What manageability means and how to get there

I’m a little frustrated that when I talk about manageability, people get confused. Manageability makes it simple for system administrators to deploy desktops and for users to share data.

This isn’t just about setting up servers. Ubuntu, based on Debian, is great as a server OS.

This isn’t just about automating tasks. Landscape or puppet can help out here, but that only goes so far. They’ll take care of monitoring, package updates, and automating tasks.

A sysadmin of an office or an IT group for a larger organisation still needs some central management interface for all his users. He needs to make it easy for people to share data across a network and have unified, secure credentials for login, email, and web access. If a user’s login account isn’t the same as their email account — if they can’t use the same address book in their desktop mail client as they do in webmail — then you have a management problem.

There is a known solution to this problem. Kerberize your apps and make them speak LDAP. Many applications already have this capability. The manageability problem that Ubuntu has is not really a lack of capability, it is one of integration. System and Network administrators tend to understand the problem better than developers of desktop or server software, but most of them already have their hands full managing their own organisation and don’t have time or, often, the capability to start integrating all the software and configuration into something that anyone can deploy easily.

And so, Microsoft continues to win on the desktop. Not because an individual PC running Windows is easier for most people to use, but because it’s easier to set up Active Directory to work with Outlook and Exchange than it is to roll your own directory service with the tools available out of the box on Ubuntu. Bug #1 will never be solved until directory services and authentication are integrated into every aspect of Ubuntu.

Now, as frustrated as I am that most people don’t seem to understand the problem when I talk about it, I am pleased to see that others are aware of the problem, and have actually put some effort into planning out an approach to solving it.

The best example of this would be the EDUbuntu people. Their EDUbuntu User Management blueprint is a great outline of exactly what needs to take place to solve this manageability problem.

But they created this blueprint over four years ago and almost nothing has happened on it.

Launchpad is littered with similar blueprints (below) that show other people’s aborted efforts to solve part or all of the problem. Unfortunately, no one group has really tried to spearhead this, and so most of these efforts (at least when I did my survey a few months ago) are dead or dying.

I’d really like to get this problem solved so that setting up an Ubuntu-based directory service would be as easy — easier, even — as setting up Active Directory.

Look over the blueprints below, find a place you can help. Let’s get this moving forward!

Managing Ubuntu Systems, the next step in ease-of-use

(This is a copy of the message I sent to the UbuntuNGO mailing list.)

As a system administrator for several years (I got my first sysadmin job back in ’97), I’ve been frustrated with the lack of manageability of Linux systems. To reduce the cost of managing desktop systems, directory services that provide single sign-on and centralized management capabilities are needed.

Sure, there are things you can cobble together, and there are ways you can integrate Ubuntu into an AD network (see this article on “Seamless Smartcard login” for an example), but these things are more complicated than they need to be. And, while I don’t think the goal should be integration with AD, when Microsoft provides tools to easily manage computers throughout an organization, the cost of supporting Microsoft systems is going to be less, since the cost of licensing is nothing compared to the cost of paying for the increasingly complex IT support Ubuntu requires without directory services support built in.

No, this isn’t a specifically NGO goal, but it is integral to the goal UbuntuNGO has of getting NGOs to adopt Ubuntu on the desktop.

I went through Launchpad looking for blueprints pertaining to management and directory services and found a number of initiatives. The problem, though, is the hodgepodge of efforts and lack of focus. Directory services integration is absolutely vital to getting NGOs and others to adopt Ubuntu on any sort of scale. Canonical and Ubuntu have done a great job of providing an excellent out-of-the-box experience for the individual user, but scaling that up to groups of non-technical users needs work. We can make management of Ubuntu systems on a network just as easy as the use of Ubuntu itself is, but it will take some work, and we can’t expect that a great desktop experience will solve all problems.

I’m interested in your thoughts.

Patch and directions to build 64bit Google Gears

Ok, it’s been a couple of weeks since I posted the 64bit Linux installer for Google Gears. And some people have asked for the diff or a smaller installer. Fair enough. Here they are. The directions for compiling your own are simple enough. Here is a cut-n-paste list of directions:

svn co http://gears.googlecode.com/svn/trunk gears
cd gears
curl http://mah.everybody.org/gears.diff | patch -p0
chmod +x third_party/gecko_1.9/linux/gecko_sdk/bin/xpidl
cd gears
make

If you look at the diff, you’ll see there is nothing particularly 64bit-ish about it. It’s mostly just fixing warnings and declarations. So the real question I have is: why doesn’t Google offer 64bit builds? (Now, if only I could come up with an Ubuntu package for this…)

Server setup: forwarding only local email

Often, when setting up email on a server, you want to receive email from local processes (cron jobs, etc.) but don’t want email accounts to be abused by spammers. For example, on Ubuntu systems you might have a cron job that runs as www-data that you want to get mail from, but you don’t want spammers sending email to www-data@example.com. I just had a client ask me to fix this problem for them, so I thought I’d share the solution I came up with.

Typically, the /etc/aliases file directs mail from all these extra accounts (like www-data, nobody, etc.) to root, and you’re expected to set up a forwarder for root (e.g. mah@example.com). Instead of directing mail for all these accounts to root, I created a locked-out account. The only purpose of this account is to verify that only locally generated email is sent on to the end recipient. No more Viagra spam for www-data@example.com!

To set up the locked-out account:

# -m creates the home directory that .forward and .procmailrc go into
$ sudo /usr/sbin/useradd -m localmail
# lock the password and give the account no usable shell
$ sudo /usr/sbin/usermod -L -s /dev/null localmail
$ echo '"|exec /usr/bin/procmail"' | sudo -u localmail tee ~localmail/.forward
$ cat <<EOF | sudo -u localmail tee ~localmail/.procmailrc
# replace example.com with whatever domain locally generated email has
:0:
* !^Return-Path: .*example.com
/dev/null

:0:
!root
EOF

This works with postfix, but I haven’t tried other MTAs.
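As an added example (not part of the original post), here is the decision the .procmailrc above makes, written as POSIX sh functions that read one message on stdin and print "forward" or "discard", so the rule can be tried on a saved message without an MTA. It also shows a stricter match, since `.*example.com` also accepts addresses such as ops@notexample.com; the LOCAL_DOMAIN default of example.com is assumed from the post.

```shell
#!/bin/sh
# Added example, not from the original post: the decision the .procmailrc
# above makes, as POSIX sh functions that read one message on stdin and
# print "forward" (send on to root) or "discard" (/dev/null).
# Assumption: LOCAL_DOMAIN is the domain locally generated mail carries
# in Return-Path, example.com in the post.
LOCAL_DOMAIN=${LOCAL_DOMAIN:-example.com}

# Print the first Return-Path header value from the message on stdin.
# Only the header section (everything before the first blank line) is
# searched; Postfix prepends its own Return-Path, so the first one wins.
return_path() {
    sed -n '/^$/q; s/^Return-Path:[[:space:]]*//p' | head -n 1
}

# Same test as "* !^Return-Path: .*example.com": the domain may appear
# anywhere in the value, so ops@notexample.com is also let through.
classify_mail() {
    case "$(return_path)" in
        *"$LOCAL_DOMAIN"*) echo forward ;;
        *)                 echo discard ;;
    esac
}

# Stricter variant: the value must be exactly <someone@LOCAL_DOMAIN>.
classify_mail_strict() {
    case "$(return_path)" in
        "<"*"@$LOCAL_DOMAIN>") echo forward ;;
        *)                     echo discard ;;
    esac
}
```

Either form only checks the envelope sender the MTA recorded in Return-Path, so this is a convenience filter for root’s mailbox rather than an access control.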

Google Gears for 64bit Linux Firefox

Since I run 64bit Ubuntu, I couldn’t use Google Gears. Which was annoying. The Google Gears site says 64bit OSes are not supported. But it is open source. So I grabbed the source code, tweaked a few things here and there, and I now have Google Gears up and running on my 64bit OS. It hasn’t crashed and burned yet, but I haven’t really tested it heavily yet, either (suggestions welcome). Anyway, here’s the XPI to install it. I’ll post the source soon. Or maybe just the diffs to the Google Gears list.

Ubuntu, for Humans

Amber, a non-technical mother, tries Ubuntu. This sounds like Alexis’s use of Ubuntu. I’m a geek (like her husband) and my wife wants to learn how to use Linux. The amazing and amusing thing (to me) is that when I installed Ubuntu on our kids’ laptops, Alexis was the one who began talking to them about the philosophy of Free Software and the obligations of the GPL. I wish Amber the best and hope that she can join the ranks of other “normal” people I know who use Ubuntu: my mother, my friend Jim Bonewald, my cousin Jeremy Stein (and the rest of his family), and of course, Alexis and my kids. Linux users may not yet be measurable, but we’re growing. And a lot of credit goes to Canonical and Ubuntu.

Ubuntu: Rite of Passage

My son was annoyed that his school-provided laptop includes NetNanny configured in such a way as to keep him out of game sites like PopTropica. Now, I understand the desire to censor our children’s forays onto the Internet. There is a ton of stuff out there that is a lot easier to get to than when I was a kid. And, often, as adults our first instinct is to protect them from where we know their curiosity will lead them. But blocking game sites? Now you’ve gone too far! Since I like to pretend I’m somewhat subversive, I was completely ready to let him install Ubuntu on the laptop. It plays into one of my goals for 2009: teaching my kids to program. I mean, sure, you can do it under Windows, but I’m just so much more comfortable with Linux. There was one snafu: I neglected to back up and defragment the disk before starting, so we lost some files. But, once his sisters saw the wobbly windows they just had to have it installed on their laptops, too. So now every laptop in the house runs Ubuntu. My daughter summed it up nicely: “I just feel so grown up now that I’m using Ubuntu like Mom and Dad!” As if to make sure I wouldn’t become too proud, she did add that she became acutely aware that I wasn’t quite the Super Geek she imagined me to be when I managed to lose her weather charting homework. Win some, lose some, I guess. But I count this as mostly a win.

Referrer Blacklist

In addition to helping bring IntraHealth’s web stats up to date, I’ve been working on my own. I’ve been playing around with Webalizer and awstats. While I prefer awstats, I really hate referrer spam. awstats allows you to specify a blacklist and suggests using MT-Blacklist for a list of blacklisted, referrer-spamming domains. The problem? MT-Blacklist is abandoned and the author suggests using TypePad’s Antispam service as a replacement. This is all well and good if you’re just worried about comment spam, but it does me no good when I’m trying to keep referrer spam out of my parsed logs. I looked around for someone maintaining a more up-to-date list, but couldn’t find one. Maybe that just means I’m the only person interested in such a list. Maybe the old list works for most people who want to use it. But I found several referrers that it doesn’t block and added them. If you’re interested in a more up-to-date list, you can pull from my github repository. If you have domains to add, you can ask me to pull from your repository. It may be that I am the only person interested in this, but if not, github will give us a way to collaborate on a list.

IntraHealth OPEN launched

Almost two years ago, when I started working at IntraHealth, dcm told me about IntraHealth Open. Being a neck-bearded freetard, the idea really appealed to me: use open source in the education of students in developing countries across Africa to build a workforce that could support the IT infrastructure of the continent without using Western consultants. The use of Free and Open Source Software (FOSS) is essential to the goal. Using software that is freely licensed in perpetuity avoids the "First Hit is Free" model many software companies use to get developing countries hooked on their software. Building the use and understanding of FOSS into the curricula gives the students the skills they need to use software on the job. And deploying freely-licensed software like Ubuntu, OpenOffice, iHRIS Suite and OpenMRS into these developing countries will create a local demand for workers who can use, understand, and maintain the very software they’ve learned about in school. I’m very excited about the new IntraHealth OPEN initiative. You can even take part. Senegalese musician Youssou N’Dour is working with other musicians to help raise funds for the OPEN initiative by making his music and remixes of it available for free download under a Creative Commons license. So go download some music and consider making a donation to IntraHealth OPEN. UPDATE: Listen to dcm talk about Open in the Launchpad podcast.

Hotplugging disks on a headless Ubuntu Box

Since I’ve been using Ubuntu, I’ve been blessed in comparison with Linux of even just a few years ago. Hotplugging cameras, disks, and almost any other USB device “just works”. As a general rule, I don’t have to worry about configuring it, installing drivers, or compiling my kernel.

Still, there are some times I need to figure out how to do things at the lower level. Today, I wanted to figure out how to mount a USB drive automatically on a headless Linux box. Since Gnome isn’t running and no one is logged in, the usual methods don’t work. After some poking around, plugging and unplugging a disk several times, I have a working solution.

The first thing to know is udev. udev is a user-space process that interacts with the Linux kernel to set up devices at boot time and, in the case of USB devices, as they are plugged in. On Ubuntu, you can drop a file in /etc/udev/rules.d to tell udev to execute commands when it sees a particular device.

Setting up a USB drive is a two-stage process. First, udev sees the disk and fires off a series of events you can hook into. Then, after you probe the disk, udev will fire off another list of events for the partitions. To intercept these and call a script to probe the drive and mount the partitions, create a file named /etc/udev/rules.d/50-usbdisk.rules (there is a README file in that directory that explains the naming convention). Into 50-usbdisk.rules put the following text:

ACTION=="add", DEVTYPE=="disk", RUN+="/usr/local/bin/usb-add-disk"
ACTION=="add", DEVTYPE=="partition", RUN+="/usr/local/bin/usb-mount-partition"
ACTION=="remove", DEVTYPE=="partition", RUN+="/usr/local/bin/usb-umount-partition"

This will cause udev to run usb-add-disk when a disk is plugged in, usb-mount-partition when it sees the partitions, and usb-umount-partition when the drive is unplugged. Next, create /usr/local/bin/usb-add-disk with the following contents:

#!/bin/sh -e

# Maximum times to probe a disk
MAX=30

logger "Probing ${DEVNAME} using parted"
COUNT=0
ERR=1

# Keep probing, one second apart, until parted can read the partition
# table (which makes the kernel notice the partitions) or we give up.
# -s keeps parted out of interactive mode, which matters when udev runs
# this with no terminal attached.
while [ $COUNT -lt $MAX -a $ERR -ne 0 ]; do
    sleep 1
    ERR=0
    parted -s "${DEVNAME}" print > /dev/null 2>&1 || ERR=$?
    COUNT=$(($COUNT + 1))
done

if [ $ERR -ne 0 ]; then
    logger "Couldn't probe $DEVNAME for media after $COUNT times"
fi

exit 0

This script will log a message that it is “Probing…” to syslog, probe a disk up to MAX times (30 in this case), and, if it isn’t successful after 30 probes, log a message to syslog about its failure.

A couple of notes. I’m not sure about the $((…)) syntax. It works in bash and dash, but I’m not sure it is a POSIX standard. Second, you may be wondering why I’m pausing and probing so many times. Usually this should work on the first try. Still, the “disk” I was using in this case was my Blackberry’s SD card. Since I’m a little paranoid, I have a password on my Blackberry. Every time I plug it into a computer, it prompts me for the password. Until I enter the password, Ubuntu can see the drive, but thinks the drive is empty. Once I enter the password, the disk’s partitions appear. (Ubuntu doesn’t appear to see the partitions until after parted probes the drive. If you know a better way to get the partitions to show up besides probing the drive like this, please let me know.)

At this point (and, on most USB disks, this is almost immediately since you don’t have to provide a password), udev will call usb-mount-partition. Let’s give udev something to run. In /usr/local/bin/usb-mount-partition put the following:

#!/bin/sh -e

BASE=$(basename "$DEVNAME")
# -e: refuse to reuse any existing path, not just a searchable directory
if [ -e /media/$BASE ]; then
    logger "Can't mount usbdisk, /media/$BASE already exists"
else
    mkdir -p /media/$BASE
    mount "${DEVNAME}" /media/$BASE
    logger "Mounted usbdisk at /media/$BASE"
fi

exit 0

If everything works smoothly, the disk will now be mounted under /media. Whether the script is able to mount the disk or not, a message will be sent to syslog letting you know what happens. When you want to unmount the disk, you should run umount first and then remove the USB drive. That’s what you should do. But you might forget. If you do forget, then you’ll be left with a dead mount point. In that case, we have one more script to handle the clean up: usb-umount-partition. In /usr/local/bin/usb-umount-partition, put the following text:

#!/bin/sh -e

BASE=$(basename "$DEVNAME")
if [ -d /media/$BASE ]; then
    logger "Unmounting usbdisk from /media/$BASE"
    # umount fails if the disk was already unmounted by hand; that is fine
    umount /media/$BASE || true
    rmdir /media/$BASE
else
    logger "Couldn't find mount point for $DEVNAME"
fi

exit 0

This script will umount any dead mount points and remove the mount point that usb-mount-partition created. Make sure the scripts you just created in /usr/local/bin are executable (sudo chmod +x /usr/local/bin/usb-*) and that’s it: your headless Ubuntu box should now automatically mount disks. If you want to signal some other program or run a script when the drive is mounted, you can add that to usb-mount-partition.

A couple of notes on these scripts. First, it is a good idea to start your shell scripts with the -e flag. This will force you to handle any error conditions. For example, in usb-umount-partition, I run umount to unmount the drive. But suppose you already did this (as you should have). The umount command would return an error. Since I’m using the -e flag, I need to handle that, so I added || true. Handling errors like this really helps during testing to make sure errors don’t hide in your scripts.

Second, logger is extremely helpful for debugging. When I was testing my udev rule files, I found it helpful to pipe env to logger. I could just tail -f /var/log/messages and find out what environment my scripts were getting.
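As an added example (not one of the post’s own scripts), here is a stricter usb-mount-partition: it validates the DEVNAME udev hands it before building a path from it, and mounts with nosuid,nodev,noexec so nothing on a plugged-in disk can run setuid or supply device nodes. It assumes mount points under /media and the DEVNAME/DEVTYPE environment the rules above provide.

```shell
#!/bin/sh -e
# Added example, not the post's own script: a stricter usb-mount-partition
# that validates the udev-supplied DEVNAME before building a path from it
# and mounts with nosuid,nodev,noexec, so nothing on a plugged-in disk can
# run setuid or supply device nodes.
# Assumptions: mount points live under /media as in the post; DEVNAME and
# DEVTYPE are set by udev, as they are for the rules above.

MEDIA_ROOT=/media

# Print the mount point for a partition node, or fail (exit 1) when the
# name is not a plain /dev/<letters+digits> node ending in a digit. That
# rules out anything with "/" or ".." in it, so the result always stays
# directly under MEDIA_ROOT.
mount_point_for() {
    name=${1#/dev/}
    [ "$name" != "$1" ] || return 1          # must start with /dev/
    case "$name" in
        '' | *[!a-z0-9]*) return 1 ;;        # only [a-z0-9] allowed
        *[0-9]) printf '%s/%s\n' "$MEDIA_ROOT" "$name" ;;   # partitions end in a digit
        *) return 1 ;;                       # whole-disk node (sdb), not a partition
    esac
}

# The udev hook proper. Every exit path logs, as the post's scripts do.
usb_mount_partition() {
    if [ "${DEVTYPE:-}" != partition ]; then
        logger "usbdisk: ignoring ${DEVNAME:-?} (DEVTYPE=${DEVTYPE:-unset})"
        return 0
    fi
    mnt=$(mount_point_for "${DEVNAME:-}") || {
        logger "usbdisk: refusing unexpected device name ${DEVNAME:-?}"
        return 0
    }
    if [ -e "$mnt" ]; then
        logger "usbdisk: $mnt already exists, not mounting $DEVNAME"
        return 0
    fi
    mkdir -p "$mnt"
    # Removable media is untrusted: no setuid, no device nodes, no direct execution.
    mount -o nosuid,nodev,noexec "$DEVNAME" "$mnt"
    logger "usbdisk: mounted $DEVNAME at $mnt"
}

# Run the hook only when installed under the name the udev rule calls;
# sourcing the file under another name just defines the functions.
case "$0" in
    */usb-mount-partition) usb_mount_partition ;;
esac
```

On systemd-based Ubuntu releases, systemd-udevd runs RUN programs in a private mount namespace, so a mount made directly from a rule is not visible to the rest of the system; there the rule should instead pull in a systemd unit (for instance through ENV{SYSTEMD_WANTS}) that performs the mount.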