Always wondered if there is a way in SELinux to disable the deadly rm -rf at the / path. Maybe the rm command can be told by SELinux not to allow anyone to run it at the / location with the options -rf *?
Could never find the time to experiment in a VM to find out. Have you? Please let me know through the comments section!
It's been really long since I blogged. Before going ahead, I want to tell you that I will be posting my endeavours with running virtual machines soon.
This, however, is my experience/guide for creating a super pen drive (a.k.a. a USB disk that, if booted from, presents a grub menu with options such as GParted, Fedora, ... and hopefully any other Linux distro, has Fedora persistence, and has a spare partition too, so you can use it as a normal pen drive).
It wasn’t as straight forward as I thought (like… all other things).
Steps:
Decide the partitioning layout and partition the pen drive.
Install grub on one partition
Install GParted on another
Install Fedora on another
Install grub again on the partition from step 2 :P, and set up grub.conf
Sit back, and enjoy (may need to crouch forward in some cases..)
A super neat trick: to check at any time how your pen drive would behave if you booted from it, use the command qemu -hda /dev/sdb -m 256 -vga std (it needs read access to /dev/sdb, so run it as root or as a member of the disk group).
This command cut my research time to a third.
1) Decide the partitioning layout
I used GParted on my Fedora installation (on my hard disk) to set up the partitions of the pen drive.
2) Install grub on one partition
Make sure you manually mount the grub partition. The /media/something folder in which it gets mounted automatically gave me some trouble, so I unmounted it from there and mounted /dev/sdb5 on /mnt/usbgrub.
The grub.conf I ended up with:
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You have a /boot partition. This means that
# all kernel and initrd paths are relative to /boot/, eg.
# root (hd0,1)
# kernel /vmlinuz-version ro root=/dev/mapper/VGSahil-LVRoot
# initrd /initrd-version.img
#boot=/dev/sda
default=0
timeout=5
splashimage=(hd0,4)/boot/grub/splash.xpm.gz
hiddenmenu
title Fedora (2.6.30.8-64.fc11.i686.PAE)
root (hd1,1)
kernel /vmlinuz-2.6.30.8-64.fc11.i686.PAE ro root=/dev/mapper/VGSahil-LVRoot rhgb quiet
initrd /initrd-2.6.30.8-64.fc11.i686.PAE.img
This guide is for those who wish to spread Fedora to friends and loved ones who don't necessarily always have an internet connection (or at least a good one). The problem faced in such situations, almost always (talking from my experience), is that a huge number of rpms need to be downloaded to make Fedora capable of playing media and to fill it with good stuff like k3b, amarok etc.
This isn’t always possible with the skimpy internet connections that our not-so-tech-savvy aunts have. (We’ll assume that it is our aunt on whose system we need to install fedora for the sake of this guide.)
So, I devised a way of spreading Fedora to our aunt's system without getting embarrassed by the fact that we weren't able to play mp3s on her system.
The way to do this is to install a fresh copy of Fedora on our own system and bring it to perfect shape by installing many more rpms, keeping a copy of every rpm required along the way. That repository of rpms (which we know needs no further dependencies, because we install them on our own system in offline mode) goes on a pen drive, which we take along with the Fedora installation media to our aunt's home. After installing Fedora on her system, we simply install all the rpms there.
Steps:
On our system:
Download all rpms required for the extra packages (the package rpms + dependencies):
yumdownloader --destdir=rpmsForAunt --resolve rpmName(s)
OR
create a service pack of all pending updates or of certain rpms using gpk-service-pack (yum install gnome-packagekit-extra)
OR
Edit /etc/yum.conf and change the value of keepcache to 1. After the update is done, the downloaded rpm files can then be found in (and copied from) the subfolders named "packages" under /var/cache/yum. When you're done with them you can get rid of them to save disk space with yum clean packages.
On our aunt's system:
Install fedora.
Install the extra downloaded rpms:
You need to disable all repositories before yum localinstall will work without net access. To do so, go to System > Administration > Add/Remove Software, then System > Software Sources, and **uncheck** all sources (or pass --disablerepo='*' to yum on the command line).
Installing the rpms (see footnote 1): cd rpmsForAunt; yum localinstall --nogpgcheck *
The above command is run for every category of rpms below, after copying the resulting directories to our aunt's system. Note that --nogpgcheck switches off signature verification of the copied packages. Fedora's signing keys are already on the freshly installed system (under /etc/pki/rpm-gpg/), so the safer route is to import them first (rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora*) and drop the flag, or at least check the files by hand with rpm -K *.rpm before installing.
For getting all updates: I wrote a script for downloading all updates (after a fresh install) to a directory:
# download every pending update (and its dependencies) into ./localUpdate
for i in `yum list updates | grep fc11 | cut -d ' ' -f 1`
do
    echo Now downloading rpms for package $i
    yumdownloader --destdir=localUpdate --resolve $i
done
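The loop above has one blind spot worth knowing about before you rely on it for an offline update set: when yum wraps a long package name onto its own line (name alone, version on the next, indented line), grep fc11 drops the name line and cut yields nothing for the version line, so that package is silently never downloaded. Below is an added example, not code from the original post, that reads the same yum output but re-joins wrapped entries and builds the yumdownloader argv without shell word splitting. SAMPLE_YUM_OUTPUT is constructed, and the package names and versions in it are invented.

```python
"""Collect update package names from `yum list updates` for offline download.

Added example, not code from the original post. SAMPLE_YUM_OUTPUT is a
constructed imitation of `yum list updates` output; the package names and
versions are invented. The last entry shows yum's wrapping of a long name.
"""
import subprocess
from typing import List, Optional

SAMPLE_YUM_OUTPUT = """\
Loaded plugins: refresh-packagekit
Updated Packages
bash.i586                              4.0.23-1.fc11          updates
gnome-packagekit-extra.i586            2.27.5-1.fc11          updates
kernel-PAE.i686                        2.6.30.8-64.fc11       updates
xorg-x11-drv-synaptics-devel.i586
                                       1.1.2-2.fc11           updates
"""


def parse_update_names(output: str, release_tag: str = "fc11") -> List[str]:
    """Return bare package names (arch suffix stripped) whose version carries
    release_tag, re-joining names that yum wrapped onto a separate line."""
    names: List[str] = []
    pending: Optional[str] = None  # a wrapped name waiting for its version line
    for line in output.splitlines():
        fields = line.split()
        if len(fields) == 1 and not line.startswith(" "):
            pending = fields[0]
            continue
        if len(fields) == 3:
            name_arch, version = fields[0], fields[1]
        elif len(fields) == 2 and pending is not None:
            name_arch, version = pending, fields[0]
            pending = None
        else:
            continue  # blank lines and headers such as "Updated Packages"
        # Header lines like "Loaded plugins: refresh-packagekit" also split into
        # three fields; the release tag check is what keeps them out.
        if release_tag not in version:
            continue
        names.append(name_arch.rsplit(".", 1)[0])
    return names


def yumdownloader_argv(name: str, destdir: str = "localUpdate") -> List[str]:
    """The yumdownloader call from the loop above as an argv list, so package
    names never go through shell word splitting."""
    return ["yumdownloader", "--destdir=" + destdir, "--resolve", name]


if __name__ == "__main__":
    # Only this part touches the real yum; the functions above run offline.
    listing = subprocess.run(["yum", "list", "updates"], capture_output=True,
                             text=True, check=True).stdout
    for pkg in parse_update_names(listing):
        print("Now downloading rpms for package", pkg)
        subprocess.run(yumdownloader_argv(pkg), check=True)
```

Run it on the system that has the network; the resulting localUpdate directory is what gets copied to the offline machine, where the rpms should be signature-checked before yum localinstall.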
(1) I faced an issue while bash was updated using this method. It said the transaction failed.
To resolve this, I ran
rpm -e bash
The above command listed two bash versions (I don't remember the version numbers). On saying rpm -e bash.version1, it said there are many dependencies; then I tried rpm -e bash.version and it worked. Then I went back to the yum localinstall step, and that worked.
KDE 4 seems to be following in the footsteps of some of its latest applications like Basket. The new start menu now acts like that of an iPod. And the built-in search, as shown in the following video, is simply amazing! The whole desktop has been given a major revamp, and so has the theme. The widgets on the desktop now act a bit like the widgets on Vista.
Among the key features, the one that I think will prove indispensable later in making Fedora more popular is the Windows Fedora Live USB Creator.
A feature (a release method, actually) that really helped me a lot in creating the live DVD is Jigdo. Here is what the official release notes say about Jigdo:
Fedora releases are also available via Jigdo. This distribution method can improve the speed of obtaining the installation ISO images. Instead of waiting for torrent downloads to complete, Jigdo seeks the fastest mirrors it can find via the Fedora Project Mirror Manager infrastructure, and downloads the bits it needs from these mirrors. To optimize seeking these bits, you can tell Jigdo to scan a DVD or CD you already have, and cut down on redundant downloads. This feature becomes particularly useful if you:
1. Download all the test releases and then get the final release, in which case you have 90% of the data already with each subsequent download.
2. Download both the DVD and the CD set, in which case the DVD holds 95% of the data needed for the CD sets.
3. Download any combination of the above.
Anaconda, the installer for Fedora, now supports resizing of NTFS, ext3 and ext4 partitions during installation. This will be of great help to Windows users. (Yes, it supports ext4 now.) It also offers the option of installing onto encrypted partitions. Business users ought to try this, but with caution. Here is a list of all the new features in Fedora 9.
Here is a list of things I have done in the past three years. I have written it for the sake of personal record.
As a member of Delta:
Created a "PC Based Oscilloscope" at IIT Bombay as a summer project. Used Java servlets on the server side and a Java applet on the client side. Was responsible for the whole of the software side (summer 2006).
Worked on Pragyan CMS V1, which finally got implemented on our college website (2005-2007).
Made Dalal Street, a stock market simulator, using Java servlets on the server side and a Java-based UI made in Eclipse and compiled with gcj to eliminate the need for a JVM to run the final executable (Dec 2006 - Jan 2007).
Used CVS for the development of Dalal Street; understood the importance of a code versioning system.
As part of Delta Core (technology changes):
Implemented LDAP using OpenLDAP on Delta, giving everyone a central authentication server with a common login everywhere, where "everywhere" includes system login on the Sun Lab computers.
Implemented NFS on Delta, mounted on all Sun Lab computers using the NFS service provided by default on Fedora, so everyone has the same home directory irrespective of the computer they log in to (which they do through their LDAP accounts).
Implemented pure-ftpd on Delta, configured to work through LDAP, allowing everyone to access their home directories even from "outside" (the user labs).
Set up and advocated the use of Doku for information keeping; made it work through LDAP.
Implemented and introduced SVN on Delta; set up three repositories: pragyan, delta and dalal (delta for the use of all Delta projects).
Implemented and introduced Trac on Delta; set up three repositories: pragyan, delta and dalal. Customized all three. Learned how to customize through .egg files.
Made SVN and Trac work through httpd authentication, which used LDAP to get authentication details. (This was hell.)
Revived Delta as a student group, meaning: made sure many meetings were held, made sure everyone knew each other, everyone contributed something to Delta and felt a part of the group, made sure many treats were held, and chucked a few inactive members out of Delta.
Created Pragyan CMS V2 from scratch.
As Pragyan'08 Systems head:
Implemented the mail system through postfix; made its authentication work through LDAP.
Implemented mailman-like features using the contact attribute in LDAP and aliases in postfix.
Made dovecot work through LDAP too.
Learned what SSL certificates are and how they work; created a self-signed SSL certificate for pragyan.org using TinyCA2 (provided in Fedora) and made the server use it (basically, allowed the use of https://pragyan.org/…).
Implemented FDS (Fedora Directory Server) as a much better alternative to LDAP on the Pragyan server.
What I needed for mailman-like functioning, while making postfix work with LDAP, was an attribute that stores content of type DN (Distinguished Name), i.e. a node address: a data type that holds nothing but the address of another entry, which can itself be of the same type.
In OpenLDAP, I used the schema classes evolutionPerson and evolutionPersonList (available with my Fedora OpenLDAP installation by moving evolutionperson.schema from /usr/share/evolution-data-server-1.12/ to /etc/openldap/schema/ and including it from slapd.conf). evolutionPerson is very similar to the inetOrgPerson class, which stores basically everything that could ever be used to describe a person. The reason I chose evolutionPerson over inetOrgPerson was the availability of the evolutionPersonList class. Its attributes are mail, contact and listName, where both mail and contact can hold more than one value. mail and listName are of type text, and contact is of type DN. contacts were used to create groups, and mail values were used to forward the email to a third-party server. Here is a screenshot of the same in action:
The contact attribute worked like a charm. If a contact turns out to be another evolutionPersonList, the whole process repeats for it, collecting new mail values from it; if it turns out to be an evolutionPerson, its mail attribute is taken. The process repeats until every contact has been visited, taking care that infinite loops are not created (a list that contains itself, directly or via another list, is expanded only once). In the end, what we get is the list of mail ids to which the mail has to be sent.
Now, I haven't yet figured out how to add evolutionperson.schema to the Fedora Directory Server schema. So, what did I do for Delta? I simply created my own schema. For a user, I already had whatever I needed in inetOrgPerson. All I needed was some sort of inetOrgPersonList. So, here are the steps:
I am assuming you have already setup fedora directory server through the wonderful install scripts provided. (/usr/sbin/setup-ds-admin.pl and then /usr/sbin/setup-ds.pl)
Open Fedora Directory Server admin console : /usr/bin/fedora-idm-console
Under the Server Group entry in the default view tree, select your directory server and open it, using the DN and password you provided earlier during the directory server setup.
Under the Configuration tab, select Schema. Select Attributes in the right-hand pane.
Create a new attribute by clicking on the new attribute button at the bottom of the right pane.
I needed two new attributes for my purpose :
contact : of type DN, multi valued.
listName : of type String, single valued.
The third multivalued attribute I needed, mail, already exists.
Now, under the Object Classes pane, create any number of object classes you need, using the attributes you just created or the pre-existing ones.
The one I created was inetorgpersonlist, with required attributes listName and objectClass, and allowed attributes contact and mail. That's it!
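The expansion described above (and the inetorgpersonlist class built in the steps just given), as an added example that is not part of the original post: a minimal LDIF reader plus a resolver that follows contact DNs depth-first and refuses to visit a DN twice, which is what keeps two lists that contain each other from looping. The entries below are constructed sample data; the dc=example,dc=org suffix, the DNs and the addresses are invented, and the list class is used exactly as described here (listName required, contact and mail allowed). Against a live server you would fetch the entries with ldapsearch or python-ldap instead of parsing an inline string.

```python
"""Resolve the recipients of an LDAP mailing list whose members are DNs.

Added example, not code from the original post. It models the
evolutionPersonList / inetorgpersonlist scheme: a list entry carries
`listName`, zero or more `mail` values (delivered to as-is, e.g. an external
forward) and zero or more `contact` values, each a DN naming a person or
another list. SAMPLE_LDIF is constructed sample data with invented DNs.
"""
from typing import Dict, List, Set

SAMPLE_LDIF = """\
dn: cn=alice,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
cn: alice
mail: alice@example.org

dn: cn=bob,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
cn: bob
mail: bob@example.org
mail: bob.personal@gmail.example

dn: cn=core,ou=lists,dc=example,dc=org
objectClass: inetorgpersonlist
listName: core
contact: cn=alice,ou=people,dc=example,dc=org
contact: cn=systems,ou=lists,dc=example,dc=org
mail: archive@mail.example

dn: cn=systems,ou=lists,dc=example,dc=org
objectClass: inetorgpersonlist
listName: systems
contact: cn=bob,ou=people,dc=example,dc=org
contact: cn=core,ou=lists,dc=example,dc=org
"""

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Minimal LDIF reader: blank-line separated entries of `attr: value` lines.

    Attribute names are lower-cased, since LDAP compares them case-insensitively.
    Line continuations and base64 (`attr::`) values are not handled here.
    """
    entries: Dict[str, Entry] = {}
    current: Entry = {}
    for raw in text.splitlines() + [""]:  # trailing "" flushes the last entry
        line = raw.strip()
        if not line:
            if current:
                entries[current["dn"][0]] = current
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def resolve_recipients(directory: Dict[str, Entry], list_dn: str) -> Set[str]:
    """Expand a list entry into the final set of mail addresses.

    Walks `contact` DNs depth-first. The `seen` set stops the expansion from
    looping when lists contain each other (core and systems above do).
    Unknown DNs are skipped rather than failing the whole delivery.
    """
    recipients: Set[str] = set()
    seen: Set[str] = set()

    def walk(dn: str) -> None:
        if dn in seen or dn not in directory:
            return
        seen.add(dn)
        entry = directory[dn]
        recipients.update(entry.get("mail", []))   # a person's mail, or a list's forwards
        for child in entry.get("contact", []):     # people or nested lists
            walk(child)

    walk(list_dn)
    return recipients


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for dn in ("cn=core,ou=lists,dc=example,dc=org",
               "cn=systems,ou=lists,dc=example,dc=org"):
        print(dn, "->", sorted(resolve_recipients(directory, dn)))
```

Because core contains systems and systems contains core, both lists expand to the same four addresses; without the seen set the walk would never terminate.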
MDA : Mail delivery agent : A Mail Delivery Agent (MDA) is software that delivers e-mail messages right after they’ve been accepted on a server, distributing them to recipients’ individual mailboxes. (Eg: dovecot)
MUA : Mail user agent : An e-mail client, aka Mail User Agent (MUA), aka email reader, is a front-end program used to manage email. (Eg: gmail, evolution, horde, squirrelmail, Outlook Express.) Now that that's out of the way, let's get our hands dirty.
But again, not so fast. As with anything in Linux, when you set off to configure something, you end up knowing much more than you bargained for. ;)
Aliases are mappings between one source name and one or many destination names (in mail).
Aliases can be looked up from flat files in the form of a mapping, from SQL queries or from LDAP (man ldap_table). The source itself can be among the destinations (so a user keeps a local copy while also forwarding elsewhere).
Link to alias files is given in /etc/postfix/main.cf at line alias_maps = hash:/etc/aliases, ldap:/etc/postfix/ldap-aliases.cf
Type /usr/sbin/postmap -q core@pragyan.org ldap:/etc/postfix/ldap-aliases.cf to see its effects.
The local_transport parameter names the mail delivery agent used.
The default with postfix is local. The problem with local is that it requires local (system) users, and hence a posixAccount objectClass on every mail account. Rejected. Btw, local can also forward mail for a user (through aliases and .forward files): if user1's alias points to user1@gmail.com (user forwarding), local will forward to user1@gmail.com. By default, it assumes the uid of the user it is delivering to while delivering the mail.
Next is virtual. This is the one used. virtual accepts users who are not system users. But virtual does no forwarding at all: it writes to a mailbox file and nothing else, so it will never hand mail on to another host. So how do we forward to external hosts? Forwarding happens in the aliasing stage, before delivery, so we simply put the gmail address among the alias destinations for that mailbox. If the virtual MDA is used, then whose uid does it use? (The uid of the user himself doesn't exist on the system.) Another parameter value has to be used:
Excellent notes are available in /usr/share/doc/postfix-2.4.3/README_FILES/LDAP_README.
Any "map" parameter value, like alias_maps, can be given either a flat mapping file or a .cf file that tells postfix how to get the mapping, in the format type:filename, e.g. hash:/etc/aliases or ldap:/etc/postfix/ldap-aliases.cf.
mbox is a format for storing mail. It is the default format used by postfix and dovecot. This is a line from the dovecot conf:
mail_location = mbox:/var/spool/mail/virtual/PragyanMail/%u:INBOX=/var/spool/mail/virtual/%u
The first part (mbox:/var/spool/mail/virtual/PragyanMail/%u) refers to the user's mail root, the directory that holds all his mail folders (Trash, Drafts, Sent Mail, ...); each folder is a file in mbox format.
The second part (INBOX=/var/spool/mail/virtual/%u) refers to the one specific file that postfix writes to, i.e. his INBOX. (All other folders are written to and handled by the IMAP server, dovecot.) Other variables that could have been used here: %u - username; %n - the user part of user@domain, same as %u if there is no domain; %d - the domain part of user@domain; %h - home directory; etc.
A virtual mailbox map could, on its own, point a user's mail file anywhere on the filesystem. So the following setting confines postfix's INBOX files: every path returned by virtual_mailbox_maps is taken relative to
virtual_mailbox_base = /var/spool/mail/virtual
Also chmod g+s /usr/bin/procmail for it to be able to create mail directories.
User mailboxes
virtual_mailbox_maps - the mapping between a mail address (user1@pragyan.org) and a mailbox location (/var/spool/mail/virtual/user1). It doubles as confirmation that the address belongs to a real virtual user: for mail to be delivered, this entry must exist, and it holds the mailbox path. It is strictly a one-to-one mapping (any further values are ignored).
local_recipient_maps = $virtual_mailbox_maps
This line is required whenever local_transport is changed to something else (in this case to virtual).
The final main.cf entry that ties it all together: virtual_mailbox_base = /var/spool/mail/virtual. A file named after the result of the previous query (the uid) gets created in this directory as the user's inbox. Workflow: mail id → get aliases → use the alias results to look up mail ids → deliver. That is, aliases get processed first, then the accounts map.
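The same LDAP-backed layout written out as an added example (this is not the page's own configuration, which overrides local_transport and alias_maps; it uses Postfix's virtual_mailbox_domains and virtual_alias_maps instead, which apply to every recipient regardless of transport, and follows ldap_table(5) for the two lookup files). The paths, search bases, the anonymous bind and the vmail uid/gid 5000 are assumptions; the inetorgpersonlist attribute names and the mbox-under-virtual_mailbox_base scheme follow this page.

```ini
# /etc/postfix/main.cf (fragment)
virtual_mailbox_domains = pragyan.org
virtual_mailbox_base = /var/spool/mail/virtual
virtual_mailbox_maps = ldap:/etc/postfix/ldap-accounts.cf
virtual_alias_maps = ldap:/etc/postfix/ldap-aliases.cf
# virtual(8) has no per-user uid to assume, so every mailbox is owned by one
# unprivileged account (assumed: a "vmail" user with uid/gid 5000).
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
virtual_minimum_uid = 5000

# /etc/postfix/ldap-accounts.cf -- virtual_mailbox_maps (see ldap_table(5))
server_host = ldap://127.0.0.1
version = 3
bind = no
domain = pragyan.org
search_base = ou=people,dc=pragyan,dc=org
# %u is the local part of the address; Postfix escapes LDAP filter
# metacharacters in it before substitution.
query_filter = (&(objectClass=inetOrgPerson)(uid=%u))
# The uid becomes the mbox file name under virtual_mailbox_base, so the
# directory entry can never point delivery outside that tree.
result_attribute = uid

# /etc/postfix/ldap-aliases.cf -- virtual_alias_maps
server_host = ldap://127.0.0.1
version = 3
bind = no
domain = pragyan.org
search_base = ou=lists,dc=pragyan,dc=org
query_filter = (&(objectClass=inetorgpersonlist)(listName=%u))
# mail values are delivered to as-is (this is where an external address
# such as a gmail one goes); contact values are DNs of people or of other
# lists, which Postfix expands recursively, so a list may contain a list.
result_attribute = mail
special_result_attribute = contact
```

Two consequences worth checking after the change: with virtual_mailbox_domains, an address that has no entry in virtual_mailbox_maps is rejected at SMTP time rather than bounced later, and with bind = no the directory's ACLs must allow anonymous read of uid, mail and contact for exactly these subtrees and nothing more. postmap -q core@pragyan.org ldap:/etc/postfix/ldap-aliases.cf shows the expanded recipient list without sending anything.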
Having gone through the hell of installing an LDAP server once, I thought I could install the OpenLDAP server on the old server that we had to shift to.
Anshu had already broken his head on it and was on the verge of losing his sanity. And so I stepped in.
First I checked /etc/openldap/slapd.conf, line by line. Everything was fine.
ldapadd -W -x -D "cn=Manager,dc=pragyan,dc=org" -f base.ldif
**invalid credentials (49)**
slappasswd
Enter password:
{SHA}xyxzsdf;alskjdf;lasjdf;lajd
I put the password in slapd.conf and tried again. **invalid credentials (49)**
Changed the rootdn in slapd.conf. **invalid credentials (49)**
Uninstalled openldap-server, openldap-client, db4utils: rpm -e --nodeps openldap-server openldap-client db4utils etc... Reinstalled all of these from yum: yum install openldap-server openldap-client db4utils etc... Reconfigured slapd.conf. **invalid credentials (49)**
I started making strange sounds, started laughing without reason.
Opened a website listing down installation steps, followed them line by line **invalid credentials (49)**
That's when I remembered Fedora Directory Server. (It wasn't fully developed when I was implementing LDAP on Fedora 7, so I didn't use it then.)
To my pleasant surprise they have the concept of “install scripts”. I felt like a king when the script asked me, “What would you like your domain root to be? Usually, you should keep it the same as your fully qualified domain name”. A smile appeared on my face. I knew the meaning of true happiness then.
Man!! This really is great! Here is what the site says -
Fedora Frog is a GUI install script that jumps your Fedora Core 5 to life in no time… Fedora Frog supports 32-bit installations; some parts may also work on 64-bit installations. This script installs most of the stuff you will ever need to get things really working in Fedora Core 5. Here's what it can do (hold your breath!):
Install extra repositories [RPMForge]
Install GUI frontend for yum [yumex]
Install commonly needed multimedia codecs
Install DVD playback capability
Install Java JRE and its plugin for Firefox
Install Macromedia Flash plugin for Firefox
Install extra fonts (including msttcorefonts)
Install graphics drivers for nVidia and ATI cards
Install Gnome Configuration Editor
Install numlockx to turn on NumLock on startup
Set up Gnome to open System Monitor every time you push Alt-Ctrl-Del
Disable CD blocking in CD-ROM
Set up Nautilus to open new folders in the same window