Akonadi on a MySQL Server

Wouter described how to get Akonadi (the back-end for KDE PIM) to use PostgreSQL [1].

I don’t agree with his “MySQL is a toy” sentiment. But inspired by his post I decided to convert some of my systems to use a MySQL instance running on a server instead of one instance for each user. In the default configuration each user gets a private MySQL installation that uses 140M of disk space and 200M of RAM to hold about 24K of data (at least at the moment on systems I run, maybe more in future).

Here’s some pseudo shell script to dump the database and get a new config:

mysqldump --socket=$HOME/.local/share/akonadi/socket-$HOSTNAME/mysql.socket akonadi > dump.sql
akonadictl stop
rm -rf $HOME/.config/akonadi
rm -rf $HOME/.local/share/akonadi
mkdir -p $HOME/.config/akonadi
cat > $HOME/.config/akonadi/akonadiserverrc <<EOF
[%General]
Driver=QMYSQL
SizeThreshold=4096
ExternalPayload=false

[QMYSQL]
Name=${USER}_akonadi
Host=IP_OR_HOST
User=$USER
Password=$PASS
StartServer=false
Options=
ServerPath=/usr/sbin/mysqld

[Debug]
Tracer=null
EOF

Then with DBA privs you need to run the following in the mysql client, substituting the real values for $USER and $PASS (the '%' host part lets $USER connect from any address, so if the server is reachable from more than your workstations, use their hostname or address instead):

create database $USER_akonadi;
GRANT ALL PRIVILEGES ON $USER_akonadi.* to '$USER'@'%' IDENTIFIED BY '$PASS';

Then run the following to import the SQL data:

mysql -h IP_OR_HOST -u $USER -p ${USER}_akonadi < dump.sql

Ideally that would be it, but on my test installation (Debian/Squeeze MySQL server and Debian/Unstable KDE workstations) I needed to run the following SQL commands to deal with some sort of case problem.

rename table schemaversiontable to SchemaVersionTable;
rename table resourcetable to ResourceTable;
rename table collectionattributetable to CollectionAttributeTable;
rename table collectionmimetyperelation to CollectionMimeTypeRelation;
rename table collectionpimitemrelation to CollectionPimItemRelation;
rename table collectiontable to CollectionTable;
rename table flagtable to FlagTable;
rename table mimetypetable to MimeTypeTable;
rename table parttable to PartTable;
rename table pimitemflagrelation to PimItemFlagRelation;
rename table pimitemtable to PimItemTable;
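
As an added example (not from the post), this Python script derives the rename statements listed above from the dump file itself, so the list does not have to be typed by hand for whatever tables a given Akonadi version has. It assumes mysqldump's usual `CREATE TABLE \`Name\`` lines and uses a constructed dump excerpt as input.

```python
import re

# mysqldump writes one "CREATE TABLE `Name` (" line per table (a fact about
# mysqldump output, not a value taken from the post).
CREATE_TABLE_RE = re.compile(r"^CREATE TABLE `([^`]+)`", re.MULTILINE)


def table_names(dump_sql):
    """Table names in the order they appear in the dump."""
    return CREATE_TABLE_RE.findall(dump_sql)


def rename_statements(dump_sql):
    """One 'rename table' statement for every table whose name has upper-case
    letters, mapping the all-lower-case form back to the original name.
    Tables that are already lower-case need nothing and are skipped."""
    return [f"rename table {name.lower()} to {name};"
            for name in table_names(dump_sql) if name != name.lower()]


# Constructed excerpt of a dump (three tables, column lists shortened).
SAMPLE_DUMP = """\
DROP TABLE IF EXISTS `SchemaVersionTable`;
CREATE TABLE `SchemaVersionTable` (
  `version` int(11) NOT NULL
);
CREATE TABLE `PimItemTable` (
  `id` bigint(20) NOT NULL AUTO_INCREMENT
);
CREATE TABLE `already_lowercase` (
  `id` int(11) NOT NULL
);
"""

if __name__ == "__main__":
    # Paste the output into the mysql client after the import.
    print("\n".join(rename_statements(SAMPLE_DUMP)))
```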

I am not using any PIM features other than the AddressBook (which hasn’t been working well for a while), so I’m not sure that this is working correctly. But I would prefer that something I don’t use and is probably broken take up disk space and RAM on a server instead of a workstation anyway.

Modern Laptops Suck

One of the reasons why I’m moving from a laptop to a cloud lifestyle [1] is that laptops suck nowadays.

Engineering Trade-offs

Laptops have always had disadvantages when compared to desktop systems. The screen has to be smaller, the keyboard is inconveniently small on the smaller laptops and netbooks, you don’t get PCI slots (CardBus isn’t nearly as good), you usually can’t have multiple hard drives and expansion options for other things are limited. Also due to the difficulty in designing a computer that uses a small volume it’s very difficult to repair a laptop and there are no realistic options for upgrading the motherboard to use a faster CPU etc. This is OK, it’s engineering trade-offs that we have to deal with.

CPU Speed

Modern laptops however have some bad design choices. Firstly they appear to be trying to compete with desktop systems for CPU speed. This was reasonable when desktop systems had 200MHz CPUs which dissipated about 15W (see the Wikipedia page about CPU power dissipation) but now that desktop CPUs are dissipating 65W at the low end and more than 100W at the high end it’s really not practical to try and compete. My Thinkpad T61 has a T7500 CPU that can dissipate 35W, getting that much heat out of a laptop case is a significant engineering challenge no matter how you do it.

It’s a pity that no-one seems to be making laptops with large screens that have a low-power CPU. Sure it takes a moderate amount of CPU power to use a large display for games or playing video, but if you want to use a laptop for work purposes then not much CPU power is required. For tasks which take a lot of CPU power you can offload it to the cloud, I can ssh to a server to do compiles, and one of my clients is setting up an Adobe After Effects render farm [2] (in the broadest sense of the word “Cloud” can include a server accessed by ssh and a few servers on the LAN running After Effects).

Thin Laptops

The next problem is that laptops are thin. It is really convenient to have a thin laptop, but the thinner it is the smaller the fans have to be and the faster the cooling air has to travel through small heat sinks. At the best of times this results in more noise from the cooling fan (which really isn’t so bad). But it also increases the rate at which dust builds up inside the case and insulates the heat sink. When a laptop is thin and light for convenience and also wide to have a large display it just can’t be that strong, so laptops tend to bend. If I put an Australian 10c piece (the size of a US Quarter) under one of the feet of my Thinkpad T61 the other three feet touch the desk! Presumably the laptop would bend in every way imaginable if you were to put it on your lap – which of course you can’t do because there are cooling vents in the bottom so it can give you a hot lap and an overheated laptop.

My first Thinkpad was 61mm high according to the IBM spec sheet. I measured my latest one at 34mm. As 61mm wasn’t too bad I think I could survive now with a laptop that was 45mm high and had more strength and fewer cooling problems.

My Thinkpad T61 currently has some serious cooling problems, I suspect that something is broken inside. As it’s out of warranty I took it apart but couldn’t find anything wrong, so I guess I’ll have to pay to get it repaired. This will be the third time I’ve had a Thinkpad repaired because of cooling problems, but the first time one has been out of warranty. I blame the engineering trade-offs required to make them thin.

Portable Desktop/Server systems

If you want a small portable computer that delivers great performance then a Mac Mini seems to be a good option [3]. The people who use a laptop at their desk at work and their desk at home would probably be better served by a Mac Mini. The Mac Mini can be purchased with SSD storage to reduce the risk of data loss due to being dropped. Admittedly the Mac Mini needs to be plugged in before it can be used, but if you had a USB Ethernet device and a USB hub then only three cables would be required, power, USB, and video – one more cable than the typical office laptop use with Ethernet and power.

Some modern laptop/netbook systems (such as the Thinkpad T61 and the EeePC 701) seem to be designed to use the keyboard as part of the cooling system. If you run it with the lid closed then it becomes significantly hotter. This makes laptops unsuitable for use as a portable server. Probably one exception to this is the Apple laptops which have a rubbery keyboard that doesn’t allow air flow – of course anyone who likes the feel of a real keyboard won’t buy an Apple laptop for that reason (but a keyboard that has one really hot section above the CPU doesn’t feel great either). In the past I’ve used laptops as servers once they become unsuitable for their primary use, probably in future I won’t be able to do that.

ARM Laptops

There are some laptops and tablets with ARM CPUs that should dissipate little heat. But I’m not aware of any such devices that I consider to be practical Linux laptops. I’ve done some work with iPaQ’s running Familiar in the past, it was a nice system but it was a niche market and everything was different from every other system I’ve ever used. That made all the work take longer.

What would be ideal is an ARM based laptop (not netbook – a big screen is good) that boots from a regular CF or SD card (so the main storage can be installed in another machine to fix any boot failures) and which is supported by a major Linux distribution. Does anyone know of any work towards such a goal?

Moving from a Laptop to a Cloud Lifestyle

My Laptop History

In 1998 I bought my first laptop, it was a Thinkpad 385XD, it had a PentiumMMX 233MHz CPU, 96M of RAM, and an 800*600 display. This was less RAM than I could have afforded in a desktop system and the 800*600 display didn’t compare well to the 1280*1024 resolution 17 inch Trinitron monitor I had been using. Having only 1/3 the pixels is a significant loss and a 12.1 inch TFT display of that era compared very poorly with a good Trinitron monitor.

In spite of this I found it a much better system to use because it was ALWAYS with me, I used it for many things that were probably better suited to a PDA (there probably aren’t many people who have carried a 7.1 pound (3.2Kg) laptop to as many places as I did). But some of my best coding was done on public transport.

But I didn’t buy my first laptop for that purpose, I bought it because I was moving to another country and there just wasn’t any other option for having a computer.

In late 1999 I bought my second laptop, it was a Thinkpad 600E [1]. It had twice the CPU speed, twice the RAM, and a 1024*768 display that displayed color a lot better. Since then I had another three Thinkpads, a T21, a T43, and now a T61. One of the ways I measure a display is the number of 80*25 terminal windows that I can display at one time, my first Thinkpad could display four windows with a significant amount of overlap. My second could display four with little overlap, my third (with 1280*1024 resolution) could display four clearly and another two with overlap, and my current Thinkpad does 1680*1050 and can display four windows clearly and another five without excessive overlap.

For most of the last 13 years my Thinkpads weren’t that far behind what I could afford to get as a desktop system, until now.

A Smart Phone as the Primary Computing Device

For the past 6 months the Linux system I’ve used most frequently is my Sony Ericsson Xperia X10 Android phone [2]. Most of my computer use is on my laptop, but the many short periods of time using my phone add up. This has forced some changes to the way I work. I now use IMAP instead of POP for receiving mail so I can use my phone and my laptop with the same mail spool. This is a significant benefit for my email productivity, instead of having 100 new mailing list messages waiting for me when I get home I can read them on my phone and then have maybe 1 message that can’t be addressed without access to something better than a phone. My backlog of 10,000 unread mailing list messages lasted less than a month after getting an Android phone!

A few years ago I got an EeePC 701 that I use for emergency net access when a server goes down. But even a 920g EeePC is more weight than I want to carry; as I need to have a mobile phone anyway there is effectively no extra mass or space used to have a phone capable of running an ssh client. My EeePC doesn’t get much use nowadays.

A Cheap 27 inch Monitor from Dell

Dell Australia is currently selling a 27 inch monitor that does 2560*1440 (WQHD) for $899AU. Dell Australia offers a motor club discount which pretty much everyone in Australia can get as almost everyone is either a member of such a club or knows a member well enough to use their membership number for the discount. This discount reduces the price to $764.15. The availability of such a great cheap monitor has caused me to change my working habits. It doesn’t make sense to have a reasonably powerful laptop used in one location for almost all the time when a desktop system with a much better monitor can be used.

The Plan

Now that my 27 inch monitor has arrived I have to figure out a way of making things work. I still need to work from a laptop on occasion but my main computer use is going to be a smart-phone and a desktop system.

Email is already sorted out, I already have three IMAP client systems (netbook, laptop, and phone), adding a desktop system as a fourth isn’t going to change anything.

The next issue is software development. In the past I haven’t used version control systems that much for my hobby work, I have just released a new version every time I had some significant changes. Obviously to support development on two or three systems I need to use a VCS rigorously. I’m currently considering Subversion and Git. Subversion is really easy to use (for me), but it seems to be losing popularity. Git is really popular so if I use it for my own projects then I could allow anonymous access for anyone who’s interested – maybe that will encourage more people to contribute.

One thing I haven’t even investigated yet is how to manage my web browsing work-flow in a distributed manner. My pattern when using a laptop is to have many windows and tabs open at the same time for issues that I am researching and to only close them days or weeks later when I have finished with the issue. For example if I’m buying some new computer gear I will typically open a web browser window with multiple tabs related to the equipment (hardware, software, prices, etc) and keep them all open until I have received it and got it working. Chromium, Mozilla, and presumably other modern web browsers have a facility to reopen windows after a crash. It would be ideal for me if there was some sort of similar facility that allowed me to open the windows that are open on another system – and to push window open commands to another system. For example when doing web browsing on my phone I would like to be able to push the URLs of pages that can’t be viewed on a phone to my desktop system and have them open waiting for me when I get home.

It would be nice if web browsing could be conceptually similar to a remote desktop service in terms of what the user sees.

Finally in my home directory there are lots of random files. Probably about half of them could be deleted if I was more organised (disk space is cheap and most of the files are small). For the rest it would be good if they could be accessed from other locations. I have read about people putting the majority of their home directory under version control, but I’m not sure that would work well for me.

It would be good if I could do something similar with editor sessions, if I had a file open in vi on my desktop before I left home it would be good if I could get a session on my laptop to open the “same” file (well the same named file checked out of the VCS).

Configuring the Desktop System

One of the disadvantages of a laptop is that RAID usually isn’t viable. With a desktop system software RAID-1 is easy to configure but it results in two disks making heat and noise. For my new desktop system I’m thinking of using a DRBD device for /home to store the data locally as well as almost instantly copying it to RAID-1 storage on the server. The main advantage of DRBD over NFS, NBD, and iSCSI is that I can keep working if the server becomes unavailable (e.g. use the desktop system to ask Google how to fix a server fault). Also with DRBD it’s a configuration option to allow synchronous writes to return after the data is written locally, which is handy if the server is congested.

Another option that I’m considering is a diskless system using NBD or iSCSI for all storage. This will prevent using swap (you can’t swap to a network device, to avoid deadlocks) but that won’t necessarily be a problem given the decrease in RAM prices, as I can just buy enough RAM to not need swap.

The Future

Eventually I want to be able to use a tablet for almost everything including software development. While a tablet display isn’t going to be great for coding I’m sure that I can make use of enough otherwise wasted time to justify the expense. I will probably need a tablet that acts like a regular Linux computer – not an Android tablet.

Links August 2011

Alex Steffen gave an interesting TED talk summarising the ways that greater urban density can reduce energy use while increasing our quality of life [1].

Geoffrey West gave an interesting TED talk about the way animals, corporations, and cities scale [2]. The main factor is the way that various variables scale in proportion to size. On a logarithmic graph the growth of a city shows a steady increase in both positive factors such as wages and inventions and in negative factors such as crime as it grows larger. So it seems that we need to decrease the crime rate significantly to permit the growth of larger cities and therefore gain more efficiency.

The Mankind Project (MKP) has a mission of “redefining mature masculinity for the 21st Century” [3]. They have some interesting ideas.

Phillip Zimbardo gave a provocative TED talk about the demise of men [4]. He provided little evidence to support his claims though.

Digital Cameras

In May I gave a talk for LUV about the basics of creating video on Linux. As part of the research for that I investigated which cameras were good for such use. I determined that 720p was a good enough resolution, as nothing that does 1080p was affordable and 1080i is lower quality. One thing to note is that 854*480 and 850*480 are both common resolutions for mobile phones and either of those resolutions can be scaled up to full screen on a 1920*1080 monitor without looking too blocky. So it seems that anything that’s at least 850*480 will be adequate by today’s standards. Of course as Dell is selling a 27 inch monitor that can do 2560*1440 resolution for a mere $899 in the near future 720p will be the minimum that’s usable.

Cheap Digital Video Cameras

The cameras I suggested at the time of my talk (based on what was on offer in Melbourne stores) were the Panasonic Lumix DMC-S3 which has 4*optical zoom for $148 from Dick Smith [1] and the Olympus MJU 5010 which has 5*optical zoom camera for $168 (which is now $128) from Dick Smith [2]. Both of them are compact cameras that do 720p video. They are fairly cheap cameras but at the time I couldn’t find anything on offer that had significantly better specs for video without being unreasonably expensive (more than $600).

Update: In the comments Chris Samuel pointed out that Kogan has a FullHD digital video camera for $289 [13]. That’s a very tempting offer.

More Expensive Digital Video Cameras

Teds Cameras has a good range of Digital Video Cameras (including wearable cameras, and cameras that are designed to be attached to a helmet, surfboard, or car) [3]. These are specifically designed as video cameras rather than having the video function be an afterthought.

Ted sells the Sony Handycam HDR-CX110 which does 1080p video, 3MP photos, and 25* optical zoom for $450 [4].

They also sell the pistol-style Panasonic HX-WA10 which is waterproof to 3M, does 1080p video, 11MP pictures, and 5* optical zoom for $500 [5].

For my use I can’t justify the extra expense of the digital video cameras (as opposed to digital cameras that can take video), I don’t think that they offer enough. So a cheap $128 Olympus MJU 5010 is what I will probably get if I buy a device for making video. I can afford to replace a $128 camera in a year or two but a device that costs $500 or more needs to last a bit longer. I expect that in a year or two I will be able to buy something that does 1080p for $200.

Features to look for in Great Digital Cameras

The other option when buying a camera is to buy something that is designed to be a great camera. It seems that RAW file capture [6] is a requirement for good photography. RAW files don’t just contain uncompressed data (which is what I previously thought) but they have raw sensor data which may not even be in a Cartesian grid. There is some processing of the data that can be best done with raw sensor data (which may be in a hexagonal array) and which can’t be done properly once it’s been converted to a Cartesian array of pixels. ImageMagick can convert RAW files to JPEG or TIFF. I haven’t yet investigated the options on Linux for processing a RAW file in any way other than just generating a JPEG. A client has several TB of RAW files and has found ImageMagick to be suitable for converting them so it should do.

The next issue is the F number [7]. A brief summary of the F number is that the amount of light reaching the CCD is proportional to the inverse square of the F number, which determines the possible shutter speed. For example a camera set to F1 would have a 4* faster shutter speed than a camera set to F2. The F rating of a camera (or lens for interchangeable lens cameras) is a range on many good cameras (or lenses for detachable lens cameras); if you want to take long exposure shots then you increase the F number proportionally. A casual scan of some web sites indicates that anything less than F3 is good, approaching F1 is excellent, and less than F1 is rare. But you don’t want to only use low F numbers: having a higher F number gives a larger Depth of Field, that means that the distance between the nearest and furthest objects that appear to be in focus is greater. So increasing the F number and using a flash can result in more things being in focus than using a low F number without a flash.

Another important issue is the focal length, cheap cameras are advertised as having a certain “optical zoom” which apparently isn’t quite how things work. The magnification apparently varies depending on the distance to the object. Expensive cameras/lenses are specified with the range of focal lengths which can be used to calculate the possible magnification. According to DPReview.com Optical zoom = maximum focal length / minimum focal length, so a 28mm-280mm lens would be “10* optical zoom” [8]. Finally it seems to be that the specified focal length of cameras is usually in “35mm” equivalent. So a lens described as “280mm” won’t be 28cm long, it will be some fraction of that based on the size of the CCD as a proportion of the 35mm film standard (which is 36*24mm for the image/CCD size).

Update: In the comments Aigars Mahinovs said: Don’t bother too much with the zoom. The view of a normal person is equivalent to 50mm lens (in 35mm film equivalent). Anything under 24mm is for landscapes and buildings – it is for sights where you would actually have to move your head to take in the view. Zooms are rarely useful. Something in 85-100mm range is perfectly fine to capture a bird or a person some distance away or some interesting piece of landscape, but anything more and you are in the range of silly stuff for capturing portraits of football players from the stands or for paparazzi photos. And the more zoom is in the lens the crappier the lens optics will be (or more expensive, or both) that is why the best optics are prime lenses with no zoom at all and just one specific optical length each. For example almost all my Debconf photos of the last two years are taken with one lens – Canon 35mm f/2.0 (a 50mm equivalent on my camera) and only the group shots are taken with a lens that is equivalent to 85mm.

So I guess if I was going to get an interchangeable lens camera then I could get fixed focus lenses for things that are close and far away and one with a small zoom range for random other stuff. Of course that would get me way outside my budget unless I got some good deals on the second hand market. Also having a camera that can fit into a pocket is a real benefit, and the ability to rapidly get a camera out and take a picture is important!

A final item is the so-called ISO Number which specifies how fast the film is. A higher number means that a photograph can be taken with less light but that the quality will generally be lower. It seems that you have a trade-off between a low F number (and therefore low Depth of Field), good lighting (maybe a flash), a long exposure time (blurry if the subject or camera isn’t still) and a grainy picture from a high ISO number.

Comparing Almost-Affordable Great Digital Cameras

I visited Michaels camera store in Melbourne [9] and asked for advice about affordable cameras that support RAW capture (every DSLR does but I don’t want to pay for a DSLR). The first option they suggested was the Samsung EX1 that does 10MP, F1.8-F2.4 with a 24-72mm equivalent focal range (3* optical zoom), and 640*480 video [10] for $399.

The next was a Nikon P7000 that does 10MP, F2.8-5.6 with 7* optical zoom (28-200mm equivalent), and 720p video [11] for $599.

The final option they had was the Canon G12 that does 10MP, F2.8-4.5 with 5* optical zoom (28-140mm equivalent), and 720p video [12] for $599.

3* optical zoom isn’t really enough, and $599 is a bit too much for me, so it seems that RAW format might not be an option at this time.

Conclusion

I can’t get what I want for great photography at this time, there seems to be nothing that meets my minimum desired feature set and costs less than $550. A client who’s a professional photographer is going to lend me an old DSLR that he has hanging around for some photography I want to do on the weekend.

I am also considering buying an Olympus MJU 5010 for making videos and general photography, it’s better than anything else I own at this time and $128 is no big deal.

Please let me know if I made any errors (as opposed to gross simplifications) in the above summary of the technical issues, also let me know if there are other things to consider. I will eventually buy a camera that can capture RAW images.

Name Server IP and a Dead Server

About 24 hours ago I rebooted the system that runs the secondary DNS for my zone and a few other zones. I’d upgraded a few things and the system had been running for almost 200 days without a reboot so it was time for it. Unfortunately it didn’t come back up.

Even more unfortunately the other DNS server for my zone is ns.sws.net.au, which is also the only other server for the sws.net.au zone. Normally this works because the servers for the net.au zone have a glue record containing the server’s IP address, so when asked for the NS records for the sws.net.au domain the reply includes the IP address of ns.sws.net.au. The unfortunate part was that the glue record still had the old IP address from before the sws.net.au servers changed to a new IP address range. I wonder whether this was due to the recovery process after the Distribute IT hack [1], as forgetting to change a glue record is not something that I or the other guy who runs that network would forget. But it is possible that we both stuffed up.
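
An added example (not part of the post) of the check that would have caught the stale glue: it compares the parent-side delegation for a zone with the zone’s own address records and flags glue that is missing or differs, plus the case where every NS is inside the zone so resolution depends entirely on glue. The records and addresses below are constructed (documentation ranges), not the real ones.

```python
def in_bailiwick(name, zone):
    """True when a nameserver name lies inside the zone it serves."""
    return name == zone or name.endswith("." + zone)


def audit_glue(zone, parent_ns, parent_glue, child_a):
    """Compare the parent's delegation for `zone` with the child zone's data.

    parent_ns:   NS names the parent returns for the zone
    parent_glue: {ns_name: ip} glue the parent hands out with them
    child_a:     {ns_name: ip} A records the zone itself holds
    Returns a list of (name, problem) tuples; an empty list means consistent.
    """
    problems = []
    for ns in parent_ns:
        if not in_bailiwick(ns, zone):
            continue  # out-of-zone NS needs no glue; its address is resolved elsewhere
        glue = parent_glue.get(ns)
        actual = child_a.get(ns)
        if glue is None:
            problems.append((ns, "no glue record at the parent"))
        elif actual is None:
            problems.append((ns, f"glue {glue} but no A record in the zone"))
        elif glue != actual:
            problems.append((ns, f"stale glue: parent says {glue}, zone says {actual}"))
    if parent_ns and all(in_bailiwick(ns, zone) for ns in parent_ns):
        problems.append((zone, "every NS is inside the zone: resolution depends entirely on glue"))
    return problems


# Constructed scenario: the parent still carries the pre-renumbering address
# for ns.sws.net.au while the zone itself has moved.
ZONE = "sws.net.au"
PARENT_NS = ["ns.sws.net.au", "ns2.sws.net.au"]
PARENT_GLUE = {"ns.sws.net.au": "192.0.2.53", "ns2.sws.net.au": "192.0.2.54"}
CHILD_A = {"ns.sws.net.au": "198.51.100.53", "ns2.sws.net.au": "192.0.2.54"}


def audit_sample():
    return audit_glue(ZONE, PARENT_NS, PARENT_GLUE, CHILD_A)


if __name__ == "__main__":
    for name, problem in audit_sample():
        print(f"{name}: {problem}")
```

In practice the two inputs come from querying a parent (net.au) server and the zone’s own server separately, since a recursive resolver would hide the difference.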

The DNS secondary was an IBM P3-1GHz desktop system with two IDE disks in a RAID-1 array. It’s been quite reliable, it’s been running in the same hardware configuration for about four years now with only one disk replacement. It turned out that the cooling fan in the front of the case had seized up due to a lot of dirt and the BIOS wouldn’t let the system boot in that state. Also one of the disks was reporting serious SMART problems and needed to be replaced – poor cooling tends to cause disk errors.

It seems that Compaq systems are good at informing the user of SMART problems, two different Compaq desktop systems (one from before the HP buyout and one from after) made very forceful recommendations that I replace the disk, it’s a pity that the BIOS doesn’t allow a normal boot process after the warning as following the recommendation to backup the data is difficult when the system won’t boot.

I have a temporary server running now, but my plan is to install a P3-866 system and use a 5400rpm disk to replace the 7200rpm that’s currently in the second position in the RAID array. I’ve done some tests on power use and an old P3 system uses a lot less than most new systems [2]. Power use directly maps to heat dissipation and a full size desktop system with big fans that dissipates less than 50W is more likely to survive a poorly cooled room in summer. Laptops dissipate less heat but as their vents are smaller (thus less effective at the best of times and more likely to get blocked) this doesn’t provide a great benefit. Also my past experience of laptops as servers is that they don’t want to boot up when the lid is closed and getting RAID-1 and multiple ethernet ports on a laptop is difficult.

Finally I am going to create a third DNS server for the sws.net.au domain. While it is more pain to run extra servers, for some zones it’s just worth it.

Links July 2011

The Reid Report has an article about the marriage pledge that Michelle Bachmann signed which implies that slavery wasn’t so bad [1]. Greg Carey has written an interesting article for the Huffington Post about marriage and the bible [2], I always knew that the so-called “conservatives” weren’t basing their stuff on the Bible, but the truth surprised me.

Geoff Lemon has written an interesting blog post about the carbon tax debate in Australia [3]. He focuses on how small it is and how petty the arguments against it are.

Lord Bacon wrote an interesting list of the top 100 items to disappear first in a national emergency [4]. Some of them are specific to region and climate but it is still a good source of ideas for things to stockpile.

Markus Fischer gave an interesting TED talk about the SmartBird that he and his team built [5]. A flying machine that flaps its wings isn’t that exciting (my local department store sells toys that implement that concept), but having one closely match the way a bird’s wings work is interesting.

SE Linux File Context Precedence

In my previous post I expressed a desire to use regular expressions for files that may appear in multiple places in the tree due to bind mounts for /run and /var/run etc [1]. However there is a problem with this idea.

The SE Linux file labeling program restorecon reads the file /etc/selinux/$SELINUXTYPE/contexts/files/file_contexts which contains a set of regular expressions to assign labels to files. That file is ordered and the last entry which matches is the one that counts. When the file_contexts file is created the order is based on how many characters at the start of the file specification aren’t regular expression meta-characters. For example the entry “/.*” is at the top of the file (and therefore has the lowest precedence), which makes it the catch-all entry for files that have no other match. So an entry for “/var/run/REGEX” will have a higher precedence than one for “/var/REGEX”, this means however that when I replaced the “/var/run” part with a regular expression then it had a lower precedence and it didn’t work properly.

I should have remembered this as I did a lot of work on setfiles (which became restorecon) in the early days. I have now developed a new way of solving this and this time I’m testing it before blogging about it.

I have written the following Perl program to fix the file contexts. It adds multiple lines and uses a distro_debian conditional on them so that they don’t slip into upstream use – and so that if I lose track of where each patch came from I’ll know that I can delete them in future because it only matters to Debian.

#!/usr/bin/perl
use warnings;
use strict;

# List each .fc file (once) that has an entry under /var/run, /var/lock or /dev/shm.
open(my $list, "-|", 'find . -name "*.fc" | xargs egrep "^/(var.*run)|(var/lock)|(dev/shm)" | cut -f1 -d: | uniq')
  or die "Can't get file list\n";
while(my $filename = <$list>)
{
  chomp $filename;
  open(my $infile, "<", $filename) or die "Can't open file $filename";
  open(my $outfile, ">", "$filename.new") or die "Can't open file $filename.new";
  while(my $line = <$infile>)
  {
    # Always keep the original entry; the Debian-only copies follow it.
    print $outfile $line;
    my $newline;
    # /var/run/X also needs /run/X
    if($line =~ /^\/var\/run/)
    {
      print $outfile "ifdef(`distro_debian', `\n";
      $newline = $line;
      $newline =~ s/^\/var//;
      print $outfile $newline;
      print $outfile "')\n";
    }
    # /var/lock/X also needs /var/run/lock/X and /run/lock/X
    if($line =~ /^\/var\/lock/)
    {
      print $outfile "ifdef(`distro_debian', `\n";
      $newline = $line;
      $newline =~ s/^\/var/\/var\/run/;
      print $outfile $newline;
      $newline =~ s/^\/var//;
      print $outfile $newline;
      print $outfile "')\n";
    }
    # /dev/shm/X also needs /run/shm/X and /var/run/shm/X
    if($line =~ /^\/dev\/shm/)
    {
      print $outfile "ifdef(`distro_debian', `\n";
      $newline = $line;
      $newline =~ s/^\/dev/\/run/;
      print $outfile $newline;
      print $outfile "/var" . $newline;
      print $outfile "')\n";
    }
  }
  close($infile);
  close($outfile) or die "Can't write $filename.new";
  rename("$filename.new", $filename) or die "Can't rename $filename.new to $filename";
}

The next policy thing that I have to work on is systemd. From a quick test it seems that systemd policy changes will be more invasive than is suitable for Squeeze. This means that someone who wants to upgrade from Squeeze to Wheezy+systemd will have to upgrade to Wheezy policy before installing systemd. I think that I will make 0.2.20100524-10 the last version in Unstable based on the 2010 release; I will now start work on packaging the latest upstream policy for Unstable.

PS I’m not much of a PERL programmer, so if anyone has suggestions for how to improve the above PERL code then please let me know. Please note however that I’m not interested in making my code look like line-noise.

/run and SE Linux Policy

Currently Debian/Unstable is going through a transition to using /run instead of /var/run. Naturally any significant change to the filesystem layout requires matching changes to SE Linux policy. We currently have Debian bug #626720 open about this. Currently the initscripts package breaks selinux-policy-default in Debian/Unstable so that you can’t have initscripts using /run if the SE Linux policy doesn’t support it.

A patch has been suggested to the policy which uses a subst file; basically that causes the SE Linux labeling programs to treat one directory tree the same way as another. The problem with this is that it depends on a libselinux patch that is not in any yet released version of libselinux (and certainly won’t be in a Squeeze update). The upside of such a fix is that it would work for policy that I package as well as custom policy, so if someone wrote custom policy referring to /var/run it would automatically work with /run without any extra effort.

I think that the only way to do this is to just have regular expressions that deal with this in the file contexts. It’s a bit ugly and slows the relabel process down a little (probably no more than about 10%) but it will work – and work on Squeeze as well. One thing I really like to do is to have the SE Linux policy for version X of Debian work with version X+1. This makes upgrades a lot easier for the users. Ideally upgrading a server could be a process that involves separate upgrades of the kernel, the SE Linux policy, and user-space in any particular order – because upgrading everything at once almost guarantees that something will break and it may be difficult to determine the cause.

At this time I’m not sure whether I’ll add a new policy using the subst file before the release of Wheezy (the next stable release of Debian) or just keep using regular expressions. I can have the Wheezy policy depend on a new enough libselinux so it won’t be a problem in that regard (a new upstream version of libselinux with the subst feature should be released soon). In any case I need a back-port to Squeeze to use regular expressions to make an upgrade to Wheezy easier.

for n in $(find . -name "*.fc"|xargs grep var/run|cut -f1 -d:|uniq) ; do
  sed -e "s/\/var\/run/\/(var\/)?run/" < $n > $n.new
  mv $n.new $n
done
for n in $(find . -name "*.fc"|xargs grep var/lock|cut -f1 -d:|uniq) ; do
  sed -e "s/\/var\/lock/\/((var\/run)|(run)|(var))\/lock/" < $n > $n.new
  mv $n.new $n
done
for n in $(find . -name "*.fc"|xargs grep dev/shm|cut -f1 -d:|uniq) ; do
  sed -e "s/\/dev\/shm/\/((var\/run)|(run)|(dev))\/shm/" < $n > $n.new
  mv $n.new $n
done

I used the above fragment of shell code to change “/var/run” to “/(var/)?run”, “/var/lock” to “/((var/run)|(run)|(var))/lock”, and “/dev/shm” to “/((var/run)|(run)|(dev))/shm”. It involves a reasonable number of changes to policy (mostly for /var/run), but hopefully this will be acceptable to the release team for inclusion in the next Squeeze update as the changes are relatively simple and obvious and the size of the patch is due to it being generated code.

There is one final complication: Squeeze currently has selinux-policy-default version 2:0.2.20100524-7+squeeze1, but initscripts in Unstable breaks versions <= 2:0.2.20100524-9. So I guess I could submit a proposed version 2:0.2.20100524-9+squeeze1 to the release team to fix this. I would really like to have the Squeeze policy work with initscripts from Unstable or Wheezy.

Any suggestions for how to deal with this?

Update:

I wrote the above before testing the code, and it turned out to not work. I’ve written another post describing a better solution that I have now uploaded to Unstable. I still have to sort something out with an update for Squeeze.
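To see why the “/(var/)?run” substitution above loses precedence while the separate /run entries added by the Perl script earlier on this page keep it, here is an added Python model of the file_contexts ordering rule as that post describes it (sort by length of the literal prefix before the first meta-character, last match wins). This is example code, not anything from the blog or from libselinux, and the policy fragments, contexts and paths in it are constructed.

```python
import re

# Model of the ordering rule described on this page: entries are sorted by
# the length of the literal prefix before the first regex meta-character
# (shortest first) and the LAST entry that matches a path wins. Real
# libselinux ordering has more detail; this only illustrates the stated rule.
META = set(".^$?*+|[](){}\\")


def stem_len(spec):
    """Number of leading characters that are not regex meta-characters."""
    n = 0
    for ch in spec:
        if ch in META:
            break
        n += 1
    return n


def ordered(entries):
    """Stable sort by stem length; equal stems keep their written order."""
    return sorted(entries, key=lambda e: stem_len(e[0]))


def label(entries, path):
    """Return the context of the last ordered entry whose regex matches."""
    winner = None
    for spec, ctx in ordered(entries):
        if re.fullmatch(spec, path):
            winner = ctx
    return winner


# Constructed policy fragment with the original /var/run entry ...
ORIGINAL = [("/.*", "default_t"), ("/var(/.*)?", "var_t"),
            ("/var/run(/.*)?", "var_run_t")]
# ... after the sed above turned "/var/run" into "/(var/)?run": the stem
# length drops from 8 to 1, so the entry now sorts below "/var(/.*)?" ...
REGEX_SUBST = [("/.*", "default_t"), ("/var(/.*)?", "var_t"),
               ("/(var/)?run(/.*)?", "var_run_t")]
# ... and with a separate literal /run entry, as the Perl script adds.
SEPARATE = ORIGINAL + [("/run(/.*)?", "var_run_t")]

if __name__ == "__main__":
    for name, entries in (("original", ORIGINAL), ("regex", REGEX_SUBST),
                          ("separate", SEPARATE)):
        print(name, label(entries, "/var/run/foo"), label(entries, "/run/foo"))
```

With the regex substitution, /var/run/foo ends up labelled var_t because “/var(/.*)?” is now the last match; with the separate entries both /var/run/foo and /run/foo get var_run_t.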

Multiple Filesystems for Security

There has always been an ongoing debate about how to assign disk space into multiple partitions. I think that nowadays the best thing to do is to assign about 10G for the root filesystem for every desktop and server system because 10G is a small fraction of the disk space available (even the smallest laptops seem to all have disks larger than 100G nowadays). Even if 10G turns out not to be enough, using separate filesystems for /var or /usr provides little benefit now that it’s easy to resize the root filesystem with LVM – and a separate /usr is known to be broken [1].

In a discussion on a private mailing list there was a suggestion that multiple filesystems should be used for security.

DoS Attacks

There are some minor security benefits in having multiple filesystems. If a critical program will fail when there is no free disk space then allowing an unprivileged process to use up all the space on that filesystem is a minor security issue, so not permitting unprivileged processes to write to important filesystems is a benefit. But most failures of this type are merely DoS attacks which usually aren’t a big deal – if you can control a local process there are usually lots of other ways of DoSing a system.

Links

Links have been the cause of many security issues in Unix over the years. Using different filesystems for different tasks can prevent the use of hard links in attacks aimed at exploiting race conditions. But even if you prevent hard links there are similar issues with symbolic links. SE Linux is one of many security improvements for Linux which allow restrictions on the creation of hard links. SE Linux also allows restricting the ability of processes to follow symbolic links, so a privileged process can be denied access to follow a sym-link that was created by an unprivileged process.

NFS

The subtree_check option in /etc/exports causes the NFS server to verify that file access is in the correct subtree. So if you export only one subdirectory of a filesystem to a given server then hostile code on that server (or on a network device which impersonates that server) can’t access other subdirectories. This option is documented as having performance implications and working best for filesystems that are mostly read-only; for this reason it’s turned off by default in recent versions of the NFS utilities.

So if you want to NFS export /home then it’s probably a good idea to have /home on a separate filesystem to prevent attacks on the root filesystem. But of the systems with significant use of /home (i.e. anything other than accounts used solely for “su -”) most have a separate filesystem for /home anyway, so this shouldn’t be an issue.

SE Linux

When mounting filesystems with SE Linux there is a “context=” mount option that allows specifying the context for all files on the filesystem. This can save a small amount of storage space for XATTRs and theoretically improve performance (although the difference is unlikely to show up on benchmarks for anything other than fsck). Generally the context mount option is only used for a filesystem that has a huge number of files with the same context, such as a mail spool that uses Maildir, Cyrus, or any of the other formats that involve one file per message. But again such data is generally stored on a separate filesystem for other reasons anyway.

I found one interesting corner case in regard to SE Linux systems mounting files from an NFS server. When an NFS server exports multiple subdirectories of a filesystem mounted on /foo, and an NFS client running SE Linux mounts two of those subdirectories with different contexts, the second mount attempt will give the error “an incorrect mount option was specified”. This is because as of kernel 2.6.18 it is by default not permitted to mount parts of the same filesystem with different mount options. The option “nosharecache” allows you to use different mount options, but does apparently permit some undesirable behavior in the case of hard links that cross between the subtrees. Thanks to Eric Paris for the tip about nosharecache.

The best example I can think of for which you might want context mount options that differ among files that are used for the same purpose on an NFS mount is a web server which has data files and CGI-BIN scripts. So it seems that a SE Linux web server that mounts its data over NFS and is at risk of having hard links between the CGI-BIN directory and the data directory is a corner case in which multiple filesystems are required for security. This seems to be a very unlikely case.

Conclusion

Servers that are deployed in the real world are complex enough that there are always systems with some unusual corner cases demanding configuration choices that aren’t expected. There are some real corner cases for SE Linux where multiple filesystems are compelled for security or for a combination of security and best performance.

But I wouldn’t make a generic recommendation of using lots of filesystems for security. I think that the people who encounter the strange corner cases can usually work out that they need to do something different. So a small number of filesystems seems like a good general aim that doesn’t conflict with security.