Tim Retout's www presence

Sat, 11 Sep 2010

Debian Perl talk

Today I went to HantsLUG at IBM Hursley.

I delivered a talk on the Debian Perl team aimed at end users, which was well received - I got a head start by getting people in #debian-perl to review the slides beforehand, which was very helpful. I'm told there will be a video uploaded in a month or so.

I also plugged SmoothWall Express on Debian to some new people, and there was interest. My most recent discovery is that I probably need to extend netcfg in the debian installer to allow configuring more than one network interface.

Posted: 11 Sep 2010 19:07 | Tags: , , , ,

Mon, 30 Aug 2010


Here in the UK we've had a bank holiday weekend. Usually I would have gone to Cambridge for the Debian BBQ, but this year I joined forces with Thomas Adam for some SmoothWall Express on Debian hacking.

There are several challenges involved in moving the SWE3 code from its native distribution to Debian; this weekend we worked around some of the permissions problems.

On SWE3, the web server and most of the service daemons run as the user 'nobody'. This means that the web server can write out configuration files as the same user as everything else; it can also read the system log files. When the web interface needs to run a privileged action (like setting firewall rules), it sends a command to 'smoothd', which is a daemon running as root. (Admin ssh access is always directly as the root user.)

However, web servers in Debian tend to run as user 'www-data', which does not have permission to read log files. Similarly, writing out configuration files as that user would mean that any cgi script (not just ones in the swe3 package) could modify them. I would prefer to run the swe3 cgi scripts as a separate user, and grant this user permission to view logs etc. This debian-webapps thread makes it sound very easy, but if you want to do that with cgi scripts rather than fastcgi, I think you have to run a separate web server for each user.

On Sunday afternoon, in a dramatic display of corner-cutting, I gave up on that approach and added www-data to the 'adm' and 'proxy' groups in the postinst. Thomas heroically patched all the cgis to call the "config writers" via smoothd, although I'm wondering whether some careful use of the chgrp command in the postinst might be better than running that code as root.

Another hack: in order to actually start a firewall, we needed to know which network card is the "RED" interface, in SWE3 terms; i.e. which one is meant to be the public-facing network device. It's also nice to know which one is "GREEN". So two debconf questions and some hardcoded magic numbers later, we have a basic firewall init script. Lovely.

Oh, and at some point I removed the htaccess file, so any user on your network can mess with your firewall. Should probably fix that.

Today I started some awful scripts which use Simple-CDD to build an iso containing all the packages we want. We are going to need to extend the networking configuration in the installer to set up multiple network cards. Then we need to figure out a nicer way of assigning IP addresses to devices; unlike on the proprietary version of the product, there seems to be no web configuration of network settings in Express. I've not figured all of this out yet.

So, in summary: we are deliberately trading some technical debt in order to quickly produce an initial release that might interest people. (But please note the disclaimer of warranty in the README file in that directory.) And in other news, I've been working at Smoothwall Ltd. for just over one year. Hmm. So this is what they call 'experience'.

Posted: 30 Aug 2010 21:38 | Tags: , ,

Mon, 16 Aug 2010

SmoothWall Express on Debian

SmoothWall Express is a GNU/Linux distribution geared towards firewalling, with an installer, a web interface, and some common software like squid that can be useful when running a small business router. It is theoretically the basis for the corporate products of SmoothWall Ltd., who happen to employ me; but all opinions here are my own, and I'm not speaking for them.

Unfortunately, the SmoothWall Express kernel is somewhat "stable", which leads to problems installing the distro on modern hardware. There is a new version of Express in the works, but I'm afraid SmoothWall Ltd. currently has a bit of a "code dump" mentality with respect to delivering updates to their community, because they don't recall seeing any significant contributions from outsiders.

At DebConf I created proof-of-concept Debian packages of two components of Express 3.0: the swe3 web interface, and the smoothd daemon which executes privileged commands. Currently these can show a basic web interface; some of the less complicated bits will even run, and I can shut down my laptop using the "shutdown" button via smoothd. (Note that I still need to add boring stuff like debian/copyright files, but I plan to release these as soon as I can.)

In the near future, hopefully I can implement some of the more important features (like, er, firewalling), and add some other components like the traffic shaping and IM filtering daemon. I'm working towards a demonstration Debian Pure Blend that can show off some of the advantages of working with a third-party distribution as a base.

If anyone would like to help me... send me patches. :) I expect I'll be blogging my progress occasionally.

Posted: 16 Aug 2010 00:16 | Tags: , ,

Thu, 29 Oct 2009

SmoothWall Express - ntpd

Part one of an occasional series about SmoothWall Express (SWE).

The SmoothWall Express source tree contains two NTP daemons - both ntpd and OpenNTPD. SWE uses the openntpd daemon, but installs the ntpdate and ntpq utilities from the ntpd package.

This is justified because openntpd is apparently more lightweight than ntpd. But note that ntpq does not work with openntpd.

On my machine, the saving in memory is not massive. As observed in the thread, openntpd needs to run two processes (with one running as root), while ntpd can use Linux capabilities. From a cursory look at the Debian bug tracker, ntp has more bugs, but they don't seem as important as openntpd's. I suspect ntp gets more testing. The latest portable release of openntpd was in May 2006.

If I ruled the world, I'd choose ntpd over openntpd.

Posted: 29 Oct 2009 00:38 | Tags: , ,


Tim Retout tim@retout.co.uk
JabberID: tim@retout.co.uk


I'm afraid I have turned off comments for this blog, because of all the spam. Let's face it, I didn't read them anyway. Feel free to email me.

Me Elsewhere

Copyright © 2007-2014 Tim Retout