
Startup Infrastructure: Where Linux Fails


It is no secret that I’m an open source evangelist and so when it was time to set up internal infrastructure at work, naturally the first order of business was to evaluate the various OSS projects out there — everything from wikis, bug trackers, source control, code review and project management. Running Ubuntu LTS (10.04) on all of our servers was a no-brainer and there were plenty of excellent options for most everything else as well (a follow-up post on our final choices later). The Linux ecosystem is fabulous for most of the infrastructure needs of a startup, but I learnt the hard way that there are still some areas where Linux needs a lot of work before it can become competitive with proprietary, non-Linux solutions.


Centralized account management (users and groups) and authentication is a critical component in any IT deployment, no matter the size. Even for a small startup, repeatedly creating users and groups for each new server, and maintaining a separate authentication mechanism for each new service, is simply not scalable. That is precisely why Active Directory is so ubiquitous at enterprises.

LDAP was the obvious solution in Linux-land and I figured it would be trivial to set up an OpenLDAP server that can manage user/group information for us. It would also be the single authentication source for all servers and services. I was so wrong.

After struggling with OpenLDAP for several painful hours, I gave up — the documentation is fragmented, Google doesn’t help much and personally I think the LDAP creators had never heard of “usability” when designing it. The seemingly simple task of creating some new users and groups involved several black-magic incantations of the LDAP command line tools. Getting servers to authenticate against the resulting directory was even harder.

Just as I was about to throw in the towel and set up an AD instance in-house, I stumbled upon the 389 Directory Server (now known as the Fedora Directory Server). With newfound hope, I set about installing it on Ubuntu and hit another roadblock — there are no up-to-date packages of FDS for Ubuntu. Reluctantly, I set up a Fedora instance (the only one so far) and installed FDS. Thankfully, Red Hat has put together really comprehensive documentation and guides for the Directory Server, which were invaluable.

From there on, it was mostly downhill (only a few minor hiccups). Finally we have a nice GUI to manage users and groups, and all servers/services authenticate against a single Directory Server. But the journey was unnecessarily painful. Here’s what I’d like to see:

  • Up-to-date packages of FDS for Ubuntu. Sane defaults and functionality out-of-the-box
  • Ready to consume documentation on how to integrate LDAP with various web applications, Linux distros etc (I’ll put together some of this soon)
  • More awareness — I should have found FDS a lot sooner than I did, but it is certainly not very well marketed
  • Single sign on: This is a whole different beast

Remote Access

At my previous company, we had a Cisco VPN solution. There were plenty of Cisco compatible VPN clients on Windows and Mac. In fairness, it was relatively easy to get vpnc working on Ubuntu as well. In fact, with Network Manager, you can manage your VPN connections using a simple and intuitive UI. But the setup was not very reliable and my connections would get dropped relatively frequently. It was impossible to have a long-running VPN session without disruption. I’m not sure if the problem was with the Cisco hardware or the Ubuntu vpnc client; I did see similar issues with the built-in VPN client on Mac OS X.

But at least VPN on Linux works. I can’t say the same about other remote access mechanisms, in particular IPSec and L2TP over IPSec. It took me some time to figure out which package to use (Strongswan, Openswan, iked etc.); another couple of hours to get the Openswan configuration just right; several hours of struggling to automatically set up DNS lookups when using the IPSec connection (gave up and ended up using entries in /etc/hosts!). There is no UI in Network Manager to manage IPSec connections either. Strongswan does have a NM plugin, but that only works for IKEv2 (certificate based authentication), while I had to use IKEv1 (shared key based authentication).

At the end of the day, I do have a working IPSec tunnel and it is definitely more reliable than the Cisco VPN (been up for more than 2 days without disruption). But all this can and should become a lot more seamless.

These are a few areas where Linux failed me in setting up the infrastructure for a startup; it shines most everywhere else. Hopefully these last few kinks will get ironed out soon.

And just like that, I’m a GNOME user

When I first started using Linux (more than a decade ago), I did my share of playing around with various desktop environments: the classic FVWM, GNOME, KDE, Enlightenment etc. I settled down with KDE. Over the years, I kept coming back to GNOME to check it out but somehow KDE always felt like home to me.

Well guess what, not any more. As of a few days ago, I’m (mostly) a GNOME user.

I still love KDE (the desktop) and KDE based applications (KMail, Amarok etc). It is still infinitely more configurable than anything comparable in GNOME (Evolution and Thunderbird are still fairly limited in comparison) and over the years I’ve tweaked it to just the way I like it. But GNOME has something the KDE project does not: Canonical.

That's right, I switched to GNOME because of Canonical, the company that drives Ubuntu development. Sure, there is a lot of effort behind the various Ubuntu variants such as Kubuntu, Xubuntu etc. But make no mistake, none of these variants are first-class citizens in the Ubuntu ecosystem.

The switch was a result of my recent experience setting up Ubuntu on my home theater PC. The effort Canonical has put into making the Ubuntu experience more seamless and pleasant is clearly visible. Pretty much everything works out of the box: folders that I share show up on other computers in my home network, bluetooth/webcam etc. all work just fine, setting up remote desktop is a breeze and so on. Avahi/bonjour works like a charm; I can set up a DAAP server to share my music and it shows up on iTunes just like that.

Note that all of these things are obviously not limited to Ubuntu in any way. But the user experience in Ubuntu is unparalleled in comparison with Kubuntu etc. Subtle niceties like the notifications (the Ayatana project), the Me menu, the messaging menu, the “light” themes etc. come together in a very cohesive way to deliver an experience that rivals that of Mac OS. But beyond the subtleties, Canonical is shaping the future of Linux on the desktop, laptop and mobile devices: the Unity interface, multi-touch support for mobile devices and more. Bottom line: having a company put its weight behind a desktop has ramifications.

So as much as I love thy, KDE, for now we shall part ways. I’m still using some KDE apps (like digiKam), but until Canonical decides to officially adopt Kubuntu, GNOME it is.

HOWTO: Ubuntu on IBM Thinkpad T42

This article was written a very long time back, so some of the information might have become outdated.

===== Intended Audience =====
Users who have or wish to install Ubuntu on their IBM Thinkpad T42s with all the bells and whistles (suspend to ram, suspend to disk etc)

===== Purpose =====
Ubuntu is a great distribution, and I am a big fan of Debian as well. Although the default Ubuntu installation works out of the box for almost everything, to get the perfect system, you still need to do a bit of tweaking! This How-To aims to cover those tweaks.

===== Prerequisites =====
* An IBM Thinkpad T-42 (duh)
* Familiarity with Linux in general and Ubuntu/Debian in particular

===== Steps =====

==== Kernel ====
The default Ubuntu installation will stick in a Linux-2.6.10-x-386 kernel (x = 5 for me), which is just fine. But you probably want to use a kernel optimized for your processor — the performance benefits might not be observable, but it will allow you to make use of some architectural enhancements. So first off, go ahead and do that:

sudo apt-get install linux-686

==== Sleep/Hibernate ====
This is the first distro I’ve come across that supports both suspend-to-ram and suspend-to-disk out of the box! Yay!! Suspend to ram is disabled by default though. To enable it, open up /etc/default/acpi-support and make sure that this is uncommented:


Suspend to ram is activated by pressing Fn + F4 and resumed by the same key combination. Suspend to disk is activated by pressing Fn + F12 and resumed by pressing the power button. You can always suspend to ram/disk by calling the appropriate script directly (/etc/acpi/sleep.sh or /etc/acpi/hibernate.sh).

==== KDE Fonts ====
If you’re a KDE fan (like yours truly!), you would want to install Kubuntu on top of your Ubuntu installation. You can do this by doing:

sudo apt-get install kubuntu-desktop

Kubuntu is just as slick as Ubuntu; it just uses KDE as your default environment instead of GNOME. However, my default Kubuntu setup showed up with really ugly fonts. Apparently this is a common problem (look in the forums/google), but fortunately, it's not a big problem and is easily solved.

Ideally Ubuntu/Kubuntu fonts should look identical. The only difference is that GNOME allows applications to render fonts at a DPI that is different from that of the X server. KDE seems to be lacking this functionality right now. So you have to instruct the X server to run at the DPI you want your fonts to be rendered at.

There are a couple of ways to do this, but for me, the easiest was this: create a file called .Xresources in your home directory (~/.Xresources), and add the following line to it:


That's it! Log out, restart X server (Ctrl + Alt + Backspace) and log back in — you should see good fonts now.

==== Thinkpad buttons ====
If you’re using KDE (Kubuntu), there’s really not much you need to do. By default, the ibm-acpi module should be loaded (check the output of lsmod) — this will enable all of the hotkeys and function buttons (including volume and brightness).

KDE has two nice features that make life good for Thinkpad users: the kmilo service that will handle the volume/brightness keys (with a nice OSD for the same); and the IBM Thinkpad kcontrol module which lets you bind programs to various Thinkpad keys (like the Access IBM key). However, to make best use of both of these, we need to do some tweaking.

* First, create a new group called nvram: sudo addgroup nvram
* Then add yourself to this group: sudo adduser [username] nvram
* Make sure that the nvram module gets loaded automatically on boot. Add nvram to /etc/modules on a new line.
* Finally make sure that udev gives read/write permissions for the /dev/nvram device to all members of the nvram group. Make sure your /etc/udev/permissions.d/udev.permissions has the following lines:


* That's it! Next time you boot and log in, you should see a nice OSD display when you press the volume or brightness or thinkpad light keys. And you should be able to bind the programs for the rest of the keys in the KDE control center.
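
To confirm after a reboot that the four steps took effect, and that /dev/nvram was opened to the nvram group only, a small audit script can help. This is an added example, not part of the original HOWTO; the function names are hypothetical, and the "no access for others" check is an assumption of the example (the steps above only ask for group read/write).

```shell
#!/bin/sh
# Added example, not from the original HOWTO: audit the nvram steps above.
# Names and paths are parameters so the checks can be run against copies.

# Steps 1-2: is USER a member of GROUP?
user_in_group() {
    id -Gn "$1" 2>/dev/null | tr ' ' '\n' | grep -qx -- "$2"
}

# Step 3: does MODULES_FILE list nvram on an uncommented line of its own?
modules_lists_nvram() {
    grep -Eq '^[[:space:]]*nvram[[:space:]]*$' "$1" 2>/dev/null
}

# Step 4: is DEVICE group-owned by GROUP, read/write for that group, and
# closed to everyone else? (Assumption of this example: "others" get no
# access at all; the HOWTO itself only requires group read/write.)
device_perms_ok() {
    [ -e "$1" ] || return 1
    [ "$(stat -c '%G' "$1")" = "$2" ] || return 1
    mode=$(stat -c '%a' "$1")
    case $mode in
        *[67]0) return 0 ;;   # group has rw, others have nothing
        *)      return 1 ;;
    esac
}

# Run all three checks and report; returns non-zero if any check fails.
check_nvram_setup() {
    user=$1; group=${2:-nvram}
    modules=${3:-/etc/modules}; dev=${4:-/dev/nvram}
    rc=0
    user_in_group "$user" "$group" || { echo "FAIL: $user not in $group"; rc=1; }
    modules_lists_nvram "$modules" || { echo "FAIL: nvram missing from $modules"; rc=1; }
    device_perms_ok "$dev" "$group" || { echo "FAIL: $dev is not $group-only rw"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: nvram setup matches the steps above"
    return "$rc"
}

# Stand-alone use: sh check_nvram.sh USERNAME [GROUP] [MODULES_FILE] [DEVICE]
if [ "$#" -gt 0 ]; then check_nvram_setup "$@"; fi
```

A FAIL on the device check with a correct group usually means the udev permissions entry was not picked up, or that the node is still world-accessible.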

==== Video ====
I use the open source radeon drivers. These drivers are fairly stable, work with both suspend to ram and suspend to disk, but do not provide 3D acceleration support. If you really need 3D acceleration, you can use the xorg-fglrx drivers or the proprietary fglrx driver available from ATI’s website. I don’t use these so I won’t spend time covering installation and usage, but you can find some useful information in the references at the end of the article.

The radeon driver works out of the box for most scenarios. However, I often had problems when trying to use my laptop with a projector — ideally I would like to clone the laptop’s display onto the projector, retain my laptop’s resolution on the laptop LCD, and scale to the appropriate resolution on the projector screen. For instance, 1400×1050 on the laptop LCD and 1024×768 on the projector screen. I modified my /etc/X11/xorg.conf as follows: (you can get more details by executing man radeon)

===== System Information =====

$ lspci
0000:00:00.0 Host bridge: Intel Corp. 82855PM Processor to I/O Controller (rev 03)
0000:00:01.0 PCI bridge: Intel Corp. 82855PM Processor to AGP Controller (rev 03)
0000:00:1d.0 USB Controller: Intel Corp. 82801DB/DBL/DBM (ICH4/ICH4-L/ICH4-M) USB UHCI Controller #1 (rev 01)
0000:00:1d.1 USB Controller: Intel Corp. 82801DB/DBL/DBM (ICH4/ICH4-L/ICH4-M) USB UHCI Controller #2 (rev 01)
0000:00:1d.2 USB Controller: Intel Corp. 82801DB/DBL/DBM (ICH4/ICH4-L/ICH4-M) USB UHCI Controller #3 (rev 01)
0000:00:1d.7 USB Controller: Intel Corp. 82801DB/DBM (ICH4/ICH4-M) USB 2.0 EHCI Controller (rev 01)
0000:00:1e.0 PCI bridge: Intel Corp. 82801 PCI Bridge (rev 81)
0000:00:1f.0 ISA bridge: Intel Corp. 82801DBM LPC Interface Controller (rev 01)
0000:00:1f.1 IDE interface: Intel Corp. 82801DBM (ICH4) Ultra ATA Storage Controller (rev 01)
0000:00:1f.3 SMBus: Intel Corp. 82801DB/DBL/DBM (ICH4/ICH4-L/ICH4-M) SMBus Controller (rev 01)
0000:00:1f.5 Multimedia audio controller: Intel Corp. 82801DB/DBL/DBM (ICH4/ICH4-L/ICH4-M) AC'97 Audio Controller (rev 01)
0000:00:1f.6 Modem: Intel Corp. 82801DB/DBL/DBM (ICH4/ICH4-L/ICH4-M) AC'97 Modem Controller (rev 01)
0000:01:00.0 VGA compatible controller: ATI Technologies Inc RV350 [Mobility Radeon 9600 M10]
0000:02:00.0 CardBus bridge: Texas Instruments PCI4520 PC card Cardbus Controller (rev 01)
0000:02:00.1 CardBus bridge: Texas Instruments PCI4520 PC card Cardbus Controller (rev 01)
0000:02:01.0 Ethernet controller: Intel Corp. 82540EP Gigabit Ethernet Controller (Mobile) (rev 03)
0000:02:02.0 Network controller: Intel Corp. PRO/Wireless 2200BG (rev 05)

===== References =====
* [[http://aaltonen.us/archive/2005/03/02/ubuntu-linux-on-the-ibm-thinkpad-t42/|Ubuntu Linux on the Thinkpad T42]]
* [[http://kudos.berlios.de/kf/kf.html|Unofficial Kubuntu FAQ]]
* [[http://ubuntuforums.org|Ubuntu Forums]]
* [[http://ubuntuguide.org|Unofficial Ubuntu Starter Guide]]

HP Pavilion a1640n USB support in Ubuntu

At work I have a fairly new box, the HP Pavilion a1640n. I’m running Ubuntu Feisty Fawn on it with all the latest updates. Unfortunately, none of the USB ports work, so I can’t use my USB mouse, or any external drives or any of the other countless USB devices. Clearly not a great situation to be in.

I’ve filed a [[https://bugs.launchpad.net/ubuntu/+bug/135342|bug report]] on [[http://launchpad.net|Launchpad]]. If you’re facing this same problem, please go vote on the bug and/or give additional information. If you know a fix, that would be even better.

Finally ATI learns!

It has finally happened. ATI [[https://support.ati.com/ics/support/KBAnswer.asp?questionID=1176|has released]] (still proprietary though) drivers for Linux with initial suspend/resume support. There’s a [[http://ubuntuforums.org/showpost.php?p=423584|howto for Ubuntu]] available. It works perfectly on my machine — now I have suspend-to-ram working with 3D acceleration! Yippeee!

But it still needs some more testing. I haven’t tested suspend-to-disk yet, but it's usually less problematic than suspend to ram so should work. Now that ATI has found the right road, hopefully they will quickly make good progress.