The only annoying piece in this is recompiling Freetype with the bytecode interpreter enabled, but it’s pretty easy to follow the steps here.

wget http://mirrors.adams.net/centos/5.3/updates/SRPMS/freetype-2.2.1-21.el5_3.src.rpm

rpm -ivh freetype-2.2.1-21.el5_3.src.rpm

Update the paths below to wherever you’re keeping your source RPM data. For root it’s usually /usr/src/redhat.

vi /usr/src/redhat/SPECS/freetype.spec

change the bytecode setting to “0″. It’s usually the first uncommented line:

%define without_bytecode_interpreter    0

Then build the RPMs:

rpmbuild -bb /usr/src/redhat/SPECS/freetype.spec

Install them:

rpm -ivh /usr/src/redhat/RPMS/freetype*.rpm

Then tell yum to ignore Freetype so it doesn’t remove your custom RPM:

vi /etc/yum.conf

exclude = freetype*

Restart X to load the new Freetype, and in Gnome go to System > Preferences > Fonts.

Set the Fixed width font to “Monospace 10″

Set all the other fonts to “Sans 8″

Set Font Rendering to “Subpixel smoothing”

And you’re good to go. Looks nice, doesn’t it?

I had compiled my own Bind RPMs to address the latest DoS issue. I’m running version 9.5 since it supports the “allow-query-cache” option and RHEL 5 only provides version 9.3. So after I installed my own RPM, of course SE Linux was preventing named from starting. This is how I fixed it:

Check the audit.log for AVC messages:

# cat /var/log/audit/audit.log |grep 'avc:' > /tmp/se.txt

edit the text file to include only the SE issues you want to address:

# vi /tmp/se.txt

create a policy module:

# cat /tmp/se.txt | audit2allow -M local

load the module:

# semodule -i local.pp

That’s all it took to get Bind working for me.

It has the option to permanently ban IPs, but it gets its list of bad IPs from /var/log/secure. Once those logs are rotated and the fail2ban process gets restarted you’ll no longer be blocking them. So I tweaked it to save all the blocked IPs to a file so you can always blacklist them.

All the changes were in /etc/fail2ban/actions.d/iptables.conf. The first addition loads the list of saved IPs to blacklist (/etc/fail2ban/ip.deny) when the process is first started (the addition is in bold).

actionstart = iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I INPUT -p <protocol> –dport <port> -j fail2ban-<name>
for IP in `cat /etc/fail2ban/ip.deny`; do iptables -I fail2ban-SSH 1 -s $IP -j DROP;done

Then under actionban we want to check the list of IP’s that we explicitly allow (/etc/fail2ban/ip.allow), if it’s not in that list, ban it and add it to ip.deny:

actionban =  if [ -z `awk '$1 == "<ip>" { print "true" }' /etc/fail2ban/ip.allow` ]; then iptables -I fail2ban-<name> 1 -s <ip> -j DROP;fi
if [ -z `awk '$1 == "<ip>" { print "true" }' /etc/fail2ban/ip.deny` ] && [ -z `awk '$1 == "<ip>" { print "true" }' /etc/fail2ban/ip.allow` ]; then echo “<ip>” >> /etc/fail2ban/ip.deny;fi

This next change is optional since the unban functionality hasn’t been added to fail2ban yet:

actionunban = if [ -z `awk '$1 == "<ip>" { print "true" }' /etc/fail2ban/ip.deny` ]; then iptables -D fail2ban-<name> -s <ip> -j DROP;fi
if [ -z `awk '$1 == "<ip>" { print "true" }' /etc/fail2ban/ip.deny` ] && [ -z `awk '$1 == "<ip>" { print "true" }' /etc/fail2ban/ip.allow` ]; then echo “<ip>” >> /etc/fail2ban/ip.allow;fi

You can always ignore IPs by adding them to the ip.allow file, but I’d recommend using the jail.conf “ignoreip” variable until the unban functionality is finalized (probably in ver 0.9).

Under Processor Type and Features:

Tickless System (Dynamic Ticks) = YES

Paravirtualized guest support = YES

Timer Frequency = 100 HZ

It’s possible I didn’t need to change all of these, but now idle utilization is down to 2% or less… a huge difference.

If you’re not familiar with compiling a kernel on a RHEL system, check out this guide.

browser.display.auto_quality_min_font_size

By default it’s set to 20, I set it to 1. This improves font rendering quality but may sacrifice some performance. I didn’t notice any performance hit.

I love my iPhone, but I hate that I can’t sync it natively inside Linux. I was never able to get iTunes working running under Wine, so I’ve been forced to create a virtual machine running WinXP to sync it. I don’t like the idea of a VM running in the background, wasting system resources when it’s not being used. I wanted a better solution.

With the help of udev and VirtualBox command-line tools, I was able to come up with something better. Now when I’m ready for bed I plug my iPhone in, VirtualBox automatically boots the VM, and it syncs with iTunes. When I unplug the phone, Windows shuts down automatically. The only time the VM is using system resources is while I’m sleeping, so I don’t care.

I think this is as good as it gets with the iPhone on Linux and the only compromise is the time invested to set it up.

To do this, you’ll first need to install the full version of Sun’s VirtualBox, it includes USB features that are required. It’s free for personal use. Create a new VM with a bare Windows install on it. I didn’t install any additional updates and I disabled Windows Update, since it’s behind a NAT and I won’t be doing anything other than the sync on it. I also disabled a bunch of unnecessary services and ran Bootvis to minimize the VM boot time. Then I mapped a network drive to my music folder (on the host system) so iTunes will have access to my entire music collection. I logged in with my iTunes account and resubscribed to all my podcasts. At this point it’s not a bad idea to make a copy of the VM in it’s pristine state.

VirtualBox Settings

Shut down Windows. In VirtualBox, right-click the VM and select Preferences. You should tell it to use VT-x/AMD-V (General > Advanced) if you have a relatively modern processor that supports virtualization extensions; it’s not a requirement but will improve performance. The settings you will need are under USB. Check “Enable USB Controller” and “Enable USB 2.0 EHCI Controller”, the click the plus icon to add a filter. While your iPhone is attached to the system, you should see it listed in the dropdown (Apple Inc. iPhone), select it and click OK. This is required so your VM can see the device. You might also want to configure a sound device (PulseAudio) or iTunes will complain.

Now we get to the fun stuff, tweaking the host Linux system and writing BASH scripts. First, let’s create a log file that anyone can write to in case we need to troubleshoot:

$ sudo touch /var/log/iphone.log

$ sudo chmod 777 /var/log/iphone.log

Now, we need to get the internal ID of the VM you created.

$ VBoxManage list vms

You should see the name of the new VM followed by it’s UUID in parenthesis. Copy that UUID, we’ll need it for our first script:

iphone_attach.sh

#!/bin/bash
export XAUTHORITY=/home/nathan/.Xauthority
export DISPLAY=:0.0
su nathan -c “/usr/bin/VBoxManage startvm bc341828-db3b-46a9-8bc9-153c8eb35ad7″ >> /var/log/iphone.log

The two export lines tell the script which X Windows session to attach to. The final command uses the VBoxManage tools to start your VM, log the output, and do it under your own user account (since this will run as root). Obviously you’ll need to change “nathan” to your account name for each instance. You should also replace the UUID with your own. The remove script is not all too different:

iphone_remove.sh

#!/bin/bash
export XAUTHORITY=/home/nathan/.Xauthority
export DISPLAY=:0.0
su nathan -c “/usr/bin/VBoxManage controlvm bc341828-db3b-46a9-8bc9-153c8eb35ad7 acpipowerbutton” >> /var/log/iphone.log

Again, the export commands tell it which X session to use and we use VBoxManage to simulate an ACPI shutdown. You’ll need to replace the UUID with your own and change the user name and home folder path. Make sure these scripts work before you move on to the udev stuff.

grab the serial number

Note, this section was originally created using 0810 (Intrepid) but it broke in Jaunty (0904). I have another way to configure this so it works in Jaunty at the end of this post (it may also work in Interpid).

Now we need to tell Linux to run the above scripts when the device is connected/disconnected from the USB bus. First we need to find the serial number of your iPhone so we can tell udev what to look for.

$ lsusb | grep Apple

This displays the USB bus and device numbers for your phone, note the two 3-digit numbers and plug them into the next command.

udevinfo -a -p `udevinfo -q path -n /dev/bus/usb/004/002`|grep “ATTR{serial}”

Change 004 to the bus number you got in the previous command and change 002 to your device number. This digs into the attributes of your iPhone and displays the serial number which we’ll need later on. Note that you can remove the grep command to view all available attributes of your phone if you’re curious.

udev stuff

Go to the udev rules directory and create a new iphone rule, use a lower number like 98 so it gets processed after the other rules.

$ cd /etc/udev/rules.d

$ sudo vi 98-iphone.rules

98-iphone.rules

ACTION==”add”, SUBSYSTEM==”usb”, ATTR{serial}==”c4560xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx”, SYMLINK+=”iphone”, RUN+=”/home/nathan/scripts/iphone_attach.sh”

ACTION==”remove”, SYMLINK==”iphone” ,RUN+=”/home/nathan/scripts/iphone_remove.sh”

The first line here describes what to look for when a device is attached and what to do when it finds your iPhone. The ACTION, SUBSYTEM, and ATTR declarations tell it to watch for a USB device being added with the serial number of your iPhone. SYMLINK tells it to create an entry on the dev file system for it (/dev/iphone); through trial and error I discovered that this is required so we have something to look for when the phone is disconnected. The RUN section tells it to run the iphone_attach.sh script.

The second line is a bit different and maybe not as intuitive. It is watching for the dev file of your iphone to disappear (/dev/iphone) which happens as soon as you unplug it. Then it runs the iphone_remove.sh script. That’s it, you’re done.

other stuff

One annoyance I ran into was Nautilus trying to automount the phone as a camera. I was unable to tell it to ignore the iPhone, so I just turned off automount completely in Nautilus using gconf-editor.

$ gconf-editor

(uncheck: apps > nautilus > preferences > media_automount)

Another idea I had to use the suspend/resume functionality instead of stopping/starting the VM. However, I found that on resume the VM wouldn’t properly sync with the phone until Windows rebooted, even after using the VBoxManage commands to disconnect/reconnect the phone.

In the future, I’d like to look into reducing the XP install size with something like nLite and using dropbox to move the VM to the cloud. The ultimate goal would be to have the ability to sync my phone from home, work, or my laptop while travelling. I have some ideas on the way to approach this but it’s not a burning need at the moment. It would be really cool though.

Jaunty

Unfortunately I noticed the iphone_remove.sh script was no longer triggering after I upgraded to Jaunty. So I figured out another way to configure udev. First, we need to come up with another identifier to use in the udev rule:

udevadm monitor –environment

While that command is running in the background, plug in your phone, one of the lines should look like this:

PRODUCT=5ac/1292/1

Copy this line. I’m not sure if the same ID applies to the original and 3G phones, so run this for yourself. Then we can create the udev rule.

vi /etc/udev/rules.d/98-iphone.rules

You may need to change the Product ID here if it differs from mine, and change the path to your script:

SUBSYSTEM==”usb”, ENV{PRODUCT}==”5ac/1292/1″, ACTION==”add”, RUN+=”/home/nathan/scripts/iphone_attach.sh”
SUBSYSTEM==”usb”, ENV{PRODUCT}==”5ac/1292/1″, ACTION==”remove”, RUN+=”/home/nathan/scripts/iphone_remove.sh”

And that’s it. This may actually be the proper way to configure the rules in Intrepid, but I no longer have a 0810 system to test on.

]]> http://n8wood.wordpress.com/2009/04/22/iphone-syncing-and-linux/feed/ 6 n8wood VirtualBox usb itunes http://n8wood.wordpress.com/2009/04/06/automating-pass-phrase-signings-with-expect/ http://n8wood.wordpress.com/2009/04/06/automating-pass-phrase-signings-with-expect/#comments Mon, 06 Apr 2009 20:34:45 +0000 n8wood http://n8wood.wordpress.com/?p=116 ]]> I got annoyed with entering the pass phrase to sign RPMs, especially when I had a script that would build many RPMs while I went off and did something else. So I used expect to script it, and it was quite easy.

This is what my rpm build command looked like when run manually:

rpmbuild -bb –sign –target=i386,x86_64 package.spec

Here’s the expect script that inputs the pass phrase when prompted:

#!/usr/bin/expect
spawn rpmbuild -bb –sign –target=i386,x86_64 [lindex $argv 0]
set pass sekretpassword
expect “phrase:”
send “$pass\r”
interact

To run the script once, I would just pass the filename.spec as an argument, but I’d rather use it to build many RPMs with a single command. Here’s the bash script I use to do it.

#!/bin/bash
cd /home/nathan/rpm/SPECS/
for file in `ls *.spec`
do
/home/nathan/scripts/rpmbuild_expect “$file”
done

Expect can be used to automate anything that requires standard input, it’s quite handy.

Commodity Server Environments

Virtualization abstracts the server layer; eliminating driver issues, and making an OS installation look more like an atomic unit instead of a collection of software and libraries. OS images become the foundation for many different application platforms. Install an OS with some core packages, use it as a template, and you’ll never have to repeat the process for all the apps you build (until you decide to move to a newer OS). It streamlines and standardizes your server environment. Repositories of free virtual appliances are available now for developers, sys admins, and hobbyists to tweak, learn, and implement.

Need a caching DNS, proxy, mail, web, DB, file, print, or development server? Grab one now, freshly baked, no Windows required.

Preserved In Carbonite

Once the hypervisor is pervasive in our environments, we will begin archiving VMs. Want to retire that old HR system since you’ve moved to a new platform? You can’t exactly delete the data it contains (in it’s proprietary format), but odds are you’ll never actually grab anything from it… again. Archive the VM. Put it on tape and free up some resources. If the unlikely occurs and you need to access the system, your hypervisor won’t care if it’s a decade old OS that only supports decade old hardware. It sure beats a closet full of old servers that may or may not boot; or a folder full of CD’s that won’t install on your current hardware/OS (plus you’ll still need to restore the data from tape).

Remember those VMs you archived, do they require Windows licenses while they’re sitting on tape, or just when you need to access them a decade from now? Have fun keeping track of that.

Streamlined Installation and Support

These atomic units (VMs) also simplify things for software vendors. Instead of shipping an installer, they can ship a VM. This reduces the amount of QA that goes into a product dramatically. It will run perfectly in the environment because it’s the same system they tested it on. It eliminates software requirements, speeds up problem resolution, and reduces support call volume. Vendors could more easily provide services to customize their products. Configure the image in house and send it out to the client when it’s ready. No need for messy VPN solutions and vendor access to your inside network.

Why would a vendor choose the additional cost of a Windows license and more importantly, the complexities of redistributing that OS with their virtual appliance?

The Cloud

Cloud computing moves the abstraction out even further, to the compute cycles, the storage, and even the data center. The end user doesn’t care what OS the service runs on, so it will be that of least resistance to the service provider… probably Linux.

Vendor Lock-In Versus Ultimate Flexibility

All of these things work better with an open OS. The ability to create libraries of shared images online is just not possible with Windows. Projects like NC State’s Virtual Computing Lab lend themselves to and will thrive in an open, unencumbered environment. Commercial software platforms add unnecessary overhead and crippling restrictions to our enterprises, schools, and governments.

Microsoft may find itself a has been, operating on the thin margins of commoditized desktop OS as organizations see the benefits of open platforms and open formats.

“No handlers could be found for logger “xend”"

If I manually started the VM, it worked fine, but the init script would just not work. After reducing the script to it’s most basic functionality and ignoring the settings in /etc/sysconfig/xendomains I was able to determine SE Linux was causing the problem. As soon as I disabled it with “setenforce 0″, it worked.

I could understand having this problem if the script or RPM packages were custom, but Xen + xendomains are all Centos packages. The RPMs should contain the SE Linux commands to allow Xen VM startup from the startup script.

Truly annoying.

After failing to get Bind running with this, I discovered that the setting was not introduced until version 9.4. Unfortunately, Centos/RHEL only provides Bind 9.3. I was unable to find Bind 9.4+ in custom repositories, so I decided to grab the source RPM (9.5.1) from Fedora 10 and build it for Centos 5.

I figured I’d post a link to them in case they could be of use to anyone else. Note: I have not tested these thoroughly, but they seem to work on my test box.  I’ve included bind-chroot, if you don’t use chroot skip that link.

i386:

http://arilon.ccv.brown.edu/rpm/bind-9.5.1-0.8.b2.i386.rpm

http://arilon.ccv.brown.edu/rpm/bind-chroot-9.5.1-0.8.b2.i386.rpm

http://arilon.ccv.brown.edu/rpm/bind-libs-9.5.1-0.8.b2.i386.rpm

http://arilon.ccv.brown.edu/rpm/bind-utils-9.5.1-0.8.b2.i386.rpm

rpm -Uvh bind*