Wednesday, January 17, 2007

Fix for acroread

Adobe Reader fails to start on the Gnome desktop on Fedora 6. There seems to be a conflict with scim (smart common input method). The fix is to add the following to the top of /usr/bin/acroread:

export GTK_IM_MODULE=xim

Monday, December 04, 2006

GRUB errors

After a migration of my home server to a new mirrored 500GB sata setup from my old 160GB pata system, I encountered some problems with booting the server. Initially booting stopped at:

GRUB _

This was fixed by booting from the FC6 DVD and selecting "linux rescue". I then chrooted to my install with "chroot /mnt/sysimage", followed by a "grub-install".

This fixed my first problem but now boot was hanging at:

GRUB loading stage 2

So again, back into the rescue boot and my chroot environment. Now I ran "/sbin/grub" which took me into the grub shell. I ran "root (hd0,0)" to use the first partition of the boot disk, then ran "setup (hd0)".

Next boot all was well.

Friday, December 01, 2006

X Forwarding problems

I've set up a new Fedora 6 server using Xen (another story), but no xorg packages were installed. When logging in over ssh with X forwarding enabled (ssh -X) I still couldn't run any GUI applications remotely. Logging in with debug (ssh -Xv):

debug1: Requesting X11 forwarding with authentication spoofing.
debug1: Remote: No xauth program; cannot forward with spoofing.

Turns out the solution is to install xauth:

# yum install xorg-x11-xauth.i386

Friday, September 08, 2006

Configuring apache for webdav

I wanted to configure my apache server with a webdav directory to test iCal's calendar publishing ability. My apache server runs on Fedora Core 5. In /etc/httpd/conf.d I created a file called webdav.conf which along with all the other .conf files in this directory gets read by the master conf file /etc/httpd/conf/httpd.conf. The file webdav.conf has the following content:

<Location /cal>
DAV On
AuthType Basic
AuthName "WebDAV Restricted"
AuthUserFile /var/www/.htusers
require user myuser
</Location>

The location directive refers to a directory called "cal" located at the root of my webserver created with:

mkdir -p /var/www/html/cal
chown apache:apache /var/www/html/cal

"DAV On" enables the webdav access for this location. I'm using basic apache username/password authentication for a pre-existing user "myuser" in the file /var/www/.htusers.

Monday, August 28, 2006

Secure IMAP with Dovecot and SSL

In common with many other older protocols IMAP traffic is sent in clear text, with potential for anyone to eavesdrop or steal passwords. Like other modern IMAP servers Dovecot provides methods of enhancing security; you can either use secure authentication methods such as cram-md5 or encrypt the whole session using SSL. I've configured my Fedora Core 5 server to use SSL.

By default on FC5 Dovecot allows the following protocols:

imap imaps pop3 pop3s

To only allow imaps we must set:

protocols = imaps

in /etc/dovecot.conf

The server also comes with a dummy "localhost.localdomain" x509 certificate in /etc/pki/dovecot which should be replaced by your own self-certified certificate (or even better, one signed by a CA). There is a script provided ( /usr/share/doc/dovecot-1.0/examples/mkcert.sh ) to automate the process, but first two files must be modified. Since mkcert.sh has not been written specifically for FC5 we must change the locations in the script so that they look like:

#!/bin/sh

# Generates a self-signed certificate.
# Edit dovecot-openssl.cnf before running this.

OPENSSL=${OPENSSL-openssl}
#SSLDIR=${SSLDIR-/etc/ssl}
SSLDIR=${SSLDIR-/etc/pki/dovecot}
OPENSSLCONFIG=${OPENSSLCONFIG-/etc/pki/dovecot/dovecot-openssl.cnf}

CERTFILE=$SSLDIR/certs/dovecot.pem
KEYFILE=$SSLDIR/private/dovecot.pem


Of course, these values should match what is in /etc/dovecot.conf, but the above is good for a default install. Next, update the contents of /etc/pki/dovecot/dovecot-openssl.cnf to reflect the local country code, organisation and common name (something other than localhost.localdomain!). Now all that is required is to run "mkcert.sh" then run a "service dovecot restart", following which any mail clients will need to be configured for SSL.
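
To confirm that the "protocols" change really took effect, the following added example (not part of the original post or of Dovecot) reads a Dovecot 1.0-style config file and reports any cleartext protocols that are still enabled. It assumes that a missing or commented-out "protocols" line means the FC5 default listed above applies; the function names and sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example: report cleartext mail protocols still enabled in a
# Dovecot 1.0-style config file. All sample configs are constructed.

# Default from the post: FC5 enables all four when nothing is set.
DEFAULT_PROTOCOLS="imap imaps pop3 pop3s"

# Print the effective protocol list: the last uncommented
# "protocols = ..." line, or the default if there is none.
effective_protocols() {
    value=$(sed -n 's/#.*//; s/^[[:space:]]*protocols[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1)
    if [ -n "$value" ]; then
        printf '%s\n' "$value"
    else
        printf '%s\n' "$DEFAULT_PROTOCOLS"
    fi
}

# Print the enabled cleartext protocols, space separated.
# Returns 0 when only SSL-wrapped protocols (imaps, pop3s) are enabled.
cleartext_protocols() {
    found=""
    for proto in $(effective_protocols "$1"); do
        case "$proto" in
            imap|pop3) found="${found:+$found }$proto" ;;
        esac
    done
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Demo on two constructed configs: a commented-out line (default applies)
# and the SSL-only setting from the post.
demo_dir=$(mktemp -d)
printf '%s\n' '# protocols = imap imaps pop3 pop3s' > "$demo_dir/default.conf"
printf '%s\n' 'protocols = imaps   # SSL only' > "$demo_dir/hardened.conf"
for conf in default.conf hardened.conf; do
    if leaked=$(cleartext_protocols "$demo_dir/$conf"); then
        echo "$conf: OK, only SSL-wrapped protocols enabled"
    else
        echo "$conf: cleartext protocols enabled: $leaked"
    fi
done
rm -rf "$demo_dir"
```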

Friday, August 11, 2006

CUPS Browsing

The CUPS print software ships with the browse support (or rather the broadcast component of the server) disabled. Once enabled, all clients should be able to detect and browse all printers on the server. There are basically three possible configurations (in /etc/cups/cupsd.conf) for broadcast:

BrowseAddress aaa.bbb.ccc.ddd
BrowseAddress @LOCAL
BrowseAddress @IF(name)

The first will specify a broadcast address such as 192.168.0.255. The second will broadcast to all local nets, whilst ignoring LANS such as point-to-point (dial-up) etc. The last limits broadcasts to an interface, so "BrowseAddress @IF(eth0)" only broadcasts on device eth0.

By default the server will allow incoming packets from any address, so if you wish to restrict access you can use either of the "BrowseAllow" or "BrowseDeny" directives as in:

BrowseDeny badhost.example.net (requires "HostNameLookups On")
BrowseDeny 192.168.1.10
BrowseDeny @IF(eth1)

Friday, August 04, 2006

Solaris and man page troubles

After a fresh install of Solaris I was unable to use "man -k" as I was getting:

/usr/share/man/windex: No such file or directory

The solution is to run "catman -w" and all is well.

Wednesday, July 05, 2006

Xgl on Fedora Core 5

I've got Xgl running by following the instructions here. I've been waiting quite a while for somebody to provide an easy and non destructive way of installing Xgl. I have previously tried using Aiglx, but that didn't seem as stable; blurry fonts and X server hangs when switching between virtual consoles.

Xgl works very well on my desktop (P4 2.8, 1 GB Ram, nVidia fx5700 256MB) with the nVidia driver, but not so well on my laptop (P4 2.4, 1 GB Ram, ATI 340M IGP). As ATI haven't released a linux driver for the 320/340 IGP series I have to use the open source 'radeon' driver which doesn't yet support the pixel-buffer required by Xgl. As a result some of the effects are rendered in software, and some graphical glitches are visible.

To view/modify the shortcut keys for compiz (which provides all the cool effects) you'll need to run 'gconf-editor' and look at 'apps/compiz'.

Wednesday, June 28, 2006

Remote name daemon control (rndc) for BIND

Using the rndc command you can send commands to your DNS servers over TCP authenticated by digital signatures. Without any parameters the command prints out its options:

Usage: rndc [-c config] [-s server] [-p port]
[-k key-file ] [-y key] [-V] command

command is one of the following:

reload Reload configuration file and zones.
reload zone [class [view]]
Reload a single zone.
refresh zone [class [view]]
Schedule immediate maintenance for a zone.
retransfer zone [class [view]]
Retransfer a single zone without checking serial number.
freeze zone [class [view]]
Suspend updates to a dynamic zone.
thaw zone [class [view]]
Enable updates to a frozen dynamic zone and reload it.
reconfig Reload configuration file and new zones only.
stats Write server statistics to the statistics file.
querylog Toggle query logging.
dumpdb [-all|-cache|-zones] [view ...]
Dump cache(s) to the dump file (named_dump.db).
stop Save pending updates to master files and stop the server.
stop -p Save pending updates to master files and stop the server
reporting process id.
halt Stop the server without saving pending updates.
halt -p Stop the server without saving pending updates reporting
process id.
trace Increment debugging level by one.
trace level Change the debugging level.
notrace Set debugging level to 0.
flush Flushes all of the server's caches.
flush [view] Flushes the server's cache for a view.
flushname name [view]
Flush the given name from the server's cache(s)
status Display status of the server.
recursing Dump the queries that are currently recursing (named.recursing)
*restart Restart the server.

* == not yet implemented
Version: 9.3.2


Because digital signatures are used for authentication with the name server daemon, you must specify either a key-file ( -k option) or key on the command line ( -y option). If no key or key-file is specified then rndc will look in the rndc.conf file.

So now you can do cool stuff like turn query logging on and off with:

# rndc querylog
# ping -c 1 www.google.com
# tail /var/log/messages
Jun 28 23:48:21 poseidon named[1986]: query logging is now on
Jun 28 23:48:48 poseidon named[1986]: client 192.168.116.10#33362: query: www.google.com IN A +
# rndc querylog
# tail /var/log/messages
Jun 28 23:51:32 poseidon named[1986]: query logging is now off
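
Since "rndc querylog" is a toggle, the log itself is the only record of whether logging was left on. The following added example (not from the original post) parses syslog lines in the format shown above, summarises queries per client and reports the last logged toggle state; the function names are hypothetical and the sample log is constructed, modelled on the lines in the post.

```shell
#!/bin/sh
# Added example: summarise BIND 9.3-style query log lines from syslog.
# The sample log is constructed, modelled on the output in the post.

sample_log() {
    cat <<'EOF'
Jun 28 23:48:21 poseidon named[1986]: query logging is now on
Jun 28 23:48:48 poseidon named[1986]: client 192.168.116.10#33362: query: www.google.com IN A +
Jun 28 23:48:49 poseidon named[1986]: client 192.168.116.10#33363: query: www.google.com IN AAAA +
Jun 28 23:49:02 poseidon named[1986]: client 192.168.116.22#40112: query: mail.example.net IN MX +
Jun 28 23:51:32 poseidon named[1986]: query logging is now off
EOF
}

# Print "client qname class type" for every query line on stdin.
# The "#port:" suffix is removed from the client address.
parse_queries() {
    awk '
    function addr(c) { sub(/#[0-9]+:?$/, "", c); return c }
    / named\[[0-9]+\]: client .* query: / {
        for (i = 1; i <= NF; i++) {
            if ($i == "client") client = addr($(i + 1))
            if ($i == "query:") { print client, $(i + 1), $(i + 2), $(i + 3); break }
        }
    }'
}

# Print "count client", busiest client first.
queries_per_client() {
    parse_queries | awk '{ n[$1]++ } END { for (c in n) print n[c], c }' |
        sort -k1,1nr -k2,2
}

# Print on, off or unknown according to the last toggle message seen.
query_logging_state() {
    awk '
    /query logging is now on/  { state = "on" }
    /query logging is now off/ { state = "off" }
    END { print (state == "" ? "unknown" : state) }'
}

# Demo on the constructed sample.
sample_log | parse_queries
sample_log | queries_per_client
echo "query logging is $(sample_log | query_logging_state)"
```

On a real server, pipe /var/log/messages into the functions instead of sample_log.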


You can dump the name server cache with the command:

# rndc dumpdb -cache

The dump file will be specified in the named.conf file in the options directive:

dump-file "/var/named/data/cache_dump.db";

Since my server runs in a chrooted environment the location is actually /var/named/chroot/var/named/data/cache_dump.db. The file itself is just plain text so you can view it in any editor.

Tuesday, June 27, 2006

DB2 upgrade

I had a DB2 V8.1 fixpack 2 installation on one of my FC5 systems which I upgraded to the (currently) latest fixpack 12. After completing the upgrade and running the post install tasks (iupdate) I found I couldn't run any of the utils such as db2cc:

[db2inst1@medusa ~]$ db2cc
stackpointer=0x1c3aa4
Writing Java core file ....
Written Java core to /tmp/javacore11599.1151439455.txt
DB2JAVIT : RC = 11


Oops! Something was clearly very wrong here. It turns out that the Java SDK (1.31) originally installed with DB2 doesn't work with FC5 or my kernel (2.6.17). My problem was resolved by downloading and installing the Java 1.42 SDK rpm from IBM, and running the following command as user db2inst1:

db2 update dbm cfg using JDK_PATH /opt/IBMJava2-142

Saturday, June 24, 2006

Mirroring websites with wget

I'm sure it's already quite well known, but I've just discovered how to mirror web sites with wget. I'd been wanting to make sure I had a back up of this blog and was already sure that wget would be the tool to use. A quick search turned up this command:

wget --mirror -w 2 -p --html-extension --convert-links -P /home/pat/documents/blogger/ http://patgardner.blogspot.com

--mirror

get files recursively, but depending on timestamp

-w

wait a number of seconds between retrieval

-p

download all page requisites such as images

--html-extension

makes sure that all the copies of files have .html file extensions

--convert-links

convert links suitable for local viewing

-P

path to save files to

Tuesday, June 20, 2006

iFolder

I've just discovered iFolder, a storage solution originally created by Novell but now released as an open source project. With iFolders you can set up directories to replicate to a server, which in turn will replicate to any other computer that has the client software installed. Client software is available for Windows XP, Linux and OS X. Without the client software you can still upload/download files via the web interface.

Friday, June 16, 2006

Slow Firefox

Firefox 1.5.0.3 provided with Fedora 5 seems very slow (more so on my laptop) particularly when scrolling. CPU usage can easily hit 100% when scrolling up and down a page. A short term solution until they fix it is to put:

export MOZ_DISABLE_PANGO=1

In your .bash_profile.

Zeroconf service discovery

Another new addition to the latest release of Fedora is avahi support, better known as zeroconf or bonjour in the Apple world. This allows for service discovery on the network, such as printers automatically announcing their presence or bookmarks being broadcast to the LAN. The avahi-daemon takes care of advertising services whilst applications such as Gnome (2.14) are avahi aware. Here is an example of how to get avahi up and running.

1. Configure some services. The directory /etc/avahi/services is initially empty, so we'll create a few files:

apache.service
ssh-ftp.service
ssh.service

We populate the files with the following data:

<?xml version="1.0" standalone='no'?>
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
<name>Apache Server Documentation</name>
<service>
<type>_http._tcp</type>
<port>80</port>
<txt-record>path=/manual</txt-record>
</service>
</service-group>

<?xml version="1.0" standalone='no'?>
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
<name replace-wildcards="yes">SFTP File Transfer on %h</name>
<service>
<type>_sftp-ssh._tcp</type>
<port>22</port>
</service>
</service-group>

<?xml version="1.0" standalone='no'?>
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
<name replace-wildcards="yes">Remote Terminal on %h</name>
<service>
<type>_ssh._tcp</type>
<port>22</port>
</service>
</service-group>


2. Enable the avahi-daemon, and have it auto start on system boot.

# service avahi-daemon start
# chkconfig avahi-daemon on


3. We can also enable Gnome file sharing from "Desktop/Preferences/Personal File Sharing" which provides WebDAV access to ~/Public.

4. If we now start nautilus and click on "network" or go to the "network:///" Gnome-VFS, you can see that in addition to the Windows SMB network we also have the "Public" WebDAV share as well as the secure FTP resources displayed:



5. Epiphany (the Gnome web browser) is the only browser which supports avahi bookmarks at this time. We can see this working if we start Epiphany:



There are a couple of other tools which can display zeroconf services, the avahi provided 'avahi-discover' and the 'Zeroconf discovery applet' which is available from the avahi website. Download the service-discovery-applet tarball, unpack and run:

# ./configure && make && make install

You should now be able to add the applet to your gnome-panel:



It's clearly early days for zeroconf support in Linux, but what there is works well. I hope that the Gnome team and other application developers continue to integrate and extend avahi support.

Thursday, June 01, 2006

Sendmail SmtpGreetingMessage

Call me old fashioned, but I still use sendmail. Yeah, I know there are lots of more modern and easy to use MTAs out there but I don't have the time to learn them right now. Sometimes best to stick with what you know. Anyhow...

I was wondering how to change the greeting message on an smtp connection and a long search through my O'Reilly sendmail 3rd Edition provided the answer. The following is an mc configuration for versions 8.7 or above:

define(`confSMTP_LOGIN_MSG',`message')

Where "message" is a string that must at least contain the localhost name. By default message would be:

$j Sendmail $v/$Z; $b

in sendmail.cf, which results in something like:

220 mailhost.mydomain.com ESMTP Sendmail 8.13.6/8.13.6; Thu, 1 Jun 2006 23:19:51 +0100

Where:

$j = fully qualified hostname
$v = sendmail version
$Z = configuration file version
$b = current date and time

I placed this new definition in my sendmail.mc:

define(`confSMTP_LOGIN_MSG',`$j MTA ready and waiting ; $b')

Which displays:

220 mailhost.mydomain.com ESMTP MTA ready and waiting ; Fri, 2 Jun 2006 00:06:08 +0100

Why did I do this? Well it's usually better with sendmail (or indeed any MTA or service) to hide the version from the outside world as this can make it a little harder to exploit.
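
To check that the change holds, the following added example (not from the original post or from sendmail) lints the confSMTP_LOGIN_MSG define in a sendmail.mc for the $v and $Z version macros and the required $j, and tests a 220 greeting line for a product name or version string. The function names are hypothetical and the .mc fragment in the demo is constructed from the define shown above.

```shell
#!/bin/sh
# Added example: lint the confSMTP_LOGIN_MSG define in a sendmail.mc and
# check a 220 greeting. The .mc fragment in the demo is constructed.

bq='`'    # m4 opening quote
sq="'"    # m4 closing quote

# Print the message from the last confSMTP_LOGIN_MSG define, if any.
login_msg() {
    line=$(grep '^define(`confSMTP_LOGIN_MSG' "$1" | tail -n 1)
    [ -n "$line" ] || return 0
    msg=${line#*,}        # text after the first comma
    msg=${msg#*"$bq"}     # drop the opening quote
    msg=${msg%"$sq"*}     # drop the closing quote and anything after it
    printf '%s\n' "$msg"
}

# Print one finding per line; return 0 only if the greeting is clean.
lint_login_msg() {
    msg=$(login_msg "$1")
    if [ -z "$msg" ]; then
        echo 'no define: default greeting discloses $v/$Z'
        return 1
    fi
    rc=0
    case "$msg" in
        *'$j'*) ;;
        *) echo 'missing $j (the host name is required)'; rc=1 ;;
    esac
    case "$msg" in
        *'$v'*|*'$Z'*) echo 'discloses version via $v or $Z'; rc=1 ;;
    esac
    return "$rc"
}

# Return 0 if a 220 greeting line names Sendmail or shows an x.y.z version.
# The status code and host name are skipped so digits in them are ignored.
banner_discloses_software() {
    rest=$(printf '%s\n' "$1" | sed 's/^220[ -][^ ]* *//')
    printf '%s\n' "$rest" | grep -Eq 'Sendmail|[0-9]+\.[0-9]+\.[0-9]+'
}

# Demo: the define from the post, then the two greetings from the post.
demo_mc=$(mktemp)
cat > "$demo_mc" <<'EOF'
define(`confSMTP_LOGIN_MSG',`$j MTA ready and waiting ; $b')
EOF
lint_login_msg "$demo_mc" && echo "sendmail.mc greeting: clean"
rm -f "$demo_mc"
for banner in \
    '220 mailhost.mydomain.com ESMTP Sendmail 8.13.6/8.13.6; Thu, 1 Jun 2006 23:19:51 +0100' \
    '220 mailhost.mydomain.com ESMTP MTA ready and waiting ; Fri, 2 Jun 2006 00:06:08 +0100'
do
    if banner_discloses_software "$banner"; then
        echo "discloses software: $banner"
    else
        echo "clean: $banner"
    fi
done
```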

Wednesday, May 31, 2006

Power Management

Fedora Core 5 comes with the new "gnome-power-manager" which is rather good, as it provides a few more features than the old battery applet such as suspend-to-ram (suspend) and suspend-to-disk (hibernate). However, I can't get my Compaq Presario 2104EU to suspend-to-ram properly; it suspends ok, but powering on just gives me a blank screen. I'd tried to add boot options such as 'acpi_sleep=s3_bios', but to no avail. Either it's a flaky bios or I need to remove some modules before putting the laptop into suspend. What does work is hibernate, though I do have to run 'service network restart' upon resume as it seems to lose its network settings.

For FC5 you can update the 'gnome-power-manager' to the latest version by adding this file to /etc/yum.repos.d/ and running:

# yum -y update gnome-power-manager.i386

Restarting your gnome session you get this new applet:



Choosing "information" from the menu displays extras that aren't on the official FC5 release:





Tuesday, May 30, 2006

Loopback file systems

I had to mount a hard disk image today and found this excellent guide for loopback filesystems on Linux.

Saturday, May 27, 2006

Picasa for Linux

Picasa, the google photo manager, has been released for Linux. It's not a fully native port as it runs using WINE, but even so the performance doesn't seem to suffer for it and I've not noticed any missing features. Download and further information from here .

I'd suggest setting the 'Folder Manager' to only scan /home as by default it scans the whole file system, which makes Picasa take forever to load subsequently!

For anybody that doesn't like the ugly 'winfile' when you 'Locate on Disk' in Picasa just create a script called 'picasa-hook-filemanager.sh' with the following content somewhere in your path (this only works for Gnome):

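#!/bin/bash
# Open the folder containing the file Picasa passes as $1.
# Quoting keeps paths with spaces intact.
nautilus "$(dirname "$1")"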

This is from the Picasa/Linux FAQ.

"You may be surprised that Picasa can't locate files on your Gnome system. Unfortunately, we weren't able to find a way to make Nautilus to open with the correct file highlighted."

I couldn't get the highlight working either even though this link suggests it may be possible on 2.14.

Friday, May 26, 2006

Fix that eject button!

On Linux systems there really is no need to have the cd-rom drawer locked when a disc is inside and having to run the "eject" command to open the tray. This behaviour can be easily fixed with:

# echo "dev.cdrom.lock=0" >> /etc/sysctl.conf

Followed by a reboot. To have it take effect immediately:

# sysctl -w dev.cdrom.lock=0

Nautilus Actions

As much as I like the Gnome desktop there are times when I want to perform a specific action (send a file via bluetooth for example) on a file or directory and have to use gnome-terminal because nautilus (the gnome file manager) doesn't support what I'm trying to do. Fortunately I have now discovered two ways around this; the package nautilus-actions and the native nautilus scripting. I prefer the first method which allows custom right-click actions on objects in nautilus, and here is how you go about it (tested on FC5):

1. Install "nautilus-actions"

# yum -y install nautilus-actions

2. Launch the nautilus-actions configurer from the Gnome panel

Desktop/Preferences/More Preferences/Nautilus Actions Configuration

3. Nautilus-actions will start with no preconfigured actions so we must click on "Add"

4. I'm using "Send files via bluetooth" as an example



Here is the definition of the editable values:

"Label"
How this will appear on the right-click menu

"Tooltip"
An optional descriptive text that will appear at the bottom of the nautilus window

"Icon"
Optional icon to precede the label

"Path"
The executable or script that we wish to perform the action (full path is only necessary if the executable is outside of your normal path ie /sbin )

"Parameters"
Parameters passed to the executable




I'm using "%M" which will pass the full name and path of the files selected to the executable, in this case "gnome-obex-send".

5. Configure the conditions and advanced conditions. These allow you to set the action's behaviour so that it will only work on certain file types, or if the action applies to local or remote (network) file systems.

6. Click ok to save then close the application.

7. Test by opening a nautilus window, selecting a file and right clicking:



We have a new nautilus action!

I also tried to add an action to send files via thunderbird (I don't like evolution much) by using this command:

thunderbird -compose "attachment='file:///%M'"

It seems that Thunderbird 1.5 is broken at this time and doesn't process its command line arguments properly.