One of the most useful deployment scenario for Linux in enterprise or educational environment is a fileserver with on access virus scanning, to serve Windows PCs on the network of course. Long ago there used to be samba-vscan that worked very nicely, it went missing in openSUSE 11.2 so dazuko kernel module worked in its place. On 11.3 dazuko is no longer available, enter dazukofs.
Archive for the ‘Server’ Category
OBS 2.1: ACL Feature and Status
August 15th, 2010 by Martin MohringOne and a half year is now gone since I posted about my work for ARM support in the OBS and the work for a port of openSUSE to ARM. Lots of things had happened in the meantime that are related, from my limited view most notably Nokia and Intel joining Moblin and Maemo to MeeGo (MeeGo is currently working on a number of Atom and ARM based devices), chosing to use OBS as build system and last but not least myself joining The Linuxfoundation (you will be not surprised to hear that I work at LF on OBS). In the meantime there had also been a major new OBS release 1.8/2.0 with a bunch of new features.
Interesting is the fact that we adapted the cross build system for OBS to MeeGo, first developed for use in Maemo and openSUSE @ ARM. An improved version for the standard MeeGo releases, and for the MeeGo weekly snapshots is used in the MeeGo OBS System to build all ARM releases of MeeGo (the cross toolchain will later get part of the MeeGo SDK @ ARM), thanks to Jan-Simon Möller (In the openSUSE ML, the issue of reactivating openSUSE:Factory ARM builds were brought up. So it might be a good variant to backport Jan-Simons new solution back into openSUSE @ ARM for that purpose). All the MeeGo related OBS installations will move sooner or later to OBS 2.1.
But now to the most recent work, Access Control support. A preview was shipped with OBS 1.8. Now an own OBS version, 2.1, will be dedicated to the introduction of this single new feature into the OBS mainline: Access Control (or abbrevated ACL for Access Control Lists). ACL means that there is control by the user on a per project or per package basis to protect information, source and binaries from the read access of other users in an OBS system and to hide projects or packages.
What is the intended audience of ACL? ACL is intended for installations of OBS that require protection of projects or packages during work. This can be but is not limited to commercial installations of OBS, or semi public installations of OBS.
How does ACL work? ACL sits on top of two features introduced with OBS 2.0: Role and Permission Management as well as freely definable user groups. ACL uses 4 specifically defined permissions (‘source_access’ for read access to sources, ‘private_view’ for viewing package and project information, ‘download_binaries’ for read access to binaries and ‘access’ permission to protect and hide everything and all from read access and viewing) on a user or group in the Role and Permission management. Also, the preexisting roles “maintainer”, “reader” and “downloader” had been modified with specific predifined permissions (which can at any time changed with the role and permission editor dynamically). And last but not least 4 new flags (namely ‘sourceaccess’ to signal a project/package has read protected source code, ‘binarydownload’ to signal it has read protected packages, ‘privacy’ to signal information/logfiles or status cannot be read and ‘access’ to hide and protect a project or package completely in all possible OBS API calls) had been added to the project and package descriptions to signal that some information is only readable by specific users or groups, or that information is hidden.
How do I use ACL? There are 4 steps to use ACL (a part of them a optional and can only be performed by the Administator of an OBS instance). Step one is to assign the listed permissions to a role, user or group (this step can be done only by the admin, and is not needed for the predefined roles “maintainer”, “reader” and “downloader”). Step two is to add a group for special users to projects which are intended to be run with ACL (this operations can only be performed by the admin). Step three is to protect a project with appropriate protection flags at project creation by adding them to the project meta. Step four is to add other users or groups with one of the new predefined roles that has ACL permissions added to the project meta.
What information can be protected by ACL? The protected information is grouped into 4 categories. Category 1 (flag ‘sourceaccess’) is source code. Category 2 (flag ‘binarydownload’) is binary packages or logfiles or builds. Category 3 (flag ‘privacy’) is project or package information like build status. Category 4 (flag ‘access’) is all viewable or accessable information to any project or package (full blocking of all access and information).
Example of a project configuration using ACL:
<user userid="MartinMohring" role="maintainer" />
<!-- grant user full write and read access -->
<group groupid="MeeGo-Reviewer" role="maintainer" />
<!-- grant group full write and read access -->
<group groupid="MeeGo-Developers" role="reader" />
<!-- grant group full source read access -->
<group groupid="MeeGo-BetaTesters" role="downloader" />
<!-- grant group access to packages/images -->
<sourceaccess>
<disable/>
</sourceaccess>
<!-- disable read access - unless granted explictely.
This flag will not accept arch or repository arguments. -->
<binarydownload>
<disable/>
</binarydownload>
<!-- disable access - unless granted explictely -
to packages/image and logfiles -->
<access>
<disable/>
</access>
<!-- disable access - unless granted explictely-,
project will not visible or found via search,
nor will any source or binary or logfile be accessable.
This flag will not accept arch or repository arguments. -->
<privacy>
<enable/>
</privacy>
<!-- project will not visible.
This flag will not accept arch or repository arguments. -->
What is the current status of the ACL implementation? The current status is that the complete API of the OBS git master had been instrumented with ACL code, critical portions of the API controllers had been code inspected and a big portion of these API calls now have a testcase in the OBS testsuite. Work is ongoing to make ACL as secure as possible. A code drop of current git master is under test in some bigger OBS systems, most notably the openSUSE Buildsystem. You can find snapshots of this codebase as usual in the OBS project openSUSE:Tools:Unstable. Adrian Schröter updates these “Alpha Snapshots” relatively often, on a 1-2 weekly basis, and runs the testsuite on git master daily. Thanks to Jan-Simon Möller for putting in many of the testcases into the testsuite for the ACL checks. On OBS Testing in general, read also Development and Test.
What is next? Code is tested and debugged against granting unwanted access due to some concepts inside OBS that are “working against ACL”, like project or package links, aggregates or kiwi imaging. We will inform you interested user of course about beta releases and an official 2.1 release.
Stay tuned.
Local caching for CIFS network file system – followup
August 5th, 2010 by Suresh JayaramanHere’s a follow-up to my previous post on Hackweek V: Local caching for CIFS network file system
Since the previous post, I worked on improving the patches that add local caching, fixed a few bugs, addressed review comments from the community and re-posted the patches. I also gave a talk about it at the SUSE Labs Conference 2010 took place at Prague. The slides can be found here: FS-Cache aware CIFS.
This patchset was merged in the upstream Linux kernel yesterday (Yay!) which means this feature would be available starting from kernel version 2.6.35-rc1.
The primary aim of caching data on the client side is to reduce the network calls to the CIFS Server whenever possible, thereby reducing the server load as well the network load. This will indirectly improve the performance and the scalability of the CIFS Server and will improve the number of clients per Server ratio. This feature could be useful in a number of scenarios:
– Render farms in Entertainment industry – used to distribute textures to individual rendering units
– Read only multimedia workloads
– Accelerate distributed web-servers
– Web server cluster nodes serve content from the cache
– /usr distributed by a network file system – to avoid spamming Servers when there is a power outage
– Caching Server with SSDs reexporting netfs data
– where a persistent cache remains across reboots is useful
However, be warned that local caching may not suitable for all workloads and a few workloads could suffer a slight performance hit (for e.g. read-once type workloads). So, you need to careful consider your workload/scenario before you start using local disk caching.
When I reposted this patchset, I got asked whether I have done any benchmarking and could share the performance numbers. Here are the results from a 100Mb/s network:
Environment
————
I’m using my T60p laptop as the CIFS server (running Samba) and one of my test machines as CIFS client, connected over an ethernet of reported speed 1000 Mb/s. ethtool was used to throttle the speed to 100 Mb/s. The TCP bandwidth as seen by a pair of netcats between the client and the server is about 89.555 Mb/s.
Client has a 2.8 GHz Pentium D CPU with 2GB RAM
Server has a 2.33GHz Core2 CPU (T7600) with 2GB RAM
Test
—–
The benchmark involves pulling a 200 MB file over CIFS to the client using cat to /dev/zero under `time’. The wall clock time reported was recorded.
First, the test was run on the server twice and the second result was recorded (noted as Server below i.e. time taken by the Server when file is loaded on the RAM).
Secondly, the client was rebooted and the test was run with caching disabled (noted as None below).
Next, the client was rebooted, the cache contents (if any) were erased with mkfs.ext3 and test was run again with cachefilesd running (noted as COLD)
Next the client was rebooted, tests were run with caching enabled this time with a populated disk cache (noted as HOT).
Finally, the test was run again without unmounting or rebooting to ensure pagecache remains valid (noted as PGCACHE).
The benchmark was repeated twice:
Cache (state) Run #1 Run#2
============= ======= =======
Server 0.104 s 0.107 s
None 26.042 s 26.576 s
COLD 26.703 s 26.787 s
HOT 5.115 s 5.147 s
PGCACHE 0.091 s 0.092 s
As it can be seen when the disk cache is hot, the performance is roughly 5X times than reading over the network. And, it has to be noted that the Scalability improvement due to reduced network traffic cannot be seen as the test involves only a single client and the Server. The read performance with more number of clients would be more interesting as the cache can positively impact the scalability.
Happy 15th PhP
June 9th, 2010 by Bruno FriedmannDid you remember the June 8th 1995 ?
There was a annonce here
http://groups.google.com/group/comp.infosystems.www.authoring.cgi/msg/cc7d43454d64d133
Announcing the Personal Home Page Tools (PHP Tools) version 1.0.
These tools are a set of small tight cgi binaries written in C.
They perform a number of functions including:
. Logging accesses to your pages in your own private log files
. Real-time viewing of log information
. Providing a nice interface to this log information
. Displaying last access information right on your pages
. Full daily and total access counters
. Banning access to users based on their domain
. Password protecting pages based on users’ domains
. Tracking accesses ** based on users’ e-mail addresses **
. Tracking referring URL’s – HTTP_REFERER support
. Performing server-side includes without needing server support for it
. Ability to not log accesses from certain domains (ie. your own)
. Easily create and display forms
. Ability to use form information in following documents
Here is what you don’t need to use these tools:
. You do not need root access – install in your ~/public_html dir
. You do not need server-side includes enabled in your server
. You do not need access to Perl or Tcl or any other script interpreter
. You do not need access to the httpd log files
The only requirement for these tools to work is that you have
the ability to execute your own cgi programs. Ask your system
administrator if you are not sure what this means.
The tools also allow you to implement a guestbook or any other
form that needs to write information and display it to users
later in about 2 minutes.
The tools are in the public domain distributed under the GNU
Public License. Yes, that means they are free!
For a complete demonstration of these tools, point your browser
at: http://www.io.org/~rasmus
—
Rasmus Lerdorf
ras… @io.org
http://www.io.org/~rasmus
Now 15 years after, great way. And daily basis work with it. Thanks Rasmus, Thanks PhP dev’s, thanks openSUSE packagers … For those who need php applications, framework, lib and so just have a look at this long list of what is ready to use on your favorite distribution
http://packages.opensuse-community.org/index.jsp?searchTerm=php&distro=openSUSE_112
How to set up a Production Server for your Rails App
May 28th, 2010 by Jan LoeserHi folks,
as you know it’s exciting to create a new rails application for several tasks. It’s fast, easy and everything is predefined. But what do you do if your application is (nearly) done? The next logical step is to set up a production web server – for me, this step always was a difficult issue. Mongrel/WEBrick was started via ‘ruby script/server’ and your application was reachable on your localhost, mostly on port 3000. You’re the only user who interacts with it – no problem (as long as your application is in development).
“The Web, however is an extremely concurrent environment. Production web servers, such as Apache, Lighttpd, and Zeus, can work on several requests – even tens or hundreds of requests – at the same time. A single-process, single-threaded Ruby-based web server can’t possibly keep up.” (quoted from ‘Agile Web Development with Rails’)
Therefore I want to show briefly how to set up a front-end server with an existing Rails application using an Apache server and the RubyGem ‘Passenger‘. Do the following as root.
1. Install Passenger (One-click Install) (assumed that Ruby itself and all needed Gems are installed)
2. Install Apache and it’s dependencies:
$> zypper in apache2
3. Add the Passenger module to your Apache server:
$> a2enmod passenger
4. Create a virtual host on your Apache server. Create ‘/etc/apache2/vhosts.d/myapp.conf’ and insert:
<VirtualHost *:80>
ServerName www.myapp.com
DocumentRoot /srv/rails/myapp/public
RailsEnv development
<Directory /srv/rails/myapp/public>
Allow from all
Options -MultiViews
</Directory>
</VirtualHost>
Be sure that the path to your application is correct and do not forget the public directory! As you can see this virtual host receives all requests on port 80 (http). The line ‘RailsEnv development‘ specifies the ‘RAILS_ENV’ variable (in this case ‘development’, the default value is ‘production’). Normally you want ‘production’ for your production server!
5. Activate your virtual host in ‘/etc/apache2/listen.conf’. Just enable the line (remove the leading hash mark)::
#NameVirtualHost *:80
6. Now you can start your Apache server:
$> rcapache2 start
Important: when you want to check the log file be aware of the mode Passenger runs the Rails application (‘production.log’/’development.log’). By default, the log file is written by the user who owns the ‘environment.rb’ – check the log file’s write permissions (See also: User switching).
Have a look at the documentation! There you find a lot of configuration options which you should think of.
That’s it. Sure, there are many many other ways to get such a server running and this was just scratching the surface but should be a good point to start. Thanks to Thomas Schmidt for a good introduction into the topic.
automated openSUSE testing
May 25th, 2010 by bmwiedemannTesting is an important task. But testing daily openSUSE-Factory snapshots would mean testing the same things every day. This would be pretty tiresome to people.
And there is a lot of software to test, including software unknown to most testers or new versions of known software, so how should the tester know if the results were the intended results?
My answer is: leave as much as possible to computers. Computers do not get tired. Computers do not stop testing something after a dozen identical results. Computers do not forget.
The following assumes that you have read my text on making openSUSE install videos.
So far, I am rather satisfied with my automated installations.
At the end of those, I added some basic application testing, which already showed in MS7
openSUSE-KDE-LiveCD-x86_64-Build0625a.ogv dated 2010-05-21 16:08
an issue filed 28 hours later at bnc bug 608087
Only that it currently still needs a human to look at the results.
I was thinking to improve upon that by scanning (rectangular) parts of the screenshot for known good or bad images. If either is found, the test could be automatically marked as passed or failed.
On unknown images, a human would still need to decide which part of the image is relevant and if it is good or bad. This decision can then be used to avoid human interaction (hard work) in further runs of that test.
If we push this further, it could be similar to nagios for network monitoring. Telling when something breaks and telling when something is back working. It could have an overview page about automated test status, giving totals e.g. “50 working, 10 unknown, 3 failing”. With links to more details.
The advantage in adding the application tests after the install test is that the system starts out in a clean, reproducible way. One disadvantage I see is that a newly failing test could prevent following tests to work.
I have also been working to enable others to run my isotovideo script. For that I have cleaned up my code so that it no more contains paths from my system. The other thing is that I documented how to get it working at http://www3.zq1.de/bernhard/git/autoinst/INSTALL
MS7 installation videos:
openSUSE-KDE-LiveCD-x86_64-Build0625c.ogv openSUSE-KDE-LiveCD-i686-Build0625a.ogv openSUSE-GNOME-LiveCD-x86_64-Build0625b.ogv openSUSE-NET-x86_64-Build0623b.ogv openSUSE-NET-i586-Build0623b.ogv openSUSE-DVD-Build0625-x86_64b.ogv openSUSE-DVD-Build0625-i586b.ogv
apache2-icons-oxygen is now in Factory
May 20th, 2010 by Javier LlorenteFor those who don’t know it yet, apache2-icons-oxygen is now in Factory 🙂
Go to www.javierllorente.com/tmp/ to see it in action.
If you want to try it out, take a look at README.SuSE included in the rpm package:
(more…)
Annuncing KIWI-LTSP package updates
March 31st, 2010 by Jigish GohilHello Community
openSUSE packages are updated to use the latest LTSP. Here are the highlights of this release:
* LTSP 5.2.1
* LDM 2.1.1
* LTSPFS 0.6.0
* kiwi-ltsp-prebuilt 0.8.2
* kiwi-ltsp-bootimage 0.8.2
Follow the Quick Start guide here: http://en.opensuse.org/LTSP
Give it a test and let me know your feedbacks.
On the side note, jury verdict in the Novell vs SCO Group trial, Novell wins. Good news for Novell, for Linux and for OSS
Have a lot of fun…
Into the Cloud
March 29th, 2010 by rjschweiSetting up your own Cloud infrastructure on SUSE has just become a lot easier. You can now use Kiwi and a mostly pre-configured set-up to build your own Cloud node images. Once these images are built setting up your Cloud can be accomplished in a few minutes.
Checkout the Cloud Recipe in the Kiwi Cookbook.
Happy Hacking
Li-f-e updated
March 24th, 2010 by Jigish GohilopenSUSE Education team is happy to announce the availability of the updated openSUSE Education Li-f-e DVD iso. The Linux for Education (Li-f-e) contains the wide selection of education, development, office, as well as multimedia packs to meet all possible computing needs of students, teachers and parents.
Some of the highlights of this update:
Desktop Environments:
Additions:
- Stellarium, planetarium software
- Cinelerra, movie editor
- vsftpd, a very secure ftp server
- FreeNX for secure and low bandwidth remote access
Updates:
- All official updates to openSUSE 11.2 since its release
- LTSP 0.5.1.99, includes fat-client support
- Banshee 1.6 RC1
- Code::Blocks SVN 6182
- and of course most of the education packages like gcompris and tux4kids suite got updated.
Download:
Direct Download | metalink | torrent | md5sum
More mirrors on sourceforge
More information here: http://en.opensuse.org/Education/Live
Have a lot of fun
Your openSUSE Education team
Advertisement
-
Lizards
Adrian Schröter (12)
Agustin Chavarria (6)
Alessandro de Oliveira Faria (13)
Alex Barrios (12)
Alexander Naumov (10)
Alexander Orlovskyy (3)
Alin M Elena (5)
Andrea Florio (27)
Andreas Jaeger (70)
Andreas Stieger (12)
Andrew Wafaa (31)
Arvin Schnell (9)
Atri Bhattacharya (3)
Bernhard Wiedemann (31)
Bonnie Kurniawan (1)
Bruno Friedmann (98)
Calumma Brevicorne (29)
Carl Fletcher (1)
Christopher Hobbs (17)
Ciaran Farrell (3)
Stephan Kulow (17)
craig gardner (2)
Stephan Barth (2)
Thomas Schmidt (2)
Dinar Valeev (1)
Dirk Mueller (2)
Dmitry Serpokryl (7)
Efstathios Iosifidis (21)
Fabio Mucciante (5)
Federico Lucifredi (9)
Greg Freemyer (1)
Holger Sickenberg (2)
Hubert Mantel (1)
Ilya Chernykh (5)
Ismail Donmez (1)
J. Daniel Schmidt (2)
James Tremblay (7)
Jan Blunck (4)
Jan Loeser (3)
Jan Madsen (1)
Jan-Christoph Bornschlegel (3)
Jan-Simon Möller (20)
Javier Llorente (12)
Jigish Gohil (85)
Jiri Srain (1)
Jiří Suchomel (3)
Johan Kotze (5)
José Oramas M. (6)
Josef Reidinger (16)
Juergen Weigert (1)
Julio Vannini (9)
Dinar Valeev (5)
Kevin "Yeaux" Dupuy (11)
Klaas Freitag (55)
Lars Vogdt (11)
Ludwig Nussel (13)
M. Edwin Zakaria (4)
Marcus Hüwe (39)
Marcus Meissner (2)
Marcus Moeller (3)
Marcus Schaefer (4)
Martin Lasarsch (8)
Martin Mohring (11)
Masim "Vavai" Sugianto (20)
Michael Andres (1)
Michael Löffler (7)
Michal Marek (7)
Michal Vyskocil (12)
Miguel Angel Barajas Hernandez (2)
P Linnell (2)
Nelson Marques (55)
Nenad Latinović (1)
Nikanth Karthikesan (2)
Przemyslaw Bojczuk (1)
Peter Pöml (4)
Petr Gajdos (2)
Petr Mladek (60)
Petr Uzel (5)
Ray Wang (1)
Raymond Wooninck (1)
Ricardo Chung (7)
Ricardo Varas Santana (7)
Richard Bos (11)
Robert Schweikert (16)
Rossana Motta (1)
Rupert Horstkötter (10)
Sascha Manns (66)
saydul akram (3)
Sebastian Siebert (6)
Shawn Dunn (2)
Stanislav Visnovsky (7)
Stefan Haas (1)
Stefan Hundhammer (5)
Stefan Schubert (7)
Steffen Winterfeldt (8)
Suresh Jayaraman (3)
Susanne Oberhauser (3)
Thomas Göttlicher (6)
Thomas Schraitle (26)
Togan Muftuoglu (3)
Tuukka Pasanen (36)
Will Stephenson (22)
YaST Team (90)