Showing posts with label unix. Show all posts

Thursday, May 1, 2008

OpenBSD 4.3 Released Today

I haven't gotten to play with it yet, since I'm still downloading it. I plan on doing a snapshot and upgrading my OpenBSD Parallels VM tomorrow.

Highlights:

  • Now supports SMP on most Sparc64 platforms
  • Loads of device driver improvements (and additions) for most architectures
  • Built-in SNMP Support (no more need for net-snmp)
  • Disks/Partitions/Filesystems larger than 2TB are supported for ffs
  • Scads of little bugfixes
See the OpenBSD 4.3 Release Notes for details.

Thursday, April 10, 2008

KC BSD User Group - April 2008

We switched locations this month to the downtown Central Library at 10th and Wyandotte. The meeting rooms are a lot nicer. Remember, the meetings are the second Wednesday of each month.

We discussed a smorgasbord of topics, most of which related to BSD in one way or another. This included (but was not limited to):

  • SSH Tunneling
  • Proxy configuration
  • VPN using BSD built-in and third-party software
  • Network layout and BSD router configuration
  • Programming in various interpreted scripting languages
  • Electronics and embedded computing
All in all, a good time. The next meeting should be on May 14th.

Sunday, April 6, 2008

Sysadmin Sunday: Linux and BSD Filesystem attributes

Most sysadmins are familiar with the concept of file ownership and permissions. Read, Write, and Execute are ingrained in our memories from the start. Sometimes, though, that's not enough. Here are some extended attributes for files in Linux and *BSD:

BSD:
To set file flags in BSD, use chflags. To view them, use ls -lO. Flags are as follows (from the chflags(1) man page):


arch, archived
set the archived flag (super-user only)

opaque set the opaque flag (owner or super-user only). [Directory
is opaque when viewed through a union mount]

nodump set the nodump flag (owner or super-user only)

sappnd, sappend
set the system append-only flag (super-user only)

schg, schange, simmutable
set the system immutable flag (super-user only)

uappnd, uappend
set the user append-only flag (owner or super-user only)

uchg, uchange, uimmutable
set the user immutable flag (owner or super-user only)

hidden set the hidden flag [Hide item from GUI]

As discussed in chflags(2), the sappnd and schg flags may only be unset
when the system is in single-user mode.

Putting the letters ``no'' before or removing the letters ``no'' from a
keyword causes the flag to be cleared. For example:

nouchg clear the user immutable flag (owner or super-user only)
dump clear the nodump flag (owner or super-user only)

schg and sappnd are particularly useful. As described, they place files in an append-only or immutable state, where nothing, not even root, can break the rules without first going into single-user mode and disabling the flag. uchg will keep you from accidentally clobbering an important file as well, but can still be un-set by you.

Example viewing, setting, and demonstrating the uchg flag:

Chimera:Documents axon$ ls -lO
total 32
-rw-r--r-- 1 axon staff - 8258 Apr 6 19:16 description.html
-rw-r--r-- 1 axon staff - 21 Apr 2 12:25 file.doc

Chimera:Documents axon$ chflags uchg description.html

Chimera:Documents axon$ ls -lO
total 32
-rw-r--r-- 1 axon staff uchg 8258 Apr 6 19:16 description.html
-rw-r--r-- 1 axon staff - 21 Apr 2 12:25 file.doc

Chimera:Documents axon$ rm description.html
override rw-r--r-- axon/staff uchg for description.html? y
rm: description.html: Operation not permitted

Chimera:Documents axon$ chflags nouchg description.html

Chimera:Documents axon$ rm description.html

Chimera:Documents axon$ ls -lO
total 8
-rw-r--r-- 1 axon staff - 21 Apr 2 12:25 file.doc


Linux:
Use chattr to set attributes and lsattr to view them.

From the chattr(1) man page:

The format of a symbolic mode is +-=[ASacDdIijsTtu].

The operator ‘+’ causes the selected attributes to be added to the
existing attributes of the files; ‘-’ causes them to be removed; and
‘=’ causes them to be the only attributes that the files have.

The letters ‘acdijsuADST’ select the new attributes for the files:
append only (a), compressed (c), no dump (d), immutable (i), data
journalling (j), secure deletion (s), no tail-merging (t), undeletable (u),
no atime updates (A), synchronous directory updates (D), synchronous
updates (S), and top of directory hierarchy (T).


As you can see, most of these attributes are similar to the BSD flags. We'll do the same thing on Linux with the immutable attribute.

axon@hosting:~/hir-test$ lsattr
------------------ ./internet-resume.doc
------------------ ./mail.sql

axon@hosting:~/hir-test$ chattr +i mail.sql

axon@hosting:~/hir-test$ lsattr
------------------ ./internet-resume.doc
----i------------- ./mail.sql

axon@hosting:~/hir-test$ rm mail.sql
rm: remove write-protected regular file `mail.sql'? y
rm: cannot remove `mail.sql': Operation not permitted
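
The check below is an added example, not part of the original post: it compares lsattr output against a list of files that are supposed to be immutable and reports drift in either direction. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare lsattr output against a list of files that are
# supposed to carry a given attribute (here "i", immutable).

# audit_attr LETTER EXPECTED_LIST
#   stdin:         lines in lsattr format, "<attribute field> <path>"
#   EXPECTED_LIST: file with one path per line that should have LETTER set
#   Prints "MISSING <path>" or "UNEXPECTED <path>" for every mismatch.
audit_attr() {
    attr=$1
    expected=$2
    while read -r flags path; do
        [ -n "$path" ] || continue                     # blank or short line
        case $flags in *[!A-Za-z-]*) continue ;; esac  # not an attribute field
        case $flags in
            *"$attr"*) has=1 ;;
            *)         has=0 ;;
        esac
        if grep -Fxq -- "$path" "$expected"; then
            [ "$has" -eq 1 ] || printf 'MISSING %s\n' "$path"
        else
            [ "$has" -eq 0 ] || printf 'UNEXPECTED %s\n' "$path"
        fi
    done
}

# Constructed lsattr output in the format shown in the post.
sample_lsattr() {
    cat <<'EOF'
------------------ ./internet-resume.doc
----i------------- ./mail.sql
----i------------- ./notes.txt
EOF
}

# Run the audit against a constructed "should be immutable" list.
demo_audit() {
    list=$(mktemp) || return 1
    printf '%s\n' ./internet-resume.doc ./mail.sql > "$list"
    sample_lsattr | audit_attr i "$list"
    rm -f -- "$list"
}

demo_audit
```

On a live system, feed it real output instead of the sample, for example `lsattr -- file1 file2 | audit_attr i expected.txt`.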

Trying this... Posting from jlime

Thanks to a tip from a jlime forum denizen, I found out that an older kernel would work better on my Jornada 720. Suspend works, WiFi works, even the Torsmo status app works better. Minimo didn't like Blogger, but the Dillo browser seems to be working albeit in a really minimalistic way like you'd expect in a phone's browser.

In short, this is actually a completely functional networked Linux PDA right now. I'll keep this around and do some periodic reviews as I further use this platform.

Saturday, April 5, 2008

UNIX variants on HP Jornada Palmtops

We covered this a bit at the 2600 meeting last night. I don't have a lot of time to go into detail, but here's a quick breakdown.

Asmodian X got me hooked on Windows CE Palmtops back in late 1997. I picked up a floor model HP 300LX for cheap, and actually used it as my main computer (including Dialup BBS, Telnet, Mail, and web browsing) for quite a while. It was more than sufficient for typing my papers for class and interfacing with the UNIX servers. Asmo also had a Casio Cassiopeia running CE, so we tinkered with this stuff a LOT back in the day.

Later, at DefCon 6, we'd run into a guy with an HP 620LX. That thing had a full color screen and a significant boost in memory, not to mention sound recording ability. This all sounds cheesy now, but it blew away the devices we had with their four or 16-color greyscale screens.

As time has progressed, I've also acquired an HP 320LX (same as 300LX but with a backlit screen and more RAM), a Jornada 680e (Refurbished Dutch Railways model) and a Jornada 720.

The HP300's are currently packed away somewhere, but the Jornadas are alive and well.

I was considering NetBSD and Linux for this project, but I found out that the NetBSD project for these pretty much died once they could say "it boots!" You have to use a serial cable for the console. In other words, it's useless until someone ports wscons and some device drivers. So, I chose JLime Linux, which is still in active development -- the kernel build on my 720 (Mongo branch) is less than two weeks old!

To install JLime, you need a CF card that's at least 128MB. You create 3 partitions:

  1. FAT partition usable from within Windows CE
  2. ext2 partition for Linux to run from
  3. Swap partition for virtual memory
You copy the bootloader, boot configuration file and zImage (kernel, etc) to the FAT partition, and then uncompress the jLime userland onto the ext2 partition. Since the files were compressed with bzip2 and BSD's tar utility doesn't know what to do with that, I had to uncompress it before using tar. Make sure you run tar as root (or with sudo) and with "xpf" or "xvpf" to retain the file permissions and ownership of the userland image.

Once you insert the card into the PDA and run the boot loader, all of the PDA's memory will be completely wiped, so all files and data on it will be lost. Windows CE stays in ROM so when you reboot, Windows CE will be back in initial setup mode.

I actually put the boot loaders and zimages for both the J680e and the J720 on the FAT partition, created two different ext2 partitions, and left one shared swap partition on my 2GB CF card. Had I been thinking, I would have made a third ext2 for a shared home directory between the two PDAs.

Right now, here's the status of them:
Jornada 680 running jLime (Donkey):
  • Boots Linux, loads fine.
  • The keymap is completely trashed (dutch keyboard layout) so I can't login.
  • Apparently, the J680 can "suspend" while running jLime.
Jornada 720 running jLime (Mongo)
  • Boots Linux
  • Runs X with IceWM
  • Various X Apps work fine (MiniMO Browser, aterm, etc)
  • Recognizes PCMCIA Ethernet and 802.11b/g wireless cards
  • Can't seem to use the network, even when configured properly (dhcp doesn't get an address, wireless cards can't associate to open, unencrypted networks, etc)
  • Cannot go into suspend mode properly. The backlight stays on, limiting battery life.
  • After halting, the PDA can't reboot without a hard reset (removal of main and backup battery at the same time)
So, it looks like jLime has a little ways to go yet, but it's a functional UNIX environment, at least on my Jornada 720. I just wish I could get the networking piece to work properly. I could almost live without a suspend mode, since many of my other laptops don't particularly like to suspend, either.

Friday, April 4, 2008

April Kansas City 2600 Meeting Sneak Preview


jlime Linux on the HP Jornada 720 Handheld/PC

This and a bunch of other stuff at the KC 2600 meeting.

Tonight (Friday, April 4 2008)
Oak Park Mall Food Court (Northeast entrance)
SE Corner of 95th and Quivira in Overland Park, KS
Starts at 5:00PM. Look for geeks with laptops.

Wednesday, April 2, 2008

UNIX Tip: Double Dashes

Files that start with a dash can cause problems if you don't know how to deal with them. Let's take a look:

Chimera:Documents axon$ ls -1
-file.doc
2008-03-30.mp3
BitPIM.dmg
H-i-R.xcf
Parts.odt
vCards
The file "-file.doc" will cause problems with most command-line tools because they think -file.doc is an argument, not a file name.
Chimera:Documents axon$ cat -file.doc
cat: illegal option -- f
usage: cat [-benstuv] [file ...]
Chimera:Documents axon$ rm -file.doc
rm: illegal option -- l
usage: rm [-f | -i] [-dPRrvW] file ...
unlink file
Chimera:Documents axon$ mv -file.doc file.doc
mv: illegal option -- l
usage: mv [-f | -i | -n] [-v] source target
mv [-f | -i | -n] [-v] source ... directory
See what I mean?

Placing two dashes anywhere in the argument list of almost every shell utility will tell that utility that all of the optional arguments have been passed and that anything following the double dash is to be taken literally -- usually this means it's a filename*. This lets you manipulate files that would otherwise cause you problems.
Chimera:Documents axon$ cat -- -file.doc 
this is a test file.
Chimera:Documents axon$ mv -- -file.doc file.doc
Chimera:Documents axon$ ls -1
2008-03-30.mp3
BitPIM.dmg
H-i-R.xcf
Parts.odt
file.doc
vCards
For clarity, I used ls -1 (the number one, not the lowercase letter "L") to force output to one filename per line.

* For certain things, the literal arguments are passed on to a separate utility or script. A good example of this: Most startx scripts process command-line arguments, but you can use -- to pass additional arguments directly to the X Server, untouched by the startx script.
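
The same idea inside a script, as an added example that is not part of the original post: file names that come from a glob or a directory listing can begin with a dash too, so every command that receives them gets "--" (or a "./" prefix). The function names and the scratch directory are constructed for illustration.

```shell
#!/bin/sh
# Added example: find and rename files whose names begin with "-" without
# letting any utility parse those names as options.

# list_dash_names DIR: print the names in DIR that begin with "-".
list_dash_names() {
    ( cd -- "$1" || exit 1
      for f in -*; do
          [ -e "./$f" ] || continue        # glob matched nothing
          printf '%s\n' "$f"               # format string first, name as data
      done )
}

# fix_dash_names DIR: strip the leading dashes from such names.
fix_dash_names() {
    ( cd -- "$1" || exit 1
      for f in -*; do
          [ -e "./$f" ] || continue
          new=${f#"${f%%[!-]*}"}           # drop the whole leading run of dashes
          [ -n "$new" ] || new=dash-only   # the name was nothing but dashes
          if [ -e "./$new" ]; then
              echo "skip: $new already exists" >&2
              continue
          fi
          mv -- "$f" "./$new"              # "--" ends option parsing for mv
      done )
}

# Build a scratch directory with two awkward names, fix them, show the result.
demo_dash() {
    d=$(mktemp -d) || return 1
    printf 'this is a test file.\n' > "$d/-file.doc"
    : > "$d/--help"
    fix_dash_names "$d"
    ls -1 -- "$d"
    rm -rf -- "$d"
}

demo_dash
```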

Sunday, March 30, 2008

Sysadmin Sunday: Subversion

Sorry for the recent lack of Sysadmin Sunday posts. I don't always have good Sysadmin content thought up. Sometimes I do, but I don't have time to actually set up an environment to demonstrate it. Sometimes I don't even have time to get around to writing much of anything.

So, we're back this week with a tutorial on setting up Subversion, a revision control system that, in my opinion, is much better and more user-friendly than other revision control systems (such as CVS). You'll see me (and many others) casually use "SVN" when referencing Subversion. You can use Subversion to synchronize directories (folders) across different workstations, to collaborate on changes to large documentation or programming projects, or to simply have a revision control and change rollback system for your files. It works with binary and text, but can take up a lot of hard drive space on the server for large or frequently-changing data sets.

Installation
Installing Subversion varies depending on the platform and package management system available. I am installing Subversion on Ubuntu Gutsy Gibbon Server Edition. Here, it's as simple as:
$ sudo apt-get install subversion

On FreeBSD 6.3, I got it installed using pkg_add as well, with no problems.
$ sudo pkg_add -r subversion

Subversion packages are available for many platforms, but if you wish to build it from source, the documentation is quite good.

HiR Reading Room
Of particular note is the O'Reilly and Associates book: Version Control with Subversion. It is free and open source, so it's also available to read in its entirety on the web. I personally liked it enough that I bought the paperback book, as I dealt with subversion on a daily basis at my last full-time job. If you'll be doing a lot with Subversion, this is a great book to have around as a reference guide.

Please note that I'm not dealing with any encryption whatsoever, so you should probably make sure that your svn server isn't accessible from the Internet. Being behind a private firewall or cheap router will work for testing this at home. Read the book for information on securing SVN with ssh or using better authentication options. There's even a web-based SVN Server, which allows your users to browse the repository with a browser while using all of the flexibility and authentication modules at Apache web server's disposal. All of that and plenty more is covered in this book.

Starting svnserve
First, make a directory to keep the repositories in. A repository is simply a directory on the SVN server where data is stored. I chose /var/svn/repositories.
$ sudo mkdir -p /var/svn/repositories

Then, we need to start our svnserve daemon. As I mentioned before, there are several ways to run SVN. Just starting a vanilla svnserve daemon is the easiest way but not always the best way. For the purposes of this demonstration, I will keep it simple.

Place "svnserve -d -r /var/svn/repositories" (or whatever repository root you chose) in the startup scripts, usually in /etc/rc.local. Either reboot, or run "[sudo] svnserve -d -r /var/svn/repositories" from the command line to start it. This restricts svn to exporting only the contents of /var/svn/repositories.

Your first repository
Let's set up our first repository. On the SVN Server, run the following. You may choose whatever you wish for the repository name, but it has to be under the repository root you defined when you started svnserve.
$ sudo svnadmin create /var/svn/repositories/hir-test/

You should create a username and a password by editing the "svnserve.conf" and "passwd" files in the "conf" directory under the repository you just created. Keep in mind that passwords are all in plaintext for this example. It's not really the best way to do things, but it is the simplest.

$ vi /var/svn/repositories/hir-test/conf/svnserve.conf
un-comment the following lines:
anon-access = read
auth-access = write
password-db = passwd


$ vi /var/svn/repositories/hir-test/conf/passwd
Add a line like the following to the end of the file to define your username and password:
axon = setecastronomy

Now, go to a client computer (or simply access it locally but through the svn:// url scheme) and use SVN to check out the repository:
[axon@floaty-fbsd ~]$ svn checkout svn://axon@192.168.0.108/hir-test/
[axon@floaty-fbsd ~]$ cd hir-test
[axon@floaty-fbsd ~/hir-test]$ ls -la

total 8
drwxr-xr-x 3 axon axon 512 Mar 29 21:37 .
drwxr-xr-x 20 axon axon 2560 Mar 29 21:38 ..
drwxr-xr-x 6 axon axon 512 Mar 29 21:37 .svn

Copy a file into the repository, or make a new file. Your choice. Then use "svn stat" to see the status of the files in the directory.
[axon@floaty-fbsd ~/hir-test]$ cp ~/internet-resume.doc .
[axon@floaty-fbsd ~/hir-test]$ svn stat
? internet-resume.doc

SVN doesn't recognize the file, hence the "?" before the file name. We must first add the file with "svn add"
[axon@floaty-fbsd ~/hir-test]$ svn add internet-resume.doc
A (bin) internet-resume.doc
[axon@floaty-fbsd ~/hir-test]$ svn stat
A internet-resume.doc

At this point, SVN is aware of the file, but it still hasn't uploaded it to the svn server. If we go to another machine and check out the repository, it will still be empty. (sorry, I used the DNS name in this example but it's the same server as 192.168.0.108)
axon@hosting:~$ svn checkout svn://axon@lampdev.labs.h-i-r.net/hir-test
Checked out revision 0.
axon@hosting:~$ cd hir-test/
axon@hosting:~/hir-test$ ls -la
total 12
drwxr-xr-x 3 axon axon 4096 2008-03-29 16:52 .
drwxr-xr-x 5 axon axon 4096 2008-03-29 16:52 ..
drwxr-xr-x 6 axon axon 4096 2008-03-29 16:52 .svn
Back on the client machine where we added the file, though, use "svn commit" to update the central repository on the SVN server. You should always commit with a message saying what changes were made. Use --message for that. It should then prompt for your password.

[axon@floaty-fbsd ~/hir-test]$ svn commit --message "added my resume"
Authentication realm: 2c608312-9cd3-44f0-b88e-356728a5cc35
Password for 'axon': setecastronomy (not shown on screen)
Adding (bin) internet-resume.doc
Transmitting file data .
Committed revision 1.

Now, whenever you check out the repository elsewhere, the files will be in sync. Use svn update to refresh your local repository to the latest version:
axon@hosting:~/hir-test$ svn update
A internet-resume.doc
Updated to revision 1.
axon@hosting:~/hir-test$ ls
internet-resume.doc

When you delete, copy or move files within a local copy of the repository, it's best (practically mandatory) to use svn delete (svn rm), svn copy (svn cp), and svn move (svn mv) for these tasks, respectively.

So far, we've covered the following commands for client machines. This should be enough to get you up and running.
svn checkout svn://[user@]host/repo-name - Checks out a local copy of the repository
svn update - Refreshes the local repository
svn add - Adds version control to new files in the local copy of the repository
svn commit --message "test message" - Updates the central repository
svn delete filename - remove a file from the local repository
svn rm filename - same as above
svn copy filename1 filename2 - make a copy of a file within the repo.
svn cp filename1 filename2 - same as above
svn move filename1 filename2 - move a file from one place to another in the repo.
svn mv filename1 filename2 - same as above

There is also a windows shell extension available, called TortoiseSVN. This puts a TortoiseSVN menu in the list when you right-click while browsing files on Windows. From here, you can check out, update, add, commit and manipulate repositories right from within Windows.
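
Because the passwd file in this setup holds plaintext passwords, a quick check of the repository's conf directory is worth having. The script below is an added example, not part of the original post or of Subversion: it flags anonymous access and a passwd file that group or other can access. Function names, the scratch repository and the sample password are constructed; it assumes password-db is a path relative to the conf directory, as in the post.

```shell
#!/bin/sh
# Added example: audit the svnserve settings used in this post.

# conf_value FILE KEY: print the value of the last un-commented
# "KEY = value" line in FILE (empty if the key is not set).
conf_value() {
    awk -v key="$2" '
        /^[ \t]*#/ || !index($0, "=") { next }
        {
            k = $0; sub(/[ \t]*=.*/, "", k); sub(/^[ \t]+/, "", k)
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# audit_svn_repo REPO_DIR: print one WARN line per finding.
audit_svn_repo() {
    conf=$1/conf/svnserve.conf
    anon=$(conf_value "$conf" anon-access)
    pwdb=$(conf_value "$conf" password-db)
    [ -n "$anon" ] || anon=read          # svnserve default when the key is unset
    [ "$anon" = none ] || echo "WARN anon-access=$anon (unauthenticated clients can $anon)"
    pw=$1/conf/$pwdb
    if [ -n "$pwdb" ] && [ -f "$pw" ]; then
        # The file holds plaintext passwords: only its owner should reach it.
        case $(ls -ld -- "$pw") in
            -???------*) ;;
            *) echo "WARN conf/$pwdb is accessible to group or other" ;;
        esac
    fi
}

# Constructed repository layout: first as configured in the post, then tightened.
demo_svn_audit() {
    repo=$(mktemp -d) || return 1
    mkdir "$repo/conf"
    cat > "$repo/conf/svnserve.conf" <<'EOF'
[general]
anon-access = read
auth-access = write
password-db = passwd
EOF
    printf '[users]\naxon = example-password\n' > "$repo/conf/passwd"
    chmod 644 "$repo/conf/passwd"
    echo "as configured in the post:"
    audit_svn_repo "$repo"
    sed 's/^anon-access = read$/anon-access = none/' "$repo/conf/svnserve.conf" \
        > "$repo/conf/svnserve.conf.new"
    mv -- "$repo/conf/svnserve.conf.new" "$repo/conf/svnserve.conf"
    chmod 600 "$repo/conf/passwd"
    echo "after tightening:"
    audit_svn_repo "$repo"
    rm -rf -- "$repo"
}

demo_svn_audit
```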

Tuesday, March 11, 2008

UNIX Tip of the day: shell math with bc

bc is "an arbitrary-precision calculator language" which so happens to be nearly ubiquitous across all UNIX platforms that I've ever run across. 


Why on earth would you want to do math on the command-line?  Well, that's a good question.  I often find myself using it when I have a terminal window open and don't feel like finding a calculator or firing up the calculator program just to do some basic division or multiplication.  Remember, I suck at doing math in my head unless it's stupidly simple stuff.

What does "arbitrary precision" mean, exactly?  Well, it means that bc will only be as precise (with floating points) as you are with your input.  Integers in, integers out!

axon$ bc
bc 1.06
Copyright 1991-1994, 1997, 1998, 2000 Free Software Foundation, Inc.
This is free software with ABSOLUTELY NO WARRANTY.
For details type `warranty'.
491003798 * 2
982007596

This is important when doing division:
5/2
2

5 divided by 2 is obviously not 2. Set the scale to 2 to make it precise to two decimal places, and try again:
scale=2
5/2

2.50

Much better.

As in a shell, you can combine multiple commands on one line by separating them with semicolons. FYI: sqrt(x) gives you the square root of x and x^y gives you x to the power of y. This is similar to how many scientific calculators or Google Calculator work. In fact, most of Google Calc's syntax works quite well in bc.

scale=0; sqrt (982007596); 16^2
31337
256


Since bc operates on standard input, you can use any of the below methods to do non-interactive math from the command-line or shell scripts:

Pipe:
axon$ echo "2008 * 42" | bc
84336

Here Document:
axon$ bc << EOF
> (2008 * 42) + 65535
> EOF

149871

Use bc if you are writing a shell script that requires floating-point operations, as most shells don't handle math too well. You can even use shell variables.

axon$ export gallons=12.5
axon$ export price=3.879
axon$ echo "A tank of gasoline costs \$`echo "$gallons * $price" | bc`"
A tank of gasoline costs $48.487

Note that while bc exists as part of most UNIX installations (I think it's part of the Single UNIX Specification), the supported syntax varies between platforms a little bit. When in doubt, check the man page.

Sunday, March 9, 2008

Sysadmin Sunday: LogCheck

I've been using LogCheck in its various incarnations for quite a while. When I started using it (it feels like a decade ago but it may have been a little less) it was called LogSentry. While it's still pretty simple, it gets the job done. LogCheck's been passed around many times, and I'm relatively sure that the package I downloaded has remained for the most part unchanged for at least 5 years. For a small group of servers you wish to keep tabs on, this tool is great. For an enterprise, you might want something more heavy duty such as a database-driven centralized logging server.

Note that by itself, LogCheck only does two things:

  1. Looks through all the log files shown for suspicious or "hackish" activity
  2. E-mails the report
That's it.

Installation:
I'll be doing the install on FreeBSD. LogCheck is just a script, so it will run on pretty much anything that isn't Windows.
$ sudo pkg_add -r logcheck
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-6.3-release/Latest/logcheck.tbz... Done.
Configuration:
To see what LogCheck thinks is "hackish", check out logcheck.hacking and logcheck.violations (in /usr/local/etc/ when installed from FreeBSD's packages). Those contain a list of regular expressions (one per line) that will be used to gather reporting information from the logs. Similarly, logcheck.ignore and logcheck.violations.ignore contain regular expressions that can filter certain results from the report. I recommend looking at these files but not editing them at first. Let LogCheck run for a week or so (daily) to get a feel for it. Then, start adding or removing expressions to the lists to fine tune your reports.

To change what e-mail address the report is sent to, find logcheck.sh (it's also in /usr/local/etc/ when installed from FreeBSD's packages) and modify this block of text as appropriate:
# Person to send log activity to.
SYSADMIN=root
Look at the other variables, too. By default, the log files and configuration will likely be workable, but it's a good idea to make sure.

Adding the following line to the system's crontab will launch LogCheck every hour. This isn't a big deal because it will only mail you if there is something suspicious. If you would rather have a daily log, read the man page on crontab to figure out how the schedule options work.

00 * * * * root /bin/sh /usr/local/etc/logcheck.sh
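
To see how the pattern files and the ignore files interact before tuning them, here is a small stand-in for the matching step. It is an added example, not logcheck.sh itself: the function names, the patterns and the log lines are all constructed, and only the match-then-filter idea described above is reproduced.

```shell
#!/bin/sh
# Added example: match a log against pattern files, then drop lines that an
# ignore file covers, the way the configuration section describes.

# attack_alerts LOG HACKING_PATTERNS
attack_alerts() {
    grep -E -i -f "$2" -- "$1" || true
}

# violations LOG VIOLATION_PATTERNS IGNORE_PATTERNS
violations() {
    grep -E -i -f "$2" -- "$1" | grep -E -i -v -f "$3" || true
}

# build_report LOG HACKING VIOLATIONS VIOLATIONS_IGNORE
# Prints nothing at all when no line matched, so a caller can send mail
# only for non-empty reports.
build_report() {
    alerts=$(attack_alerts "$1" "$2")
    viols=$(violations "$1" "$3" "$4")
    [ -n "$alerts$viols" ] || return 0
    if [ -n "$alerts" ]; then printf 'Active attack alerts\n%s\n' "$alerts"; fi
    if [ -n "$viols" ]; then printf 'Security violations\n%s\n' "$viols"; fi
}

# Constructed log lines and pattern files (not the lists shipped with LogCheck).
demo_logcheck() {
    d=$(mktemp -d) || return 1
    cat > "$d/messages" <<'EOF'
Mar  9 03:10:01 floaty sshd[411]: Failed password for root from 203.0.113.7 port 4022 ssh2
Mar  9 03:10:05 floaty sshd[411]: Failed password for axon from 192.168.0.20 port 5111 ssh2
Mar  9 03:12:44 floaty su: BAD SU axon to root on /dev/ttyp1
Mar  9 03:15:00 floaty cron[500]: (root) CMD (/usr/libexec/atrun)
Mar  9 03:20:13 floaty sshd[420]: Accepted publickey for axon from 192.168.0.20 port 5120 ssh2
EOF
    printf '%s\n' 'BAD SU .* to root' > "$d/hacking"
    printf '%s\n' 'failed password' 'refused connect' > "$d/violations"
    printf '%s\n' 'from 192\.168\.0\.[0-9]+ port' > "$d/violations.ignore"
    build_report "$d/messages" "$d/hacking" "$d/violations" "$d/violations.ignore"
    rm -rf -- "$d"
}

demo_logcheck
```

The ignore pattern removes the failed login from the local 192.168.0.x address while the one from outside stays in the report, which is the kind of tuning the week of observation is for.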

Tuesday, March 4, 2008

HiR Reading Room: AIX 5L Administration

While AIX 6.1 is the new hotness, it's mostly feature additions. If you know AIX 5, you can get around AIX 6 without a problem -- you just might be missing out on cool things like enhanced RBAC and workload partitions.

The writing, grammar and editing of this book leave a little bit to be desired, but the concepts covered in AIX 5L Administration are vitally important for any AIX sysadmin to be familiar with. This book is great for people who have a casual working knowledge of the UNIX command line (Linux, Solaris or BSD) who want to expand their horizons all the way up to seasoned intermediate AIX users, who will find new things and helpful tips within these pages.

I personally bought this book while I was job hunting. I had some rusty familiarity with AIX 4, but was looking at the prospect of landing a job that required working, functional knowledge of Solaris 8, Solaris 10, and AIX 5.3. It was a great refresher course for AIX, and gave me the information I needed to confidently blaze through a pre-employment AIX knowledge test. Now, more than a year later, this book sits next to my desk and is occasionally referenced when I need to do something on AIX that I'm not too familiar with.

Whether for reference, for job advancement, or for the fun of tinkering around with something new, this book comes highly recommended for anyone dealing with AIX, either daily or occasionally.

Sunday, March 2, 2008

Sysadmin Sunday: Encrypted Swap Space in FreeBSD

New research shows that cold boot attacks can compromise encryption by giving you access to the RAM's contents. This even applies to full-disk encryption that encrypts swap space and whatnot. We'll probably talk more about that in our podcast.

Physical access almost always means that a total compromise of security is somehow possible. Sensitive data could be at risk long after the data in RAM decays into oblivion. Encryption keys, large documents, and other files containing data you don't want falling into the wrong hands will almost certainly see their fair share of time in virtual memory. That means pages of RAM will be written, for better or worse, to the hard drive.

Encrypting just your swap space can be easier than switching to full-disk encryption and makes it more difficult for an attacker to obtain sensitive data as it gets shuffled in and out of RAM.

OpenBSD encrypts swap by default without any further action. To the best of my knowledge it's alone in that fact. I can't outline how to encrypt swap space in every operating system, but since FreeBSD's the flavor-du-jour, I'll show you how easy it can be.

First, disable swap:

[axon@floaty-fbsd ~]$ sudo swapoff -a
swapoff: /dev/ad0s1b: Cannot allocate memory
Whoops! If there's too much stuff running to fit in RAM without swap, you'll need to cut back. Close your applications, stop the X Window system or whatever you have to do. Let's try that again.
[axon@floaty-fbsd ~]$ sudo swapoff -a
Now, find the swap partition and over-write it using dd(1) to stream /dev/urandom to it. It could take a while depending on the size of the swap partition. Yes, this is a paranoia countermeasure and nothing more. Keep in mind that only freshly-used parts of swap will be encrypted once we're finished. Right now, there could be (ab)usable data out there. Not for long!
[axon@floaty-fbsd ~]$ grep swap /etc/fstab
/dev/ad0s1b none swap sw 0 0
[axon@floaty-fbsd ~]$ sudo dd if=/dev/urandom of=/dev/ad0s1b
dd: /dev/ad0s1b: end of device
464657+0 records in
464656+0 records out
237903872 bytes transferred in 88.835558 secs (2678025 bytes/sec)
To enable GEOM ELI on your swap partition, edit /etc/fstab and add ".eli" to the end of the swap device.

[axon@floaty-fbsd ~]$ sudo vi /etc/fstab
change this line:
/dev/ad0s1b none swap sw 0 0
to this:
/dev/ad0s1b.eli none swap sw 0 0
You have to reboot for this to take effect. Once it comes back online, use kldstat and swapinfo to verify that the geom_eli.ko module is loaded and that the new swap device is being used.

[axon@floaty-fbsd ~]$ kldstat
Id Refs Address Size Name
1 10 0xc0400000 7b2d2c kernel
2 1 0xc0bb3000 6974 snd_ich.ko
3 2 0xc0bba000 239a8 sound.ko
4 1 0xc0bde000 5c304 acpi.ko
5 1 0xc1f19000 e000 geom_eli.ko
6 1 0xc1f27000 19000 crypto.ko
7 1 0xc1f40000 a000 zlib.ko
8 1 0xc21ec000 2000 warp_saver.ko
[axon@floaty-fbsd ~]$ swapinfo
Device 1K-blocks Used Avail Capacity
/dev/ad0s1b.eli 232328 0 232328 0%
Voila!
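
The two checks from this procedure (the fstab entry and the active swap device) can be scripted for more than one machine. This is an added example, not part of the original post: the function names and the sample fstab are constructed, and only the .eli suffix used in this post is treated as encrypted.

```shell
#!/bin/sh
# Added example: find swap that is not behind GEOM ELI, in /etc/fstab and
# in swapinfo output.

# unencrypted_swap FSTAB: print swap devices in FSTAB that lack ".eli".
unencrypted_swap() {
    awk '$1 !~ /^#/ && $3 == "swap" && $1 !~ /\.eli$/ { print $1 }' "$1"
}

# eli_fstab FSTAB: print FSTAB with ".eli" appended to those devices and
# every other line left untouched. Review the result before installing it.
eli_fstab() {
    awk '$1 !~ /^#/ && $3 == "swap" && $1 !~ /\.eli$/ { sub(/[^ \t]+/, "&.eli") }
         { print }' "$1"
}

# active_unencrypted_swap: read swapinfo output on stdin and print active
# swap devices that lack ".eli" (header and "Total" lines are skipped).
active_unencrypted_swap() {
    awk '$1 ~ /^\/dev\// && $1 !~ /\.eli$/ { print $1 }'
}

# Constructed fstab modelled on the one in the post.
demo_swap() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# Device        Mountpoint  FStype  Options  Dump  Pass#
/dev/ad0s1b     none        swap    sw       0     0
/dev/ad0s1a     /           ufs     rw       1     1
EOF
    echo "unencrypted swap in fstab: $(unencrypted_swap "$f")"
    eli_fstab "$f" > "$f.new"
    echo "rewritten swap entry:"
    grep swap "$f.new"
    rm -f -- "$f" "$f.new"
}

demo_swap
```

After the reboot, `swapinfo | active_unencrypted_swap` should print nothing.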

Wednesday, February 27, 2008

It's official: Leopard = No network for OpenSolaris Indiana VMs

Lukas got it working on Parallels 3.0 under OS X Tiger, but two different HiR guys failed to get networking to work on OpenSolaris Indiana DP2 on Parallels 2.5, 3.0 and VMware Fusion when running Mac OS X Leopard.

Oh well. Like I said, maybe I'll give it a crack on a real computer when I have a lab machine ready to use.

UNIX Tips of the day - 10 good UNIX habits

Have I mentioned lately how I really like IBM's developerWorks site? I don't think I have.

I already know all of these tricks, but I still catch myself in bad habits on occasion -- for instance, I rarely use grep to count matches and I sometimes pipe things with cat when I don't need to.

The 10 good habits in the article are as follows:

  1. Make directory trees in a single swipe.
  2. Change the path; do not move the archive.
  3. Combine your commands with control operators.
  4. Quote variables with caution.
  5. Use escape sequences to manage long input.
  6. Group your commands together in a list.
  7. Use xargs outside of find.
  8. Know when grep should do the counting -- and when it should step aside.
  9. Match certain fields in output, not just lines.
  10. Stop piping cats.

Continue reading: Learn 10 good UNIX usage habits (via IBM developerWorks portal)

Tuesday, February 26, 2008

Homebrew geeky UNIX screen saver

For the past 7 years or so, I've been doing fun things with XScreensaver to make custom screen savers that display useful information. My favorite XScreensaver mode is Phosphor, which renders olde-school green text on your screen. By default, it just displays information about your system such as system load and host name. While that's fun and all, it's pretty boring for a desktop system.

So, I'm a weather geek. Part of the reason is because I like being outdoors, but even when I'm cowering inside on a blustery February morning, I like to know what the weather is doing. On my FreeBSD lab machine, I configured Phosphor to display the hourly National Weather Service data for my area.

Obviously, you need to download and install XScreensaver first. You can do this using whatever means you want, but on FreeBSD, it's as simple as "sudo pkg_add -r xscreensaver".

Then, I put an entry in my crontab that looks like this (all on one line, though):

7 * * * * /usr/local/bin/lynx -dump -nolist "http://www.crh.noaa.gov/product.php?site=EAX&issuedby=EAX&product=RWR&format=txt" | tail -n +16 | head -n 15 > ~/.wx.txt

This fetches the weather data (without a list of links and stripped of HTML) for the eastern KS/northwest MO region, grabs the lines I want, then puts it in the .wx.txt file in my home directory. This runs 7 minutes after the hour, every hour, every day.

Of course, you could use a similar script to do an hourly scrape of the front page of your favorite news site, or run any program that will generate a text file for Phosphor on a regular basis.

Now that we have the weather data (or whatever else you want) coming to us every hour, it's time to configure xscreensaver. First, make sure "xscreensaver&" is included before the window manager starts up in your .xinitrc or .xsession file, depending on if you're using an X Display manager or just startx to launch X.

Run "xscreensaver-demo" to access the configuration screen, and set it up to use only one screen saver, choose Phosphor, then tell it to read the text file ~/.wx.txt, as shown in the screen shots below:





Notice how the display has that cheesy-yet-familiar phosphor persistent delay? I love it!





Sorry this didn't capture very much of the screensaver, I'm trying to figure out why xvidcap keeps crashing on FreeBSD.

Friday, February 22, 2008

More FreeBSD love and some fun stuff

I'm working on a fun project for HiR that involves a little bit of CAD (computer aided design/drafting) work. QCAD Community Edition is the GPL version of RibbonSoft's inexpensive QCAD software. It comes without RibbonSoft's technical support and lacks certain features that they reserve for QCAD Professional.

RibbonSoft claims that QCAD is usable right out of the gate even by people who have never used CAD before. I haven't touched CAD since I tinkered with AutoCAD Lite back in 8th grade shop class. I'd like to think I'm technically minded as well. QCAD is NOT easy to get the hang of. Maybe compared to AutoCAD or CADKey, but you can ask my wife and she'll tell you I've spent the better part of three whole days just getting my bearings straight with QCAD. I think I've got it mostly figured out now, though.

By the way, QCAD is available as a binary package or in the Ports tree for both FreeBSD 6.2 and OpenBSD 4.2. I've been using it on both platforms. FreeBSD works really well with QCAD despite my somewhat anemic workstation. My Logitech Revolution VX is a life-saver for precision CAD work. With its smooth-scrolling wheel and high-resolution laser optical tracker, it fits the bill perfectly. I'm really glad that FreeBSD and XOrg play nice with this mouse.

As for the project I'm working on, I'll just say it's mischievous and delightfully fun. I'll release the .DXF file for this project when the time comes.

Wednesday, February 20, 2008

FreeBSD 6.3 on the desktop - Update

This is part of an ongoing series of reviews of FreeBSD 6.3 on the desktop.  


Well, FreeBSD isn't as peppy as I originally thought. It's no worse than any other Desktop OS would be on this kind of hardware. AJAX-based web pages and applications are sluggish. Heavy media applications like VideoLAN VLC and Amarok run fine as long as they're the only things running. I'll admit, the slowness keeps sending me back to my happy MacBook on occasion. This might be easily resolved by building a new(er) computer from parts that aren't about 5 years old.

Yesterday, I got to spend some quality time with FreeBSD, though. Still enamored with the simplicity of Free's package management, I got gtkam to work quickly and easily to get some photos off of my Canon PowerShot A540. That surprised me quite a bit, but gtkam is definitely no replacement for my beloved iPhoto. FreeBSD had some trouble with one of my SD card readers, but I managed to get it worked out by making sure the card was inserted before attaching the reader.

I had to build VLC from source via the ports tree, and that took several hours but worked without any problems. Amarok is a slick audio player, almost as nifty as iTunes or Windows Media Player for my MP3 collection. It's just terribly bloated.

I'm also disappointed that secure shell isn't enabled by default. I needed to get some data from this machine earlier today, and was unable to reach it. It's alive, but SSHd isn't up and running. I guess I'm all for leaving as many services disabled as possible, but even OpenBSD asks if you want to enable SSH during the installation. That's not so much a gripe about FreeBSD on the desktop as it is about its network services out of the box, though.

I'm pleased, but I wish I had a little better machine to throw at the project.  My relatively powerful notebook has spoiled me.

Friday, February 15, 2008

FreeBSD 6.3 - Initial Impact

So, I've been playing with FreeBSD 6.3 for a few days and there are certainly some good things, and definitely some bad things. All in all, though, I like what I've seen. A few days isn't long enough to really get a feel for an operating system on the desktop, so this is the first in a series of reviews I'll be giving FreeBSD 6.3 as I shoe-horn it into my daily life as my main desktop operating system at home. Keep in mind that while I'm on the go, I'm dealing exclusively with Mac OS X on my MacBook, and OpenBSD 4.2 within Parallels when the task at hand calls for something more serious than what OS X can deliver.

The Good:

  • The package management woes I had with 5.0 are completely gone. pkg_add -r [package-name] (ex: bash, firefox, windowmaker, nmap, etc.) just works right out of the box. The problem I was having before was that they had converted to bzipped packages (.tbz), but pkg_add was still, for some reason, expecting gzipped packages (.tgz). That's all over now, and probably has been for a long time.
  • The installation is a breeze. I mentioned this before as well, but the textmode-driven menu really does just work. No, it's not as intuitive as a GUI installer, but it's not as sluggish as GUI, either.
  • The OS and Xorg find my snazzy wireless Logitech VX Revolution mouse and all the major features (left, right, center click and vertical scrolling) work without any configuration changes at all. Mouse setup used to be a bit of a chore with FreeBSD.
  • It is oh-so-peppy. It's as lean and mean as I remember it, and I'm not exactly running FreeBSD on a powerhouse workstation. It's a lowly Pentium 3 desktop with a mere half-gigabyte of RAM. Compared to Kubuntu, which was installed prior to this, FreeBSD simply hauls ass.

The Bad:

  • Where in the hell is xorgcfg, the graphical Xorg configuration tool? And why isn't there a somewhat working xorg.conf file installed by default? OpenBSD handles Xorg by default just fine. Playing with FreeBSD 6.2, I know I used xorgcfg to get Xorg up and running, but it's nowhere to be found in 6.3 (at least the way I installed it!) Fortunately, I'm good with xorgconfig, the text configuration tool for Xorg, and got X up and running on my lab machine on the second try.
  • Mozilla Firefox, when installed from binary packages, for some reason creates the .mozilla directory in your homedir owned by root the first time you run it, and then can't start. The easy fix, of course, is to change the owner back to yourself before starting Firefox again, but this boggles my mind. What's more peculiar is that after creating a second user to test this with, Firefox starts fine. Hmm...
  • I really, really miss OpenBSD's monolithic kernel and on-the-fly reconfiguration. FreeBSD forces you to enable kernel modules to get a lot of "optional" hardware to work.

Alas, I digress.

To get sound working, I had to go into /boot/defaults/loader.conf and set the proper sound module to "YES" (in my case, it was the snd_ich_load line). The "proper" way to do this would be to add snd_ich_load="YES" to /boot/loader.conf, but I am lazy and this works. I cheated again and just manually loaded the module from the command line (kldload snd_ich) and voila! My MP3 player software worked like a charm. To get a guess as to what sound driver you'll need, run pciconf -lv and look for your sound device. Then look through the nondescript driver files (/boot/GENERIC/snd_*.ko) to see if there's a logical choice. Experiment if needed.

Despite what a pain in the butt it is, it's little things like this that remind me why I chose FreeBSD in the first place. It really is back to basics. At the same time, projects like OpenBSD are certainly just as minimalist but without the same kind of impact on out-of-box usability. Unfortunately, I've been spoiled, and OpenBSD is now the gold standard by which I measure things of this nature. It's not looking too good for FreeBSD with that minor exception of truly elegant binary package management. And oh, their package management is slick. It's admittedly low-tech, even. But it simply works well, and that's all I ask of it.

With what seems to be all of the major out-of-box problems solved (graphical interface, sound, boot options), I'm hopefully free of any more show-stoppers. Stay tuned next week to see how things are progressing.

Indiana + Parallels 2.5 = No Network For You!

I know, I should probably fork over the cash for Parallels 3.0. The reasons I have not are as follows:

  1. As far as I can tell, there won't be much difference with OpenBSD as a guest OS which is primarily what I use Parallels for.
  2. Windows 2000, which I use only for VPN access to work a few times per month, works fine under Parallels Desktop 2.5.
  3. I don't like spending money.

With that out of the way, here's my OpenSolaris Indiana experience in a nutshell:

  • The Live-CD functionality is a breeze. Once it's up, it's fairly responsive considering the fact that it's running Gnome. I really don't like Gnome, but it gets the job done.
  • Installation is a breeze if you are willing to dedicate a whole hard drive to it. No word on how easy a multi-boot system is to configure.
  • Once installed, it's surprisingly nimble and smooth, with the caveat that it doesn't like NE2000-based ethernet cards (or their emulated analog via Parallels).

Now, Parallels Desktop comes with a CD image full of useful stuff just for this occasion. Included are drivers (Solaris 10 binary as well as source code) for the NE2000 card. As this release of Indiana doesn't ship with a compiler, I followed these instructions for installing the binary drivers on Developer Preview 1, but to no avail. "Network Auto-Magic" did nothing, and a reboot didn't bring the interface to life, either.

This was my first real brush with OpenSolaris. I use Solaris daily as part of my job, and one of my main desktops at home is a Sun workstation running Solaris 10 (I opted for the CDE interface at home due to the slower processor). As such, I'm certainly no stranger to Solaris. Despite being unable to bring the network to life, I can honestly say that OpenSolaris looks, feels, and smells an awful lot like Sun's enterprise UNIX operating system. If you know Solaris, you know OpenSolaris.

On the workstation, Solaris 10 is actually very feature-rich out of the box. OpenSolaris takes this a step further. Until you hit the command-line interface, it feels very much like an older version of Ubuntu Linux. I haven't bothered to see if Java is as deeply integrated into OpenSolaris as it is in the commercial OS, but if it is, that's yet another boon.

I may have another HiR writer check out OpenSolaris on a newer build of Parallels to see if we can get the network up and running. Otherwise, I'll probably shelve Indiana for a bit until I have a somewhat capable lab machine available to test it on. Preferably, I'd like to test it as a desktop system (not as a server host), which means that I'll need an extended period of a month or so to really give it the kind of attention it needs.

Wednesday, February 13, 2008

OpenSolaris Indiana (Developer Preview 2) Available

OpenSolaris Indiana is a project that's creating a binary distribution based on OpenSolaris source code that's both easy to install and use. It's worth checking out. I'm currently installing it within Parallels Desktop on my MacBook, and will also be playing with it some more when I get the free time to do so. Developer Preview 2 was released this week. A Live-CD distro similar to Ubuntu Desktop Edition is available. You can use it from the Live-CD or install it on a hard drive once the interface is up and running.