Tim Retout's www presence

Mon, 30 Aug 2010

Hacking

Here in the UK we've had a bank holiday weekend. Usually I would have gone to Cambridge for the Debian BBQ, but this year I joined forces with Thomas Adam for some SmoothWall Express on Debian hacking.

There are several challenges involved in moving the SWE3 code from its native distribution to Debian; this weekend we worked around some of the permissions problems.

On SWE3, the web server and most of the service daemons run as the user 'nobody'. This means that the web server can write out configuration files as the same user as everything else; it can also read the system log files. When the web interface needs to run a privileged action (like setting firewall rules), it sends a command to 'smoothd', which is a daemon running as root. (Admin ssh access is always directly as the root user.)

However, web servers in Debian tend to run as user 'www-data', which does not have permission to read log files. Similarly, writing out configuration files as that user would mean that any cgi script (not just ones in the swe3 package) could modify them. I would prefer to run the swe3 cgi scripts as a separate user, and grant this user permission to view logs etc. This debian-webapps thread makes it sound very easy, but if you want to do that with cgi scripts rather than fastcgi, I think you have to run a separate web server for each user.

On Sunday afternoon, in a dramatic display of corner-cutting, I gave up on that approach and added www-data to the 'adm' and 'proxy' groups in the postinst. Thomas heroically patched all the cgis to call the "config writers" via smoothd, although I'm wondering whether some careful use of the chgrp command in the postinst might be better than running that code as root.
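To make the "careful use of chgrp in the postinst" alternative concrete, here is an added example (not code from the original post or from the swe3 packages). It models the idea in a scratch directory: the CGI writers get write access to a single configuration directory through a dedicated group, rather than the web server being added to 'adm' and 'proxy' (which exposes every log file to every CGI script, not just the swe3 ones) or the writers being executed as root via smoothd. The group and directory names are hypothetical; run it as root with a real group on a real system, or with any group the invoking user belongs to for a dry run.

```shell
#!/bin/sh
# Added example, not from the original post or the swe3 packages.
# Gives one configuration directory to a dedicated group instead of
# widening the web server's group membership. Names are hypothetical.

# Create the config directory, owned by whoever runs the postinst (root),
# writable only by members of $grp. Mode 2770: setgid so files created
# inside inherit the group; no access at all for 'other'.
setup_config_dir() {
    dir=$1 grp=$2
    mkdir -p "$dir" || return 1
    chgrp "$grp" "$dir" || return 1
    chmod 2770 "$dir"
}

# Returns 0 if the directory has exactly the intended mode bits
# (group rwx with setgid, nothing for other), 1 otherwise.
check_config_dir() {
    perms=$(ls -ld "$1" | cut -c1-10)
    [ "$perms" = "drwxrws---" ]
}

# Returns 0 if a file created inside the directory inherits the
# directory's group, which is what lets a config writer running as the
# CGI user produce files the rest of the group can still read.
check_inherits_group() {
    f=$1/inherit-test.$$
    : >"$f" || return 1
    fgrp=$(ls -l "$f" | awk '{print $4}')
    dgrp=$(ls -ld "$1" | awk '{print $4}')
    rm -f "$f"
    [ "$fgrp" = "$dgrp" ]
}

# Dry run in a scratch location using the caller's own primary group.
DEMO_DIR=$(mktemp -d)/swe3-config
setup_config_dir "$DEMO_DIR" "$(id -gn)" \
    && check_config_dir "$DEMO_DIR" \
    && check_inherits_group "$DEMO_DIR" \
    && echo "config dir $DEMO_DIR: group-scoped, setgid, not world-accessible"
```

In a real postinst the group would be created with addgroup --system and the web server user added to that one group only, so the blast radius of a compromised CGI script stays limited to the swe3 configuration rather than everything readable by 'adm'.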

Another hack: in order to actually start a firewall, we needed to know which network card is the "RED" interface, in SWE3 terms; i.e. which one is meant to be the public-facing network device. It's also nice to know which one is "GREEN". So two debconf questions and some hardcoded magic numbers later, we have a basic firewall init script. Lovely.

Oh, and at some point I removed the htaccess file, so any user on your network can mess with your firewall. Should probably fix that.

Today I started some awful scripts which use Simple-CDD to build an iso containing all the packages we want. We are going to need to extend the networking configuration in the installer to set up multiple network cards. Then we need to figure out a nicer way of assigning IP addresses to devices; unlike on the proprietary version of the product, there seems to be no web configuration of network settings in Express. I've not figured all of this out yet.

So, in summary: we are deliberately trading some technical debt in order to quickly produce an initial release that might interest people. (But please note the disclaimer of warranty in the README file in that directory.) And in other news, I've been working at Smoothwall Ltd. for just over one year. Hmm. So this is what they call 'experience'.

Posted: 30 Aug 2010 21:38

Mon, 16 Aug 2010

SmoothWall Express on Debian

SmoothWall Express is a GNU/Linux distribution geared towards firewalling, with an installer, a web interface, and some common software like squid that can be useful when running a small business router. It is theoretically the basis for the corporate products of SmoothWall Ltd., who happen to employ me; but all opinions here are my own, and I'm not speaking for them.

Unfortunately, the SmoothWall Express kernel is somewhat "stable", which leads to problems installing the distro on modern hardware. There is a new version of Express in the works, but I'm afraid SmoothWall Ltd. currently has a bit of a "code dump" mentality with respect to delivering updates to their community, because they don't recall seeing any significant contributions from outsiders.

At DebConf I created proof-of-concept Debian packages of two components of Express 3.0: the swe3 web interface, and the smoothd daemon which executes privileged commands. Currently these can show a basic web interface; some of the less complicated bits will even run, and I can shut down my laptop using the "shutdown" button via smoothd. (Note that I still need to add boring stuff like debian/copyright files, but I plan to release these as soon as I can.)

In the near future, hopefully I can implement some of the more important features (like, er, firewalling), and add some other components like the traffic shaping and IM filtering daemon. I'm working towards a demonstration Debian Pure Blend that can show off some of the advantages of working with a third-party distribution as a base.

If anyone would like to help me... send me patches. :) I expect I'll be blogging my progress occasionally.

Posted: 16 Aug 2010 00:16

Tue, 10 Aug 2010

Sunny Southampton

On my last night in New York, I didn't sleep much. At 6am, I said farewell to Central Park by running round the reservoir, which I hadn't yet done. There was a very nice red sunrise to be seen from the west side.

Unfortunately I didn't sleep much on the flight home either. The British accents sounded quite unusual when we landed in Heathrow, and it was quite confusing not being able to find a Starbucks.

Once I was back home, I crashed, and woke up at 10pm. I spent last night clearing the pkg-perl review queue - gregoa is taking a short break after DebConf.

Then I went running at sunrise again. This is quite a different experience to Central Park - first, you have to run 2.5km just to get to Southampton Common, and secondly it is raining quite heavily. I dug out some winter gear that had turned out to be completely inappropriate for New York.

Posted: 10 Aug 2010 08:06

Wed, 04 Aug 2010

For future reference

I have a relatively new laptop, and have spent some time today fixing some of the rough edges in my setup. (One day I'll throw all the config files into git, or something, but not yet.)

  • I use zsh, but only in a fairly conservative manner, to mimic bash. All searches on the subject of zsh prompts seem to produce ugly behemoths from people who have just discovered that the feature exists. Here's my effort to copy Debian's normal bash prompt:

    PS1='%n@%m:%~$ '

    I also "setopt nohup", and copy some useful stuff like ls colour aliases from .bashrc.
  • Most tutorials on configuring SMTP auth with Postfix are insane. If your mail provider's CA is in the ca-certificates package, you can postpone learning openssl yet again.
  • I'm trying out an xmonad/gnome combination, having evaluated awesome (tricky to get all the details of the gnome integration working) and bluetile (tricky to get the single-pixel window decoration feel). So far it works well.
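For the Postfix point above, here is an added example (not from the original post) of what "postpone learning openssl" looks like in main.cf terms: a small shell audit that checks the outbound TLS and SASL parameters of a relayhost setup, run over two constructed configs, the opportunistic one most tutorials leave you with and the corrected one that requires a verified certificate against Debian's ca-certificates bundle. The parameter names are real Postfix ones; the relay hostname and file locations are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the original post. Audits a Postfix main.cf for
# the outbound TLS/SASL settings a relayhost setup needs. The two sample
# configs below are constructed; the parameter names are Postfix's own.

# Last value assigned to a parameter in main.cf (Postfix honours the last one).
cf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Prints one finding per line; the exit status is the number of findings.
audit_main_cf() {
    cf=$1
    n=0
    case "$(cf_get "$cf" smtp_tls_security_level)" in
        secure|verify) ;;   # server certificate is verified against a CA
        encrypt|may)   echo "TLS used but the relay's certificate is not verified"; n=$((n+1)) ;;
        *)             echo "TLS not required on outbound SMTP"; n=$((n+1)) ;;
    esac
    if [ -z "$(cf_get "$cf" smtp_tls_CAfile)" ] && [ -z "$(cf_get "$cf" smtp_tls_CApath)" ]; then
        echo "no CA bundle configured (smtp_tls_CAfile or smtp_tls_CApath)"; n=$((n+1))
    fi
    if [ "$(cf_get "$cf" smtp_sasl_auth_enable)" != "yes" ]; then
        echo "SMTP AUTH disabled (smtp_sasl_auth_enable)"; n=$((n+1))
    fi
    return $n
}

tmp=$(mktemp -d)
# Weak (constructed): what a copy-paste tutorial typically leaves behind,
# opportunistic TLS and no CA bundle, so a MITM relay would be accepted.
cat >"$tmp/weak.cf" <<'EOF'
relayhost = [smtp.example.com]:587
smtp_tls_security_level = may
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
EOF
# Corrected (constructed): require a certificate that chains to a CA in the
# Debian ca-certificates bundle, matching the relayhost name.
cat >"$tmp/good.cf" <<'EOF'
relayhost = [smtp.example.com]:587
smtp_tls_security_level = secure
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
EOF
WEAK_CF=$tmp/weak.cf
GOOD_CF=$tmp/good.cf

echo "== weak.cf";  audit_main_cf "$WEAK_CF" || echo "$? finding(s)"
echo "== good.cf";  audit_main_cf "$GOOD_CF" && echo "ok"
```

The point of "secure" over "may" is that the SASL credentials are only ever sent to a relay whose certificate chains to a trusted CA and matches the relayhost name; with "may", a failed or downgraded TLS handshake silently falls back to plaintext and the password goes with it.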

Posted: 04 Aug 2010 06:51

Tue, 03 Aug 2010

Fireflies

I was up early this morning for the 17km run with bubulle over the George Washington Bridge and back. We had an interesting diversion near the start, as we tried to go cross-country through a woodland path that slowly disappeared. I was quite happy to have finished at the same time as the "real" runners... and grabbed a bagel with cream cheese for breakfast.

During the day I attended a few talks from the Java track. I had afternoon tea with Safir, and then chatted to a few people before the Cheese & Wine party this evening. My kettle and teapot were commandeered to provide Taiwanese tea.

The US supplies electricity at about half the voltage of the UK. So my US kettle has a power rating of a mere 1500W (compared to 3kW for my UK one) and takes twice as long to boil water. Also, if I took it home, it would probably blow a fuse, I guess. This is probably why everyone uses stove-top kettles here.

While walking back from the hacklab to Carman, there were some fireflies glowing yellow on the corner near where the Columbia flag flies. They didn't seem to be there on the way back from the party - maybe they only shine at dusk.

Posted: 03 Aug 2010 04:47

Contact

Tim Retout tim@retout.co.uk
JabberID: tim@retout.co.uk

Comments

I'm afraid I have turned off comments for this blog, because of all the spam. Let's face it, I didn't read them anyway. Feel free to email me.

Copyright © 2007-2011 Tim Retout