Sackville-West Clan Wiki/ tech

Tech Notes

A repository of notes, how-tos and other bits related to using and configuring my Debian systems.

vcs-home... time to start

I've been lurking on the vcs-home mailing list for quite a while in the hopes of taking the plunge one day.... Maybe that day is today? I've been granted a new laptop and want to get it rolling, but the thought of sorting through all my stuff to figure out what to copy.... shudder.... And there will be some things that are unique to the laptop that I don't want on my desktop. It's all a mess.

Sorting this all out is a big enough process that I don't want to do it twice, so I think this is the time to go to a revision controlled $HOME using git. I don't have a completely solid plan yet, but I envision something like this:

  • a master branch that is the common files I'll expect to use everywhere -- general purpose personal stuff, perhaps some common config files, perhaps those portions of src/ that build general purpose scripts
  • a branch for each task -- one for personal stuff, school stuff, work stuff, etc.
  • a separate set of repositories for certain sets of config files. These would include machine-specific branches -- the laptops need slightly different sets of .muttrc files and the like, different X configurations for different geometries of machines, and the like
  • continue to maintain the ever growing set of repos for school projects, personal code and such. These things are already in revision control, may be published elsewhere (github, my personal server, etc), and change more frequently than the rest of $HOME. Also, these things sort of have a life of their own (may be shared with other people, for example) and should be well segregated from the rest of the world.

So, today I start the process by committing large chunks of config files using this method so that I can get this laptop configured... I'll keep you posted.

Posted Thu Jan 20 19:01:14 2011
SMTP data timeout

Since we moved to Oregon, we've been seeing lots of "SMTP data timeout" in the exim

Posted Sun Oct 17 09:49:58 2010
Creating a new git repo

These are my basic instructions for creating a new git repo. I don't do this very often, and so can never quite remember the process...

Assuming I'm logged in to the web server, become the www-data user for convenience:

sudo su www-data #www-data doesn't have a password, so sudo is needed, or I could su root first...

cd /var/cache/git
mkdir new_repo.git
cd new_repo.git
git init --bare
touch git-daemon-export-ok
echo "some basic description" > README.html
git update-server-info

and that's pretty much it on the server.

On the local machine, do

git clone http://git.swclan.homelinux.org/priv/new_repo.git # git is not real happy with this, but it'll work...

... hack hack hack ...

git push remotes/origin master

This seems to be the magic sauce. enjoy.

Posted Mon Aug 9 15:24:19 2010
Serving up git

I had horrible fits getting git served up the way I wanted. My goals were simple:

So, why not just use github or some other service? Because I like running my own servers. It's just fun!

Anyway, this gave me such fits, that I need to make note of what's going on here, and I might as well share...

Apache config:

<VirtualHost 192.168.2.3:80>
        ServerName git.swclan.homelinux.org
        DocumentRoot /var/cache/git

        CustomLog /var/log/apache2/access.log combined

        Alias /gitweb /usr/lib/cgi-bin/gitweb.cgi
        Alias /gitweb_styles /usr/share/gitweb

        Options +ExecCGI
        AddHandler cgi-script cgi

        RewriteEngine on
        RewriteRule ^/priv/.*$ %{REQUEST_URI} [L,PT]
        RewriteRule ^/(.*\.git/(?!/?(info|objects|refs)).*)?$ /gitweb%{REQUEST_URI}  [L,PT]

        SetEnv      GITWEB_CONFIG   /etc/gitweb.conf

        Alias /priv /var/cache/git
        <Location /priv>
                DAV on
                AuthType Basic
                AuthName "Git"
                AuthUserFile /etc/apache2/passwd.git
                Require valid-user
        </Location>

</VirtualHost>

The really crucial bit is the rewriting stuff and the alias for /priv. I want requests that come in without /priv in the url to get rewritten to gitweb if appropriate. The second RewriteRule comes from the tips on this gitweb README. That all works wonderfully allowing gitweb to serve up alongside git over http:// for cloning. Great.

The first RewriteRule line matches any /priv/ URL and leaves it unchanged, but the [L,PT] flags cause rewriting to stop at that point, so the gitweb rewrite rule gets skipped. Then the Alias directive points it to the right directory and the Location stanza allows WebDAV for those requests only.
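
The routing these two rules produce can be checked offline. The following is an added example, not part of the original notes: it applies the two RewriteRule patterns from the config to a few constructed request paths in a simplified model (only the rewrite rules, the /priv alias and its Location block; the function names and sample paths are made up for illustration).

```python
import re

# The two RewriteRule patterns from the VirtualHost above, copied unchanged.
PRIV_RULE = re.compile(r"^/priv/.*$")
GITWEB_RULE = re.compile(r"^/(.*\.git/(?!/?(info|objects|refs)).*)?$")

# Constructed request paths; new_repo.git is the repo name used earlier on the page.
SAMPLE_PATHS = [
    "/",
    "/new_repo.git/",
    "/new_repo.git/info/refs",
    "/new_repo.git/objects/info/packs",
    "/priv/new_repo.git/info/refs",
    "/priv/new_repo.git/refs/heads/master",
]


def route(path):
    """Return (handler, needs_auth) for a request path.

    Simplified model (an assumption of this example): only the two
    RewriteRules, Alias /priv and <Location /priv> are considered.
    """
    if path == "/priv":
        # Not touched by either rule, but Alias /priv and <Location /priv>
        # still apply to it.
        return ("webdav", True)
    if PRIV_RULE.match(path):
        # Rule 1: URI left unchanged, [L] ends rewriting, [PT] passes the
        # request on to Alias /priv, where <Location /priv> demands a login.
        return ("webdav", True)
    if GITWEB_RULE.match(path):
        # Rule 2: rewritten to /gitweb<path> and handled by gitweb.cgi.
        return ("gitweb", False)
    # No rule matched: the file is served straight from DocumentRoot
    # (/var/cache/git), which is what a plain http:// clone relies on.
    return ("static", False)


def routing_table(paths=SAMPLE_PATHS):
    """Map each path to its (handler, needs_auth) pair."""
    return {p: route(p) for p in paths}


if __name__ == "__main__":
    for path, (handler, needs_auth) in routing_table().items():
        print(f"{path:40} {handler:7} auth={'yes' if needs_auth else 'no'}")
```

Only the /priv paths ask for credentials; the same repository files are readable without a login under /, so the Basic-auth block protects the WebDAV side rather than the repository contents. Because this VirtualHost listens on port 80, those Basic credentials cross the network unencrypted.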

Ba-da-bing, all my goals met.

So, why not ssh? I don't have direct ssh access to the machine -- there's a hop in the middle. I could rework all my ssh stuff, but I really like the way it is... So there's the solution.

Posted Sun Apr 18 19:10:24 2010
Git multi-repo migration

My school code repos have been in complete disarray for quite a while. I had most of it in some kind of revision control, but not reliably. Some was in git, some in darcs, some in svn from servers that weren't up anymore (school svn repos get taken down at the end of the quarter), and some was just sitting there... This is not a good situation.

So, in the spirit of spring cleaning, I set off to get it organized and into one repo for posterity's sake, I suppose. For the darcs and svn stuff, I decided to just blow away the history and add the stuff as is into a main git repo. Likewise, the unversioned stuff just needed to be git added. But for the various stuff that was already in git, the real problem was how to preserve the history and combine the various bits into one comprehensive bunch. Google provides several solutions, but this, which is better explained over on stackoverflow (second best response), really seemed the best.

The process is straightforward.

Move everything in the repo down one level in the file system. This way, src/school/foo/code.c becomes src/school/foo/foo/code.c

$ cd src/school/foo
$ git filter-branch --index-filter \
'git ls-files -s | sed "s-\t-&foo/-" |
GIT_INDEX_FILE=$GIT_INDEX_FILE.new \
git update-index --index-info &&
mv $GIT_INDEX_FILE.new $GIT_INDEX_FILE' HEAD

Note the placement of foo in the above command. It should be replaced with your appropriate repo/directory name. You'll want a clean repo before you do this. I had to git reset --hard on some of the repos to get it to work.

Since I wanted everything to be merged into one repo at src/school, I did

$ cd ..
$ pwd
/home/andrew/src/school/
$ git init # note, you may do this in advance...
$ git pull foo

This moves the contents of foo/foo up into foo/

And now blow away the old repo

$ rm -rf foo/foo foo/.git

And that's it. Repeat ad nauseam through the whole mess until done.

It was really a pretty slick process and one worth remembering.

Posted Sun Apr 18 18:35:08 2010
Keyboard shortcuts in GnuCash and GNOME

This little trick is great if you're running a full GNOME environment: Editable menu accelerators. Head over to Preferences -> Menu and Toolbar and click "Editable Menu accelerators". Then in any GNOME app, select your menu item, and while it's highlighted, enter the keystroke you want to use as a shortcut. Bing, it should appear in the menu and be bound there. You can use the delete key in the same manner to delete a shortcut.

This little tidbit is remarkably hard to find (hence this note). In fact, I found it on gmane after a lot of hair pulling... I knew I'd seen it somewhere. The official GnuCash location for this info is in the tutorial in the very last paragraph.

So I'd love to be able to use this tidbit, but running xmonad I don't have all that fluffy GNOME stuff running. If anyone knows a work-around, let me know, please!

Posted Fri Jan 30 17:11:05 2009
A little fun with tcltk

So, Melissa McDirmid, my linear algebra teacher, came to me with a problem. She wanted to use the game xlightoff in class to demonstrate how linear algebra could be used to solve the game. Okay cool. But she's a windows user, not into upgrading to linux (certainly not for one demo) and I didn't want to mess around with installing an X server on her machine.

There are other versions of the game out there, but she wanted a standalone version with the randomization of the xlightoff version. This version, by Bruce Ediger, is written in tcl/tk, making it nicely cross-platform and pretty easy to grok.

A few tweaks and I've got a version that randomizes the board, and also allows us to work on a 3x3 version... much nicer for our in-class problem.

Posted Wed Jan 28 13:18:22 2009
Tekuti

I recently stumbled across tekuti, a blogging framework written in guile. Very interesting. I suspect it's absurdly lightweight. I'm pretty happy with ikiwiki, but since this whole web site is woefully disorganized, and because I love scheme (of which guile is a dialect), I may just have to try it out.

Posted Mon Jan 19 16:57:59 2009
Ikiwiki fits and OpenId

Argh!!

I do so little with Ikiwiki, that I can never remember how to get anything done in it.

So what did I want to do? Get OpenID setup so I could not be forced to remember my less-than-perfect OpenID URL and just use the URL of this wiki instead.

So that's pretty easy on this end using the bit of code at the bottom of the ikiwiki built in OpenID page... great. But I had disabled meta tags on this thing eons ago and had to spend too long trying to find the config file. Then I had to literally spend forever figuring out how to get the damn thing to update its wrappers.... and it's just so simple.

ikiwiki --setup /path/to/ikiwiki.setup

and it's done. sheesh.

The cool thing is now I can do OpenID with just http://wiki.swclan.homelinux.org! w00t!

Posted Wed Oct 8 18:15:23 2008
Spare Parts

If you're at all like me, you've got a pile of spare parts. Junky old network cards all tangled up with crappy winmodems, ISA sound cards and other bits of computer flotsam are piled all over my office, spilling out into the rest of the basement.

These parts can be a valuable resource for keeping systems running. Sure they may be out of date, kind of crappy parts, but these are just the things that are almost sure to work, especially with linux systems. The older (within reason) a part is, the more likely there are drivers in the mainline kernel. And if there aren't, there should at least be a good pile of google hits on how to get the darn thing to work. The best part is the old bits are usually free! They tend to be left overs scavenged from my own machines that died in one way or another. Even better, a lot of them come from old borked windows systems that people would rather throw away than try to use... go figure.

There are entire businesses devoted to just this kind of thing too. I'm sure you've seen them in your town. They are locally owned small computer shops with so much stuff piled up in them that you can't see in the windows. There's usually some only marginally helpful person behind the counter who refuses to come out and help. There are boxes piled high with green computer cards labeled "network cards $5" or "pci video cards $8" or whatever. These places are also a treasure trove of sometimes decent, slightly out-of-date tech. Sometimes you can find a nice haul of pretty good stuff that was scrapped by a company in some company-wide upgrade. I once found a whole bunch of what were once top-of-the-line network cards for literally about $4 a piece. I bought a bunch and they work great.

What's the point of all this? Well, my wife's computer broke (ahem) yesterday. So I fiddled around with all the parts I had and determined that I had no combination of spare motherboard and processor that would actually work. So off I go to my usual crappy old parts store. Unfortunately they're GONE! What? I head to the next one up the street and they don't really have any used parts to speak of. You could see in the windows, it was a clean place, and the counter guy was actually helpful. That's no good... So I head to the last place I know of and while they're still there, they are getting ready to close that store and will probably scrap all those old parts! Horror!

This has gone on long enough. Suffice it to say that there is a sad change a-foot in the computer world. The spare parts stores are closing down... Where will I go when I run out of parts here in my basement?

Posted Fri Sep 19 07:58:03 2008
XMonad screenshots

XMonad Screenshots

My current window manager of choice is XMonad, a fantastic tiling window manager written in Haskell. I've been playing with different configurations and a little compositing and here are a couple of the latest screenshots...

This shot is of the Grid layout with Magnifier set to 120%. It took a while to come up with the right combination of alpha settings and colors to make me happy...

Magnifier Grid layout

And here is a Circle layout, fun...

Circle layout

Posted Tue Mar 25 20:54:35 2008
Disk Encryption

Disk Encryption For Laptops

The next step in getting my laptop into shape is setting up disk encryption. In my hurry to set this laptop up for our trip last summer, I didn't bother with encryption. Now that I'm preparing to go back to school and will be using the lappy a lot more, I really need to get it properly set up. This involves getting it reconfigured with encryption, a properly installed dev environment, etc etc etc...

The first step is encrypting the system. I'm going to try to get proper encryption (of /, /home, swap) without wiping and reinstalling...

Why?

Because I can? (I think...) Debian is known for never needing to be reinstalled unless you crash a small plane into the case, or something like that. So I want to see if I can get the whole lappy converted over without having to wipe the system. I've got the system more-or-less configured the way I like and don't want to do that again. And, it's a challenge, so why not...

Current Configuration

delappy:/# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/hda3             9.2G  1.9G  6.9G  22% /
tmpfs                 249M     0  249M   0% /lib/init/rw
udev                   10M  108K  9.9M   2% /dev
tmpfs                 249M     0  249M   0% /dev/shm
/dev/hda1              96M   47M   44M  52% /boot
/dev/hda6              42G  2.6G   37G   7% /home
/dev/hda5             3.7G  991M  2.6G  28% /var
delappy:/# fdisk -l

Disk /dev/hda: 60.0 GB, 60011642880 bytes
255 heads, 63 sectors/track, 7296 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x00055945

   Device Boot      Start         End      Blocks   Id  System
/dev/hda1   *           1          13      104391   83  Linux
/dev/hda2              14         136      987997+  82  Linux swap / Solaris
/dev/hda3             137        1353     9775552+  83  Linux
/dev/hda4            1354        7296    47737147+   5  Extended
/dev/hda5            1354        1840     3911796   83  Linux
/dev/hda6            1841        7296    43825288+  83  Linux

As you can see, I've already got the disk partitioned out, and while I'd like to use something like LVM, at the moment, I don't think I will.

The Plan

The plan is pretty simple. First, since there's room on hda3 (current /), I'll just move the existing data (home and var) into that partition and go from there. I can lay encryption over the existing partitions and move the data back. I'll use hda6 as / temporarily while working on encrypting hda3, and then move it all back, carve it up into its various parts and then be fully encrypted except for swap.

There are other details to work out as well. For example, I plan to put the root key on a sd card so that it can be used as a boot key. This will be much easier than keeping track of a really really long passkey, though the passkey will still work if I somehow lose the sd card.

I'm sure there are more details to be worked out and I plan to keep notes on it all as I go along and ultimately, I'll post the results here.

Sources

These are the places I've used for research prior to embarking on this:

  • http://www.hermann-uwe.de/blog/towards-a-moderately-paranoid-debian-laptop-setup--part-1-base-system
  • http://wejn.org/how-to-make-passwordless-cryptsetup.html
  • http://www.debian-administration.org/articles/428
  • http://www.saout.de/tikiwiki/tiki-index.php

and surely others. I'll try to add them as I go.

Posted Sat Oct 20 17:41:21 2007
Linksys WUSB11 2.8

Configuring the Linksys WUSB 11 v 2.8 wireless adapter

This is the beginning of what may be a longer term project to get wireless working in my house. I'm not a fan of wireless -- I think it's generally kludgy, unreliable and slow. This has been reinforced by my experiences on the road (see our trip) with my new laptop.

But, I have this laptop and a desire to be moderately more accessible to the family while working. So I've decided to try and get wireless rolling and rather than crack the case to put in one of the Belkin cards I've got lying around, I'm going to try to get this USB adapter working.

Part 1

Most of the available info on the web is from a couple years ago, which I usually find encouraging. If there's no noise about it, then maybe it just works now? Nope.

I'm using at76c503a-source which originally comes from http://at76c503a.berlios.de/.

I've aptitude install'ed the package and it drug in atmel-firmware as well.

This package is designed for use with module-assistant. Building it should be easy:

m-a a-i at76c503a

but it fails with

make[3]: Entering directory `/usr/src/linux-headers-2.6.22-2-k7' 
  CC [M]  /usr/src/modules/at76c503a/at76_usb.o
/usr/src/modules/at76c503a/at76_usb.c: In function ‘at76_ieee80211_to_eth’:
/usr/src/modules/at76c503a/at76_usb.c:3379: error: ‘struct sk_buff’ has no member named ‘mac’
/usr/src/modules/at76c503a/at76_usb.c: In function ‘at76_ieee80211_fixup’:
/usr/src/modules/at76c503a/at76_usb.c:3430: error: ‘struct sk_buff’ has no member named ‘mac’
/usr/src/modules/at76c503a/at76_usb.c: In function ‘at76_rx_monitor_mode’:
/usr/src/modules/at76c503a/at76_usb.c:3856: error: ‘struct sk_buff’ has no member named ‘mac’

that's a problem. But I only have the linux headers installed and not the full source. I'm going to pull that down and try again, or maybe grep for those structures and see if I can figure it out. meanwhile, I'll email the maintainer and see what I can find...

Part 2

So, not to be deterred, I downloaded the upstream tarball from berlios. Lo and behold, it compiled and works just fine... go figure. So I filed a bug report against the source package at debian. The maintainer was quick to respond that the package needed upgrading to the newest version quite badly. A little back and forth and he is working on getting it updated after I confirmed that it builds just fine against the debian kernels.

Long story short, the upstream sources work fine for this adapter, and a fix will be in debian soon.

Part 3

So this adapter works just fine, but has some shortcomings. The firmware required to operate it is very restrictive and won't let you do lots of nice things (like wpa!). So I think this adapter will get relegated to the trash heap at some point. Or maybe get added to a kid computer at some point. It has decent power and works well throughout the house, but it's limited to 11Mbps (802.11b I think) and doesn't deal well with some of the settings on the laptop.

Posted Thu Oct 18 17:08:41 2007
Passwordless GDM login

Password-less GDM login

This crops up from time-to-time. I configure computers for my kids to use. They currently range in age from 6 through 10. That's a pretty good spread in terms of what is expected for kids using computers. A ten year old can pretty easily understand the idea of security but doesn't understand what that really involves. A six year old, however, just wants to go to pbskids.org Daddy!!!

So, in the interest of making my life easy, I have setup gdm so that the kids can login through the browser by clicking their .face file. I've also deleted their passwords

passwd -d -u kid-name

This gives the kids an empty password so that they only need a user name to login. But pam won't let you just do that and gdm appears to use pam so... You have to tell pam that it's okay too. Edit /etc/pam.d/common-auth. Change:

auth required pam_unix.so nullok_secure

to

auth required pam_unix.so nullok

and now the kids can log in with a single click.
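
A check for this state on a machine, as an added example that is not part of the original note: it lists the accounts whose shadow password field is empty (what `passwd -d` leaves behind) and reports which empty-password policy the pam_unix auth line grants. The sample shadow and PAM text are constructed; on a real system the inputs would be /etc/shadow and /etc/pam.d/common-auth, and the function names are made up for illustration.

```python
# Constructed sample data; account names and hashes are placeholders.
SAMPLE_SHADOW = """\
root:$6$placeholder$placeholder:13732:0:99999:7:::
daemon:*:13732:0:99999:7:::
kid-one::13732:0:99999:7:::
kid-two::13732:0:99999:7:::
guest:!:13732:0:99999:7:::
"""
COMMON_AUTH_BEFORE = "auth required pam_unix.so nullok_secure\n"
COMMON_AUTH_AFTER = "auth required pam_unix.so nullok\n"


def empty_password_accounts(shadow_text):
    """Accounts whose password field is empty, i.e. no password is needed."""
    names = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        # "*" and "!" mean "no valid password / locked", not "empty".
        if len(fields) >= 2 and fields[1] == "":
            names.append(fields[0])
    return names


def pam_unix_null_policy(pam_text):
    """Return 'nullok', 'nullok_secure' or 'deny' for the pam_unix auth lines."""
    policy = "deny"
    for line in pam_text.splitlines():
        tokens = line.split("#", 1)[0].split()
        if not tokens or tokens[0].lstrip("-") != "auth":
            continue
        mods = [i for i, t in enumerate(tokens) if t.endswith("pam_unix.so")]
        if not mods:
            continue
        args = tokens[mods[0] + 1:]
        if "nullok" in args:
            return "nullok"            # the most permissive setting wins
        if "nullok_secure" in args:
            policy = "nullok_secure"
    return policy


def audit(shadow_text, pam_text):
    """Combine both checks into one finding."""
    accounts = empty_password_accounts(shadow_text)
    policy = pam_unix_null_policy(pam_text)
    if not accounts or policy == "deny":
        scope = "none"
    elif policy == "nullok_secure":
        # Debian's nullok_secure: empty passwords are accepted only on
        # terminals listed in /etc/securetty.
        scope = "securetty terminals only"
    else:
        scope = "every service that includes this PAM file"
    return {"policy": policy, "accounts": accounts, "scope": scope}


if __name__ == "__main__":
    print(audit(SAMPLE_SHADOW, COMMON_AUTH_BEFORE))
    print(audit(SAMPLE_SHADOW, COMMON_AUTH_AFTER))
```

The second result is the one to watch for: with plain nullok the empty passwords are accepted by every service whose PAM stack includes common-auth, not just gdm.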

Now if only I could get them to log back out...

Posted Tue Aug 7 23:29:16 2007
Ikiwiki and SSL

Using SSL with Ikiwiki

As should be obvious, this wiki is run using ikiwiki. Now I know that wikis are supposed to be editable by anybody, but for our purposes, that's really not good. This is a family oriented wiki which is accessed by children and is also a repository for information we want to preserve, but still have public access available. Some kind of authentication is required to control access. And it needs to be simple to implement and control.

Default Authentication (signinedit)

Ikiwiki comes with a default password authentication system that is pretty simple but effective. Users must login to make use of any editing features. Couple that with

account_creation_password => "super-secret-passphrase-that-you'll-never-guess"

in the ikiwiki.setup file and you've got a pretty simple, but reasonable way to control access to the wiki. You control who has access by requiring an administrator to enter the account creation password at the time an account is created. I haven't yet investigated what happens when you enter an incorrect account_creation_password, but I'm sure fail2ban can be configured to pick it up and shut down access to someone trying to crack it. This is by no means a Fort Knox of security, but it seems pretty reasonable and like the bars on the window, will keep the honest folk honest. But there is still one major vulnerability that I wanted to get rid of: all this stuff happens in plaintext. This is not an issue for most of our access to this wiki as it happens from our LAN, and is properly firewalled and audited. However, we're getting ready for the trip of doom and want access from anywhere. The world abounds with packet sniffers and compromised network connections and sending cleartext authentications out into that world is not a pleasant thought.

mod_ssl

I spent a couple days trying to figure out how to get some kind of encryption involved without unnecessary complication or overhead. The first, simplest solution is to put the whole thing under mod_ssl with

<VirtualHost *:443>
    ServerName wiki.swclan.homelinux.org
    DocumentRoot /var/www/ikiwiki/
    SSLEngine on
...
</VirtualHost>

but this seems extreme to me. This would put the entire website under SSL and that's really not necessary. Plus, since I'm using self-signed certificates, could cause warnings to pop-up just for someone to view the site. Plus SSL slows down access...

mod_auth_digest

The next solution I considered was to turn over authentication to mod_auth_digest. My understanding is that this provides authentication without the clear text password. I'm sure it's not all that secure (it's an MD5 checksum of the username, password, requested URL and a couple other bits) but it at least removes the "clear text passwords floating through the air" problem. It's also dead simple to set up:

<VirtualHost *:80>
   ...
   <Directory /cgi-bin/>
       AuthType Digest
       AuthName "restricted wiki"
       AuthUserFile /path/to/password/digest
       Require valid-user
    </Directory>
</VirtualHost>

along with using the htdigest program to setup passwords for your users. Finally, you have to setup

cgiurl => "http://wiki.swclan.homelinux.org/cgi-bin/ikiwiki.cgi",

and

wrappers => [
....
    wrapper => "/var/www/ikiwiki/cgi-bin/ikiwiki.cgi",

in your ikiwiki.setup file so the wiki can point to all the right places.

This worked pretty well in that it allowed authentication with reasonable security from publicly accessible networks. But there are some problems:

  1. With the ikiwiki authentication (signinedit) still turned on, people have to actually authenticate twice -- not a great solution, especially since the kids want access too.
  2. With the ikiwiki authentication (signinedit) turned off, the commits become anonymous. Instead of AndrewSackville-West shown as the committer, you just get an IP address. This isn't a big deal other than I don't like it...

Rewriting

The next solution was an utter failure: Rewriting. Apache lets you do all kinds of fancy stuff with rewriting and redirecting requests. That's all cool, but in the final analysis was unworkable for me. Probably there is some awesome rewriting-fu that could make it work, but all I got was errors when trying to commit edits.

Final solution

The final solution to this problem was overwhelmingly simple. Isn't that always the way it is? I'm embarrassed at how simple it is, and how ridiculously obvious in hind-sight. The solution is to change ikiwiki.setup:

cgiurl => "https://wiki.swclan.homelinux.org/cgi-bin/ikiwiki.cgi",

note the https in the url. Also setup apache with:

<VirtualHost *:443>
    ServerName wiki.swclan.homelinux.org
    DocumentRoot /var/www/ikiwiki/
    SSLEngine on
    SSLCertificateFile 
    ....
</VirtualHost>

and it just magically works. The ikiwiki.setup change makes all links in the wiki that point to the cgi script point to an SSL version of the website. Dead simple. I'm sure I could tweak it so that only cgi requests are accessible through the SSL version of the site, but I'll leave that for another day. As it is, someone could access an SSL version of the site by manually entering an https:// URL, which puts us in the same situation as the original solution, but that's their problem. I suppose I could

RewriteEngine on
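# a negated pattern captures nothing, so $1 would be empty; reuse the request URI.
# inside <VirtualHost> the matched path starts with /, hence ^/cgi-bin/
RewriteRule !^/cgi-bin/ http://wiki.swclan.homelinux.org%{REQUEST_URI} [R,L]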

or

<VirtualHost *:443>
    ServerName wiki.swclan.homelinux.org/cgi-bin  #not sure this works...
...
</VirtualHost>

but that's for another day.

Please let me know what you think.

Posted Tue Aug 7 11:48:51 2007