Xubuntu

I've been running Ubuntu 10.04 for a couple of years, but it goes end-of-life soon. I knew that upgrading would more-or-less mean learning a new window manager: Unity or something else. I decided to try going with XFCE in Xubuntu 12.04 (which will have support until April 2017).

I have so far been pretty happy with it. I backed up everything I could think of to a second hard drive, and then did a fresh install off of a USB drive. It didn't take long, and then I spent a couple of hours restoring files and setting up software and stuff, such as...

• installing google chrome and importing bookmarks (I'd exported them prior to the upgrade)
• restoring ~/.purple so that pidgin would work
• installing postfix and configuring it to relay off of gmail, so that logwatch and my cron jobs would land in my gmail inbox (I'd already done this, so I just had to restore a couple of files)
• installing VirtualBox and restoring ~/.virtualbox (and my guest machines booted without much complaint)
• pointing gmusicbrowser at my MP3 collection and skinning it to look like rhythmbox (there are some minor differences I'm still getting used to, but it looks like the playlists I exported from rhythmbox import right into gmusicbrowser, so that's a pleasant surprise)
• setting up an encrypted subdirectory in $HOME

I find that I don't much care for the panel at the bottom (the one that's supposed to look like OS X), so I may end up removing it. And I'm finding that the keyboard shortcut for "maximize window" is flaky for some reason. But those are about the only two wrinkles I've found. It was otherwise pretty painless, and it took less time than I expected.

HTTPS in Apache in Ubuntu

If there's an easy way to make Apache in Ubuntu (v7.10, gutsy) do HTTPS, I can't find it. So I played around with it this morning and got it working.

First you need to generate an SSL certificate. I just went with self-signed certificates:

openssl genrsa -out apache.key 1024
openssl req -new -key apache.key -x509 -out apache.crt \
    -days 365 -set_serial `date +%s`

I saved these two files as /etc/ssl/certs/apache.crt and
/etc/ssl/private/apache.key.

And then I saved the following as
/etc/apache2/sites-available/default-ssl:

NameVirtualHost *:443
<VirtualHost *:443>
    DocumentRoot "/var/www"
    ServerName www.example.com:443
    ErrorLog /var/log/apache2/ssl_error.log
    TransferLog /var/log/apache2/ssl_access.log
    LogLevel warn
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/apache.crt
    SSLCertificateKeyFile /etc/ssl/private/apache.key
</VirtualHost>

Then after enabling the new site (a2ensite default-ssl) and restarting Apache (/etc/init.d/apache2 reload), I was able to connect to https://localhost/. FireFox3 complained bitterly about the self-signed certificate, but adding the exception straightened that out.

xephem in Ubuntu

I was out with friends last night (4th of July fireworks), and they asked me to identify a bright object in the sky (I used to be an astronomer). I'm really out of practice at that kind of thing, so I speculated that it was Sirius (there was some light cloud cover, and I couldn't see whether or not this object was southeast of Orion, but it was pretty bright). Turns out I was wrong.

There's a really cool desktop ephemeris program called Xephem from the Clear Sky Institute. So I installed that on my Ubuntu desktop this morning to find what that thing was last night. I had to fulfill a few dependencies to compile xephem. Here's what I had to install first (I just explicitly installed the ones in bold--apt-get installed the packages in parentheses as dependencies):

• libxt-dev (libsm-dev, libice-dev)
• x11proto-print-dev
• libxp-dev
• libxext-dev (x11proto-xext-dev)
• libxmu-headers (?)
• libxmu-dev
  

(I'm not sure I needed libxmu-headers.)

After that I mostly just followed the directions in the INSTALL file from the xephem download. I copied the data directories (auxil, catalogs, etc.) to /usr/share/xephem (a directory I created) and put the following in ~/.xephem/XEphem (xephem didn't seem to want to read /usr/X11R6/lib/X11/app-defaults/XEphem as the INSTALL file suggested):

XEphem.ShareDir: /usr/share/xephem

I also gziped the man page (xephem.1) before copying it to /usr/share/man/man1/xephem.1.gz. And I created /usr/share/doc/xephem-3.7.3/ and copied in the Copyright, INSTALL, and README files.

By the way, that object turned out to be Jupiter. shrug

apt-get: "kept back"

I have the following (executable) file in /etc/cron.daily on my Ubuntu desktop:

#!/bin/bash

apt-get update
apt-get -s upgrade

This lets me know when updates are available: the -s option lists available updates without running them unattended.

Occasionally I'll get a list saying that some updates have been "kept back." I always have trouble remembering what to do in this case. It's typically just some dependency problem. This issue is addressed in the APT HOWTO on the Debian Web site. In my (limited) experience, this has always been overcome by doing apt-get instal pgkname, where pkgname is the offending package which is being "kept back."

syntax highlighting in vim in Ubuntu

Today I finally noticed that syntax highlighting wasn't working in vim in Ubuntu. Installing vim-full and adding syntax on to ~/.vimrc did the trick.

Ubuntu asking for the CD to install software

Sometimes I ask apt-get or synaptic to install something, and it asks for the CD. Turns out that this is an easily-remedied nuisance. A fosswire post (which I found by way of fsdaily) gives a GUI-based solution. An equivalent solution is to comment out the line in /etc/apt/sources.list which starts w/ 'deb cdrom:' (that's probably line 1).

Ubuntu firewall

This post offers a way of telling your Ubuntu system to set up a simple firewall at boot time. It assumes that you have a single network adapter called eth0.

I saved my firewall rules (in iptables-save format) to /etc/network/fwrules. My firewall rules are fairly specific to my setup, but the following might serve as a good starting point if you want to try this:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT 
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
COMMIT

And then I just saved the following to /etc/network/if-pre-up.d/fw:

#!/bin/bash

iptables-restore < /etc/network/fwrules

(Be sure to make this file executable: sudo chmod 755 /etc/network/if-pre-up.d/fw).

This loads the firewall rules prior to bringing up the network interface, so that the firewall is in place by the time the network connection is active.

udev in Ubuntu

This post will be a recipe for configuring udev in Ubuntu so that if you plug in a USB storage device (like a flash drive, an MP3 player, etc.), it will get a consistent and predictable device name which you can attache as a non-root user to a fixed mount point. I'll be using my new Verbatim thumb drive as an example.

Plug in the flash drive, wait a few seconds, and type 'dmesg | tail'. The last few lines should show the USB system detecting the device and giving it the first available device name. In my case, the flash drive got /dev/sdd. Next, ask udevinfo for details about the device:

udevinfo -a -p $( udevinfo -q path -n /dev/sdd ) | less

Page through the output looking for the device's values for idVendor and idProduct. The udevinfo output for my thumb drive contained the following lines:

   ATTRS{idProduct}=="1e23"
   ATTRS{idVendor}=="13fe"

Next thing is to tell udev about the device. Create a udev rule file (I used /etc/udev/rules.d/99-thumb.rules) with something like the following:

SUBSYSTEMS=="usb", SYSFS{idVendor}=="13fe", SYSFS{idProduct}=="1e23", NAME="thumb", MODE="0660" OWNER="mbrisby" GROUP="mbrisby"

(Naturally, replace mbrisby with your username and group name.) You may need to run udevcontrol reload_rules to tell udev to read the new addition into its in-memory ruleset.

Now you can make a mount point:

$ sudo mkdir /media/thumb
$ sudo chown mbrisby.mbrisby /media/thumb

Finally, add the mount point to /etc/fstab:

/dev/thumb /media/thumb vfat user,noauto 0 0

And from now on, you should be able to plug in the thumb drive, wait a couple of seconds, type mount /media/thumb, and start accessing the files at /media/thumb.

fetchmail in Ubuntu

I recently wrote about using fetchmail for gmail. In the meantime I've switched my main desktop (at home) from CentOS to Ubuntu. Ubuntu's fetchmail build is a bit more picky about SSL certificates than the CentOS build, so this post will describe some of the changes I had to make to my ~/.fetchmailrc file.

(By the way, fetchmail should work OK without these changes, it'll just whine about the certificates.)

First I needed to install the ca-certificates package from the Ubuntu repositories, and then I needed to change the gmail line of my ~/.fetchmailrc file from

poll imap.gmail.com protocol IMAP user "my_gmail_username@gmail.com" there with password "my_password" nofetchall keep ssl

to

poll imap.gmail.com protocol IMAP user "my_gmail_username@gmail.com" there with password "my_password" nofetchall keep ssl sslcertck sslcertpath /etc/ssl/certs

This tells fetchmail where to find the public certificate it needs to verify the SSL connection to the gmail server.

I also use fetchmail to check some IMAP accounts on a server using self-signed certificates, certificates which don't appear in /etc/ssl/certs. One way of doing this is to compute the IMAP certificate's fingerprint and telling that to fetchmail. If the IMAP server is imap.example.com and it's running on the standard port (993), you can use openssl to grab the certificate like this:

openssl s_client -ign_eof -connect imap.example.com:993 > imap.cert

(You may need to Contol-C to get back to the command prompt.)
Then use openssl to find the MD5 fingerprint:

openssl x509 -fingerprint -md5 -in imap.cert

The output of this latter command should contain a line starting with MD5 Fingerprint. Add the fingerprint to your ~/.fetchmailrc file with something like this:

poll mail.example.com via imap.example.com protocol IMAP user mbrisby there with password "my_password" nofetchall nokeep ssl sslfingerprint "4C:69:E2:E6:F9:6B:6C:4E:E9:8B:E1:C8:2B:B9:4F:B9"

And then just run fetchmail in cron every now and then.

desktop Ubuntu

I recently converted my laptop from CentOS 5 to Ubuntu 7.10 and liked the change. So I did the same to my main desktop at home this weekend. Naturally, there were a few bumps in the road. Over the next several days I'll be posting about some of them.

But first, a couple of annoyances.

Ubuntu likes to beep. It rings the system bell a lot more than CentOS seemed to do: tab completion at the bash prompt, unsuccessful page text searches in Firefox, trying to go past the end of the file in vim, etc. It really enjoyed beeping at me, and putting set bell-style none in ~/.inputrc didn't help much.

It turns out to be a kernel module. A post in Dell's Linux desktop forums suggested modprobe -r pcspkr, and that worked right away. The post also suggests putting blacklist pcspkr in a file in /etc/modprobe.d to make the change permanent (I haven't rebooted yet, but I figure that oughtta do it.)

The other annoyance is that Ubuntu's grep isn't compiled with libpcre support (that's the Perl-compatible regular expression library). One of the bash scripts I use for backups has a grep -P in it. The -P options tells grep to regard the search pattern as a Perl-style regex. This gives the following charming error message:

The -P option is not supported

Someone else noticed this and filed a bug report. Looks like the Ubuntu developers aren't interested in fixing it in this version. Someone suggested installing the pcregrep package, but this has a few problems:

1. the binary is installed as /usr/bin/pcregrep
2. pcregrep doesn't have the same performance or options as grep
3. oddly, pcregrep doesn't accept the -P option (you'd think it would just ignore it)

So pcregrep is hardly a drop-in replacement for grep, even if you rename the binary to /bin/grep.

As it happens, I got lucky. My the regex in my bash script is dull enough that I was able to replace grep -P with egrep. But if you use something more sophisticated, you'll have a harder time of it.

But all in all, I'm enjoying my shiny new Ubuntu installation. I'll be back later to yammer on about using udev, fetchmail, iptables, and maybe some other stuff in Ubuntu.

Ubuntu

I finally gave Ubuntu a try recently. I'd previously tried it as a VMWare Server guest and hated it. But that probably wasn't a fair shake, so I installed it on my laptop last week. I was really impressed by how easy it was to get everything set up. It only took a few hours to get it installed and pretty highly customized with some of my favorite packages, including gtkpod, grip, easytag, mplayer, fluxbox, VMWare Server, gkrellm (and a few of its plugins), and grisbi.

About the only thing that really took a while was getting fluxbox to work, and that's because Ubuntu does it rather differently than CentOS (what I'm used to). It took me a little while to realize that I needed to be using ~/.fluxbox/startup rather than ~/.Xclients, and it took me forever to cotton on to the fact that the ~/.fluxbox/keys syntax had changed between v0.9.x and v1.0.x. I'd never had the following three lines in my keys file before, but they're pretty important (you can't easily get to the fluxbox menu without them):

OnDesktop Mouse1 :HideMenus
OnDesktop Mouse2 :Workspacemenu
OnDesktop Mouse3 :RootMenu

About the only thing I couldn't do was install native drivers for one of my wireless cards. I have two cards: a Linksys WPC11v4 802.11b card and a Netgear 802.11g card. The Linksys card has open-source drivers which support monitor mode (so that I can run kismet), while the Netgear card only has Windows drivers. It was very easy getting ndiswrapper and wpa_supplicant set up for the Netgear card, but I never got the Linksys drivers working. Looks like other people have had the same trouble, and the solution may be to try a different kernel. Oh, well.

Anyway, it was all pretty easy, and I may start using Ubuntu on all my desktops. And O'Reilly's Ubuntu Hacks was pretty helpful.