Planet CentOS

May 15, 2008

Daniël de Kok

Impact of the Debian OpenSSL vulnerability

We have posted a warning about the impact of the Debian OpenSSL vulnerability on the CentOS-announce list, but I think it is useful to repeat it here (for readers of CentOS Planet) as well:

A severe vulnerability was found in the random number generator (RNG)
of the Debian OpenSSL package, starting with version 0.9.8c-1 (and
similar packages in derived distributions such as Ubuntu). While this
bug is not present in the OpenSSL packages provided by CentOS, it may
still affect CentOS users.

The bug barred the OpenSSL random number generator from gaining enough
entropy required for generating unpredictable keys. In fact it
appears that the only source for entropy was the process ID of the
process generating a key, which is chosen from a very small range and
is predictable. As such, all keys generated using the Debian OpenSSL
library should be considered compromised. Programs that use OpenSSL
include OpenSSH and OpenVPN. Note that GnuPG and GNU TLS do not use
OpenSSL, so they are not affected.

This vulnerability can affect CentOS machines through the use of keys
that were generated with the OpenSSL package from Debian. For
instance, if a user uses OpenSSH public key authentication to log on
to a CentOS server, and this user generated the key pair with a
vulnerable OpenSSL library, the server is at heavy risk because the
key can be reproduced easily.

Additionally, all (good) DSA keys that were ever used on a vulnerable
Debian machine for signing or authentication should also be considered
compromised due to a known attack on DSA keys.

As a result of this bug, everyone should audit *every* key or
certificate that was generated with OpenSSL, to trace its origin and
make sure that it was not generated with a vulnerable Debian OpenSSL
package. Or, in the case of DSA keys, care should be taken that they
were not generated or used on a system with a vulnerable OpenSSL
package. Keys that are potentially compromised should be replaced with
strong keys.

The Debian Wiki[2] has a preliminary list of affected applications. A
tool to detect potentially weak keys is also provided, but it contains
an incomplete list of affected keys and can give false positives.

The Metasploit project provides a full list of weak keys in various
configurations[3].

Questions on how this may affect CentOS users should be directed to
the CentOS users list. List subscription information is available
from:

http://lists.centos.org/mailman/listinfo/centos

With kind regards,
The CentOS Team

[1] http://www.debian.org/security/2008/dsa-1571
[2] http://wiki.debian.org/SSLkeys
[3] http://metasploit.com/users/hdm/tools/debian-openssl/

by Daniel at May 15, 2008 09:23 PM
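The key audit the announcement asks for, sketched for OpenSSH authorized_keys files as an added example (not code from the CentOS team, Debian or Metasploit). The blacklist format is an assumption (one hex MD5 fingerprint, or a trailing part of one, per entry), the keys are constructed sample data, and every DSA key is marked for manual review because a fingerprint list cannot show where a DSA key has been used.

```python
import base64
import binascii
import hashlib
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss")  # SSH public key types covered by this audit


def read_string(blob, offset):
    """Read one length-prefixed field of a key blob; return (bytes, next_offset)."""
    end = offset + 4
    if end > len(blob):
        raise ValueError("truncated key blob")
    end += struct.unpack(">I", blob[offset:offset + 4])[0]
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def parse_key_line(line):
    """Return (key_type, blob, comment) for an authorized_keys line, else None."""
    if line.lstrip().startswith("#"):
        return None
    fields = line.split()
    # Options such as command="..." may precede the key and may themselves
    # contain the text "ssh-rsa", so accept a candidate only if the next field
    # decodes to a blob whose embedded type name agrees with it.
    for i, field in enumerate(fields[:-1]):
        if field not in KEY_TYPES:
            continue
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
            name, _ = read_string(blob, 0)
        except (binascii.Error, ValueError):
            continue
        if name == field.encode("ascii"):
            return field, blob, " ".join(fields[i + 2:])
    return None


def key_bits(key_type, blob):
    """Bit length of the RSA modulus n or of the DSA prime p."""
    _, offset = read_string(blob, 0)            # type name
    value, offset = read_string(blob, offset)   # RSA: e, DSA: p
    if key_type == "ssh-rsa":
        value, offset = read_string(blob, offset)  # RSA: n
    return int.from_bytes(value, "big").bit_length()


def md5_fingerprint(blob):
    """Colon-separated MD5 fingerprint of the raw public key blob."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def audit(lines, weak_fingerprints):
    """Return (lineno, verdict, key_type, bits, fingerprint, comment) per key."""
    weak = {w.replace(":", "").lower() for w in weak_fingerprints if w.strip()}
    findings = []
    for lineno, line in enumerate(lines, 1):
        parsed = parse_key_line(line)
        if parsed is None:
            continue
        key_type, blob, comment = parsed
        fingerprint = md5_fingerprint(blob)
        digits = fingerprint.replace(":", "")
        if any(digits.endswith(entry) for entry in weak):
            verdict = "WEAK"        # listed: replace the key
        elif key_type == "ssh-dss":
            verdict = "REVIEW"      # DSA: trace where it was generated and used
        else:
            verdict = "not-listed"  # not proof of safety, the list may be incomplete
        findings.append((lineno, verdict, key_type, key_bits(key_type, blob),
                         fingerprint, comment))
    return findings


def constructed_blob(key_type, *integers):
    """Build a structurally valid key blob from made-up integers (sample data)."""
    def field(raw):
        return struct.pack(">I", len(raw)) + raw
    body = b"".join(field(n.to_bytes(n.bit_length() // 8 + 1, "big"))
                    for n in integers)
    return field(key_type.encode("ascii")) + body


def sample_line(prefix, key_type, blob, comment):
    return "%s%s %s %s" % (prefix, key_type, base64.b64encode(blob).decode(), comment)


# Constructed sample input: these are not real keys.
RSA_A = constructed_blob("ssh-rsa", 65537, (1 << 2047) | 0xA5A5)
RSA_B = constructed_blob("ssh-rsa", 65537, (1 << 2047) | 0x5A5B)
DSA_C = constructed_blob("ssh-dss", (1 << 1023) | 1, (1 << 159) | 1, 2, 3)
SAMPLE_AUTHORIZED_KEYS = [
    "# constructed sample file",
    sample_line("", "ssh-rsa", RSA_A, "alice@debian-laptop"),
    sample_line('from="10.0.0.*",command="echo ssh-rsa only" ', "ssh-rsa",
                RSA_B, "backup@centos"),
    sample_line("", "ssh-dss", DSA_C, "bob@workstation"),
]
SAMPLE_BLACKLIST = [md5_fingerprint(RSA_A)]  # pretend the first key is listed

if __name__ == "__main__":
    for finding in audit(SAMPLE_AUTHORIZED_KEYS, SAMPLE_BLACKLIST):
        print("line %d: %-10s %s %d bits %s %s" % finding)
```

A "not-listed" result only means the fingerprint is absent from the list supplied; the origin of the key still has to be traced as the announcement describes.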

May 08, 2008

Jim Perrin

Abusing MySQL

One of the larger complaints about mysql for me has always been the hoops required to find out basic information. I want to check my GRANTS periodically to check permissions. I want backups to not take forever, and I want to be able to use find. Turns out, I can have everything I want [...]

by Jim Perrin at May 08, 2008 05:21 PM

May 05, 2008

Karanbir Singh

Lirc capable remote

Does anyone have a Lirc ( http://www.lirc.org/ ) compatible remote they would like to recommend ?

- KB

by Karanbir Singh at May 05, 2008 01:42 PM

May 02, 2008

Fabian Arrotin

IBM Director 5.20.2 agent setup on CentOS/EL

I’m used to deploying IBM Director server/agents on IBM hardware to monitor hardware/services .. and surely due to the fact that I work for an IBM business partner and that I give the IBM Director course for IBM myself … ;-)

But there is something really annoying: each time you receive an IBM Director CD/ISO image (like the 5.20.2 that you can download from the IBM support website), it should normally contain the Linux level 2 agent for each of the supported Linux distributions (aka RHEL 3,4,5, SLES 9,10 and VMware ESX). You can even integrate such an agent in the Director console to push it to a remote machine (in fact it will do it through ssh … so be careful if you tuned sshd to accept only specific user/key-based auth …)

But last time I had to deploy it on CentOS machines (usually a simple change in the /etc/redhat-release file is enough ;-) ) I did it from the Director console … The task was marked as successful but nothing was installed .. (how the hell could Director answer me that it was successful if it was not the case?). Okay, let’s do it manually then … but then I saw that the level 2 agent located on the CD (director/agent/linux/i386/FILES/dir5.20.2_agent_linux.sh -x) contained only the RHEL3 and SLES10 RPMs inside! WTF?

You can download the full Director Linux agent 2 package on the IBM website and that one will contain all the required RPMS …

by fabian.arrotin at May 02, 2008 08:13 AM

April 29, 2008

Ralph Angenendt

Linuxtag 2008 update

The meeting in #centos-social takes place on May 4th 2008 and NOT March 4th 2008. Looks like there are still some intellectual property issues with CPTM (CentOS Public Time Machine), so we had to reschedule that event.

We hope to have the machine ready for Linuxtag 1875, though.

Sorry.

April 29, 2008 10:01 PM

Linuxtag 2008

Linuxtag 2008 is coming closer by the minute (May 28th to May 31st 2008) - and we are going to be there. And so can you - either as a visitor or with us at the booth we have there!

To coordinate this event, there is going to be a “Meeting” in the IRC channel #centos-social on the freenode IRC network. The meeting will take place on Sunday, May 4th 2008 (not March 4th) at 22:00 CEST (that’s 20:00 UTC). Just connect to irc.freenode.net with an IRC client and /join #centos-social then.

So if you want to be part of Linuxtag 2008: Be there on Sunday! Or you could subscribe to the centos-promo mailing list and discuss matters there.

See you!

April 29, 2008 09:52 PM

April 24, 2008

Ralph Angenendt

Patch your kernel without rebooting

Now this is way cool. It’s a way to apply a security patch against your kernel without having to reboot — which is one of the reasons why people normally hesitate to update the kernel.

This doesn’t work with every security update, as ksplice cannot work with patches updating data structures in the kernel code, but 42 of the last 50 kernel security patches wouldn’t have required a reboot.

I hope that the distributors take a sharp look at the mechanisms behind ksplice and incorporate that into their (enterprise) products.

April 24, 2008 11:52 PM

April 10, 2008

Jim Perrin

CentOS 5 and aide

In recent days, the subject of intrusion detection systems for centos has come up. To cover this and hopefully help some folks out, I’ve decided to do a brief writeup of Aide, the IDS which comes with CentOS. Please don’t confuse this with SELinux. SELinux is a Mandatory Access Control style permissioning system. SELinux stops people from getting into your system via protected applications. Aide lets you know if they actually get beyond SELinux and onto your system.

Installing Aide

yum install aide

What? You expected it to be harder? Now that we have aide installed, we need to configure it. The default config file should be okay for most folks who haven’t relocated things on the distro too much. Double check to make sure that all the directories you want to scan are listed. If you want to fine-tune the aide config, then you’ll need to edit /etc/aide.conf.

Initializing Aide’s Records

The next thing we need to do is create the initial aide database. For this, you need to run the following command:
# /usr/sbin/aide --init

This will take a little bit of time to run, and you’ll have some disk churn for a minute or two while aide investigates your system and creates a baseline. Once this is done, we’re going to run an initial query of the system, just to make sure that everything’s working properly. To do this, run the command below:
# cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
# /usr/sbin/aide --check

This copies the initial database to the current database, then checks them against each other. In theory you should not have any differences. If you do, investigate them. As we’re still setting this up, they’re likely to be mundane .viminfo files or something similar. Keep in mind that when you update applications via ‘yum update’ that you may see aide go a bit nuts, just as tripwire or others would. You’re replacing files on your system when you update, and this is exactly what aide is designed to warn you about. In a perfect world, you should get some output like the text below:

# aide --check
AIDE, version 0.13.1
### All files match AIDE database. Looks okay!

Once we’re satisfied that aide is working as we expect, it’s time to set up a periodic check of the system. Only you can determine what’s often enough for your servers. I personally run aide as weekly cron, by creating a file in /etc/cron.weekly/ called aide.cron, with the following contents:


#!/bin/bash
/usr/sbin/aide --check | /bin/mail -s "Weekly Aide Data" email@host.com

This runs my check once a week. That’s pretty much it to setting up aide. If you want to see more options for aide, please check out the documentation in /usr/share/doc/aide-*/

Update:

So it seems that by default, aide requires selinux to be enabled, or at least permissive so that it can record the selinux contexts of the files it watches. If for some reason you really, truly want to have selinux disabled, but you still want aide to watch the system, use the config file below. It is identical to the default scan, but with the selinux bits removed.

selinux-free.aide.conf

by Jim Perrin at April 10, 2008 03:41 PM
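A variant of the weekly check above that puts the verdict in the mail subject, so a failed run (for example a missing database) cannot be mistaken for a clean one. This is an added example, not the author's script; the exit status values are those documented in the aide(1) manual page and should be checked against the version installed, and the binary paths and recipient are the ones used in the post.

```python
import socket
import subprocess

# `aide --check` exit status per aide(1): the sum of these bits for findings...
CHANGE_BITS = ((1, "added"), (2, "removed"), (4, "changed"))
# ...and fixed values for generic failures.
ERROR_CODES = {
    14: "error writing",
    15: "invalid argument",
    16: "unimplemented function",
    17: "invalid configuration line",
    18: "I/O error",
    19: "version mismatch",
}
TAGS = {"ok": "AIDE OK", "changed": "AIDE CHANGED", "error": "AIDE ERROR"}


def classify(status):
    """Map an `aide --check` exit status to (level, description)."""
    if status == 0:
        return "ok", "all files match the database"
    if 1 <= status <= 7:
        kinds = [name for bit, name in CHANGE_BITS if status & bit]
        return "changed", "files " + ", ".join(kinds)
    # Anything else (documented error, signal, unknown value) is a failed
    # check, not a clean one.
    return "error", ERROR_CODES.get(status, "unexpected exit status %d" % status)


def subject_for(status, host):
    """Subject line carrying the verdict, so mail filters can act on it."""
    level, text = classify(status)
    return "[%s] %s: %s" % (TAGS[level], host, text)


def run_check(aide="/usr/sbin/aide", mail="/bin/mail", recipient="email@host.com"):
    """Run the check and mail the report every time, keeping the weekly heartbeat."""
    proc = subprocess.run([aide, "--check"], stdout=subprocess.PIPE,
                          stderr=subprocess.STDOUT, universal_newlines=True)
    subject = subject_for(proc.returncode, socket.gethostname())
    subprocess.run([mail, "-s", subject, recipient], input=proc.stdout,
                   universal_newlines=True)
    return proc.returncode


if __name__ == "__main__":
    raise SystemExit(run_check())
```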

April 09, 2008

Daniël de Kok

CentOS vendor support

Official vendor support for an operating system contributes highly to the visibility of a system. Therefore it is very encouraging to see that VMWare is planning to support CentOS as a guest and host(?) system in its upcoming VMWare Workstation 6.5 product. Kudos go out to VMWare for planning to support CentOS, as well as releasing guest OS tools under a free software license.

Of course, we would love to see more vendors supporting CentOS. And given the fact that we try to be fully binary compatible with our upstream vendor, it should not require retraining of support personnel or much additional effort. It's surprising to see that some vendors do not support CentOS even when their infrastructure or developers rely on CentOS. Of course, many vendors will create their offerings based on customer demand. So, don't hesitate to speak up, and ask your software vendor to support CentOS. Maybe even drop a few lines on why you prefer CentOS over the operating systems that they do support (such as stability, long term support, etc.). Finally, let the community know if a major product starts supporting CentOS; other people may have been waiting for support as well (and as a kind "thank you" to that particular company).

by Daniel at April 09, 2008 09:13 AM

April 08, 2008

Jim Perrin

ssh oneliners

Some handy commands to remember when you really need to abuse ssh.

ssh -X remotehost # yawn. X forwarding through ssh.

ssh -Y remotehost # trusted X forwarding through ssh. Still yawn, let’s do something fun.

ssh -D2222 remotehost # This is okay. This command sets up a SOCKS proxy on port 2222 which can be used with firefox (and Internet Explorer if you really hate yourself) to avoid office internet filters…. not that I condone such anti-social behavior.

ssh -L 3306:database.example.net:3306 remotehost # okay, now we’re getting interesting. This generates an ssh tunnel between your machine and the remote box on port 3306. This works for connecting to remote mysql instances when firewalls would ordinarily interfere. Simply point your mysql client to localhost:3306 and you’re off and running. This can also be applied to other applications as well. A slight modification, and you get the string below:

ssh -L3389:remote.win2k3.server:3389 user@remote.linux.box # This command is a variation on the command above, allowing us to connect to those unsightly windows machines via rdesktop for remote administration. Best of all, we do this without opening up the remote desktop ports to the outside world. Remember folks, that windows code is expensive, you have to keep your precious little snowflakes safe after all.

With the commands above, you can alternatively add -f, if you want ssh to go to the background after the authentication portion is handled. Otherwise it’ll just leave you sitting at a remote shell prompt. If you wanted to add a built-in self-destruct, you could add 'sleep 30' after the ssh command strings above. This tells ssh to exit after 30 seconds if nothing has made a connection via the tunnel created.

ssh -nNT -R 2222:localbox:2222 remotebox # This command lets you create a reverse ssh tunnel, so that if you connect to remotebox:2222, you’ll be connected to the local machine on port 2222 also. This is useful when you really want to go home at night, but your boss demands you keep working. This way, you each get what you want, and you can avoid the firewall your office employs to keep folks from remotely connecting to…well, if you’re using this, you don’t really care. :-P

Crap, what if I already have an ssh session open, but I forgot to create the tunnel? Not to worry, there are escape keys to rescue you. Operating a little like screen, ~C will open an ssh command prompt so that you can start or stop tunnels as needed. It’ll look a bit like the one below:

[jperrin@server ~]$
ssh> help
Commands:
-Lport:host:hostport Request local forward
-Rport:host:hostport Request remote forward
-KRhostport Cancel remote forward

As always, we’re just scratching the surface of what ssh can do, so if you want more information, fire up ‘man ssh’ in your favorite terminal and sit down for a good read.

by Jim Perrin at April 08, 2008 05:22 PM

Customize SSH

SSH is a staple of *nix environments, however most people don’t take the time to customize it in order to take advantage of the deeper features. If you have more than a few machines to log into or administer, it’s pretty likely that you’ve also got a few usernames to go along with them. By creating a personal ssh config file, you can shave a few seconds and a few keystrokes off your logins. You can even create profiles for several user accounts on the same machine if you have specific task based logins.

To get started with your own personal config file, create and open ~/.ssh/config in your favorite text editor. The easiest way to organize this file is to break it up into host based sections, similar to the example below.

# Short name you can use to start a session
Host SessionName
    # FQDN or IP of the server
    HostName server.example.com
    # Unprivileged username for this session
    User myuser

Host Session2
    HostName server.example.com
    # This is a 2nd user with sudo access to the same server
    User myadminuser
    IdentityFile id_rsa

Host server2
    HostName server2.example.com
    # Yet another user on another host
    User yetanother
    IdentityFile second_rsa_key
    # Server has limited bandwidth, so enable compression
    Compression yes

Host backup
    HostName backups.example.com
    # Backup user
    User backupuser
    # Connect from this IP address
    BindAddress 192.168.1.2
    # Use this port instead of 22
    Port 2222

As you can see from the example above, we change ssh keys so you don’t have to use the same one, ssh usernames to eliminate the @, and the address ssh connects from since we have multiple IP addresses on this system. This isn’t really even scratching the surface of what you can do with ssh, so if you have even more customizations in mind, have a read through the ssh_config manpage in your favorite terminal.

by Jim Perrin at April 08, 2008 04:04 PM

April 06, 2008

Fabian Arrotin

Red Hat EMEA Partner summit event - part 2

Red Hat partner summit is over and I really enjoyed it for both the technical labs/presentations and the nice discussions I had with Red Hat employees (for example I really appreciated Boris Devouge’s talks). One thing that was announced is the upcoming release of Paravirt drivers for Windows DomU (probably they will be released somewhere between 5.2 and 5.3). I’ve seen them in action during a lab organized by Olivier Reneault and it’s funny to see that Windows device manager reports them as ‘RHEL scsi driver disk’ and ‘RHEL PV nic driver’. It seems the goal (as usual with Red Hat, unlike what Novell is always doing regarding this …) is to release them under the GPL. In fact, my discussion with Olivier taught me that they were/are developed in collaboration with Hitachi.

Another thing that I learned is that PV drivers/modules for EL3 are on the way too (you’ll never have a xen kernel for el3 because of its 2.4 kernel …) so that you’ll have better performance too.

During some presentations and labs it was also mentioned that RHN/Satellite technology will also be released as open-source/GPL, but the main stopping problem is that actually both products use Oracle as a backend, and that also explains the prices for such products. I explained to them that what I do for some customers who want to save bandwidth without having to pay for Satellite is that I use reposync (from the yum-utils package) to mirror the RHN channels on a local machine .. and I was astonished that some RH tech people didn’t know that it was included in the base EL5 …

Last but not least is the fact that the Partner portal changed a bit several weeks ago and I decided to update the profile. When you do it you’re asked several questions including ‘Which products do you actually support ?’ and in the list, below RHEL, SLES and MS Windows, I saw CentOS … ;-)

by fabian.arrotin at April 06, 2008 07:49 AM

April 04, 2008

Jim Perrin

death to the tilde

Well, for the past 2 hours, I’ve been fighting with mod_rewrite to get rid of the ~ character that apache shoves into a url for the UserDir directive by default. Since having a url like http://example.com/username/foo.html is far neater than http://example.com/~username/foo.html, and mostly because hughesjr has been after me to fix it, I finally have a solution.

So, for those of you thinking “uh, there’s an example for doing this right in the httpd docs”… let me save you the trouble. It doesn’t work. The instructions at http://httpd.apache.org/docs/2.2/rewrite/rewrite_guide.html cause the url to be rewritten properly, but then promptly 404 because it looks in /var/www/html/u/username/ for the files. After digging around in google, and working with some friendly folks in #apache (yes they do exist) we have a solution:

RewriteEngine On
#RewriteLog logs/rewrite.log # Uncomment for rewrite logging
#RewriteLogLevel 3 # uncomment for verbose logging
RewriteCond %{REQUEST_URI} ^/([^/]+)
RewriteCond /home/%1 -d
RewriteRule ^/([^/]+)(.*) /home/$1/public_html/$2

Take that bit of code, and drop it into /etc/httpd/conf.d/homedir.conf or wherever else you’d like in your httpd configs, and reload apache. From there you’ll be able to use shorter, sexier UserDir urls for your users’ webpages.

by Jim Perrin at April 04, 2008 02:08 AM

April 03, 2008

Jim Perrin

Sysinit triggers

When you boot up a typical RHEL or CentOS system, there are a number of checks that occur during that boot process. While you can see most of them mentioned during startup, or via the green [OK] during boot if you’ve disabled the quiet boot, a few useful ones are still hidden. These are control files which can be dropped into / by an admin and are checked silently by /etc/rc.sysinit on boot. These hidden files can have a profound impact on your system’s behavior if you use them properly. Because these files aren’t meant to be permanent, they’re often deleted after they’re used.

Autorelabel

If you have the file /.autorelabel your system will check to see if you’re using selinux, and subsequently relabel your entire file structure on boot. If you’re having an issue getting your selinux contexts correct, this is a handy way to fix things if you’re rebooting anyway. Now, this isn’t just a completely automatic utility, so if you want to fine-tune things, or do this on your own, you can add 'AUTORELABEL=0' on its own line to /etc/sysconfig/selinux. This will drop you to init1 so that you can fix things manually.

Autofsck

Having a file called /.autofsck will cause the system to fsck its filesystems on boot. If you have a file called /fsckoptions, or /etc/sysconfig/autofsck, they’ll be parsed for instructions about just exactly how you want fsck to run against your file systems.

Forcequotacheck

The /forcequotacheck file does essentially exactly what it says. With this file in place, your system will check every applicable mount point for quota compliance. If you use quotas on your filesystems, keep this one in mind. If not, you can ignore it like everyone else.

Unconfigured

We saved the best for last with this one. The /.unconfigured file, if present on your system, will trigger a whole host of actions. This file will, on reboot, essentially return the system to a ‘firstboot’-like state. It will prompt you for a keyboard type, root password, network configuration info, timezone, and authentication method. This file is useful for resellers and VARs who push out machines on a regular basis. You can install, configure it how you want it, put all your bits in, and then drop a file and ship it off to a customer to ‘configure’ when it arrives. It also makes for a darn MEAN April fool’s day joke with your local BOFH. :-P

by Jim Perrin at April 03, 2008 07:28 PM

April 02, 2008

Fabian Arrotin

Red Hat EMEA Partner summit event - part 1

I actually have the chance to attend the Red Hat EMEA partner summit event in Malaga (Spain) and I had the opportunity to listen to Jim Whitehurst, the new Red Hat CEO .. he’s really pleasant to listen to.

We (Dag Wieers and myself) had the opportunity to talk to Scott Crenshaw, the Red Hat vice president, about CentOS .. but I’ll probably come back to that later … One thing he announced during his presentation was Ovirt.org, which is an http-based Virtual Machine management system. This was produced by the Red Hat emerging technologies group, so basically by the same people that brought koan and cobbler to life. I’m now interested in testing it and seeing how it can compete against other http-based systems like openqrm .. while on the other hand openqrm is not limited to vm deployment and provisioning …

by fabian.arrotin at April 02, 2008 03:00 PM

March 28, 2008

Jim Perrin

PHP with ODBC and MSSQL

Building off yesterday’s entry, today we’re going to add php into the mix. Mostly to add php, you’ll need to go through all of the previously mentioned steps, and a couple more for php. I’m going to assume that you have isql odbc queries working and that you’ve installed php-odbc. We’ll move on from there.

Since the Data Source Names, or DSN’s are user specific, and apache is a system account, we have to change a few things to make this work. You’ll need to create a system wide DSN, and to do this, we’re going to need to edit /etc/odbc.ini.

Open up /etc/odbc.ini as root, and add an entry similar to the data template we added yesterday. It should look like the one below.

[mymssql]
Driver = FreeTDS
Description = Sample Database
Trace = No
Server = my.mssql.server
Port = 1433

With this in place, you can go ahead and get your php ready. Sample code is below:


<?php
echo "How many users logged in last week";
// Connect to the database through the system-wide DSN from /etc/odbc.ini
$connect = odbc_connect("mymssql", "statuser", "statpass") or die("Could not connect to the database");
// Basic query, salt to taste
$query = "SELECT COUNT(user_id) from USERS";
// Actually run the query
$result = odbc_exec($connect, $query) or die("Query failed");
// Iterate through the results and print the first column of each row
// (odbc_result_all() here would skip the row odbc_fetch_row() already fetched)
while (odbc_fetch_row($result)) {
    echo odbc_result($result, 1);
}
odbc_close($connect);
?>

That’s it. That’s all it takes to make php work with Microsoft SQL Server via odbc. There are some issues that you may run into. For example, counting the results on certain versions of MSSQL will always return a value of -1, which is less than useful. You can either code around this yourself, or you can use adodb to communicate with your database and continue to simplify things.

by Jim Perrin at March 28, 2008 07:18 PM

March 27, 2008

Jim Perrin

Chatting with MSSQL

As much as I wish I could have a pure Linux machine room, this just is not to be. I have to watch over several windows machines in addition to the Linux bits I love so much. Recently I’ve had a need to talk to our Microsoft SQL servers and pull data from them to our Linux servers for statistics gathering. In order to get CentOS to talk to Microsoft’s SQL server, you’re going to need FreeTDS.

To get FreeTDS, you will need to use the RPMForge repository. With RPMForge enabled, run the command yum install freetds. Once this command finishes it’s time to configure freetds.

To configure FreeTDS, there really isn’t that much you need to do. Simply open /etc/freetds.conf, scroll to the bottom of the file, and add a line for your MSSQL server similar to the sample listings in the file already. Basically you should have a section looking like the one below:


[mymssql]
host = my.mssql.server
port = 1433
tds version = 8.0

Now, at this point we need to test the connection between FreeTDS and MSSQL, so I’ll assume that you have a user who can connect to MSSQL via a network connection. If not, you need to make one. To test FreeTDS, open up a terminal window and type in tsql -S mymssql -U username. If all goes well, you should be prompted for a password, and then get a numbered prompt. See below for the expected results:

[root@statbox etc]# tsql -S mymssql -U statuser
locale is "en_US.UTF-8"
locale charset is "UTF-8"
Password:
1>

If you get the numbered prompt like the one above, then so far so good. At this point, you can actually run sql queries directly from FreeTDS’s tsql client, but it can be incredibly cumbersome to do so. A better method to extract data from MSSQL is to use the unixODBC package to communicate with FreeTDS for you. The unixODBC client will clean up and clarify the responses you get from FreeTDS so that you can actually make sense of things. It should already be installed on your system, but you can verify by running the command rpm -q unixODBC. If rpm tells you that it’s not installed, simply use yum to get it from the base CentOS repository.

To use the unixODBC package, we again have to configure a few things, because by default unixODBC comes configured only for postgresql. Most of the guides you’ll find reference the gui utilities for configuring things, but there’s really no need for all of this. The easiest way is to simply create a couple template files and import them.

The first template file that we need to create is the driver, which tells unixODBC how to talk to FreeTDS. For this, open up your favorite text editor (it had better be vim) and create a file called driver.tpl with the contents listed below:

[FreeTDS]
Description = version 0.64
Driver = /usr/lib/libtdsodbc.so.0

Now save this file, and import it (as root) by running the command odbcinst -i -d -f driver.tpl. You should get some output similar to the following:

odbcinst: Driver installed. Usage count increased to 1.
Target directory is /etc

You can verify that everything was added properly by checking the contents of /etc/odbcinst.ini. Now what we need to do is set up the data portion for ODBC. This is done on a per-user basis and creates a DSN, or Data Source Name.

As your normal user (or whoever will be connecting to the database), create a text file called datasource.tpl with the following format, substituting your own information where appropriate:

[mymssql]
Driver = FreeTDS
Description = Sample Database
Trace = No
Server = my.mssql.server
Port = 1433
Database = puppies

Once you’ve got this file all set, we need to create the DSN. To do this run the command: odbcinst -i -s -f datasource.tpl. We should be able to test this now by using isql. You should see a prompt like the one below:

[user@statbox ~]$ isql -v mymssql statuser statpass
+---------------------------------------+
| Connected!
|
| sql-statement
| help [tablename]
| quit
|
+---------------------------------------+
SQL>

That’s pretty much it. From here, you can simply use isql to run your mssql queries and grab the information that you need, just like you would with mysql or postgresql.

by Jim Perrin at March 27, 2008 05:36 PM

March 24, 2008

Karanbir Singh

CentOS5 on the Asus EEEpc - Part1

Matthew and I spent some time today working on getting the CentOS-5 installer done so it works out of the box for network installs onto an EEEpc.

For now, take a look at his post, and the pictures he has posted online. More details from my side as soon as I can get my notes etc sorted out. There are a few issues that still need attention, but we are looking fairly good so far.

- KB

by Karanbir Singh at March 24, 2008 01:22 AM

March 18, 2008

Dag Wieërs

Enjoying alpine to the fullest

I know most of you don't care about my alpine fetish, but this goes out to my fellow alpine users :-)

Pine was almost dead for years and likely because of that I never reconsidered optimising my mail-usage. With alpine's rebirth I have been busy improving my daily overload of personal messages.

One of the things I was losing considerable time with was attachments. I often get non-text attachments (like RPMs, Word documents, PDF, archives) and to remotely look at them was a major pain (save attachment, remember name, copy to local machine or somewhere shared, then open to find out it was useless). Especially when you just need a small piece of information, the drag of going through this often caused me to "bounce" my mail to Google Mail and use the browser. And even for patches, it could be better.

So yesterday I revisited my ~/.mailcap file and improved it to only use terminal applications and now it includes the following entries:


### antiword
application/msword; antiword -t %s; copiousoutput

### cat
application/pgp-signature; cat %s; copiousoutput

### cdiff (needs coloroutput)
text/x-diff; cdiff %s; needsterminal
text/x-patch; cdiff %s; needsterminal

### elinks (needs input)
application/xhtml+xml; /usr/bin/elinks -force-html %s; needsterminal
text/html; /usr/bin/elinks -force-html %s; needsterminal

### mc (needs input)
application/x-7zip; /usr/bin/mc %s#u7z; needsterminal
application/x-bzip2; /usr/bin/mc %s#utar; needsterminal
application/x-gzip; /usr/bin/mc %s#utar; needsterminal
application/x-patch; /usr/bin/mc %s#patchfs; needsterminal
application/x-rpm; /usr/bin/mc %s#rpm/CONTENTS.cpio#ucpio; needsterminal
application/x-tar; /usr/bin/mc %s#utar; needsterminal
application/zip; /usr/bin/mc %s#zip; needsterminal

I can now just go inside archives and RPMs (using midnight commander), I can look inside Word documents, HTML messages can be browsed and patches are colorized ! Only PDF files needs some more love and attention. To summarize, I rule :-)

(Leave your Thunderbird and Evolution remarks to yourself please. No swearing either !)

BTW Alpine 1.10 is released !

by dag at March 18, 2008 05:08 PM

March 15, 2008

Fabian Arrotin

Birth of fr.centos.org

(For non-native French speakers: this will be my only announcement here in a language other than English ;-) )

The CentOS project is pleased to announce the birth of the site http://fr.centos.org .
In response to growing demand from the French-speaking CentOS user community, the fr.centos.org forum has been created.
We take this opportunity to renew the call for volunteers to translate the existing wiki (http://wiki.centos.org) ;-)
To do so, first subscribe to the centos-docs mailing list (at http://lists.centos.org) and create a login on the wiki.
Then ask for permission to edit the pages under http://wiki.centos.org/fr …

We would particularly like to thank Guillaume Kulawoski, who came up with the idea and set up the forum, as well as Thierry Delmonte for the graphic design.

See you soon on fr.centos.org!

by fabian.arrotin at March 15, 2008 03:38 PM

Dag Wieërs

Firefox 3 memory usage

As a fervent user of tabs in my browser, this article caught my attention. It explains in great detail all the different changes and improvements to Firefox that affect its memory usage.

At some point you start to wonder how it could have gotten this bad, but it usually takes a big swing in one direction to get corrective actions and a joint focus on what was neglected.

My only concern still is the memory usage of Java and I can only hope that the new OpenJDK initiative will not only produce a leaner JVM, but also one that ships and integrates well with every Linux distribution by default.

Stories like these not only focus on the technological improvements, but also on the effort of individual Open Source developers so it is easier to grasp the collective work Open Source software consists of.

Now, the next article I want to see is a similarly detailed report of the different performance improvements ! :-)

And RHEL5.2/CentOS-5.2 will likely ship Firefox 3 !

by dag at March 15, 2008 02:48 PM

March 14, 2008

Karanbir Singh

Another textarea edit aid : View Source With

So, following up on my last blog post about editing text areas using an external editor, I remembered that in the past there used to be an addon that could do view source in external editors / viewers, and checking again, it seems that you can now edit text areas as well using the same addon. It's called *drum roll* ViewSourceWith, written by David Ficano.

From their homepage, these are the goals:

- open page source as DOM document, read faq
- open CSS and JS files present on page
- open images using your preferred image viewer (e.g. GIMP or ACDSee)
- open PDF links with Acrobat Reader or Foxit Reader or what you prefer
- edit textboxes content with your preferred editor and automatically see modified text on browser when you re-switch focus on it, this simplifies wiki pages editing, read faq
- open server side pages that generate the browser content, this simplifies web developer's debug, read server-faq
- open files listed in Javascript console. When editor open file the cursor can be moved to line number shown on javascript console, read js faq

I've just installed it and the UI is much easier to work with (Dag is going to like this one a lot more). Don't have rpms as yet, but there will be some shortly. For now, just install it from their website.

- KB

by Karanbir Singh at March 14, 2008 09:11 AM

Dag Wieërs

RHEL 5.2 beta announced

RHEL 5.2 beta is released and many interesting features and software updates are expected.

It is very unusual for software to be updated (instead of bugfix backports) in a Red Hat Enterprise distribution (or CentOS for that matter) but there are exceptional cases where this makes more sense than the alternative.

Red Hat has decided that for desktop applications they can make that exception, meaning Red Hat and CentOS desktop users (me!) will soon be able to use a recent Firefox, Thunderbird or OpenOffice.

I welcome this decision although that means that I have to carefully rephrase my definition of RHEL/CentOS during customer meetings and presentations. I already used the wifi infrastructure backport in the RHEL4 series as such an example where customer requests (here Cisco) are validated and result in fresh fruit in old trees. Undoubtedly with a lot of testing and QA guarantees.

Now, the really big and exciting news (brought to me by Karanbir) is that RHEL 5.2 will include Dstat by default. Not only does it mean that I can die peacefully now, it also allows me to open a bug-report with Red Hat to fix my own code ;-)

Even though RHEL is the last distribution to include dstat, it is most dear to me since that is what I work with everywhere and what I promote. Thank you Red Hat.

Update: Only after posting I noticed that LWN did not exactly reference Red Hat's announcement directly, and that actually has all the good stuff in it :-)

by dag at March 14, 2008 02:12 AM

March 10, 2008

Karanbir Singh

Using your favourite text editor to edit textareas in Firefox

Everyone has an editor of choice, and when it comes to editing text areas, like wiki content or even just generic contact forms and doing posts in forums or blogs, it's quite irritating to not get access to that editor.

The only way to get access to that editor is to have it launch on some hot key, then when the textarea box comes up, do a select-all, cut and paste that content into the editor - then when you are done, select-all from the editor and paste that into the textarea. You could do this by hand, but it's quite a pain. In most cases it then boils down to which kind of pain you want to suffer: the lack of a decent editor built into Firefox, or the copy + paste pain of moving content between apps. The best medium would be if there was an app that would do this for you, and there is. It is called 'It's All Text!', and it's an addon to Firefox that does just this sort of thing. The project home page is here.

You install it as an addon, go into the preferences and select what editor you want to use. Then when a textarea comes up, a small button comes up, by default on the lower right corner, and clicking that will launch your editor, with the command line specified, and let you do the edit etc. When you are done, just save and quit. The addon will check the tempfile it set up for changes, and paste them back into the text area. If you want the 'edit' button somewhere else you can change that in the addon's preferences. I prefer the top left instead of the bottom right - since in lots of cases, the text area for wiki pages etc is quite large and I don't get the bottom right without needing to scroll the window a bit.

RPMS for CentOS-5 are here : i386 x86_64. Just click the Arch you need them for and it should install the addon.

- KB

by Karanbir Singh at March 10, 2008 06:58 PM

March 04, 2008

Jim Perrin

Getting apache to play nice

By default in CentOS and RHEL, apache does a very good job of handing out what you tell it. However if you deviate much from the usual html and php filetypes, you may find that some browsers try to render your files as text. Sometimes this is the desired behavior, and sometimes it’s not. I’ve been compiling a list of various extensions added to apache via the AddType directive for some time now, and enough folks have asked for it that it’s probably time to share it out. For those of you who are interested, here’s the filetype.conf I use. If something is missing, there are corrections to be made, or you’ve got questions, please ask in the comments.

Download it here

by Jim Perrin at March 04, 2008 05:36 PM

March 01, 2008

Karanbir Singh

Network booting Sparc / OBP machines

Been working with Johnny on getting the CentOS-5 Installer sorted to work on Sparc (essentially any recent Sun hardware including the UltraSPARC T1 CoolThreads stuff). However, the only Sparc machine that I have locally and is usable is an Ultra/10. Not the fastest machine on the planet, I know. Also, no one is allowed to crack jokes about it. So don't.

Anyway, getting network booting is easy for these machines, all you need is rarpd and tftpd installed on the machine. On a CentOS Machine here is how you would go about doing that :

yum install rarpd tftp-server
echo '{Mac Add of Machine} 192.168.1.45' > /etc/ethers
cp tftp64.img /tftpboot/C0A8012D
service rarpd start
{ edit the /etc/xinetd.d/tftp file and change disable=yes to disable=no }
service xinetd reload
{ on the SUN Machine, from OBP's 'ok' prompt type 'boot net' }

Couple of things to note here :

  • You need the MAC Address of the machine to put into the /etc/ethers file along with the IP address you are going to allocate it. If you don't know what the MAC address is, start the machine up and look in the syslog on the machine running rarpd, you will notice a message like this :

    Feb 29 00:17:10 monk rarpd[18869]: RARP request from 08:00:20:f8:d4:c7 on eth0

    And you can get the MAC from there.

  • If things don't work, edit the /etc/init.d/rarpd file and add a '-v' to the rarpd startup command line. Sometimes it helps to know what is going on.
  • rarpd will, by default, check to make sure there is a tftp image that the machine can boot, however it's worth telling rarpd where the tftpboot directory is, so add this to the end of the rarpd startup line in the initscript : -b /tftpboot
  • The filename you copy the tftp64.img file to must be the Hex format of the IP address you allocate the machine via rarpd, and it needs to be in uppercase. For those who can't convert between decimal IP and Hex there are online calculators.

Now, time for me to get back to installing stuff and seeing what I can help Johnny fix.

- KB

by Karanbir Singh at March 01, 2008 10:33 PM
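
As an added example (not part of the original post), the sketch below checks the point made in the notes above: each /etc/ethers entry must have a matching image whose name is the client's IP address in uppercase hex. The function names and the demo data are constructed for illustration, and it only handles literal dotted-quad IPs in the ethers file, as in the post.

```shell
#!/bin/sh
# Added example (not from the original post). Sample data is constructed.

# Print the TFTP image name for a dotted-quad IPv4 address: four octets
# as 8 uppercase hex digits, e.g. 192.168.1.45 -> C0A8012D.
ip_to_tftp_name() {
    local ip="$1" o1 o2 o3 o4 extra o
    IFS=. read -r o1 o2 o3 o4 extra <<EOF
$ip
EOF
    [ -z "$extra" ] || return 1            # more than four fields
    for o in "$o1" "$o2" "$o3" "$o4"; do
        case $o in
            # empty, non-digit, leading zero (printf would read octal), too long
            ''|*[!0-9]*|0?*|????*) return 1 ;;
        esac
        [ "$o" -le 255 ] || return 1
    done
    printf '%02X%02X%02X%02X\n' "$o1" "$o2" "$o3" "$o4"
}

# Walk an ethers file ("MAC IP" per line) and report, per client, the
# image name it will request and whether that file is in the TFTP dir.
# Exit status is non-zero if any entry cannot boot.
check_netboot() {
    local ethers="$1" tftpdir="$2" rc=0 mac ip rest name
    while read -r mac ip rest; do
        case $mac in ''|'#'*) continue ;; esac     # blank line or comment
        if ! name=$(ip_to_tftp_name "$ip"); then
            echo "$mac $ip NOT-AN-IP"; rc=1; continue
        fi
        if [ -f "$tftpdir/$name" ]; then
            echo "$mac $ip $name present"
        else
            echo "$mac $ip $name MISSING"; rc=1
        fi
    done < "$ethers"
    return "$rc"
}

# Constructed demo: one client with an image, one with a lowercase name.
demo_netboot() {
    local d; d=$(mktemp -d) || return 1
    printf '%s\n' '08:00:20:f8:d4:c7 192.168.1.45' \
                  '08:00:20:00:00:01 192.168.1.46' > "$d/ethers"
    : > "$d/C0A8012D"; : > "$d/c0a8012e"   # second name is wrongly lowercase
    check_netboot "$d/ethers" "$d"; local rc=$?
    rm -rf "$d"; return "$rc"
}
```

On a real server the call would be `check_netboot /etc/ethers /tftpboot`, run before typing 'boot net' at the OBP prompt.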

Fabian Arrotin

Vmware server guest VMs on top of ocfs2

While I was testing ocfs2 on CentOS 5.1, one colleague of mine asked me if it was possible to have VMware server on top of ocfs2 to test a move from one node to the other node. Of course my first reaction was that vmware-server can't do live migration like esx/vmware infrastructure can... but because the machines were ready and it's fast to set up, we did the test.

The first vm refused to start on top of ocfs2, while the same vm started on local storage. Google pointed me to the correct answer in 3 seconds: you need to include a special parameter in the vmx (vmware guest config file) to have it working on top of ocfs2. The line to be included is: mainmem.usenamedfile="FALSE". You can find more information on the VMware forum regarding this.

We then were able to quickly move (by suspending a vm on node1 and resuming it directly on node2) a VM between the two physical machines. Of course that’s not live migration, but that’s very close to … and my colleague was happy ;-)

by fabian.arrotin at March 01, 2008 07:37 AM

Dag Wieërs

My ideal email client

For 10 years I have been praying for a much more convenient email program, one that understands my relation with incoming mail and incoming folders. Let me explain...

I get lots of mails from different sources. Some are addressing me, others have me in Cc:. Some are from mailing lists that are very important to me (because I am responsible for answering), others I just want to follow up if I have some time. My email-client however treats all these mails the same way.

This is really not Alpine's fault, in fact, none of the email clients do what I desire. What I want is a "virtual view" (yes, think Evolution) but one that is smart about the emails it lists. Let me give some examples:

  1. I may want to choose that emails addressed to my personal address in To: or Bcc: require an answer from me, unless I delete it from this "virtual view"
  2. Mails that have my personal email address in Cc: may have a different policy. One where I read it and do not answer would remove it from this "virtual view" as well, if I so desire and configure it. But if I want to keep it explicitly, I need to say so. (Opposite behaviour to 1.)

For some of the mailinglists I may want a similar behaviour as 1. For others 2 and yet others should not be in my "virtual view".

The end-result would be that my "virtual view" shows me only a list of emails that desire my attention (either need to be read, or need to be answered). With the ones that require an answer on top.

If my email client would have this functionality, I wouldn't be losing emails out of my sight whenever I get large volumes of email, as now frequently happens :-/

Alpine does show me (with flags) what mails were sent to me personally and which ones I have answered. But my inbox is not "virtual" and full of email that takes too many key-presses to move individually, blocking my view to the important emails I really should be answering first.

Oh yes, and it needs to be console-based !

Currently, I hate the fact that my email client assumes that recent mail is more important than anything else and I am too weak to teach it to behave better. Can you help me, please ?

by dag at March 01, 2008 03:23 AM

CentOS needs a slogan

The CentOS project is looking for more slogans that may end up on promotional material (eg media, flyers, posters or stickers). We already collected a few funny, ironic, sarcastic or even distasteful ones.

Feel free to visit our Slogans wiki page for a good laugh or rude offenses and add your own slogan by sending them to this thread.

And who knows, yours may end up somewhere ? If it gets selected, you win free CentOS updates for a whole month !! So get started already ;-)

Disclaimer: Ideas contributed to this thread are considered free to be reused. Otherwise do NOT submit them to a public mailing list :-) I will be adding them to the wiki.

There is also a mailing list thread and a forum thread about the slogans initiative.

by dag at March 01, 2008 02:29 AM

February 29, 2008

Fabian Arrotin

scsi-target-utils/iscsi tgtadm not production ready on el5.1 ?

When CentOS 5.1 was announced, the upstream release notes contained some notes about new features being integrated in 5.1, like iscsi-target functionality. Of course they were announced in the "Technology Previews" section, meaning that it's not fully supported and not considered production ready. But most of the time, packages 'just work' [TM].

Is this the case for the package scsi-target-utils-0.0-0.20070620snap.el5 ? hmmm … On my (already too long) TODO list, I planned to test Ocfs2 on top of a shared device, and because of a lack of Fiber Channel HBAs in my lab, the only solution was to play with iSCSI target/iSCSI initiator on both machines (3 machines : 1 as an iSCSI target and the 2 others as initiator/ocfs2 machines). I already tested the standard IET iscsi target daemon in the past and I was expecting to find almost the same behavior … but it's not.

In fact, there are *NO* configuration files included with tgtadm so you have to type all your tgtadm commands to create the iscsi target LUNs and share them. The tgtadm tool isn't a big deal and it's even good to add new targets on the fly … but because of the lack of config files, you can't save your actual config and hope to restore it at the next boot … So you'd better save your tgtadm commands in a script and call that bash script from within a new initscript … I now understand why the release notes consider that it's not *production ready* yet … so let's see what will be included/modified in 5.3 …

by fabian.arrotin at February 29, 2008 08:43 AM