list dedicated to this topic and start sharing your ideas.

Then it was time again for the remaining presentations. The first was Lucas Nussbaum. A long time Debian Developer (he is even running for Debian Project Leader now, vote for him !), he made a convincing picture of the Debian ecosystem, the numerous Web sites that contributors can create to enhance the distribution with stats, infos, Ubuntu correlations, … As usual, Debian appears as a very mature distribution, with a strong governance, being perl friendly… If I had to change I may well become a Debianer. But isn't it because of the presentation, as in the morning I was a Fedorian ;-)
Lucas Nussbaum for Debian

The next speaker was a long time Linux enthusiast, Pierre Ficheux. In fact back when it was Minitel time (not 2.0) I used his xtel program !! Pierre made a presentation (in English but with the accent ;-) ) around embedded Linux distributions, presenting various ways to tailor one for your device (he was using a Raspberry Pi) depending on whether you use an Ubuntu, a Yocto generated one or a pure OpenEmbedded Linux one. Definitely a good idea to explore for my Pi !
Pierre Ficheux on Yocto (Open Wide)

And then we had the lightning talks. Aurélien Bompard was there again for HyperKitty. Too bad it's devoted to Mailman, as I think Sympa would also benefit from such work, as their archive management (at least on the latest versions I used) could be improved.
Aurélien Bompard for HyperKitty

I came then again on stage for a project-builder.org presentation (building cross-distro packages for upstream projects) and made a short demo which I think is explaining much more than my slides, so I plan on using it more in the future !

After me, Eric Leblond explained how his upstream project (ulogd2) wasn't picked up correctly by most distributions and asked for help to improve that.

And the final speaker was Nicolas Vérité, who made a panel on all mobile Linux distributions, recommending to follow closely Tizen for the future as the main force in this area.
Nicolas Vérité on mobile distros

Too bad it was already over. Anne closed the session and I'd like to thank her for the invitation and the perfect organization of this first cross-distributions event, a real success. Well done and see you next year hopefully !
Anne Nicolas (Hupstream)

Meeting at the first Distro Recipes

2013/03/19

I’ve been kindly invited for the first Distro Recipes event in Paris the 4th and 5th of April.

As I have an internal HP meeting on the 4th, I'll only be available at the end of that day, but will present on the 5th how hardware manufacturers work with Linux distributions, giving the example of HP. I'll also moderate a round table around "Linux distributions: differences and commonalities" where we will try to have polite discussions ;-) about what makes a distribution unique, and what is instead worth sharing by collaborating. Finally I'll also present during the lightning talks "Project-Builder.org: packaging for multi-OS Open Source Projects".

So I won't have that much time outside of presentations, as you can see, but would be happy anyway to meet with MondoRescue or Project-Builder.org or HP/Linux users and talk with them.

Anyway, a great event to be in, as the list of speakers is really interesting, all major distros being represented, and for sure very interesting new contacts to make, and hopefully the curiosity to discover these other distros that you don't use :-) Come for the same reasons, and see you there !

Time to drop flash

2013/01/30

I've never been anti-non-FLOSS: I used StarOffice back in 1995, when it would allow me to not use a Windows PC, but to do everything I had to do with a Linux system. I've used and still use Acrobat Reader (and Okular). And on Linux I'm using flash, especially to look at videos published, such as on http://youtube.com

But today, trying to get an update for flash, I read on Adobe's Web site that Flash Player 11.2 would be the last version for Linux. Only security fixes will continue to be provided. Well, so instead of being an incentive to move back to Windows (you dreamed, guys ;-) ) or to adopt Mac, it's an incentive to drop flash usage as much as possible, and use more open video formats.

Don't get me wrong, I'm always favouring open formats, and free, libre, open source software. But I'm also practical, and if I need to use software which is not FLOSS to get my work done, I dislike that but can use it as long as it's not core to my activity. And honestly, flash is probably the last one with regard to using non-FLOSS on my systems. Flash is not core anyway. It's for entertainment mostly, so I'm ok with a proprietary plugin, especially when Mageia does a great packaging work making it very easy to use.

But now, if Adobe doesn't care about Linux users, then all video providers shouldn't care either about the flash format and should start moving off it ASAP (including French TV for their news).

When I think about the "awesome" presentation I had today at LCA, about native (without plugin) video conferencing between Firefox and Chrome, using the native HTML5 WebRTC format, I think all these funky formats are just doomed to disappear anyway. The richness of Open Source, and its rapid evolution pace, no longer allows companies, even the size of Adobe, to resist. And for sure their decision will accelerate the move. Especially as mobile users, who are mostly Linux users nowadays, are using more video content.

So many thanks to those who are working on such standards and technologies; it will make our lives much easier, and still fun, in the near future.

A Mageia based Firewall with auto_inst and lots of other stuff like chrooted squid

2013/01/07

I've been working on renewing some of my systems, and as I have now moved fully to Mageia version 2, I've worked on tooling the installation of my firewall.

It's still not fully as I wanted it to be, but is already worth sharing, as well as some comments around the distribution usage.

First, I used a PXE install of Mageia with auto_inst. On my PXE server, I used the following config for PXElinux:
label pxe
kernel k/m2
append initrd=i/m2.img ramdisk_size=512000 root=/dev/ram3 kickstart=http://x.y.z.k/pub/ks/www/guerrero.pl automatic=met:http,int:eth1,ser:w.y.z.k,dir:/pub/mageia/distrib/2/i586,netw:dhcp

Nothing special here, just following the doc. Well, which doc, could you say ? The one I just added to the Mageia wiki from the Mandriva wiki, itself from the Mandrake version. Remember, auto_inst was Mandriva's best kept secret ! Hopefully, it will change with Mageia !

Now the secret sauce is in the guerrero.pl file, which is the auto_inst config.
Here is mine:
#!/usr/bin/perl -cw
#
# $Id$
#
#
# You should check the syntax of this file before using it in an auto-install.
# You can do this with 'perl -cw auto_inst.cfg.pl' or by executing this file
# (note the '#!/usr/bin/perl -cw' on the first line).
$o = {
'timezone' => {
'ntp' => '0.pool.ntp.org',
'timezone' => 'Europe/Paris',
'UTC' => 1
},
'services' => [
'acpid',
'crond',
'fusioninventory-agent',
'gpm',
'msec',
'network',
'network-up',
'ntpd',
'numlock',
'partmon',
'postfix',
'resolvconf',
'rsyslog',
'shorewall',
'squid',
'sshd'
],
'security_user' => 'bruno_at_musique-ancienne.org',
'default_packages' => [
'acpi',
'acpid',
'apache',
'basesystem',
'drakxtools-curses',
'ethtool',
'fusioninventory-agent',
'gpm',
'grub',
'iptraf',
'kernel-server-latest',
'locales-fr',
'lshw',
'lsof',
'mondo',
'msec',
'nss',
'ntpd',
'numlock',
'openssh-server',
'openssh-client',
'pam_abl',
'pam_cgroup',
'postfix',
'rsyslog',
'squid',
'squidguard',
'shorewall',
'shorewall-doc',
'strace',
'sudo',
'tcpdump',
'tmpwatch',
'traceroute',
'tshark',
'vim-enhanced',
'vlock',
'wget',
],
'users' => [
{
'icon' => 'default',
'realname' => 'administrator',
'uid' => undef,
'groups' => [],
'name' => 'administrator',
'shell' => '/bin/bash',
'gid' => undef,
'pw' => '$2xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',
}
],
'locale' => {
'country' => 'FR',
'IM' => undef,
'lang' => 'fr',
'langs' => {
'fr' => 1
},
'utf8' => 1
},
'net' => {
'zeroconf' => {},
'network' => {
'NETWORKING' => 'yes',
'GATEWAY' => 'x.y.z.k',
'CRDA_DOMAIN' => 'FR',
'FORWARD_IPV4' => 'false'
},
'autodetect' => {},
'network::connection::ethernet' => {},
'resolv' => {
'DOMAINNAME' => 'nameserver',
'dnsServer' => 'x.y.z.k',
'DOMAINNAME2' => 'search',
'dnsServer2' => 'musique-ancienne.org',
},
'wireless' => {},
'ifcfg' => {
'eth0' => {
'BROADCAST' => '',
'isUp' => 1,
'BOOTPROTO' => 'dhcp',
'isPtp' => '',
'NETWORK' => '',
'HWADDR' => undef,
'DEVICE' => 'eth0',
'METRIC' => 10
}
},
'type' => 'network::connection::ethernet',
'net_interface' => 'eth0',
'PROFILE' => 'default'
},
'authentication' => {
'shadow' => 1,
'blowfish' => 1
},
'partitions' => [
{
'fs_type' => 'ext4',
'mntpoint' => '/',
'size' => 1138567
},
{
'fs_type' => 'swap',
'mntpoint' => 'swap',
'size' => 4038086
},
{
'fs_type' => 'ext4',
'mntpoint' => '/usr',
'size' => 6165190
},
{
'fs_type' => 'ext4',
'mntpoint' => '/var',
'size' => 8283384
},
{
'fs_type' => 'ext4',
'mntpoint' => '/tmp',
'size' => 542289
},
# Put the one extending last
{
'fs_type' => 'ext4',
'mntpoint' => '/var/spool/squid',
'size' => 20283384,
'ratio' => 100,
},
],
'partitioning' => {
'auto_allocate' => 1,
'clearall' => 1,
'eraseBadPartitions' => 1
},
'superuser' => {
'pw' => '$2xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',
'realname' => 'root',
'uid' => '0',
'shell' => '/bin/bash',
'home' => '/root',
'gid' => '0'
},
'security' => 'secure',
'mouse' => {
'EmulateWheel' => undef,
'synaptics' => undef,
'name' => 'Any PS/2 & USB mice',
'device' => 'input/mice',
'evdev_mice' => [
{
'device' => '/dev/input/by-id/usb--event-mouse',
'HWheelRelativeAxisButtons' => '7 6'
}
],
'evdev_mice_all' => [
{
'device' => '/dev/input/by-id/usb--event-mouse',
'HWheelRelativeAxisButtons' => '7 6'
}
],
'type' => 'Universal',
'nbuttons' => 7,
'Protocol' => 'ExplorerPS/2',
'wacom' => [],
'MOUSETYPE' => 'ps/2'
},
'interactiveSteps' => [
],
'autoExitInstall' => '0',
'no_suggests' => 1,
'mkbootdisk' => 0,
'isUpgrade' => 0,
'excludedocs' => 0,
'miscellaneous' => {
'numlock' => 1,
},
'keyboard' => {
'GRP_TOGGLE' => '',
'KEYBOARD' => 'us'
},
'postInstall' => '
cd /root
wget http://x.y.z.t/pub/ks/www/post-install.sh
chmod 755 ./post-install.sh
./post-install.sh 2>&1 | tee /dev/tty7 | tee /var/log/post-install.log
',
};

First, that doesn't completely install a minimal Mageia. For now, due to plymouth (from ML feedback) it adds a lot of X11 packages which shouldn't be required. Even adding the no_suggests option (not documented on the Mandriva wiki, but now on the Mageia version ;-) didn't fully solve the problem, even if it improved things. I now have a compliant install with 387 packages, after my postinstall phase removed most of what was not needed.

So what does my postinstall do ?
Here it is:

#!/bin/bash
#
# $Id$
#
# Common conf for all zones
# Idempotent PostInstall script

echo "Common final setup"
echo "---------------"

echo "Allow remote access for sshd"
grep -Eq '^sshd:' /etc/hosts.allow 2> /dev/null
if [ $? -ne 0 ]; then
echo "sshd: LOCAL, musique-ancienne.org, x.y.z.t" >> /etc/hosts.allow
fi

# Temporary hack before overwrite by cb
grep -Eq '^ssh' /etc/shorewall/rules.drakx
if [ $? -ne 0 ]; then
echo "ACCEPT net fw tcp 22 -" >> /etc/shorewall/rules.drakx
fi

echo "Allow sudo access for administrator"
grep -Eq '^administrator' /etc/sudoers
if [ $? -ne 0 ]; then
echo "Defaults:administrator !requiretty" >> /etc/sudoers
echo "administrator ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
else
perl -pi -e 's/^administrator.*/administrator ALL=(ALL) NOPASSWD:ALL/' /etc/sudoers
perl -pi -e 's/^Defaults:administrator.*/Defaults:administrator !requiretty/' /etc/sudoers
fi

echo "Allow cron access to administrator"
grep -Eq '^administrator' /etc/cron.allow 2> /dev/null
if [ $? -ne 0 ]; then
echo "administrator" >> /etc/cron.allow
fi

echo "Allow shutdown access to administrator"
grep -Eq '^administrator' /etc/shutdown.allow 2> /dev/null
if [ $? -ne 0 ]; then
echo "administrator" >> /etc/shutdown.allow
fi
FWDIR=`echo ~administrator`
echo "administrator setup"
mkdir -p $FWDIR/.ssh
chmod 700 $FWDIR/.ssh
cat > $FWDIR/.ssh/authorized_keys < /var/spool/cron/root
echo "0 3 * * * /usr/local/bin/rc.upd" >> /var/spool/cron/root
chmod 600 /var/spool/cron/root

echo "Postfix alias"
perl -pi -e "s/root:\s*postfix/root: bruno_at_musique-ancienne.org/" /etc/postfix/aliases
postalias /etc/postfix/aliases

echo "Manages long reboot of dhcp server just in case"
# Not necessarily used BTW
cat > /etc/dhclient-eth0.conf < /etc/dhclient-eth1.conf <> /var/spool/cron/root
fi
grep -Eq "mkcommon" /var/spool/cron/root
if [ $? -ne 0 ]; then
echo "30 4 * * * /usr/local/bin/mkcommon" >> /var/spool/cron/root
fi
grep -Eq "mk$h" /etc/rc.local
if [ $? -ne 0 ]; then
echo "/usr/local/bin/mk$h" >> /etc/rc.local
fi
grep -Eq "mkcommon" /etc/rc.local
if [ $? -ne 0 ]; then
echo "/usr/local/bin/mkcommon" >> /etc/rc.local
fi
echo "Setup administrator passwd"
echo "XXXXXXXXXXXXXXXXXXXXX" | passwd --stdin fwadmin
echo "Setup root passwd"
echo "XXXXXXXXXXXXXXXXXXXXX" | passwd --stdin root

echo "Start specific postinstall for machine $h"
wget http://x.y.z.t/pub/ks/www/post-install-$h.sh
chmod 755 post-install-$h.sh
z=`grep -E "^#[ ]*ZONE:" post-install-$h.sh`
zone=`echo $z | cut -d: -f2`
# Doing the zone first
wget http://x.y.z.t/pub/ks/www/post-install-$zone.sh
chmod 755 post-install-$zone.sh
echo "Start specific postinstall for zone $zone"
./post-install-$zone.sh
echo "End specific postinstall for zone $zone"
# Then the machine
./post-install-$h.sh
echo "End specific postinstall for machine $h"
echo "End common postinstall"
echo "Now you can run cb -m $h to distribute content"

Seems complex, but isn't that much. What it does, roughly, is open up security enough on a machine configured with the msec security level "secure" (or 5) to have an administrator account allowed to connect to it remotely with ssh and use sudo automatically (for scripting purposes), cron and shutdown; configure mail redirection; schedule distribution and machine updates via cron; set passwords; and launch other scripts, depending on the zone in which the machine is (that postinstall script is common to many installed machines) and the machine itself.

So what does the zone post install script do in addition ? Here it is again:

#!/bin/bash
#
# $Id$
#
# Common conf for DMZ Zone
#

# Idempotent PostInstall script

echo "DMZ final setup"
echo "---------------"

echo "DNS setup"
cat > /etc/resolv.conf <> /etc/postfix/main.cf
if [ _"$kickstart" = _"" ]; then
/etc/init.d/postfix restart
fi

echo "NTP conf"
perl -pi -e 's/^server.*/server 0.pool.ntp.org/' /etc/ntp.conf
echo "0.pool.ntp.org" > /etc/ntp/step-tickers
if [ _"$kickstart" = _"" ]; then
/etc/init.d/ntpd restart
fi

cat > /etc/sysconfig/network < /etc/hostname << EOF
$h.musique-ancienne.org
EOF
if [ _"$kickstart" = _"" ]; then
/etc/init.d/network restart
fi

So basically, network and some services (ntp, smtp) setup. Stuff that every machine in that zone should get.
Now the final script run is the one for that specific machine:


#!/bin/bash
#
# $Id$
#
# KEEP THAT COMMENT INTACT - USED FOR COMMON DMZ/LAN CONF
#
# ZONE:dmz
#

# Idempotent PostInstall script for guerrero

machine=`basename $0 .sh | cut -d- -f3`

echo "$machine final setup"
echo "--------------------"

echo "Rotate on a year"
perl -pi -e "s/rotate \d+/rotate 52/" /etc/logrotate.conf /etc/logrotate.d/*

DSK=`df | grep -E ' /$' | grep /dev | awk '{print $1}' | sed 's/[0-9]*$//'`
echo "Tuning File Systems"
tune2fs -c 0 -i 0 -m 1 ${DSK}1 # /
tune2fs -c 0 -i 0 -m 1 ${DSK}6 # usr
tune2fs -c 0 -i 0 -m 1 ${DSK}7 # var
tune2fs -c 0 -i 0 -m 0 ${DSK}8 # squid
tune2fs -c 0 -i 0 -m 1 ${DSK}9 # tmp

echo "$machine static network configuration"
# Affect the static address to $machine
cat > /etc/sysconfig/network-scripts/ifcfg-eth1 < /etc/sysconfig/network-scripts/ifcfg-eth0 <> /etc/sysctl.conf
else
perl -pi -e 's/net.ipv4.ip_forward[\s]*=.*/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
fi
sysctl -p

if [ _"$kickstart" = _"" ]; then
/etc/init.d/network restart
fi

echo "Secure the system with msec"
perl -pi -e 's/BASE_LEVEL=.*/BASE_LEVEL=secure/' /etc/security/msec/security.conf

echo "cleanup extra packages installed on Mageia 2"
urpme --auto iw libmcpp0 libx11-common libxaw7 libxcomposite1 libxfixes3 libxcursor1 libxi6 libxinerama1 libxkbfile1 libxpm4 libxtst6 libxxf86dga1 libxxf86misc1 libxxf86vm1 mandi wireless-regdb x11-font-alias x11-font-cursor-misc xli xmodmap x11-font-encodings x11-data-xkbdata x11-data-bitmaps libdmx1 libmnl0 libnl3 rgb sessreg x11-font-misc-misc

So outside of fixing the network conf after install (addresses, routing and topology), tuning the file systems and adjusting the logrotate, it really secures the system with msec by changing the level in /etc/security/msec/security.conf, which doesn't seem to be done correctly by the auto_inst setup I used.

And finally it removes those packages that I do not want on such a hardened system, and which resist the no_suggests option ! Hopefully, Mageia 3 won't have that issue anymore (I will test the beta of Mageia 3 later this month).

But that's not all ! As you've probably seen, some other scripts are invoked on the system, through cron or /etc/rc.local. This is where I really transform that generic system into a firewall and my proxy.

A first script invoked on all my system (mkcommon) does that for the moment:

#!/bin/bash
#
# $Id$
#
# Common setup for systems
#
# Script is idempotent
echo "Re-activate sysrq"
grep -Eq '^kernel.sysrq' /etc/sysctl.conf
if [ $? -ne 0 ]; then
echo "kernel.sysrq = 1" >> /etc/sysctl.conf
else
perl -pi -e 's/kernel.sysrq[\s]*=.*/kernel.sysrq = 1/' /etc/sysctl.conf
fi
/sbin/sysctl -p

grep 'll=' /etc/bashrc
if [ $? -ne 0 ]; then
echo "alias ll='ls -lia'" >> /etc/bashrc
fi

I like keeping control of the system through the keyboard, so I reactivate the sysrq key that msec deactivates. And that's also an easy way to add aliases, or any other common stuff you may want.
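The post-install and mkcommon scripts above repeat the same grep-then-append-or-perl-replace block for each setting (hosts.allow, cron.allow, the ip_forward and sysrq keys in sysctl.conf). As an added example, not part of the post, here are two POSIX sh helpers that do the same thing idempotently: the key is escaped so that net.ipv4.ip_forward cannot match an unrelated key, commented-out lines are left alone, and the replacement text carries no regex anchors. The demo runs on a constructed sysctl.conf copy and never touches /etc.

```shell
#!/bin/sh
# Idempotent "ensure this setting" helpers (added example, not the author's scripts).
set -u

# ensure_line FILE REGEX LINE
# Append LINE to FILE unless some line already matches REGEX (extended regex).
# Covers the allow-list cases: /etc/hosts.allow, /etc/cron.allow, /etc/rc.local ...
ensure_line() {
    file=$1; regex=$2; line=$3
    [ -f "$file" ] || : > "$file"
    if ! grep -Eq -- "$regex" "$file"; then
        printf '%s\n' "$line" >> "$file"
    fi
}

# ensure_kv FILE KEY VALUE
# Make FILE contain an active "KEY = VALUE" line (sysctl.conf style).
# An existing active line for KEY (any spacing around '=') is rewritten in
# place, so its position and surrounding comments are kept; otherwise the line
# is appended. Lines commented out with '#' are not touched.
ensure_kv() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || : > "$file"
    # escape '.' so the key is matched literally, not as "any character"
    ekey=$(printf '%s' "$key" | sed 's/\./\\./g')
    if grep -Eq "^[[:space:]]*${ekey}[[:space:]]*=" "$file"; then
        tmp=$(mktemp)
        sed -E "s|^[[:space:]]*${ekey}[[:space:]]*=.*|${key} = ${value}|" "$file" > "$tmp"
        cat "$tmp" > "$file"   # cat rather than mv: keeps owner and mode of the target
        rm -f "$tmp"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# current_kv FILE KEY
# Print the effective value of KEY: the last active line wins, which is how
# "sysctl -p" treats duplicates. Prints nothing if KEY is not set.
current_kv() {
    ekey=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -nE "s/^[[:space:]]*${ekey}[[:space:]]*=[[:space:]]*(.*)$/\1/p" "$1" | tail -n 1
}

# Demo on a constructed sysctl.conf in a temporary directory.
demo() {
    d=$(mktemp -d)
    f="$d/sysctl.conf"
    printf '%s\n' '# constructed sample' 'net.ipv4.ip_forward=0' \
                  'kernel.sysrq = 0' '# kernel.sysrq = 1' > "$f"
    ensure_kv "$f" net.ipv4.ip_forward 1
    ensure_kv "$f" net.ipv4.ip_forward 1      # second run is a no-op
    ensure_kv "$f" kernel.sysrq 1
    ensure_kv "$f" net.ipv4.conf.all.rp_filter 1   # absent key gets appended
    cat "$f"
    rm -rf "$d"
}
```

Values containing sed replacement metacharacters (`&`, `|`, `\`) would need extra escaping in ensure_kv; the sysctl integers used on this page do not.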

The other one, does the conf for the system:

#!/bin/bash
#
# $Id$
#
# Setup squid in a chrooted environment
# requires usage of the chroot directive in squid.conf
# Cf: http://wiki.squid-cache.org/ConfigExamples/ChrootJail
#
export CHROOTDIR=/var/spool/squid
SQUID=squid
SQGID=squid
# Script is idempotent

#
# Setup a global chrooted environment (normally a separated script expanded here)
#
# Script is idempotent
if [ _"$CHROOTDIR" = _"" ]; then
echo "Variable CHROOTDIR is not defined so unable to run mkchrootbase"
exit -1
fi
if [ "`echo $CHROOTDIR | cut -c1`" != "/" ]; then
echo "Variable CHROOTDIR doesn't start with / so unable to run mkchrootbase"
exit -1
fi
if [ "$CHROOTDIR" = "/" ]; then
echo "Variable CHROOTDIR is / so unable to run mkchrootbase"
exit -1
fi
rm -rf $CHROOTDIR/var/log $CHROOTDIR/var/run $CHROOTDIR/etc $CHROOTDIR/lib $CHROOTDIR/usr $CHROOTDIR/dev $CHROOTDIR/tmp
#
echo "Creating base chroot content"
install -v -m 755 -o root -g root -d $CHROOTDIR
install -v -m 1777 -o root -g root -d $CHROOTDIR/tmp
install -v -m 755 -o root -g root -d $CHROOTDIR/var/log/
install -v -m 755 -o root -g root -d $CHROOTDIR/var/run/
install -v -m 755 -o root -g root -d $CHROOTDIR/dev
cp -a /dev/null /dev/zero /dev/random /dev/urandom $CHROOTDIR/dev
install -v -m 755 -o root -g root -d $CHROOTDIR/etc
cp -a /etc/resolv.conf /etc/nsswitch.conf /etc/hosts /etc/localtime $CHROOTDIR/etc/
install -v -m 755 -o root -g root -d $CHROOTDIR/lib
cp -a /lib/libnss_dns* $CHROOTDIR/lib/

echo "Creating squid chroot content"
install -v -m 755 -o $SQUID -g $SQGID -d $CHROOTDIR/var/spool/squid
install -v -m 755 -o $SQUID -g $SQGID -d $CHROOTDIR/var/log/squid
install -v -m 755 -o $SQUID -g $SQGID -d $CHROOTDIR/etc/squid
cp -a /etc/squid/* $CHROOTDIR/etc/squid
install -v -m 755 -o root -g root -d $CHROOTDIR/usr/share/squid
cp -a /usr/share/squid/{icons,errors} $CHROOTDIR/usr/share/squid
install -v -m 755 -o root -g root -d $CHROOTDIR/usr/lib/squid
cp -a /usr/lib/squid/* $CHROOTDIR/usr/lib/squid/
chown ${SQUID}:$SQGID $CHROOTDIR/var/run
install -v -m 755 -o root -g root -d $CHROOTDIR/usr/bin
cp -a /usr/bin/squidGuard $CHROOTDIR/usr/bin
cp -a `/usr/sbin/mindi --locatedeps /usr/bin/squidGuard | sort -u` $CHROOTDIR/lib

# This is to make systemd happy
ln -sf $CHROOTDIR/var/run/squid.pid /var/run/

# Secure squid properly
grep -Eq squid /etc/security/msec/perm.local 2> /dev/null
if [ $? -ne 0 ]; then
cat >> /etc/security/msec/perm.local << EOF
/var/log/squid/ squid.squid 750
/var/spool/squid/var/log/squid/ squid.squid 750
/var/log/squid/* squid.squid 640
/var/spool/squid/var/log/squid/* squid.squid 640
EOF
msec
fi

echo "Setup of the squidGuard conf..."
sqg=`ls -d /usr/share/squidGuard*`
install -v -m 755 -o root -g root -d $CHROOTDIR/$sqg
ln -sf $sqg /usr/share/squidGuard
rm -rf $CHROOTDIR/usr/share/squidGuard
cd $sqg
rm -f blacklists.tar.gz
wget http://dsi.ut-capitole.fr/blacklists/download/blacklists.tar.gz
if [ $? -eq 0 ]; then
rm -rf blacklists
echo "Extracting the blacklists..."
tar xfz blacklists.tar.gz
echo "Generating the DBs for squidGuard..."
squidGuard -b -d -C all -c /etc/squid/squidGuard.conf
chown -R ${SQUID}:$SQGID blacklists
fi
echo "Copying squidGuard content..."
rm -rf $CHROOTDIR/usr/share/squidGuard
cp -a /usr/share/squidGuard $CHROOTDIR/usr/share/squidGuard

So this one is the trickiest one. It builds the chroot environment in order to run squid in it. I may move to an LXC container later on, but that was what I previously had, and thought it was still a valid approach.
The problem I found with this is with systemd. Colleagues could say I'm not fond of it, but this was the first time I really had to interact seriously with that new init approach, and I'm less than happy with the move :-(

systemd is hard to understand, hard to debug (ok guys, it is so damn complicated !) and doesn't understand the chroot approach as I wanted to do it here. I had to add the trick around the copy of the /var/run pid file to make it happy. And even with that, when I restart the squid process with systemd it very often fails and leaves some processes behind. In any case I do not use restart anymore, but just stop, then start, in order to minimize issues. SysVinit wasn't having all these problems. Which may lead me to consider LXC or that type of setup after all.

Squidguard is automatically updated in this conf with the latest content from the University of Toulouse which does a great job to propose their conf files.

Finally I use a tool I developed to maintain all this. casparbuster is my small distribution tool, to propagate the various conf files that are still needed on the system. Now that ssh is up and running, with an account able to use it and become root, then I use an SVN controlled environment in order to store and manage all the relevant conf files (such as my shorewall files e.g.) and I can very easily distribute them to my target systems. I just do cb -m firewall, and voila, all my files are there, process relaunched, and system ready to work ! But enough for this article, very long already, these details are left for a new one I hope to write soon.

Most of that was part of my Christmas activities, and I now have a new shiny low power machine (but still powerful) managing our security and Internet access. Took time, but happy with the results !

Mindi 2.1.3 is now available

2012/07/08

Ok, so before 1 week in my other life (amateur early music musician), I want to publish this new update of mindi only. It fixes 4 minor bugs that have been reported, mostly with fixes, and that should make MondoRescue more robust again. To be used with mondo 3.0.2.

This version brings:

  • Fix #621 by avoiding to handle iso9660 and bind FS type from fstab.
  • Fix a bug in mindi where regular expressions were used with grep without the -E option
  • Fix #614 SLES kbd issue
  • Improves Mageia 2 support which needs .ko.xz modules detection

All packages have been made and are available at ftp://ftp.mondorescue.org
So happy disaster recovery !

MondoRescue 3.0.1 announced

2012/02/26

As commented previously, MondoRescue 3.0.1 has been officially announced today.

I’ve also pushed that version which I hope should be a good stable one to Mageia and Mandriva as well.
I've also added support for openSuSE 12.1 to rpmbootstrap, so now VE works fine with it.

Time to go back to project-builder.org for its own next version !

MondoRescue: welcome to a new bug fix mainly version

2012/02/24

The MondoRescue project has made quite some progress again recently. So it's time to publish mondo 3.0.1 and mindi 2.1.1. Those are mainly bug fix versions. In particular there is a fix for a bad LVM i-want-my-lvm setup file, where sometimes duplicated lines were generated, which was annoying, as well as an error again in some cases in computing the multiplier factor used when the disk size changed.

Among the major improvements, we are now supporting kernel 3.2 new usb_common module, btrfs, grub2 and the launch of rpcbind at restore time to improve NFS restore support for at least RHEL 6.2 (on which I made my tests) and hopefully Debian 6 as well (feedback welcome !). All details are available in trac.

I have had multiple reports that this version was indeed better than 3.0.0 with regard to the issues mentioned above, so I think it's time to make it official now, so a larger audience can test it. This is the version I'll push to Mageia tomorrow, once the build is done, and to Mandriva when time permits. What I find nice is that the latest releases receive more feedback, and also more patches from contributors and users. A good sign !

The next task on my TODO list is to publish a newer version of project-builder.org as well, that is still helping me dramatically in building the 100+ tuples as well as indices for urpmi/yum/apt/… in the public repository.

Let’s meet at Fosdem 2012 in Brussels

2012/01/30

I’ll attend Fosdem again this year next week-end in Brussels. I’ll deliver a talk on Project-Builder.org as a support for a Continuous Packaging cross Operating Systems development.

There are some news with the tool, and hopefully a new version, and some future evolution that I’d like to communicate. I also plan to present less slides, and have a more concrete demo to help people see the value of the approach.

While not presenting, I'll probably be around near the Mageia booth or around my HP colleagues attending the event as well (Bdale Garbee, Martin Michlmayr, Hugo Roy). Don't hesitate to come and chat !

Migrating from KMail to Thunderbird: The revenge

2012/01/08

After migrating 2 of my kids and my wife from Kmail to Thunderbird last year, I finally decided this week-end to finish the last migration for my first daughter on her Mageia distribution.

I previously made unsuccessful tries, as her environment was different, with many more subdirectories and special chars, so it didn't work with the previous version of the script.

Now with the revisions 1389 and 1390 of the md2mb.pl script, I have successfully migrated her environment, without any manual intervention.

Hopefully, seeing the number of times the previous post was looked at, it will be again useful (even more now that it works better:-)) for others. I even clarified the license in revision 1391 for you to use more easily.

Happy migration !

MondoRescue 3.0.0 is now officially out

2012/01/06

To be honest the first packages appeared before Christmas as I was hoping to have everything ready as a gift ! But I met a certain number of issues trying to build all packages for the 99 different distributions I’m trying to build for ! This is due to my upgrade to Mageia 1 where the QEMU/KVM version proposed work differently from the previous Mandriva 2010.2 I was using.

Some i386 VMs are now freezing, so I had to find new correct parameters for them. Then autoconf wasn’t generating a correct content for all Mandrake/Mandriva build for mondo, so I had to call for these distro now %configure2_5 as a macro, instead of %configure.

And I still have some issues remaining, with busybox on SLES 9, Mandriva 2009.1, and RHEL 3, with some old SuSE (10.1-11.0) and old Asianux 2, RH 7.3/9, RHAS 2.1 … So Project-Builder.org gained at this occasion a new feature which consists in enumerating on the remote repo which packages have been built correctly or not. And chain the result to a sbx2vm option through the new –rebuild option, which will trigger the rebuild of all not correctly built packages. Very handy ! And will be used to finish publishing what is missing and still useful.

But I already delayed too much the delivery of that important evolution in the project life, so it was time to officially introduce MondoRescue 3.0.0 to the world !

And finally, looking at all the modifications since the latest stable, MondoRescue really deserves its 3.0.0 label ! I won't be able to keep up with the Linux kernel, now at 3.2, but hopefully you'll find that new version useful. It fixes a lot of issues brought up recently on the mailing list. It remains to work on the Xen kernel support more precisely, but most of what I wanted to fix is in it, including OBDR fixes, RHEL 6.2 fixes, SSSTK ProLiant support improved, loop mount issues, bootable USB keys, mdadm support for metadata, and a grub install fix among many others.

You'll need to use mondo 3.0.0 with mindi 2.1.0 and mindi-busybox 1.18.5 to have a working environment, as underlined on our Wiki.

And even if it’s a 3.0.0 number, I consider it stable and in the line of latest 2.2.9.x versions. I’d like to avoid copying my Red Hat friends with their .0 versions ;-)

Happy New Year and Disaster Recovery with MondoRescue !
