...making Linux just a little more fun!
My name is Jeff Rohloff, and I am the IT manager of the detention center here in Las Vegas, NV. I am involved in a project that uses Oracle DB and application servers. We have investigated the deployment of this app on a server running Linux, and have been very excited by what we have found so far. We have presented this to the executive staff and they too are excited. My last hurdle is to do a risk assessment of the deployment of Linux into our environment, which is primarily Microsoft. Do you know of a site, or do you have info that you may be able to share, that might help me put this document together? Thanks in advance.
This is extremely situation dependent. You should at least ensure that the people that'll be using this database are trained to do so. -- Thomas
In my experience, Oracle in a mixed Windows/Linux environment works quite well. I recently taught a class on Linux implementation at the CapitalOne bank headquarters where they're converting to exactly that setup. Their tech people were highly positive in their reactions to my questions about the integration process; it eliminated several of the problems they'd experienced under Wind0ws (I can't recall exactly what the former problems were, but they had something to do with failing to service a query during high traffic periods.)
You're definitely not riding the bleeding edge with this; many companies have implemented this configuration by now, and you could certainly benefit from their experience. Oracle themselves probably have case studies on file that you could examine, although it may require a bit of digging and prodding. -- Ben
Perhaps our readers could point out some specific resources that Jeff could use while making his decision about their Oracle setup.
But it does raise a neat idea for an article. The core of any good advocacy (in my not too humble opinion) is the ability to take the other viewpoint(s) and examine all the data from a broader perspective - what will really serve the needs best from the options available. Soooo... a good article on risk analysis, itself, with managers like Jeff and businesses in mind, would be a welcome sight. Any takers? Read our Author Guidelines - then contact our articles@ staff. -- Heather
Sorry if we're a bit light on the tips this month, folks.
As mentioned in a past issue, people have been asking us for more Tips that are the little bitty tidbits you can nibble on, the quick answer, the really handy pencil to tuck in your Linux pocket. Some of our meatier tips come from The Answer Gang, maybe a little too meaty for some tastes. The fact is the very best of the tidbit-style Two Cent Tips come from you, dear readers...
Send 'em in! Mail your tip to email@example.com. Ideally, they aren't FAQs, aren't obvious (until you see them, at least), but give you a "wow! I wish I'd known that a few weeks ago" feeling.
Debian, ahhh Debian. Don't care about any cutesy install, easy enough IMHO.
[Mike] I managed to stay out of this thread so far because the author is so closed-minded, but just to set the facts straight, Gentoo's install is less cutesy than Debian. No curses dialogs to guide you through. There is one little dialog program you can run to configure the network, but it's optional. Everything else is done by hand the old-fashioned way or by running little console programs. What more do you want?
[Jason] Alternatively phrased, what less do you want?
For instance, the only thing in the Crux install that doesn't happen on the command line is a curses-based package selection program. Everything else (creating the target filesystem, mounting it, installing a bootloader if you need to, etc.) you do yourself.
Which, oddly enough, I found to be simpler than trying to figure out how someone else designed an installer.
I had not realized that Gentoo had a minimal install. Sounds like I might like it. (If only I had the bandwidth...)
[Mike] Gentoo is not the first or only compile-it-yourself distro, but it happens to be the one that's supported enough to make a lot of first-time compile-distro users try it out. So it's creating a "market" for a different kind of distribution. Something like that deserves press coverage. Will it remain in that privileged position forever? Probably not. I first encountered Red Hat some months after it appeared when a guy recommended it saying, "These guys actually test their distribution." RH brought a new level of quality control to Linux, which SuSE and others then stepped up to compete with. No doubt other distros modelled after BSD ports will appear too, and the binary distros may start focusing more on their (already existing) option of letting users install from source if they wish.
Rock Linux is another compile-it-yourself distro, and last time I looked at it, it had an install similar to Gentoo's. You might also look at Slackware, which is more simplistic than Debian (and I mean that in a good way), although it's more cutesy than Gentoo.
Gonna stick with it because
1. It is FREE, never gonna have to pay for it in any way, really a strange concept...
[Mike] Gentoo is free, and Rock and Slackware and Fedora and...
[Raj] ...so is the Mandrake Community Edition (it lacks the acrobat reader, crossover office and other proprietary stuff)
2. APT works sooo well. Just install Woody base, set sources to testing, and invoke aptget ugrade dist to get Sarge installed. Then aptget for whatever else over the net
[sic] folks. Debian's actual command (to do mass upgrades without breaking holds or allowing package removals for apps that changed drastically) is: apt-get upgrade dist -- Heather
[Raj] You can do that with yum too. MDK provides rpmuri (might have got the name wrong). I am surprised that people still complain about the RPM dependency hell. Then there are some people who can run apt on redhat too, but I have not looked at it.
[Mike] Debian can justly be proud of its pioneering work in distro technology. It was the first distro to create a package searcher/downloader like apt, a program many of the RPM-based distros have now adopted. Debian was also the first with individually-upgradeable packages (the dpkg system), although rpm came out not long after. I think Debian was also the first distro with dependencies.
But these all must be weighed against the much larger set of quirky Debian technologies and policies which have not been universally adopted. Debian has very specific and complicated policies for how software must be packaged, which files go where, how the application must behave, etc -- these policies fill two whole books (the Debian Policy Manual, the Developer's Reference, and we should add the New Maintainer's Guide and the smaller documents: Emacs policy, Perl policy, Spelling Dictionaries and Tools policy, etc). These provide a steep learning curve for package maintainers, as well as for those who just want to use dpkg for their own private software. Automated tools exist now to help with this, but they do so much magic it can be hard to figure out what all they're doing. Last time I tried to build a package, you even had to make a PGP key to sign it with, as if that's necessary for private packages. All this complication regularly results in (1) Debian packages with broken dependencies: e.g., packages that depend on themselves, packages that depend on packages that don't exist, (2) lots of fixer releases to get the minutiae of the policies correct, (3) months or years between releases, and (4) several-month periods where you can't install two favorite packages simultaneously because one uses a newer version of a library than the other. Debian was my primary OS for nine years, so I've had lots of experience with this. When a package is broken, you have to decide whether it's worth spending several hours fixing the package, or spending the same several hours building the upstream software locally and waiting for Debian to catch up. The latter is fine for really standalone programs, but it's a pain if it's a library or program that lots of other packages depend on.
3. When Sarge goes mainstream, gonna set cron to update automatically any packages that get security fixes.
[Raj] Again yum can be made to run from cron too.
Do not want to start a distro-flamewar, but yes most distros do provide a very decent method of upgrading/installing packages now. And some utils do provide means to manage source installs too. (checkinstall is one from the top of my head). Linux is out of the dark ages now
Not that I recommend letting cron change how production systems work - or don't - every night. brrrrrr... I have enough cares when upgrading while a sysadmin is present. -- Heather
[Mike] That may be safe with Debian Stable, but you definitely don't want to do that with Unstable or you may wake up to a hosed computer. I would never let any distro automatically upgrade packages without me being on hand to monitor for problems, not unless I'd had success with that same package version on other computers, but if you really want to, you can put "emerge sync" and "emerge world" in Gentoo's cron too.
Can the others boast these wonderful qualities? Not sure I care, but it would be good to know. I installed Suse, and about went to the bathroom to retch when I realized I had installed a proprietary system. It is still there on my hd, but I haven't used it.
[Mike] Some of us are like Linus: we care less if our computer is 100% politically correct than if it has the software we need. I strongly prefer free software, but the BSD license is good enough for me; I don't need GPL (or Lignux). And I'm not against installing RealAudio or Wing IDE/Komodo or a semi-commercial office suite if there's no adequate free alternative.
[Jason] I don't understand this. The BSD license has less restrictions on use than the GPL. Could you please elaborate?
[Mike] Bad wording on my part. The GPL fanatics think the BSD license has holes big enough to drive a proprietary truck through. Users can make closed-source derivatives of BSD-licensed products, and that really gets the free software purists' goat.
As an example, last week in LWN there was an article (http://lwn.net/Articles/106353) about Jeff Merkey's (ex-Novell) offer to buy a BSD-style license for a certain version of Linux (assuming all the kernel copyright holders were locatable and agreed, which is about as likely as Ben Okopnik selling you a bridge in Brooklyn). That would allow Microsoft to incorporate portions of Linux into Windows if it desired. There are rumors MS already did this with BSD code, in Windows 95's TCP stack and telnet/FTP utilities. Does that bother me? No, I'm just glad they borrowed quality code rather than using whatever homemade crap they might have come up with otherwise. Actually, what I care more about is compatibility and interoperability, and borrowed code at MS has a better track record in that regard than homemade stuff.
I've made some contributions to Cheetah (http://cheetatemplate.org), a template system for Python, which has a BSD-style license. So nothing is keeping MS from using Cheetah in MS Office or making a commercial Cheetah derivative. Does that bother me? No, I thought about that before I released the code. Their making money off it doesn't hinder me from using it for free, and I'm glad if it gets wider use, that's why I wrote it.
Back to answering our reader... -- Heather
[Mike] Why didn't you realize SuSE was "proprietary" before you installed it? It's hardly a secret that its closed-source install/upgrade tools are what make SuSE SuSE. (Or does SuSE provide the source somewhere? RH provides the source to all its tools.) Or are you referring to the third-party software SuSE bundles with a one-user license, software which is completely optional and in no way required for a functional SuSE system?
[Jason] *nods* What works, works. I don't use free software because it's free ("free" in the "free speech" sense of the word), I use it because it isn't broken.
Thanks for the great articles!!
Thanks, Ed. It's always good to hear from our readers.
I was really tempted not to pub this. It's lively, but our Gang aren't really argumentative with each other about our choices, we just know how to enjoy a juicy debate. We know there are fans out there for every distro. Each one's got its good points, some of those are even much the same. And for others, "good" is in the mind of the beholder. For users who crave the lumbar support that sitting in the driver's seat of a commercial distro brings, we seem to have more of those every year. A few of us will continue to enjoy our hot rods and race around in the desert of really new software, trusting our experience to be our roll bars, and expecting - some even enjoying the chance - to hit a few potholes now and then. Open source gives us that choice.
In spite of my recent hardware problems, there's been a very pleasant and positive change in my computing experience over the past few months; namely, the amount of spam that I have to "handle" (i.e., false positives and negatives) has gone to nearly zero. I wanted to mention it here, since Neil's article was responsible for getting me started down this path.
Here's the snapshot of what it took:
1. Followed the recommendations in the article, all except DNS blocklists. Biggest surprise: the amount I could reduce the spam point threshold (currently at 3.0) without any resulting false positives. I could probably go even lower...
2. Training the Bayesian filter on the odd false negatives became trivial once I set up the Mutt macros:
macro index \eb "|sa-learn --spam^M"
macro pager \eb "|sa-learn --spam^M"
Other than that, I've built up its database by dumping my spambox into it when it exceeds 100 emails:
sa-learn --spam --mbox /var/mail/spam
3. Whitelisted those of my friends who routinely BCC mails to me.
As a result of all of the above, plus a very simple procmail recipe - other than basic sorting into my various mailboxes, it considers as spam anything that is not sent to one of my valid addresses - the last 1000 emails have resulted in 0 false positives and 2 false negatives. Given that 57%+ of the total (so says a quick analysis of my /var/log/procmail) was spam, those are pretty impressive results.
Thanks for the initial push, Neil!
[Neil] I'm pleased to have been some help.
A couple of things I've learnt since I posted the article.
SpamAssassin has a maximum database size and frequently expires tokens in the database, so the database won't grow too large. This size can be tuned with the bayes_expiry_max_db_size setting in the configuration. The value seems to be the number of tokens, rather than a size in bytes.
If you've misclassified something and you need to relearn it there's no need to use sa-learn --forget. If you've classified ham as spam, sa-learn --spam will automatically forget the learning as ham when told to learn it as spam and vice-versa.
[Mike] Good to know, I've been meaning to look at SA's scoring more closely.
My ISP recently went to rejecting mail with more than fifty recipients in the headers, and that alone cut down my spam by 75%. They also use Postini, but there was a huge shrinkage in my Postini spambox after they did this. As in, down from a thousand messages a month to fifty.
Got this email from Philips with some additional information about my article in LG 107 on how to reset root passwords. He talks about a special case where the process I described wouldn't work.
He has graciously given me permission to share this with you, and since I think you might find this interesting I am cc'ing this to the TAG.
What do you think, would it be too hard to reset passwords on SELinux?
[Ben] Nope. Just as you would pass "init=/bin/bash" or whatever on the command line, you could pass "selinux=0" to completely disable the SELinux features. You said it in your article: "physical access equals root access."
Sure, there are things you can do that would definitely prevent somebody from modifying your /etc/shadow - a large rusty axe vigorously applied to the hard drive comes to mind (encrypting the entire HD would be a close modern equivalent) - but we're talking about very rare exceptions. People who run specialized secured systems but haven't built up a kit of tools to take care of the now-different set of problems have only themselves to blame, while the rest of us laugh at them.
Thing here, it wasn't something specialized, but rather a normal setup of Fedora Core 2.
People didn't know a thing about SELinux, besides the /promotion/ on the RH site that FC2 is more secure than it ever was before. Then, a week later, they realized that they had forgotten the root password. I did precisely what you have said with 'init=/bin/bash' (I believe selinux=0 was a default; /etc/rc.d/rc was activating and configuring SELinux before anything else - it has a flag in /etc/sysconfig) and after reboot no-one was able to log into the system.
Everything worked Ok with disabled SELinux.
If anyone wants to make a correction to the article, the best of all is to warn users that some security systems a la SELinux do store checksums on files, which can make a file inaccessible if it was changed outside of the given security system. To make the file accessible again they will need to consult the manuals on how to do that.
Hi, thanks for emailing me with this info. I haven't yet tried SELinux so I wasn't aware of this problem. Apparently what's happening is that changing the password file trips a checksum or something in SELinux, stopping people from hacking the system.
I think it would still be possible to get past it by disabling SELinux at startup, changing the password, then doing a proper password reset and then activating SELinux. We could also try editing the sudo file to give a particular user su rights and then use that login to change the root password.
You would not do that on a system where you do care about security, would you?
Would you mind if I posted your comments on my site as a followup on the article? I will of course credit you for it, but I think that this info would be useful to others also. I would also like to post this to the LG TAG mailing list so that they know about this too, and who knows, this might show up in next month's LG as reader feedback.
Do whatever you like at your discretion. Spell checking is welcome.
SELinux notes by "Ihar 'Philips' Filipau"
On http://linuxgazette.net/107/tomar.html you wrote:
* Boot into single-user mode (easiest, least risky)
* Boot using a boot disk and edit the password file
* Mount the drive on another computer and edit the password file
On an SELinux-enabled system, all these methods will make the system unusable. I have had a negative experience with this on one of the Fedoras - due to some kind of bug/feature, SELinux was refusing to accept a foreignly modified /etc/passwd - no-one was able to read /etc/passwd. I believe that was one of the problems why Fedora removed SELinux from the default installation.
I cannot be sure how to fix that, since I didn't manage to repair that Fedora. Fedora's FAQ has a command to repair the file label (whatever it is called in SELinux, used to track file modifications) - but it was failing for me. Another option was to turn off SELinux, but I (mischievously) used this problem as a reason to /upgrade/ the system to SuSE. And it worked.
Whenever I write an article on something I usually send an e-mail to the developers/maintainers/webmasters/etc of whatever I write about, letting them know it's on the Gazette in case they wish to link to it. In the case of last month's stunnel article I e-mailed the author of stunnel (Michal Trojnara), who replied as below (and gave his permission to have it reproduced in Mailbag if Heather so wishes).
Michal Trojnara, Saturday 23 October 2004 19:31
Your article is just great. It's very clear and easy for beginners.
Some hints could possibly be added like:
- disabling the Nagle algorithm for improved performance
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
- creating special user/group just for stunnel instead of nobody
By the way: Nagle's algorithm is used to decrease the number of packets
sent over a connection by buffering smaller messages so that only a
single packet will be transmitted instead of one for each message.
Although "nagling" addresses some network problems it can be
undesirable in highly interactive environments.
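Both hints worked into one complete stunnel.conf, as an added example that is not Michal's or the stunnel project's own configuration; the stunnel account, pid and certificate paths, service name and port numbers are all assumptions made for illustration:

```ini
; Global options (everything before the first [service] section).

; Run the tunnel under a dedicated account instead of a shared one such
; as "nobody", so a compromised stunnel process does not share an
; identity with every other daemon that also fell back to nobody.
; The "stunnel" user and group are assumed to exist already.
setuid = stunnel
setgid = stunnel
; Assumed path; the directory must be writable by the stunnel account.
pid = /var/run/stunnel/stunnel.pid

; Server certificate and private key (constructed paths).
cert = /etc/stunnel/stunnel.pem
key = /etc/stunnel/stunnel.key

; Disable Nagle's algorithm on both the local (accept) and the remote
; (connect) socket, so small interactive messages are sent immediately
; instead of being buffered until they fill a larger packet.
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

; Example service: wrap a plaintext POP3 daemon on localhost in TLS.
; Port numbers are assumptions.
[pop3s]
accept = 995
connect = 127.0.0.1:110
```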
Thanks again for your comments Mike - and your permission to print.
Nice! I always like getting the comments "from the horse's mouth"; much like historical research using primary sources, it has good solid authority behind it. Thanks for forwarding it, Barry - it'll make a nice Mailbag item (and adds the benefit of knowing that your article was vetted by *the* expert.)
It's actually a really good idea in general, on reflection. I've added it, as a suggestion (original idea credited to you) to the bottom of the
Thu, 21 Oct 2004 00:41:49 +0100
Jimmy O'Regan (The LG Answer Gang)
Simply add this to your site/blog:
Comments, complaints, etc. are welcome.
Nice, Jimmy. This might be something to note in, what, Gazette Matters? Our adoring fans will want to know. Might be worth adding right after your RDF, etc. notes on the front page, too. -- Ben
It's added there too, now. Thanks Jimmy! -- Heather