Monday, December 07, 2009

Some Fedora 12 issues

There are some issues with Fedora 12 and some workarounds:

- Eclipse:
-- Problem:
Some buttons, especially OK and Finish, do not respond to mouse clicks. You need to focus the button (mouse over it, for instance) and then press ENTER.

-- Solution (first attempt):
You need to override an environment variable and then execute eclipse:

#---
GDK_NATIVE_WINDOWS=true eclipse
#---


-- Solution (for desktop launcher):

Create the following script and add it as the launcher command:

#---
mkdir -p ~/bin
cat > ~/bin/eclipse.sh << __END__
#!/bin/sh
GDK_NATIVE_WINDOWS=true eclipse
__END__
chmod 755 ~/bin/eclipse.sh
#---




Source: http://forums.fedoraforum.org/showthread.php?s=a3c988d542abeeb3b04991ab5c12070d&p=1301362#post1301362

My Fedora 12 road map

- Basic system setup
-- Adjust [/etc/resolv.conf]
-- Adjust [/etc/fstab]
-- Adjust [/etc/sysconfig/network-scripts/ifcfg-eth0]

- Add repositories:
-- RPM Fusion (free)
-- RPM Fusion (non-free)
-- Adobe (flash plugin)

-- JPackage:

#---
wget http://www.jpackage.org/jpackage17.repo -O /etc/yum.repos.d/jpackage.repo
#---


-- Chromium:

#---
cat > /etc/yum.repos.d/chromium.repo << __END__
[chromium]
name=Chromium Test Packages
baseurl=http://spot.fedorapeople.org/chromium/F\$releasever/
enabled=1
gpgcheck=0
__END__
#---


--- Edit the /etc/yum.repos.d/jpackage.repo file:

If you want to work with J2EE, JBoss, and such change it to the following:
[jpackage-generic]
name=JPackage (free), generic
mirrorlist=http://www.jpackage.org/mirrorlist.php?dist=generic&type=free&release=5.0
failovermethod=priority
gpgcheck=1
gpgkey=http://www.jpackage.org/jpackage.asc
enabled=1



[update: remove before installing, thanks to a reader comment]
-- Remove things I do NOT like (do not remove xine if you prefer KDE):

--- Multimedia players that do not play divx/mp3 and stay as default for video and audio files:
#---
yum -y erase \
xine \
gxine* \
totem*
#---


--- This is REALLY annoying, it prevents mplayerplug-in from working properly:
#---
yum -y erase \
mozplugger
#---


-- Update your system:
#---
yum -y upgrade
#---


- Install additional software:

-- Chromium:
#---
yum -y install \
chromium
#---


-- Multimedia:
#---
yum -y install \
alsa-tools \
alsamixergui \
mplayer \
mencoder \
live555 \
gecko-mediaplayer \
gnome-mplayer \
vlc \
grip \
flash-plugin \
k3b \
k3b-extras-nonfree
#---


Because Adobe Reader is usually very slow to download, I keep it separated and leave it to be last installed.
#---
yum -y install \
AdobeReader_enu
#---



-- Torrent with transmission
#---
yum -y install \
transmission
#---


-- Spell-checking
#---
yum -y install \
hunspell \
gtkspell \
hunspell-en
#---


--- Additional languages: German (de), Spanish (es), and Portuguese from Brazil (br)
#---
yum -y install \
hunspell-de \
hunspell-es \
hunspell-pt
#---


-- Email with sylpheed-claws
#---
yum -y install \
bogofilter \
claws-mail \
claws-mail-plugins
#---


-- XMMS with its most precious plug-ins
#---
yum -y install \
xmms \
xmms-libs \
xmms-skins.noarch \
xmms-mp3 \
xmms-faad2 \
xmms-flac \
xmms-arts \
xmms-esd \
xmms-musepack \
xmms-acme \
xmms2 \
xmms2-avcodec \
xmms2-faad \
xmms2-freeworld \
xmms2-mp4 \
xmms2-nonfree
#---



-- Pidgin, a very good IM client
#---
yum -y install \
pidgin \
pidgin-guifications \
pidgin-libnotify \
pidgin-otr \
pidgin-gfire \
pidgin-latex \
pidgin-musictracker \
purple-plugin_pack-pidgin \
purple-plugin_pack-pidgin-xmms \
purple-facebookchat \
purple-microblog \
purple-msn-pecan
#---


-- For kernel modules
#---
yum -y install \
kernel-PAE-devel \
kernel-headers
#---


--- For old processors (non-PAE)
#---
yum -y install \
kernel-devel \
kernel-headers
#---


-- Nautilus plug-ins
#---
yum -y install \
nautilus-open-terminal \
nautilus-search-tool \
nautilus-flac-converter \
nautilus-extensions
#---


-- Misc
--- Diagrams and images, usually old stuff that I'm used to
#---
yum -y install \
ImageMagick \
graphviz \
dia \
gv \
xfig \
xpdf \
eog \
gnuplot \
inkscape \
grace
#---


--- Editors and related
#---
yum -y install \
gvim \
kile \
dictd \
diction
#---


--- My beloved spreadsheet program
#---
yum -y install \
gnumeric
#---


--- Compression related programs
#---
yum -y install \
unrar \
p7zip
#---


--- Administration related programs
#---
yum -y install \
telnet \
lsof \
nmap \
nc \
traceroute \
mc \
tsclient \
rdesktop
#---


--- Very nice "must-have" admin programs:
#---
# keepassx: I'm not that fond of this one
# system-config-display: does not come by default
# gnome-password-generator: very nice GUI for generating new passwords
yum -y install \
keepassx \
system-config-display \
gnome-password-generator
#---


--- For WLAN Cracking
#---
yum -y install \
aircrack-ng \
airsnort
#---



--- NVIDIA
#---
yum -y install \
kmod-nvidia-PAE \
xorg-x11-drv-nvidia
#---


-- Note about the driver:
It messes the font resolution up (IMHO). So to keep the same aspect between the normal driver and the NVIDIA driver you need to edit the file: [/etc/X11/xorg.conf] and add the following line in the section Device:

Option "DPI" "90 x 90"

My section device looks like this:

Section "Device"
Identifier "Videocard0"
Driver "nvidia"
Option "AddARGBGLXVisuals" "True"
Option "DPI" "90 x 90"
EndSection


-- Development
--- Some helper programs
#---
yum -y install \
ant
#---


--- My beloved debugging program
#---
yum -y install \
ddd
#---


--- Debug related programs
#---
yum -y install \
gdb \
gcc \
strace \
ltrace
#---


--- Java support:
#---
yum -y install \
gcc-java \
java-1.6.0-openjdk \
java-1.6.0-openjdk-plugin \
java-1.6.0-openjdk-javadoc \
java-1.6.0-openjdk-src \
java-1.5.0-gcj \
java-1.5.0-gcj-devel \
java-1.5.0-gcj-javadoc \
java-1.5.0-gcj-src
#---


--- JBoss support:
#---
yum -y install \
jbossas
#---



--- Eclipse for Java:
#---
yum -y install \
eclipse-platform \
eclipse-ecj \
eclipse-jdt \
eclipse-cvs-client
#---


--- For SVN support:
#---
yum -y install \
rapidsvn \
eclipse-subclipse \
eclipse-subclipse-book
#---


--- For C++ development:
#---
yum -y install \
eclipse-cdt
#---


--- Mylyn plugin:
#---
yum -y install \
eclipse-mylyn \
eclipse-mylyn-ide \
eclipse-mylyn-java \
eclipse-mylyn-bugzilla \
eclipse-mylyn-trac
#---


A note on the docs, you will find them in:

/usr/share/javadoc/java-1.5.0-gcj/
/usr/share/javadoc/java-1.6.0-openjdk/


-- Update your system:
#---
yum -y upgrade
#---


- Install and setup third-party programs
-- VirtualBox/VMware
-- Skype
-- Real Player (check for the RPM version)
-- Sun Java
-- Eclipse

- Setup printers
- Backup [/etc] and [/boot/grub]
#---
tar -czf bkp-system.`/bin/date +"%Y%m%d-%H%M"`.tgz /etc /boot/grub
#---


- Some issues:
Acrobat Reader installs its Firefox/Mozilla plug-in, which has a memory leak. I recommend removing it. To do so:

#---
rm -f /usr/lib/mozilla/plugins/nppdf.so
#---


Related posts:

- SELinux
- Road map for Fedora 11
- Making USB to work with VirtualBox (external link)
- Adding security to SSH

Sunday, September 13, 2009

PHP and Eclipse

This post is because I'm starting to program using PHP and I found no easy documentation explaining how to integrate PHP and Eclipse. I tried PDT (hated it) and Aptana and neither of them actually solved my problem, which was: an IDE with text highlight and a debugger. Aptana is rather confusing (I couldn't figure out how to start a server and connect my PHP to it) and PDT is kind of messy.

The best I could find was a reference at Drupal documentation: http://drupal.org/node/75242#PHPeclipse. The link is http://www.phpeclipse.com/wiki/Howto/XDebugAndPHPEclipse. This was an almost complete documentation and helped me to get the job done.

First of all, the PHPEclipse editor is the best. It actually highlights PHP files, even though they do not possess a ".php" extension. (The other editors just can't tackle this fairly easy task.) And it is really easy to debug your code (there is a catch nonetheless) and start playing around. For this documentation I will not repeat things that are already documented, so you will need to have the documentation below opened:

http://www.phpeclipse.com/wiki/Howto/XDebugAndPHPEclipse

1. Get Eclipse Galileo (the version that I have and on which this documentation is based) at:

http://www.eclipse.org/downloads/

2. Install Subclipse plugin (for SVN):

Eclipse update site:
http://subclipse.tigris.org/update_1.6.x

3. Install PHPEclipse plugin:

Eclipse update site:

http://update.phpeclipse.net/update/stable/1.2.x

3.1. It is VERY important that you disable the DBG plugin. See the "Special Note:" at http://www.phpeclipse.com/wiki/Howto/XDebugAndPHPEclipse

4. Install XDebug (not in Eclipse):

4.1. Get some additional packages:

#---
yum -y install \
php-devel
#---


4.2. Get XDebug source, configure, compile and install it:

#---
cd /tmp
wget http://www.xdebug.org/files/xdebug-2.0.5.tgz
tar -vxzf xdebug-2.0.5.tgz
cd xdebug-2.0.5
phpize
./configure --enable-xdebug
make
mkdir -p /opt/xdebug-2.0.5
cp /tmp/xdebug-2.0.5/modules/xdebug.so /opt/xdebug-2.0.5/
#---


Note: It will be installed at /opt/xdebug-2.0.5/

4.2. Configure the XDebug for the PHP:

#---
cat >> /etc/php.d/xdebug.ini << __END__
;
; Configuration taken from: http://www.phpeclipse.com/wiki/Howto/XDebugAndPHPEclipse
;
[xdebug]
; for non threaded php (debug and inside eclipse)
zend_extension="/opt/xdebug-2.0.5/xdebug.so"
; for threaded php (apache)
; zend_extension_ts="/opt/xdebug-2.0.5/xdebug.so"
xdebug.remote_enable=On
xdebug.remote_autostart=On
xdebug.remote_handler=dbgp
; host where the debug client (Eclipse) runs; takes a single host name or IP address,
; change it if you want to debug from another server/workstation
xdebug.remote_host=127.0.0.1
xdebug.remote_port=9000
xdebug.remote_mode=req
__END__
#---


4.3. Configure your Apache to have an Alias to your workspace, but remember: you HAVE to give permission to the apache user to reach your workspace:

#---
# the apache user needs search (x) permission on every directory in the path
chmod o+x "${HOME}"
chmod -R o+rX "${HOME}/<your workspace>"
echo "Alias /dev \"${HOME}/<your workspace>/<your php project name>\"" > /etc/httpd/conf.d/php-dev.conf
service httpd restart
#---


5. Configure Eclipse to use XDebug:

Follow http://www.phpeclipse.com/wiki/Howto/XDebugAndPHPEclipse from "Test Project" section to the end.

Note: The URL for your project will be: http://localhost/dev/<your PHP file in your workspace>

Note2: When you launch a debug (in Eclipse) you have to switch to the Debug Perspective manually (that is the catch that I mentioned).

Note3: At the "pathmap" configuration (for the PHP XDebug Remote Script) you will use: /home/<your username>/<your workspace>/<your php project name> in both fields (this is due to the fact that you are running the http server locally and using an Alias).

Thursday, August 27, 2009

[updated] GnuPG: PGP under Linux

Install the gnupg:

#---
yum -y install \
gnupg2
#---


To generate a key:

#---
gpg2 --gen-key
#---


To export the public key:

#---
gpg2 -a -o pubkey.asc --export <your email>
#---


To export your private key (for backup purposes only, NOT recommended):

#---
gpg2 -a -o privkey.asc --export-secret-keys <your email>
#---


To import a public key:

#---
gpg2 --import <pubkey file>
#---


To sign a key:

#---
gpg2 --sign-key <key email address>
#---


To encrypt a file, in ASCII mode:

#---
gpg2 -a -o <output file>.asc -r <your email> [-r <recipient's email>] -e <file to encrypt>
#---


To decrypt a file:

#---
gpg2 -o <output file> -d <input file>
#---


If you don't like command line you can try two GUIs:

#---
yum -y install \
kdeutils \
gpa
#---


NOTE: KDEUtils comes with KGpg, which is the better of the two.

[update]

A reader (see his comment below) drew my attention to a missing point: "how to import secret keys to GnuPG?" The answer is: use the old GnuPG for it:

#---
yum -y install \
gnupg
#---


To import secret keys:

#---
gpg --import <key file>
#---


Sorry about the "hackerish" part, but it works.

PGP for Windows users

PGP for Windows:

1. Go to http://www.pgp.com/downloads/desktoptrial/desktoptrial2.html check the box at the bottom of the page and hit "Accept"
2. Fill in the form
3. Hit the Windows XP button and wait for the download link

NOTE: Because you will use the trial version, which will switch to the freeware featured version after 30 days, be aware that only the basic features will remain active. From the agreement form you get:

What functionality continues after 30 days?
The following limited functionality (equivalent to prior versions of PGP Freeware) will continue after the initial 30-day period:

At the end of the trial period, any local disks that have been encrypted using PGP Whole Disk Encryption will automatically decrypt.

PGP file encryption and signing, PGP Zip, “Current Window”, and “Clipboard” functionality will continue to allow encryption, and you will still be able to use the decryption capabilities for all PGP Desktop Trial product functions, thus ensuring that any encrypted data remains accessible.


Installation and configuration (requires a restart at the end of the installation process):

It is pretty straightforward, but you can follow the instructions received with the download link. I'm not going to show how, but some attention must be given to the following points:

Generate your key as the pictures show, if you are concerned with Linux GnuPG compatibility, some encryption algorithms are copyright protected and are not implemented in GnuPG.





To import keys:

1. Open the PGP Desktop: Start -> PGP -> PGP Desktop
2. On PGP Desktop: Menu File -> Import...
3. Select the key file(s)
4. When the keys are on the key list, select all of them
5. Sign them: Menu Keys -> Sign...

To put on your Master Keyring:

1. Open the PGP Desktop: Start -> PGP -> PGP Desktop
2. Select one key (you need to do it "keywise", only one at a time) and: Menu Keys -> Add to Master Keys

To export your public key:

1. Open the PGP Desktop: Start -> PGP -> PGP Desktop
2. Select your key
3. Menu File -> Export -> Key...

NOTE: Do NOT check the "Include Private Key(s)" field.

To encrypt a file:

Right mouse button at the file and: PGP Desktop -> Encrypt to Master Keys...

SSH in a more secure way

SSH is a wonderful tool, I can't praise it enough. But like all powerful tools it requires special attention to its use. In this post I want to put good recommendations into action. The guidelines are:

1. No "root" direct access;
2. Only ONE user should have remote access to the system AND "su" rights;
3. All users with full featured shells, except for the one with "su" rights, should NOT have remote access granted (you can always become any user with the access user);
4. All other users that MUST have remote access MUST have restricted shells, like "rbash".

A. The SSH server configuration at: /etc/ssh/sshd_config

(below is the excerpt from the file with the recommended changes)

# This is the default, but it is important to keep it explicit
Port 22
# ListenAddress is a local address of the server that sshd binds to, not a client address or mask.
# If you have several interfaces, set it to the server's IP address on the network that should reach SSH
# (for example its 192.168.X.X address); 0.0.0.0 listens on all IPv4 interfaces.
ListenAddress 0.0.0.0
# Enforce the use of ONLY the version 2
Protocol 2
# Turns root remote access off
PermitRootLogin no
# Maximum authentication attempts per connection. Failures are logged once half this number is reached
# and the connection is closed at the limit; it does NOT block the client from reconnecting
MaxAuthTries 4
# Maximum number of open sessions per network connection (not per client host)
MaxSessions 4
# This can be a security issue. Suit yourself (I need it for CruiseControl)
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
# I really like PAM
UsePAM yes
# Maximum number of concurrent unauthenticated connections. This can be really annoying if you have several users trying to connect simultaneously, but it helps to slow down brute-force attacks against your server, so keep it low.
MaxStartups 2


B. The PAM setup at: /etc/pam.d/sshd

(add the following line)

auth required pam_listfile.so item=user sense=allow file=/etc/ssh/sshd.allow onerr=fail

This line tells PAM to look in the file /etc/ssh/sshd.allow for the users that are ALLOWED to access your server through SSH. This file should contain only the users that REALLY need direct remote access. The path must match the file created below: with onerr=fail, a missing file denies every login.

#---
cat > /etc/ssh/sshd.allow << __END__
SU_user
rbash_user
__END__
chown root:root /etc/ssh/sshd.allow
chmod 400 /etc/ssh/sshd.allow
#---


C. The IPTABLES part at: /etc/sysconfig/iptables

(Add or modify the following line):

-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

D. Restart the servers:

#---
service sshd restart
service iptables restart
#---
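
A pre-flight check to run before the restart in step D, added here as an example (it is not part of the original post): it confirms that the allow list named in the pam_listfile line exists, is not writable by group or others, and names only real accounts. The function names and the optional passwd-file argument are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: pre-flight check for the pam_listfile allow list (steps B and D).
# Function names and the optional passwd-file argument are this sketch's own.

# Print the file= argument of every active pam_listfile auth line.
listfile_paths() {
    grep -E '^[[:space:]]*auth[[:space:]].*pam_listfile\.so' "$1" |
        tr ' \t' '\n\n' | sed -n 's/^file=//p'
}

# check_allow_list PAM_FILE [PASSWD_FILE]
# Returns 0 when every referenced allow list is usable, 1 otherwise.
check_allow_list() {
    pam_file=$1
    passwd_file=${2:-/etc/passwd}
    problems=0

    paths=$(listfile_paths "$pam_file")
    if [ -z "$paths" ]; then
        echo "FAIL: no pam_listfile line with file= in $pam_file"
        return 1
    fi

    for list in $paths; do
        # With onerr=fail a missing or unreadable list denies every login.
        if [ ! -s "$list" ]; then
            echo "FAIL: $list is missing or empty (onerr=fail locks everyone out)"
            problems=$((problems + 1))
            continue
        fi
        # The list decides who may log in, so only its owner may write it.
        if [ -n "$(find "$list" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "FAIL: $list is writable by group or others"
            problems=$((problems + 1))
        fi
        # Every entry must be a real account; a typo silently denies that user.
        while IFS= read -r user; do
            [ -z "$user" ] && continue
            if ! grep -q -- "^${user}:" "$passwd_file"; then
                echo "FAIL: '$user' in $list is not in $passwd_file"
                problems=$((problems + 1))
            fi
        done < "$list"
    done

    [ "$problems" -eq 0 ] && echo "OK: allow list is consistent"
    [ "$problems" -eq 0 ]
}
```

Run it as `check_allow_list /etc/pam.d/sshd && service sshd restart`, from a session you keep open, so that sshd is only restarted when the list is usable.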


Have fun!!!

Reference:

http://www.cyberciti.biz/tips/linux-pam-configuration-that-allows-or-deny-login-via-the-sshd-server.html

Friday, August 14, 2009

[updated] CruiseControl: Config

Before following this post you need an SVN server (post here) and a CruiseControl server (post here and here).

1. Create a special account, on the SVN server, for getting the source code from the CC server.

The objective here is to do something similar to what is described at http://svn.collab.net/repos/svn/trunk/notes/ssh-tricks

1.1. [SVN Server] On the SVN server:

1.1.1. Add two new SVN access accounts, but without shell access:

#---
useradd svn-ro
useradd svn-rw
usermod --lock svn-ro
usermod --lock svn-rw
#---


1.1.2. Verify if the SSH daemon is setup to accept public key authentication: /etc/ssh/sshd_config

It must have a line with:

PubkeyAuthentication yes

1.2. [CC Server] On the CC server:

1.2.1. Setup the key pair for the cruise user, to be used to authenticate at the SVN server (see documentation here):

a. Enter an EMPTY passphrase for the ssh key pair:

#---
mkdir ~cruise/.ssh
ssh-keygen -q -f ~cruise/.ssh/id_rsa -t rsa
#---


b. Let the user have access to its own keys, but only this user:

#---
chmod -R go-rwx ~cruise/.ssh
chown -R cruise:cruise ~cruise/.ssh
#---


1.2.3. Copy the public key to the SVN server, at the svn-ro user home dir (remember that svn-ro user has no shell access, so do NOT try to transfer the key using the svn-ro account).

#---
scp ~cruise/.ssh/id_rsa.pub <user that HAS shell access in the SVN server>@<SVN server>:
#---


1.3. [SVN Server] Back at the SVN server:

1.3.1. Add the public key to the svn access user's (svn-ro) authorized key ring:

#---
mkdir -p ~svn-ro/.ssh/
mkdir -p ~svn-rw/.ssh/
cat ~<user used to deploy the public key>/id_rsa.pub >> ~svn-ro/.ssh/authorized_keys
cat ~<user used to deploy the public key>/id_rsa.pub >> ~svn-rw/.ssh/authorized_keys
chown -R svn-ro:svn-ro ~svn-ro/.ssh/
chmod -R go-rwx ~svn-ro/.ssh/
chown -R svn-rw:svn-rw ~svn-rw/.ssh/
chmod -R go-rwx ~svn-rw/.ssh/
#---


1.3.2. Edit the authorization key ring file: ~svn-ro/.ssh/authorized_keys AND ~svn-rw/.ssh/authorized_keys

a. It looks like this:

ssh-rsa AAAA<a lot more chars>= root@<CC server name>

b. change it to this:

command="/usr/bin/svnserve -t",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAA<a lot more chars>= root@<CC server name>
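
An added example (not part of the original post) that audits an authorized_keys file for the restrictions introduced in step 1.3.2: every key must carry the forced svnserve command and the four no-* options. The function name audit_authorized_keys is made up for this sketch.

```shell
#!/bin/sh
# Added example: audit an authorized_keys file for the restrictions from step 1.3.2.
# audit_authorized_keys is a name made up for this sketch.

# audit_authorized_keys FILE [FORCED_COMMAND]
# Prints one finding per offending line; returns 0 only if every key is restricted.
audit_authorized_keys() {
    awk -v want="${2:-/usr/bin/svnserve -t}" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
        {
            # Options are whatever precedes the key type; an unrestricted
            # entry starts directly with the key type and has none.
            opts = $0
            if (!sub(/(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-[a-z0-9-]+)[ \t]+AAAA.*$/, "", opts)) {
                printf "line %d: not a recognisable key entry\n", NR
                bad++
                next
            }
            missing = ""
            if (index(opts, "command=\"" want "\"") == 0)
                missing = missing " command"
            low = tolower(opts)                  # option names are case-insensitive
            n = split("no-port-forwarding no-agent-forwarding no-x11-forwarding no-pty", need, " ")
            for (i = 1; i <= n; i++)
                if (index(low, need[i]) == 0)
                    missing = missing " " need[i]
            if (missing != "") {
                printf "line %d: missing%s\n", NR, missing
                bad++
            }
        }
        END { exit (bad > 0) }
    ' "$1"
}
```

On the SVN server, `audit_authorized_keys ~svn-ro/.ssh/authorized_keys` prints nothing and returns 0 once the key line has been edited as in step b.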

1.4. [CC Server] Back to the CC server:

1.4.1. Create the necessary directories for the CC:

#---
mkdir -p /var/spool/cruisecontrol/{projects,logs,artifacts}
chown -R cruise:cruise /var/spool/cruisecontrol/
#---

1.4.1. Try to access the SVN server:

#---
su - cruise
svn list svn+ssh://svn-ro@<SVN server>/var/svn/
logout
#---


2. Configuring a project to be managed under the CC policy:

a. Local working copy (for the CruiseControl): /var/spool/cruisecontrol/projects
b. Special SVN repository for the CruiseControl configuration and building ANT scripts: /var/svn/cruisecontrol
c. A special SVN Project (under the /var/svn/trunk) to hold the main build and JUnit ANT scripts, that is called Master here

2.1. [SVN Server] Create the new CC root at the SVN

#---
svn mkdir -m "Initial setup: CruiseControl development tree" file:///var/svn/cruisecontrol
#---


2.4. [Dev Workstation] Create a project, named Main, and commit/import it to svn+ssh://<SVN server>/var/svn/cruisecontrol

Note.: This project must contain at least one file called build-cc.xml.

2.5. [SVN Server] To keep it simple:

#---
su - <A regular dev user>
mkdir Main
cd Main
cat > build-cc.xml << __END__
<project basedir="." default="main" name="Main">
<target name="main">
<echo message="Working"/>
</target>
</project>
__END__
svn import -m "Initial CruiseControl build file" file:///var/svn/cruisecontrol/Main
#---


2.6. [CC Server] Checkout the CC root from the SVN at the local working dir: /var/spool/cruisecontrol/projects

#---
su - cruise
svn checkout svn+ssh://svn-ro@<SVN Server>/var/svn/cruisecontrol/Main projects/Main
logout
#---


2.3. [CC Server] Create a new config.xml

[UPDATE: NOT WORKING PROPERLY] (Thanks to Leif, see comments below).

#---
cat > /etc/cruisecontrol/config.xml << __END__
<cruisecontrol>
<property name="cruise.working.dir" value="/var/spool/cruisecontrol" />
<property name="cruise.log.dir" value="\${cruise.working.dir}/logs" />
<property name="cruise.projects.dir" value="\${cruise.working.dir}/projects" />
<property name="svn.sandbox.username" value="svn-ro" />
<plugin name="basicproject" classname="net.sourceforge.cruisecontrol.ProjectConfig">
<labelincrementer defaultLabel="\${project.name}-1"
separator="-" />
<listeners>
<currentbuildstatuslistener
file="\${cruise.log.dir}/\${project.name}/status.txt" />
</listeners>
<modificationset quietperiod="30">
<svn LocalWorkingCopy="\${cruise.projects.dir}/\${project.name}" />
</modificationset>
<log>
<merge
dir="\${cruise.working.dir}/projects/\${project.name}/target/test-results" />
</log>
<publishers>
<artifactspublisher
file="\${cruise.working.dir}/projects/\${project.name}/target/\${project.name}.jar"
dest="\${cruise.working.dir}/artifacts/\${project.name}" />
</publishers>
</plugin>
<!-- here you can change the project name, if you decided on something else -->
<project name="Main" buildafterfailed="yes"
forceBuildNewProject="yes">
<bootstrappers>
<svnbootstrapper localWorkingCopy="\${cruise.projects.dir}/\${project.name}"
userName="\${svn.sandbox.username}" />
</bootstrappers>
<schedule interval="10">
<ant antWorkingDir="\${cruise.projects.dir}/\${project.name}"
buildfile="build-cc.xml" />
</schedule>
</project>
</cruisecontrol>
__END__
#---


[UPDATE]

2.4. [CC Server] Restart the server and check if it worked by accessing: http://localhost:8080/dashboard/

3. Have fun, configuring the build-cc.xml and organising your repository and code :-)


Related posts:
Subversion and Apache with PAM
CruiseControl on Fedora: Setup
CruiseControl on CentOS: Setup

CruiseControl on CentOS: Setup

In this post I want to present a simple way to install and configure CruiseControl (hereafter just CC) to run on CentOS. For the configuration part, please refer to the Fedora procedure, since it is the same. The only difference is in how to install the CC to be similar to the RPM installation.

1. Since I could not find any RPM specific for CentOS I have taken the binaries available at CC home-page: http://cruisecontrol.sourceforge.net/download.html

You will also need the following packages:

#---
yum -y install \
ant
#---


And Sun's Java JDK: http://java.sun.com/javase/downloads

2. Decompress the binary package from CC into /opt dir:

#---
unzip cruisecontrol-bin-<VERSION>.zip -d /opt/
ln -s /opt/cruisecontrol-bin-<VERSION> /opt/cruisecontrol
#---


3. Edit the starting script at: /opt/cruisecontrol/cruisecontrol.sh

3.1. Add the following lines, right after the commented CC_OPTS variable:

JAVA_HOME="/usr/java/default/jre"
PATH=${JAVA_HOME}/bin:${PATH}


3.2. Check if the default port is free:

#---
nc -z localhost 8080 || echo "Port is free" # default cruise control port AND tomcat's default port, watch this out
#---


OBS.: It MUST yield nothing but "Port is free". If it returns a "succeeded" it means that the port is occupied and you need to change it to another one.

3.3. Change the final calling statements for:

#---
cat >> /opt/cruisecontrol/cruisecontrol.sh << __END__
# PAY ATTENTION: you ABSOLUTELY need to change the argument in the \"-webport\" if the port 8080 is already occupied
CMD="JAVA_HOME=\${JAVA_HOME:-/usr} \\
PATH=\${JAVA_HOME:-/usr}/bin:\$PATH \\
CC_OPTS=\"\${CRUISE_OPTS:-}\" \\
\$JAVA_HOME/bin/java \\
-Djavax.management.builder.initial=mx4j.server.MX4JMBeanServerBuilder \\
\"-Dcc.library.dir=\$LIBDIR\" \\
\"-Djetty.logs=\$JETTY_LOGS\" \\
-jar \"\$LAUNCHER\" \$@ \\
-configfile /etc/cruisecontrol/config.xml \\
-jmxport \${CRUISE_JMX_PORT:-8000} \\
-rmiport \${CRUISE_RMI_PORT:-1099} \\
-webport \${CRUISE_WEB_PORT:-8080} \\
&"

echo \$CMD
# necessary to make the "out-of-box" version work regardless of the calling point
cd /var/spool/cruisecontrol/
eval \${CMD}
echo \$! > /var/spool/cruisecontrol/cc.pid
__END__
mv /opt/cruisecontrol/cruisecontrol.sh /opt/cruisecontrol/cruisecontrol2.sh
cat > /opt/cruisecontrol/cruisecontrol.sh << __END__
#!/bin/sh
su - cruise -c /opt/cruisecontrol/cruisecontrol2.sh
__END__
chmod 755 /opt/cruisecontrol/cruisecontrol.sh
#---


4. Add the cruise user:

#---
groupadd cruise
useradd \
--comment "CruiseControl User" \
--home-dir "/var/spool/cruisecontrol" \
--gid cruise \
--shell /bin/bash \
cruise
#---


5. Verify if CC is running:

#---
/opt/cruisecontrol/cruisecontrol.sh
#---


5.1. Check if it is up and running by accessing: http://localhost:8080/dashboard (remember that if you changed the default port the value 8080 must be changed as well).

5.2. If it is up and running you may want to make it start when the server starts:

#---
cat >> /etc/rc.local << __END__

# starts the CruiseControl
/opt/cruisecontrol/cruisecontrol.sh
__END__
#---


Related post: CruiseControl on Fedora: Setup

CruiseControl on Fedora: Setup

In this post I want to present a simple way to install and configure CruiseControl (hereafter just CC) to run on Fedora. It is NOT my objective to teach you how each and every option of the configuration file works. For that you have plenty of other sources, such as the official documentation (here) and a pretty good step-by-step install, configure, and use documentation at JavaRanch (here). My objective is to give you an example of how to install and configure a CC server. (I'm one of those guys that learn better with an example.) Feel free to adapt it to your necessities.

http://cruisecontrol.sourceforge.net/main/configxml.html
http://www.javaranch.com/journal/200409/DrivingOnCruiseControl_Part1.html

1. Since I could not find any RPM specific for Fedora I have taken the RPM for OpenSUSE from RPMpbone.net (package list here and here):

You will also need the following packages:
#---
yum -y install \
ant
#---


And Sun's Java JDK: http://java.sun.com/javase/downloads

2. Setup the CC service.

Set it to use the Sun Java (it has serious problems with OpenJDK) by editing the file /etc/default/cruisecontrol and including the following lines before the final line:

JAVA_HOME="/usr/java/default/jre"
PATH=${JAVA_HOME}/bin:${PATH}


2.1. Check if the default port is free:

#---
nc -z localhost 8080 # default cruise control port AND tomcat's default port, watch this out
#---


OBS.: It MUST yield NOTHING. If it returns a "succeeded" it means that the port is occupied and you need to change it to another one. You can change it by giving another port number for the variable CRUISE_WEB_PORT in the file: /etc/default/cruisecontrol

2.2. Start the CC daemon:

#---
service cruisecontrol start
#---


2.3. Check if it is up and running by accessing: http://localhost:8080/dashboard (remember that if you changed the default port the value 8080 must be changed as well).

2.4. If it is up and running you may want to make it start when the server starts:

#---
chkconfig --level 345 cruisecontrol on
#---


Related post: CruiseControl on CentOS: Setup

Tuesday, August 04, 2009

Sending emails from server without a local smtp server

First of all, I do not like to have unnecessary daemons running on a server that are not related to the server's function and the excuse that it is easier that way does not convince me. So here is a cookbook recipe to send emails from a server without using the local smtp server (very useful for CRON scripts and other maintenance scripts).

1. You need to install mailx:

#---
yum -y install \
mailx
#---


NOTE.: For CentOS you will need nail instead of mailx (they crippled mailx in CentOS):

1.1. Install the repository from http://centos.karan.org/:

#---
wget http://centos.karan.org/kbsingh-CentOS-Extras.repo -O /etc/yum.repos.d/kbsingh-CentOS-Extras.repo
#---


1.2. Install nail:

#---
yum --enablerepo=kbs-CentOS-Testing -y install \
nail
#---


2. You need a copy of your SSL root certificates in the server.

2.1. On your client box, transfer your SSL certificates to the server:

#---
scp $HOME/.mozilla/firefox/<something>.default/cert<a number>.db <server ssh user>@<your server>:/path/you/can/write
#---


2.2. Go to the server and put the certificate db at some path your script has access to

3. Create a GMail account, that will be the sender in your scripts (the password will be stored on the script, so do NOT use one of your accounts)

4. In your script, put a line like the following:

#---
mail \
-S smtp-use-starttls \
-S smtp=smtp://smtp.gmail.com:587 \
-S smtp-auth=login \
-S smtp-auth-user=<username gmail>@gmail.com \
-S smtp-auth-password=<the account password> \
-S from="<username gmail>@gmail.com" \
-S nss-config-dir=<where you stored the certificates DB file> \
-S ssl-verify=ignore \
-s "<email subject>" <to whom the email must be sent>
#---


4.1. If you are in a CentOS box, change the command mail for nail in the above command line and all will work perfectly.

Tuesday, July 28, 2009

[updated] Subversion and Apache with PAM

First of all, I'm not an SELinux expert, but it really annoys me from time to time. Let me start with the whole story.

I'm simply trying to install and configure an SVN server, or Subversion if you will. But I definitely want neither something like plain text authentication nor an access without authentication. Therefore I was trying to configure an access tunnelled through SSH (svn+ssh). I tried every cookbook recipe that I could put my hands on. Nothing worked. Then I started trying an SVN+Apache+SSL configuration. A little further but the authentication wasn't working. Then I figured it out: SELinux was the one to blame.

Ok, now that I just whined about SELinux let's go to the problem and how to solve it.

Problem:

- Subversion server (SVN)
- Authentication through system authentication, i.e., the linux users should have access to the SVN without requiring an extra password (the local authentication solution was no good)
- Secure access to the SVN (through SSH or HTTPS)

Solution:

1. VERY, but VERY, important FIRST step:

- reduce the SELinux enforcement level. Adjust the /etc/sysconfig/selinux file to:

SELINUX=permissive # this is definitely enough

1.1. Restart your machine. This is absolutely necessary. If you don't, none of the things will work until you do it.

2. Install the required packages:

2.1. Subversion server:

#---
yum -y install \
subversion
#---


2.2. Cyrus SASL server (to act as a proxy for the authentication):

#---
yum -y install \
cyrus-sasl \
cyrus-sasl-md5 \
cyrus-sasl-plain
#---


2.3. The Apache server and its modules:

#---
yum -y install \
httpd \
mod_auth_shadow \
mod_auth_pam \
mod_dav_svn \
mod_ssl
#---


3. Setup your SVN repository, locally (you can visit the subversion home-page and take a look on the documentation) at, for the sake of an actual example, /var/svn/ :

#---
svnadmin create /var/svn/
svn mkdir -m "Initial setup: main development tree" file:///var/svn/trunk
svn mkdir -m "Initial setup: branches" file:///var/svn/branches
svn mkdir -m "Initial setup: tagged versions" file:///var/svn/tags
#---


3.1. Edit your SVN configuration file /var/svn/conf/svnserve.conf :

[general]
anon-access = none
auth-access = write
realm = test

[sasl]
use-sasl = true
min-encryption = 0
max-encryption = 256


4. Set up the users' group; membership is necessary to have access to the SVN repository:

#---
groupadd svnusers
chgrp -R svnusers /var/svn/
chmod -R ug+rw /var/svn/
usermod -a -G svnusers <user-name that suppose to have access to the SVN>
#---


OBS.: Remember, if you are the user in question you need to log out before trying to access the SVN. The change will only take effect on the NEXT login.

4.1. Setup the apache user to be able to read the /etc/shadow file:

#---
groupadd shadow-readers
usermod -a -G shadow-readers apache
chgrp shadow-readers /etc/shadow
chmod g+r /etc/shadow
#---


OBS.: This is a security problem; minor, but still: every process running as the apache user can now read the password hashes in /etc/shadow. Be aware of that!
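
One way to see which accounts gain read access to the password hashes after step 4.1, as an added example (not part of the original post). The function reads the file's mode and group from ls -ln and lists the accounts in that group; the function names, the temporary demo files and the "backup" account are made up for the illustration.

```shell
#!/bin/sh
# Added example: list the accounts that can read FILE through its group bit.
# shadow_readers FILE GROUP_DB PASSWD_DB   (function name is hypothetical)
shadow_readers() {
  file=$1 group_db=$2 passwd_db=$3
  set -- $(ls -ln "$file")            # $1 = mode string, $4 = numeric gid
  mode=$1 gid=$4
  case $mode in
    ????r*) ;;                        # group-read bit is set, keep going
    *) return 0 ;;                    # group cannot read: nothing to report
  esac
  {
    # supplementary members of the owning group
    awk -F: -v g="$gid" '$3 == g { n = split($4, m, ",")
                                   for (i = 1; i <= n; i++) print m[i] }' "$group_db"
    # accounts whose primary group is the owning group
    awk -F: -v g="$gid" '$4 == g { print $1 }' "$passwd_db"
  } | sort -u
}

# Constructed demo data (not a real system): a stand-in shadow file whose
# group has apache as a member, as after step 4.1, plus a made-up "backup"
# account that has the same group as its primary group.
demo_shadow_readers() {
  d=$(mktemp -d) || return 1
  : > "$d/shadow" && chmod 640 "$d/shadow"
  set -- $(ls -ln "$d/shadow")
  printf 'shadow-readers:x:%s:apache\n' "$4" > "$d/group"
  printf 'apache:x:48:48::/var/www:/sbin/nologin\n' > "$d/passwd"
  printf 'backup:x:901:%s::/:/sbin/nologin\n' "$4" >> "$d/passwd"
  shadow_readers "$d/shadow" "$d/group" "$d/passwd"
  rm -rf "$d"
}

demo_shadow_readers
# On the server itself: shadow_readers /etc/shadow /etc/group /etc/passwd
```

The demo prints apache and backup: the second account is the kind of reader that is easy to miss, because it never appears in the member list of the group.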

5. Setup the Cyrus SASL:

5.1. The SVN part of the SASL, in the file (which you need to create) /etc/sasl2/svn.conf:

#---
cat > /etc/sasl2/svn.conf << __END__
pwcheck_method: saslauthd
__END__
#---


5.2. Set the SASL server to use PAM as the authentication method, in the file /etc/sysconfig/saslauthd :

MECH=PAM

6. Setup the Apache server:

6.1. Add the apache user to the svnusers group, this is necessary for the apache to be able to read the files to show you:

#---
usermod -a -G svnusers apache
#---


6.2. Change Apache default group in the file /etc/httpd/conf/httpd.conf to be the svnusers:
Group svnusers

OBS.: Note that this is an alternative solution. The conventional solution would be to set the owner of your repository to be the apache user:

#---
chown -R apache:svnusers /var/svn/
#---


6.3. I suppose you want an SSL server, so edit the file /etc/httpd/conf.d/subversion.conf :

#---
cat > /etc/httpd/conf.d/subversion.conf << __END__
LoadModule dav_module modules/mod_dav.so
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule auth_pam_module modules/mod_auth_pam.so
LoadModule ssl_module modules/mod_ssl.so

# Comments are on their own lines: Apache does not accept them after a directive.
# PAY ATTENTION TO THIS: the URL path under which the repository is served
<Location /repos>
DAV svn
# PAY ATTENTION TO THIS: the repository path from step 3
SVNPath /var/svn/
AuthType Basic
AuthPAM_Enabled on
AuthShadow on
AuthName "test"
Order allow,deny
Allow from all
# since you are restricting to the svnusers ...
# PAY ATTENTION TO THIS: the group from step 4
Require group svnusers
# Limit write permission to list of valid users.
<LimitExcept GET PROPFIND OPTIONS REPORT>
# Require SSL connection for password protection.
# Placed here, SSLRequireSSL covers only the methods not listed above;
# reads over http:// still send the Basic password unencrypted.
SSLRequireSSL
Require user valid-username
</LimitExcept>
</Location>
__END__
#---


7. Setup the PAM part:

7.1. The PAM file for the SVN, in the file /etc/pam.d/svnserve :

#---
cat > /etc/pam.d/svnserve << __END__
#%PAM-1.0
auth required pam_sepermit.so
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
__END__
#---


OBS.: This is the part that will be used when accessing the SVN through an SSH connection, like:

#---
svn list svn+ssh://<user-name that suppose to have access to the SVN>@localhost/var/svn
#---


7.2. The PAM file for Apache, in the file /etc/pam.d/httpd (the same as above):

#---
cat > /etc/pam.d/httpd << __END__
#%PAM-1.0
auth required pam_sepermit.so
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
__END__
#---


OBS.: This is the part that will be used when accessing in the browser: https://localhost/repos/

8. Put the services to start at boot time:

#---
chkconfig --level 345 httpd on
chkconfig --level 345 saslauthd on
chkconfig --level 345 sshd on
#---


8.1. Start the services now to test them:

#---
service httpd start
service saslauthd start
service sshd start
#---


8.2. Check if the services are actually on and serving:

OBS.: For this part you will need the "nc", so:

#---
yum -y install \
nc
#---


For all tests the response should be:

Connection to localhost port [tcp/https] succeeded!

#---
nc -z localhost 22 || echo "SSH is not running" # ssh
nc -z localhost 80 || echo "HTTP is not running" # http
nc -z localhost 443 || echo "HTTPS is not running" # https
#---


9. Check with a real example:

9.1. SSH access:

#---
svn list svn+ssh://<user-name that suppose to have access to the SVN>@localhost/var/svn/
#---


9.1.1. If you have something to import already:

#---
svn import svn+ssh://<username that suppose to have access to the SVN>@localhost/var/svn/trunk/ -m "Import version"
#---


OBS.: Check that it is there by running the command before this last one.

9.2. HTTPS access (in a browser):

https://localhost/repos/

OBS.: It will ask for your user name and password; provide them and this should let you see the repository.

9.3. Eclipse url:

svn+ssh://localhost/var/svn/

10. Possible problems:

10.1. Nothing works. Did you reboot your machine, as said in step 1.1?
10.2. No other machine, besides the one where the server is, can access the repository. Check the IPTABLES (out of the scope of this post)
10.3. Permission denied. Did you log out before trying to access (see OBS in step 4)?
10.4. Some other problem. Check the following log files:

/var/log/messages # for daemon startup problems
/var/log/secure # for ssh/authentication errors
/var/log/audit/audit.log # typically for SELinux errors and general permission errors
/var/log/httpd/error_log # for regular http errors
/var/log/httpd/access_log # for regular http access log
/var/log/httpd/ssl_error_log # for https errors
/var/log/httpd/ssl_access_log # for https access log

10.4.1. Increase the log verbosity:

A. SASL: add the following line to the file /etc/sasl2/svn.conf:
log_level: 7 # the maximum log level

B. PAM: add, after each line in the PAM files, /etc/pam.d/{svnserve,httpd}, the "debug" string, like in:
auth required pam_sepermit.so debug

C. HTTP: edit the file /etc/httpd/conf/httpd.conf and change the "LogLevel" line to the following:
LogLevel debug

D. Restart all services and start analysing the log files.
#---
service httpd restart
service saslauthd restart
#---
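
Since step 1 leaves SELinux in permissive mode, the denials it would have enforced are still written to /var/log/audit/audit.log. The following added example (not part of the original post) condenses those AVC records into one line per distinct denial, which shows what the setup does that the policy objects to; the function names and the sample records are constructed for the illustration.

```shell
#!/bin/sh
# Constructed sample records (not from a real host) in the format auditd
# writes to /var/log/audit/audit.log.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1260187200.101:41): avc:  denied  { read } for  pid=2101 comm="httpd" name="shadow" dev=dm-0 ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1260187200.101:41): arch=40000003 syscall=5 success=yes exit=3 comm="httpd"
type=AVC msg=audit(1260187201.220:42): avc:  denied  { read } for  pid=2102 comm="httpd" name="shadow" dev=dm-0 ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1260187260.007:57): avc:  denied  { write } for  pid=2101 comm="httpd" name="db" dev=dm-0 ino=2207 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir
EOF
}

# summarize_avc: read audit records on stdin and print one line per distinct
# denial: "<count> <command> <source type> <target type>:<class> <permissions>"
summarize_avc() {
  awk '
    # value of key=value in the current record, quotes stripped; a value
    # containing spaces is cut at the first space
    function field(key,    s, i) {
      i = index($0, " " key "=")
      if (i == 0) return "-"
      s = substr($0, i + length(key) + 2)
      sub(/ .*/, "", s)
      gsub(/"/, "", s)
      return s
    }
    # third component of user:role:type:level
    function setype(ctx,    p) { split(ctx, p, ":"); return p[3] }
    /^type=AVC / && / denied / {
      perms = $0
      sub(/^[^{]*[{] */, "", perms)
      sub(/ *[}].*/, "", perms)
      src = setype(field("scontext"))
      tgt = setype(field("tcontext")) ":" field("tclass")
      seen[field("comm") " " src " " tgt " " perms]++
    }
    END { for (k in seen) print seen[k], k }
  ' | sort -k1,1nr -k2
}

sample_audit_log | summarize_avc
# On the server: summarize_avc < /var/log/audit/audit.log
```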


[update]
Windows Eclipse users cannot benefit from this directly, they need an extra step. The procedure is at: http://www.woodwardweb.com/java/howto_configure.html or at http://stackoverflow.com/questions/620223/svn-ssh-question-in-windows

The basic configuration is to set a new environment variable for the SVN_SSH shell:

1. Download and install TortoiseSVN (link here)
2. Set-up the SVN_SSH variable:

Start -> Control Panel -> System -> Advanced (Tab) -> Environment Variables (Button)

2.1. At "User Variables" click at New... and fill the fields:

Variable name: SVN_SSH
Variable value: C:\\Program Files\\TortoiseSVN\\bin\\TortoisePlink.exe -l <ssh username>

OBS1.: Notice that the path may change according to your installation or Windows language.

OBS2.: Do NOT forget the "-l <ssh username>" part or else you will be asked about your login for each and every file you check out in eclipse.

3. Set-up Eclipse:

3.1. Add Subclipse:
Update site: http://subclipse.tigris.org/update_1.6.x

3.2. Set-up SVN modus to use SVNkit:
Window -> Preferences -> Team -> SVN
SVN Interface:

4. To remove Eclipse repository "remembering" data, remove all: <path to workspace>/.metadata/.plugins/org.tigris.subversion.subclipse.*
5. Also remove the $ECLIPSE_HOME/configuration/org.eclipse.core.runtime/.keyring (reference here)

Friday, July 10, 2009

JBoss AS 4.2.3

Installing JBoss AS 4.2.3 is pretty straightforward, with one little trick. Visit my Fedora road map and add the JPackage repository for version 5.0. After that just execute the following:

#---
yum -y install \
jbossas \
sun-jaxb-1.0-api \
sun-jaxb-1.0-impl \
sun-jaxb-2.1-api \
sun-jaxb-2.1-impl \
jbossweb-repolib
#---


The trick is not in installing it but in running it. For development you are usually on a desktop and you probably specified an invalid DNS computer name; I do. To find out what yours is:

#---
hostname
#---


To check if your name is right:

#---
ping `hostname`
#---


Mine returns: ping: unknown host note.tarja

So why am I telling you this? Because when running JBoss locally it will ignore your IP configuration and use the "name" returned by hostname. To avoid getting too much of a headache, fix it right now with:

#---
echo "127.0.0.1 `hostname`" >> /etc/hosts
#---


And check it once again:

#---
ping `hostname`
#---


Now you can run your JBoss with this little bastard out of your way.

Wednesday, July 01, 2009

My Fedora 11 road map

- Basic system setup
-- Adjust [/etc/resolv.conf]
-- Adjust [/etc/fstab]
-- Adjust [/etc/sysconfig/network-scripts/ifcfg-eth0]

- Add repositories:
-- RPM Fusion (free)
-- RPM Fusion (non-free)
-- Adobe (flash plugin)

-- JPackage:

#---
wget http://www.jpackage.org/jpackage17.repo -O /etc/yum.repos.d/jpackage.repo
#---


--- Edit the /etc/yum.repos.d/jpackage.repo file:

If you want to work with J2EE, JBoss, and such change it to the following:
[jpackage-generic]
name=JPackage (free), generic
mirrorlist=http://www.jpackage.org/mirrorlist.php?dist=generic&type=free&release=5.0
failovermethod=priority
gpgcheck=1
gpgkey=http://www.jpackage.org/jpackage.asc
enabled=1



[update: remove before installing, thanks to a reader comment]
-- Remove things I do NOT like (do not remove xine if you prefer KDE):

--- Multimedia players that do not play divx/mp3 and stays as default for video and audio files:
#---
yum -y erase \
xine \
gxine* \
totem*
#---


--- This is REALLY annoying, it prevents mplayerplug-in from working properly:
#---
yum -y erase \
mozplugger
#---


-- Update your system:
#---
yum -y upgrade
#---


- Install additional software:
-- Multimedia:
#---
yum -y install \
mplayer \
mencoder \
live555 \
gecko-mediaplayer \
gnome-mplayer \
vlc \
grip \
flash-plugin \
AdobeReader_enu \
k3b \
k3b-extras-nonfree
#---


-- Torrent with transmission
#---
yum -y install \
transmission
#---


-- Spell-checking
#---
yum -y install \
hunspell \
aspell \
gtk-spell \
aspell-en \
hunspell-en
#---


--- Additional languages: German (de), Spanish (es), and Portuguese from Brazil (br)
#---
yum -y install \
aspell-de \
hunspell-de \
aspell-es \
hunspell-es \
aspell-br \
hunspell-br
#---


-- Email with sylpheed-claws
#---
yum -y install \
bogofilter \
enchant \
enchant-aspell \
claws-mail \
claws-mail-plugins
#---



-- XMMS with its most precious plug-ins
#---
yum -y install \
xmms \
xmms-libs \
xmms-skins.noarch \
xmms-mp3 \
xmms-faad2 \
xmms-flac \
xmms-wma \
xmms-cdread \
xmms-arts \
xmms-esd \
xmms-musepack \
xmms-acme
#---


-- Pidgin, a very good IM client
#---
yum -y install \
pidgin \
pidgin-guifications \
pidgin-libnotify \
pidgin-otr \
purple-plugin_pack-pidgin \
purple-plugin_pack-pidgin-xmms
#---


-- For kernel modules
#---
yum -y install \
kernel-devel \
kernel-PAE-devel \
kernel-headers
#---


-- Nautilus plug-ins
#---
yum -y install \
nautilus-open-terminal \
nautilus-search-tool \
nautilus-flac-converter \
nautilus-extensions
#---


-- Misc
--- Diagrams and images, usually old stuff that I'm used to
#---
yum -y install \
graphviz \
dia \
gv \
xfig \
xpdf \
eog \
gnuplot \
grace
#---


--- Editors and related
#---
yum -y install \
gvim \
kile \
dictd \
diction
#---


--- My beloved spreadsheet program
#---
yum -y install \
gnumeric
#---


--- Compression related programs
#---
yum -y install \
unrar \
p7zip
#---


--- Administration related programs
#---
yum -y install \
nmap \
mc \
tsclient \
rdesktop
#---


--- NVIDIA
#---
yum -y install \
kmod-nvidia-PAE \
xorg-x11-drv-nvidia
#---

-- Note about the driver:
It messes the font resolution up (IMHO). So to keep the same aspect between the normal driver and the NVIDIA driver you need to edit the file: [/etc/X11/xorg.conf] and add the following line in the section Device:

Option "DPI" "90 x 90"

My section device looks like this:

Section "Device"
Identifier "Videocard0"
Driver "nvidia"
Option "AddARGBGLXVisuals" "True"
Option "DPI" "90 x 90"
EndSection


-- Development
--- My beloved debugging program
#---
yum -y install \
ddd
#---


--- Java support:
#---
yum -y install \
gcc-java \
java-1.6.0-openjdk \
java-1.6.0-openjdk-plugin \
java-1.6.0-openjdk-javadoc \
java-1.6.0-openjdk-src \
java-1.5.0-gcj \
java-1.5.0-gcj-devel \
java-1.5.0-gcj-javadoc \
java-1.5.0-gcj-src
#---


--- JBoss support:
#---
yum -y install \
jbossas
#---



--- Eclipse for Java:
#---
yum -y install \
eclipse-platform \
eclipse-ecj \
eclipse-jdt \
eclipse-cvs-client
#---


--- For SVN support:
#---
yum -y install \
rapidsvn \
eclipse-subclipse \
eclipse-subclipse-book
#---


--- For C++ development:
#---
yum -y install \
eclipse-cdt
#---


--- Mylyn plugin:
#---
yum -y install \
eclipse-mylyn \
eclipse-mylyn-ide \
eclipse-mylyn-java \
eclipse-mylyn-bugzilla \
eclipse-mylyn-trac
#---


A note on the docs, you will find them in:

/usr/share/javadoc/java-1.5.0-gcj/
/usr/share/javadoc/java-1.6.0-openjdk/


-- Update your system:
#---
yum -y upgrade
#---


- Install and set up third-party programs
-- VirtualBox/VMware
-- Skype
-- Real Player (check for the RPM version)
-- Sun Java
-- Eclipse

- Setup printers
- Backup [/etc] and [/boot/grub]
#---
tar -czf bkp-system.`/bin/date +"%Y%m%d-%H%M"`.tgz /etc /boot/grub
#---


- Some issues:
Acrobat Reader installs its Firefox/Mozilla plug-in, which has a memory leak. I recommend removing it. To do so:

#---
rm -f /usr/lib/mozilla/plugins/nppdf.so
#---


Related posts:

- SELinux
- Road map for Fedora 10
- Making USB to work with VirtualBox (external link)