What's Wrong with New Linux Users?

Posted by JD 12/09/2009 at 08:54

Simple. They aren’t willing to spend the same amount of time they’ve spent learning some other operating system to learn Linux.

I’m happy to help them learn Linux in general (not a specific distribution), provided they display a sincere interest and a burning desire to learn.

That doesn’t mean I’ll spoon-feed answers to every question they have (that is impossible), but I will help them learn how to find answers to their questions and teach them things that UNIX-like operating systems can do out of the box that most Windows-based systems cannot.

Before heading down the UNIX OS path, be aware that months of effort will probably be needed. Do you have the stomach for that commitment?

Any takers?

December OpenSolaris Meetup

Posted by JD 12/09/2009 at 07:46

I attended the Atlanta area OpenSolaris Meetup last night even though we were getting some major rain in the area which made the 30 minute drive challenging. Why would I bother? Swag? Scott D presenting? Being around other nerds that like Solaris? No, although those are all valid reasons too.

Even with the nasty weather, the room was packed and we had to bring in some more chairs so everyone could sit. About 20 people attended.

New stuff in ZFS

Yep, the entire meeting was about fairly new features added to ZFS on OpenSolaris. Things like data deduplication and how well it works in normal and extreme situations. The main things I took away from the talk were:

  1. ZFS is stable
  2. Data Deduplication, dedup for short, should only be used on backup areas, not on live production data, until you become comfortable with it and the performance in your environment
  3. Dedup happens at the block level of a zpool, anything above that level still works as designed
  4. Only use builds after 129 of OpenSolaris if you plan to use dedup. Earlier versions had data loss issues with the code.
  5. Solaris doesn’t have the dedup code yet. It is not currently scheduled for any specific release either.
  6. DeDup is only available in real-time now, there is no dedup thread that can be scheduled to run later. This could have unknown performance impacts (good or bad).
  7. ZFS supports both read and write cache devices. This means SSDs, cheap or expensive, can be used for either cache while cheaper, larger SATA disks provide the actual storage. Some cost/performance examples were shown comparing 10,000rpm SAS drives with an SSD cache in front of 4200rpm SATA drives. The price was about the same, 4x more storage was available and performance was 2x better for read and about the same for write. Nice.
  8. ZFS has added a way to check for disk size changes – suppose your storage is external to the server and really just a logical allocation. On the storage server, you can expand the LUN that the server sees. ZFS can be configured to manually or automatically refresh disk device sizes.
  9. Device removal – currently there is no direct method to remove a disk from a ZFS pool. There are workarounds, however. Anyway, they are planning to release a method to remove a disk from a zpool in OpenSolaris ZFS this year.

To really get the demo, you need to accept the other great things about ZFS as a basis, then add the new capabilities on top. One of the demonstrations was how IT shops can charge back for data storage to multiple users since they are using the data, even when 20 other departments are also using the same data blocks. Basically, dedup gives you more disk storage without buying more disk.

ACLs are managed at the file system level, not the disk block level, so the dedup’ed data still can only be accessed appropriately.

Why OpenSolaris ?

OpenSolaris is an open source version of Sun Microsystems’ Solaris operating system that runs on lots of hardware you may already own. It also runs inside most virtual machines as a client or guest. Since it looks and feels like Solaris, you can become familiar with it at home for just the cost of disk storage – about 20GB. Sun also uses OpenSolaris to trial new features prior to placing them into the real Solaris releases. I run OpenSolaris in a virtual machine under Windows 7 using the free version of Sun’s VirtualBox hypervisor. I know others who run it directly on hardware, under Xen and under VMware hypervisors too. Just give it enough virtual disk storage and go. I think 10GB is enough to load it, but a little more, say 20GB, will let you play with it and applications more.

If you are in the market for NetApp storage, you really need to take a look at Sun’s storage servers running ZFS. The entry price is significantly less and you get all the flexibility of Solaris without giving up CIFS, iSCSI, NFS, and, in the future, fibre channel storage. Good sales job Sun.

Swag

No meetup is a success without some swag. Water bottles, t-shirts, hats, and books were all available. We were encouraged to take some after the iPod Nano raffle was won (not by me). Pizza and sodas were also provided by the sponsors.

Simple Security for Emails Clicks

Posted by JD 12/06/2009 at 08:18

Scenario

We all get emails asking us to do something. Sometimes the email includes a link to a specific web site to help you complete the task. Unless you only view email as plain text (no RTF, no HTML), you can’t trust that the URL you click is really where you are being taken. If there are any misspellings or simple grammar issues, ignore the email.
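One way to make the scenario above concrete is to compare the text a link displays with the host its href actually points at. This is an added example, not part of the original post; the HTML message and the domain names in it are constructed, and registrable_host is a deliberately rough helper that does not understand multi-part public suffixes.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an HTML email whose visible link text names one site
# while the underlying href leads somewhere else (both domains are made up).
SAMPLE_EMAIL_HTML = """
<p>Your account needs attention. Please sign in at
<a href="http://login.example-bank.com.evil.test/cp">https://www.example-bank.com/login</a>
or visit <a href="https://www.example-bank.com/help">our help page</a>.</p>
"""


def registrable_host(url):
    """Last two labels of the URL's hostname, a rough 'which site' name.
    Simplification: multi-part public suffixes such as .co.uk are ignored."""
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_deceptive_links(html):
    """Return hrefs whose visible text is itself a URL on a different site.
    Links whose text is plain words ('our help page') cannot be judged
    this way and are not flagged."""
    parser = LinkCollector()
    parser.feed(html)
    suspicious = []
    for href, text in parser.links:
        if text.startswith(("http://", "https://")):
            if registrable_host(text) != registrable_host(href):
                suspicious.append(href)
    return suspicious


if __name__ == "__main__":
    for href in find_deceptive_links(SAMPLE_EMAIL_HTML):
        print("link text does not match destination:", href)
```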

Simple Solution

Don’t click links provided in emails. Rather, manually go to the website. Use your password manager, like KeePass, to open the correct page and enter your login credentials. Or you could type the known URL, just don’t click the URL in the email. Simple enough?

You know this stuff. You know not to click. But it takes just 1 small mistake to be p’wned and you may not realize it for a few days, if ever.

Examples

Hak5.org forums were hacked in 2009. When the maintainers realized it, they sent an email warning everyone and suggesting that you never use the same password on multiple websites. Good advice. If you use a password manager, like KeePass, you never need to worry about reusing the same password. Just use the Generate button to create a strong password for each website you visit.

Web site administrators are being targeted now to gain access to the servers by people who want more bot controllers in their bot network. I’ve used cPanel before at a hosting provider and it would be easy for that page to be cloned, yet still appear to work. The cloner can grab the login credentials and pass them on to the real cPanel page. When you run a web site, the management of that website often bounces between lots of unrelated web servers that you aren’t used to seeing, adding to the confusion. Even Yahoo hosting was targeted, so I can’t believe that some very popular, yet cheap, providers aren’t also.

I get spam emails that are usually sent from small business servers all the time. These servers could be misconfigured to allow email relaying or compromised by some other method. Regardless, sending an email to the administrator never seems to help.

During holidays, we all get Holiday eCards asking us to click on a URL. I’ve gotten 3 called ICQ Greeting Cards this week. The link in all three of those emails was to some nasty software, for sure. Don’t click. They even had safe links included in the email to the real ICQ site to earn my trust.

Be careful out there, especially if you are an administrator for others or public facing internet services. I expect to be hacked at some point. I have been hacked – over 10 years ago. Hopefully, being hacked again won’t happen for some time.

Hiking in Alabama

Posted by JD 12/02/2009 at 13:29

Sometimes you don’t realize what a great day you had until later.

Over Thanksgiving, I spent a day near Tallassee, Alabama hiking on the Cherokee Ridge Alpine Trail.

Finding the trail head from the parking lot wasn’t as easy as it should have been and later I ended up taking a turn that shortened my hike by 2 miles due to poor signage. The fallen leaves everywhere made it difficult to stay on parts of the trail. The trail was still enjoyable with ups and down parts. I rate it moderate overall with a few short difficult sections. Along the way, I saw wild turkey, deer and an interesting spider that I’d never seen before along with the normal squirrel and bird life.

According to the Bugfinder site I saw a Spiny Backed Orb Weaver in the center of its normal web. It was a little over 1cm in diameter.

Anyway, it was a nice few hours spent hiking in nature next to Martin Lake with a few overlooks.

Shame on Pidgin-Plain Text Passwords

Posted by JD 12/01/2009 at 18:02

Today I was going through my list of files to backup on my Linux laptop and removing temporary and cache files when I came across a directory that I didn’t recognize. The files were listed as changed within the last 3 days.

changed .purple
changed .purple/accels
changed .purple/accounts.xml
changed .purple/blist.xml
changed .purple/prefs.xml
changed .purple/status.xml

It turns out they are for pidgin, the extremely popular Instant Messaging software. Ok, I use that – fine. But my interest got the best of me and I looked at the accounts.xml file. Obviously it is an XML file, but I was shocked to discover the following (modified for my protection):



<account>
  <protocol>prpl-jabber</protocol>
  <name>admin-userid@example.com/Admin</name>
  <password>some-really-complex-password-with-lots-of-special-characters-in-clear-text</password>
  <alias>admin</alias>
</account>

The password isn’t encrypted. Not at all!

This is unacceptable.

There is an encryption plugin for pidgin but it is for IMs, not the stupid passwords. This is just crazy. Heck, there are ROT13 methods and trivial 2-way password encrypt/decrypt methods which could be used if necessary.

The pidgin wiki has this to say. I have to admit, they do have a point, but I still disagree with it. At least they do set the directory permissions to 700 and file permissions to 600 (user only), but this doesn’t help with my backups placed on another system, does it?
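As an added example (not from the post or the Pidgin project), here is a small audit that reads an accounts.xml in the layout shown above and reports which accounts carry a clear-text password element, plus a helper that blanks those values in the copy destined for an off-machine backup; the sample file contents are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of Pidgin's ~/.purple/accounts.xml
# (element names follow the real file; the values are made up).
SAMPLE_ACCOUNTS_XML = """<account version='1.0'>
  <account>
    <protocol>prpl-jabber</protocol>
    <name>admin-userid@example.com/Admin</name>
    <password>hunter2-but-longer-and-in-clear-text</password>
    <alias>admin</alias>
  </account>
  <account>
    <protocol>prpl-irc</protocol>
    <name>someone@irc.example.net</name>
    <alias>someone</alias>
  </account>
</account>
"""


def accounts_with_plaintext_passwords(xml_text):
    """Return (protocol, name) for each account whose <password> element
    holds a non-empty value. The password itself is never returned, so the
    result is safe to print or log before a backup run."""
    root = ET.fromstring(xml_text)
    found = []
    for acct in root.findall("account"):
        if acct.findtext("password"):
            found.append((acct.findtext("protocol", ""), acct.findtext("name", "")))
    return found


def redact_passwords(xml_text):
    """Return a copy of the XML with every <password> value blanked, for
    inclusion in a backup set that leaves the machine. The live file is
    not touched; Pidgin keeps working from the original."""
    root = ET.fromstring(xml_text)
    for pw in root.iter("password"):
        pw.text = ""
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for protocol, name in accounts_with_plaintext_passwords(SAMPLE_ACCOUNTS_XML):
        print(f"clear-text password stored for {protocol} account {name}")
```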

Subtitle Script for I to l Conversions

Posted by JD 11/30/2009 at 18:45

A quick script to change a capital I (eye) in the middle of a word into a lowercase l (el). If you like Asian films, you understand why I wrote this script. I had an itch. It needed to be scratched. This is useful for .srt files used in movie subtitles.

#!/usr/bin/perl
# Perl script to change every 'I' into an 'l' in the middle of a word
# input is stdin and output is to stdout; redirection is your friend
use strict;
use warnings;

while (my $line = <>) {
    chomp $line;
    # Replace a capital I only where a non-whitespace character precedes it,
    # so a standalone pronoun "I" at the start of a word is left alone.
    $line =~ s/(?<=\S)I/l/g;
    print "$line\n";
}

It is very common for subtitle files, SRT format, to have a capital I in the middle of words since bitmap patterns are used to create the files. For native speakers of English, this is HIGHLY distracting – to the point that the subtitles must be fixed before a movie can be enjoyed.

I tried a few other methods before determining this simple character translation was needed.

  1. ispell – There were too many words that were not in the dictionary and spacing of words often groups them in strange ways.
  2. replacement dictionary – I created a hundred word dictionary replacement sed script. There were always new words that needed to be added for every SRT file.
  3. Manual editing – yep, I spent a few hours manually editing files. This wasn’t very efficient and ruined the movie plot since I’d already read it before viewing it.

Some combination of methods will probably be necessary. I intend to merge them into a single perl script and perform them in the most efficient order. It will begin with the I -> l translation.

Curry Chicken Success

Posted by JD 11/21/2009 at 07:15

I’m easily amused. You know that by now.

In a quest for great homemade curry recipes without too much difficulty, I’ve tried a few. Yesterday, I found the best mix.

The key was the curry – Kitchens of India is imported from, er, India. It is a curry paste and comes in a sealed foil package. A 6 pack runs $12 from amazon – ouch. It is worth it.

Follow the last curry chicken crock pot recipe I posted here, just use the Kitchens of India curry instead. Here’s the result


Yum.

Solved - Adito 0.9.1 Installation Woes

Posted by JD 11/20/2009 at 16:26

So, Adito/VPN doesn’t really like Linux. The installation goes better than expected on 32-bit Linux, but if you change any of the configuration settings, then have the admin web page reset the server, the system won’t come back up. This happens on both 64-bit and 32-bit Ubuntu 8.04.x in my experience.

Initially, I installed Adito on a 64-bit Ubuntu Server, but problems with the startup scripts and/or wrapper prevented it from working as far as I can tell. I never, never, never got Adito to work after a reboot on 64-bit Linux. I ended up installing a 32-bit VM under ESXi 4 and loading Adito there. The comments below are for 32-bit Linux, since it was clear that the 64-bit startup scripts/wrapper were beyond my ability to solve.

Even on the 32-bit Adito install, the system has never come back up after changing settings that require a reboot for me. NEVER without doing some extra work. After making any reboot-required changes, only the method outlined below has gotten a running Adito system again.

The Fix

I’ve tried a few methods (UTF-8 settings, hacked startup files, hacked config files, swapped versions of libwrapper crap), only the following has actually worked. As root:

  1. cd /opt/adito (or whatever directory you used)
  2. Delete the conf/webserver.properties
  3. ant install
  4. Login through the web interface at http://host:28080
  5. Step through the install process keeping all the defaults from before. Only the SSL certificate/key will need to be reinstalled.
  6. Reboot and all is well.

I’ve not lost userIDs or policies or tunnel settings doing this.

At some point, I’ll need to figure out how to backup just the settings and DB, without grabbing the entire server image.

What’s the issue?

I can only guess, but I believe it is too much of a mix of java and supporting java tools. According to the blueprint going forward, they plan to swap ant for some other tool and remove libwrapper. Ant is used by all java development teams, so I doubt that really is the issue. libwrapper appears to be a lazy way to set configurations for java web applications. There seem to be incompatible versions shipped with Adito as well. The startup process is overly complex too.

/etc/init.d/adito points to /opt/adito/install/platforms/linux/adito, which is overly complex and reads a config file, /opt/adito/conf/wrapper.conf, which figures out which specific version of wrapper to call in /opt/adito/install/platforms/linux/x86-64/wrapper with the appropriate options (more than 3 options for some reason).

/opt/adito/conf/wrapper.conf is rewritten with every run of ant, which means any time you have to modify it to make it work (UTF-8 character sets), then any use of ant will overwrite those settings. CRAP. There are ways to reset everything with ant or just reset parts. The problem is these resets aren’t explicit in the build.xml file – they are implicit. More crap.

Anyway, the levels of indirection are too complex and just make something that should be

java /opt/adito/lib/adito.war

into something really complex. Yes, I know it isn’t that simple, but it should be. That’s the point.

Update a few weeks later

So we’ve been using the VPN for a few weeks and everything is working well. Performance is good. There are a few things lacking that we’d really like to have, but they are beyond our expertise. Since I’m protecting internal web sites, we didn’t want to leverage LDAP authentication. We really want RADIUS authentication with X.509 certificate exchange. That isn’t a built-in option, so I force really, really long and complex passwords and don’t allow users to change their passwords for the VPN. Their LDAP passwords are still known only to them; it is just VPN access for which I demand 60+ character passwords. I deliver the password to each of them in a KeePass database, further insisting they follow good password management and protection methods.

Deployment to the entire company happened a few months ago. We’ve had no issues and have placed all our applications behind this VPN.

Help Make This Data Better

As I review this post, I can see where it could be confusing. It isn’t particularly well written. Please let me know which parts are too confusing to be useful. Oddly, this is one of the most popular posts on this site.

ESXi 4 and Win7 Pro

Posted by JD 11/19/2009 at 15:55

Last week, I setup and configured a special desktop for the accounting system for the company. Basically, it is a Windows7 Pro desktop running under ESXi 4 that the folks responsible for accounting remote (RDP) into after connecting via VPN to the special network for it. We’re small and only a few people even need access – never more than 1 at a time.

It was fairly painless to setup, install Accounting, load the Payroll CD, then validate remote VPN access (which is never trivial), then setup daily backup jobs. Of course, AV, automatic patches and nasty IE settings were configured too. Each daily backup set is about 250MB, which isn’t too bad, but more than I would have thought given the machine is idle most of the time and won’t be used more than 3 days a month. These backups are Microsoft VHD files using the built-in backup, which could be useful, but I’d rather have a complete VMDK, VDI, or Xen img file to restore.

Of course, it isn’t possible to connect to this VM without going through our VPN.

Next I need to perform a test restore to another machine under some virtualization tool that we use. Yeah, I know with the VHD, I can perform a restore someplace else, but with the VM-image file, I just point a hypervisor at it and go. Now that VirtualBox supports VMware vmdk files, this test really should be trivial. If it goes well, I’ll take my WinXP VM (MS-Office, Visio and other WinXP-only tools) and put it under a server-based VM too. It will be better to not travel with that stuff on my laptop anyway.

Linux and the Maytag Repairman

Posted by JD 11/16/2009 at 11:41

Linux compared to the Maytag Repairman

In summary, IT consultants don’t deploy Linux because deploying Windows gets them more customers and repeat business. Windows requires more IT support than Linux.

If you are a Linux consultant, you must have many more clients to make a living, which means more effort acquiring the clients.

With Linux systems, once they are deployed, they just work and continue to work. For many systems, even patches are handled automatically with no need for onsite support. The only reason to call your Linux consultant is to upgrade a system to a new release OR for a hardware failure.

I don’t know whether any of these statements are completely true, but there is some fact in each of them.