Thoughts on Package Management

The Change in Distro-Land

Distros have changed. In the past, they were made up of a small, tightly knit group of collaborators working toward a common goal. With distributions today we now have an informal, large group of collaborators…some of whom may not even be aware of the main goal of the distro. That informal collaborator may just want package foo version 2.2 included in his/her distribution so that he/she can use it on their desktop. How does that informal collaborator become empowered? How can the developers reap what that collaborator sows and harness the collective collaboration of thousands of informal contributors? The answer for many software projects is version control. But how can this system benefit package management?

What If?

What if you could combine SVN/CVS/git behavior and packages? What if when you build the package properly, it is checked into the software development tree. You’d be eliminating an entire step in the process (i.e. working more efficiently) and you’d reap all the benefits of version control (diff, merge, shadow, exports, rollbacks, tags, logs) with the actual software packages without losing the benefit of working with source or binaries. Thousands of contributions could be made in the form of ready to install packages that are CERTIFIED (see how this is possible later in this post) to work on the distribution. The contributions would come in on a version control branch designed by the distribution developers…say 1-contribs (much like a contribs rpm server would be)…but unlike most distributions, they would be certified to run on your distro before they even hit the contribs server/branch. Imagine the impact that this would have for bug testing alone.

Sound too good to be true? It’s not. It’s Conary and it is getting ready to go to version 2.0. Let’s take a look at some advantages that conary has over traditional package management and how it can empower the end user.


ClarkConnect – Enterprise Linux for Your Home

Ever wonder how you could get a solid Security Enhanced Enterprise Grade Linux Router/Server with ftp, apache, traffic shaping, pop-up blocker, content filter, intrusion detection/prevention, and other nice handy tools that every robust server should have…and here’s the kicker…installed and running in about 30 minutes in your home? I know quite a few friends of mine that went out and bought routers from brand names like Linksys, Dlink, and Netgear and then bragged about how cool their new router was (especially concerning ‘gaming routers’. Good lord that’s a con). I then showed them that their router was hackable within a few minutes because most of them didn’t change their default password. It’s interesting also that their routers didn’t do a whole heckuva lot other than route traffic…without throttling or intrusion prevention/detection. On those that were wireless…after some intense packet sniffing, I logged into their network and began surfing the web.

The bottom line is…most routers, if not configured correctly and used to full potential, are wide open and provide only a few functions. If you’re like me, this just won’t do. To combat this in the past, I used to use Red Hat 7.2 on a PI 75Mhz like an appliance to provide DHCP addresses for the LAN and a tidy firewall via ipchains and later iptables. Now there is a Linux distro that is more robust, more organized, and much more dynamic than most Linux router/server configured systems and it provides MANY functions. That distro is ClarkConnect. Today, I’m going to take a look at ClarkConnect 3.2 and show you how you can secure your network using its web interface and excellent administration tools.

ClarkConnect is based on CentOS 4.X and offers a very robust set of tools organized into easy to navigate administration pages. The administration pages are very similar to those that you would find with IPCOP and Smoothwall. However, ClarkConnect throws in extras such as the ability to use Samba and set it up as a PDC (Primary Domain Controller), 2 click updates, a caching dns server, a transparent proxy to speed up web surfing, a pop up blocker built into the proxy, dansguardian with blacklisting, online log viewer…the list of features is WAY too long to include here. So I’ll link to the features page and you can read a few more things for yourself. Also, if you’re wondering about Point Clark Networks’ take on community and open source, please read this page. They’re committed to community AND open source.

I started using ClarkConnect at version 2.0. Back then, they used Red Hat Linux as their base. Today, they’ve ported over to CentOS packages…which are Red Hat Enterprise Linux binaries repackaged by the CentOS project. All in all, I’ve been extremely pleased with the performance and handy web interface ClarkConnect provides which enables me to monitor my home network from afar. One thing that truly impresses me is that the home version remains free and open source despite the rise in business that ClarkConnect is currently enjoying. The people at Point Clark networks have a strong sense of community and they are continuously helping in the forums. They are to be commended for keeping this version available to home users! Any problems you might have with CC can be and will be addressed in the community forums. If you get lost or need to understand something better at anytime, please check the userguides at clarkconnect.com. You can also download the Quickstart Guide to get things rolling as well.

You can download and burn the 3.2 Home version of ClarkConnect (or CC, as it is commonly called). When installing, you’ll be greeted by a variation of the old Red Hat Anaconda text installer. It’s relatively easy to follow and hardware detection is superb…although I’ve found some older computers (think 266Mhz 🙂 ) do have a bit of trouble with the newer kernel (2.6 branch). I’ll assume that you can get it installed and up and running. Please be advised that in order to route traffic on your LAN, you’ll need at least two Network Cards in the computer you’ll be installing ClarkConnect on (see requirements)…one for internal and one for external traffic. Please also be advised that if you do install ClarkConnect onto a computer, it will wipe the entire hard disk of all operating systems. After installing, point a browser on a computer on your LAN to the IP address you assigned CC during install (should be an internal IP address). So you’d point your browser to https://192.168.1.X:81. The port number 81 and https are important…81 isn’t a standard web port and https means the connection to the admin interface is encrypted.

You should be greeted by the dashboard screen.

The dashboard tells you what your two (or how ever many you have) interfaces are (LAN and External Internet, DMZ, whatever) as well as gives you the opportunity to set languages, set system time, and see a quick overview of current intrusion attempts. Navigating to other areas is a snap with the menu bar at the top of the screen.

Updates

First, let’s move over and update the system. To do this, we’ll have to register with Point Clark Networks (who develop ClarkConnect) using their built in registration. Registering gives you a dynamic domain name (yourname.pointclark.net but hey, it’s automatically configured and allows you remote access to your box from the outside world). You can also piece together other services should you decide to purchase them. Of course, since I use the home version, I choose only the dynamic DNS service which is free so that I can connect from work to my box at home. So, back to updating the system. After you register, click on the sidebar item “Critical Updates”. Any updates that are critical to the system, including kernel patches, will update themselves here. To install the updates, turn off your popup blocker for this site, toggle the checkmarks, and click “go”. A window will pop up and show you apt-get progress. Close it when it states it is done. Feel free to browse other updates and install them at any time.

It’s important to note that all updates are pushed through this interface. This includes major updates to new versions as well. Updating to new versions is therefore extremely easy. The upcoming ClarkConnect 4.0 release is currently in beta and ClarkConnect is looking to release this in the very near future. Look for some new packages including Horde Webmail, Kollab groupware, ClamAV, and others.

Another handy thing that ClarkConnect does is keep track of those patches you’ve installed (as long as you go through the services tab on this webconfig). You can also update via apt and the shell (soon to be yum with the next release 4.0)…I use putty to connect via SSH to the box and update from time to time. You can cycle through other updates as well and even see some of the handy community contributed modules. Install any you’d like and head to the various resources that clarkconnect has to get you started such as the forums, the newbie guide, and Ya-FAQ.

Users

To take a look at the users present and to control whether or not your users have shell accounts available, head over to the users tab. Here you have ultimate control over all the users on your system. This makes it handy in situations where you’d like to setup a user for VPN but don’t want that user to have a shell account (for security reasons). I leave one user and make the password as complex as I possibly can. I also change the password about once every 3 months to keep things secure. Whatever your security policy is, the web interface makes things easy to administer and easy to use.

Reports

Now that we previously updated the system, let’s take a look at the overview of all hardware. Click on the reports tab and make sure “current status” is selected. This gives us a graphical overview of all hardware and current performance. As you can see from the screenshot, you don’t need a fast computer to power your ClarkConnect install (pictured is my emachines Celeron 900). I’ve had over 194 days of uptime with this current install of ClarkConnect (version 3.2). I don’t see any reason why it won’t continue other than a hardware fail. Overall, ClarkConnect is stable, secure, and the most handy server distro I’ve ever used. I trust it so much after using it these years as my main workhorse server that I’m prepping to start a side business installing and configuring ClarkConnect boxes for small businesses. Point Clark Networks is doing a great job helping small businesses have the functionality they need at an affordable price. Anyway, back to the review.

Back to the reports tab: in reports, you’ll be able to check out all the logs on your server. This makes reading logs less of a hassle and something you can do without cracking the shell.

Services

Click the services tab. In this view, we should be defaulted to “Running Services” which is the handiest page in the admin section. Here you will find a service listing of all the system services/software that can be toggled “on” the CC box. You can start, stop, enable at boot, or disable at boot any single service you see in this view. The color scheme will tell you what is enabled (Green) and what service is disabled (red). Take a look to make sure you have running what you need to have running…since CC defaults are safe, we can leave everything as it is or turn on whatever it is we need.

Backups

Next, let’s make a quick backup snapshot of all our settings. You can do this by staying in the services tab and clicking “backup/restore”. From there, you can backup all your settings in CC. This is handy if, like me, you’re thinking of starting a business. One click snapshots means less configuring. It also makes things nice if you are planning on reinstalling. You can take this backup snapshot you’re creating and upload it to a fresh install to restore settings. Please be advised though that this backup is configuration files only (in /etc and /usr) and only for CC default apps. If you install something else, CC won’t backup that install without hacking.

Proxy Server

How about setting up a transparent proxy server to speed up your web browsing? Point Clark and CC have you covered in a couple of point-clicks. Head over to the Software tab. Select “Web Proxy” on the left side menu. From there, select the proxy to auto start if you’d like it to start at boot, then select to start the service. You can setup cache space, enable download size limits, and set maximum object size. Let’s set all to defaults for now…just make sure that if you plan on downloading larger files to set the maximum download file size to Unlimited. Also, if you want to use content filtering along with our transparent proxy, select “transparent + content filter” in the selection box titled “Transparent Mode.” You can clear your proxy out anytime by selecting “Reset Cache.”

Pop-Up Blocker

Now that you have the web proxy setup, let’s put the pop-up blocker on and look at content filtering. Select “Banner/Pop-up Blocker” from the menu on the right. Start it up by clicking on the links (Autostart if you choose). That’s it! Pretty simple eh? Let’s move over to content filtering. Click on “Content Filter” on the left side menu.

Content Filter

Now CC will automatically update your blacklists for content management for you. However, you’ll have to upgrade to one of the service levels to do so. Since I’m a home user and someone who’s run DansGuardian (the content filter system they use) for quite some time…I do my updates manually and pass on the upgrade in service. Point Clark Networks has no problem with this; they simply have this in place to cater to their business clients to provide no-hassle management of their servers. Let’s get our update in place. Head over to the folks at URLBlacklist.com, specifically their download section. Download the bigblacklist.tar.gz. This is a one time free download for personal use. This is an up to date blacklisting that we can drop into our dansguardian directory to make sure that it is running with the latest and greatest. Drop all the contents of bigblacklist.tar.gz inside the /etc/dansguardian/blacklists directory. Remember, you will need to either purchase a subscription through dansguardian, urlblacklist.com, or go with purchasing the personal gateway service through clarkconnect to have a completely updated dansguardian blacklist. I’ve found that I don’t really need an up to date box…it does quite nicely on its own and I can add and remove sites as I see fit. Plus, you can do well to check out dmoz and their urlblacklists for squidguard which translate nicely into dansguardian (for advanced users only). You can enable dansguardian with a couple of clicks and set options for it on the Software Tab >> Content Filtering Menu.
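Since the archive gets unpacked as root under /etc, it is worth listing its members before extracting anything. The check below is an added example, not part of ClarkConnect or DansGuardian; the function names are hypothetical and the scratch directory in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example (not ClarkConnect or DansGuardian code): vet a downloaded
# blacklist archive before unpacking it as root under /etc/dansguardian.
# All function names here are hypothetical.

# Read member names (one per line, as printed by "tar -tzf") and print the
# ones that could land outside the extraction directory: absolute paths and
# any path containing a ".." component.
unsafe_names() {
    awk '{
        if (substr($0, 1, 1) == "/") { print; next }
        n = split($0, part, "/")
        for (i = 1; i <= n; i++)
            if (part[i] == "..") { print; next }
    }'
}

# Read a verbose listing ("tar -tvzf") and print entries whose type flag is
# neither a regular file (-) nor a directory (d): symlinks, devices, FIFOs
# and the like. A blacklist is plain text files in directories, so anything
# else is unexpected.
non_regular_entries() {
    awk '$1 !~ /^[-d]/'
}

# Return 0 if the archive looks safe to extract, 1 if it has suspicious
# members (printed on stderr), 2 if tar cannot read it at all.
check_blacklist_tar() {
    tar -tzf "$1" >/dev/null 2>&1 || return 2
    bad=$(tar -tzf "$1" | unsafe_names)
    odd=$(tar -tvzf "$1" | non_regular_entries)
    if [ -n "$bad$odd" ]; then
        printf 'refusing to extract %s:\n%s\n%s\n' "$1" "$bad" "$odd" >&2
        return 1
    fi
    return 0
}

# Typical use: extract into a scratch directory first, look it over, then
# copy the category directories into /etc/dansguardian/blacklists.
#   check_blacklist_tar bigblacklist.tar.gz &&
#       tar -xzf bigblacklist.tar.gz -C /tmp/blacklist-review
```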

Network

Now that we’ve seen some of the wizbang features built into ClarkConnect, let’s take a look at the rest of the tabs. You can see from the screenshot to the left of this paragraph that there is plenty other software that you can configure in CC, but let’s move over to the other tabs to show you just what you can control using the web interface. Click on the “Network” tab. ClarkConnect can operate in gateway mode (which is ‘router’ style mode with ipmasquerading, etc.), DMZ mode if you want to have a DMZ (demilitarized zone), standalone with firewall, and standalone without firewall. You can set these anytime you’d like to and control all of your network interfaces here. You can also go straight to DHCP configuration which will allow your CC box to give computers connected behind it a network address.

One thing that is a definitive plus for CC is the firewall manager. You can control incoming, outgoing, and port forwarding all from the web interface. I specifically like the group manager. Why? Because it is handy if I want to use torrents, I setup a group to open up ports 10000-60000 and forward to my desktop behind my CC box. When I’m done, I turn it off by disabling that group of rules. Handy eh?

Intrusion Detection/Prevention

Also contained in the network tab is intrusion detection and intrusion prevention. I enable both of these but will enter into the intrusion prevention exempt list my work IP address and all the addresses of my LAN. That way I don’t have my CC box thinking that I’m trying to break in and dropping my connections to it as I test things or connect to it using various methods (ftp, ssh, web, vpn, etc). Intrusion detection rules can be updated through Point Clark Networks by upgrading to gateway service level to SOHO which is around $10 USD a month. I just enable mine and let it go :D. Seems to do a fine job using the default rules and as long as I keep a watchful eye on my firewall rules, I’m just as safe as if I had a Security Enhanced Linux Fedora box running things. To read your intrusion detection and prevention logs, head over to your reports tab and then select the appropriate area on the left.

Bandwidth Management

One other area of interest here in the network tab is bandwidth management. Select “Bandwidth” from the left menu area. In this menu, you can enter in upload and download limits for bandwidth and take control of your network. Very handy if you have a multiple computer LAN and a teenager that downloads EVERYTHING. Play around with the settings and when you’re satisfied, let’s cinch things up with samba, ftp, and webserver.

Samba

CC comes ready to operate as a PDC (Primary Domain Controller) for your LAN. If you only operate a small LAN (1-2 computers) having a PDC is really for bragging rights only. Instead, you might want to configure your samba shares using CC’s handy web interface. Head over to the “Software” tab and click “Windows File Sharing”. ClarkConnect has common shares already in place for you. You can enable these or disable them. You can even add your own. It’s up to you. Starting samba is once again just a point click away. There is also an advanced setup option for those of you who are a bit more experienced with samba.

Personally, I don’t use the samba interface from ClarkConnect. I instead use Network Attached Storage which automatically is detected on my network by all my desktops (easy as connecting to another PC) so I haven’t found the need to implement samba on my CC box. In the future, when I expand to include a computer for my son, I will implement a PDC with roaming profiles so that all settings are backed up to ClarkConnect. Thus, if a computer fails, I still have all settings saved server side.

We’ve covered a varying amount of information in this review and I won’t cover everything that CC has to offer either. But two other areas I wanted to discuss were ftp and webserver. CC uses proftp for their ftp server and apache 2 for their webserver. One thing I’ve found of value for the webserver (which I’ll discuss first) is their virtual host creator.

FTP and Webserver

The webserver interface is handy. Very handy. You can enable SSL for Apache by toggling a setting. You can setup a virtual host by typing in the webaddress. Dead easy. I’ve found that setting up virtual hosts via this interface is better than doing so through webmin because it configures all defaults for you a bit better than webmin does. No idea why, but I’ve had trouble with webmin in the past with vhosts. I usually create a vhost with CC on their web server interface…such as linuxblog.sytes.net shown in the picture. This was my old blog location when I hosted it at home (2004 with CC 2.2 I think). I now have a virtual host setup so that all requests for linuxblog.sytes.net go through my CC box…I’ve written a rewrite rule to forward all traffic from the old blog to this current blog. Handy and easy with ClarkConnect. Like I said, I create the vhosts with CC and then hand them off to webmin for more detailed configuration. It’s important to note that you can install webmin through your “services” tab.

If you notice in the picture in the previous paragraph, I have linuxblog.sytes.net as a virtual host. I use the no-ip service I previously blogged about to register this name. If you plugin the topic to that article with a ClarkConnect install…you can see that they’d be a fine fit together and that you can have your own webserver running in a matter of minutes. Put that together with Gallery, which CC is bundled with, and you’ve got yourself a family photo album!

Lastly, let’s look at the ftp server in CC. Click on the “Software” tab and then select “ftp server” from the menu on the left. You are a few clicks away from having a fully operational ftp server. Change the details you’d like to using the form provided by the web interface, then click to start and autostart the service. By default, CC shares /var/ftp. It is also open to anonymous connections. You’ll have to edit /etc/proftpd.conf to your liking to get your ftp server up and operational for other directories and users. Please see the proftp homepage for more details.
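An anonymous-enabled default is worth confirming before the box faces the Internet. The script below is an added example, not ClarkConnect's or ProFTPD's own tooling: it scans a proftpd.conf for `<Anonymous>` sections and reports whether each carries a WRITE limit and whether DefaultRoot is set. The function names and both sample configurations are constructed for illustration and are not the file ClarkConnect ships.

```shell
#!/bin/sh
# Added example (not ClarkConnect or ProFTPD code): report anonymous access
# in a proftpd.conf. Function names and sample configs are constructed.
#
# audit_proftpd [FILE] reads FILE (or stdin) and prints one finding per line:
#   ANON_BLOCK <root>           an <Anonymous> section serves <root>
#   ANON_NO_WRITE_LIMIT <root>  that section has no <Limit WRITE> with DenyAll,
#                               so uploads depend on filesystem permissions only
#   NO_DEFAULTROOT              no DefaultRoot directive: logged-in users are
#                               not confined to a directory
# Scope: it does not evaluate nested <Directory> overrides.
audit_proftpd() {
    awk '
    {
        line = $0
        sub(/#.*/, "", line)                 # drop comments
        n = split(line, f, " ")
        if (n == 0) next
        key = tolower(f[1])                  # directives are case-insensitive
        if (key == "<anonymous") {
            in_anon = 1; write_denied = 0
            root = f[2]; sub(/>$/, "", root)
            print "ANON_BLOCK " root
        } else if (key == "</anonymous>") {
            if (!write_denied) print "ANON_NO_WRITE_LIMIT " root
            in_anon = 0
        } else if (in_anon && key == "<limit") {
            in_limit_write = 0
            for (i = 2; i <= n; i++) {
                w = tolower(f[i]); sub(/>$/, "", w)
                if (w == "write") in_limit_write = 1
            }
        } else if (key == "</limit>") {
            in_limit_write = 0
        } else if (in_limit_write && key == "denyall") {
            write_denied = 1
        } else if (key == "defaultroot") {
            has_root = 1
        }
    }
    END { if (!has_root) print "NO_DEFAULTROOT" }
    ' "$@"
}

# Constructed sample: anonymous access to /var/ftp with no restrictions.
sample_open_conf() {
    cat <<'EOF'
ServerName "constructed sample"
<Anonymous /var/ftp>
  User ftp
  Group ftp
  UserAlias anonymous ftp
</Anonymous>
EOF
}

# Constructed sample: anonymous access kept, but read-only, and local users
# confined to their home directories.
sample_readonly_conf() {
    cat <<'EOF'
ServerName "constructed sample"
DefaultRoot ~
<Anonymous /var/ftp>
  User ftp
  Group ftp
  UserAlias anonymous ftp
  <Limit WRITE>
    DenyAll
  </Limit>
</Anonymous>
EOF
}

echo "open sample:";      sample_open_conf | audit_proftpd
echo "read-only sample:"; sample_readonly_conf | audit_proftpd
```

On the server itself, run it as `audit_proftpd /etc/proftpd.conf`.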

Summary

We’ve taken a semi-detailed look at ClarkConnect Home Edition 3.2 and how you can benefit both from the vast amount of software/programs already enabled on it and the ability to have an up and running router/server in as little as 30 minutes. Combine this with my previous article on using a no-ip domain and there isn’t any reason why you shouldn’t be able to show off a gallery or ftp server to your friends and relatives. If you have any problems, please head over to the ClarkConnect forums and ask…but not before using their search tool to see if the topic has been covered. As previously stated, there are two websites you can also connect to Ya-FAQ and the Newbie Portal. These two sites can provide you with good info as well as How-Tos made by the community.

I’d also like to take the time to let everyone know that I am in NO WAY being compensated for this article. I’ve used the software for quite some time and felt that I might be able to repay the people at Point Clark Networks by giving them props through this review. Whenever a new user is looking for a quick server oriented distribution, I always point them to ClarkConnect. In my opinion, it is the best distro out there to have for your home LAN. Hopefully, you’ll give it a test drive and come to the same conclusion.

Bringing Linux to Work – Portal Part 3

Ubuntu just doesn’t want to be chosen for me. I’ve had nothing but problems with it since I started going on it. I decided that it would be easier to use Ubuntu (1 disk install, apt-get abilities) to house the in house Intranet portal page here where I work. However, I didn’t count on Ubuntu having so many problems.

The first of many problems was mod_ntlm. This Apache module WILL NOT compile on my server. I emailed someone who actually got this to compile in Ubuntu and asked for how they got it to work, implemented their changes in the .c file, yet still couldn’t get it to compile. This reason alone is enough for me to not use it. But there are more reasons still that Ubuntu doesn’t do it for me.

The second reason is going cold. What I mean by going cold is that it almost froze up. For example, it would take over an hour to run apt-get update, about the same to run apt-get upgrade (depending on downloads) and even 20 minutes to do a standard ls -al | grep keyword command. After a reboot everything was fine. This led me to believe that some sort of power saving module was kicking in. So I removed all power saving modules, recompiled a kernel from scratch, turned off all BIOS power saving items, crossed my fingers and rebooted. Even with all of these actions, Ubuntu still went cold after a day of uptime. This is on an IBM NetVista P4 with 1 GB RAM. Ubuntu however will not be staying on any PC at my job due to the previous problems experienced.

I’ve got an exact match of this machine to provide backup for it so I’ve simultaneously been using CentOS to experiment around with it. There’s a reason that Red Hat is the leader in the server arena…because they get it done and provide a fantastically stable Linux environment. CentOS is repackaged Red Hat Enterprise Linux and it is fantastic. So from this point on, Ubuntu will not be actively developed on by myself…I’ll be using CentOS from this point on. Which leads me to the decisions I’ve been trying to come to.

I’ve been trying to find a good portal CMS that can house documents and provide news announcements for my department. No chat is needed…no forums…just a repository for docs. With all of this being said, I need to provide a flexible solution to house these documents as well because who knows what the director will come back and say. Perhaps tomorrow he’ll change his mind and want to have all documentation developed and worked on in Sharepoint and all reports to go on our intranet page. So I need flexibility if I’m going to get a CMS running on Linux and I need it to be stable so I can show tangible results to upper management. Otherwise, they’ll continue to go with what has been working for them…and that is Windows.


Bringing Linux to Work – Portal Part 1

Beginning this month, I’ll be attempting to infuse my place of work with Linux. I am a new Applications Analyst and resident AIX/Linux expert for a government agency that lives and breathes Microsoft. I feel that Open Source software, mainly Linux…can be a great addition to this agency. I’ll be documenting my attempts here while I go along. If you have tips, tricks, solutions, advice or supportive comments…please respond in kind.


You’ve Got to Start Somewhere…

Recently, I’ve been investigating portal applications (CMS portals) for an intranet server at work. The portal will act as a document repository and project status report tool. It needs to plug into the framework we have in place currently…which is a Windows 2000 Active Directory environment. Instead of powering this with IIS or WinXp with Apache…I’ve elected to go with Linux and Apache. However, I didn’t really investigate much to figure out if this would be a possibility. Problems were rampant and still are. Allow me to explain.

I’ve been given the requirements that any intranet page must be single sign on, meaning that when a user visits the page, they don’t have to login…they’re simply there and logged in already. This can be done using the apache ntlm module. I can also pass this parameter using Tomcat and JOSS with php. However, the ntlm module won’t compile on Ubuntu or SuSe and hence won’t install. So, that took away my top two choices for Linux distros (not to mention, caused me to waste 2 days of time). JOSS requires that I write and plugin my own php script which is something I don’t want to do currently. So I’m back at square one. I’ve changed direction and am installing CentOS 4 currently…we’ll see where that takes me. I’ve had more luck with CentOS as a server (my server at home has around 120 days for uptime currently and runs CentOS at its core).


Distributed Bugs-R-Us

I have a decent idea for an open source application. This could be one of the most important pieces of software to assist open source in a long time. I don’t have ideas often for software apps but when I do, normally they’re good ones. However, I don’t have the expertise to program this either. The only thing I have is an idea for bugtracker software…and it operates on the distributed journalism model of digg.

The idea was inspired by the article “10,000 bugs away from World Domination”, specifically these few words:

“My diagnosis is that the problem with Linux is that it doesn’t have anyone pushing to get the newbie bugs fixed first. At Microsoft, we had Program Managers and one of their responsibilities was to be customer advocates to prioritize the bugs for the devs to fix. In many open source groups, it sometimes appears that bugs get fixed when the dev decides to work on it, not because an important user scenario is broken. The Wi-Fi tool was broken in Gnome for many months, but the bugs just sat there languishing in the database. Microsoft or Apple would not have shipped a Wi-Fi UI that was completely broken in that way.”

The author is 100% correct. And since open source communities don’t have program managers that can focus the time needed to prioritize bug fixes, we can make the community become that program manager. Read on for specifics on how to do this.


Fan the Linux Flames

Anyone who knows me knows that I HATE inefficiency. If I find a new way of doing things that eliminates the resources I spend doing that thing, I pounce on it. So when I ran across a nifty little program that makes life managing my two linux boxes easier, I pounced. The tool I’m speaking about is called “Fanterm” and it makes managing a limited amount of Linux boxes a snap. I had forgotten that I had installed this and when I brought up my second Linux box (upgrade motherboard) I remembered reading about it on the web somewhere. A quick google search refreshed my memory…although this article only talks about fanout. Fanterm really brings a powerful tool for smaller network system admins.

So what does it do? It’s pretty easy and straightforward. After you download & install the necessary files, open up an Xterm and use the following syntax to parse your command:

fansetup onemachine anothermachine user@yetathirdmachine

The command above opens up 3 xterm windows in addition to the local one you opened up. Now you type your command in the original and watch as the command is mirrored in the other xterm windows. Making quick changes to smb.conf files works like a top. If you want to know the uptime of all your systems, you’re set. This makes managing a limited number of linux boxes a snap…apt-get update; apt-get upgrade anyone? The thing I like most about it is that I get to SEE what happens on each computer…that way if something goes haywire, I’m not executing a command on a file that doesn’t exist on the remote linux box.

Make sure you give this tool a go, it makes life much easier in small networks. Hope it comes to be as useful to you as it is to me.

Creative Commons License
Except where otherwise noted, the content on this site is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.