If you are wondering about the Git vs Mercurial (Hg) debate, don’t bother. Both work well and can even be used in tandem. The focus here will be on Git because it has alphabetical priority, and Joel has already written Hg Init: a Mercurial tutorial.

For experienced developers, the hardest part about learning Git is unlearning Subversion or other legacy VCS. Here are a few things to keep in mind (if you get bored, just substitute “jedi” for “repository”):

• Any repository can be cloned.
• Any repository can be a master.
• Distributed VCS doesn’t mandate distribution.
• Local changes: checkout, commit
• Remote changes: pull, push

A New Repository

Don’t be put off the ‘distributed’ bit, git is perfectly happy to have just one folder — repository and working copy all rolled into one:

mkdir /srv/git/foo
cd /srv/git/foo
git init
# add some files
git add .
git commit -m'initial checkin'

So Git scales down nicely, but with shared repositories it is important to know that Git will grouse if asked to push changes to a destination where files are checked out. This problem is easily avoided with a bare repository, essentially a repository which cannot have files checked out locally:

mkdir /srv/git/foo
cd /srv/git/foo
git --bare init

Send in the Clones

Where git repositories already exist, new ones can be cloned; optionally, the new clone can be –bare:

# new working copy:
git clone ssh://user@gitserver/srv/git/foo
git pull
 
# bare clone:
git clone --bare ssh://user@gitserver/srv/git/foo
git pull

Go with the Workflow

Much of the Git workflow is straightforward, especially if your working copy was cloned from a (bare) master repository:

# get the latest changes
git pull
 
# make some changes
find . -type f -exec dd if=/dev/zero of={} count=1 \;
 
# oh crap! I just (sort of) Zeroed all my files
# no worries, just abandon the changes
 
git checkout .
 
# double check
git status
 
# make changes worth keeping
# ... then commit
git commit -a
 
# need to amend the last check-in message?
git commit --amend
 
# push local changes to master
git push

There’s enough to jump in and get into trouble with git; to find out more, try the following resources:

• Git Documentation
• Git Tools & Hosting
• Why is it called “git”?

The configuration has fairly sensible defaults, but certain parameters merit careful consideration. In the common case of port scans from an interminable list of different source IP addresses, it probably makes sense to periodically purge hosts.deny (e.g. PURGE_DENY = 5d) while setting a threshold for permanent banishment (e.g. PURGE_THRESHOLD = 2).

The ability to set a lower threshold for failed logins to specific accounts (e.g. root, nobody, www-data) is nice, but the default configuration sets different thresholds for valid vs invalid user accounts. This seems unnecessary, as any attacker is unlikely to guess the password for an account which does not exist; moreover, this configuration makes it possible to enumerate valid login accounts. The best threshold value depends on how many legitimate shell users exists, whether authentication is interactive or dual key, etc., but I strongly recommend setting DENY_THRESHOLD_INVALID and DENY_THRESHOLD_VALID to the same value.

Perhaps my favorite feature of Denyhosts is the ability to enable server synchronization (SYNC_SERVER), which allows the server to share blocked IP addresses with a central server at denyhosts.net. Whilst it would be nice if the author would publish the XML RPC server daemon under an open source license, the availability of an active public server seems have sufficiently offset the incentive to reinvent this particular wheel.

A fix was recently released for an ec2 kernel bug causing high load averages to be reported. The new kernel package was linux-image-2.6.32-309-ec2 and aptitude reports the exact version:

% aptitude show linux-image-2.6.32-309-ec2 | grep Version
Version: 2.6.32-309.18

We can get a list of available kernels with ec2-describe-images, official Ubuntu kernels are owned by account #099720109477. We can filter the results based on the image name, the following example (edited for brevity) shows stable kernels for Ubuntu Lucid:

% ec2-describe-images -o 099720109477 \
    --filter name=ubuntu-kernels/ubuntu-lucid-i386\*
IMAGE	aki-754aa41c	... linux-image-2.6.32-305-ec2 ...
IMAGE	aki-5037dd39	... linux-image-2.6.32-308-ec2 ...
IMAGE	aki-3204f15b	... linux-image-2.6.32-308-ec2 ...
IMAGE	aki-6603f70f	... linux-image-2.6.32-309-ec2 ...

While not shown above, the full version is displayed; however in this case there is only one kernel in the 2.6.32-309 series. This is easily seen by altering the example filter to ubuntu-kernels\*/ubuntu-lucid-i386\*, which will include images from ubuntu-kernels-testing, ubuntu-kernels-sandbox, etc. The second column lists the kernel ID, which may be used with ec2-modify-instance-attribute to actually change the kernel used by an EC2 instance:

ec2-modify-instance-attribute --kernel aki-6603f70f ${instance_id}

A list of your instances and the current kernels is conveniently displayed with ec2-describe-instances as well as the AWS Management Console.

Eventually the Ubuntu package maintainers would like to have the package manager (at a minimum) provide specific instructions whenever a new kernel is available; until they do, or Amazon adds such a feature to the AWS Console, this is the way to upgrade the kernel on EC2 instances.

I don’t work for MySQL, so I shan’t extol it’s virtues in any detail, but having installed it on Ubuntu 10.10, it does seem to be a robust and feature rich application for SQL Development, Data Modelling, and Server Administration. There is, however, one feature I will praise as brilliant forward thinking: built in support for MySQL connections over SSH (see screenshot below).

“A good solution applied with vigor now is better than a perfect solution applied ten minutes later.”
- General George Smith Patton III (source)

Most readers are probably familiar with X.509 certificates as used with TLS/SSL to secure websites with strong encryption. For commercial websites, this usually means presenting a digital certificate which has been verified and signed by a certificate authority , once the secure connection is established, user credentials are passed, e.g. username/password; however, X.509 certificates may also be used on the client side to supplement or even eliminate the need for users to enter passwords.

Intranets and temporary web applications are two examples wherein developers may choose to forgo the use of a widely accepted certificate authority in favor of a self-signed certificate. Naturally, this is a compromise which may or not impinge overall security depending on factors which will not be considered here.Strictly considered, this text has little information on security at all, rather, it is simply outlines an expedient way to set up X.509 client certificate authentication.

1. The Server Certificate

The following command will generate a self-signed web certificate and unencrypted key (no password required).

openssl req -new -x509 -nodes -out server.crt -keyout server.key -days 1825 \
 -subj "/C=US/ST=NY/O=Example Inc/CN=example.com/emailAddress=info@example.com/"

2. Configuring Apache

This example illustrates enabling SSL in the apache config, note that because this is a self signed certificate, the same file is used for the Certificate and CA Certificate. The <Location> directive specifies where client certificates will be required; visit the Apache site for additional relevant directives.

  DocumentRoot /var/www/example.com
  ServerName example.com
  ServerAlias *.example.com
 
  SSLEngine on
  SSLCertificateFile conf/ssl/example.crt
  SSLCertificateKeyFile conf/ssl/example.key
  SSLCACertificateFile conf/ssl/example.crt
 
    SSLRequireSSL
    SSLVerifyClient require
    SSLVerifyDepth 10

3. Client Certificates

The server certificate is used to generate a client certificate using the PKCS#12 standard

openssl pkcs12 -export -out example.pfx -in example.crt -inkey example.key \
-name "Example Client Certificate"

If a password was entered during the previous command, users will need to enter the same password when installing the certificate. Firefox users can import example.pfx by navigating through:

Prefs ⇨ Encryption ⇨ View Certs ⇨ Your Certs ⇨ Import

Upon visiting https://example.com/clients users will be prompted to present the client certificate.

I generally favor ‘net neutrality, and I certainly don’t take a kindly view of the arbitrary packet discrimination employed by unscrupulous companies; left unchecked, such practices easily (perhaps inevitably) lead to “the pseudo service scenario of bribery … extortion“, but the same slippery slope analogy could slide the other way. Had the appellate court ruled in favor of the F.C.C. it would have set a precedent for allowing a regulatory authority to essentially invent new powers not specifically delegated to it by any act of Congress. If you would prefer that Congress pass such a law, you may wish to ask your representatives to support H.R. 3458.

Now some may ask, “Why automount removable media at all?” It is unwise to remove an active device, such as unplugging a USB drive without first unmounting it, and automounting may encourage this sort of recklessness. I don’t contend this, but if one runs a server using an external USB drive, there are two words which should spark an immediate interest in automatic mounts: power failure.

To manually mount an external USB drive, a user might enter a command such as: mount /dev/sdd1 /mnt/usbdrive. Naturally this assumes that sdd1 is the correct device node, and that’s the thing about mounting things like USB drives– there is no guarantee which device node it will use.

Fortunately UDEV, which is what handles all those devices in the /dev directory, has a rules syntax to control how those device nodes are named and what happens next. I’ll explain briefly how to automount a USB drive, but readers looking for detailed information about UDEV rules should consult Writing udev rules by Daniel Drake as well as the udev man page (man udev).

Start by plugging in the device you want to mount, for these examples I have used a USB thumbdrive.  Run dmesg and look for something like:

[6388458.851691]  sdb: sdb1
[6388458.852594] sd 15:0:0:0: [sdb] Attached SCSI removable disk
[6388458.852635] sd 15:0:0:0: Attached scsi generic sg2 type 0

This tells me that the assigned device node is /dev/sdb1. To find out more about that device, run: udevinfo -a -p /sys/block/sdb and look for a single block of text that has a useful attribute– a single rule may only match elements from a single block. In the example below, I’ve highlighted two lines I can use in my rule:

looking at parent device '/devices/pci0000:00/0000:00:02.1/usb2/2-5/2-5.1':
KERNELS=="2-5.1"
SUBSYSTEMS=="usb"
DRIVERS=="usb"
ATTRS{dev}=="189:152"
... lots more ATTRS ...
ATTRS{manufacturer}=="Prolific Technology Inc."
ATTRS{product}=="USB Mass Storage Device"


I now have four bits of information I can use to write a useful rule:

• The device node will be similar to /dev/sdb1, which I can match with sd?1
• SUBSYSTEMS==”usb”
• ATTRS{product}==”USB Mass Storage Device”
• I want to run /bin/mount and mount the device at /mnt/usb

After looking up the correct syntax in the man page, I wrote my rule like so:

KERNEL=="sd?1", SUBSYSTEMS=="usb", ATTRS{product}=="USB Mass Storage Device",
↪ RUN+="/bin/mount /dev/%k /mnt/usb"

This I saved in a file at /etc/udev/rules.d/10-codefix.rules. The rule should be picked up automatically, but one can always run sudo udevcontrol reload_rules or sudo /etc/init.d/udev reload.

With the device attached, this rule can be tested with udevtest /sys/block/sdb/sdb1 usb. If the rule is correct, the output of udevtest will include the mount command.

1. Defective hardware.

If there is a working volume control in Applications  Sound & Video ⇨ Volume Control or Applications ⇨ Sound & Video ⇨ AlsamixerGui, or on the desktop toolbar, then defective hardware is less likely. On new installations, the case may be simply that the Master or PCM channel is muted. If no sound card is detected these controls should be “grayed out” and unusable. If the volume controls are missing or disabled (i.e. you cannot move the slider control), you can confirm the diagnosis by following the instructions in the next section, then take the machine back to the shop that sold it to you or seek assistance from a professional.

2. Incorrectly detected hardware.

Whether or not volume controls work, it is worthwhile to check whether and what devices have been detected by Linux.  Most Linux distributions should have the command line tool lspci or lshw available, however hardinfo provides a nice graphic interface & report generation. Ubuntu users can install it via the package manager or at the command line with: sudo aptitude install hardinfo

The menu icon should appear in Applications ⇨ System Tools ⇨ System Profiler & Benchmark but may also be launched with at a command line: sudo hardinfo

In any case, the audio device will be listed under PCI devices. The reported device should be compared with the actual installed hardware to determine if it was correctly detected. If no audio device is listed, then this is a clear indication of missing or defective hardware.

3. Application Issues

If the hardware appears to be correctly identified and in good working order, the Master and PCM channels are enabled and volumes are set sufficiently high, speakers are plugged in and their volume is also turned up, and you are still unable to produce any sound in any application, professional assistance is probably in order. Those who are brave, foolish, lucky, or eager to learn can poke around online for reports of similar issues, in particular, users of Ubuntu Karmic (or any derived distributions) should check Ubuntu’s Karmic Caveats as well as the Ubuntu Multimedia & Video Forums as many users have reported issues related to the Pulse Audio sound server.

If you’re still stuck after all the above, your best bet is to seek out your local Linux User’s Group where you are sure to find someone willing to help.

I don’t often have the opportunity to experiment on computers running Windows, but every once in a long while it simply cannot be avoided. I recently found myself wanting to look up a password in Revelation, a password manager for the Gnome Desktop on Linux; I have previously written about using OpenSSH’s ProxyCommand directive to tunnel through a firewall and forward X11 (GUI) applications remotely from a an isolated workstation on a private LAN, the difference here was that I needed to forward that application to a Windows workstation.

I haven’t used Windows enough to do this sort of thing for about ten years, so it took a bit of fiddling, but I eventually worked out the following methodology. Like the other posts in this series, it is assumed that the reader is familiar with the basics, specifically the use of PuTTY and Pageant to log in to Linux hosts using ssh keys; a windows installer is available to install all needed utilites, but the only others used in this experiment were PuTTYgen (to generate an SSH key) and plink which I simply tossed in the Windows directory so I wouldn’t need a full path in the local proxy command (below). Some additional software is needed to run X Windows applications on Windows, and in this case I used Xming. I had never used Xming before, and may never need it again, but I was impressed that it was as easy as point, click, run– as long as it’s running in the background, it will do what’s needed. All the configuration is done in PuTTY.

Session Settings
A proxy connection has only a few specific settings, all others can be left at default values or the user’s preference; this screen shot is only included to emphasize that the Session Host is the box on the private LAN running the application we want, not the proxy host which has the public Internet connection we will be using.

Proxy Settings
The proxy hostname is the box with the public connection; it will use the local proxy command to connect our SSH client to the session host specified on the previous screen. Note that SSH will only use the Auto-login username (Connection=>Data=>Login Details) with the session host, which is why I have specified a username here.

X11 Forwarding
There is nothing complicated about the X forwarding settings, this must be enabled in PuTTy, as well as on the remote Linux box, and on the proxy. In my case, the proxy was an Ubuntu server not running X Windows, so I first had to install xauth (sudo aptitude install xauth).