LINUX GAZETTE

February 2003, Issue 87       Published by Linux Journal



Linux Gazette Staff and The Answer Gang

Editor: Michael Orr
Technical Editor: Heather Stern
Senior Contributing Editor: Jim Dennis
Contributing Editors: Ben Okopnik, Dan Wilder, Don Marti

TWDT 1 (gzipped text file)
TWDT 2 (HTML file)
are files containing the entire issue: one in text format, one in HTML. They are provided strictly as a way to save the contents as one file for later printing in the format of your choice; there is no guarantee of working links in the HTML version.
Linux Gazette[tm], http://www.linuxgazette.com/
This page maintained by the Editor of Linux Gazette, gazette@ssc.com

Copyright © 1996-2003 Specialized Systems Consultants, Inc.

...making Linux just a little more fun!
The Mailbag
From The Readers of Linux Gazette


HELP WANTED : Article Ideas
Submit comments about articles, or articles themselves (after reading our guidelines) to The Editors of Linux Gazette, and technical answers and tips about Linux to The Answer Gang.


H/W detection in Debian ?

Sat, 11 Jan 2003 19:06:15 +0530
Joydeep Bakshi (joy12 from vsnl.net)

Hi all,

  1. kudzu is the DEFAULT H/W detection tool in RH & harddrake in MDK. is there anything in debian?
  2. I have installed kudzu in debian 3.0 , but it is not running as a service. it needs to execute the command kudzu manually. more over it couldn't detect my epson C21SX printer. but under MDK 9.0 kudzu detected the printer . any solution please ?

thanks in advance.


ppp over nullmodem cable - no response to (LCP ConfReq ...)

Tue, 31 Dec 2002 16:45:02 +0100
Josef Angermeier jun. (josef.angermeier from web.de)

hi linux gazette

first thanks for your great work.

I'd like to connect over a serial cable to a windows 2000 ras server. I already know that the problem isn't the null modem cable, because I just could remote control my second computer while using getty and windows's hyperterminal on the other side. (btw I first tried gnu/linux's minicom instead of windows's hyperterminal but it seemed to me minicom just works with a modem at the end of the cable, am I wrong or is there any other program out there which I should give a try?) ok I've already read those Serial-* and PPP* howto but I probably missed something. further, I also set the same baud rate at the ras server side. so any idea why I don't get any reply to my LCP ConfReq Request?

greets

josef

melee:/home/josef/tmp# pppd /dev/ttyS0 nodetach
Serial connection established.
using channel 1
Using interface ppp0
Connect: ppp0 <--> /dev/ttyS0
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x143c91f8> <pcomp> <accomp>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x143c91f8> <pcomp> <accomp>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x143c91f8> <pcomp> <accomp>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x143c91f8> <pcomp> <accomp>]
....

my /etc/ppp/options.ttyS0

connect 'chat -v -f /etc/ppp/scripts/winserver.chat'
19200
debug
crtscts
local
user josef
noauth


How can we block mails from users using ipchains

Sun, 5 Jan 2003 22:33:43 -0800
Dan Wilder (SSC sysadmin)
Question by linux-questions-only@ssc.com, vinod (vinod from globaledgesoft.com)

HI,

I would like to know how to block mails from other users on the same system. I tried using 'ipchains' & port no, but it didn't work. Please help me with this.

Thanks

Perhaps you could be more specific about what you're trying to accomplish. For example:

I'll take this one to the readership as a general request for more articles about setting up mail systems to do interesting things. In fact, some things that aren't really about spam could be a fun read :) -- Heather


dual boot problem

Mon, 6 Jan 2003 14:29:33 -0500
Faber Fedor (faber from linuxnj.com)
Question by Phil Harold (Lazybum from sio.midco.net)

I installed Redhat 8.0 on an existing system that has XP pro on it. XP is on ide0 and the Redhat is on ide1. XP hard drive is fat file system. When it boots it asks go to Redhat or dos? I don't have dos. How do I get back to the windows? What needs to be done to change the boot loader? I thought I had set it up so Linux only booted with a floppy? I guess not. Thanks for any help. Phil Harold

Go ahead and choose "DOS". That will boot into the other partition which is set up (hopefully) to boot XP.

Looks normal so far. Hardly worthy of the "help wanted" section here at the Gazette ... but nope, it's a stumper. -- Heather

just before the other symbols it says:

root no verify (hd2,0) chainloader +1

hit the enter key is when the symbols come looks like greek and chinese


Custom kernel, not so custom modules

Fri, 10 Jan 2003 18:25:16 +0100
Eduardo (edlm from wanadoo.es)
An old question - he had said this relates to issue 64 #16 in The Answer Gang (http://www.linuxgazette.com/issue64/tag/16.html) - but still a stumper. We have a lot more readers now; maybe one of you knows what happened here? -- Heather

Hello all,

I have exactly the same problem described by Michael Hansen. Modules doesn't load after recompile Kernel. I'm also a newbie in Linux, but I see (If you are using red hat at least), it creates a directory /lib/modules/2.4.xcustom (in fact kernel version pass to 2.4.18custom in my case), but when you do make modules it copies to directory 2.4.x. If you rename directories the problem comes when you try to install a new driver that use uname -r command during installation to find modules directory (uname -r result is 2.4.xcustom). I don't know how solve this problem.

Best regards


ipchains vs iptables

Wed, 22 Jan 2003 14:39:11 +0100
Dean Buhrmann (d.buhrmann from chello.nl)

Dear Answer Gang members,

I have a linux home network which is connected to the internet through a gateway. This computer runs linux with a 2.2.18 kernel. I use IP-chains to block some unwanted incoming traffic. One of the machines runs mldonkey. This program needs the ports 4161 and 4162. I get the following error from server i contact:

ERROR: Your port 4662 is not reachable. You have a LOWID.

This port is open. The solution to this problem seems to be to redirect incoming packets from the internet for port 4662 directly to the machine where mldonkey runs.

The following iptable should do this:

iptables -A PREROUTING -t nat -p tcp -d $4 --dport 4662 -j DNAT --to 192.168.1.100

$4 is the gateway
192.168.1.100 runs mldonkey

I use a 2.2.18 kernel with ipchains on the gateway. In Howto's and other documentation i can't find a way to do this with ipchains. Do you know if it's possible and how?

Please your help.

greetings Dean Buhrmann.

Articles about travails, with details, are always welcome when you solve a strange problem. Of course there are HOWTO's for ipchains and for netfilters, but perhaps we could see an article about doing something complicated enough to illustrate differences that might have you prefer one or the other interface. -- Heather

GENERAL MAIL


Re: your mail

Mon, 20 Jan 2003 11:45:17 -0500
Ben Okopnik (the LG Answer Gang)
Question by Larry Leeds (lleeds from cableone.net)

I had an IBM 20G hard drive that had a lot of bogus information in the master boot record due to formatting it with 2G jumper on and then formatting with the jumper off. It wouldn't load an OS, and it locked up every time I tried to run fdisk, norton disk doctor couldn't fix it either, but your little DOS assembly program http://www.linuxgazette.com/issue63/okopnik.html saved my hard drive.

Thank you!

Glad you found it useful, Larry. A number of people have written in with comments like yours about that particular article; I find it very pleasant that my work has benefitted that many people.

I appreciate your letting me know.


POS Software in Linux

Tue, 21 Jan 2003 21:07:25 -0500
Ben Okopnik (the LG Answer Gang)
Question by Stelian Iancu (stelian.iancu from gmx.net)

Hi!

I was reading the December 2002 issue of LG (btw, great magazine! I've just re-discovered it, and it's fantastic!) and I saw the PC-MOS thread originated by Reilly Burke.

I remembered that I saw something like a prototype for a POS software on the net and I went searching for it. The address is http://www.dnalounge.com/backstage/src/pos and the author is no other than jwz (Jamie Zawinski).

As far as I can see, there is only an idea and a "little prototype" (as the author describes it), but maybe this prototype can be used for further development by somebody else.

HTH!

If you need a restaurant-specific POS and don't mind going commercial (for a very small fee as compared to other POSes, actually), I have only good things to say about the ViewTouch POS <http://www.viewtouch.com> in spite of its closed-source nature. The interface is very well thought-out and beautifully done; the layout, menu, employee, and ingredient list configuration is a snap. It supports all the popular touchscreens, industry-standard narrow printers, and all the standard cash drawers. Despite the documentation that insists on "RedHat-only" compatibility, I've run it under Debian from day one (three years or so ago), and it works fine.

My biggest concern with it, of course, is that it is closed-source. I would have liked to tweak some minor features for the client I had who was interested; as well, I wonder what would happen if the developer disappeared off into the ether... but that's the nature of that particular beast. It is, however, an interesting and well-executed option. Interestingly enough, I spotted a major restaurant near Baltimore (a Brazilian steakhouse in Columbia, MD) using it about a year ago. The employees using it didn't have any negative comments, either.

P.S. Keep up the good work!

Thanks, Stelian. That's the reality and the plan. :)


GAZETTE MATTERS


Wanted: Proofreaders

Thu Jan 30 11:24:03 PST 2003
LG Editor Iron (gazette from ssc.com)

LG is looking for proofreaders. The main qualifications are a good command of English grammar, a native or near-native sense of English word usage, and the ability to recognize and clarify phrases that are too academic, not understood outside their own country, or unnecessarily difficult for those with limited English ability to read.

Depending on the number of proofreaders, the workload would be at most one article per month, but more likely one article every 2-3 months. Of course, you would be able to refuse articles you don't have time to proofread, or if you're not interested in the subject.

If interested, send gazette@ssc.com some samples or URLs of stuff you've written or proofread (any topic, any length) that demonstrates your wording style.


Compilation Problem in Writing Your Own Toy OS (PART II)

Thu, 19 Dec 2002 07:15:59 -0800 (PST)
Mohammad Moghal (riazdat from yahoo.com)

Dear Sir,

"Writing Your Own Toy OS" is a Great Contribution towards knowledge.

I have tried PART I successfully.

But, after compiling part II, I booted my system from Drive A. System checked Drive A and was hung. There was no output of the string.

Could you please help me out.

Best Regards

M. R. Moghal

Forwarding to the author, Krishnakumar R.
He fixed one of the programs somewhere in the series after it was published, but I don't remember exactly where. If you're reading on a mirror, check the main site, and see whether that program has been changed. http://www.linuxgazette.com/issue79/krishnakumar.html -- Mike


publishing

Fri, 27 Dec 2002 03:37:09 -0500
Mike Orr (Linux Gazette Editor)
Question by Felix F. (felix from pz4.org)
Readers, please note that this was actually an exchange of mails back and forth between Mike and Felix, rather than one message which Mike responded to in gory detail. If anyone out there, either in whole or in part, takes on the Herculean task of providing paper editions of LG please let us know - we will very happily spread the word! -- Heather

Have you ever thought of publishing the gazette and require subscriptions? I would sure like to get a monthly magazine then browsing the gazette online.

We've had several requests for a print version of LG. However, the cost of producing it would be prohibitive. (Printing, postage, software to track subscriptions, customer service staff, etc. And if you want a glossy magazine rather than just a xerox copy, there's layout costs, more printer's fees, etc.) Commercial magazines like our Linux Journal can do it because most of their revenue comes from advertising, but Linux Gazette does not accept advertising (except sponsorships).

We have repeatedly asked if any readers would be willing to set up their own print-and-distribute service for LG, but nobody has offered.

What kind of equipment would be required to print-and-distribute services?

At minimum, a laser printer, envelopes, stamps, and a list of subscribers. That's how small, do-it-yourself zines work. You'd want some kind of cover or binding unless you're just going to send a stack of loose sheets.

But mailing costs alone will soak you, especially since a single issue of LG is something like fifty printed pages. (I've never printed an issue, so that's an estimate.) Sending fifty pages via first-class mail within the US is $3-4, so that's $48/year. Would you pay $48 for LG? You may be able to get a better deal with book rate or presorted rate but you'd have to check with the post office. But how will you recoup your cost for toner cartridges, paper, printer repair/replacement (since it will wear out sooner), envelopes, and the time to write the addresses or attach labels, not to mention the time dealing with subscription requests, complaints about "I didn't receive my issue", etc?

Today many free magazines put ads into the magazine and make money to publish the magazine. It would be a good idea to maybe advertise, but I'm not sure if LG has a high number of subscribers. I can see where the management issue would be a problem (billing, distributing, etc). Hopefully one day maybe. :)

LG has a huge number of readers all over the world. I don't know the number because people who read via mirrors or off-line are uncountable. But there are mirrors in fifty countries, and I figure any country with a mirror must have a substantial LG readership. Either that, or it at least has one LG fanatic.... :)

You bring up an interesting point. LG itself is not interested in running ads, at least not at present. I like to think of LG as an ad-free zone, a safe haven from ads. But since LG content is freely redistributable, there's nothing prohibiting a print-and-deliver service from inserting ads in their version.

Actually, our author Alan Ward in Andorra said he's seen a Spanish print version of LG on the newsstands there. I assume it was the Spanish translation of Linux Journal, which may include some LG articles.

I've seen few sites publishing their works into magazine (including ads) and subscribers did not get angry at the ads, because they understood that to publish costs money and if the work is quality it's worth subscribing for.

HAPPY NEW YEAR and good luck.

There are a few articles in LG that may not be redistributed in a commercial print publication (where "commercial" means you're charging any amount of money for it). Those articles have a message to that effect at the bottom of the article. The ones that come to mind are:

In those cases, you will have to contact the author for permission.


This page edited and maintained by the Editors of Linux Gazette
HTML script maintained by Heather Stern of Starshine Technical Services, http://www.starshine.org/
Copyright © 2003
Copying license http://www.linuxgazette.com/copying.html
Published in Issue 87 of Linux Gazette, February 2003

More 2¢ Tips!
By The Readers of Linux Gazette



Two Sound Cards Under Linux

Tue, 14 Jan 2003 03:02:07 -0500
N4FWD - Tom Kocourek (tko from atempest.net)


The Need

As an Amateur Radio Operator, I wanted to use "QSSTV" under Linux. This program uses the DSP in a sound card to decode pictures being transmitted on Amateur Radio. However, I did not wish to give up the basic sound ability available under KDE. Thus I started reading about dual sound cards.


Research

Searches via Google did not turn up much information on dual sound cards, just the usual "HOW TO" references on getting one sound card running. But, one key piece of information did turn up, that multiple sound drivers can coexist!


Some experimentation and...

Multiple sound cards can work together provided:

  1. Each additional sound card must be a different chip set (ie. different drivers)
  2. Each sound card must have its own IRQ and distinct control register address space


Installation checkup

At this point, you have physically installed the additional sound card and have verified that the BIOS has assigned different IRQs to the cards.

Now you have booted Linux and have logged in. In Mandrake Linux there is an integrated program called the MCC (or Mandrake Control Center). You can either use MCC or you can execute in a term window:

	$ /sbin/lsmod | less

You are verifying that different drivers have been assigned to each Sound Card. If you are not using one of the more recent distributions of Linux (such as Red Hat, Mandrake, or SuSE), you may have to alter the configuration files by hand to achieve the necessary loading of the proper Sound Card drivers.

Next, you run a mixer setting program, like KMIX. If all is ok, the program should display 2 distinct mixers. If not, then you need to recheck the configuration files.


Now for the tough part...

Many sound programs are not well written. That is to say that the program assumes that only one sound card exists in your system. These types of sloppy programs will lock up Linux and require using the reset button.

Well written programs allow you to set which sound card is to be used. XMMS is a well written program. While it assumes that sound card 0 is the only sound card in the system, it does not lock down Linux. QSSTV is an even better written program in that it allows you to configure which sound card is to be accessed.

"ARTSD" is a poorly written program and MUST be disabled when you run dual sound cards in your system. Otherwise, you will be reaching for the reset button!


Lastly...

I am able to play my music via XMMS and Sound Card 0; while QSSTV decodes pictures using Sound Card 1 simultaneously under Linux!


rpm in debian ?

Tue, 7 Jan 2003 14:17:47 +0530
Kapil Hari Paranjape (kapil from imsc.res.in)
Question by Joydeep Bakshi (joy12 from vsnl.net)

Hi, I am a Debian user and interested to install the rpm packages (from RH or MDK cds) in Debian. but is it possible to do so? if yes, how?

[Kapil] A debian package:
Package: alien
Section: admin
Architecture: all
Description: install non-native packages with dpkg
 Alien allows you to convert LSB, Red Hat, Stampede and Slackware Packages
 into Debian packages, which can be installed with dpkg.
 .
 It can also generate packages of any of the other formats.
 .
 This is a tool only suitable for binary packages.
This suggests that "apt install alien" would do the trick for you.
This works as follows. You run
   fakeroot alien -r <RPM>
This produces a .deb which can be installed.
It is a good idea to read the documentation first. In particular, please heed the warning about not installing any critical packages this way. IF (and this is a big if) some mission critical package you absolutely must have is not in Debian (stable or testing or unstable), then it is generally better to run "debmake" on the unpacked source tree to build the relevant debian package. (of course to do this you should generally have installed "build-essential").
[JimD]
... and created a debian/rules file (a makefile starting with
#!/usr/bin/make -f).
[Kapil] The "alien" package is largely for (boo-hiss) non-free stuff that is only available as binaries packaged as RPMs.
[JimD] It is also possible to install the debian rpm package. You can then directly use RPM commands. However, there won't be any dependency database (dbm files) so all dependency checks will fail.
At some point someone may come up with a very clever (and probably difficult to maintain) adapter that will generate a reasonable RPM/DBM database set from a Debian /var/lib/dpkg/info tree. Alas that is not in the cards for now.
'alien' is probably the best way to go in most cases.

Thanks a lot for your valuable hints. alien is excellent. but *alien -i* command didn't check any dependency when I installed open office (making .deb from Mandrake cd), hence it could not be started due to missing libraries.

[Kapil] Dependencies are certainly a problem for alien. The way I understand it, if you have the correct libraries installed then the dependencies are included in the .deb package produced by "alien". Otherwise "alien" only produces error messages about unmet dependencies...
... a bit of a catch 22 alright!
But if you create the .deb files and install them in the "correct" order (and assuming that there are no cross dependencies!) the binary dependencies should work out correctly. What "alien" does (I'm guessing here) is it runs "ldd" on the executables and looks for the package that supplied the relevant library. This is how it is often done during .deb creation.
Non-binary dependencies are probably unresolvable unless you can lay your hands on an LSB package---whatever that is.
The Linux Standards Base is an industry-wide effort to make life easier for companies that want to produce commercial shrinkwrap products. If they adhere to the filesystem layout and principles described there, then the package should be able to be installed on any Linux distro which also claims to be LSB compliant.
The installers haven't quite perfected this as far as to handle everybody's slight differences in initscript setup, but other than that it's not too bad. At the very least a knowledgeable system admin has no problem grafting such applications into the company-wide server. -- Heather

1) is it possible to let the kpackage to handle this type of converted .deb packages and their dependency ?

[Kapil] I don't know anything about kpackage but I would guess that if the information is not in the .deb file there is not much kpackage can do.

2) if I have a particular directory to store all these converted .deb packages then how to modify kpackage to display those packages in its tree view ? ( if it is possible at all )

[Kapil] There are some debian packages that allow you to create your private repositories - there is a sledge-hammer called "apt-move" but there may be something simpler for your requirement.
When the deb file is installed, if it has no section it will be placed in the "Obsolete and Locally Created Packages" section under aptitude. I assume kpackage has a similar feature, although I've been a bit shy of the X-windows based apt front-ends, since I prefer to have a minimum of processes running when updating my systems. -- Heather

once again thanks for your solution.

[Kapil] As far as openoffice and other such packages are concerned your best bet is the "unofficial apt repositories" (which I forgot to mention in my list of stable/testing/unstable). You can find these unofficial repositories at:
http://www.apt-get.org
I seem to remember that this site lists a site for openoffice. You can add that site to the list in /etc/apt/sources.list and you should be able to then use apt-get (or probably kpackage) to install openoffice with dependencies resolved.
Be warned that the unofficial repositories are un-signed packages and could contain trojans and other such!

Thanks for all your technical info.

best regards


propagating ownership and permissions

Mon, 30 Dec 2002 08:30:09 -0500
Ben Okopnik (the LG Answer Gang)

A while back, I wrote a utility that propagates ownership and permissions from a sample file to a group of files. Imagine a situation where you have, say, several dozen documents with a scattershot list of permissions and owners/groups (since they were created by different people.) The way to "bring them into line" would be to pick a file that already has The Right Stuff - it doesn't even have to be in the same directory - and say:

cpmod /path/to/example/file *

Note that this utility is self-documenting. Its internal "man page" can be read (as long as "cpmod" is somewhere in your path) with

perldoc cpmod

If you want an actual man page, one can be easily created with

pod2man cpmod|gzip -c>cpmod.1.gz

Put the resulting file somewhere in your man directory structure (/usr/share/man/man1, perhaps).

See attached cpmod.pl.txt

[JimD] In newer GNU utils you can use something like:
	#!/bin/sh
	# First argument is the reference file; the rest are the files to change.
	reference="$1"; shift
	for i in "$@"; do
		chown --reference="$reference" "$i"
		chmod --reference="$reference" "$i"
	done

[Ben] Very cool, Jim! I hadn't seen that one before; I was only familiar with the older versions.

[JimD] (Technically I think you can just make that for i; do ... since I think that for loops default to being in "$@" if you don't specify an explicit list. I know they default, but I'm not sure if they default to $* or "$@" --- if you care about the distinction; as usual the subtleties of soft-quoting are there to protect degenerate filenames containing whitespace!).
In other GNU utils you can use a little trickery like:
	#!/bin/sh
	# Read the owner and mode of the reference file, then apply them.
	reference="$1"; shift
	# Not named UID: bash treats UID as a read-only variable.
	OWNER=$(find "$reference" -maxdepth 0 -printf "%U")
	MODE=$(find "$reference" -maxdepth 0 -printf "%m")
	for i in "$@"; do
		chown "$OWNER" "$i"
		chmod "$MODE" "$i"
	done
Ben, am I missing some subtleties here? (Other than the obvious argument counting, error checking and messages, and some getopts to provide --help, --owner-only, --mode-only etc.)

[Ben] Not so far as I can see. However, the Perl version is shorter (if you ignore the included man page.) :)
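
The thread above leaves argument counting and error checking as an exercise; the following is an added example, not Ben's cpmod and not code from the thread, that fills those in. It goes beyond the thread in two ways: it skips symbolic links (chown and chmod would follow them) and it does not propagate setuid, setgid or sticky bits. The names cpmod_sh, perm_bits and cpmod_demo are hypothetical, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: copy owner, group and permission bits from a reference
# file onto a list of files. Hypothetical names; assumes GNU "stat -c".

# Reduce an octal mode as printed by "stat -c %a" to its rwx bits,
# dropping setuid (4000), setgid (2000) and sticky (1000).
perm_bits() {
    printf '%o\n' "$(( 0$1 & 0777 ))"
}

cpmod_sh() {
    if [ "$#" -lt 2 ]; then
        echo "usage: cpmod_sh REFERENCE FILE..." >&2
        return 2
    fi
    ref=$1
    shift
    if [ ! -e "$ref" ]; then
        echo "cpmod_sh: no such reference file: $ref" >&2
        return 2
    fi
    # Sample the reference once so every target receives the same values.
    owner=$(stat -c '%u:%g' -- "$ref") || return 2
    raw=$(stat -c '%a' -- "$ref") || return 2
    mode=$(perm_bits "$raw")

    rc=0
    for f in "$@"; do
        # chown and chmod follow symbolic links, so a link among the
        # targets would redirect the change to whatever it points at.
        if [ -L "$f" ]; then
            echo "cpmod_sh: skipping symbolic link: $f" >&2
            rc=1
            continue
        fi
        if [ ! -e "$f" ]; then
            echo "cpmod_sh: no such file: $f" >&2
            rc=1
            continue
        fi
        # Keep going after a failure, but report it in the exit status.
        if ! chown -- "$owner" "$f" || ! chmod -- "$mode" "$f"; then
            rc=1
        fi
    done
    return "$rc"
}

# Constructed demonstration in a scratch directory; one file name
# contains a space to show that the quoting holds.
cpmod_demo() {
    d=$(mktemp -d) || return 1
    touch "$d/reference" "$d/report one.txt" "$d/notes.txt"
    chmod 640 "$d/reference"
    chmod 777 "$d/report one.txt"
    chmod 600 "$d/notes.txt"
    cpmod_sh "$d/reference" "$d/report one.txt" "$d/notes.txt"
    stat -c '%a %n' -- "$d/report one.txt" "$d/notes.txt"
    rm -rf -- "$d"
}

cpmod_demo
```

A non-zero exit status means at least one target was skipped or could not be changed; the other targets are still processed.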


boot to windows by default

9 Jan 2003 05:16:50 -0000
David Mandala, Jim Dennis (the LG Answer Gang)
Question by anurag sahay (anuragsahay from rediffmail.com)

Hi Answer guy, I have two questions

1. I have linux and Windows both loaded on my system. i wanted to boot to windows by default. how can i change the lilo.conf file. what are the changes to be made there.

[David] The answer to your question about lilo is to edit the /etc/lilo.conf file.
Your file might look something like this:

See attached linux-and-dos.lilo-conf.txt

Cheers, Davidm
[JimD] Essentially, add a default= directive to your /etc/lilo.conf (or edit your /boot/menu.lst file if you're using GRUB). Read the lilo.conf man (and/or GRUB info) pages for more detail on that.
The Linux Documentation Project (http://www.tldp.org ) has an entire section of HOWTOs on boot loaders and related topics (about a dozen of them):
http://www.tldp.org/HOWTO/HOWTO-INDEX/os.html#OSBOOT


network programming - accepting data

9 Jan 2003 05:16:50 -0000
Kapil Hari Paranjape, Jim Dennis (the LG Answer Gang)
Question by anurag sahay (anuragsahay from rediffmail.com)

Hi Answer guy, I have two questions

2. This about unix network programming: How to accept any data from any given port.

thanking you
yours anurag

[Kapil] Have a look at the utilities "netcat" and "socat".
[JimD] You could use netcat (often named /usr/bin/nc) or socat directly (from shell scripts, etc) to listen on arbitrary TCP or UDP ports. Note: the process has to have 'root' privileges to listen on "privileged" ports -- those from 1 to 1023 inclusive (or maybe it's 1024 inclusive --- I never remember that one).
More to the point, you can read the source code to netcat or socat (included with most distributions on the "Source Code" disc or readily downloadable from many archive sites on the net). As a Debian user I find it most convenient to get most sources with a simple 'apt-get source' command. Debian tracks, indexes, and automatically fetches, unpacks and patches the sources for me. With an 'apt-get build-dep' command I can also have Debian fetch and install all of the packages that are required to build almost any other package from its sources (they're still working on that feature).
It makes me reluctant to hunt down the upstream sources, suitable for other distros and other forms of UNIX.
These things change far too frequently, but Google is our friend. It appears that the current canonical location for finding Hobbit's netcat sources is at:
http://www.atstake.com/research/tools/network_utilities
... where he (Hobbit) seems to have an e-mail address. Perhaps he works at @Stake.
As for socat, its author, Gerhard Rieger, conveniently lists the package's home page in the man page that comes with the package (at least with the Debian package): http://www.dest-unreach.org/socat
Reading the sources to these will teach you a lot about UNIX network programming. In particular netcat has been around for a very long time and has had VERY FEW bugs reported against it. It's been scrutinized by thousands, probably tens of thousands of programmers.
You should also buy Richard Stevens' seminal textbook on UNIX Network Programming (Prentice Hall). Read more about that at:
http://www.kohala.com/start


Key bindings in X

Wed, 22 Jan 2003 07:51:49 +0800
jamie sims (jaymz from operamail.com)

Here's the fix I finally hit upon to get those F keys working in xterm. I edited a copy of /usr/X11R6/lib/X11/app-defaults/XTerm and added the following:

See attached XTerm.app-defaults.txt

I then saved it as .Xdefaults and it works very well.

You can use the .Xdefaults file in your home directory to add or override X internal resources for any application - so make sure that if you already have some features stored there, that you add this into it, instead of replacing it. -- Heather


alsa in debian

Sun, 19 Jan 2003 12:52:21 +0530
Kapil Hari Paranjape (kapil from imsc.res.in)
Question by Joydeep Bakshi (joy12 from vsnl.net)

Hi there, you know alsa is not built in debian 3.0 by default. but alsa utils... & driver & header files are present in the 7cd set. could anyone please tell me how to build the alsa modules in debian & the required packages for this?

Note: there are some alsa-modules ( in the cds ) based on 2.4.16 kernel, but mine is 2.4.18

Where you got the kernel-image-2.4.18 you should also find the relevant alsa-modules-2.4.18. Anyway here is the procedure to build alsa modules for debian.

1. Use apt-get to install the relevant alsa-source package. You could also download the sources from the alsa ftp site --- I haven't tried that but it should work.

2. Install the relevant kernel source package, and the package kernel-package.

3. Unpack the kernel source and alsa-modules in /usr/src.

4. Run "make-kpkg --config=menuconfig" configure in the kernel source directory.

5. Run make-kpkg kernel-image and make-kpkg modules-image.

6. This should build a pair of compatible kernel-image and alsa-modules package files which you can install with dpkg.

7. Of course you need to edit your grub menu or lilo conf file and so on to run this kernel.

8. You can then configure alsa with alsa-conf alsa-base and so on.

Remember to set and save the mixer settings so that /etc/init.d/alsa script (which is part of alsa-base) can restore these settings.


pppd

Fri, 3 Jan 2003 11:24:26 -0800
Mike Iron Orr, Ben Okopnik (the LG Answer Gang)
Question by Joydeep Bakshi (joy12 from vsnl.net)

pppd command shows a few strings character in RH, but in debian it shows error

" remote system needs to authenticate itself" & discontinue

[Ben] Ah, I'd missed this part. Neil is right - you don't have the "noauth" option defined in your "/etc/ppp/peers/provider" or whatever options file you're using.
[Iron] I haven't used ppp for years (but I will soon, when I set up my mom's computer), but yes, if you're dialing into an ISP you want "noauth". Otherwise your Linux box will require authentication from the server, which it won't do. The server thinks *it's* trusted and *you're* the one who has to authenticate yourself. And even if it was willing to authenticate itself, how could it? It doesn't have a password to authenticate itself with. The (nonexistent) password the servers would authenticate themselves with is different than the user password you authenticate yourself with.
If people are dialing into your Linux system, then you want authorization for those calls.

Thanks 4 the solution, it is working now.


Is that your FIN_WAIT Answer?

Mon, 13 Jan 2003 19:00:25 -0800
Jim Dennis (the LG Answer Guy)

I am using RedHat Advanced Server 2.1, Kernel 2.4.9 and am having the following problem:

If I log on as userA via a telnet session and run Test_pgm and then disconnect the telnet session by closing the window instead of properly logging out, this is what is shown from the ps command:

UID    PID  PPID  C STIME TTY          TIME CMD
userA 8505     1  0 14:00 ?        00:00:00 login -- userA
userA 8506  8505  0 14:00 ?        00:00:00 -bash
userA 8540  8506 87 14:00 ?        00:00:42 Test_pgm

Notice that there is no longer a TTY associated with the running program or the original login and the PPID of the login has been inherited by process ID#1. Furthermore, if I do a top command, the results show that the CPU Idle % is zero, with the Test_pgm using up all of the CPU %. The load average goes through the roof. I've seen it up close to 30.0. However, the system's performance does not seem to be affected by me or by any of the users. These processes are not listed as zombies and are never cleaned up by the system unless I kill the login process or restart the server.

Most of this seems normal (for a program that's ignoring SIGHUP). The loadavg number seems odd.

This scenario happens whether the user is running an in-house 'C' program or an operating system utility such as Redhat's setup. Within our own 'C' programs, I have tried to capture a terminating signal, using the signal() command, but I am not seeing any of the signals that I would expect to see, such as SIGTERM or SIGHUP.

Does anyone have any ideas as to how to tell RedHat to take down the processes associated with a telnet when a tty disappears?

Thanks in advance.
DP

in.telnetd should be sending a SIGHUP to the process when the TCP connection is closed (including when the keepalive fails?).
Run 'netstat -na' and see if the TCP connection is lingering in FIN_WAIT state. This could be a case where your (probably MS-Windows) telnet client is failing to properly perform the three-way disconnection handshaking that's required of TCP. (I recall problems with some MS Windows FTP clients resulting in similar symptoms on high volume public FTP servers).
Try it with a UNIX telnet client.
Try it with ssh.
If it works with ssh, perhaps you can use that as leverage with your users and management to abandon this insecure and deprecated protocol! (PuTTY is a very good, and free, ssh client for MS Windows operating systems. There are many others).
Other than that, I would try upgrading the kernel (2.4.9 was pretty miserable under memory load) and watch one of these sessions with tcpdump and strace (so you can correlate what's happening on the wire with what's happening in the process). Upgrading to RH 7.3 might also be good since the compilers and libraries in 7.1 and 7.2 had ... issues.
Without knowing more about what Test_pgm is supposed to do, I can't immediately suggest any other workarounds.
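
The two symptoms discussed in this thread (a login session re-parented to init with no TTY, and a telnet connection lingering in FIN_WAIT) can be checked for mechanically. The script below is an added example, not part of the original exchange; the `ps -ef` and `netstat -na` snapshots are constructed, and the function names, userB and all addresses are assumptions.

```shell
#!/bin/sh
# Added example: find telnet sessions that lost their client.
# All sample data is constructed for illustration.

# Constructed `ps -ef` snapshot: a daemon that legitimately has PPID 1,
# a healthy telnet session, and the abandoned session from the question.
sample_ps() {
cat <<'EOF'
UID        PID  PPID  C STIME TTY          TIME CMD
root       612     1  0 09:00 ?        00:00:00 crond
root      8490   580  0 13:58 ?        00:00:00 in.telnetd: client-b
userB     8491  8490  0 13:58 pts/0    00:00:00 login -- userB
userB     8492  8491  0 13:58 pts/0    00:00:00 -bash
userA     8505     1  0 14:00 ?        00:00:00 login -- userA
userA     8506  8505  0 14:00 ?        00:00:00 -bash
userA     8540  8506 87 14:00 ?        00:00:42 Test_pgm
EOF
}

# Constructed `netstat -na` snapshot (documentation addresses).
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:23           192.0.2.60:1187         ESTABLISHED
tcp        0      0 192.0.2.10:23           192.0.2.50:1042         FIN_WAIT2
tcp        0      0 192.0.2.10:22           192.0.2.70:3320         ESTABLISHED
EOF
}

# Read `ps -ef` text on stdin. Print "PID USER CMD" for every login process
# that has PPID 1 and no TTY, and for every descendant of such a process.
orphaned_sessions() {
    awk '
        NR == 1 && $1 == "UID" { next }      # skip the header line
        {
            pid = $2
            user[pid] = $1; ppid[pid] = $3; tty[pid] = $6; cmd[pid] = $8
            order[++n] = pid
        }
        END {
            # Roots: login re-parented to init with the terminal gone.
            for (i = 1; i <= n; i++) {
                p = order[i]
                if (ppid[p] == 1 && tty[p] == "?" && cmd[p] == "login")
                    flagged[p] = 1
            }
            # Walk down the process tree until no new child is found.
            do {
                changed = 0
                for (i = 1; i <= n; i++) {
                    p = order[i]
                    if (!(p in flagged) && (ppid[p] in flagged)) {
                        flagged[p] = 1; changed = 1
                    }
                }
            } while (changed)
            for (i = 1; i <= n; i++) {
                p = order[i]
                if (p in flagged) print p, user[p], cmd[p]
            }
        }'
}

# Read `netstat -na` text on stdin. Print "PEER STATE" for connections to
# the local telnet port (23) that sit in FIN_WAIT1 or FIN_WAIT2.
lingering_telnet() {
    awk '$1 == "tcp" && $4 ~ /:23$/ && $6 ~ /^FIN_WAIT[12]$/ { print $5, $6 }'
}

echo "Processes in abandoned login sessions (PID USER CMD):"
sample_ps | orphaned_sessions
echo "Telnet connections lingering in FIN_WAIT (PEER STATE):"
sample_netstat | lingering_telnet
```

On a live system, pipe the output of `ps -ef` and `netstat -na` into the two functions in place of the sample data.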


direct rendering for nvidia RIVA 128

Sun, 19 Jan 2003 00:13:51 +0100
Yann Vernier (yann from algonet.se)
Question by linux-questions-only@ssc.com, Scott Frazier (rscottf from ieee.org)

I have a nvidia velocity 128 video card, which uses the RIVA 128 accelerator chip. I'm running Mandrake 9.0, which sets it up with glx (3D capability), but with no direct rendering (uses software rendering). Needless to say this REALLY slows it down for games. Does anyone know how I might resolve this? I've tried changing an entry in the XF86Config file, in the MODULES section. I added the line Load "dri", to no avail. I'm pretty sure the card is dri capable, as it is able to do bus mastering, which is a must for this.

Sorry to disappoint you, but last time I checked there was no DRI driver for the Riva 128. It's among the earliest nVidia chips, and nVidia's own binary-only driver only supports TNT or later (two models newer). There was a partly accelerated Mesa-based GLX implementation for XFree86 3 that supported it, however, called Utah-GLX. You may be able to run that, but you'd obviously lose out on all other new features of XFree86 4.


xcdroast post cdrom mount problem

Fri, 10 Jan 2003 17:32:51 -0500
Question by Brian (bbertsch from surfside.net)

hello, i'm a recovering os/2 user. i used it today, and i may have to tomorrow... but i can stop any time i want to.. but my modem....

Anyway, after i use xcdroast, (which i am getting used to, under RH8-KDE) i am unable to check the cdrom just made because the cdrom will not mount. (ide double cheapo brand 48x, works great). i have to use the newly-made cd on my os/2 machine to check it. my friends laugh at me.

thanks, brian

[JimD] You probably need to change /dev/cdrom to be a symlink to /dev/scd0 or something like that.
Linux normally handles your ATAPI CD-R drive via a SCSI emulation layer. Once this layer is active (possibly via a loadable module) then all access to the CD has to go through the SCSI device nodes (/dev/sg* for writing, and /dev/scd0 for mounting CDs).
Try that. Try this command first:
mount -t iso9660 -o ro /dev/scd0 /mnt/cdrom
... from a root shell prompt.
[John] Greetings from another former OS/2 user - although I used it for about 2 yrs or so, and switched to Linux.
Anyway, have you read CD's made from that cooker before? Could be a hardware issue. Some of those really cheap devices lack some features. But chances of that would seem a bit slim if it's a 48X drive, cuz those compatibility problems are usually more common with the older drives. But I wouldn't rule it out as a possibility.


iptables: What They Are and What They Do

Tue, 7 Jan 2003 04:18:33 -0800
Jim Dennis (the LG Answer Guy)
Question by peter collins (collin_sq2003 from yahoo.com)

could you please explain to me what iptables are and what they do

IPTables are tables (lists) of packet filtering rules in the Linux kernel. They are added (passed into the kernel's address space) and manipulated using a command named: 'iptables' and they are interpreted by various kernel modules written to the "netfilter" APIs (primarily by Paul "Rusty" Russell).

Each rule is a pattern matching some sorts of network traffic based on many criteria (IP source or destination addresses, TCP or UDP source and destination ports, ICMP type, IP or other options (flags), connection status (correlated from other, previous packets), even MAC addresses, which interface and direction they're coming from or destined to, which local processes are generating them, etc.). Part of each rule is a "disposition" like: DROP, REJECT, ACCEPT, "jump" to another ruleset (table) etc.

The ability to conditionally process different packets in various ways, and even to conditionally "call" on some rulesets, makes iptables into a very specialized programming language. IPChains was a somewhat different, simpler packet filtering language (also by Rusty), and ipfwadm was a much simpler packet filtering system back in the 2.0 kernel days.

It looks like the 2.6 kernel, probably due out sometime this year, will be the first one since 1.3 that hasn't had a major overhaul in the packet filtering language. IP Tables was released with 2.4 and has only undergone minor bug fixes and refinement since then.

Note that most of the packet filtering rules relate to whether to allow a packet through the system, to DROP it (with no notice) or REJECT it (providing an ICMP or error back to its sender, as appropriate), MASQUERADE or TRANSLATE it (change its apparent source address and port (usually setting up some local state to dynamically capture and re-write any response traffic related to it)), REDIRECT it (change its destination address and/or port), change its "ToS" (type of service) bits. It's also possible to attach an FWMARK to a packet which can be used by some other parts of the Linux TCP/IP subsystem.

What IPTables is NOT:

There is another subsystem, similarly complex and seemingly related --- but distinct from netfilter (the kernel code that supports IP Tables). This is the "policy routing" code --- which is controlled with the tersely named 'ip' command (the core of the iproute2 package).

Policy routing is different than packet filtering. Where packet filtering is about whether the packets go through, and whether some parts of a packet are re-written, policy routing is purely about how they are sent towards their destination. Under normal routing every outbound and forwarded packet is sent to its next hop based exclusively on its destination address. Under policy routing it's possible to send some traffic through one router based on its source address, port or protocol characteristic, etc. This is different than the IP tables "REDIRECT" because this doesn't change the packet --- it just sends it to a different router based on the policy rules.

The two subsystems can interact, however. For example policy routing does include options to match on the ToS or FWMARK that might be attached to a packet by the iptables rules. (These FWMARKs are just identifiers that are kept in the kernel's internal data structure about the packet --- they never leave the system and can't go over the wire with the packet. ToS are only a couple of bits in the header, hints that traditionally distinguish between "expedited" (telnet) and "bulk" (ftp) traffic).

The iproute2 package and the 'ip' command replace the ifconfig command and provide considerable control over interfaces. It also allows one to set "queueing disciplines" to interfaces which determine which packets get to "go first" when there are more than one of them waiting to be sent over a given interface.

There is a lot more I could tell you about Linux routing and network support. For example none of this relates to dynamic routing table management. There are user space programs like routed, gated, and various GNU Zebra modules, that can listen to various dynamic routing protocols such as RIP, RIPv2, OSPF, BGP, etc. to automatically add and remove entries to the kernel's routing tables. Some of these might be able to also dynamically set policies as they do so. There is also a Linux compile time option called "Equal Cost Multi-path" which is not part of policy routing. Normally if you added two static routes of "equal cost" then the first one (of the lowest cost) would always be used, unless the system was getting "router unavailable" ICMP messages from somewhere on the LAN. However, with Equal Cost Multipath the system will distribute the load among such routes. This can be used to balance the outbound traffic from a very busy system (such as a popular web server or busy mail gateway) among multiple routers (connected to multiple ISPs over multiple T1s or whatever).

(This is similar to a trick with policy routing --- assigning a couple of IP "aliases" --- different IP addresses --- to one interface; one from one ISP, another from a different one, and using policy routing to ensure that all response/outbound packets from one of these sources go through the appropriate router. DNS round robin will balance the incoming load, and policy routing will balance the response load. Equal Cost Multipath will balance traffic initiated from that host).

Again, all of these last paragraphs are NOT IP tables. I'm just trying to give you a flavor of other networking stuff in Linux apart from it, and to let you know that, if you don't find what you need in the iptables documentation, it might be somewhere else.

To learn more about Netfilter and IP Tables, please read through the appropriate HOWTOs:

http://www.tldp.org/LDP/nag2/x-087-2-firewall.future.html
http://www.netfilter.org


Code folding in Vim

12 Jan 2003 23:53:53 +0530
Ashwin N (ashwin_n from gmx.net)

Vim versions 6.0 and later support a new feature called Code Folding. Using code folding a block of code can be "folded" up into a single line, thus making the overall code easier to grasp.

The Vim commands to use code folding are quite simple.

To create a fold just position the cursor at the start of the block of code and type : zfap

To open a fold : zo

To close a fold : zc

To open all the folds : zr

To close all the folds : zm

For more commands and information on code folding in Vim query the inbuilt help feature of Vim : :help folding

[John Karns] You're quite right. Folding is particularly useful for long sections of code that contain loops, etc. I use it extensively in this context.
Other uses include long paragraphs of prose.
But make sure you are in command mode! If you are in text entry mode, just typing in "zfap" would literally embed that string into your text!
If you're in text entry mode, press Escape to get back into command mode.
Vi has two command modes and a text entry mode. When you come in you are at ordinary command mode. When you type a colon (such as what precedes the word "help" above) then you end up with a small colon prompt. The above commands are NOT colon mode commands, except for help. But you do need your cursor at the right location.
The colon prompt is also called "ex mode" by old hands at vi, but I'm not entirely sure that all the commands that use it are really old commands at all. Some are surely long words allowing you to access some enhanced features, too, because there are only so many letters in the alphabet.
To get out of the help mode you may need to type :q to quit the extra window it created. Your original textfile is still around, don't worry. -- Heather


Debian "Woody" boot error

Tue, 21 Jan 2003 16:30:32 -0600
Robos (the LG Answer Gang)
Question by Rich Price (rich from gandalf.ws)

After installing the Woody release of Debian using the idepci kernel I noticed the following boot message

modprobe: Can't locate module char-major-10-135

Some Google searching led me to the following factoid:

"char-major-10-135" refers to the character device, major 10, minor 135, which is /dev/rtc. It provides access to the BIOS clock, or RTC, the Real Time Clock.

[Robos] OH MY GOSH! REINSTALL! (Just kidding)
This doesn't actually mean that your computer has no sense of time at all; it just means you won't be able to access the additional precision it has available, without extra code in the kernel. If you have SMP, the kernel docs warn that it's important to compile this in. Otherwise, very few things actually care.
But in a new enough kernel, with devfs support, any app which is curious about it (that is, would use the extra support if you have it, but ignore it if you don't) will provoke a complaint when the userland devfsd attempts to autoload the module. You can tell it to ignore that stuff, detailed in devfsd's man page. -- Heather

So, fine, I want it.

[Robos] Hmm, ok

I looked around in the distro CDs, but I couldn't find the char-major-10-135 module. No luck at the Debian site either. Where can I find a copy of this module compiled for the Debian Woody idepci kernel?

[Robos] Actually it has to be compiled in the kernel to be either hard integrated or to be loadable as a module. It seems as if they (the debian kernel package maintainer) did neither. So, either you bake your own kernel and tick the appropriate field in make xconfig or you need to look (grep) through some configs of kernels (packaged ones) to find one which has rtc true or m. BTW, I have this message too on all my machines with hand made kernels and it didn't bother me a thing till now...
[Iron] char-major-10-135 is a generic name; the module itself won't be called that. Take a look in /etc/modules.conf . The "alias" lines map the generic name to a specific module that provides it, for instance:
alias char-major-10-175 agpgart
In this case, some program or daemon is trying to access the real time clock. You can also create your own aliases; e.g., I name my Ethernet cards according to their interfaces:
alias eth0 3c59x
alias eth1 eepro100
So when my network initialization script does:
modprobe eth0
modprobe eth1
I know eth0 will connect to the 3C905 card (DSL) and eth1 will connect to the EE PRO card (LAN). And if I have to change cards later, I can just change the alias lines and leave everything else alone. (The only thing I can't do is use two cards of the same brand, because then I would have no control over their initialization order except by seeing which PCI slot has the lowest base address: "cat /proc/ioports". If eth0 and eth1 get reversed, the network won't work because packets will get routed to the wrong network.)
Anyway, the easiest way to "fix" your problem is to add an alias:
alias char-major-10-135 off
That tells modprobe to shut up because there is no module for that service. So whatever is asking for that module will abort or do without. Whether that's a problem or not depends on what the program is trying to do and whether you need it. I have never run into problems aliasing char-major-*-* modules off.
Of course, the "correct" solution is to find out what's using the module and disable it if you don't need it.
In my Linux 2.4.17 source, "make menuconfig", "character devices", "Enhanced Real Time Clock support", "Help" (press Help while the cursor is on the RTC line) says the module file is "rtc.o". You can also guess that from the config option name at the top: CONFIG_RTC. That's the file you want from your distribution disk. On Debian it would be in a kernel modules package.
Note that Debian has a configurator for /etc/modules.conf. Instead of editing that file directly, edit /etc/modutils/aliases and then run "update-modules". See "man 8 update-modules".


Proxying with MAC address

Sun, 12 Jan 2003 05:00:20 -0800
Jim Dennis (the LG Answer Guy)
Question by Ganesh M (gansh from rediffmail.com)

Thanks to Karl-Heinz Herrmann for bearing with me, just one little question please.

Is it possible to restrict internet access by private LAN PCs taking into account their MAC address instead of the IP address by any means, i.e., Masquerading/Proxying etc. Can masquerading and proxying co-exist, and if so, what is the advantage?

Thanks
M Ganesh

It should be possible (though very cumbersome) to configure your networks so that only registered MAC addresses are routed from one internal network to another (including via the border router to the Internet).

Under Linux you could write scripts to do this using the MAC Address Match option/module in the Linux kernel configuration (*) (named: CONFIG_IP_NF_MATCH_MAC in the .config file).


*(Networking Options --> Netfilter Configuration --> IP Tables)

However, it's probably an ill-advised strategy. Many people try to limit this by setting up their DHCP servers with known MAC addresses and refusing to give out IP addresses to unknown systems. They then might couple this with monitoring using the 'arpwatch' package to detect new ARP (MAC/IP address combinations) and with 'snort' to warn them of other suspicious network activity.

As for co-existence of IP Masquerading and applications layer proxying: yes, they can co-exist --- and are even sensible in some cases. In fact it's common to use something like IP Masquerading with the Squid caching web proxy --- in its "transparent proxy" configuration.

In general you might use proxies for those protocols that support it, and for inbound connections; while letting systems fall back on IP masquerading for other work (subject to your packet filtering, of course).

The advantages of application proxy systems are largely in three dimensions: They can be quite simple, and run in user space often as a non-privileged process (security and simplicity); they can reflect higher level policies because they have access to the applications and sessions layers of the protocol that is being proxied (flexibility and control), they may be able to provide better performance (performance, especially via caching).

However, any particular proxy might not provide real advantages in all (nor even ANY) of these areas. In particular the Delegate proxy system seems to be riddled with buffer overflows, for example. Squid is a nice caching proxy for web and some other services --- and it has some security and policy management features and optional modules. However, Squid configuration and administration can be quite complicated. It's far too easy to inadvertently make your Squid system into a free anonymizing proxy for the whole Internet, or to make it into an unintentional inbound proxy to your own intranet systems.

While a proxy might have access to the application/session layer data (in the payloads of the IP packets) --- it might not have a reasonable means for expressing your policies regarding acceptable use of these protocols.

Also there are always those new protocols for which no proxies have been written. There will frequently be considerable demand by your users and their management to provide access to the latest and greatest new toys on the Internet (Pointcast was an historic example, Internet radio is, perhaps, a more recent one).

These issues are very complex, and I can't do them justice at 5am after staying up all night ;)
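
The "scripts" mentioned in this answer, combined with the rule, disposition and "jump" model from the iptables explanation earlier on this page, can look like the following. This is an added example, not code from the original answer or from any project: it turns a list of registered MAC addresses into an `iptables-restore` ruleset. The chain name REGISTERED, the LAN interface eth1, the allowlist format and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example: build a MAC-allowlist forwarding ruleset.
# Chain name, interface and addresses are assumptions for illustration.

# Constructed allowlist: one MAC per line, "#" starts a comment.
sample_allowlist() {
cat <<'EOF'
# registered LAN hosts (constructed sample)
02:00:00:aa:bb:01   # front desk
02:00:00:AA:BB:02
EOF
}

# Usage: build_ruleset LAN_INTERFACE < allowlist
# Prints an iptables-restore ruleset on stdout. Fails closed: if the
# interface name or any entry is malformed, nothing is printed and the
# return status is 1, so a half-valid list never becomes a live ruleset.
build_ruleset() {
    lan_if=$1
    case $lan_if in
        ''|*[!A-Za-z0-9._-]*)
            echo "refusing interface name '$lan_if'" >&2
            return 1 ;;
    esac

    rules=""
    while IFS= read -r line || [ -n "$line" ]; do
        # Drop the comment part, then all whitespace.
        mac=$(printf '%s\n' "$line" | sed -e 's/#.*//' -e 's/[[:space:]]//g')
        if [ -z "$mac" ]; then
            continue
        fi
        # Exactly six colon-separated hex octets, nothing else.
        if ! printf '%s\n' "$mac" |
             grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'; then
            echo "rejecting allowlist: malformed MAC '$mac'" >&2
            return 1
        fi
        mac=$(printf '%s\n' "$mac" | tr 'a-f' 'A-F')
        rules="${rules}-A REGISTERED -m mac --mac-source ${mac} -j ACCEPT
"
    done

    # FORWARD policy is DROP. Replies to connections that were already
    # allowed pass on connection state; new traffic from the LAN jumps to
    # the REGISTERED chain, where unknown senders are rejected.
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:REGISTERED - [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i ${lan_if} -j REGISTERED
${rules}-A REGISTERED -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

sample_allowlist | build_ruleset eth1
```

The mac match compares the source address of the Ethernet frame, so it only identifies hosts on the directly attached LAN segment; the kernel needs CONFIG_IP_NF_MATCH_MAC for the ruleset to load.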


fwd: Re: [TAG] wrestling with postfix...

Sun, 19 Jan 2003 09:01:44 -0800
Dan Wilder (the LG Answer Gang)
Question by Radu Negut (rnegut from yahoo.com)

Hi! After going twice through the postfix documentation, I still couldn't figure it out if it is possible to configure mail for groups (e.g. sales_managers@domain.com) otherwise besides aliasing all group members to that address in /etc/postfix/aliases. Does postfix reread the aliases as well if 'postfix reload' is issued or only the .cf file? Does 'service postfix restart' reset all mail queues, resulting in dropped/lost mail? I've looked

For alias lists, add stuff to /etc/aliases then run

postalias /etc/aliases

If you don't care whether the new aliases are effective instantly, you're done. Very shortly Postfix will notice the aliases file is updated and will reload it.

You may keep aliases in additional files. See the

alias_maps =

parameter in main.cf. You can add as many alias files as you like.

For bigger lists, or frequently changing ones, investigate mailing list software. I use Mailman or majordomo myself. See the URL below.

around but couldn't find if postfix can be configured to use accounts other than from /etc/passwd (and I'm not talking about aliases). What I mean is normal mail spools, but for users that get specified in a separate file and who do not have any permissions on the system whatsoever.

Briefly, you can't do normal UNIX mail delivery except to users from /etc/passwd. However you can do POP3/IMAP delivery to a software that maintains its own list of users. You're looking for something like Cyrus. You'll find it under the POP3/IMAP servers section of

http://www.postfix.org/addon.html

Take the time to browse the other pages of the postfix.org site.

-- Dan Wilder


This page edited and maintained by the Editors of Linux Gazette
HTML script maintained by Heather Stern of Starshine Technical Services, http://www.starshine.org/
Copyright © 2003
Copying license http://www.linuxgazette.com/copying.html
Published in Issue 87 of Linux Gazette, February 2003

(?) The Answer Gang (!)
By Jim Dennis, Ben Okopnik, Dan Wilder, Breen, Chris, and... (meet the Gang) ... the Editors of Linux Gazette... and You!


We have guidelines for asking and answering questions. Linux questions only, please.
We make no guarantees about answers, but you can be anonymous on request.
See also: The Answer Gang's Knowledge Base and the LG Search Engine



Contents:

¶: Greetings From Heather Stern
(!)LILO problem with dual linux boot on separate drives
(!)filter out spam and viruses
(!)The One Remaining (non-Deprecated) Use for rsh

(¶) Greetings from Heather Stern

Greetings, everyone. It's another day, another penguin over here at The Answer Gang. I'm sorry there are only three messages this time but I think you'll find them juicy.

Statistics - there were about 460 messages - and almost none of that was spam thanks to Dan Wilder's hard work keeping the list on a leash. I'd say the most common reason to not get an answer or merely get grumped at instead of seeing a useful answer, would be to combine the twin errors of using HTML based mail, and not telling us what few things you've looked up first. We can do much better at translating technese to English than we can do at translating confused-fuzziness to a technical question.

You folks had a gazillion good tips out there and I'm digging myself out from under them right now. [Imagine: a computer workroom filled with little grey envelopes filled with pennies all gabbing about little Linux tidbits. It's quite a chatterbox.]

But that's hardly fair. The real reason I'm running late and a few pennies short is that I've been working really hard on the upcoming LNX-BBC. It's gonna be this year's membership card for the Free Software Foundation. I mean, if you're not a member then perhaps you should be anyway... but this is a definite plus. It's still a toy for experts though. More on cool toys for "the rest of us" in upcoming months. There are lots and lots of good projects out there.

[It wasn't all Heather's fault. Our FTP server played a game of "let's not but pretend we did", accepting Heather's Answer Gang upload but not storing it. Bad FTP daemon, bad! It also has been dying the past few days, which Dan has been combating via upgrades and logfile analysis. At one point logrotate was dying and taking the daemon down with it. -Iron.]

Have fun!





(!) LILO problem with dual linux boot on separate drives

From Rich Price

Answered By Matthias Posseldt, Jim Dennis, Mike "Iron" Orr, John Karns, Heather Stern, Benjamin A. Okopnik

(?) I recently bought a new IDE disk drive and installed it as /dev/hdb in my server. While leaving my current [Slackware] distribution on /dev/hda, I wish to install the Debian distribution on /dev/hdb.

After completing the basic Debian install, I edited the lilo.conf file to include a second image. The original file was:

See attached rich-price.slack.lilo-conf.txt

The newly modified file is:

See attached rich-price.slack-debian.lilo-conf.txt

when I tested this config file i got:

See attached rich-price.slack-debian.lilo-complains.txt

/boot/vmlinuz-2.2.20-idepci does exist on /dev/hdb1 but not of course on /dev/hda1. Is this the problem? If so, how do I access an image on a different hard drive?

I downloaded the "LILO User's Guide" and read about the alternate image format:

   image=/dev/hdb1
      range=sss-eee

where sss-eee is the starting and ending sector range of the image, but I don't know how to find out what to use for sss-eee.

Rich Price

(!) [Matthias] Just mount the corresponding partition and use this path then, e.g.
image = /mnt/newdebianroot/boot/vmlinuz-2.2.20-idepci
root = /dev/hdb1
label = Debian
A different option is to separate boot and root partitions and mount the /boot partition in both Slackware and Debian while also keeping /etc/lilo.conf in sync, so that you can easily use the /boot/vmlinuz-debian-2.a.b and /boot/vmlinuz-slackware.2.x.y kernel images and use the /boot path. An easy way would be to symlink /etc/lilo.conf to /boot/lilo.conf in both installations and you can happily run lilo from Debian and Slackware.
(!) [JimD] I'd personally avoid the esoterica of any "alternate image format" (if possible) and simply put the desired kernel and any required initrd (compressed initial RAMdisk) images onto the /boot partition (or into the /boot directory of any rootfilesystem) back on /dev/hda.
There is no problem sharing one /boot directory among multiple Linux distributions --- and it's the easiest way to do it.

(?) Thanks to both of you for your answers.

I have sidestepped the problem for now by booting off of a floppy. But I think Jim's suggestion will make a better long term solution.

(!) [Iron] Jim's method is the easiest and most convenient. However, there's no reason the other kernel has to be in /boot as long as it's mounted somewhere when "lilo" is run. Older Linux distributions used to put the kernel in / by default.

(?) I am not a programmer [any more] but I think that an enhancement to LILO which would allow the use of different file systems for different boot images would be good. Something like this:

image = /boot/vmlinuz-2.2.20-idepci
root = /dev/hdb1
imagefs=/dev/hdb1
label = Debian

Where imagefs is a new parameter used to specify the file system that contains the boot image file.

(!) [Jim] Unfortunately this suggestion exhibits a fundamental misunderstanding of how LILO works. The "image" files are accessed as regular files, and thus they must reside on some locally mounted filesystem when you run /sbin/lilo. /sbin/lilo then issues ioctl()s to get the low-level block address information about where the image file's parts are located. Those raw device/block addresses are written into the map file (usually found in /boot). The address of the map file is written into the boot block (usually in the MBR of the hard drive).
Your hypothetical imagefs= would require that /sbin/lilo either incorporate all the code to directly access the device/partition as a filesystem (which is infeasible for a large number of filesystems and is just bad engineering --- code duplication for even a single type), or it would have to do something like: make a temporary mount point, mount the imagefs, use this temp mount as a relative chroot point?, then proceed as before. It's VASTLY easier for you to mount the fs up yourself and simply manually refer the appropriate entries in your /etc/lilo.conf to the kernel image (and initrd images, etc) before running /sbin/lilo.
In my MANY discussions about LILO I find it convenient to distinguish between LILO (the whole package) and /sbin/lilo (the utility that reads the /etc/lilo file and various command line options and produces/writes a map file and a bootloader (into the MBR, onto a floppy or into a filesystem superblock or "logical boot record")).
Run strace on /sbin/lilo some time and you may find enlightenment.
(!) [John] Yes, Linux is nirvana! :^)
(!) [Ben] I've found that running "strace" often precedes enlightenment. Also, like reading the dictionary (who the heck can stop at just one entry?), it's usually enlightenment on topics far beyond the original one.
(!) [Iron] What would the information be useful for? "lilo" uses the image= path to determine the kernel's physical location, the bootstrapper uses the physical location, and at no time is /boot required to be mounted (except when running "lilo").
However, a few programs use /boot/System.map (or /boot/System.map-VERSION), and these may behave funny if it's not accessible or is out of sync with the running kernel. Currently I see that klogd (the kernel logging daemon) has it open while it's running. But stopping klogd, unmounting /boot and restarting klogd does not cause any errors, although it does generate a log message of:
Jan 10 14:55:28 rock kernel: Cannot find map file.
Jan 10 14:55:28 rock kernel: No module symbols loaded.
"man klogd" says it uses System.map to translate the numeric traceback of a kernel error to a list of functions that were active at the time, which makes it easier for kernel developers to track down what caused the problem.
Dan says modprobe also uses System.map. "strings /sbin/modprobe | grep System.map" shows that word exists in the code, although the manpage doesn't mention it. So you may need /boot mounted when loading modules.
Is there anything else that likes to have System.map around?
(!) [Ben] Oddly enough, Netscape. I remember doing some complicated messing around with multiple kernels, way back when, where I'd hosed System.map in some way or another. It didn't seem to affect too many things, but the annoying error message I got every time I fired up Netscape finally got me to straighten it all out. I was a young Linux cub then... :)
(!) [John] For a time I used to unmount the /boot partition in the init scripts to avoid risking corruption of the ext2fs there during normal operation. Then I noticed the above errors (didn't seem to affect loading modules though), and switched to remounting as ro instead, which rid me of the error, and avoids the problem of having it mounted rw. Alternatively I suppose that one might be able to change the fstab entry to mount it ro. Not sure if there is a requirement to have it rw in the early boot process.
(!) [Iron] I have had /boot mounted read-only for years and have had no problem.
(!) [Heather] On my multi-distro setup, I also mount /boot read-only; depmod tries to run during every boot, and complains that it cannot write. As long as I deliberately run depmod while my /boot is read-write whenever I'm adding modules or new kernels, then this is an ignorable warning because I already did that. When running depmod by hand on a kernel which you do not yet have booted, you definitely need a copy of its System.map on hand, for use with the -F parameter. If I fail to do this, the distro that wants this is a very unhappy camper, because with no depmod information at all, it cannot load any modules.
I occasionally build monolithic kernels deliberately, but that's barely viable with today's huge list of kernel features.

(?) Thanks, Jim.

This information makes LILO much more understandable to me. It enables me to see why my suggestion doesn't make any sense. It also makes the light bulb go on about Matthias's original answer which I admit I didn't understand until now. This is great! I now have two ways to solve my problem and enough understanding about what I am doing to finally be dangerous ;-}>

I think that adding something similar to your comments to the LILO User's Guide would be helpful to part time LINUX hackers like me. Perhaps in section 3.3.1 a second paragraph could be added saying:

"The image file is accessed as a regular file, and thus it must reside on a locally mounted filesystem at the time that /sbin/lilo is run.

(!) [JimD] ... kernel and initrd images files are accessed by /sbin/lilo ...

(?) /sbin/lilo will then issue ioctl()s to get the low-level block address information which shows where the image file's parts are located in the file system. This file system does not have to be on the same physical drive as the root file system."

(!) [JimD] ... but must be accessible to the bootloader code (generally via BIOS functions).

(?) Did I get it right? Do you think I should suggest this to the maintainers?

(!) [JimD] I've touched it up a bit --- their maintainers would undoubtedly tweak it more to their liking if they choose to incorporate it.
Please feel free to send this to John Coffman and to the maintainers of the appropriate HOWTOs (as referenced in my earlier post).
I'd also highly recommend pointing them at the years of Linux Gazette Answer Guy/Gang material on this topic --- so they can understand how frequently these questions come up and glean some ideas for how we people in the "support trenches" have been trying to dispel the confusion that plagues so many LILO users. (Did I mix too many metaphors there?)
In particular if they explain LILO as analogous to programming: /etc/lilo.conf is the "program source", /sbin/lilo is the compiler and the bootloader and map files are "objects" --- then a large number of people will "get it." Even people with the barest modicum of (compiler) programming experience understand why changing the source code doesn't change the program until it's recompiled.

(!) filter out spam and viruses

From Jonathan Becerra

Answered By Faber Fedor, Neil Youngman, Kapil Hari Paranjape, Heather Stern

(?) I'm very new to Linux but like what I see

The object here is to install a software that will filter all my e-mails and keep out viruses

(!) [Faber] Look into Amavis (www.amavis.org) and your favorite anti-virus software (Sophos, McAfee, etc.). If you're using Postfix as your MTA, drop me a line and I can help you get the three of them working.

(?) and catch re-occurring spam.

(!) [Faber] Check out Spam Assassin (www.spamassassin.org). It rocks!
(!) [Heather] Since the list which all Answer Gang members are on uses SpamAssassin as one among several defenses, I think yes - it does :) but it is not infallible. With any mail filtering answers I encourage you to take a look at its principles, and decide if you like them, rather than just take someone else's word on what is or isn't spam.
(!) [Neil] LWN seem to rate bogofilter, see http://lwn.net/Articles/9186. I haven't used it myself.
(!) [Kapil] I currently use "bogofilter" and am very happy with it. There are also alternatives such as "spamoracle" and "spamprobe". All these three programs implement Paul Graham's suggestions in "A Plan for Spam".
As far as I can make out "spamassassin" is a much more general tool that can easily incorporate the measurements used by Paul Graham.
The neatness of Paul Graham's approach is that it is entirely "Bayesian" --- spam mails self-select themselves once we have a sufficiently large database of spam and non-spam messages. Moreover, this division is entirely in the hands of the end-user.
On the other hand since this measurement is made after the mail enters the system it is not very useful if you want to reduce bandwidth consumption.

(?) I have 2 NIC cards, etho1 and etho2. Both were picked up by my install and both work, I can get out to the Internet with either one. I need help configuring etho1 to be the incoming route for my e-mails which my software will then pick up and process and then I want etho2 to send it out to my users.

I have been all over the Internet and in the book stores, I even had to break down and buy a Linux book for dummies which was no help at all.

(!) [Kapil] I think what you need is to take a hard look at Firewall-HOWTO.
(!) [Faber] (at http://www.tldp.org, in case you didn't know).

(?) Sound possible?

(!) [Faber] With Linux, almost anything is possible.
(!) [Heather] Though it may take a while to finish coding... no wait, that's "the impossible takes a little longer" :D

(?) I would be so appreciative and so would my head (because then I can quit banging it against my desk) for any and all help you could provide.

(!) [Heather] On behalf of the Gang, we hope you heal up soon! You're following good principles; make all emails have to follow one path into your site, then place some guardians upon that path to nail the miscreants as they come through.
Tune up your firewall to only show services to the outside world which you really provide, and that needed for your inside people to get to outside services they use (generally, using IP masquerading will make this automatic and nearly invisible). If you've got specific hosts pestering you with spam, get your MTA to blow them off with a "551 too much spam, site blocked" so your mailbox guardians don't have to waste CPU time on those bozos. Best of luck in the battle against spam.
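
Added example, not part of the original thread and not code from bogofilter, spamoracle or spamprobe: the per-token scoring and combining rule from Paul Graham's "A Plan for Spam", which Kapil cites above, trained on a corpus the end-user supplies. The class name, helper names and training messages are constructed for illustration.

```python
import re
from collections import Counter

# Graham's tokens: alphanumerics, dashes, apostrophes and dollar signs.
TOKEN = re.compile(r"[A-Za-z0-9$'-]+")
SPAM_THRESHOLD = 0.9  # Graham treats a combined score above 0.9 as spam

def tokens(text):
    return [t.lower() for t in TOKEN.findall(text)]

class GrahamFilter:  # hypothetical name, for illustration only
    def __init__(self, min_count=5):
        self.counts = {True: Counter(), False: Counter()}  # keyed by is_spam
        self.n = {True: 0, False: 0}  # messages trained per class
        self.min_count = min_count

    def train(self, text, is_spam):
        self.counts[is_spam].update(tokens(text))
        self.n[is_spam] += 1

    def token_prob(self, tok):
        g = 2 * self.counts[False][tok]  # good counts doubled: bias against false positives
        b = self.counts[True][tok]
        if g + b < self.min_count:
            return 0.4  # rare or unseen token: treated as mildly innocent
        gf = min(1.0, g / max(1, self.n[False]))
        bf = min(1.0, b / max(1, self.n[True]))
        return max(0.01, min(0.99, bf / (gf + bf)))

    def score(self, text, top=15):
        # Keep only the `top` distinct tokens furthest from the neutral 0.5.
        probs = sorted((self.token_prob(t) for t in set(tokens(text))),
                       key=lambda p: abs(p - 0.5), reverse=True)[:top]
        spam = ham = 1.0
        for p in probs:
            spam *= p
            ham *= 1.0 - p
        return spam / (spam + ham)

# Constructed training mail; in practice each user feeds in their own.
SPAM = [
    "Free money now click here to claim your prize",
    "Claim your free prize now limited offer click here",
    "Cheap pills free shipping click here now",
    "You won free money claim prize now",
    "Free offer click now to claim cheap pills",
    "Click here free prize money offer now",
]
HAM = [
    "Meeting notes attached please review the kernel patch",
    "The kernel patch for the cluster nodes is attached",
    "Please review the cluster job schedule for monday",
    "Notes from the meeting about the cluster schedule",
    "Patch review meeting moved to monday please confirm",
    "Attached the job logs from the cluster nodes please review",
]

def build_demo_filter():
    f = GrahamFilter()
    for is_spam, corpus in ((True, SPAM), (False, HAM)):
        for text in corpus:
            f.train(text, is_spam)
    return f
```

Calling `build_demo_filter().score("Free kernel patch, please review now")` gives a score far below the threshold: the tokens this user's legitimate mail is full of outweigh "free" and "now", which is the user-controlled division Kapil describes.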

(!) The One Remaining (non-Deprecated) Use for rsh

From Dave Falloon

Answered By Jim Dennis, Mike "Iron" Orr, Kapil Hari Paranjape

(?) Hi Answer Guy,

I have a 32 node cluster running Debian 3.0 (Woody). The primary way we use these machines is in a batch type submission, kind of a fire and forget thing, via rsh "<command>".

(!) [JimD] These days the knee jerk response would be: "Don't run rsh; use ssh instead."

(?) Agreed, the reason for rsh is that this little cluster is all by itself, accessed through a "choke host" that is pretty well locked down, only a handful of users can access it on the external interface.

(!) [JimD] However, compute clusters, on an isolated network segment, (perhaps with one or more multi-homed ssh accessible cluster controller nodes) are still a reasonable place for the insecure r* tools (rsh, rlogin, rcp). (rsync might still be preferable to rcp for some workloads and filesets).

(?) I crippled PAM a little to allow this (changed one line to be sufficient). This cluster is not a super critical farm so if things go haywire it's not a big deal but it would be nice to figure out why sometimes you can't connect to the nodes, here is the output from one such attempt:

(503)[dave@snavely] ~$ rsh ginzu
Last login: Thu Jan 16 16:37:22 2003 from snavely on pts/1
Linux ginzu 2.4.18 #1 SMP Fri Aug 2 11:20:55 EDT 2002 i686 unknown
rlogin: connection closed.
(504)[dave@snavely] ~$

This happened once then when I repeated the command it succeeded, with no error.

(!) [Kapil] One possible reason for the problem is the assignment of a free pty.
1. You may be running out of pty's if many processes unnecessarily open them.

(?) This is a definite possibility, and I am recompiling a kernel as we speak to up this limit to 2048.

(!) [Kapil] 2. Your tweaking of rsh and PAM was not sufficient to give rsh permission to open a pty.

(?) Would this produce an intermittent connection drop or would it prevent any connection at all?

(!) [Kapil] This would also explain the unable to get TTY name error.

(?) So how does the chain of events happen? Is this correct: I rsh to a machine, PAM looks over its rules and sees that it is crippled and should allow this connection with no passwd, passes this on to login which then tries to assign a pty but the pty's are all currently used, then it tries to assign a TTY because there are no ptys, and in my logs I get the can't get TTY name error?

(!) [Kapil] No, there is no separate "TTY" assignment. The "pty/tty" pair is what is assigned for interactive communication.
Let's see if we can track the sequence of events (the Gang please post corrections, I am sure I'll go wrong somewhere!):
Client "rsh" request is usually handled on the server by "inetd" which then passes this request to "tcpd" which then passes the request to "rshd".
O. However, tcpd may refuse the connection if its host_access rules do not allow the connection. This refusal could be intermittent depending on whether the name service system is responding (NIS/DNS whatever). (This possibility has already been mentioned on the list in greater detail).
At this point, I looked up the Sun Solaris man page for rshd (none of the Linux machines here has "rsh" installed!). The following steps are carried out and failure leads to closing the connection.
A. The server tries to create the necessary sockets for a connection.
B. The server checks the client's address which must be resolvable via the name service switch specification (default NIS+/etc/hosts).
C. The server checks the server user name which must be verifiable via the name service switch specification (default NIS+/etc/passwd).
D. The server checks via PAM that either (the client is in /etc/hosts.equiv and the client user name is the same as the server user name) or the client username is in .rhosts.
E. The server tries to acquire the necessary pty/tty's and connects them to the sockets and the server user's shell (which must exist).
I am a bit confused about the use of PAM but I think it is also used in steps C and E through the "account" and "session" entries. The "auth" entry for PAM is used in "D".
So it seems like O,A-E need to be checked on your system. My own earlier suggestion was only about E but the failure could be elsewhere.
Temporary failure of the NIS server to respond could affect B and C; it could even affect E as the "passwd" entry is required to find the user's shell. Thus, in such situations it is a good idea to run the name service caching daemon.
If NFS is used for home directories then temporary failure of the NFS server to respond could affect D as well.
Hope this helps,
Kapil.
(!) [JimD] So it was a transient (or is an intermittent) problem.

(?) Yup

I have adjusted the /etc/inet.conf by adding the .500 to the rsh line nowait:

shell           stream  tcp     nowait.500      root    /usr/sbin/tcpd /usr/sbin/in.rshd

in order for these machines to allow more jobs to be run at a time.

(!) [JimD] This adjusts inetd's tolerance/threshold to frequent connections on a given service. It simply means that inetd won't throttle back the connections as readily --- it will try to service them even if they are coming in fast and furious. In this case it will allow up to 500 attempted rsh connections per minute (about 8 per second).
(!) [JimD] That really doesn't adjust anything about the number of concurrent jobs that a machine can run --- just the number of times that the inetd process will accept connections on a given port before treating it as a DoS (denial of service) attack or networking error, and throttling the connections.

(?) I adjusted this because we ran into lots of problems with inet dropping connections, I just wanted to make sure that it behaved like it was supposed to, ie you didn't know of some immediately relevant bug in this line

(!) [JimD] In your example this is clearly NOT the problem. It made the connection and then disconnected you. Thus it wasn't inetd refusing the connection, but the shell process exiting (or being killed by the kernel).
(!) [Iron] Just to clarify, I think Jim is saying that it's not inetd or tcpd refusing you, because otherwise rlogin wouldn't have started at all, and it (rlogin) wouldn't have been able to print the "last login:" and kernel version lines.
By the way, when tcpd doesn't like me, it waits a couple seconds (usually doing reverse DNS lookup), and then I see "Connection closed by foreign host" with no other messages.

(?) One possibility is that we have everyone's home drive on NFS and if the NFS was slow to respond that may cause rlogin to find no home directory and refuse the connection. Is that a realistic possibility?

One interesting turn of events is the message you get in auth.log :

Jan 20 15:41:31 ginzu PAM_unix[31073]: (login) session opened for user dave by (uid=0)
Jan 20 15:41:31 ginzu login[31073]: unable to determine TTY name, got /dev/tty6

These machines have no video cards/keyboards/other input, really they are processor/harddrive/ram/NIC and that's all so it would make sense to comment out the getty lines in inittab for these boxes ... correct?

That would at the very least stop the auth.log and daemon.log spamming, I think

(!) [Iron] If inetd is not listening to the port at all and no other daemon is, you'll get an immediate "Connection refused" error. This is confusing because it doesn't mean it doesn't like you, it means there's nobody there to answer the door.
(!) [JimD] I'd run vmstat processes on the affected nodes (or all of them) for a day or two --- redirect their output to local files or over the network (depending on which will have the least impact on your desired workload) and then write some scripts to analyze and/or graph them.

(?) I have started collecting info on these machines.

Can you think of why these machines behave like this? Could it be a load average problem, maybe its network related, is it a setup problem? Any ideas would be appreciated

(!) [JimD] It's not likely to be a networking or setup issue. Your networking seems to work. Things seem to be configured properly for moderate workloads, so we have to find out which host resources are under the most pressure. So it's probably a loading problem.

(?) It's not a loading issue; the system is pretty good at evening out load across the pool of machines

(!) [JimD] (Note I did NOT say "load average" problem. "load average" is simply a measure of the average number of processes that were in a runnable (non-blocked) state during each context switch over the last minute, and five and fifteen minutes. A high load average should NOT result in processes dying as you've described --- but often indicates a different resource loading issue. Sorry to split hairs on that point but this is a case where understanding that distinction is important).

(?) These machines can get a little bagged at times but the login failure happens regardless of the load of a given host.

(!) [JimD] As always you should be checking your system logs. Hopefully there'll be messages therein that will tell you if the kernel killed your process and why. Otherwise you can always write an "strace" wrapper around these executables. It will kill your performance, but, if you can reproduce the problem you'll be able to see what the process died.

(?) After a look in the logs ( I can't believe I didn't do this earlier ), I found a lot of messages about getty trying to use /dev/tty*, no such device, which makes sense considering they have no input/output hardware like video/keyboard, etc.

(!) [JimD] Some tweaks to the setup might help.
(!) [JimD] There are basically four resources we're concerned about here: memory, CPU, process table, and file descriptor table (space and contention). (I'm not concerned about I/O contention in this case since that usually causes processes to block --- performance to go very slowly. It doesn't generally result in processes dying like you've described here).
(!) [JimD] vmstat's output will tell you more. You can probably make some guesses based on your workload profile.
(!) [JimD] If you're running many small jobs spawning from one (or a small number of) dispatcher processes (on each node) you might be bumping into rlimit/ulimit issues. Read the man page for your shell's ulimit built-in command, and the ulimit(3) man page for more details on that.

(?) Ulimits have been adjusted already we ran into file descriptor limits before

(!) [JimD] If you're running a few large jobs then it's more likely to be a memory pressure problem --- though we'd expect you'd run into paging/thrashing issues first. There are cases where you can run out of memory without doing any significant paging/swapping (where the memory usage is on non-swappable kernel memory rather than normal process memory).
(!) [JimD] By the way, you might want to eliminate tcpd from your configuration (remove the references to /usr/sbin/tcpd from your inetd.conf file). This will save you an extra fork()/exec() and a number of file access operations on each new job dispatched. (The use of rsh already assumed you've physically isolated this network segment with very restrictive packet filters and anti-spoofing --- so TCP Wrappers is not useful in your case and is only costing you some capacity, albeit small).
(!) [JimD] You might even eliminate rsh/rlogin and go with the even simpler rexec command!

(?) Some times people will run an interactive job on this cluster, so rsh/rlogin is still nice to have. We have no real policy about what can or cannot be run on these machines, like I had said it is more of a playground for our researchers, than a critical cluster.

(!) [JimD] It goes without saying that you may wish to eliminate, renice, or reconfigure any daemons you're running on these nodes. For example, you can almost certainly eliminate cron and atd from the nodes (since your goal is to dispatch the jobs from one or a few central cluster control nodes). They could run a small number of cron/atd processes and dispatch jobs across the cluster as appropriate.

(?) True, but really it doesn't seem related, I can't see an interaction between login and cron that would drop your connection. Although it is nice to cut down bloat