Tuesday, 28 November 2017

JCL's Forex Trading Group


JCL Capital, a leading provider of foreign exchange currency trading and education, today announced open enrollment to the Conquering the Markets forex trading group, which today has 110 traders around the world. The groups are led by founder and forex mentor Jordan Lindsey.

Member Tom G says: "I have been a member for several months now. You can't beat the price compared to other services, and the mentor of the group, Jordan Lindsey, has a true passion for helping you learn to trade forex. Jordan is always available in his chat room. There is always someone willing to help, because he has built an environment among the members that reflects his willingness to share and help fellow members. You can truly start from scratch and learn your way up. All of Jordan's trading methods include detailed explanations, money management methods and risk management methods. By the way, his trading methods are also profitable. Everyone is held to a high standard of helping each other make profitable trades."

"The Conquering the Markets trading group is in no way a signal service, and I would not label it a trading system either. It is a group where I teach members to trade with my methods and rules. We have a chat room where members can receive real-time help from myself or other members. It is in the chat room that the group develops a sense of community while interacting with each other. Updates are sent out by me through the Yahoo group. I also hold training sessions where up to 10 members can view my screen on their home computers and ask questions," stated Jordan. "It is a unique and special place that I prefer not to label among other forex services. We are a group that trades only my rules and methods in a positive, supportive environment," added Jordan.

About JCL Capital.
An investment group that follows Jordan's rules and methods for trading the forex markets, giving average investors the opportunity for significant returns every month. The trading group, called JCL's Forex Trading Group, includes training and support from Jordan himself to reach investment goals. For more information about JCL's Forex Trading Group, please visit or.

Country of origin for 12.3% of all visits is South Africa. It is about 10,180 miles away from the server location (USA), and such a long distance can negatively affect the website's speed, as it takes some time for data to travel back and forth between those locations. That is why one of the best ways to improve page load time for the majority of users is to move the server to South Africa, or simply closer to the user base. The language claimed in the HTML meta tag should match the language actually used on the website; otherwise it can be misinterpreted by Google and other search engines. Our service has detected that English is used on the page, and it matches the claimed language. Our system also found that the main page's claimed encoding is utf-8. Using this encoding format is the best practice, as the main page's visitors from all over the world won't have problems with symbol transcription.

Social Sharing Optimization. An Open Graph description is not detected on the main page of JCL S Forex. The lack of an Open Graph description can be counterproductive for their social media presence, as such a description allows converting a website homepage or other pages into good-looking, rich and well-structured posts when shared on Facebook and other social media. For example, adding the following code snippet to the HTML head tag will help represent this website correctly in social networks.

Product review: JCL's Forex.
Traders, I am happy to do a product review of what is one of the best trading systems I have ever reviewed. I will start by saying that I receive no profit from writing this article. I approached Jordan, the creator of this system, and asked if I could use his system and do a review of it. He agreed, and I am so glad he did. This is a swing trend trading system that runs off 4-hour and 8-hour charts using MetaTrader 4. This system contains 4 indicators that are custom made for this system. One of the indicators included is called the True Trend Indicator, and all trades are made in the direction of the true trend. Screenshot of the system. I have traded this system and tested it for a week, and I have been very profitable and have even had a couple of trades of 200 pips. The best part of this system is that it is not just a system; Jordan actually teaches you to trade. He doesn't just give signals, he takes the time in the chat room to teach each person individually. This system includes money management strategies, so you will learn to properly leverage trades. Another great dynamic of this system is that the trading room is full of traders who help each other and help teach new users the system. This was a great help to me and makes me want to keep coming back, so I can help others too. The biggest downside is that in the beginning it can be quite overwhelming to learn the new system and to load the MT4 indicators according to the system, but with everyone helping you, you learn it quickly. So I recommend that anyone who wants to learn to trade should check out Jordan's Forex. The price is also reasonable, so that is one more reason to check it out.

Welcome to the group. Welcome to the group. Jordan, 2015-12-09T23:20:15+00:00. This group gives experienced traders or first-timers the opportunity to succeed in trading the currency markets (forex).
You agree to be a member as long as you trade and make money. In return, you will also give back to the group in your own unique way, by helping others in the group follow the rules or by being a positive influence. You will quickly learn, once you succeed, how meaning comes from giving. I am glad you are here; I look forward to working with you. Know that I am here to help you, that your individual success is important to me. The more you communicate with me, the more I can help you. The easiest and best way to begin is to take each new trade as it happens. Focus on just doing the best you can for yourself and your trading, simply following the rules. By doing this, it should take no more than two to three weeks to learn both strategies. Start by watching the webinar recording for Trinity FX in the section Trinity FX: Three Systems In One, set up your charts and begin placing all new orders after reading the overview of Trinity FX; each of the three strategies can also be found in the menu on the left. Okay, it's time to get started. This is the page you will currently see when you log in to the members area. If you have any questions, please let me know. As always, my best.

Learn to create income for life. Traders are always told that you need a trading plan, you must stick to the rules, you must trade without emotion, you need good money management, and you need many years of experience to succeed. That is fine, except for the years of experience. Out of all the other online forex trading courses, this is the only place you can find that hits all the important points, yet you don't need many years of experience. You can turn the corner to profitability in your first month of trading.

"Yes, your system seems to be one of the few that really works; I have yet to find any other forex systems that work in the long run. I needed a consistent and systematic method with clearly defined rules."
"I am glad I came across JCL's. It's so nice to have the anxiety removed from the equation; I am just a manager of positions now."

The only training course with actual performance results.

"Jordan is a very honest guy who really wants to make a difference. His signals are easy to follow, and you have peace of mind knowing that he also puts his money on the line. His style is a little different. If you want to learn new things from an experienced and disciplined trader, Jordan's group is a great way to do it. Oh, and you can't beat the price."

"What a fantastic system you have developed: trade with the trend, let profits run, cut your losses. All the ingredients of a professional system. This is no get-rich-quick system. This is the way the pros trade; not for everyone. No emphasis on indicators; money management is everything. I can only say that I am an open book. If you teach me, I will listen."

"I always admired your mind and your need to help others, how you take a stand for what you believe. The world could surely use a few more Jordans around. I will tell you this, and take it for what it's worth: if you ever have children, they can be a trial or a blessing, but grandchildren are really where the fun is. Children keep you young and grandchildren make you wish you were young. I can truly say that in my trading career I have never met anyone with the thoughtfulness and compassion you have."

"Here are my two cents on once-a-day trading. When I first started trading less than a year ago, I was told that you need a trading plan, you must stick to the rules, you must trade without emotion, you need good money management, and you need many years of experience to succeed. They were right, except for the years of experience. I have been all over the place, and this is the only place I can find that hits all the important points, yet you don't need many years of experience."

Monday, 27 November 2017

Currency Dubai Forex Trading


Forex, CFDs and Gold. Have an opinion on the US Dollar? Trade it. Forex, CFDs and Gold. Forex, Spread Betting and CFDs.

At FXCM, we strive to give you the best trading experience. We offer access to the global forex trading market, with intuitive platform options, including our award-winning Trading Station. We also offer forex education, so whether you are just starting out in the exciting world of forex trading, or you just want to sharpen the trading tools you have developed over the years, we are here to help. Our customer service team, one of the best in the industry, is available 24/7, wherever you are in the world. Try us. Sign up for a free FXCM practice account, which lets you test out the platform and experience some of the benefits we give our traders. When you are ready, you can open an FXCM account with as little as 50.

Trading forex/CFDs on margin carries a high level of risk and may not be suitable for all investors, as you could sustain losses in excess of deposits. Leverage can work against you. Be aware of and understand all the risks associated with the market and trading. Before trading any products offered by Forex Capital Markets Limited, inclusive of all EU branches, FXCM Australia Pty Limited, any affiliates of the aforementioned firms, or other firms within the FXCM group of companies (collectively the FXCM Group), carefully consider your financial situation and experience level. If you decide to trade products offered by FXCM Australia Pty Limited (FXCM AU, AFSL 309763), you must read and understand the Financial Services Guide, Product Disclosure Statement and Terms of Business. The FXCM Group may provide general commentary which is not intended as investment advice and must not be construed as such. Seek advice from a separate financial advisor. The FXCM Group assumes no liability for errors, inaccuracies or omissions, and does not warrant the accuracy or completeness of the information, text, graphics, links or other items contained within these materials.
Read and understand the Terms and Conditions on the FXCM Group's websites prior to taking further action. The FXCM Group is headquartered at 55 Water Street, 50th Floor, New York, NY 10041 USA. Forex Capital Markets Limited (FXCM LTD) is authorised and regulated in the UK by the Financial Conduct Authority, registration number 217689. Registered in England and Wales with Companies House company number 04072877. FXCM Australia Pty Limited (FXCM AU) is regulated by the Australian Securities and Investments Commission, AFSL 309763. FXCM AU ACN 121934432. FXCM Markets Limited (FXCM Markets) is an operating subsidiary within the FXCM Group. FXCM Markets is not regulated and not subject to the regulatory oversight that governs other FXCM Group entities, which includes, but is not limited to, the Financial Conduct Authority and the Australian Securities and Investments Commission. FXCM Global Services, LLC is an operating subsidiary within the FXCM Group. FXCM Global Services, LLC is not regulated and not subject to regulatory oversight. Past Performance: past performance is not an indicator of future results. Copyright 2017 Forex Capital Markets. All rights reserved. 55 Water St, 50th Floor, New York, NY 10041 USA.

Currency trading means different things. If you want to learn about how to save time and money on foreign payments and currency transfers, visit XE Money Transfer. These articles, on the other hand, discuss currency trading as buying and selling currency on the foreign exchange (or Forex) market with the intention of making money, often called speculative forex trading. XE does not offer speculative forex trading, nor do we recommend any firms that offer this service. These articles are provided for general information only.

How Forex Works. The exchange rate is the rate at which one currency can be exchanged for another.
It is always quoted in pairs, like EUR/USD (the Euro and the US Dollar). Exchange rates fluctuate based on economic factors like inflation, industrial production and geopolitical events. These factors will influence whether you buy or sell a currency pair.

Example of a Forex Trade. The EUR/USD rate represents the number of US dollars one euro can purchase. If you believe that the euro will increase in value against the US dollar, you will buy euros with US dollars. If the exchange rate rises, you will sell the euros back, making a profit. Please keep in mind that forex trading involves a high risk of loss.

Why Trade Currencies? Forex is the world's largest market, with about 3.2 trillion dollars in daily volume and 24-hour market action. Some key differences between Forex and equity markets are: many firms don't charge commissions, you pay only the bid/ask spreads; there is 24-hour trading, you dictate when to trade and how to trade; you can trade on leverage, but this can magnify potential gains and losses; you can focus on picking from a few currencies rather than from 5000 stocks; Forex is accessible, you don't need a lot of money to get started.

Why Currency Trading Is Not For Everyone. Trading foreign exchange on margin carries a high level of risk, and may not be suitable for everyone. Before deciding to trade foreign exchange, you should carefully consider your investment objectives, level of experience and risk appetite. Remember that you could sustain a loss of some or all of your initial investment, which means that you should not invest money that you cannot afford to lose. If you have any doubts, it is advisable to seek advice from an independent financial advisor. Find out what you should know before trading Forex: read this.

Why trade Forex with Swissquote? Trade over 70 currency pairs. Flexible transaction sizes. Access the market from desktop, web or mobile platforms. 24-hour trading from Sunday 23:00 to Friday 23:00 CET. Develop and deploy your own algo trading strategies.
Low margin requirements. Free daily and intraday market research and commentary. Flexible conditions and technology to suit your needs. Whether you are a beginner or an experienced trader, Swissquote offers flexible conditions and adaptable technology to meet your needs. Our dedicated staff are available during market hours to call and assist you in any way. Stay informed with Swissquote research. Trade with confidence at any time using our insights into the Forex market, with daily and intraday commentary and analysis directly from Swissquote's market strategy team.

Trade with confidence on the world's leading social trading network. Become a Popular Investor. Share your trading insights and help other traders improve their financial knowledge. Earn a percentage of your assets under management as a second income.

"I like being a Popular Investor. It shows that other traders have full trust in me, and in turn I do my best to exceed expectations." Elvin De Cruz (AlvinDeCruz), Singapore.

"Since I joined eToro, I have managed over 100,000 other users' equity. I love helping others and I earn extra monthly payments. All it takes is self-confidence and persistence." George Thomson (misterg23), Italy.

How to make money in Forex. EUR 10,000 x 1.18 = US$ 11,800. EUR 10,000 x 1.25 = US$ 12,500. An exchange rate is simply the ratio of one currency valued against another currency. For example, the USD/CHF exchange rate indicates how many US dollars can purchase one Swiss franc, or how many Swiss francs you need to buy one dollar.

How to read a Forex quote.
Currencies are always quoted in pairs, such as GBP/USD or USD/JPY. The reason they are quoted in pairs is that in every foreign exchange transaction you are simultaneously buying one currency and selling another. Here is an example of a foreign exchange rate for the British pound versus the US dollar. The first listed currency, to the left of the slash, is known as the base currency (in this example, the British pound), while the second one, on the right, is called the counter or quote currency (in this example, the US dollar). When buying, the exchange rate tells you how much you have to pay in units of the quote currency to buy one unit of the base currency. In the example above, you have to pay 1.51258 US dollars to buy 1 British pound. When selling, the exchange rate tells you how many units of the quote currency you get for selling one unit of the base currency. In the example above, you will receive 1.51258 US dollars when you sell 1 British pound. The base currency is the basis for the buy or the sell. If you buy EUR/USD, this simply means that you are buying the base currency and simultaneously selling the quote currency. In caveman talk: buy EUR, sell USD. You would buy the pair if you believe the base currency will appreciate (gain value) relative to the quote currency. You would sell the pair if you think the base currency will depreciate (lose value) relative to the quote currency. First, you should determine whether you want to buy or sell. If you want to buy (which actually means buy the base currency and sell the quote currency), you want the base currency to rise in value, and then you would sell it back at a higher price. In trader's talk, this is called going long or taking a long position. Just remember: long = buy. If you want to sell (which actually means sell the base currency and buy the quote currency), you want the base currency to fall in value, and then you would buy it back at a lower price. This is called going short or taking a short position. Just remember: short = sell.

No Deposit Bonus Binary Options 2012 Nissan


Otti Investopedia Forex. For example, for Eurodollar contracts a tick is worth 12.50, and a move from 94 to 94.50 would result in a 1,250 gain per contract for someone who is long futures. When the hedge becomes profitable and traders see less risk in the market, the hedge is peeled off. Otti Investopedia Forex No Deposit Bonus Binary Options 2012 Nissan. Trade the Forex market risk free using our free... A write-down is an accounting principle that describes a permanent... Connect With Investopedia. Work With. Interest rate futures are based on an underlying security that is a debt obligation and move in value as interest rates change. Typically the interest rate futures contract has a base price move (tick) of .01, or 1 basis point, but some contracts have a tick value of .005, or half of 1 basis point. Conversely, when interest rates move lower, the seller of the futures contract will compensate the buyer for the lower interest rate at the time of expiration. To accurately determine the gain or loss of an interest rate futures contract, an interest rate futures price index was created. Otti Investopedia Forex Forex Trg Ur, Glede Na Slovenijo. A write-down is a reduction in the book value of an asset because it is... Trade the Forex market risk free using our free... Connect With Investopedia. Work With. Interest Rate Swaps Explained, Definition. Work With. Many participants in the interest rate futures market hedge their positions that have an interest rate risk with an offsetting futures contract. Swedish stock market update. How to make money at 17 in Lipetsk. Otti Investopedia Forex Binary Option Professional Signa. A write-down is a reduction in the book value of an asset because it is... Trade the Forex market risk free using our free... Connect With Investopedia. Work with. Comment Fonctionne Le Bnin Stock Exchange. Trade the Forex market risk free using our free... A write-down is an accounting principle that describes a permanent... Connect With Investopedia. Work With.
When interest rates move higher, the buyer of the futures contract will pay the seller an amount equal to the benefit received by investing at a higher rate versus that of the rate specified in the futures contract. To accurately determine the gain or loss of an interest rate futures contract, an interest rate futures price index was created. Otti Investopedia Forex Binary Option Traders In Nigeria 100 Payout. When purchasing, the index can be calculated by subtracting the futures interest rate from 100, or (100 - futures interest rate). You can see that as rates increase, the index moves lower, and vice versa. Otti Investopedia Forex. The Dodd-Frank Act implements changes that, among other things, affect the oversight and supervision of financial... By using an interest rate futures contract, the buyer of the contract can lock in a future investment rate, not a borrowing rate as many believe. Otti Investopedia Forex How To Do Stock Trading In Singapore 4 Forex Online Obchodovanie Na Slovenskom.

Binary option no deposit bonus 2012. Finpari review binary options for US traders finpari. The best regulated UK Forex Brokers Reviews. CBFinvest Binary Options No Deposit Bonuses. CBFinvest Binary Options Broker review. CBFinvest Binary Options Broker review. CBFinvest broker No Deposit Bonus. Try binary options risk free and with no deposit. Forex scalping strategy free no deposit bonus forex quotes binary trading Nel trading con poco nrg binary options broker binary option no deposit bonus. Come and invest in the stock market. Corsa Forex Corsa Capital Binary Options Broker Binary Options No Deposit Bonus. Deposit Bonus offers, Cashback Rewards, Bonus Program plus Free forex Bonus for trading, No deposit required. Register at Trade NU and get Forex No. Forex No Deposit Bonus MarketsYES No Deposit Bonus to Trade CFD or Binary Options. YouTradeFX No Deposit bonus, Best Forex Bonus. Forex Glaz Highest Rated Forex Brokers. Binary options no deposit bonus nissan.
Binary options no deposit bonus nfl writefiction web fc com. Binary options no deposit bonus nfl. Pinterest, the world's catalog of ideas. Pinterest Cara Daftar ForexMart Langsung Dapat Bonus USD Tanpa Deposit NO DEPOSIT BONUS. Binary options no deposit bonus October. Grab this Binary Tradable deposit bonus up to and start right away. Find: the amount of tradable bonus depends on the deposit amount, from All Forex Bonus. Forex No Deposit Welcome Bonus, Fort Financial Services. Forex No Deposit Welcome Bonus to all new live Forex Traders: open a real Forex trading account at Fort Financial Services. Bin MT Binary Options Tools, Brokers Tools For Brokers, Family Dentist Orthodontics Dental Braces Orange County CA. Bet: choose binary options rather than Forex. Minimum deposit option brokers; in the withdrawal section you can get a minimum deposit at your fingertips. Las Vegas Online Forex Binary Options SECTION Forex No Las Vegas Online Forex Binary Options SECTION. What are the best stocks for day trading, stock trading app for Android S Amazonas ws com, no deposit bonus, no deposit navigator, how binary options brokers, list of changed, I turned out separately, and my online casino binary options best. Binary Options Free No Deposit Bonus Trading Daweda BINARY. No deposit BONUS exclusively with EmpireOption Binary Options. Binary Options No Deposit Bonuses. All Forex Bonus Binary Options NO DEPOSIT BONUS BINARY OPTIONS No Deposit BullBinary. Binary No Deposit Bonus Code MarketsWorld All Forex Bonus. All Forex Bonus Binary Options NO Deposit Bonus, All Forex Bonus Free No Deposit Binary Options Hiroseuk. Top IQ Option Binary Option No Deposit Bonus November Reviews Latvia. gdmfx Binary options No deposit transaction bonus, GDMFX broker Free binary options No deposit bonus, Trade Forex and Binary options from the same MT account. Binary options no deposit bonus November.
Alpari Review, Binary Options Tutorials, Binary Option Tutorials. Binary Options No Deposit Bonus Ayrex Forex promotions Forex promotions Find us on Facebook. Binary Options Free No Deposit Bonus PWRtrade BINARY Binary Options Free No Deposit Bonus PWRtrade. BullBinary No Deposit Bonus binary method net. Grand Capital Broker Grand Capital Broker No Deposit Bonus for binary Options Trading. Forex bonus no deposit. Binary options no deposit bonus toyota FC. Daweda Binary Options Exchange Binary Options No Deposit Bonuses Daweda Binary Options Exchange Binary Options No Deposit Bonuses. Options NO DEPOSIT BONUS Binary com All Forex Bonus. First deposit Binary Bonus LION Binary Options All Forex. Binary Options No Deposit Bonuses, Forex No Deposit Bonuses, Forex No Deposit Bonuses, Binary Options No Deposit Bonuses. TR Binary Options No Deposit Bonus Account Types Fair Binary Options TR Binary Options Open Account. Binary Option No Deposit Bonus 2012. No risk binary options, No risk ninjatrader Binary options, Binary deposit Bonus, Forex No deposit Cash bonus from XTrade BINARY OPTIONS METHODS binary method net. Binary options No deposit Bonuses, Best Forex Brokers Reviews and Forex Broker reviews. Free No deposit Binary Options Bonus for all new clients: create an account and enjoy this Binary Options bonus. It is a great chance to trade with All Forex Bonus. Forex No deposit Welcome bonus offered by Grand Capital Fx Daily Info. Best binary options broker USA Dax finanznachrichten. Binary trading experience no deposit bonus binary option brokers system mc best option trading All Forex Bonus Binary Options NO Deposit Bonus All Forex Bonus. Binary options free demo account trading 50 deposit. No deposit Forex Bonus June 2012. Special offers and promotions, Alpari: we are offering a bonus on account deposits for binary options trading until 30 June. Until June 2017, Alpari will refund 100% of the commission for deposits made to...

Hi Praveen, on an FD of Rs 10 lakh, she will earn less than Rs 1 lakh as interest, and if form 15G is submitted, no TDS will be deducted by the bank. In that case your wife is not...

Simple Trading System Forex: SIMPLE COLLECTION of Free Forex Trading Strategies, Trading Systems, Price Action Strategies, Forex Scalping Systems, News Trading Strategies, Free signals. Make consistent profits in the Forex Market using our professional Forex Trading Systems and software, 100% satisfaction guaranteed. Philippine Fx Taxi Tricycle, Jeepney, Taxi and FX Operation, Taxi FX dealers, Nissan Motors. How to start Forex Study. Fxcareers is an established Forex Training Academy in Cyprus. FX Careers offers needs-based Forex training and certifications to students. Open a free demo or real account with forex trading south africa - forex training south africa - forex training - learn to trade. IronFX is one of the... Forex Profit School. In the Forex market, you buy or... Forex Broker Inc offers forex trading with up to 500:1 leverage and spreads as low as 0.3 pips. Please note that you may encounter technical problems when browsing our... gambling laws China no deposit bonus code Kickapoo Casino Expansion for no deposit bonus codes June 2012 Casino Roermond jobs Program for wiesse e No deposit bonus in Kickapoo Casino Expansion forex 2012 casino uk. Philippine Fx Taxi Tricycle, Jeepney, Taxi and FX operation, Taxi FX dealers, Nissan Motors, Business Ideas Philippines. FX is the popular term for non-metered taxis in the Philippines. It is named after the Toyota Tamaraw FX model of multi-purpose vehicles. It can take as many as 10... How to start Forex Study. Top Performing Forex Robots based on myfxbook live results, a detailed comparison of Forex robots' profitability. Table Header Titles Robot Forex.
Binary Options Free No Deposit Bonus 50 for all new live trading accounts. I have been trying since 26 June to close my account and get my money back; the I...

Free binary options account. Use the tools below to invite friends, and for ANY prizes they win on any of our challenges, you will win a matching prize of up to 100. They not only give you the opportunity to grasp how binary options work, but also give you the opportunity to test your trading methods and strategies. Free binary options account 2012 Nissan Pathfinder sv Options Trading. Free binary options Demo Trading: practice trading with a simulated 25,000 account. Lifetime demo lets you keep practicing after you have opened a live account. While binary options demo accounts are a great way to develop your trading skills, actually finding one that offers a completely free demo service can often be a challenge. In case of a failed deal you won't lose real money with a demo or educational account. We hope that you will deposit your own money so that you can earn higher profits later. Read more. Tell your friends about this offer and we will pay you up to 100 for each friend. The minimum deposit is only 10, and for the first payment we give a 200 bonus. This is our way of introducing you to binary options with no risk. For example, you must place 2,000 in trades (100 x 20) before you can withdraw the 100. Free binary options account. A binary options free demo account or simulator is the ideal way to practice trading Binary Options in a real-time trading environment without having to risk anything. BinaryOptionsFree offers a no deposit binary options bonus to start trading. Register with BinaryOptionsFree and unlock your free 100 trading account. Trading via a demo account is a completely free service, and you will never part with, or unfortunately gain, any money through trading on a demo platform.
Free binary options Demo Trading: practice trading with a simulated 25,000 account. Lifetime demo lets you keep practicing after you have opened a live account. A demo account makes it very easy to try out binary options trading without risking any real money. A good broker with a free and unlimited demo account is IQOption. Free Binary Options Account. Essentially, demo accounts are made for new traders or for those who want to enjoy the excitement of trading without risking any capital. A Binary Options free demo account, or simulator, is the ideal way to practice trading binary options in a real-time trading environment without having to risk anything. This means that binary options can be bought in exactly the same way as they would be in the real market, and the prices that you see reflect the real, live trading prices. Swiss Online Forex Trade In Reunion Free Binary Options Demo Trading: practice trading with a simulated 25,000 account. Lifetime demo lets you keep practicing after you have opened a live account. This makes demo trading different from a simple simulation of the markets, and explains why they are so popular, even with experienced investors who use them as valuable strategy testing tools. You will probably be surprised at how quickly and easily one can make money with us. Deposit into your account with one of these payment methods and start earning money. This is our way of introducing you to binary options with no risk. For example, you must place 2,000 in trades (100 x 20) before you can withdraw your 100 free binary options account. Online Money Maker websites: when you open a new account, your account will be funded with 100 USD directly in your trading account. You cannot withdraw until you have placed 20x the DB amount in total trading volume.
Free binary options account. There is no doubt that this broker is your very first choice when you are new to binary options trading. While binary options demo accounts are a great way to develop your trading skills, actually finding one that offers a completely free demo service can often be a This means that binary options can be bought in exactly the same way as they would be in the real market, and the prices you see reflect the real, live trading prices. With its help you will get used to our platform, learn to choose an asset, an execution time and a direction of movement, set a binary option value and, most importantly, check your forecasting abilities. Free binary options account. There are also experienced traders who maintain a demo trading account in order to develop and advance their current strategies before using them in the real Online Dalam Emas Di Brunei Darussalam You can take advantage of its unlimited demo account or deposit 10 to trade with 1 option, a perfect start for you. Demo accounts allow traders to buy binary options using virtual money while keeping the usual features of a real trading account. Forex Trading Sites In Germany For beginners, the trading practice that demo accounts offer is also a very valuable and beneficial way to learn to trade. Forex CFD Trading on stocks, indices, oil, gold at XM. That is why over 1 million clients choose XM for Forex Trading, Stock Index Trading, Commodity Trading, Stocks, Metals and Energies Trading. Licensed and Regulated Broker. The XM Group is licensed by the FCA in the UK, ASIC in Australia and CySEC in Cyprus, and follows enhanced regulatory standards. This gives our clients the freedom to focus on what matters: their trading decisions. Globally Renowned. We have clients from over 196 countries and staff who speak over 30 languages. Our management has visited over 120 cities globally to understand the needs of clients and partners. Focused on the client.
Size does not matter. At XM the client comes first regardless of net worth, account type or size of investment. All our clients receive the same quality services, the same execution and the same level of support. XM was founded on these values, and that will not change. Range of trading instruments. Our clients can choose to trade forex, stock indices, commodities, stocks, metals and energies from the same account. With a wide range of trading instruments available from a single multi-asset platform, XM makes trading easier and more efficient. Transparent and Fair. At XM what you see is what you get, with no hidden terms, be it pricing, execution or promotions. What we advertise is what we give our clients, regardless of the size of their investment. Simple and convenient. All our systems are built and updated with the client in mind. From the start of the account opening procedure, to managing your account, depositing or withdrawing funds and finally trading, it is completely simple and easy to use for all our clients. Legal. A trading name of Trading Point Holdings Ltd, registration number HE 322690, 12 Richard Verengaria Street, Araouzos Castle Court, 3rd floor, 3042 Limassol, Cyprus, which wholly owns Trading Point of Financial Instruments Ltd Cyprus, registration number HE 251334, 12 Richard Verengaria Street, Araouzos Castle Court, 3rd floor, 3042 Limassol, Cyprus. This website is operated by Trading Point of Financial Instruments Ltd. Trading Point of Financial Instruments Ltd is regulated by the Cyprus Securities and Exchange Commission CySEC under licence number 120 10, and registered with the FCA FSA, UK, under reference no. 538324. Trading Point of Financial Instruments Ltd operates in accordance with the Markets in Financial Instruments Directive MiFID of the European Union. Risk Warning: Forex Trading involves significant risk to your invested capital. Please read and make sure you fully understand our risk disclosure.
Restricted Regions: Trading Point of Financial Instruments Ltd does not offer services to citizens of certain regions, such as the USA.

Quantstart Forex Trading


QSForex is an open-source event-driven backtesting and live trading platform for use in the foreign exchange (forex) markets, currently in an alpha state. It has been created as part of the Forex Trading Diary series to provide the systematic trading community with a robust trading engine that allows straightforward forex strategy implementation and testing. The software is provided under a permissive MIT licence, see below.
Open-Source - QSForex has been released under an extremely permissive open-source MIT licence, which allows full use in both research and commercial applications, without restriction, but with no warranty of any kind.
Free - QSForex is completely free and costs nothing to download or use.
Collaboration - As QSForex is open-source, many developers collaborate to improve the software. New features are added frequently. Any bugs are quickly determined and fixed.
Software Development - QSForex is written in the Python programming language for straightforward cross-platform support. QSForex contains a suite of unit tests for the majority of its calculation code, and new tests are constantly added for new features.
Event-Driven Architecture - QSForex is completely event-driven both for backtesting and live trading, which leads to straightforward transitioning of strategies from a research phase to a live trading implementation.
Transaction Costs - Spread costs are included by default for all backtested strategies.
Backtesting - QSForex features intraday tick-resolution multi-day multi-currency-pair backtesting.
Trading - QSForex currently supports live intraday trading using the OANDA Brokerage API across a portfolio of pairs.
Performance Metrics - QSForex currently supports basic performance measurement and equity visualisation via the Matplotlib and Seaborn visualisation libraries.
Installation and usage. Visit and set up an account to obtain the API authentication credentials, which you will need in order to carry out live trading. I explain how to carry this out in this article.
Clone this git repository to a suitable location on your machine using the following command in your terminal git clone Alternatively, you can download the zip file of the current master branch at. Create a set of environment variables for all the settings found in the file in the root directory of the application. Alternatively, you can hard-code your specific settings by overwriting the calls for each setting. Create a virtual environment (virtualenv) for the QSForex code and use pip to install the requirements. For example, on a Unix-based system (Mac or Linux) you can create such a directory as follows by entering the following commands in the terminal. This will create a new virtual environment to install the packages into. Assuming that you downloaded the QSForex git repository into an example directory such as projects qsforex (change this directory below to wherever you installed QSForex), to install the packages you will need to run the following commands. This will take some time, since NumPy, SciPy, Pandas, Scikit-Learn and Matplotlib must be compiled. There are many packages required for this to work, so please take a look at these two articles for more information. You will also need to create a symbolic link from your site-packages directory to the QSForex directory in order to be able to call import qsforex within the code. To do this you will need a command similar to the following. Make sure to change projects qsforex to your installation directory and venv qsforex lib python2.7 site-packages to your virtualenv site-packages directory. You will now be able to run the subsequent commands correctly. At this stage, if you just wish to carry out practice or live trading, you can run python which will use the default TestStrategy trading strategy. This buys or sells a currency pair every 5th tick. It is purely for testing - do not use it in a live trading environment. If you wish to create a more useful strategy, simply create a new class with a descriptive name, for example MeanReversionMultiPairStrategy, and make sure it has a calculate_signals method.
You will need to pass this class the pairs list as well as the events queue, as in. See for details. In order to carry out any backtesting it is necessary to generate simulated forex data or download historical tick data. If you simply wish to try out the software, the quickest way to generate an example backtest is to generate some simulated data. The current data format used by QSForex is the same as that provided by the DukasCopy Historical Data Feed at. In order to generate some historical data, make sure that the CSV_DATA_DIR setting is set to a directory where you want the historical data to live. You then need to run which is under the scripts directory. It expects a single command-line parameter, which in this case is the currency pair in BBBQQQ format. For example. At this stage the script is hard-coded to create a single month's data for January 2014. That is, you will see individual files of the format shown, for example, in CSV_DATA_DIR for all business days in that month. If you wish to change the month and year of the data output, simply modify the file and re-run. Now that the historical data has been generated, it is possible to carry out a backtest. The backtest file itself is stored in, but this only contains the Backtest class. To actually carry out a backtest you need to instantiate this class and provide it with the requisite modules. The best way to see how this is done is to look at the example Moving Average Crossover implementation in the file and use this as a template. This makes use of the MovingAverageCrossStrategy found in. It defaults to trading both GBP USD and EUR USD to demonstrate multiple currency pair usage. It uses the data found in CSV_DATA_DIR. To carry out the example backtest, simply run the following. This will take some time. On my Ubuntu desktop system at home, with the historical data generated via it takes around 5-10 minutes to run. A large part of this calculation occurs at the end of the actual backtest, when the drawdown is being calculated, so please bear in mind that the code has not hung.
Please let it run to completion. If you wish to view the results of the backtest, you can simply use to view an equity curve, the period returns (i.e. tick-to-tick returns) and a drawdown curve. And that is it. At this stage you are ready to begin creating your own backtests by modifying or adding strategies in and using real data downloaded from DukasCopy. If you have any questions about the installation, please feel free to email me. If you have any bugs or other issues that you think may be due to the codebase, feel free to open a Github issue here. Copyright 2015 Michael Halls-Moore. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the Software), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions. The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED AS IS, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. Forex Trading Disclaimer.
Trading foreign exchange on margin carries a high level of risk and may not be suitable for all investors. Past performance is not indicative of future results. The high degree of leverage can work against you as well as for you. Before deciding to invest in foreign exchange you should carefully consider your investment objectives, level of experience and risk appetite. The possibility exists that you could sustain a loss of some or all of your initial investment, and therefore you should not invest money that you cannot afford to lose. You should be aware of all the risks associated with foreign exchange trading, and seek advice from an independent financial advisor if you have any doubts. ing in tomorrow's Trading. How it works. Build Algorithms in a Browser IDE, Using Template Strategies and Free Data. Design and test your strategy on our free data, and when you are ready, deploy it to your brokerage. Code in multiple programming languages and use our cluster of hundreds of servers to run your backtest to analyse your strategy in the Equities, FX, CFD, Options or Futures Markets. QuantConnect is the next revolution in quant trading, combining cloud computing and open data access. Immediate Speed. server farm for institutional speeds from your desktop computer. You can iterate on your ideas faster than you ever have before. Massive Data Library. We provide a massive free 400TB tick-resolution data library covering US equities, options, futures, fundamentals, CFD and Forex since 1998. World Class Execution. Our live trading algorithms are co-located next to the market servers in Equinix NY7 for resilient, secure and lightning-fast execution to the markets. Have some great ideas? Let's test them out. Start algorithm. Professional Quality, Open Data Library.
Design strategies with our carefully curated data library, spanning global markets from tick to daily resolution. Data is updated almost daily, so you can backtest on the very latest data available, and it is survivorship-bias free. We provide equity price data going back to January 1998 for every symbol traded, totalling over 29,000 stocks. The price data is provided by QuantQuote. In addition we have Morning Star Fundamental data for the most popular 8,000 symbols, covering 900 indicators since 1998. We provide 100 currency pairs and 70 CFD contracts covering all major economies from FXCM and OANDA. Data is in tick resolution, starting April 2007, and is updated daily. We provide futures tick trade and quote data from January 2009 to the present, for every contract traded on CME, COMEX and GLOBEX. Data is updated weekly and provided by AlgoSeek. We provide option trades and quotes down to minute resolution, for every option traded on OPRA since 2007, covering millions of contracts. Data is updated within 48 hours and provided by AlgoSeek. Team Collaboration. Find new friends in the community and collaborate with the team coding feature. Share projects and see their code instantly as they type. You can even grant live access and control the live algorithm together. Use our internal direct messaging to find potential team members to join forces with. Securing intellectual property. Our focus is to give you the best possible algorithmic trading platform and to protect your valuable intellectual property. We will always be an infrastructure and technology provider first. When you are ready for live trading, we are happy to help you execute through your broker. Execute through leading brokers. We have integrated with the world's leading brokerages to provide the best possible execution and the lowest fees to the community. Event Driven Strategies.
Designing an algorithm could not be simpler. There are only two required functions, and we take care of everything else. You first initialise your strategy and then handle the data events you have requested. You can create new indicators, classes, folders and files with a web-based full C# compiler and auto-complete. We are committed to giving you the best possible algorithm design experience. Leverage Your Potential. Opted-in users can have their strategies presented to hedge fund clients in a transparent, professional strategy dashboard. Strategies are validated by QuantConnect's backtesting and live trading, giving you a neutral third-party review of the code. Interested hedge funds can contact you directly through QuantConnect to offer you employment or funding for your strategy. Join our community. We have one of the largest quantitative trading communities in the world, building, sharing and discussing strategies through our community. Converse with some of the brightest minds in the world as we explore new realms of science, mathematics and finance. Hammer Trading System demonstrating Custom Indicator-based Limit Orders in Quantstrat. So a few weeks ago I decided to listen in on a webinar, and I will give one myself on using quantstrat on 3 September for Big Mike's Trading, see link. Among the topics of the talk was a trading system called the Trend Turn Trade Take Profit system. This is his system. Define an uptrend as an SMA10 above an SMA30. Define a pullback as an SMA5 below an SMA10. Define a hammer as a candle with an upper shadow less than 20% of the lower shadow, and a body less than 50% of the lower shadow. Enter at the high of the hammer, with the stop loss set at the hammer's low less a further third of the range. The take-profit target is 1.5 to 1.7 times the distance between the entry and stop prices.
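The rules above, worked through in Python as an added example (the post's own code is R/quantstrat and is not reproduced here): it checks the uptrend, pullback and hammer conditions on a constructed bar series and derives the entry, stop and take-profit levels from the hammer's range. The Bar and TradePlan types, the thresholds as fractions, and the sample series are my constructions.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Bar:
    """One OHLC candle (constructed type, not from the post)."""
    open: float
    high: float
    low: float
    close: float


@dataclass
class TradePlan:
    entry: float        # buy at the hammer's high
    stop: float         # hammer low minus a further third of the hammer's range
    target_low: float   # entry plus 1.5x the entry-to-stop distance
    target_high: float  # entry plus 1.7x the entry-to-stop distance


def sma(values: List[float], n: int) -> Optional[float]:
    """Simple moving average of the last n values, or None if there are too few."""
    if len(values) < n:
        return None
    return sum(values[-n:]) / n


def is_hammer(bar: Bar) -> bool:
    """Upper shadow < 20% of the lower shadow and body < 50% of the lower shadow."""
    body = abs(bar.close - bar.open)
    upper = bar.high - max(bar.open, bar.close)
    lower = min(bar.open, bar.close) - bar.low
    if lower <= 0:
        return False  # no lower shadow: not a hammer, and avoids dividing by zero
    return upper < 0.2 * lower and body < 0.5 * lower


def hammer_setup(bars: List[Bar]) -> Optional[TradePlan]:
    """Return the trade levels if the last bar completes the system's entry conditions."""
    closes = [b.close for b in bars]
    sma5, sma10, sma30 = sma(closes, 5), sma(closes, 10), sma(closes, 30)
    if sma30 is None:
        return None  # not enough history for the slowest average
    uptrend = sma10 > sma30
    pullback = sma5 < sma10
    last = bars[-1]
    if not (uptrend and pullback and is_hammer(last)):
        return None
    candle_range = last.high - last.low
    entry = last.high
    stop = last.low - candle_range / 3.0
    risk = entry - stop
    return TradePlan(entry, stop, entry + 1.5 * risk, entry + 1.7 * risk)


def build_sample_bars() -> List[Bar]:
    """Constructed series: 30 rising bars, a four-bar dip, then a hammer candle."""
    bars = []
    price = 100.0
    for _ in range(30):                      # steady uptrend: SMA10 ends above SMA30
        price += 0.5
        bars.append(Bar(price - 0.3, price + 0.2, price - 0.5, price))
    for _ in range(4):                       # pullback: SMA5 drops below SMA10
        price -= 0.8
        bars.append(Bar(price + 0.5, price + 0.6, price - 0.2, price))
    # hammer: tiny body, almost no upper shadow, long lower shadow
    bars.append(Bar(price, price + 0.15, price - 2.0, price + 0.1))
    return bars


if __name__ == "__main__":
    print(hammer_setup(build_sample_bars()))
```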
In addition, though not tested here, there was the bullish engulfing pattern, which is a two-bar pattern with the conditions of a down day followed by an up day where the open was lower than the close of the down day and the close of the day was higher than the previous day's open, with the stop set at the low of the pattern and the profit target in the same place. This system was advertised as being correct about 70% of the time, with trades whose wins were 1.6 times as large as the losses, so I decided to investigate it. The upside of this post, in addition to investigating someone else's system, is that it will let me demonstrate how to create more nuanced orders with quantstrat. The best selling point of quantstrat, in my opinion, is that it provides a framework for doing just about anything you want, provided you know how to do it (not trivial). In any case, the most important thing to take from this strategy is that it is possible to create some interesting custom orders with slightly nuanced syntax. Here is the syntax for this strategy. I added an extra rule to the strategy: if the trend reverses (SMA10 below SMA30), get out of the trade. First of all, let's take a closer look at the entry and exit rules. The rules used here use a few new concepts that I have not used in previous blog posts. First, the orderset argument sets all the orders in a set as a one-cancels-the-other mechanism. The syntax works in the same way as the market-data syntax for specifying indicators (e.g. name SMA, arguments list x quote Cl mktdata etc.), except that this time it specifies a particular column in the market data (which in fact is what Cl mktdata does, or HLC mktdata etc.), but the timestamp syntax is also needed so that it knows which specific quantity in time is being referred to.
For order entries, where you want to sell above the market or buy below the market, the correct order type (the ordertype argument) is a limit order. With stop losses or trailing stops, not shown here, since you want to sell below the market or buy above the market, the correct order type is a stoplimit order. Finally, the rule I added, the SMA exit, actually improves the strategy's performance; I wanted to give this system the benefit of the doubt. Here are the results, with the strategy leveraged up to 1 pctATR (the usual strategies I test use between .02 and .04). In short, looking at the trade statistics, this system is far from what was advertised. In fact, here is the equity curve. Anything but spectacular over the last few years, which is why I suppose it was free to give away in a webinar. Overall, the last few years have just seen the S&P keep getting ahead of this strategy. At the end of the day, it is a very unimpressive system in my opinion, and I am not going to explore the other aspects of it further. But as an exercise in showing some nuanced features of quantstrat, I think this was a worthwhile effort. Thanks for reading.
Forex Trading Diary 1 - Automated Forex Trading with the OANDA API. I previously mentioned in the QuantStart 2014 In Review article that I would be spending some of 2015 writing about automated forex trading.
Given that I usually carry out research in the equities and futures markets myself, I thought it would be fun and educational to write about my experiences of entering the forex market in the style of a diary. Each diary entry will attempt to build on all the previous ones, but should also be relatively self-contained. In this first entry of the diary I am going to describe how to set up a new practice brokerage account with OANDA, as well as how to create a basic multithreaded event-driven trading engine that can automatically execute trades in both a practice and a live setting. Last year we spent a lot of time looking at the event-driven backtester, primarily for equities and ETFs. The one I present below is aimed at forex and can be used for either paper trading or live trading. I have written all the following instructions for Ubuntu 14.04, but they should easily translate to Windows or Mac OS X, using a Python distribution such as Anaconda. The only additional library used for the Python trading engine is the requests library, which is necessary for communication with the OANDA API. Since this is the first post directly about forex trading, and the code presented below can simply be adapted to a live trading environment, I would like to present the following disclaimers. Disclaimer: Trading foreign exchange on margin carries a high level of risk and may not be suitable for all investors. Past performance is not indicative of future results. The high degree of leverage can work against you as well as for you. Before deciding to invest in foreign exchange you should carefully consider your investment objectives, level of experience and risk appetite. The possibility exists that you could sustain a loss of some or all of your initial investment, and therefore you should not invest money that you cannot afford to lose. You should be aware of all the risks associated with foreign exchange trading, and seek advice from an independent financial advisor if you have any doubts.
This software is provided as is, and any express or implied warranties, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose, are disclaimed. In no event shall the regents or contributors be liable for any direct, indirect, incidental, special, exemplary or consequential damages, including, but not limited to, procurement of substitute goods or services, loss of use, data or profits, or business interruption, however caused and on any theory of liability, whether in contract, strict liability or tort, including negligence or otherwise, arising in any way out of the use of this software, even if advised of the possibility of such damage. Setting up an account with OANDA. The first question that comes to mind is why choose OANDA. Simply put, after some Googling around for forex brokers that had APIs, I saw that OANDA had recently released a proper REST API that could easily be communicated with from almost any language in an extremely straightforward way. After reading through the developer API documentation I decided to give them a try, at least with a practice account. To be clear - I have no prior or existing relationship with OANDA and am only giving this recommendation based on my limited experience playing around with their practice API and some brief use of it for market data downloading while previously employed at a fund. If anyone has come across any other forex brokers that also have an equally modern API, I would be happy to take a look at them as well. Before using the API it is necessary to sign up for a user account. To do this, go to the sign-up link. You will see the following screen. OANDA sign-up screen. You will then be able to log in with your login credentials. Make sure to select the fxTradePractice tab from the login screen. OANDA login screen. Once you are logged in you will need to make a note of your account ID.
It is listed under the black My Funds heading next to Primary. Mine is a 7-digit number. In addition, you will also need to generate a personal API token. To do this, click Manage API Access under the Other Actions tab at the bottom left. In this step you will be able to generate an API token. You will need the key for later use, so make sure to write it down as well.

You will now launch the FXTrade Practice application, which will allow us to view the executed orders and the paper profit and loss. If you are running an Ubuntu system you will need to install a slightly different version of Java, in particular the Oracle version of Java 8. If you do not do this, the practice simulator will not load from the browser. I ran these commands on my system.

You can now launch the trading environment. Go back to the OANDA dashboard and click the green highlighted Launch FXTrade Practice link. It will bring up a Java dialog asking whether you want to run it. Click Run, and the fxTrade Practice tool will load. Mine defaulted to a 15-min candle chart of EUR/USD with the quote panel on the left.

OANDA fxTrade Practice screen

At this point we are ready to begin designing and coding our automated forex trading system against the OANDA API.

Overview of Trading Architecture

If you have followed the event-driven backtester series for equities and ETFs that I created last year, you will be aware of how such an event-driven trading system works. For those of you who are new to event-driven software, I would strongly recommend reading through that article to gain insight into how they work.

In essence, the entire program is executed in an infinite while loop that only terminates when the trading system is shut off. The central communication mechanism of the program is given via a queue that contains events.
The queue is constantly queried to check for new events. Once an event has been taken off the top of the queue it must be handled by an appropriate component of the program. Hence a market data feed might create TickEvent objects that are placed onto the queue when a new market price arrives. A signal-generating strategy object might create OrderEvent objects that are to be sent to a brokerage.

The usefulness of such a system is given by the fact that it doesn't matter what order or types of events are placed on the queue, as they will always be correctly handled by the right component within the program.

In addition, different parts of the program can be run in separate threads, meaning that there is never any waiting for any particular component before processing any other. This is extremely useful in algorithmic trading situations where market data feed handlers and strategy signal generators have vastly different performance characteristics.

The main trading loop is given by the following Python pseudo-code.

As we stated above, the code runs in an infinite loop. Firstly, the queue is polled to retrieve a new event. If the queue is empty, then the loop simply restarts after a short sleep period known as the heartbeat. If an event is found, its type is assessed and then the relevant module (either the strategy or the execution handler) is called upon to handle the event and possibly generate new ones that go back onto the queue.

The basic components that we will create for our trading system include the following.

Streaming Price Handler - This will keep a long-running connection open to OANDA's servers and send tick data (i.e. bid/ask) across the connection for any instruments that we're interested in.
Strategy Signal Generator - This will take a sequence of tick events and use them to generate trading orders that will be executed by the execution handler.
Execution Handler - Takes a set of order events and then blindly executes them with OANDA.
Events - These objects constitute the messages that are passed around on the events queue. We only require two for this implementation, namely the TickEvent and the OrderEvent.
Main Entry Point - The main entry point also includes the trade loop that continuously polls the message queue and dispatches messages to the correct component. This is often known as the event loop or event handler.

We will now discuss the implementation of the code in detail. At the bottom of the article is the complete listing of all source code files. If you place them in the same directory and run python you will begin generating orders, assuming you have filled in your account ID and authentication token from OANDA.

Python Implementation

It is bad practice to store passwords or authentication keys within a codebase, as you can never predict who will eventually be allowed access to a project. In a production system we would store these credentials as environment variables on the system and then query these envvars each time the code is redeployed. This ensures that passwords and auth tokens are never stored in a version control system. However, since we are solely interested in building a toy trading system, and are not concerned with production details in this article, we will instead separate these auth tokens into a settings file.

In the following configuration file we have a dictionary called ENVIRONMENTS which stores the API endpoints for both the OANDA price streaming API and the trading API. Each sub-dictionary contains three separate API endpoints: real, practice and sandbox.
The sandbox API is purely for testing code and for checking that there are no errors or bugs. It does not have the uptime guarantees of the real or practice APIs. The practice API, in essence, provides the ability to paper trade. That is, it provides all of the features of the real API on a simulated practice account. The real API is just that: it is live trading. If you use that endpoint in your code, it will trade against your live account balance. BE EXTREMELY CAREFUL.

IMPORTANT: When trading against the practice API, remember that an important transaction cost, that of market impact, is not considered. Since no trades are actually being placed into the market, this cost must be accounted for in another way elsewhere, using a market impact model, if you wish to realistically assess performance.

In the following we are using the practice account, as given by the DOMAIN setting. We need two separate dictionaries for the domains, one each for the streaming and trading API components. Finally we have the ACCESS_TOKEN and ACCOUNT_ID. I've filled the two below with dummy IDs, so you will need to use your own, which can be accessed from the OANDA account page.

The next step is to define the events that the queue will use to help all of the individual components communicate. We need two: TickEvent and OrderEvent. The first stores information about instrument market data such as the best bid/ask and the trade time. The second is used to transmit orders to the execution handler and thus contains the instrument, the number of units to trade, the order type (market or limit) and the side (i.e. buy or sell).

To future-proof our events code we are going to create a base class called Event and have all events inherit from this. The code is provided below.
The next class we are going to create will handle the trading strategy. In this demo we are going to create a rather nonsensical strategy that simply receives all of the market ticks and on every 5th tick randomly buys or sells 10,000 units of EUR/USD.

Clearly this is a ridiculous strategy. However, it is fantastic for testing purposes because it is straightforward to code and understand. In future diary entries we will be replacing this with something significantly more exciting that will hopefully turn a profit.

The file can be found below. Let's work through it and see what's going on. Firstly we import the random library and the OrderEvent object from our events code. We need the random lib in order to select a random buy or sell order. We need OrderEvent as this is how the strategy object will send orders to the events queue, which will later be executed by the execution handler.

The TestRandomStrategy class simply takes the instrument (in this case EUR/USD), the number of units and the events queue as a set of parameters. It then creates a ticks counter that is used to tell how many TickEvent instances it has seen.

Most of the work occurs in the calculate_signals method, which simply takes an event, determines whether it is a TickEvent (otherwise ignore) and increments the tick counter. It then checks to see if the count is divisible by 5 and then randomly buys or sells, with a market order, the specified number of units. It's certainly not the world's greatest trading strategy, but it will be more than suitable for our OANDA brokerage API testing purposes.

The next component is the execution handler. This class is tasked with acting upon OrderEvent instances and making requests to the broker (in this case OANDA) in a dumb fashion. That is, there is no risk management or portfolio construction overlay. The execution handler will simply execute any order that it has been given.
We must pass all of the authentication information to the Execution class, including the domain (practice, real or sandbox), the access token and account ID. We then create a secure connection with one of Python's built-in libraries.

Most of the work occurs in execute_order. The method requires an event as a parameter. It then constructs two dictionaries: the headers and the params. These dictionaries will then be correctly encoded (partially by urllib, another Python library) to be sent as a POST request to OANDA's API.

We pass the Content-Type and Authorization header parameters, which include our authentication information. In addition we encode the parameters, which include the instrument (EUR/USD), units, order type and side (buy/sell). Finally, we make the request and save the response.

The most complex component of the trading system is the StreamingForexPrices object, which handles the market price updates from OANDA. There are two methods: connect_to_stream and stream_to_queue.

The first method uses the Python requests library to connect to a streaming socket with the appropriate headers and parameters. The parameters include the Account ID and the necessary instrument list that should be listened to for updates (in this case it is only EUR/USD). Note the following line.

This tells the connection to be streamed and thus kept open in a long-running manner.

The second method, stream_to_queue, actually attempts to connect to the stream. If the response is not successful (i.e. the response code is not 200), then we simply return and exit. If it is successful we try to load the JSON packet returned into a Python dictionary. Finally, we convert the Python dictionary with the instrument, bid/ask and timestamp into a TickEvent that is sent to the events queue.
We now have all of the major components in place. The final step is to wrap up everything we have written so far into a main program. The goal of this file is to create two separate threads, one of which runs the pricing handler and the other of which runs the trading handler.

Why do we need two separate threads? Put simply, we are executing two separate pieces of code, both of which are continuously running. If we were to create a non-threaded program, then the streaming socket used for the pricing updates would never release back to the main code path, and hence we would never actually carry out any trading. Similarly, if we ran the trade loop (see below), we would never actually return the flow path to the price streaming socket. Hence we need multiple threads, one for each component, so that they can be carried out independently. They will both communicate with each other via the events queue.

Let's examine this a bit further. We create two separate threads with the following lines.

We pass the function or method name to the target keyword argument and then pass an iterable such as a list or tuple to the args keyword argument, which then passes those arguments to the actual method or function.

Finally we start both threads with the following lines.

Thus we are able to run two, effectively infinitely looping, code segments independently, which both communicate through the events queue. Note that the Python threading library does not produce a true multi-core multithreaded environment, due to the CPython implementation of Python and the Global Interpreter Lock (GIL). If you would like to read more about multithreading in Python, please take a look at this article.

Let's examine the rest of the code in detail. Firstly we import all of the necessary libraries, including Queue, threading and time. We then import all of the above code files. I personally prefer to capitalise any configuration settings, which is a habit I picked up from working with Django.
After that we define the trade function, which was explained in Python pseudo-code above. An infinite while loop is carried out (while True) that continuously polls from the events queue and only skips the loop if it is found empty. If an event is found then it is either a TickEvent or an OrderEvent, and then the appropriate component is called to carry it out. In this case it is either the strategy or the execution handler. The loop then simply sleeps for heartbeat seconds (in this case 0.5 seconds) and continues.

Finally, we define the main entry point of the code in the main function. It is well commented below, but I will summarise here. In essence we instantiate the events queue and define the instrument and units. We then create the StreamingForexPrices price streaming class and then subsequently the Execution execution handler. Both receive the necessary authentication details that are given by OANDA when creating an account.

We then create the TestRandomStrategy instance. Finally we define the two threads and then start them.

To run the code you simply need to place all the files in the same directory and call the following at the terminal.

Note that to stop the code at this stage requires a hard kill of the Python process via Ctrl-Z or equivalent. I've not added the additional thread that would be needed to stop the code safely. A potential way to stop the code on an Ubuntu Linux machine is to type the following.

And then pass the output of this (a process number) into the following.

Where PROCESSID must be replaced with the output of pgrep. Note that this is NOT particularly good practice.

In later articles we will be creating a more sophisticated stop/start mechanism that makes use of Ubuntu's process supervision in order to have the trading system running 24/7.

The output after 30 seconds or so, depending upon the time of day relative to the main trading hours for EUR/USD, for the above code, is given below.
The first five lines show the JSON tick data returned from OANDA with bid/ask prices. Subsequently you can see the Executing order output as well as the JSON response returned from OANDA confirming the opening of a buy trade for 10,000 units of EUR/USD and the price it was achieved at.

This will keep running indefinitely until you kill the program with a Ctrl-Z command or similar.

In later articles we are going to carry out some much-needed improvements, including:

Real strategies - Proper forex strategies that generate profitable signals.
Production infrastructure - Remote server implementation and a 24/7 monitored trading system, with stop/start capability.
Portfolio and risk management - Portfolio and risk overlays for all suggested orders from the strategy.
Multiple strategies - Constructing a portfolio of strategies that integrate into the risk management overlay.

As with the equities event-driven backtester, we also need to create a forex backtesting module. That will let us carry out rapid research and make it easier to deploy strategies.

Remember to change ACCOUNT_ID and ACCESS_TOKEN.
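As an added, offline sketch of the engine described in this entry (not the article's own listing), the following keeps the same pieces: the Event base class with TickEvent and OrderEvent, the TestRandomStrategy that trades every 5th tick, an execution handler, the heartbeat trade loop and the two threads. OANDA's price stream and REST calls are replaced by a constructed tick list and a recording execution handler, so it runs without network access or credentials.

```python
"""Offline sketch of the event-driven forex engine described above (added
example, not the article's own code): Event/TickEvent/OrderEvent messages,
TestRandomStrategy trading every 5th tick, an execution handler, the heartbeat
trade loop and two threads. OANDA's stream and REST calls are replaced by
constructed ticks and a recording handler, so it runs offline without credentials."""
import queue
import random
import threading
import time


class Event:
    """Base class for every message placed on the events queue."""


class TickEvent(Event):
    type = "TICK"

    def __init__(self, instrument, tick_time, bid, ask):
        self.instrument, self.time = instrument, tick_time
        self.bid, self.ask = bid, ask


class OrderEvent(Event):
    type = "ORDER"

    def __init__(self, instrument, units, order_type, side):
        self.instrument, self.units = instrument, units
        self.order_type, self.side = order_type, side


class TestRandomStrategy:
    """On every 5th TickEvent, randomly buys or sells `units` at market."""

    def __init__(self, instrument, units, events, rng=None):
        self.instrument, self.units, self.events = instrument, units, events
        self.ticks = 0
        self.rng = rng or random.Random()

    def calculate_signals(self, event):
        if event.type != "TICK":
            return
        self.ticks += 1
        if self.ticks % 5 == 0:
            side = self.rng.choice(["buy", "sell"])
            self.events.put(OrderEvent(self.instrument, self.units, "market", side))


class RecordingExecution:
    """Stand-in for the OANDA execution handler: records orders instead of POSTing."""

    def __init__(self):
        self.orders = []

    def execute_order(self, event):
        self.orders.append((event.instrument, event.units, event.order_type, event.side))


def stream_to_queue(ticks, events):
    """Stand-in for the streaming price handler: pushes constructed ticks."""
    for t in ticks:
        events.put(TickEvent("EUR_USD", t["time"], t["bid"], t["ask"]))


def trade(events, strategy, execution, heartbeat, stop):
    """The trade loop: poll the queue, dispatch on event type, sleep for
    `heartbeat` seconds when empty. Exits once `stop` is set and the queue has
    drained, so an order generated by the final tick is still executed."""
    while not (stop.is_set() and events.empty()):
        try:
            event = events.get(block=False)
        except queue.Empty:
            time.sleep(heartbeat)
            continue
        if event.type == "TICK":
            strategy.calculate_signals(event)
        elif event.type == "ORDER":
            execution.execute_order(event)


def run_demo(n_ticks=10, seed=42, heartbeat=0.001):
    """Run the price thread and the trade thread over `n_ticks` constructed
    ticks and return the orders the execution handler received."""
    events = queue.Queue()
    strategy = TestRandomStrategy("EUR_USD", 10000, events, random.Random(seed))
    execution = RecordingExecution()
    # Constructed EUR_USD quotes standing in for OANDA's stream (not real data).
    ticks = [{"time": f"2015-01-05T09:00:{i % 60:02d}Z", "bid": round(1.19 + i * 1e-4, 5),
              "ask": round(1.1902 + i * 1e-4, 5)} for i in range(n_ticks)]
    stop = threading.Event()
    trade_thread = threading.Thread(target=trade, args=(events, strategy, execution, heartbeat, stop))
    price_thread = threading.Thread(target=stream_to_queue, args=(ticks, events))
    trade_thread.start()
    price_thread.start()
    price_thread.join()  # every tick is now on the queue
    stop.set()           # let the trade loop drain and exit
    trade_thread.join()
    return execution.orders
```

With ten ticks the strategy fires on ticks 5 and 10, so run_demo() returns two market orders for 10,000 units of EUR_USD.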

Saturday, 25 November 2017

Trojaned Ssh Daemon Component Hwclock Binary Options


Online Stock Trader Best. Each of these brokers has some features that set it apart from the others. Trade King: Trade King is a personal favourite of mine. Trade King's pricing structure is among the best in the industry for discount brokerages, including for investors who prefer to trade options. Online Stock Trader Best zero-risk binary options. Stock Momentum Trader Strategy 4 Online Course: Do you want to learn to trade like a stock exchange specialist? Learn how to identify the best high momentum. Trade King also offers to refund new customers up to 150 for transferring their assets to Trade King. Competition has forced innovation, cheap online trades and additional features such as education centres, articles, videos, free webinars, chat rooms and forums, social networks, free tax software to track gains and losses, and more. Hopefully you can use this information to find the discount brokerage that best fits your needs. Our goal is to show you some of the best values in the discount brokerage marketplace, and to show you some of the best features they offer. Online Discount Broker India offers Online Stock Trading Account, Online Stock Trading App and other benefits. We are the best discount brokerage firm in India. Online Stock Trader Best Binary Options Trade Calculator Xposed Autotrader. To find the best online trading site for beginners, we demoed the educational resources, customer support and user experience of eight popular platforms.
Online radio and video streaming service offering daily no-nonsense trader education, technical analysis and Wall Street commentary, giving definitive coverage. Trade free for 60 days and get up to 600 when you open an E TRADE Account. Options House offers the lowest prices for a standard online stock trade out of the brokerages listed in this review. They have an elegant and user-friendly interface, cheap stock trades, an exceptional learning centre, free webinars, free access to Maxit Tax Manager to track gains and losses, and more. Binary Options System 44 Scholastic Online Course. For more information, or to open a Trade King account, visit Online Stock Trader Best. A standard stock trade costs only 4.95, and options trades are among the best in the industry; see the Options House review for more. You make a living binary option. Buddy 4.0. Online brokerages have grown over the past several years, which is good for investors who like to participate in online stock trading. Trojaned Ssh Daemon Component Hwclock Binary Options. New customers can get free stock trades for 60 days when they open a new account and fund it with a 10,000 deposit within 60 days.
Not all of these features are available at all discount brokerage firms, and some brokers offer better value than others. We have focused on the more popular firms that consistently show up in industry awards, including those of Smart Money and Kiplinger's. Online Stock Trader Best age of shadows binary options. This brokerage comparison chart will give you some basic information about pricing structures, and below the comparison chart are some unique characteristics of each of these online brokerage firms. Online Stock Trader Best E TRADE: E TRADE is a full-service brokerage firm and an online bank, which makes it easy to link accounts and transfer funds to and from them. Liberated Stock Trader PRO Stock Market Training Technical Analysis Course: Take your destiny into your own hands, invest with confidence and give yourself an edge. While their trades are not the cheapest of the listed brokers, they offer a wide range of services and features not found with many other online discount brokers. How to make money in Galaxy On Fire 2. Online brokerages have grown by leaps and bounds in recent years, which is great for investors who like to participate in online stock trading. Online Stock Trader Best Options House was rated 1 by Barron's in user experience. 25 ways to make money. E TRADE has won many awards for both its brokerage services and its online savings accounts. Currency Forex Learn Online Trading Archive. This is a great brokerage for investors who are concerned about cost per trade.
Grsecurity Print version

grsecurity is a set of patches for the Linux kernel with an emphasis on enhancing security.
Its typical application is in web servers and systems that accept remote connections from untrusted locations, such as systems offering shell access to their users.

Work on grsecurity started in February 2001 as a port of the Openwall Project's security-enhancing patches for Linux 2.4. The first release of grsecurity was for Linux 2.4.1.

A major component bundled with grsecurity is PaX, a patch that among other things flags data memory, such as the stack, as non-executable and program memory as non-writable. The aim is to prevent executable memory pages from being overwritten with injected machine code, which prevents exploitation of many types of security vulnerabilities, such as buffer overflows. PaX also provides address space layout randomization (ASLR), which randomizes important memory addresses to hinder attacks that rely on such addresses being easily known. PaX is not itself developed by the grsecurity developers, and is also available independently of grsecurity.[1]

Role-based Access Control

Another notable component of grsecurity is that it provides a full role-based access control (RBAC) system. RBAC is intended to restrict access to the system further than what is normally provided by Unix access control lists, with the aim of creating a fully least-privilege system, where users and processes have the absolute minimum privileges needed to work properly and nothing more. This way, if the system is compromised, the attacker's ability to cause damage or obtain sensitive information on the system can be drastically reduced. RBAC works through a collection of roles. Each role can have individual restrictions on what it can or cannot do, and these roles and restrictions form a policy which can be amended as needed.

Basic restrictions

grsecurity restricts chroot in a number of ways to prevent a variety of vulnerabilities and privilege escalation attacks, and to add further checks and balances:

No attaching shared memory outside of chroot.
No kill outside of chroot.
No ptrace outside of chroot (architecture independent).

Other features

grsecurity also adds enhanced auditing to the Linux kernel. It can be configured to audit a specific group of users, mounts and unmounts of devices, changes to the system time and date, and chdir, among other things. Some of these also allow the administrator to log denied resource attempts, failed fork attempts, and exec calls with their arguments.

Trusted path execution is another optional feature that can be used to prevent users from executing binaries that are not owned by the root user, or that are world-writable. This is useful for preventing users from executing their own malicious binaries, or from accidentally executing system binaries that, being world-writable, could have been modified by a malicious user.

grsecurity also hardens the way chroot jails work. A chroot jail can be used to isolate a particular process from the rest of the system, which can be used to minimise the potential for damage should the service be compromised. There are, however, ways to break out of a chroot jail; grsecurity attempts to prevent this.

There are also other features that increase security and prevent users from gaining unnecessary knowledge about the system, such as restricting the dmesg and netstat commands to the root user.[2]

List of additional features and security improvements:

/proc restrictions that do not leak information about process owners.
Symlink/hardlink restrictions to prevent /tmp races.
Hardlink restrictions to prevent users from hardlinking to files they do not own.
FIFO (named pipe) restrictions.
dmesg(8) restriction.
Enhanced implementation of Trusted Path Execution.
Group-based socket restrictions.

This book uses many different terms, some of which have the same meaning. We have listed some of these terms and their definitions here. The book also contains inline links to relevant Wikipedia articles.
access control list: From a related Wikipedia article: An access control list (ACL) is a list of permissions attached to an object. The list specifies who or what is allowed to access the object, and which operations are allowed to be performed on the object. In the context of this book, an ACL is used to mean a single role or subject definition, or the entire policy file.

domain: With domains you can combine users who do not belong to the same group, as well as groups, so that they share a single policy. Domains work just like roles.

object: An object is a part of the system used by the programs running on the system. It can be an absolute path to a file or a directory, a capability, a system resource, a PaX flag, or network access (IP ACL).

policy: The policy is a system-wide set of rules that is enforced by grsecurity. A very good description is offered in the mandatory access control article: any operation by a subject on an object will be tested against the set of authorization rules (aka policy) to determine if the operation is allowed.

role: A role is an abstraction that encompasses the traditional users and groups that exist in Linux distributions, and special roles that are specific to grsecurity. Roles can be used to divide the responsibility for system administration into smaller logical areas, such as database administrator or DNS administrator. Compare this approach with having a single superuser, such as root, that is used to perform every administrative task on the system.

rules: The ruleset is used much the same way as access control list. It is perhaps more often used to refer to role or subject definitions than to the entire policy file.

subject: A subject uses and accesses objects, and the subject's ruleset enforces which objects it may use and in what manner. In practice a subject is most often a program running on the system.
In grsecurity a subject is defined as the absolute path to the program executable itself, for example /sbin/init, or to a directory, for example /lib/hal/scripts.

Downloading grsecurity

The following instructions walk you through downloading all the components needed to use grsecurity on your system. Download each component to the same directory on your computer:

- the latest stable version of grsecurity;
- the matching version of gradm, the administration utility for grsecurity;
- the full source code of the Linux kernel.

You also need the programs required to build, configure and install a custom kernel on your system. The preferred way of doing this, and the packages it requires, depend on the Linux distribution you use. If you run into problems configuring or installing the kernel, consult your distribution's documentation.

Download grsecurity

Point your browser to the grsecurity download page, click the download link and choose either a stable or a test patch. Since 9 September 2015, stable grsecurity patches are only available to commercial customers. In this document we install the latest stable grsecurity for kernel 3.2.50, and the patch file is named accordingly. All grsecurity packages carry a version string in their names. It contains both the version of the release itself and the kernel version it is meant for. For example, the version string 2.9.1-3.2.50-201308052151 says that this grsecurity release is version 2.9.1 and that it is meant for kernel version 3.2.50; the last part of the version string is a timestamp. In our case we downloaded the patch and its digital signature.

Download gradm

gradm is the administration utility for grsecurity's role-based access control system. Download the version that matches the version of the grsecurity patch you downloaded; gradm is on the same download page as grsecurity. In our case we downloaded the gradm tarball and its digital signature.
Download the Linux kernel

The grsecurity patches apply only to a vanilla kernel. Many distributions modify the official kernel with additional patches, so any kernel source package obtained through their package manager is very likely incompatible with grsecurity. For this reason we download the official, unmodified kernel from the kernel archive. Download the full kernel source and its signature file, and make sure the version matches the version of the grsecurity patch you downloaded; in this document that is 3.2.50. The required version is most likely not the latest, so you will have to fetch it from the archive rather than the front page. (Public support for kernel version 2.6.32.61 ended at the end of 2013.) If you have a terminal open, you can use the commands below to download both the kernel source and the signature to the current working directory.

NOTE: The versions of the grsecurity patch and the kernel must match exactly.

Verifying the downloads

The grsecurity and gradm packages are cryptographically signed so that users can verify that the source has not been modified since it was packaged. The public key used to sign them is on the same download page as grsecurity: scroll down until you see the heading "Verify these downloads with GPG"; under it is a link to the public key. Download the key to the directory where you placed grsecurity. Before you can verify the downloads you must import the grsecurity key into your public keyring with GNU Privacy Guard (GPG). If you are unfamiliar with GPG and want to know more, see the GNU Privacy Handbook. To import the key, run the following command in the directory where grsecurity and the key were downloaded. After importing the key, verify the downloaded grsecurity and gradm packages by running the commands below in the grsecurity directory.
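Two things go wrong in practice at this step: the kernel tarball does not match the kernel version baked into the patch name, and the result of gpg --verify is read from the human-readable output rather than from gpg's machine-readable status lines. The following Python script is an added example, not part of the book or of the grsecurity project, that checks both. The file-name layout it parses (grsecurity-<version>-<kernel>-<timestamp>.patch, gradm-<version>-<timestamp>.tar.gz, linux-<kernel>.tar.xz) is assumed from the version-string format described above, and the sample file names and gpg status lines are constructed for illustration.

```python
"""Check that a grsecurity patch, gradm tarball and kernel tarball belong together,
and classify gpg --status-fd output. Added example; not gradm's or the book's code.
File-name layouts below are assumptions derived from the version string format."""
import re
import subprocess

# Assumed layouts: grsecurity-<grsec>-<kernel>-<YYYYMMDDhhmm>.patch,
# gradm-<grsec>-<YYYYMMDDhhmm>.tar.gz, linux-<kernel>.tar.{xz,bz2,gz}
GRSEC_RE = re.compile(r"^grsecurity-(\d+(?:\.\d+)*)-(\d+(?:\.\d+)*)-(\d{12})\.patch$")
GRADM_RE = re.compile(r"^gradm-(\d+(?:\.\d+)*)-(\d{12})\.tar\.gz$")
KERNEL_RE = re.compile(r"^linux-(\d+(?:\.\d+)*)\.tar\.(?:xz|bz2|gz)$")


def parse_grsec_patch(name):
    m = GRSEC_RE.match(name)
    if not m:
        raise ValueError("not a grsecurity patch name: " + name)
    return {"grsec": m.group(1), "kernel": m.group(2), "stamp": m.group(3)}


def parse_gradm(name):
    m = GRADM_RE.match(name)
    if not m:
        raise ValueError("not a gradm tarball name: " + name)
    return {"grsec": m.group(1), "stamp": m.group(2)}


def parse_kernel(name):
    m = KERNEL_RE.match(name)
    if not m:
        raise ValueError("not a kernel tarball name: " + name)
    return {"kernel": m.group(1)}


def check_versions(patch, gradm, kernel):
    """Return a list of mismatch descriptions; an empty list means the three
    files belong together (patch kernel == tarball kernel, gradm == grsec)."""
    p, g, k = parse_grsec_patch(patch), parse_gradm(gradm), parse_kernel(kernel)
    problems = []
    if p["kernel"] != k["kernel"]:
        problems.append("patch is for kernel %s but tarball is %s" % (p["kernel"], k["kernel"]))
    if p["grsec"] != g["grsec"]:
        problems.append("gradm %s does not match grsecurity %s" % (g["grsec"], p["grsec"]))
    return problems


def classify_gpg_status(status_text):
    """Reduce gpg --status-fd lines to GOOD / BAD / NOKEY / UNKNOWN.
    A GOODSIG followed by TRUST_UNDEFINED is still GOOD: that trust line is the
    'not certified with a trusted signature' warning, not a failed signature.
    An expired or revoked signing key is treated as a failure here on purpose."""
    seen = set()
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) > 1 and parts[0] == "[GNUPG:]":
            seen.add(parts[1])
    if "BADSIG" in seen:
        return "BAD"
    if "NO_PUBKEY" in seen:
        return "NOKEY"
    if seen & {"ERRSIG", "EXPKEYSIG", "REVKEYSIG"}:
        return "BAD"
    if "GOODSIG" in seen:
        return "GOOD"
    return "UNKNOWN"


def verify_signature(sig_file, data_file):
    """Run gpg on a detached signature and classify the status output.
    Needs gpg installed and the grsecurity key already imported."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", sig_file, data_file],
                          capture_output=True, text=True)
    return classify_gpg_status(proc.stdout)


if __name__ == "__main__":
    # Constructed sample names; real downloads may be named differently.
    print(check_versions("grsecurity-2.9.1-3.2.50-201308052151.patch",
                         "gradm-2.9.1-201308052151.tar.gz", "linux-3.2.50.tar.xz"))
```

Only a GOOD classification should let the build continue; NOKEY means the grsecurity key was never imported, and BAD means the file on disk is not what was signed and must not be applied.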
Here is an example of a failed signature verification; the patch file was deliberately modified to make the verification fail. As long as GPG reports the signature as good, you need not worry about the warning that the key is not certified with a trusted signature: it only means you have not signed the grsecurity key with your own key, and it goes away if you do. If the verification of a file fails, that is, if you get a BAD signature message, do not use that file; download it again and verify again. The Linux kernel package is also signed; follow the instructions on the Linux kernel website to verify the kernel source. Once you have verified the downloaded files, you are ready to configure grsecurity.

Configuring and installing grsecurity

The following instructions walk you through patching the Linux kernel with grsecurity, configuring its features, and compiling and installing the patched kernel.

Patching your kernel with grsecurity

In this document the kernel source archive and the matching grsecurity patch are the files downloaded above, and both are in the same directory. Become root and run the following commands in the directory you downloaded the files to. The first command unpacks the Linux source package, and the second applies the patch to the kernel. You may need to install the patch program with your preferred package management tool.

Configuring the kernel

The kernel source package contains a generic configuration file that should work without significant changes. Your distribution may have its own process and tools for configuring and building the kernel, in which case consult its documentation. Nevertheless, go through the options and make sure they match your hardware and current setup. To configure the kernel using the default configuration as a base, change to the kernel source directory, for example /usr/src/linux-3.2.50, and execute the command below. You may need to install missing packages and libraries; follow the error messages for direction.
The interactive kernel configuration menu starts. In 3.x and 2.6 kernels the grsecurity options are under Security options > Grsecurity. A detailed description of each option and its effect on the system is available online on the page Grsecurity and PaX Configuration Options, or through the built-in help of the kernel configuration system. Make sure you understand each option before enabling or disabling it. Once you have exited the configuration menu, you can start it again with make menuconfig. It is recommended that you begin by setting Configuration Method to Automatic and then set Usage Type and the other options to suit your environment and needs. You can fine-tune all grsecurity and PaX settings in the Customize Configuration section if necessary.

Suggestions

Enable the sysctl interface (Grsecurity > Customize Configuration > Sysctl Support). It lets you change the options grsecurity runs with without recompiling the kernel, which is very useful, especially when you use grsecurity for the first time. Configuration Method = Automatic enables it by default.

Some auditing options produce many log messages, mainly exec and chdir logging (GRKERNSEC_EXECLOG and GRKERNSEC_AUDIT_CHDIR). If you enable either of them, make sure your logging system is configured to cope with the volume so that the logs do not flood. Check Grsecurity > Customize Configuration > Logging Options.

Compiling and installing the kernel

On Debian and Ubuntu

To compile the kernel and build a Debian package (.deb), execute the commands below in the kernel source directory. Ubuntu users should refer to the Ubuntu community page and decide whether they want to use the ubuntu-package overlay directory in the build. To build on Maverick from a git checkout, see How to build an Ubuntu 10.10 kernel. To install the newly created Debian package, run:
For more information about building kernels on Debian, see the Debian Linux Kernel Handbook.

Other distributions

Compilation differences

As you compile a kernel patched with grsecurity you will notice some differences. One of them appears toward the end of the compilation and may look like the following. This warning is harmless, as the PaX team explained on the grsecurity mailing list. You will also notice additional compiler warnings when compiling a kernel patched with grsecurity. They come from extra warning flags added to the build to help catch certain types of bugs, and you can ignore them.

Prerequisite steps

Proprietary NVIDIA driver patching

If you use grsecurity on a desktop and plan to use the proprietary NVIDIA drivers, you must patch them to work properly with grsecurity. To do this, follow these steps:

1. Download the NVIDIA driver file from NVIDIA's website.
2. Download the PaX patch for the NVIDIA driver.
3. Run sh <name of NVIDIA file> -x to unpack it.
4. cd into the unpacked directory (the basename of the NVIDIA file).
5. Install the driver by running nvidia-installer.

The administration utility

gradm, the administration utility for the role-based access control system, is a powerful tool that parses your ACLs (access control lists), enforces a secure base policy, optimizes the ACLs, and also parses the learning logs, merges them with your ACL set and outputs the final ACLs. Before installing gradm, boot into your patched grsecurity kernel: you can compile gradm under any kernel you like, but the installation fails if the kernel does not support grsecurity.

Installation

If your Linux distribution provides prebuilt grsecurity kernel packages, it will very likely also provide a package for gradm. If so, consider using it instead of compiling gradm yourself.
Before you compile and install gradm, you must have the following programs installed: lex or flex, and byacc or bison. If you need Pluggable Authentication Modules (PAM) support, install the PAM header files for your system; the package containing them is most likely called libpam-dev or similar. Note that if you compile gradm on a standard Linux kernel without grsecurity support, the compilation fails, and you will only be able to compile after booting into the new grsecurity-enabled kernel.

Change to the directory you downloaded gradm and grsecurity to earlier. Unpack the compressed gradm package and change into the gradm directory by executing the following commands. To build gradm with PAM support, run the following as a non-root user.

NOTE: Watch the output from make. Make sure you do not see a line near the end that says "Unable to detect PAM headers, disabling PAM support". If you do, install the PAM header files and run make again.

To build gradm without PAM support, run the following instead. Finally, as root, run the install target. The installation process does the following:

- installs the gradm and grlearn programs to /sbin;
- creates the directory /etc/grsec and, if they are not already present, two files in it, learn_config and policy;
- installs gradm's man pages to /usr/share/man/man8 (grlearn has no man page; it is used internally by gradm);
- finally, and most importantly, if this is the first time you install gradm on the system, asks you for the administrative password of the RBAC system. Choose a long password, but one you will remember, especially if you start gradm from an init script. Do not reuse your root password.

If you need to change any of the binary or man page locations, edit the Makefile. To display all available command-line switches, run gradm --help.

Learning mode

The learning mode is unlike anything found in other security systems.
grsecurity's learning mode can be used per subject or per role, as well as system-wide. When you use learning mode on a single process or role, the rest of the system remains protected as defined by the policy. Learning mode can learn everything the RBAC system supports: files, capabilities, resources, which IP addresses use each role, and socket usage. The learning system performs intelligent reduction of filesystem and network accesses to reduce policy size, increase readability, and reduce the manual tweaking needed afterwards. It also enforces a configurable secure base: the /etc/grsec/learn_config file lets the administrator specify files and directories the learning system should treat as protected resources. Regardless of the rule reduction performed, only processes that access the protected resources during normal use are granted access to them in the generated policy. Furthermore, the learning system creates new subjects for the processes that access protected resources, creating privilege boundaries that give those processes extra protection.

Full system learning

To enable full system learning, run gradm as root with the following options. This enables the Role-Based Access Control (RBAC) system and initiates full system learning: gradm monitors and logs what your system does, and the log can then be used to build a least-privilege policy for the system. Run and use the applications you normally do, several times. This matters because learning mode uses a threshold to decide whether access should be granted to a file or to its directory: if four or more similar accesses are made in a single directory (such as writing to several files in /tmp), access is granted to that directory instead of the individual files. This reduces the number of rules and ensures the application will work correctly after the final ACLs are compiled.
Do not perform any administrative tasks outside of the admin role while full system learning is enabled. To perform administrative tasks while full system learning is enabled, authenticate to the admin role as described under Special Roles (gradm -a with the role name). Remember to exit your shell or unauthenticate from the admin role with gradm -u when you are done.

Once you feel you have given the system the normal usage it would see in real life, disable the RBAC system with gradm -D. Disabling RBAC is a necessary step, as it forces the learning daemon to flush its buffers to disk; learning logs read before RBAC has been disabled produce incomplete results. Once RBAC is disabled, execute the following. This places the newly learned ACLs at the end of your ruleset. You can test the policy by enabling grsecurity (run gradm -E) and making sure all applications function the way they are supposed to.

Process and role-based learning

Using this learning mode is very simple. All you have to do is add l (the lowercase letter L, not the digit 1) to the subject mode of the process you want to enable learning for. To learn all necessary access for a given binary that does not yet have an established policy, add the following subject. To learn on a given role, add l to the role mode. In both cases, enable learning by enabling the system as follows. When you are done, disable the ACL system with gradm -D, or alternatively go into admin mode with gradm -a and use the following. This places the newly learned ACLs at the end of your ruleset; simply remove the old ACLs and you are ready to go.

/etc/grsec/learn_config

This configuration file aids the learning process by tweaking the learning algorithm for specific files and directories. It accepts lines consisting of a command followed by a path.
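To make the threshold rule from Full System Learning and the learn_config path commands concrete, here is an added Python illustration of the reduction step; it is not gradm's code and simplifies what the learning daemon does. It takes learned file accesses, merges four or more same-mode accesses inside one directory into a single directory object (the threshold the text gives), and honours dont-reduce-path (never collapse) and always-reduce-path (always collapse to the named path). The access record format, the object-mode letters used in the sample, and the policy rendering are assumptions; the sample accesses and learn_config are constructed.

```python
"""Simplified re-implementation of learning-mode rule reduction. Added example,
not gradm's code. Threshold of four accesses per directory is from the text;
the (subject, path, mode) record format is an assumption."""
import posixpath
from collections import defaultdict

THRESHOLD = 4  # same-mode accesses in one directory before the directory is granted

# Constructed learn_config: /etc must never be reduced, /var/cache/app always is.
SAMPLE_LEARN_CONFIG = """
# constructed example
dont-reduce-path /etc
always-reduce-path /var/cache/app
"""

# Constructed learning records as (subject, path, mode).
SAMPLE_ACCESSES = (
    [("/usr/bin/app", "/tmp/" + n, "w") for n in "abcd"] +          # 4 writes -> /tmp w
    [("/usr/bin/app", "/etc/app/" + n, "r") for n in "wxyz"] +      # 4 reads, but protected
    [("/usr/bin/app", "/var/cache/app/x/y", "rw"),
     ("/usr/bin/app", "/var/cache/app/z", "rw")]                     # 2 -> always reduced
)


def parse_learn_config(text):
    """Lines are '<command> <path>'; returns {command: [paths]}."""
    cfg = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        cmd, path = line.split(None, 1)
        cfg[cmd].append(path.rstrip("/") or "/")
    return cfg


def _under(path, prefix):
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def reduce_accesses(accesses, learn_config):
    """Return a sorted list of (subject, object_path, mode) policy entries."""
    always = learn_config.get("always-reduce-path", [])
    dont = learn_config.get("dont-reduce-path", [])
    rules = set()
    by_dir = defaultdict(set)  # (subject, directory, mode) -> {paths}
    for subject, path, mode in accesses:
        hits = [p for p in always if _under(path, p)]
        if hits:  # always-reduce-path: collapse to the longest matching path
            rules.add((subject, max(hits, key=len), mode))
            continue
        by_dir[(subject, posixpath.dirname(path), mode)].add(path)
    for (subject, directory, mode), paths in by_dir.items():
        protected = any(_under(directory, p) for p in dont)
        if len(paths) >= THRESHOLD and not protected:
            rules.add((subject, directory, mode))  # grant the directory instead
        else:
            for p in paths:
                rules.add((subject, p, mode))
    return sorted(rules)


def format_policy(rules):
    """Render entries as subject blocks in the policy file's shape (simplified)."""
    out, current = [], None
    for subject, obj, mode in rules:
        if subject != current:
            if current is not None:
                out.append("}")
            out.append("subject %s o {" % subject)
            current = subject
        out.append("\t%s\t%s" % (obj, mode))
    if current is not None:
        out.append("}")
    return "\n".join(out)


def demo():
    return reduce_accesses(SAMPLE_ACCESSES, parse_learn_config(SAMPLE_LEARN_CONFIG))


if __name__ == "__main__":
    print(format_policy(demo()))
```

The point of dont-reduce-path shows in the /etc case: even though four reads hit the same directory, the rules stay per file, so a later compromise of the subject cannot read other files that appear in /etc/app afterwards.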
The command can be inherit-learn, no-learn, inherit-no-learn, high-reduce-path, dont-reduce-path, always-reduce-path, protected-path, read-protected-path or high-protected-path. inherit-learn, no-learn and inherit-no-learn only affect full system learning, while the others work in all modes of learning.

- inherit-learn changes the learning process for the specified path by throwing all learned accesses for every binary executed by the processes contained in the pathname into the subject specified by the pathname. This is useful for cron in the case of full system learning, so that scripts that eventually execute mv or rm with privilege do not cause the root policy to grant that privilege to mv or rm in all cases.
- no-learn allows processes within the path to perform any operation that normal system usage would allow, without restriction. If a process generates a huge number of learning logs, it may be best to use this command on that process and configure its policy manually.
- inherit-no-learn combines the above two cases, so that processes within the specified path can perform any normal system operation without restriction, as can any binaries executed by those processes.
- high-reduce-path modifies the heuristics of the learning process to weigh in favor of reducing accesses for this path.
- dont-reduce-path modifies the heuristics so that accesses for this path are never reduced.
- always-reduce-path modifies the heuristics so that all files and directories within the specified path are always reduced to the path itself.
- protected-path specifies a path on your system that is considered an important resource. Any process that modifies one of these paths is given its own subject in the learning process, facilitating a secure policy.
- read-protected-path specifies a path on your system that contains sensitive information. Any process that reads one of these paths is given its own subject in the learning process, facilitating a secure policy.
- high-protected-path specifies a path that should be hidden from all processes except those that access it directly. It is recommended for highly sensitive files.

Note that regular expressions are not supported for pathnames in this configuration file.

Examples

The command pspax -p <pid> displays information about a specific process, identified by its PID. It is unlikely that you know or remember the PID of a process, so it is easier to refer to it by name. The example below uses the pidof command to find the PID of a process and passes it to pspax.

Managing the executable stack of binaries (execstack)

execstack is a tool to set, clear or query the executable stack flag of ELF binaries and shared libraries. It is part of the prelink program, but your Linux distribution may provide it as a separate package.

Installation

You are very likely to find the prelink and/or execstack packages in your distribution's package management system; at least Gentoo, Debian, Red Hat and distributions based on them provide them. To display all available command-line switches, run execstack --help. Read the man page for more detailed information; an online version of the man page is also available.

Examples

To check whether a library has an executable stack enabled, run execstack in query mode on it. A dash in the output means libcrypto does not require an executable stack; if it did, the line would start with a capital X instead of a dash. To query the status of all libraries on your system, run the command below.

What is an RBAC system
A role-based access control (RBAC) system is an approach to restricting system access to authorized users. You need an RBAC system if you want to restrict access to files, capabilities, resources or sockets for all users, including root; this is similar to a Mandatory Access Control (MAC) model. The other features of grsecurity are only effective at fending off attackers trying to gain root, so the RBAC system fills that gap. Least privilege can be granted to processes, which forces attackers to re-evaluate their methods, since gaining access to the root account no longer means full access to the system. Access can be explicitly granted to the processes that need it, in such a way that root acts like any other user. Though grsecurity and its RBAC system are by no means perfect security, they greatly increase the difficulty of successfully compromising the system.

In grsecurity the RBAC system is managed through a policy file, which is essentially a system-wide set of rules. When the RBAC system is activated with gradm, the policy file is parsed and checked for security holes, such as granting the default role access to sensitive devices and files like the policy file itself. If a security hole is found, gradm refuses to enable the RBAC system and gives the user a list of things that need to be fixed. The policy file is protected while the RBAC system is active, and only the admin role may access it during that time. To make it easier to create a secure policy, gradm can learn how the system functions and build a least-privilege policy from the collected data (see Learning Mode).

Limitations of any access control system

So as not to contribute further to the false sense of security many have regarding access control systems, whether grsecurity's RBAC, SELinux, RSBAC, SMACK, TOMOYO, AppArmor or others, it is important first to describe the limitations of any access control system.
There is a fundamental architectural limitation to the kind of guarantees an access control system can provide when the policy decision-making code resides alongside the operating system's kernel. A compromise of the operating system can easily result in compromise of the access control system, and it is common practice for exploits that compromise the kernel to disable any active security systems.

grsecurity is in no way immune to this fundamental limitation, though it contains several features to help prevent exploitation of the kernel in the first place, and to make the kernel a more hostile environment for an attacker who does manage to exploit certain types of bugs. The project will continue to make adding similar protections one of its main goals. Specifically, the following features are involved in kernel self-protection and in increasing the difficulty of kernel exploitation. There are also features of grsecurity that are always active, and thus have no configure-time option, which aid the same goals. These include the read-only and non-executable vsyscall page and its shadow page on amd64, hardening of the BPF interpreter buffers, and many more.

Though these features have prevented exploitation of previous vulnerabilities, and surely will continue to do so, there have still been many vulnerabilities they did nothing to prevent exploitation of, and there are entire classes of vulnerabilities (such as missing capability checks and some race conditions) that they can likely never do anything about.

It is partly because of this fundamental limitation of any access control system that grsecurity's RBAC system was designed as it was: to be as automated as possible, to provide a sufficient level of access control, to have easily editable, human-readable configurations, and to enforce secure base policies to eliminate some administrator error.
Neither grsecurity's RBAC system nor any other access control system should be used to separate classified information from unclassified information on the same machine. There is no virtual replacement for a physical air gap.

Policy structure

The policy is made up of roles, subjects and objects. A role is an abstraction that encompasses the traditional users and groups that exist in Linux distributions, and special roles that are specific to grsecurity. Subjects are processes or directories, and objects are files, capabilities, resources, PaX flags and IP ACLs. The main policy file is /etc/grsec/policy.

Policy structure in a nutshell

To see a small example policy, look at the default /etc/grsec/policy file installed with gradm. In a nutshell, RBAC policies have the following structure, using the default policy as an example.

Rules for policies

Policy generalization

The RBAC system has some features to aid in simplifying and generalizing policies. One of these is the replace rule, which lets you assign a string to a variable and then use that variable within any subject or object pathname to have it replaced with the string. The syntax of a replace rule, and the use of the defined variable, are shown below. Variables defined with replace rules can be reassigned anywhere in the policy; all rules that follow, up to the next redefinition of the variable, use the newly assigned value. In the example below, the redefinition causes the object rules listed after it to be created with the new value.

Special cases

There are some special cases you should know about when writing policies for the RBAC system. Some accesses to filesystem objects require specific object modes. For instance, a process that connects to a Unix domain socket (/dev/log, for example) needs rw set as the object mode for that socket. Adding the setgid or setuid flag to a path requires the m object mode.
Creating a hard link requires at minimum the cl object mode, and the remaining object flags must match on the target and the source. So, for instance, if a process creates a hard link from /bin/bash to /bin/bash2, example rules would be as follows. Creating a symlink requires the wc object mode.

Wildcarded objects

One very useful feature of the RBAC system is support for wildcards in objects. The * character matches zero or more characters, ? matches exactly one character, and [...] specifies an inclusive or exclusive list or range of characters to match. Depending on how these wildcard characters are used they have different effects. Consider four examples of wildcard use:

- The first example would match /dev/ttya, /dev/tty0, /dev/ttyS0, etc. Since a * at the end of a path can match the / character as well, if a /dev/tty/somefile path existed, the first example would match it too.
- The second example would match /home/user1/bin, /home/user2/bin, etc. Note that this rule would not match the path /home/user1/test/bin, because wildcard characters do not match / unless the wildcard appears at the end of the path. To use this wildcarded object, a /home object must exist as an anchor for it; if you forget to add one, gradm will remind you.
- The third example would match /dev/tty0, /dev/tty1, ..., /dev/tty9 and nothing else.
- The fourth example would match /dev/ttya and /dev/tty0 just like the first example, but would not match /dev/ttyS0, since only one character can match the wildcard.

Wildcards are evaluated at run time, providing a powerful way of specifying and simplifying policy. Since wildcard matching is based on pathnames and not on inode/device pairs, though, wildcards are not intended for objects that are known to be hard-linked at policy enable time.
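The four examples above are easier to reason about with a matcher in hand. The following Python is an added illustration, not gradm's matcher, implementing the semantics the text states: * and ? never cross a /, except that a * at the very end of a pattern may match the rest of the path including /; [...] is a set or range, with a leading ! taken as exclusion (that exclusion syntax, and that ? does not match /, are assumptions). It also checks the anchor requirement: the directory holding the first wildcarded component must itself be a plain object. The four patterns are reconstructed from the book's description of what they match.

```python
"""grsecurity object wildcard semantics, re-implemented as an added example
(not gradm's code). Assumptions: '?' does not match '/', '[!...]' excludes,
and a wildcarded object's anchor is the directory containing its first
wildcarded path component."""
import re

# Reconstructed from the text's four examples; not copied from the book.
EXAMPLE_PATTERNS = ["/dev/tty*", "/home/*/bin", "/dev/tty[0-9]", "/dev/tty?"]


def wildcard_to_regex(pattern):
    """Translate an object pattern to an anchored regular expression."""
    parts, i, n = [], 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "*":
            # Only a trailing * may swallow '/' (matches a whole subtree).
            parts.append(".*" if i == n - 1 else "[^/]*")
        elif c == "?":
            parts.append("[^/]")
        elif c == "[":
            j = pattern.find("]", i + 1)
            if j == -1:
                parts.append(re.escape(c))  # unterminated set: literal '['
            else:
                body = pattern[i + 1:j]
                if body.startswith("!"):
                    body = "^" + body[1:]
                parts.append("[" + body + "]")
                i = j
        else:
            parts.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(parts) + "$")


def match_object(pattern, path):
    return wildcard_to_regex(pattern).match(path) is not None


def matching_patterns(path, patterns=EXAMPLE_PATTERNS):
    """Which of the given object patterns cover this path."""
    return [p for p in patterns if match_object(p, path)]


def anchor_of(pattern):
    """Plain directory object that must exist before this wildcarded object
    can be used, or None if the pattern contains no wildcard."""
    comps = pattern.split("/")
    for i, comp in enumerate(comps):
        if any(ch in comp for ch in "*?["):
            return "/".join(comps[:i]) or "/"
    return None


def missing_anchors(object_paths):
    """Wildcarded objects whose anchor directory is not a plain object in the
    same list; gradm refuses such a policy, this reports the same condition."""
    plain = {p for p in object_paths if anchor_of(p) is None}
    return [p for p in object_paths
            if anchor_of(p) is not None and anchor_of(p) not in plain]


if __name__ == "__main__":
    for path in ["/dev/ttya", "/dev/ttyS0", "/dev/tty/somefile",
                 "/home/user1/bin", "/home/user1/test/bin"]:
        print(path, "->", matching_patterns(path))
    print("missing anchors:", missing_anchors(["/home/*/bin", "/dev/tty*", "/dev"]))
```

Because matching is by pathname, a second hard link to a file covered by one of these patterns is not covered unless its own name matches, which is the hard-link caveat the text ends with.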
Roles exist essentially as a container for a set of subjects, put to use in specific scenarios. There are user roles, group roles, a default role, and special roles. See Flow of Matches to see how a role gets matched with a particular process.

User roles

In simplified form, user roles are roles that are automatically applied when a process is either executed by a user with a particular UID or changes to that UID. In the RBAC system the name of a user role must match the name of an actual user on the system. A user role looks like this:

Group roles

As with user roles, group roles pertain to a particular GID. The name of the group role must match the name of an actual group on the system. Note that this is tied only to the GID of a process, not to any supplementary groups the process may have. Group roles are applied to a process only if no user role matches the process UID. A group role looks like this:

Default role

If neither a user nor a group role matches a process, it is assigned the default role. The default role should ideally have nearly no access to the system, and it is configured that way when full system learning is used. A default role looks like this:

Special roles

Special roles are used for granting extra privilege to normal user accounts. One example use is an admin role that can restart services and edit system configuration files. Special roles can also be provided to regular users to keep their accounts more secure: if a user has a public_html directory, the user role could keep that directory read-only, while a special role the user is allowed to transition to could allow modifying the files in it.
Special roles come in two flavors: ones that require authentication and ones that do not. For special roles that require authentication, the RBAC system supports a flag that allows PAM authentication to be used for the role; see Role Modes for a list of all these flags. Special roles by themselves do nothing unless there are non-special user, group or default roles that can transition to them. This transitioning is defined by the role_transitions rule, described in the Role Attributes page. To authenticate to a special role, use gradm -a rolename. To authenticate with PAM to a special role, use gradm -p rolename. To transition to a special role that requires no authentication, use gradm -n rolename. Special roles look like this:

Domains

With domains you can combine users that do not share a common group ID, as well as groups, so that they share a single policy. Domains work just like roles, the only exception being that the line starting with role is replaced with one of the following. As with user and group roles, all domain members must exist; if they do not, an error is raised.

Subjects

Subjects can describe directories, binaries or scripts. Regular expressions are currently not permitted for subjects. The ability to place a subject on a script is unique, as it permits granting privilege to a specific script instead of generally to the script's interpreter. For this to work, make sure the script's interpreter directive does not use /usr/bin/env but the full path to the interpreter.

Capability restrictions
When no capability restriction rules are used for a given subject, all capabilities that the system normally grants to processes within that subject may be used. The exception is a subject that uses policy inheritance; in that case the capability restrictions come from the subject being inherited from. Capability rules have the form +CAP_NAME or -CAP_NAME. CAP_ALL is a pseudo-capability describing the entire list of capabilities; it is mainly used to remove all capability usage from a subject, or together with a small number of rules granting individual capabilities. Below are some example scenarios of capability restriction usage, with an explanation of how the policy is interpreted.

Scenario 1: we remove all capabilities from su except CAP_SETUID and CAP_SETGID.

Scenario 2: we make use of policy inheritance. Note that the default subject allows CAP_NET_BIND_SERVICE and CAP_NET_RAW. In our ping subject we remove CAP_NET_BIND_SERVICE, but since we inherit from the default subject (note the lack of the o subject mode on the ping subject), CAP_NET_RAW is still allowed. Granting important capabilities to default subjects is not something the RBAC system allows, so this is just an example.

Auditing and suppression: auditing of attempted capability use and suppression of denied capability usage are also possible, and follow the same policy inheritance rules as normal capability rules. The example below audits use of CAP_NET_RAW and suppresses CAP_NET_BIND_SERVICE denials.

For a full listing of the capabilities available, see Capability Names and Descriptions. Note that not all of the capabilities listed may be supported by your particular version of the Linux kernel.

Resource restrictions
One of the features of grsecurity's ACL system is process-based resource restrictions. This feature lets you restrict things like how much memory a process can take up, how much CPU time it can use, how many files it can open, and how many processes it can execute. This section also covers a fake resource implemented in grsecurity's ACL system, RES_CRASH, which helps guard against brute-force exploit attempts; it is necessary if you are using PaX, because PaX turns what would otherwise be a successful exploit into a crash, and repeated crashes of the same binary are the signature of an attacker guessing randomized addresses.

A single resource rule follows the following syntax.

An example of this syntax would be the following.

This would allow the process to open a maximum of three files; every process has three open file descriptors at some point: stdin (standard input), stdout (standard output) and stderr (standard error output).

To clarify what the soft limit and hard limit are: the soft limit is the limit assigned to the process when it is run. The hard limit is the maximum to which a process can raise the soft limit via setrlimit(2), unless it has CAP_SYS_RESOURCE. In the case of RES_CPU, when the soft limit is overstepped a special signal (SIGXCPU) is sent to the process continuously; when the hard limit is overstepped, the process is killed.

Someone less familiar with Linux should stick to setting limits on the number of files, the address space limit, and the number of processes. Of course, you can always use grsecurity's learning mode to set the resource limits for you. RES_CPU is the only resource that accepts time as its limits. The time defaults to units of milliseconds; you can also append a case-sensitive unit to your limit. Some examples:

- 100s: 100 seconds
- 25m: 25 minutes
- 65h: 65 hours

The other resources operate either on a plain number or on a size in bytes. For these you can use the units K, M and G, as in:

- 2G: 2 billion
- 25M: 25 million
- 100K: 100 thousand

If you do not want any restriction on the soft or hard limit of a resource, use "unlimited" as the limit. Here are some more examples to help you understand how this works.
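The unit handling and soft/hard semantics described in this section (and repeated in the System Resources table further down), as an added example that is not part of gradm: a small parser for "RES_NAME soft hard" rules, plus a model of the RES_CRASH threshold that the next subsection describes. The multipliers follow the text as written (decimal, so 2G is 2 billion), the rejection of a soft limit above a finite hard limit is an assumption drawn from the setrlimit(2) description above, and "one crash tolerated per window, the next one trips it" is an assumption about how RES_CRASH counts.

```python
"""Parse grsecurity RBAC resource rules and model their unit handling.

Added example (not part of gradm): RES_CPU limits are times in
milliseconds by default with case-sensitive s/m/h suffixes; all other
resources take a count or a byte size with K/M/G suffixes, using the
decimal multipliers the text gives (2G = 2 billion); "unlimited" is
accepted for either limit; RES_CRASH takes a crash count and a time
window. Assumption: a soft limit above a finite hard limit is an error,
since the hard limit is the ceiling setrlimit(2) may raise the soft
limit to.
"""
import re

UNLIMITED = None  # sentinel value for "unlimited"

TIME_UNITS = {"": 1, "s": 1000, "m": 60 * 1000, "h": 60 * 60 * 1000}
SIZE_UNITS = {"": 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}


def parse_limit(token, units):
    """Turn '25m', '2G', '3' or 'unlimited' into an integer (ms or bytes)."""
    if token == "unlimited":
        return UNLIMITED
    m = re.fullmatch(r"(\d+)([A-Za-z]?)", token)
    if not m or m.group(2) not in units:  # suffix is case sensitive: 100S is rejected
        raise ValueError(f"bad limit {token!r}")
    return int(m.group(1)) * units[m.group(2)]


def parse_resource_rule(line):
    """Return (name, soft, hard) for 'RES_NAME soft hard', or
    (RES_CRASH, crashes, window_ms) for the fake RES_CRASH resource."""
    parts = line.split()
    if len(parts) != 3 or not parts[0].startswith("RES_"):
        raise ValueError(f"expected 'RES_NAME soft hard': {line!r}")
    name, soft_tok, hard_tok = parts
    if name == "RES_CRASH":
        window = parse_limit(hard_tok, TIME_UNITS)
        if window is UNLIMITED:
            raise ValueError("RES_CRASH needs a finite time window")
        return name, int(soft_tok), window
    units = TIME_UNITS if name == "RES_CPU" else SIZE_UNITS
    soft, hard = parse_limit(soft_tok, units), parse_limit(hard_tok, units)
    if hard is not UNLIMITED and (soft is UNLIMITED or soft > hard):
        raise ValueError(f"soft limit exceeds hard limit: {line!r}")
    return name, soft, hard


def res_crash_tripped(crash_times_ms, crashes, window_ms):
    """True once more than `crashes` crashes fall within any window_ms span,
    the point at which the RBAC system kills the binary's processes and
    locks the binary (or, for suid/sgid binaries, the user) out for window_ms.
    Assumption: 'RES_CRASH 1 30m' tolerates one crash per window; the second
    crash inside the window trips it."""
    times = sorted(crash_times_ms)
    for i, t in enumerate(times):
        in_window = sum(1 for u in times[: i + 1] if u > t - window_ms)
        if in_window > crashes:
            return True
    return False


if __name__ == "__main__":
    for rule in ("RES_NOFILE 3 3", "RES_CPU 100s 25m", "RES_AS 2G unlimited",
                 "RES_FSIZE 5K 5K", "RES_CRASH 1 30m"):
        print(rule, "->", parse_resource_rule(rule))
    # two crashes ten minutes apart against a 30 minute window
    print(res_crash_tripped([0, 10 * 60 * 1000], 1, 30 * 60 * 1000))
```

The check that rejects a soft limit above the hard limit is worth keeping in any policy linter: gradm's learning mode never produces such a rule, but hand-edited policies do, and the kernel will silently clamp rather than warn.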
For a list of accepted resource names and units, see System Resources.

RES_CRASH

This fake resource limit is expressed using the name RES_CRASH and has the following syntax.

For example, if you wanted to allow the program to crash once every 30 minutes, you would use the following.

What happens when this threshold is reached? The only way to ensure that the process will not crash again is to keep it from being executed. If the process is a suid/sgid binary run by a regular user, all processes of that user are killed and the user is kept from logging in for the amount of time specified as the second parameter of the RES_CRASH resource; so for the example above, the user would be locked out of the system for 30 minutes. If the process is not a suid/sgid binary, the binary is simply kept from being run again for the amount of time specified as the second parameter, after all processes of that binary have been killed.

Socket Policies

The RBAC system supports policies on what local IP addresses and ports can be reserved on the machine, as well as what remote hosts and ports can be communicated with. These two kinds of access are abstracted into bind and connect rules, respectively. The syntax for the rules is as follows.

proto can be any of the protocol names listed in /etc/protocols, or anyproto to denote any protocol. The socket type is most commonly ip, dgram or stream, but can also be rawsock, rdm or anysock to denote any socket type. Most of the parameters for these rules are optional, particularly the netmask and the port or port range. If a port is supplied, then at least an IP address of 0.0.0.0/0 needs to be supplied.
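The bind/connect rule syntax just described, as an added example that is not gradm's code: a parser for the rule forms (address with optional netmask and port or port range, socket type and protocol, the "disabled" form, and the per-interface and inverted forms described further down), a check for the connect-without-bind error that newer gradm raises, and a matcher that decides whether a given bind or connect is permitted. Several points are assumptions and are marked as such in the code: the inverted form is written with a leading "!", a subject with no socket rules at all is unrestricted while a subject that has some rules but none for the kind of access requested is treated as disabled, and an access is permitted when any rule of that kind matches.

```python
"""Model of grsecurity RBAC socket policies.

Added example, not gradm's code. It parses bind/connect rules of the form
'connect <ip>[/<mask>][:<port>[-<port>]] [<socktype>] [<proto>]', the
'disabled' form, per-interface rules ('bind eth0:80 stream tcp') and
inverted rules (written here with a leading '!', an assumption about the
exact spelling; check it against your gradm version). Assumptions made
by the matcher: a subject with no socket rules at all is unrestricted;
a subject that has socket rules but none for the access kind requested
is treated as 'disabled' (the older-gradm behaviour the text describes,
and what validate_subject_rules refuses for connect-without-bind); and
an access is permitted when any rule of that kind matches, an inverted
rule counting as a match when its pattern does not match.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class SockRule:
    kind: str                                   # "bind" or "connect"
    disabled: bool = False
    inverted: bool = False
    net: Optional[ipaddress.IPv4Network] = None  # None for interface rules
    iface: Optional[str] = None
    ports: tuple = (0, 65535)                   # inclusive range, any port by default
    socktype: str = "anysock"
    proto: str = "anyproto"


def parse_sock_rule(line):
    parts = line.split()
    if not parts or parts[0] not in ("bind", "connect"):
        raise ValueError(f"rule must start with bind or connect: {line!r}")
    rule, rest = SockRule(kind=parts[0]), parts[1:]
    if rest == ["disabled"]:
        rule.disabled = True
        return rule
    if rest and rest[0] == "!":
        rule.inverted, rest = True, rest[1:]
    if not rest or len(rest) > 3:
        raise ValueError(f"malformed socket rule: {line!r}")
    target, *opts = rest
    addr, _, portspec = target.partition(":")
    if portspec:
        lo, _, hi = portspec.partition("-")
        rule.ports = (int(lo), int(hi or lo))
        if not 0 <= rule.ports[0] <= rule.ports[1] <= 65535:
            raise ValueError(f"bad port range in {line!r}")
    if not addr:
        # the text's rule: a port requires at least an address of 0.0.0.0/0
        raise ValueError(f"port given without an address: {line!r}")
    if addr[0].isdigit():
        rule.net = ipaddress.ip_network(addr if "/" in addr else addr + "/32", strict=False)
    else:
        rule.iface = addr   # per-interface rule: no IP/netmask allowed here
    if opts:
        rule.socktype = opts[0]
    if len(opts) == 2:
        rule.proto = opts[1]
    return rule


def validate_subject_rules(rules):
    """gradm 2.1.14 and later reject a subject with connect rules but no bind rule."""
    if any(r.kind == "connect" for r in rules) and not any(r.kind == "bind" for r in rules):
        raise ValueError("connect rules given without any bind rule (add 'bind disabled')")


def _matches(rule, ip, port, socktype, proto, iface):
    if rule.iface is not None:
        if iface != rule.iface:
            return False
    elif ipaddress.ip_address(ip) not in rule.net:
        return False
    if not rule.ports[0] <= port <= rule.ports[1]:
        return False
    if rule.socktype not in ("anysock", socktype):
        return False
    return rule.proto in ("anyproto", proto)


def socket_allowed(rules, kind, ip, port, socktype="stream", proto="tcp", iface=None):
    """Decide whether a bind or connect by this subject is permitted."""
    if not rules:
        return True          # no socket policy: whatever the system normally allows
    relevant = [r for r in rules if r.kind == kind]
    if not relevant or any(r.disabled for r in relevant):
        return False
    return any(_matches(r, ip, port, socktype, proto, iface) != r.inverted for r in relevant)


# constructed policy for an ssh client: outbound ssh on one class C, DNS to one host
SSH_RULES = [parse_sock_rule(l) for l in (
    "connect 192.168.0.0/24:22 stream tcp",
    "connect 10.0.0.53:53 dgram udp",
    "bind disabled",
)]
validate_subject_rules(SSH_RULES)
```

Hostnames are deliberately not accepted by this parser: gradm resolves them once, when the policy is enabled, so a rule written against a name is really a rule against whatever address DNS returned at that moment, and a policy review should treat it that way.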
As with capability restrictions, resource restrictions and many other RBAC features, if the socket policies are omitted for a given subject, the subject is allowed to bind or connect to anything normally allowed by the system. Note, though, that if a connect rule is given, at least one bind rule must also be specified. Older versions of gradm (before the 2.1.14 release of 2009-09-16) treat the unspecified rule as a disabled rule, whereas newer versions generate an error on such policies.

Unlike file objects and capabilities, policy inheritance has not been implemented for socket policies. The socket policies for a given subject are therefore determined solely by that subject.

Here are some example rules.

In this example, ssh is allowed to connect to ssh servers anywhere on the class C 192.168.0.x network. It is also allowed to do DNS lookups through the host specified. The hostname is resolved at the time the RBAC system is enabled.

In this example, netcat is allowed to listen on ports 1024 through 65535 on any local interface for TCP connections. It is also able to connect to TCP port 5190 of the host 22.22.22.22.

This example illustrates how you can have bind disabled but still specify connect rules, or conversely, have connect disabled and only specify bind rules.

As you can see from the examples above, you can have as many socket policies as you wish for a given subject, and, as you will read below, there are some powerful extensions to the socket policies.

Per-interface Socket Policies

Per-interface socket policies are allowed, giving you the ability to tie specific socket rules to a single interface or, using the inverted rules described below, to all but one interface. Virtual interfaces are specified with the ifname:vindex syntax. If an interface is specified, no IP/netmask or host may be given in the rule.

Inverted Socket Policies
Inverted socket policies are allowed, which lets you specify, for example, that a process can connect to anything except port 80 of a particular host with a stream TCP socket. Inverted socket matching also works on bind rules.

PaX Flags

In more recent versions of the RBAC system, PaX flags have been changed from single-letter subject modes to a form that more closely resembles how capabilities are handled within the policy. PaX flags can therefore be fully controlled, on or off, for any given subject by adding +PAX_feature or -PAX_feature within the scope of a subject. For a full listing of the PaX flags available, see PaX Flags.

Flow of Matches

Each process on the system has a role and a subject attached to it. This section describes how a process is matched to a role and subject, and how matches are calculated against the objects and capabilities it uses. Understanding the flow of matches is necessary for manually creating policies.

Role Hierarchy

When determining a role for a process, the RBAC system matches based on the following role hierarchy, from most specific to least specific.

Both user and group roles are permitted to have role_allow_ip attributes. When checking the UID or GID against a user or group role, respectively, the role_allow_ip attributes come into play. Imagine the following policy.

If someone attempted to log in to the machine as user1 from any IP address other than 192.168.1.5, they would not be assigned the user1 role. The matching system would then fall back to trying to find an acceptable group role or, if none could be found, to the default role.

Subject/Object Hierarchy

Hierarchy for subjects and objects involves matching a more specific pathname over a less specific one. So, if a /bin object exists and a /bin/ping object exists, and a process attempts to read /bin/ping, the /bin/ping object is the one that matches. If /bin/su were being accessed instead, then /bin would match.
The path from most specific to least specific pathname is not linear, however, particularly for subjects using policy inheritance. Imagine the following policy.

If /root/test/blah were accessed by /usr/bin/specialbin, it would not be able to write to it. The reason is that, when going from most specific to least specific for a given path (which involves stripping off each trailing path component and attempting a match on the resulting pathname), the matching algorithm looks, at each step, in order from most specific to least specific in each of the subjects the current subject inherits from. In this case, the algorithm saw that no object existed for /root/test/blah in the /usr/bin/specialbin subject, so upon checking the / subject it found a /root/test/blah object there, resulting in read-only permission even though a less specific object in the /usr/bin/specialbin subject would have granted write access.

When going from most specific to least specific, a globbed object such as /home/* is treated as less specific than /home/blah if the requested access is for /home/blah. Globbed objects are matched in the order in which they are listed in the RBAC policy. So, in the following example:

If a process were accessing /home/testing/somefile, it would only be allowed to read it, since the /home/* rule was listed first. The policy writer probably did not intend this behavior, because the /home/test* rule would never match; the /home/test* object should be swapped onto the line the /home/* object is on.

Capability Hierarchy

When determining whether a capability is granted or not, the RBAC system works from the most specific subject to the least specific, in the case of policy inheritance. The first subject along that path that mentions the capability in question is the one that matches. To illustrate:
In this example, /bin/su is able to use only CAP_SETUID and CAP_SETGID. A lookup of CAP_NET_BIND_SERVICE would fall back to the /bin subject, since /bin/su inherits from it and did not explicitly list a rule for CAP_NET_BIND_SERVICE; the /bin subject specifies that CAP_NET_BIND_SERVICE be disallowed. Matching against another capability, CAP_SYS_ADMIN for instance, would end up falling back to the / subject, where it would match -CAP_ALL and be denied.

Policy Recommendations

Try to remove as many capabilities from default subjects as possible. The more you remove, the closer root comes to acting as a regular user. The more capabilities you remove, however, the more subjects you will have to create for programs that need those capabilities. The RBAC system enforces that a minimum set of capabilities be removed from all default subjects.

Use full system learning. It will generate a better policy than you would have written by hand. Make sure you are making full use of the /etc/grsec/learn_config file to specify the files and directories particular to your system that you want protected; gradm will do the heavy lifting of creating privilege boundaries for processes that access or modify important data.

Administrative programs, such as shutdown or reboot, should require authentication instead of giving everyone the capabilities to run them.

Always inspect your kernel logs. The RBAC system provides a great deal of human-readable information in every kernel log entry. Of particular importance is which role and subject were assigned to the process causing an alert. If you think the alert does not match what you expect from your policy, first check that the role and subject actually match; if they do not, you may have a role_allow_ip rule that is preventing the proper role from being applied.

Familiarize yourself with Linux's capabilities and what they cover. A full listing of them is available under Capability Names and Descriptions.
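The lookup order described under Flow of Matches above (objects tried from most to least specific prefix, each subject on the inheritance chain consulted at each prefix, globs in policy order, capabilities decided by the first subject on the chain that mentions them or CAP_ALL), as an added example that is not gradm's code. The embedded policy fragment is constructed for the example and combines the /bin/su, /usr/bin/specialbin and /home/* cases from the text, plus the ping subject from the capability scenarios earlier; the subject paths, the /root object modes and the "o" mode on the ping subject are assumptions. Two further assumptions are noted in the code: "*" matches across "/", as the /home/* example requires, and a capability no subject mentions falls through to the kernel's normal check.

```python
"""Model of the RBAC flow of matches for objects and capabilities.

Added example, not gradm's code. It parses a constructed policy fragment
in the subject/object syntax (subject lines, object lines with a mode
string, +CAP/-CAP lines, and the 'o' subject mode that turns inheritance
off) and implements the lookup order described above: for a requested
path, each prefix from most to least specific is tried, and at each
prefix every subject on the inheritance chain is consulted, most specific
subject first; exact objects win over globbed ones anchored in the same
directory, which are tried in policy order; a capability is decided by the
first subject on the chain that mentions it or CAP_ALL. Assumptions:
'*' matches across '/', as the /home/* example requires, and a missing
capability rule means the kernel's normal check applies.
"""
import fnmatch
import posixpath
from dataclasses import dataclass, field


@dataclass
class Subject:
    path: str
    objects: list = field(default_factory=list)  # (pattern, mode) in policy order
    caps: dict = field(default_factory=dict)     # "CAP_X" -> True (+) / False (-)
    override: bool = False                       # 'o' mode: do not inherit


def parse_policy(text):
    policy, current = {}, None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "subject":
            modes = parts[2] if len(parts) > 2 else ""
            current = policy[parts[1]] = Subject(parts[1], override="o" in modes)
        elif parts[0][0] in "+-":
            current.caps[parts[0][1:]] = parts[0][0] == "+"
        else:
            current.objects.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return policy


def prefixes(path):
    """'/root/test/blah' -> ['/root/test/blah', '/root/test', '/root', '/']"""
    out = [path]
    while path != "/":
        path = posixpath.dirname(path)
        out.append(path)
    return out


def inheritance_chain(policy, binary):
    """Subjects consulted for a process running `binary`, most specific first."""
    chain = []
    for p in prefixes(binary):
        if p in policy:
            chain.append(policy[p])
            if policy[p].override:
                break
    return chain


def lookup_object(policy, binary, requested):
    """Mode string of the object that governs `requested`, or None (no access)."""
    chain = inheritance_chain(policy, binary)
    for prefix in prefixes(requested):
        for subj in chain:
            for pat, mode in subj.objects:
                if pat == prefix:
                    return mode
            for pat, mode in subj.objects:        # globs anchored in this directory
                if "*" in pat and posixpath.dirname(pat) == prefix \
                        and fnmatch.fnmatchcase(requested, pat):
                    return mode
    return None


def capability_allowed(policy, binary, cap):
    for subj in inheritance_chain(policy, binary):
        if cap in subj.caps:
            return subj.caps[cap]
        if "CAP_ALL" in subj.caps:
            return subj.caps["CAP_ALL"]
    return True


# constructed policy combining the /bin/su, /usr/bin/specialbin and /home/* examples
POLICY = parse_policy("""
subject /
    /root/test/blah r
    -CAP_ALL
subject /bin
    -CAP_NET_BIND_SERVICE
subject /bin/su
    +CAP_SETUID
    +CAP_SETGID
subject /usr/bin/specialbin
    /root rw
subject /usr/bin/homeuser
    /home/* r
    /home/test* rw
subject /bin/ping o
    +CAP_NET_RAW
""")
```

Running lookup_object over a policy before loading it is a cheap way to catch the two surprises the text describes: a read-only object in a parent subject overriding a writable object in the child, and a broad glob listed before a narrower one that can then never match.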
Avoid using policy inheritance until you fully understand how it forms the policy for a given subject. Even then, use it sparingly, reserving it generally for cases where a default subject is configured for least privilege, with no readable, writable or executable objects and no capabilities.

Wherever possible, avoid granting both write and execute permission to objects. This gives a potential attacker the ability to execute arbitrary code. Just as PaX prevents arbitrary code execution within a given process address space, one of your goals in creating policies is to prevent it on the file system as well.

Be careful using the suppression ("s") object flag, especially when using it to ignore accesses a program does not really need in order to operate correctly. A change in glibc or another library the subject uses could cause the application to fail in a way that will be difficult to debug unless your first step is to remove the suppression flag.

Sample Policies

Below is the sample policy provided with a gradm installation.

Below is a full user role policy that covers the behavior of cvs-pserver when run as the non-root cvs user, providing anonymous read-only CVS repository access.

Here is all that is needed for an unprivileged sshd account.

Application-specific Settings

This page lists applications that need specific settings to work with grsecurity and PaX. If you wish to add an application to the list, you are most welcome to do so. Please keep the list in alphabetical order and remember to update the table of contents on the front page.

ATI Catalyst (fglrx) graphics driver

When using Xorg and the proprietary ATI Catalyst graphics driver, CONFIG_PAX_USERCOPY must not be set, as PAX_USERCOPY prevents a real overflow from occurring in the ATI driver that is still unfixed. This is in addition to what is shown in the section on Xorg below.

As of 11.8, CONFIG_PAX_MEMORY_UDEREF must also be disabled.

cPanel jailshell
Because cPanel's jailshell needs to mount filesystems (including bind mounts) after chrooting, both chroot_caps (due to needing CAP_SYS_ADMIN) and chroot_deny_mount need to be disabled. To do this, either disable the respective options in your kernel configuration (CONFIG_GRKERNSEC_CHROOT_CAPS and CONFIG_GRKERNSEC_CHROOT_MOUNT) or disable them in an init script if GRKERNSEC_SYSCTL is enabled, using the following commands.

We will be working with cPanel developers to see if the need for this workaround can be avoided in future jailshell versions.

Firefox (or Iceweasel in Debian)

Mozilla Firefox, and possibly all, if not some, of the files in the folder /usr/lib/firefox along with the Firefox binary /usr/lib/firefox/firefox, need mprotect disabled for Flash to function. Without mprotect disabled on the Firefox binary, Firefox enters an infinite loop at startup or takes minutes to load. Without mprotect disabled on the files, any page encountered with Flash will surely run an infinite loop and the Firefox process will have to be killed.

The mprotect option must be disabled for just-in-time compilation of certain scripts for both xulrunner-stub and xulrunner-bin; see the grsecurity forums for more details [3]. The safest option would of course be to deny mprotect and boycott sites that use just-in-time (JIT) Flash scripts. You may disable JIT compilation in the browser by opening the address about:config, searching for "jit" in the page's integrated search bar, and double-clicking the options to set them to false.

Firefox 3.5 may need RANDMMAP disabled; if not, it will enter an infinite loop during startup. To disable it, execute paxctl -r firefox_binary; usually the binary is somewhere under /usr/lib64/firefox. See the linked discussion for more details. As of at least Firefox 13 on Ubuntu-based distros you can enable RANDMMAP.

Google Chrome 15.0.874.106

On Google Chrome, these PaX flags work well on my system with Flash. Chrome's nacl does throw this, however.
GRUB

GRUB uses nested functions and thus needs either PAX_EMUTRAMP enabled in the kernel and EMUTRAMP enabled on the affected binaries, or, if PAX_EMUTRAMP is not enabled in the kernel, MPROTECT disabled on the affected binaries. Depending on the version of GRUB in use, some of the following files may not exist, but you should mark all those that do. To add EMUTRAMP, use the -CE argument to paxctl; to remove MPROTECT, use -Cm.

GUFW/UFW firewalls or Update Manager

GUFW is an optional graphical interface for the Ubuntu firewall UFW, both of which use Python. Update Manager is a GNOME application for updating packages that also depends on Python. For any application that uses Python, try enabling EMUTRAMP for the version of Python that is the dependency of your affected program (GUFW or Update Manager). Example: paxctl -E /usr/bin/python2.7

IOQuake3

ioquake3 requires disabling mprotect restrictions to run correctly.

ISC DHCP Server

NOTE: grsecurity patches released as of May 4th, 2014 do not require the modifications below.

On some systems, after upgrading to a grsecurity-enabled kernel with GRKERNSEC_PROC_USERGROUP enabled, the kernel log may be spammed with the following message.

This may be because unprivileged users do not have access to /proc/net/dev, which dhcpd requires. You can confirm this by running dhcpd -f from the command line, which should display the following error.

To fix this, grep your kernel config for CONFIG_GRKERNSEC_PROC_GID, then add a group for that GID to /etc/group if it does not already exist, and add dhcpd to that group. The added line will look similar to the following.

As the DHCP server is continually attempting to respawn, upon making this change you should find it running properly.

Java

There are problems with an epoll stack trace lookup [4]. There is also a problem with just-in-time compilation: disable mprotect for /usr/lib/jvm/java-6-sun-1.6.0.10/jre/bin/java and /usr/lib/jvm/java-6-sun-1.6.0.10/jre/bin/javaws.

Nagios
Nagios needs to be able to view all processes on the system in order to accurately portray service status and performance statistics. It must therefore be run with the group of the CONFIG_GRKERNSEC_PROC_GID you configured, or as set with the grsec_proc_gid kernel command-line option.

Node.js

Node.js needs to execute arbitrary code at runtime: its JIT writes machine code into memory and then executes it. To permit this, mprotect needs to be disabled. On most systems, this can be accomplished with the following command.

Note: for certain apps like Electron, you will need to disable mprotect for both the electron and nodejs executables.

The suite uses two binaries which need custom settings to work; both need to have unrestricted mprotect [5].

LibreOffice

The same as the above, but /usr/lib/jvm/java-6-openjdk-amd64/jre/bin/java also needs unrestricted mprotect if you use libreoffice-base (Database).

PHP and other applications that set their own resource limits

While Apache/PHP run very well with a grsec/PaX-enabled kernel, you may suspect memory leaks or see strange OOM (out of memory) errors from PHP on a PaX-enabled kernel with the SEGMEXEC flag enabled. There is no memory leak, and the OOM errors are normal, particularly if you did not set high enough resource limits: SEGMEXEC halves the address space available to a process, so a memory limit that was adequate before may no longer be.

Concerning abnormal memory usage with PHP with the SEGMEXEC flag enabled, see spender's answers in the comments.

Xorg

Xorg might need some specific kernel settings during configuration, depending on the hardware and the drivers used. X will not run with non-executable pages (PAX_NOEXEC); the problem manifested especially in XFree86 4. Recent versions of Xorg, however, are known to work with non-executable pages enabled. If you run into problems with X, check your non-executable settings.
Some users experience mouse freezes when the system load is high. Typically the mouse pointer is reset, but stays in the upper left corner of the screen. This behavior was found to occur with certain preemption settings [6] [7]. It seems to be an interaction between forced preemption and KERNEXEC. You should be able to re-enable KERNEXEC as long as you disable preemption or use voluntary preemption.

According to the PaX Team, KERNEXEC should work as is, since the changes should only affect basic functions like open/close. If you experience problems, switch to voluntary or no preemption.

Contacts

Submitting bug reports to the proper developer will help get your bug resolved more quickly. Although the developers of PaX and grsecurity forward bug reports to each other, relying on that may delay the resolution of your problem.

For bugs within grsecurity features, submit bug reports to the grsecurity developers; for bugs within PaX, submit bug reports to the PaX Team.

Bug reports can also be submitted to the grsecurity forums; this is the preferred method. The developers monitor RSS feeds of the forums so that they can respond to bug reports quickly.

If possible, avoid submitting bug reports to the grsecurity mailing list, as it is mainly intended for announcements and other important topics.

Requirements

To reproduce or properly debug the problem you are experiencing, information will be requested of you depending on the type of bug you are reporting. For any large files that are requested, such as the kernel's vmlinux file, please make them available via a website (you can use a free file-uploading service), as they will likely be rejected by the developers' mail servers. Additional information may be requested for debugging purposes, particularly if the developers cannot reproduce the problem, but the minimum requested information is specified below.
For any bug you report, please specify the name of the patch you have applied to the kernel. Please also note that the developers only support the latest test patches, as a bug reported in an older patch may already have been fixed in the latest test patch.

A properly submitted bug report that includes the requested information below up front greatly improves the turnaround time for getting your problem solved.

Compilation Errors

- A copy of your kernel .config

Build/Linking Errors

- A copy of your kernel .config
- Your binutils version (ld --version)

RBAC Problems

- A copy of your kernel .config
- A copy of your policy file
- A listing of the steps performed to produce the problem

Kernel Crashes/Hangs

- A copy of your kernel .config
- Your binutils version (ld --version)
- A copy of your vmlinux file from the kernel source tree
- A copy of your bzImage file from the /boot directory
- A copy of your System.map file from the /boot directory
- The OOPS report, if one exists (take a photo of the screen if you are unable to capture it on disk). Note: we previously required that GRKERNSEC_HIDESYM be disabled for bug reports. This is no longer the case; no recent grsecurity patch requires GRKERNSEC_HIDESYM to be disabled for symbols to be displayed in OOPS messages.
- A description of the machine's hardware, particularly any non-standard hardware
- Information about your virtual machine setup, if applicable (preferred execution mode and kernel paravirtualization)
- Steps required to reproduce the crash, if it does not occur before init starts

role_transitions
Role transitions specify which special roles a given role is allowed to authenticate to. This applies to special roles that do not require password authentication as well. If a user tries to authenticate to a role that is not within his transition table, he receives a permission denied error. A common mistake when creating a new special role is forgetting to create a role_transitions rule for the role that will transition to the special role; the user then mistakes the resulting error for an incorrectly entered password. The role_transitions rule is added below the declaration of a role, but before any subject declaration.

role_allow_ip

This rule restricts the use of a role to a list of IPs. If a user who would normally get the role does not come from one of the specified IPs, the system falls back through its method of determining a role for the user: checking for an applicable group role, then falling back to the default role. This rule can be specified multiple times for a role. Like role_transitions, it should be added below the declaration of a role, but before any subject declaration.

A netmask of 0.0.0.0/32 permits use of the role only by local processes that have not been used by remote clients [8].

role_umask

This rule can, depending on the mode specified, ensure a number of security properties on files under the control of a given user. One use case is to ensure that a user cannot accidentally or intentionally create a file that others can read (a confidentiality issue). Another is to ensure that a user cannot accidentally or intentionally create a file that others can write (an integrity issue). Like the previous role attributes, it should be added below the declaration of a role, but before any subject declaration.

Unlike conventional umasks, the role_umask support in grsecurity's RBAC also restricts the permissions allowed to be set by chmod, fchmod and POSIX ACLs, so the user cannot simply reopen the permissions after the file has been created.

Capability Names and Descriptions

The descriptions below are the kernel's own comments from include/linux/capability.h, grouped by capability.

CAP_SYS_PACCT
- Allow configuration of process accounting

CAP_SYS_ADMIN
- Allow configuration of the secure attention key
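The role hierarchy from the Flow of Matches section and the three role attributes above (role_transitions, role_allow_ip including the 0.0.0.0/32 local-only netmask, and role_umask applied to chmod as well as to file creation), as an added example that is not gradm's code. The policy fragment is constructed for the example; the role names, addresses and umask are assumptions, as is the convention that a purely local process is modelled as coming from 0.0.0.0. The mode letters u, g and s for user, group and special roles, and the default role being named "default", are taken from the policy language described on this page.

```python
"""Model of role selection and the role attributes described above.

Added example, not gradm's code. It parses a constructed policy fragment
in the role syntax (role lines with mode letters, role_allow_ip,
role_transitions, role_umask; subject and object lines are ignored here)
and implements the role hierarchy: a user role is tried first, then a
group role, then the default role, and a user or group role whose
role_allow_ip list does not cover the source address is skipped. A purely
local process is modelled as coming from 0.0.0.0, so that the 0.0.0.0/32
netmask admits only such processes. The mode letters assumed are u (user
role), g (group role) and s (special role), with the default role named
'default'.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Role:
    name: str
    kind: str                                        # "u", "g", "s" or "default"
    allow_ips: list = field(default_factory=list)    # networks; empty = any source
    transitions: set = field(default_factory=set)    # special roles reachable via gradm -a/-p/-n
    umask: Optional[int] = None


def parse_roles(text):
    """Return {(kind, name): Role}; keyed by kind because a user and a group may share a name."""
    roles, current = {}, None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "role":
            modes = parts[2] if len(parts) > 2 else ""
            kind = next((k for k in "ugs" if k in modes), "default")
            current = roles[(kind, parts[1])] = Role(parts[1], kind)
        elif parts[0] == "role_allow_ip":
            current.allow_ips.append(ipaddress.ip_network(parts[1], strict=False))
        elif parts[0] == "role_transitions":
            current.transitions.update(parts[1:])
        elif parts[0] == "role_umask":
            current.umask = int(parts[1], 8)
        # subject/object lines belong to the subject language, not modelled here
    return roles


def select_role(roles, user, group, source_ip="0.0.0.0"):
    """Apply the role hierarchy for a process of `user`:`group` from `source_ip`."""
    ip = ipaddress.ip_address(source_ip)
    for kind, name in (("u", user), ("g", group)):
        role = roles.get((kind, name))
        if role is None:
            continue
        if not role.allow_ips or any(ip in net for net in role.allow_ips):
            return role
    return roles[("default", "default")]    # special roles are never assigned this way


def can_transition(roles, role, special):
    """gradm -a/-p/-n <special> succeeds only if the current role lists it."""
    return ("s", special) in roles and special in role.transitions


def apply_role_umask(role, mode):
    """Bits a create, chmod, fchmod or ACL change may actually set under this role."""
    return mode if role.umask is None else mode & ~role.umask


# constructed policy: one special role, two user roles, a group role and the default
ROLES = parse_roles("""
role admin sA
subject / rvka
/ rwcdmlxi

role user1 u
role_allow_ip 192.168.1.5/32
role_transitions admin
role_umask 077
subject /
/ r

role localonly u
role_allow_ip 0.0.0.0/32

role wheel g
role_transitions admin

role default G
subject /
/ r
""")
```

The kernel log check recommended under Policy Recommendations is exactly select_role run backwards: when an alert names a role you did not expect, feed the process's user, group and source address through this hierarchy and see which role_allow_ip rule knocked the intended role out.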
CAP_SYS_ADMIN (continued)
- Allow administration of the random device
- Allow examination and configuration of disk quotas
- Allow configuring the kernel's syslog (printk behaviour)
- Allow setting the domainname
- Allow setting the hostname
- Allow calling bdflush()
- Allow mount() and umount(), setting up new smb connection
- Allow some autofs root ioctls
- Allow nfsservctl
- Allow VM86_REQUEST_IRQ
- Allow to read/write pci config on alpha
- Allow irix_prctl on mips (setstacksize)
- Allow flushing all cache on m68k (sys_cacheflush)
- Allow removing semaphores
- Used instead of CAP_CHOWN to "chown" IPC message queues, semaphores and shared memory
- Allow locking/unlocking of shared memory segment
- Allow turning swap on/off
- Allow forged pids on socket credentials passing
- Allow setting readahead and flushing buffers on block devices
- Allow setting geometry in floppy driver
- Allow turning DMA on/off in xd driver
- Allow administration of md devices (mostly the above, but some extra ioctls)
- Allow tuning the ide driver
- Allow access to the nvram device
- Allow administration of apm_bios, serial and bttv (TV) device
- Allow manufacturer commands in isdn CAPI support driver
- Allow reading non-standardized portions of pci configuration space
- Allow DDI debug ioctl on sbpcd driver
- Allow setting up serial ports
- Allow sending raw qic-117 commands
- Allow enabling/disabling tagged queuing on SCSI controllers and sending arbitrary SCSI commands
- Allow setting encryption key on loopback filesystem
- Allow setting zone reclaim policy

CAP_SYS_NICE
- Allow raising priority and setting priority on other (different UID) processes
- Allow use of FIFO and round-robin (realtime) scheduling on own processes and setting the scheduling algorithm used by another process
- Allow setting cpu affinity on other processes

CAP_SYS_RESOURCE
- Override resource limits. Set resource limits.
- Override quota limits
- Override reserved space on ext2 filesystem
CAP_SYS_RESOURCE (continued)
- Modify data journaling mode on ext3 filesystem (uses journaling resources). NOTE: ext2 honors fsuid when checking for resource overrides, so you can override using fsuid too
- Override size restrictions on IPC message queues
- Allow more than 64Hz interrupts from the real-time clock
- Override max number of consoles on console allocation
- Override max number of keymaps

CAP_SYS_TIME
- Allow manipulation of system clock
- Allow irix_stime on mips
- Allow setting the real-time clock

System Resources

Introduction

This table lists all system resources that can be restricted by grsecurity. grsecurity supports all the resources Linux supports, but uses slightly different names for them: the RLIMIT_ prefix has been replaced with RES_. For example, the Linux resource RLIMIT_CPU is called RES_CPU in grsecurity.

For detailed information about resources in Linux, see the getrlimit(2) man page.

Syntax and Examples

A single resource rule follows the following syntax.

An example of this syntax would be the following.

This would prevent the process from creating files bigger than 5 kilobytes.

Using "unlimited" is valid for both the soft limit and the hard limit, to denote an unlimited resource. Note that by omitting a resource restriction, the system's default limits are used, as set by PAM or the application itself. If a resource is specified within the policy, those limits override the system's default limits for the given subject.

A number of suffixes are allowed when specifying resource limits. They are described below.

Permissions

On this page you will find documentation regarding permissions to use material written by others before this Wikibook was started.

The Original grsecurity Documentation

The original documentation for grsecurity was written by Brad Spengler, the author of grsecurity. This includes the ACL documentation and the grsecurity Quick-Start Guide (PDF).

Permission to Use the Official Documentation
Below is the correspondence between myself (Meev0 (talk)) and Brad Spengler regarding the use of his works in this Wikibook.

Sent at Mon Apr 20, 2009 5:56 pm: You may publish my answer to the original request and this request too. You may copy/republish any and all parts of the grsecurity documentation. I don't think I put an explicit license on the documentation, but I consider it to be essentially public domain.

Sent at Mon Apr 20, 2009 5:27 pm: Thanks. I'm making a separate page for the book that will include credits, links to the original documents and a copy of your message where you grant this permission. Just so that there is no misunderstanding: 1) May I publish your answer to my original request? 2) In my request I mentioned wanting to copy parts, which is very vague. Basically what's needed IMO is you clearly stating what parts of the grsecurity documentation can be published under the GNU Free Documentation License. I'm not a copyright lawyer, but I think the clearer the situation the better. I'll try to limit the amount of text I need to copy, as I like writing documentation, but most of the technical notes are better left as they are.

Sent at Sat Apr 18, 2009 7:59 pm: Of course, that's fine with me. Thanks again for your work, and hope things get better for you personally.

Sent at Sat Apr 18, 2009 5:41 pm: Hi Brad. I wanted to ask about using the grsecurity QuickStart guides in the Wikibook. As you are the copyright holder of both documents, I need your permission to copy parts from those files. Mainly I would like to copy the ACL documentation, as it would be silly for me to start writing it from scratch. Naturally I would credit you and include a link to the original documents. You can reach me by replying to this PM or by email.

Installing Mandriva 2006 (Linux-Mandrake 11.0) on an IBM Thinkpad A22p
Last updated 2009-10-28.

This is my page dedicated to Mandrake/Mandriva GNU/Linux on an IBM Thinkpad A22p. This version covers Mandrake 11.0 (also known as Mandriva 2006), but there are earlier pages about Mandrake 8.0, 8.1 and 9.1. This information has been drawn from many sources; thanks to all of you. Any feedback on this page would be welcome. Copying is permitted (see below). In addition, this page led to the computing course I wrote for my students, introducing Linux, which is here.

This Thinkpad is actually very Linux-compatible. Although I haven't documented it here, I've run 8.0, 8.1, 8.2, 9.0, 9.1 and 10.2 on it, and Knoppix. Basically, everything works well; therefore, this is partly a quick run through the installer, partly a list of things I think are important/useful to change on a GNU/Linux system, and partly a memo-to-self about my preferences for the next install. I also have a desktop system, so there is a lot of general Mandrake information here. Lastly, I've included some useful scripts, binaries and config files. I have denoted commands and files like this.

It is worth mentioning also Linux on Laptops, Linux on Thinkpads and the mailing list, ThinkWiki, the Linux on Thinkpads webring, and the Knoppix bootable Linux demo/rescue CD. This is also a good place to warn about lm-sensors: do not install it, since it can destroy some Thinkpads. Lastly, don't forget to subscribe to the security announcement mailing list.

This is an IBM A22p, model TA2USUK, with 15" 1600x1200 display, PIII 1 GHz, and CD-RW. The RAM was upgraded from 128 MB to the maximum supported 512 MB; Crucial RAM is cheaper than IBM's and seems fine. 128 MB is rather marginal for intensive use under Linux. Everything works, although I never tested the S-video in/out. The interesting challenges are encryption, trackpoint sensitivity, making suspend work reliably, and the modem driver.
The hardware maintenance manual for the A22p is here. Spare parts can be purchased from IBM's online parts store or from laptopbits. Parts are identified by their FRU (Field Replacement Unit) number; for example, spare trackpoint caps are 84G6536. I also purchased a Port Replicator (10 on eBay), which is extremely useful: it saves frequently plugging/unplugging many cables, and it acts as a stand to tilt the keyboard. Everything works, except the DVI connector. Lastly, the ugly "Designed for Windows 98" sticker was removed, and the top of the lid adorned with a 40mm-high Tux.

Download the ISOs (yes, I joined MandrivaClub). Burn to CD using cdrecord. Test using dd if=/dev/cdrom | md5sum. You can also buy the CDs cheaply, from The Linux Emporium for example. Sometimes a perfectly good CD will not verify correctly because of padding. I downloaded the set of 6 CDs available as Mandrake Club Silver Edition; however, if you download just the 3 free GPL CDs, then add all the urpmi sources and install the non-free packages (java, realplayer, flash, acroread), you will end up with the same result.

Read the release notes and the Errata.

Back up everything, especially /home (including hidden files within /home), onto an external disk or over the network (rsync via ssh). Check it using diff -r. It's also worth keeping the old /etc. If there is anything useful in /var, remember to keep that too, e.g. Postgres databases, html, logfiles, crontab, mailspool. If the IP address is static, write it down along with the other network settings. This is true for updates as well as fresh installs.

Power off; take a deep breath; get coffee.

In the BIOS, make sure that all the devices are configured to be enabled, and that the hardware clock is set to GMT. Set the boot order to CD-ROM, then HDD. Set the HDD password but not the power-on password. Set the lid-close button to be inactive, not to suspend; this prevents a race condition.
Have a copy of Knoppix handy, and also note that the Installer Disk 1 is a recovery CD, especially useful if you destroy the bootloader.

Plan: Encryption and security

Please note, I am not an authority on this, and I am only documenting what I did. Corrections would be welcome.

Consider: how important is security here? Given that it is a laptop, it might well be stolen, and in this case, the data would be compromised. Is encryption useful? Is it worth the performance penalty and hassle? I decided to do the following; however, you may decide otherwise. Here is a helpful threat model:

The worst thing, of course, is a false sense of security. Nothing is guaranteed to be safe. Security means adding several layers which make it more difficult to attack. The more layers you add, the more inconvenience you'll get, until it actually stops you from getting any work done. You have to find the right balance, looking at how important your data is, how much effort and resources your attacker will or can put into getting at the data, and how much inconvenience you're comfortable with in taking measures against a possible attack.

I set the Hard Disk password in the BIOS. This is fairly impenetrable (IBM certainly won't get it back for you), but it is probably circumventable by a talented data thief. Don't forget it! It also means that the laptop cannot boot up unattended. I didn't set a BIOS password, since the HDD password is sufficient, and stronger than the BIOS password anyway. From the Linux-thinkpad mailing list:

The Hard Disk password is pretty secure. The protection is provided by the drive itself: one needs to disassemble the drive, separate the drive platters from its internal IDE controller and replace this controller to get to the data.
One important thing to know about Thinkpads is that if you also set a power-on password in the BIOS, the hard drive password gets copied to an EPROM on the motherboard. As a consequence, not setting a power-on password and only a hard drive password decreases the risk of an attacker getting to the data.

Most systems, given an attacker with physical access, can be booted up, either using Knoppix, or by pressing Escape while Lilo is starting, and then typing linux single. So the login password alone is no protection at all. Even if CD-ROM boot is prevented by a BIOS password, and Lilo single-user boot is disabled, the hard disk can still be read by placing it in another machine.

Encrypt /home, since it contains my data.

Encrypt /var, since it contains all sorts of things (logs, postgres database, etc).

Encrypt swap, because anything could end up there, and in the clear. Swap is the easiest to encrypt, and most transparent, so I'd recommend encrypting that, even if nothing else.

Not encrypted: the root directory, because it's all open source anyway. Furthermore, this is quite a complex operation, especially if trying to install there. And the performance hit would be most significant if the applications were encrypted. Yes, there is a little information which could leak out via /etc, but for me, this isn't important; besides which, my email address is written on the bottom of the laptop.

Not encrypted: /boot, because this would be impossible. If worried about a trojaned kernel being installed here, boot only off a USB key, and keep the key in your sight at all times.
I decided to use losetup rather than dm-crypt, since losetup is more established, and at least partially supported by a (broken) Mandrake script. dm-crypt might actually work OK with Mandriva 2006, but it certainly didn't when I originally set this up under 10.2.

Using losetup means that suspend-to-disk is dangerous, since the RAM will be in clear on the disk. But I only ever want suspend-to-RAM anyway. dm-crypt would allow cryptographic suspend-to-disk. Also, newer versions of suspend2 have native encryption support via the crypto API of the Linux kernel, but Mandriva doesn't seem to use suspend2.

Firewire can be dangerous: IEEE1394 devices can, by design, snoop on the host's memory. This is useful for debugging, but can be considered harmful. The laptop has no inbuilt 1394 device, but a PCMCIA card would be helpfully hotplugged by Mandrake, so prevent the modules from loading.

The implication of the setup which I have chosen is that:

When the system is switched off, if someone tries to access the hard disk, we are protected by encryption.

When the system has booted up, all the encrypted partitions are mounted. We are now protected by the kernel, the login program, file permissions, and a strong password.

When the system is left running, but unattended, xscreensaver is used to lock the display. We are now protected by xscreensaver (and sshd, if on a network).

Obviously, choose a strong password and passphrases. Also, there are some useful articles on data hygiene published by The Register, on internet anonymity and data security.

Here are some other encryption resources which may be of interest. Note that losetup is older than dm-crypt.

Loopback AES Readme.
Linux device-mapper cryptography: dm-crypt, and the dm-crypt wiki.
How to encrypt the entire hard disk.
Linux Journal article, Implementing Encrypted Home Directories (slightly old, not referring to dm-crypt).
Disk and email encryption in Linux: covers OpenPGP and Mandrake 9.1.
Encrypting the whole disk using Gentoo and losetup. Not really relevant here.
Cryptoloop howto: mounting an encrypted file instead of a partition.
EncFS: doing everything in userspace. Uses Fuse. Easier, but less efficient.
GPG: encrypting one file at a time. Useful for emails.
StegFS: plausible deniability by having multiple layers of encryption.
Other attacks include listening to the sound of the keyboard, listening to the sound of the CPU, and sampling diffuse visible light from the monitor.
Tom's Hardware intro to LUKS.

Other considerations

Can the encrypted home partition be locked without unmounting it? E.g. before invoking the screensaver, or suspending, somehow forget the key, without first having to close all the applications and unmount /home. I can't see why this shouldn't be possible, but it would appear to need a kernel modification.

Can we trust the login program? Yes, probably, provided the password is good enough. Thus, when the system is running, we are protected by the passwords. The encryption protects against someone with physical access to the machine, who can remove the hard disk or use a bootable CD.

Can we trust xscreensaver to do the locking? Yes, probably, provided that the password is sufficiently strong, and that there are no root logins on the virtual consoles, which xscreensaver cannot protect. Xscreensaver uses PAM, so it is as good as login. Disabling Ctrl-Alt-Backspace would be a good idea. If there were some way to crash X or xscreensaver without logging out, this would leave /home exposed.

What about the daemons? Could sshd or apache compromise things? Make sure that permissions are not world-readable. What about ~/public_html? Obviously, we need to run a fully up-to-date system, with no known local-root exploits.
What about the risk of a dictionary attack on /etc/shadow? Obviously, I use a password which is not a dictionary word. But a really sophisticated attacker could perhaps surreptitiously borrow the unattended laptop, copy /etc, run some crack against /etc/shadow, return the laptop, wait for me to log in, then steal it. A possible improvement is adapting your PAM configuration to replace the standard unix authentication with "use your ssh passphrase to log in" or "use a usb-stick to log in". But obviously, losing a usb-stick is very easily done.

Can we use PAM to automate any of this, to reduce the number of times the passphrase needs to be typed? Is there any reason why the root password, my user password, and the SSH passphrase should be different?

Can the SysRq key do anything bad? It appears not, according to the documentation.

We are still vulnerable to: a brute-force attack with sufficient computing power; theft of the laptop while unlocked; or theft while locked, but powered on, with sufficiently clever electronic probing of the motherboard (or via firewire).

Newer Thinkpads, with biometric fingerprint sensors, should not rely on these. The sensors do not reliably discriminate between users, and are very easy to fool. Furthermore, one's fingerprints can easily be retrieved from the laptop.

If any of this is wrong, please tell me.

If you want to have an encrypted system, first initialise the HDD by filling it up with random data. This will destroy any previous information there, so be warned. Either boot Knoppix, or run this from the current system: dd if=/dev/urandom of=/dev/hda bs=1M. This will take about 5 hours for a 32GB disk. /dev/random is better cryptographically, but would take a year.

Now, the install itself. This went fine, with no problems, so just a quick summary.

The new Mandrake installer is very slick, and just works (expert mode has gone away). There is a very useful rescue mode on the first CD, in case you mess up the system.
It did prompt me to upgrade from 9.1, which would probably have worked fine. However, I decided to do a full reinstall, and re-partition.

Accept licence. Read release notes. British English; UK keyboard.

Security: high (don't choose paranoid; you can make your system almost unusable). Security admin: rjn (this is the person who gets the email from msec etc).

Mouse: any PS/2 or USB (the default).

Partitions: if you are not using encryption (or just encrypting swap), I would recommend something simple.

Package Selection: it is usually easier to install a small system, then add urpmi sources, and select more packages once it is done. So I just accepted the default groups. NOTE: DO NOT install lm_sensors; it can destroy some Thinkpads. Mandrake do not include it by default, and lm_sensors should now safely exit before damaging vulnerable machines, but it's worth making sure. This also means avoiding glms and ksensors, and not running sensors-detect.

Define a root password, and a user rjn with password.

Put the Lilo bootloader on the MBR (Master Boot Record).

At Summary, I went through all the config options.

Timezone: London, Hardware Clock GMT, Use NTP.

Printers: configure after install.

GUI: Generic Flat Panel Display, 1600x1200, Rage 128 Mobility, Xorg 6.8.2 with hardware acceleration, 16 bits per pixel. Note: it is necessary to choose 16 bits per pixel, and not 24 bpp, in order to have hardware acceleration working (glxgears gives 787 FPS at 16 bit, but only 158 FPS at 24 bit).

Network: LAN. Set eth0 to DHCP. Do NOT assign the host name from the DHCP address. Do not set the DHCP hostname. Choose start at boot. Get DNS servers from DHCP. Zeroconf hostname blank. Note: unlike earlier versions, 10.2 will background the DHCP request to allow boot to proceed faster; however, you can also set a timeout.

Firewall: off, all but SSH and ping.
Bootloader: 5 second delay. Clean /tmp at boot. No need to specify the precise RAM size. ACPI is now supported, so allow it (previously, I used APM). Add splash=verbose panic=60 to the bootloader options: these respectively make bootsplash verbose (so that the boot messages are visible) and reboot after a kernel panic rather than hang.

Services: deactivated many of these. In particular, unless you need them, deactivate anything to do with NFS (netfs, nfslock, portmap) and Zeroconf (mdadm, mDNSResponder, nifd). Here is what I am running on my laptop. Note that some of these choices may not suit everyone: I don't have a printer on the laptop (no cups); I do web development, and I have internet connection sharing enabled for use when travelling (dhcpd, squid, named); ACPI is now supported, although APM works too; I have no bluetooth hardware, and I never change the ultrabay; irda causes crashes, and anacron causes the disk to thrash (rpmv, msec) for 20 minutes.

These are running: alsa, acpi, acpid, atd, cpufreq, crond, dhcpd, dm, haldaemon, harddrake, hotplug, keytable, kheader, messagebus, named, network, ntpd, partmon, pcmcia, postfix, postgresql, shorewall, smartd, sound, squid, sshd, syslog, udev, xfs.

These are not running: anacron, apmd, apmiser, bluetooth, cups, cpufreq, cpufreqd, dund, hidd, iptables, irda, laptop-mode, mDNSResponder, mdadm, netfs, netplugd, nfslock, nifd, oki4daemon, pand, pcscd, rawdevices, ultrabayd, vncserver.

Post Installation

The system booted straight up; all seems well. Nevertheless, there is a lot left to do. This being Linux, there is a huge amount that can be configured. In particular, before trying to do any further setup, I'd recommend configuring sudo and urpmi, and then installing bash-completion.

1. Quick tests

Some quick tests to check status:

Check hard disk performance. Is DMA enabled (it should be)? hdparm -d /dev/hda. Test the data rate: hdparm -tT /dev/hda (I get 287 MB/s and 19 MB/s respectively).

Check memory status: free -m (more info).
Check disk space: df -h. Check what is mounted where: mount.

Is swap enabled? swapon -s.

Check which kernel is running: uname -a.

Check 3D acceleration: glxgears (I get 787 FPS).

Check which processes are running: top; ps aux | less; chkconfig --list; service --status-all.

Check the network: ifconfig -a.

Check for system error messages: dmesg, /var/log/messages, /var/log/kernel.

2. Configuring lilo

The available kernel parameters are listed in the documentation. I use the following:

splash=verbose, so that the boot-up messages are visible. Mandrake defaults to hiding them with splash=silent. The old way (just text) is splash=none.

panic=60, so that, if there is a crash, the system will try to reboot after 60 seconds. Useful if unattended. We could also install the watchdog.

acpi=off: this would be used if we want APM rather than ACPI. To have ACPI, no entry is required.

inotify, so that inotify is enabled, which allows KDE's volume manager to detect changed media, e.g. CDROMs or USB keys.

vga=794, so that the console uses a much higher resolution, which makes it far more pleasant. To see which modes are possible, run hwinfo --framebuffer, then convert the result using this table.

Thus, a typical stanza might look like the following.

For faster bootup, reduce the value of timeout from 50 to 30. Then, remember to run /sbin/lilo so the changes take effect.

3. Configuring module loading

Add the following so that these modules are automatically loaded on bootup.

The pcspkr module provides the ability to have the PC-speaker system bell (e.g. Ctrl-G at a console, or gnubeep). See this bug. The e100 module is loaded here to force it to be loaded instead of eepro100, and before pcmcia starts (see the network section for why).

Configuring sudo

This is to save having to type the password each time I, the only user of this laptop, wish to become root. Add the rjn line to /etc/sudoers under the currently existing root line (where rjn is your login name).

alias sud='sudo su'. So, you can now become root by simply typing sud. More information here.
Note: sudo su does not usually set up X authentication, so if you then try to run a GUI application (e.g. xclock), it fails with the error message "Xlib: connection to ":0.0" refused by server". The solutions are any of:

Permit the root user to access your normal X session: run, as yourself, xhost +local:root.

Invoke the GUI application directly: sudo xclock.

Use the sux wrapper script instead of su, to transfer the X credentials.

Configuring urpmi sources

1. Introduction

Urpmi (user RPM install) is the Mandriva package manager. It is a delight to use: once configured, simply urpmi PACKAGENAME and it will download and install it for you. However, first you must set up some software sources (urpmi media). Virtually every package that you will ever need is available via an urpmi source, and it is important to choose the correct sources. Also, you should never bypass or force RPM. When installing from source, I recommend using checkinstall, so that RPM is always correctly aware of the system status. There is a graphical interface to urpmi, which is rpmdrake.

For more urpmi information, see the Advanced uses of Urpmi section.

2. Systems and Sources

There are 3 possible systems (do not mix and match). These are:

Official: this is the stable release. Recommended for servers.

Devel (Community): this is the slightly more bugfixed and updated system, and is required by some PLF packages. Recommended for desktops.

Cooker: bleeding edge, and usually broken. Recommended only for Mandriva developers.

Official vs Community: PLF only support the Community branch of Mandriva, which is actually a living version of the official branch, with all updates merged instead of being distributed separately. Moreover, some limited backports are provided, whereas official is absolutely frozen. Using PLF packages with official will often work, but not always.

To set up the urpmi sources, it is possible to use urpmi.addmedia, but it is probably easier to visit Easy Urpmi or the Mandriva Club Mirror Finder.
Firstly, remove the sources corresponding to the install discs: urpmi.removemedia -a. Then, set up the following sources via EasyUrpmi:

Main: the 3-6 CDs you download. The core distribution.

Contrib: packages built by other volunteers; over 2GB of useful stuff, but not officially in the main distribution.

PLF (Penguin Liberation Front): packages that might cause legal headaches in some countries, mainly multimedia. PLF is split into plf-free and plf-nonfree. Note: PLF is designed to work with Community, not Official.

Updates: updated packages fixing bugs and security problems. Only official has an updates source; for devel or cooker, updates are subsumed into the other media.

If you are a member of the Mandriva Club, you may also wish to add the Club media. I would recommend removing the club media after you have downloaded the desired packages. Remember: log into MandrivaClub first, and make sure to replace PASSWORD with the actual value. There are:

Club Open Source packages: updated packages available to MandrakeClub members. You may wish to pick and choose these rather than adding the urpmi source; if so, browse the mirror with lftp.

Club Commercial: non-free, binary packages such as Java and Flash. These are available as RPMs from MandrivaClub; if you prefer, you can download these directly from Sun, Macromedia etc.

You may also wish to add the cooker backports source provided by the excellent Hawkwind at SeerofSouls:

2006 RPMS: updates for many and various packages, built for Mandriva 2006.

KDE 3.5 RPMS: packages for KDE 3.5.

3. Applying updates and adding packages

Now, apply the updates from the updates source, using urpmi --auto-select. Also, install the latest kernel from the updates source, using urpmi kernel-i686-up-4GB-2.6.12.12mdk, and then remember to edit /etc/lilo.conf and run lilo.
Now, if desired, you can add any other package. I'd recommend adding the following: gnome-alsamixer, anacron, abiword, antiword, bash-completion, catdoc, checkinstall, dos2unix, faces-penguin, gscanbus, lyx, nc, nano, sane, openssh-clients, unix2dos, mandrivadoc-en, shorewall, units, xfig, X11R6-Contrib.

4. My Urpmi Configuration

Hopefully, that isn't too confusing. By way of example, these are the urpmi sources I am using:

main (community)

contrib (community)

plf-free and plf-nonfree, and mandrake non-free 2006.0

mandrivaclub (only temporarily configured, to download Java, Flash and OpenOffice2, then removed)

Configuring bash

The Bash shell is extremely versatile, and can be customised by editing its startup files.

Bash completion (sophisticated tab-completion)

Tab completion is wonderful, and installing the bash-completion package is incredibly useful: it makes tab-completion far more pervasive. For example, it will complete on urpmi packagename, killall processname and ssh hostname, and it will suggest completions in KDE's run command dialog (Alt-F2). Under Mandriva 2006, the installation of bash-completion has changed, and if you are already an existing user on the system, it won't just work. These are the steps:

urpmi bash-completion.

Source /etc/bash_completion in your shell startup file.

Edit the file /etc/sysconfig/bash_completion.

To test if it is working, create a file and directory with similar prefixes: touch testfile; mkdir testdir. Then type cd test followed by TAB. If bash-completion is installed, it will know that cd can only apply to a directory, and will complete the command to cd testdir. Otherwise, it will print both options.

Lastly, bash-completion will occasionally refuse to complete a command which you know is valid. Use Alt-/ to force filename completion.

Optimising tab-completion

Most other distributions which I have tried have tab-completion configured far less than optimally. This usually manifests itself as the question "how do I disable the system bell?"
In all distributions, if the word is unambiguous, pressing Tab once will complete it.

In Mandrake, if the word is ambiguous, pressing Tab once will print a list of options, with no beep.

In most other distributions, if the word is ambiguous, pressing Tab once will just beep at you. You have to press Tab twice to get the completion options. This rapidly gets irritating, and causes lots of beeping.

The secret: edit either /etc/inputrc or ~/.inputrc and add these lines. Then, the beeps become useful, and much rarer.

More Bash tips

Typing help will give a guide to the bash builtins. info bash or man bash are extremely useful (reading the man page in konqueror, via man:bash, is easier).

Here is a useful reference: the Advanced Bash Scripting Guide. Also, a list of special characters and string functions.

Mandrake defines a lot of helpful aliases, such as cd and s. Type alias to list them.

Keyboard shortcuts in bash (readline) are described in info bash, under Command Line Editing, or in man readline. There are very many; here are some of the most useful:

Ctrl-L: clear the screen, except for the current line.

Ctrl-R: reverse-search through the history.

Single-quoted phrases in bash are literal. Within single quotes, you may never use another single quote, not even with a preceding backslash. See QUOTING in the bash manpage.

Double-quoted phrases in bash treat $, backtick and backslash specially. Double-quoted double quotes may be escaped as \". Beware of ! within interactive shells: echo "Oops!" will cause an error.

Concatenation is allowed: TEXT='What'"'s your name?\n"'My name is Richard'; echo -e "$TEXT".

Without quoting, filename globbing takes place, and the characters * ? [ ] have special meanings (see PATTERN MATCHING in the manpage).
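The globbing and IFS behaviour discussed in this section, as an added example that is not part of the original page. It is written in portable POSIX sh rather than relying on bash's shopt -s nullglob: the loop that counts matches is the one from the text, with and without a guard against the unmatched literal pattern, and split_fields shows what changing IFS does to word splitting. The file names ZZZa, ZZZb and the comma delimiter are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original page: the globbing and IFS behaviour
# described in this section, in portable POSIX sh (bash's shopt -s nullglob is
# the other fix; the -e test below works in any sh).

# naive_count PREFIX: the loop as written in the text. With no match, the
# pattern is left as a literal word, so the loop runs once and reports 1.
naive_count() {
    i=0
    for f in "$1"*; do
        i=$((i + 1))
    done
    echo "$i"
}

# count_matches PREFIX: the same loop, but an unmatched literal pattern is
# skipped because no file of that name exists. Reports 0 when nothing matches.
count_matches() {
    i=0
    for f in "$1"*; do
        [ -e "$f" ] || continue
        i=$((i + 1))
    done
    echo "$i"
}

# split_fields DELIM STRING: tokenise STRING with DELIM as the only field
# separator (the IFS point above) and print the first two fields joined by "|".
# $2 is deliberately unquoted: word splitting on IFS is what we want here.
split_fields() {
    saved_ifs=$IFS
    IFS=$1
    set -- $2
    IFS=$saved_ifs
    echo "$1|$2"
}

# Demo in a scratch directory, so no real files are touched (constructed names).
scratch=$(mktemp -d)
( cd "$scratch" && touch ZZZa ZZZb
  echo "ZZZ* matches: $(count_matches ZZZ) (naive loop says $(naive_count ZZZ))"
  echo "QQQ* matches: $(count_matches QQQ) (naive loop says $(naive_count QQQ))" )
echo "space split: $(split_fields ' ' 'first second third')"
echo "comma split: $(split_fields , 'first second,third')"
rm -r "$scratch"
```

The -e guard is the portable equivalent of nullglob for this purpose: a literal "QQQ*" is only kept if a file of exactly that name exists. split_fields restores IFS afterwards, which matters in a longer script because a changed IFS silently alters every later unquoted expansion.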
Globbing is the process by which special characters are expanded to match filenames. For example, ls with a glob pattern lists all files matching that pattern, e.g. all files ending in a given suffix. But consider what happens when there are no matches. By default, bash falls back to a literal; shopt -s failglob makes it throw an error; shopt -s nullglob makes it result in the empty string. All choices are problematic; consider:

i=0; for file in ZZZ*; do let i++; done; echo "There are $i files matching", when there are no relevant files. Without failglob or nullglob, this will give the answer 1 when it should be zero. nullglob is best.

ls ZZZ*. The default (neither nullglob nor failglob) results in "ls: ZZZ*: No such file or directory". However, with nullglob, it becomes just ls, listing the entire directory.

IFS is the input field separator. By default, it is space, tab, newline. Any of these characters are treated as delimiters when tokenising input. For example, set $(echo first second); echo "\$1 is $1 and \$2 is $2" results in "$1 is first and $2 is second", whereas with IFS set to a different delimiter, and that delimiter placed between "first second" and "third", the same commands result in "$1 is first second and $2 is third".

Some customisations in ~/.bashrc make it very much more useful. Here are some of the things I have added.

Here are some snippets from root's ~/.bashrc. In particular, the root prompt is in red, and the konsole tab has a # in it.

Setting Up Encryption

Now that we have a system installed, it is time to encrypt it. It is possible to encrypt partitions on-the-fly, and it is maybe even possible to install to an encrypted disk. But the following is the easy (well, easiest) way.

Note that you aren't really supposed to put a journalled file system on a loopback device: you may need to use reiserfsck --rebuild-tree if you are unlucky.

1. Encrypt Swap
Encrypted swap is the easiest thing to set up, and potentially the most useful: since you never know what gets swapped out, you can never be sure what is on the swap file. Try reading it using cat /dev/swap-partition | strings, and you may be surprised. If you have lots of RAM, you might consider disabling swap altogether. Even better, encrypted swap is all automatic, and you never need to set a password. It adds no significant overhead to the system. See man swapon for more details.

Check that the loopback device is enabled.

In 2006.0, I find that there is an error message at bootup: "Activating swap: unable to open device /dev/loop0". This arises because the symlink /dev/loop0 -> /dev/loop/0 doesn't get created fast enough. It's OK on faster machines. Also, when rebooting after a kernel panic, the loopback device itself doesn't get created, and we need to encourage udev a bit.

The cure is to modify the init script to include the 2nd paragraph below.

If you wish to undo the encrypted swap (e.g. to use suspend-to-disk), you will have to re-create a normal swap partition with mkswap: mkswap /dev/hda6.

2. Encrypt other partitions (spare, home and var) using losetup

This is the easier way to do it on Mandrake, since the init scripts sort-of understand it. Here is how it works: losetup creates an encrypted loopback device, such that /dev/loopX is unencrypted (and can have a filesystem mounted on it), but connects to a matching hard disk partition /dev/hdaX which is encrypted. The first time, losetup will require a passphrase (I use at least 30 characters, and have all 3 partitions with the same passphrase). The mount options in /etc/fstab are loop (use a loopback device), encryption=aes256 (type of encryption) and encrypted (used by the init scripts to know that it is encrypted). When mounting, if you get an error about a bad superblock, it means you used the wrong passphrase. It is possible to encrypt a partition leaving the data in place, but it is easier to back it up. The partition should be prepared by filling it up with random noise.
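A numeric check for the "filled with random noise" preparation step above (and for the "cat /dev/hda9 | strings" test in the conclusions later on), as an added example that is not part of the original page. It estimates the Shannon entropy of a sample read from a partition or file: a partition freshly written from /dev/urandom, or holding ciphertext, reads close to 8 bits per byte, whereas an unprepared partition of zeros reads 0 and a plaintext filesystem sits well below that. The 7.9 bits/byte threshold in looks_random and the 64 KiB sample size are this example's choices, not figures from the page; the demo files are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): estimate the Shannon entropy, in
# bits per byte, of the first few KiB of a partition or file. The page's own
# check is to eyeball "cat /dev/hda9 | strings"; this gives a number instead.

# entropy_bits PATH KIB
# Print the entropy (two decimals) of the first KIB kibibytes of PATH.
# Run as root against a device such as /dev/hda9; any regular file works too.
entropy_bits() {
    dd if="$1" bs=1024 count="$2" 2>/dev/null \
      | od -An -v -tu1 \
      | tr -s ' ' '\n' \
      | awk 'NF { n++; c[$1]++ }
             END {
                 h = 0
                 for (b in c) { p = c[b] / n; h -= p * log(p) / log(2) }
                 printf "%.2f\n", h
             }'
}

# looks_random PATH KIB
# Print "random" when the sample is at or above 7.9 bits/byte (what a properly
# random-filled or encrypted partition should show), otherwise "structured".
# The 7.9 threshold is this example's assumption, not a figure from the page.
looks_random() {
    awk -v h="$(entropy_bits "$1" "$2")" \
        'BEGIN { printf "%s\n", (h >= 7.9 ? "random" : "structured") }'
}

# Demo on constructed files: 64 KiB of zeros and 64 KiB from /dev/urandom,
# standing in for an unprepared partition and a random-filled one.
zeros=$(mktemp); rnd=$(mktemp)
dd if=/dev/zero of="$zeros" bs=1024 count=64 2>/dev/null
dd if=/dev/urandom of="$rnd" bs=1024 count=64 2>/dev/null
echo "zeros:  $(entropy_bits "$zeros" 64) bits/byte ($(looks_random "$zeros" 64))"
echo "random: $(entropy_bits "$rnd" 64) bits/byte ($(looks_random "$rnd" 64))"
rm -f "$zeros" "$rnd"
```

Sampling only the start of the device is enough to catch a partition that was never overwritten (it will still hold zeros or the old filesystem's superblock); to check the whole partition, raise the KIB argument, bearing in mind that od on gigabytes of data is slow.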
2.1. Encrypt partition /dev/hda8, mounted as /spare. Remove the backup directory afterwards.

2.4. Make sure that the partitions will mount at bootup

So far, so good. We've done the hard part, BUT there will be problems when we reboot. When we boot, we want to always mount the encrypted partitions. However, the init script will give only one chance to mount, and if you mistype the passphrase, it will just skip it. This will cause serious difficulties, since the system cannot properly boot without /var, and you cannot start KDE without /home.

Edit /etc/sysconfig/autofsck and change the line to AUTOFSCK_CRYPTO_TIMEOUT=600. This should mean that, instead of timing out after 15 seconds, the computer will wait 10 minutes for a user to enter a passphrase before it continues to boot. However, this setting only applies in the case where the filesystem is unclean, and the normal setting is hardcoded in the init script.

Back up the init script with cp. Now, edit it:

2.4.1. Fix the timeout for mounting encrypted filesystems on boot-up. It should wait a long time. Edit the line just above the comment "Mounting Encrypted filesystem" and change the timeout to 600. The correct line reads: [ -z "$AUTOFSCK_CRYPTO_TIMEOUT" ] && AUTOFSCK_CRYPTO_TIMEOUT=600.

2.4.2. Fix it so that, if you get the passphrase wrong, it asks you again and again (10 times). Edit the section which begins "Mounting Encrypted filesystem". Replace this part of the script:

2.4.3. Fix the section beginning with "Check loopback filesystems" so that it doesn't check filesystems which are both loopback AND encrypted. It should read:

2.4.4. Side effect: service udev status is untruthful. udev is started very early by the init script, before /var is mounted; service udev start tries to save the status by touching /var/lock/subsys/udev. This failure is harmless, but it will mean that service udev status wrongly claims that udev is stopped when it isn't. To check the truth, use pgrep udevd instead. If desired, add this to the script immediately after mounting /var, in section 2.4.2 above.

3. Other considerations
Set the hard disk password in the BIOS (see above).

Firewire modules could be harmful. Prevent them from being loaded: run /bin/true instead of installing the module, by adding install lines for them to the modprobe configuration.

4. Conclusions

This now works. Test it by comparing the result of cat /dev/hda9 | strings with what you would usually see. It is gobbledegook.

Don't use diskdrake to set up encryption: it won't work, and it won't allow you to encrypt /var anyway.

As a consequence of /var being on a separate partition, and the need not to waste disk space, postgresql may need to live in /home rather than /var/lib/pgsql.

Remember to lock the screen if you use a screensaver.

See the note below on suspend to RAM.

Keep a copy of your new init script, because if you upgrade or update with urpmi, it will be overwritten by the defaults. In order to prevent this occurring, add the following to the urpmi configuration.

5. An aside on dm-crypt (cryptsetup)

Actually, dm-crypt is the most promising way, but it involves too much fighting with Mandrake's init scripts. Also, diskdrake doesn't understand it, and I would guess that drakupdate_fstab won't either. There is no need to use it (loop-AES is fine), but since I attempted it, here are some brief notes.

It works, but it won't work on reboot yet.

To make it automatically mount on reboot, we need to get the cryptdisks init script. Download it from here, save it in /etc/init.d with mode 700, and comment out the line which reads set -x. Then ln -s /usr/bin/cryptsetup /sbin/cryptsetup, since the Mandrake package puts cryptsetup in /usr/bin and the script expects it in /sbin.

Save a copy of the init script, then edit it. Just after the line service udev start, put the following.

This will work, provided that we fix the cryptdisks script so that it keeps prompting for a passphrase if the wrong one is entered. It might be possible to make udev do this. However, cryptsetup create returns 0 whether or not it succeeded. This makes it hard to distinguish success from failure in a script.
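The retry behaviour that section 2.4.2 describes for the losetup init script (ask for the passphrase again, up to 10 times) and that the paragraph above wants from the cryptdisks script, as an added example that is not the page's own init-script patch. It is a small POSIX sh loop around any mount-like command; fake_mount is a constructed stand-in for mount, so the loop can be run without a loop device or passphrase, and the counts it records are what the demo checks. The loop depends on the wrapped command's exit status, which is exactly the problem the text notes with cryptsetup create: for dm-crypt the command to retry would have to be the subsequent mount of the mapped device, not the create itself.

```shell
#!/bin/sh
# Added example (not the page's own init-script patch): a retry loop for
# mounting an encrypted filesystem at boot, the behaviour section 2.4.2
# describes (ask for the passphrase again, up to 10 times).

# mount_with_retries MAX CMD [ARGS...]
# Run CMD until it exits 0 or MAX attempts are used up.
# Returns 0 on success, 1 when every attempt failed. Relies on CMD's exit
# status, so CMD must really report failure: mount does (bad passphrase gives
# a bad superblock), whereas "cryptsetup create" returns 0 either way.
# Real use at boot would be, for example: mount_with_retries 10 mount /home
mount_with_retries() {
    max=$1
    shift
    n=1
    while [ "$n" -le "$max" ]; do
        if "$@"; then
            return 0
        fi
        echo "attempt $n of $max failed; asking again" >&2
        n=$((n + 1))
    done
    return 1
}

# fake_mount STATEFILE SUCCEED_ON
# Constructed stand-in for the real mount command: it fails until it has been
# called SUCCEED_ON times, simulating a passphrase mistyped SUCCEED_ON-1 times.
fake_mount() {
    c=0
    if [ -f "$1" ]; then
        c=$(cat "$1")
    fi
    c=$((c + 1))
    echo "$c" > "$1"
    [ "$c" -ge "$2" ]
}

# attempts_made STATEFILE: how many times fake_mount has been called.
attempts_made() {
    if [ -f "$1" ]; then cat "$1"; else echo 0; fi
}

# Demo: succeed on the 3rd try with a budget of 10, as in section 2.4.2.
state=$(mktemp)
rm -f "$state"
if mount_with_retries 10 fake_mount "$state" 3; then
    echo "mounted after $(attempts_made "$state") attempts"
else
    echo "gave up"
fi
rm -f "$state"
```

Because the loop only ever looks at the exit status, it gives the user a bounded number of chances and then lets boot continue, which is the failure mode the text wants (no indefinite hang, no silent skip after one typo).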
Note that, unlike losetup, unmounting a mapped device does not cause the encryption key to be forgotten. This may, or may not, be a good thing. You can forget the key with cryptsetup remove.

Configuring X and the Trackpoint

Most of this works just fine as installed. But we can do better. Note: to make a change take effect, it is necessary to restart X. Logging out is not sufficient if using kdm; restart the display manager from the console with service dm restart.

0. Upgrading the version of Xorg to 6.9.0

When Mandriva 2006 was released, an unstable version of xorg was used (xorg-cvs20050915). This basically works, but EmulatedScroll didn't work quite properly. Since 6.9.0 is now out (as of December 2005), and SeerofSouls have provided a cooker backport, it is worth installing. UPDATE April 2006: Xorg 6.9 is now in the mandriva community main urpmi source, so just use urpmi.

Find out which xorg packages are installed: rpm -qa | grep -E 'xorg|X11R6'. I had the following:

Download these. I didn't set this as an urpmi source, because I don't want to pull in all the upgrades from here.

Install the packages with urpmi.

Get the updated packages from the community mirror: urpmi.update -a; urpmi --auto-select.

Log out. Then restart X: service dm stop; service xfs restart; service dm start.

1. Graphics Driver and 3D
The graphics card is an ATI Rage 128 Mobility. This used to use the r128 driver, but now, use the ati driver. This is correctly detected by Mandriva, and the driver is both free and stable. In case of difficulty, the vesa driver works universally.

3D acceleration just works on this ThinkPad under Mandrake, without any need to install binary drivers from ATI (ATI drivers only started being binary-only, ugh, for 3D in their later cards). However, it is necessary to set the graphics to 16-bit colour, as there is insufficient memory for DRI at 24-bit colour. You can test 3D acceleration by running glxgears; I get about 780 frames/sec at 16-bit. The performance is good enough to enjoy tuxracer or helios. In case of 3D problems, see below.

Various graphics modes and resolutions are available; by default there are 1600x1200, 1280x1024, 800x600 and 640x480. To switch between these (e.g. to play tuxracer, or to use a projector), use xrandr or xvidtune.

xrandr is invoked as xrandr -s NUMBER, and allows you to resize the entire desktop (xrandr is X rotate and resize).

krandrtray is invoked as krandrtray, and is a KDE system-tray GUI for xrandr.

arandr is a graphical version of xrandr that runs on various desktop environments.

xvidtune is invoked as xvidtune -next, and changes the viewport onto the desktop: for example, an 800x600 viewport which can be panned around on top of a 1600x1200 desktop.

In Mandrake 9.1, it was necessary to increase the HorizSync and VertRefresh ranges in the X configuration, but this is no longer required. The defaults of 31.5-90 and 60 are fine.

The resolution at the virtual terminals may be increased by using vga=794.

Aside for the X22 laptop: install driconf, and run driconf as a normal user. No need to restart X afterwards. This allows you to enable HyperZ, which improves glxgears performance from 400fps to 970fps. This option isn't relevant for the A22p.

2. External Display
The external display is normally a copy of the LCD, although it can be used as a dual-head setup (I've seen this in W98, and believe that it can be done using Xinerama). The BIOS uses Fn-F7 to cycle between LCD, LCD+CRT and CRT, and it takes about 3 seconds for the display to initialise.

However, most projectors won't work at 1600x1200. In order to guarantee success:

- Make sure that the mode (such as 1024x768 or 800x600) is working on the internal LCD.
- Plug in the projector, and use Fn-F7. If both LCD and projector are enabled, then with some projectors there may be problems with timing errors. The symptoms are distortion, flickering, the LCD complaining about timing frequencies, or the projector failing to display anything or mis-syncing to give a sliced image. If so, use Fn-F7 again to have only the projector (of course, this means that there is no autocue, so have a printout of the slides available).
- Use xrandr -s 800x600 to resize the desktop as necessary to fit onto the projector.
- Give the presentation. NB: practise in advance; text not too small; test the projector in advance; have a printout of notes; check timing; speak slowly; be calm.

Aside for the X22 laptop: ibm_acpi doesn't properly co-exist with Fn-F7. To enable Fn-F7 to switch displays between LCD, CRT and both, it is necessary to enable BiosHotKeys in the Device section of the X configuration.

3. S-video ports

The A22p has S-video input and output ports. I've never had occasion to use them, but atitvout -f may help.

4. Font Sizes

The fonts are too small. This is because most monitors are 75 dpi, whereas this one is actually a wonderful 133 dpi. Three alterations are needed:

- Add the DisplaySize line to the X configuration.
- Change the dpi line in /etc/X11/Xresources, where 133 is the value reported by xdpyinfo | grep resolution.
- Unfortunately, the gnome-font-properties program (which configures GTK applications) does not respect the value from the X server. Start gnome-font-properties, click "Details", and manually change the resolution from 96 dpi to 133 dpi.
Then log out and restart X. The fonts should all look better and larger. The font faces themselves, and anti-aliasing, are described below.

5.1 Mouse device

As of kernel 2.6, instead of using separate devices for each mouse, the kernel merges them together into /dev/input/mice. This is fine, provided that you are not trying to do anything too clever (such as having a graphics tablet). However, we can, if desired, specify the correct mouse. This will be one of /dev/input/mouseX, but the value of X may vary depending on what is plugged in. The solution is to use udev to create a symlink to the correct device.

- We can discover which mouse we want by doing cat /dev/input/mouseX and wiggling the mouse. In this case, it happens to be /dev/input/mouse0.
- We want to create a udev rule to symlink /dev/input/trackpoint -> /dev/input/mouse0.
- Find out about the device with udevinfo: udevinfo -a -p /sys/class/input/mouse0
- Add the matching rule to udev's rules.
- Modify the X configuration to refer to /dev/input/trackpoint rather than /dev/input/mice.
- Reboot (since the PS/2 port doesn't like hotplugging).

This works. Note the following:

- If multiple mice are now needed, the ServerLayout section should have one CorePointer, and the others set to SendCoreEvents.
- For the A22p, it is also valid to use /dev/psaux for the trackpoint device.
- We don't want /dev/input/eventX, nor do we want /dev/input/tsX, since these can cause subtle errors.
- If the X server fails to start, Mdk will helpfully re-detect the mice and over-write your carefully constructed file. So keep a copy.

5.2 Mouse buttons

The buttons on the ThinkPad A22p are exceptionally well-arranged, and the resulting behaviour is extremely flexible.

- Button 1: ordinary left-click.
- Button 3: ordinary right-click.
- Button X: ordinary middle-click (i.e. paste). Button X is achieved by pressing btn1 and btn3 together.
- Button 2 + move trackpoint: vertical AND horizontal scroll.

Here is a diagram of the layout. To achieve this, we need the following:
- Emulate3Buttons on: Button 1 + Button 3 = emulated middle button.
- EmulateWheel on: Button 2 + move mouse = emulated scroll wheel.
- EmulateWheelTimeout 0: Button 2 does not generate middle-clicks; only Button X does.
- YAxisMapping 6 7: vertical scroll generates a series of button 4,5 events, which the application treats as a vertical scroll.
- XAxisMapping 4 5: horizontal scroll generates a series of button 6,7 events, which most applications treat as a horizontal scroll.

No, that's not a mistake: it cancels another bug, namely the existence of /etc/X11/xinit.d/mousebuttons, which swaps buttons 4 and 6, and 5 and 7.

Horizontal scrolling is misinterpreted as forward/back in Mozilla. See below for the fix.

Newer ThinkPads have 3 buttons in a row. As of Xorg 6.9, they can use EmulateWheelTimeout to allow Button 2 to be both scroll and middle-click. This works extremely well, except for a few applications (xfig, pcb) which use middle-button drag, and so cannot coexist with EmulateWheel. For older versions of X, see here for alternatives.

The mouse options are documented in man 4 mouse. But there is sometimes another mouse manual page of the same name, documenting the electronic protocol for mice; to get the right one, tell man exactly which page you want.

For testing, use xev to identify button presses, and xmodmap -pp to show the button mapping.

Note: before upgrading xorg to 6.9.0 (as above), the following things were different:

- The X and Y axes were switched, i.e. Option YAxisMapping 4 5 and Option XAxisMapping 6 7, because /etc/X11/xinit.d/mousebuttons didn't work.
- EmulateWheelTimeout had no effect. It was stuck on the default 200ms.
- The ZAxis mapping to some non-existent buttons was needed.

5.3 Cursor Theme

The cursor theme can be selected by running choosecursor, or from kcontrol - Peripherals - Mouse. I like the crystal cursors theme.

5.4 Mouse

Here is the mouse section of my X configuration.

6. Trackpoint sensitivity
The trackpoint can be set to have a very light touch, which I prefer. The old way, using the excellent tp4d, is described here, but it doesn't work with Mandriva 2006, preferring a 2.4 kernel with apm and XFree86. There is now a driver in the kernel, but it requires either a patch and recompile, or kernel 2.6.14 or later. See below for the kernel upgrade.

Once the kernel has been upgraded to 2.6.14, the trackpoint can be configured by echoing values from 0-255 (without a trailing newline) into the appropriate file in /sys. E.g. echo -n 255 > /sys/devices/platform/i8042/serio0/sensitivity. Once adjusted to taste, add the command to a boot-time script so that it is re-applied at startup.

The result is a very light sensitivity for the trackpoint. Note: don't rest your finger on the trackpoint; if it starts to drift, take your finger off it for a second to allow it to re-calibrate (this is normal behaviour, especially at high sensitivity). Negative inertia is explained by IBM.

Lastly, set up the Xorg mouse acceleration in kcontrol - Peripherals - Mouse - Advanced. I use: pointer acceleration 2.0x; pointer threshold 4 pixels; mouse wheel scrolls by 5 lines.

CAPS-LOCK is evil. It always seems to lurk in waiting on top of the Tab key. Furthermore, it is the correct and natural position for the Control key. Either use xmodmap (by including the remapping in your xmodmap startup file), or use the KDE control center: Accessibility - Keyboard Layout - Xkb Options - Make CapsLock an additional Control.

Special and accented characters can be entered using the AltGr key. For example, the µ symbol is entered with AltGr-M. To get accented characters, use AltGr together with one of the accent keys, followed by the character to accent (AltGr is sticky in this context). Alternatively, GTK applications support entering Unicode characters directly: to enter U+00B5 (the µ symbol), type Ctrl-Shift-U, B, 5 (the leading 0s are optional).
Ctrl-Alt-Del, Ctrl-Alt-Backspace and Ctrl-Alt-Esc are used, respectively, to reboot, restart X, and kill an application. KDE now traps Ctrl-Alt-Del, so it won't instantly reboot the machine. But Ctrl-Alt-Backspace will instantly kill the X server. This is dangerous, especially if you use sticky keys. So, uncomment the line that disables it in the ServerFlags section of your X configuration.

Ctrl-Alt-Esc is occasionally useful: it's a shortcut for xkill.

There are quite a few modifier keys used by X, listed in kcontrol - Keyboard Layout - Xkb Options. Here is a brief summary:

- Meta is roughly Emacs-speak for Alt. Sun keyboards have Meta, whereas PC keyboards have Alt.
- AltGr (RightAlt) is AlternateGraphic, for other characters such as µ, which is entered as AltGr-m.
- Compose is an alternative way to get composite characters. E.g. © is entered with the sequence Compose o c. However, unless using Unicode, it only duplicates the functionality of AltGr and isn't really required.
- Super is often mapped to the Windows key (which isn't present on ThinkPads), and is usually used for extra window-manager functions and custom global program shortcuts.
- Hyper is also sometimes, but uncommonly, used. It may be mapped to the Menu key (not present on ThinkPads).
- Mod1 to Mod5 are the internal names used by the X server for the modifiers (five are available). Usually Mod1 = Alt = Meta, Mod2 = NumLock, Mod3 = AltGr (KDE "3rd level"), and Mod4 is free.
- Space Cadet keyboards have all of the above, and can enter 8000 characters. Of course, this leads more to parody than to usability.

Note that many Linux programs still only understand ASCII (7-bit, 128 characters max; see man ascii), or, if you are lucky, they understand one of the extended upper-half character sets such as Latin-1 (8-bit, 256 characters). The right way to do it is Unicode with UTF-8.

See below to fix the GTK keyboard shortcuts.

8. Miscellaneous

Here are a few random snippets of information.
- Fn-F7 switches between LCD, LCD+CRT and CRT. But if you are in a virtual console, the LCD is blank in LCD+CRT mode. Under X, the LCD works as expected.
- Switch on screen expansion in the BIOS. Otherwise, 800x600 will only use the central quarter of the screen.
- LCDs look horrible at non-native resolution. But it's much better for games, since it reduces the CPU load and allows a higher frame rate, e.g. tux-racer at 640x480.
- There was (in 9.1) a bug in the r128 driver which caused occasional lockups with 3D GL things. This appears to have been fixed, but for reference, here is the information.
- The xev (XEvent) program is very useful to see what is going on: it prints keycodes, keysyms and button-press diagnostics to the screen.
- xmodmap allows you to change particular keyboard and mouse-button mappings.
- setxkbmap gb allows you to set default keyboard mappings. Useful if you did something stupid with xmodmap.
- xbindkeys allows you to define key combinations to launch programs.
- xclip copies and pastes from stdin/stdout to/from the clipboard.
- xmacro lets scripts generate key and mouse events, e.g. echo -e "KeyStr Z\n" | xmacroplay :0
- For the PC speaker, or bell, see sound.

9. Mouse Emulation

Mouse emulation in X/KDE works as follows. The keys below refer to the numeric keypad, so this is really more relevant to desktop machines.

- Shift-NumLock: turn mouse emulation on or off.
- 8, 2, 4, 6 and 7, 9, 1, 3: move the mouse pointer up, down, left, right and diagonally.
- 5: press the mouse button.
- The remaining keypad keys select which mouse button is emulated: left, middle or right respectively.
- 0: click-and-drag; there is also a double-click key.
Note 1: when restarting the X server, it is necessary to restart the dm service. Logging out is insufficient.

Note 2: Make sure to keep a copy of the X configuration file, since Mandriva helpfully re-writes it whenever anything goes wrong. Unfortunately, making the file non-writeable doesn't help, because processes running as root don't respect file permissions. However, we can set the file attributes to be immutable using chattr: immutable files cannot be altered by anything, root included, without first unsetting the immutable flag. So, as root, run chattr +i on the file. See also lsattr. Bear in mind that this stops well-meaning tools and slips of the hand, not an attacker who already has root: they can simply run chattr -i first, so it is not a security boundary.

Note 3: This is also a good time to introduce RCS version control. Use ci -l on the file to check in the latest revision and generate an RCS file (with a ,v extension); the -l makes ci check the file out again immediately. See also co.

11. Aside: EmulateWheelTimeout for X- and T-series

In the recent updates for Xorg, the EmulateWheelTimeout function has temporarily broken. This is irrelevant on the A-series, but of vital importance for users of T- and X-series ThinkPads, which have 3 buttons in a row. For these machines, we have to use EmulateWheelTimeout in order to have both scroll and middle-click functionality. Unfortunately, although it has been fixed in xorg, the Mandriva packages have not included the patch. This means compiling it directly. To do so, use rpmbuild:

- Get the latest xorg source RPM from the SRPMS directory on the mirrors. I used the one from SeerOfSouls.
- Install it with rpm -i.
- Get this patch (attached to comment 8 on the xorg Bugzilla).
- Apply it to the source.
- Now build the RPM: cd /usr/src/RPM/SPECS; rpmbuild -bb on the xorg spec file.
- Finally, the RPMs will be in /usr/src/RPM/RPMS/i586; install the packages as desired.

Now clean up, or there will be over a GB of wasted disk space. When the rpm tool installs a source RPM, it merely unpacks its source into the /usr/src/RPM/SOURCES directory. Thereafter, it isn't listed by rpm -qa and cannot be removed with rpm -e. So, some judicious use of rm -rf in the directories /usr/src/RPM/SOURCES and /usr/src/RPM/BUILD is required.
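Notes 2 and 3 above (chattr +i and RCS) combine naturally into one small guard, so that the file is always snapshotted before it is locked and re-locked after every edit. This is an added example, not from the original page. It assumes chattr and lsattr (e2fsprogs, on an ext2/ext3 filesystem) and ci from GNU RCS are installed, and takes the file to protect, e.g. /etc/X11/xorg.conf, as an argument.

```shell
#!/bin/sh
# Added example (not from the original page): keep a hand-edited config file
# out of reach of distribution tools and keep its history in RCS.
# Assumes chattr/lsattr (e2fsprogs, ext2/3 filesystems) and ci (GNU RCS).

# lsattr prints the flag field first, then the file name, e.g.
#   ----i--------e-- /etc/X11/xorg.conf
# Return 0 if such a line carries the immutable ('i') flag. Lowercase 'i'
# only: uppercase 'I' is the unrelated "indexed directory" flag.
lsattr_has_immutable() {
    flags=${1%% *}                 # text before the first space
    case "$flags" in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Live check against the filesystem.
is_immutable() {
    lsattr_has_immutable "$(lsattr -d -- "$1" 2>/dev/null)"
}

# protect_config FILE: snapshot FILE into RCS (keeping a writable copy, -l)
# and set the immutable flag. Refuses to touch a file that does not exist.
protect_config() {
    f=$1
    [ -f "$f" ] || { echo "protect_config: no such file: $f" >&2; return 1; }
    ci -l -q -t-"initial snapshot of $f" -m"protect_config" "$f" || return 1
    chattr +i -- "$f"
}

# edit_config FILE [COMMAND...]: lift the flag, run COMMAND FILE (default
# $EDITOR or vi), snapshot the result, and lock again even if the edit failed.
edit_config() {
    f=$1; shift
    [ $# -gt 0 ] || set -- "${EDITOR:-vi}"
    chattr -i -- "$f" || return 1
    "$@" "$f"
    rc=$?
    ci -l -q -m"edit_config" "$f"
    chattr +i -- "$f"
    return $rc
}
```

Use protect_config /etc/X11/xorg.conf once, then edit_config /etc/X11/xorg.conf for every later change; if Mandriva's auto-detection does clobber the file after a failed X start, co -l gets the last good revision back.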
1. Font sizes

First, sort out the font sizes by configuring X correctly (see above). This is necessary, since the 1600x1200 screen has a much higher DPI than normal.

2. Font Types (bitmap, truetype, antialiased, hinted): Introduction

De-uglification of the fonts is quite easy to do (see the examples), but fairly long to explain. Here is my short summary. There are several types of fonts:

- Bitmap fonts (75dpi, 100dpi). These are the old-style X fonts, and cannot be scaled. They also cannot be printed. However, they look excellent on screen, iff they are displayed at their native size. Only certain point sizes are available, and these fonts cannot be anti-aliased. E.g. Helvetica 8, 9 and 13pt look excellent; 11pt looks poor; 10 and 12pt are unavailable.
- True-type (scalable) fonts. These fonts are the "modern", resizable ones, which look curvy. The outlines are generated from vectors, and mapped onto a pixel grid. However, how exactly should the fonts be scaled to match the pixels?

- Scale, but don't anti-alias. Each pixel is either black or white. This means that the font is sharp and easy to focus on, but the coarse pixellation usually results in a horrid, spidery effect with jagged outlines. This is the well-known "bad Arial fonts on Linux" problem. Here's a sample comparison (left/right).
- Scale and anti-alias. Fudge the curves by setting the intermediate pixels to varying shades of grey. This blurs the edges of the font, creating a smooth outline which is on average faithful to the original vector. For very large fonts (in headlines), and fonts used in images, it looks good. But for normal text, it is a matter of taste. Some people like the smooth edges, but I personally find them blurry and out of focus, and they give me eye strain. It's not quite so bad on this wonderful 133dpi monitor of the ThinkPad, but dreadful anywhere else. Sub-pixel rendering is a possible solution: it uses the 3 coloured sub-pixels of the LCD to triple the horizontal resolution of the anti-aliasing. But the result is colour-fringing of the fonts; if you look at the result using xmag or kmag, you will see what I mean. However, some people do really like this smoothing effect. The Bitstream Vera or DejaVu fonts are the best for this.
- Use properly hinted fonts, and don't anti-alias. Hinting means that when the font is scaled, instead of keeping its shape perfectly the same, it is carefully distorted to fit better over the pixels. The result is that the font face looks slightly different, but it is always sharp and free from ugly artifacts. For example, the letter e sacrifices its Times-New-Roman nature in favour of clarity. These correctly hinted fonts do not need anti-aliasing, and anti-aliasing often makes them worse at small sizes. The Microsoft fonts are best for this. For interest, here's a comparison of Microsoft's and Apple's different approaches to smoothing.
- Lastly, when the font is very large (e.g. 15pt, or used in an image), anti-aliasing makes the edges less jagged without harming readability.

Here are some images of the different fonts. Try enlarging them with xmag or kmag to see the details (not Firefox zoom, which will antialias). More examples are here (scroll down).

- Bitmapped: clear, but un-scaleable. For terminals.
- True Type, non-antialiased: spidery.
You've probably guessed that this means I like the hinted, non-anti-aliased fonts. The snags are that most of the Linux fonts are not well hinted, and that the bytecode interpreter for interpreting hinting information is covered by an evil software patent. The Mandriva packages use the autohinter, which works adequately with the Bitstream fonts but very badly with the MS fonts. The PLF packages use the bytecode interpreter, which works very well with the MS fonts but not with the Bitstream fonts. Furthermore, many fonts look better at certain sizes than at others. This means:

- Install the Microsoft corefonts, which are free-as-in-beer. These are very well hinted.
- Install the PLF version of libfreetype6.
- Set up the applications to use the new fonts.
- No half-measures: a compromise will be much worse than either extreme.

3. Configuring Freetype, installing well-hinted fonts

So, actually doing it:

- Take a screenshot of how things look now (with ksnapshot) for later comparison.
- Install the Microsoft Core Fonts. Before I wiped out Win98, I kept a tarball of C:\Windows\Fonts. Install the TrueType files (but not the other Windows font formats) using either the Mandrake Font Installer (in the Mandrake Control Center) or KDE's font installer (kcontrol - System - Font Installer). Alternatively, there are the Microsoft webfonts (free as in beer), which can be downloaded from SourceForge. Tahoma isn't necessarily included in corefonts, but it is available for download here.
- Install a version of libfreetype with support for the bytecode interpreter (hinting). First, download the penguin-liberation-front (PLF) packages for libfreetype6 and libfreetype6-devel.
Then, install them instead of the Mandriva packages. However, urpmi won't upgrade them, since the replacement version is in fact slightly earlier. If you use urpme to remove the Mandriva packages before installing the PLF ones, you'll end up uninstalling your entire system. This is one of those rare occasions when using rpm with --nodeps is justified. Do the removal and the re-install in one sitting, without logging out or restarting X in between: while libfreetype is absent, nothing that links against it will start.

- Find the names of the packages which are installed: rpm -qa | grep libfreetype
- Forcibly uninstall them, without removing the packages which depend on them: rpm -e --nodeps libfreetype6-2.1.10-9.1.20060mdk libfreetype6-devel-2.1.10-9.1.20060mdk
- Install the PLF packages with urpmi.
- Prevent urpmi --auto-select from re-installing the Mandriva packages by adding them to urpmi's skip list.
- Restart X (log out, service dm restart).

4. Font settings for applications

Now, we need to configure the applications to use the new fonts. We want to use hinted fonts, with anti-aliasing off except for large font sizes. Note that the precise font sizes need to be controlled per machine, since the display resolution affects their weight; e.g. Tahoma 10 looks a lot better than Tahoma 9 or 11. Also, it is worth playing with the upper limit of the anti-aliasing exclude range: generally, the higher the resolution (DPI) of the monitor, the smaller this number can be. The aim is to make headlines look smooth, and text look sharp. Lastly, to add confusion, OpenOffice and Mozilla Firefox work in pixels, not points. Here are the settings which I use on the A22p at 133dpi and, for comparison, on my desktop machine at 99dpi.

Font: ThinkPad A22p, resolution 133dpi.

Font: Desktop, resolution 99dpi.

Repeat for root: if desired, repeat the above with sudo for applications when they run as root (e.g. Mandriva Control Center).
Web browser font test. Web browsers show different fonts depending on the CSS font-family property. Note that you can configure the browser as to precisely which font it should show for the various families, as well as allowing or disallowing the use of web-page-specified fonts. Here are the various families, so you can see what they look like in your browser:

- This is your chosen serif font: abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ (italic text)
- This is your chosen sans-serif font: abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ (italic text)
- This is your chosen cursive font: abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ (italic text)
- This is your chosen fantasy font: abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ (italic text)
- This is your chosen monospace font: abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ (italic text)
- This is what you get for the font named "times": abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ (italic text)

5. Fix GTK weirdness

Fix GTK applications with KDE. Unfortunately, there is a problem with GTK applications: every time X is restarted, they lose their font settings (which are defined by gnome-font-properties) and go back to ugly defaults. The way to fix this is to run gnome-settings-daemon. This could also be achieved by starting and stopping gnome-font-properties. Note that the side effect is to start xscreensaver and the gnome-accessibility stuff (key repeats). Unfortunately, there doesn't seem to be a simple workaround in the complicated session startup. Thus, I append gnome-settings-daemon to the end of my KDE startup script.

Log out and in again (if desired) to check everything. Take another screenshot if desired, and enjoy the difference.

7. A few more notes on fonts
- Selecting fonts: xfontsel is useful. A font is unambiguously described by both foundry and name (and size, style), e.g. adobe-times-iso8859-1. However, in KDE, fonts are known just by their name when unambiguous (e.g. Bitstream Vera Sans), and with the foundry in brackets when it is required, e.g. Fixed [Misc] or Fixed [Sony]. Also, note that Times (adobe-times-iso8859-1) and Times New Roman (Microsoft TTF) are quite different fonts. It's also possible to use fontconfig to make substitutions, for example so that whenever an application asks for "Arial", it actually gets Tahoma. After updating the font configuration, it's often necessary to update fontconfig's cache: fc-cache -v
- For desktop users, with antialiased fonts and LCD monitors without DVI: LCD monitors auto-adjust by aligning their clock with vertical lines in the image. But if all the fonts are antialiased, there are no hard edges to crunch on, and the monitor calibration is often poor. Here is a 1280x1024 chessboard: view it at 100% size, then press auto-adjust on the monitor.
- The point is a unit of length, defined as 1 point = 1/72.27 inch (in computing, it is usually redefined to 1/72 instead). A 10-point font means that the full height of a row of text is 10 points. The em is the height of an M (or the width of an m) in that font. For example, at 96dpi, 12pt = 16px; at 133dpi, 10pt is about 18px.
- The GIMP freefonts are good, and may be downloaded from here. A large number of other fonts are also available online for preview.
- Summary: it's all about personal choice. If you get used to AA, then switching back to non-AA feels a bit weird for a while. Likewise, vice versa.

1. Introduction
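The screensaver notes that follow make one security point: lock the screen on suspend, or there is no use having an encrypted laptop. While the machine is merely suspended, the dm-crypt key is still in RAM and the filesystems are still mounted, so the lock is the only thing between a thief and the data. The script below is an added example, not from the original page: it asks xscreensaver to lock, waits until xscreensaver-command -time actually reports a locked screen, and only then suspends; if the lock never engages, it refuses to suspend at all. It assumes xscreensaver is running for the current display and that suspending means writing "mem" to /sys/power/state; both commands are variables so they can be swapped for whatever a given machine uses.

```shell
#!/bin/sh
# Added example, not from the original page. Suspend wrapper that locks the
# X screen first and refuses to suspend if the lock did not engage, so a
# suspended (key-in-RAM) laptop is never left unlocked.
# Assumes xscreensaver is running and suspend = "echo mem > /sys/power/state";
# XSS and SUSPEND can be overridden, e.g. for testing.
XSS=${XSS:-xscreensaver-command}
SUSPEND=${SUSPEND:-suspend_to_ram}
LOCK_WAIT=${LOCK_WAIT:-10}        # seconds to wait for the lock to engage

suspend_to_ram() {
    echo mem > /sys/power/state
}

# "xscreensaver-command -time" prints one line, e.g.
#   XScreenSaver 4.22: screen locked since Tue Mar  7 22:10:01 2006
#   XScreenSaver 4.22: screen non-blanked since Tue Mar  7 22:09:30 2006
# Return 0 only if such a line reports a locked screen.
xss_status_locked() {
    case "$1" in
        *"screen locked since"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Ask the daemon to lock, then poll its status until it confirms the lock.
lock_screen() {
    "$XSS" -lock >/dev/null 2>&1 || return 1
    i=0
    while [ "$i" -lt "$LOCK_WAIT" ]; do
        if xss_status_locked "$("$XSS" -time 2>/dev/null)"; then
            return 0
        fi
        sleep 1
        i=$((i + 1))
    done
    return 1
}

# Fail closed: no confirmed lock, no suspend.
lock_then_suspend() {
    if lock_screen; then
        "$SUSPEND"
    else
        echo "screen lock not confirmed; not suspending" >&2
        return 1
    fi
}
```

Bind lock_then_suspend to the Fn-F4 key (or call it from the suspend script) as the user who owns the X session, with the suspend command itself allowed through sudo if it needs root; the important property is that the failure mode is "still awake and visibly unlocked", not "asleep with the key in RAM and the desktop exposed".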
Xscreensaver is a much nicer package than the KDE screensaver, and has a wonderful configuration program (and toy), xscreensaver-demo. The really slick rss-glx screensavers and fireflies are also great. Install the following packages: xscreensaver xscreensaver-gl xscreensaver-extrusion xscreensaver-matrix rssglx fireflies rssglx-matrixview. Configure xscreensaver (xscreensaver-demo) to lock the screen, and to lock when suspending the laptop, or there is no use having an encrypted laptop: while suspended, the disk key is still in RAM and everything is still mounted. To start xscreensaver automatically, first disable the KDE screensaver, then start xscreensaver from your session startup script.

xpenguins -a -b and xearth are also fun, but you need to enable "Programs in desktop window" in KDE Control Centre - Look and Feel - Behaviour.

2. r128 (ati) Workaround

There is an obscure bug in the r128 (ati) graphics card driver when it interacts with GL programs and the mouse cursor theme. The effect is that, whenever a GL program is running, the mouse cursor changes from the nice blue crystal-cursors theme to a black-and-white mottled one. I suspect this bug is too obscure to troubleshoot. However, it can be worked around by one of:

- Revert to the core X default cursor theme, or
- De-select the GL screensavers in xscreensaver-demo, or
- Kill and restart xscreensaver every time it unblanks.

Here is a script to do the last one automatically. Save it somewhere on your path, and start it from your session startup instead of running xscreensaver directly. Note: this must be started before gnome-settings-daemon.

1. Sound configuration (ALSA)
In Mandriva 2006, sound just works. The snd-cs46xx modules are correctly detected for ALSA, and even better, ALSA now has dmix enabled by default. Previously, sound applications required an exclusive lock on /dev/dsp and would not share it. Sound servers such as artsd were a partial solution, but the latency was a problem, and not every application had an arts output capability (artswrapper/soundwrapper didn't always work). However, with dmix, all is happy: multiple applications can output sound to the sound card simultaneously, provided that they use ALSA output rather than OSS (i.e. /dev/dsp).

- Most applications (e.g. mplayer, amarok, vlc) can do this: simply set the output plugin to alsa.
- Even the KDE sound server can output to ALSA. But see below.
- Some applications only understand OSS (e.g. /usr/bin/play). In these cases, use aoss to intercept the call to /dev/dsp and redirect it to ALSA, e.g. aoss /usr/bin/play. Actually, play itself is just a script, and can be edited to include the aoss anyway.
- QEMU doesn't work with aoss, so it has to have the sound card to itself.
- CD playback can be done digitally via ALSA (e.g. by alsaplayer, kscd, vlc) or directly through the sound card.

For more technical details on ALSA, see this excellent introduction, this tutorial and this page about dmix. If you have multiple sound devices (e.g. an external USB soundcard), finding the correct name in ALSA terminology is slightly complex. To get information, use aplay -l and amixer -c 0 scontrols, and look in /proc/asound. For example, default:1,0 means use the default ALSA interface to the second soundcard, on the first channel; dmix:1,0 explicitly forces ALSA to use dmix, whereas hw:1,0 usually prevents dmix from working.

Finally, artsd has a very noticeable startup latency (especially when playing system notifications), and it is finally obsolete. Arts can be configured to use ALSA for output, but it is unnecessary. I have the KDE sound system (kcontrol - Sound - Sound System) disabled, and play system-notification sounds thus:
- kcontrol - LookNFeel - System Notifications - Player Settings - Use external player.
- External player: a script of my own in /bin, as follows.

3. System bell

To get the system bell to work, it is necessary to load the pcspkr module (see above). Then, in kcontrol - Sound - System Bell, make sure "Use system bell instead of system notification" is checked, and set the beep to 440 Hz (concert A) and duration 30ms. Make sure Konsole is set to use it by choosing Settings - Bell - System Bell. Then test by pressing Ctrl-G, and you should be instantly greeted by a short, friendly beep.

For use in scripts: echo -e "\a". Or install gnubeep, and try a loop over a range of frequencies.

4. Sound Mixer

The mixer volumes are changed with kmix, gnome-alsamixer or alsamixergui, and if required can be manually saved and restored with alsactl. aumix is obsolete, and doesn't support all the mixer controls. To reduce hiss, keep all volumes below 90%, and ensure that the Mic channel is muted. As with all internal soundcards, one can hear some interference from the CPU.

The ThinkPad has some buttons for volume up/down/mute. These are in series with the mixer. If desired, their state can be displayed on-screen by using tpb.

amixer is a very useful non-interactive command-line mixer control, usable in scripts etc.

speaker-test is helpful for identifying which channel is connected where, and for emitting a test sine wave.

5. Microphone

On my ThinkPad, the internal mic is broken. However, the Mic input is fine. This input provides a bias voltage, capable of powering an electret microphone. A pair of headphones will work as a quasi moving-coil microphone; however, I have been extremely impressed by the Microphonics microphones: tiny, high-quality electret condensers built into a stereo 3.5mm jack plug, and costing a mere 7-10. It is also necessary to enable the 20dB Mic Boost in the mixer.
Recording sound isn't as straightforward as expected. You may find that even though you can get the mic to work through the speakers, you can't record from it. This usually indicates that the ADC is disabled. Here's what I had to do:

- Start gnome-alsamixer.
- Make sure that all 3 of the Mic, ADC and Capture controls are set to Record.
- Mute the Mic input (the speaker icon should be greyed out). This prevents feedback unless you are using headphones.
- Optionally, enable the Mic boost (+20dB). This gives much greater sensitivity at the expense of some extra hiss.
- It should now work. Try using the command record -i mic, and you should be able to see the left and right levels move up and down. If so, it's working.
- An alternative is to use the ALSA program arecord, thus: arecord -f cd -t wav -D front
- amixer can be used to turn on the required mixers.

Note 1: the record program is part of the xawtv-misc package. Note 2: Audacity disables the Capture input, and you need to re-enable it. Note 3: gtkguitune is an oscilloscope and frequency counter, useful for tuning instruments.

MIDI is a way to synthesise music by sequencing samples of various instruments. MIDI files are a very highly compressed way to store music (or musical notation). Despite the existence of /dev/sequencer, this machine doesn't have support for hardware MIDI synthesis; however, excellent results can be obtained by using the software synthesiser TiMidity. It's also necessary to install a patch set (i.e. some samples), such as timidity-patch-freepats.

Mandrake also provides a timidity service. This doesn't work well: it seems necessary to run the timidity daemon as a normal user, and not via the timidity service. However, my suspend script (above) doesn't account for this, and must be modified to kill and restart timidity on suspend. Otherwise, sound will not come back on resume.

An excellent article about MIDI is provided by the Linux Journal (Part 1, Part 2, Part 3, Part 4). Music composition and score-editing tools include rosegarden and hydrogen.
Note that the KDE control centre's "Test MIDI" button doesn't work, and in fact has never worked.

7. Multimedia Applications

There is a vast number of media players available. Generally, you need to install the PLF versions to have the full functionality. These are the ones I like the best:

- MPlayer: plays practically everything. Run it from the command line, or use gmplayer for the GUI, or mplayer-plugin from Mozilla.
- VLC (VideoLAN client): also plays virtually everything. Probably the best for DVDs.
- Amarok: an excellent program for enjoying your music files. Use the xine back-end.
- JuK: similar to Amarok; some prefer it.
- XMMS: somewhat venerable, but rapid startup, and very good for audio.
- KMidi (GUI) and TiMidity (CLI): for playing MIDI files.
- Alsaplayer: for playing music and CDs. A key feature is adjustable-speed playback (even reverse).
- KsCD: CD audio playback.
- /usr/bin/play: a wrapper for sox, which plays sound files.
- festival, espeak, mbrola: speech synthesis programs.
- play, rec, cdp, cdplay, ogg123, mpg123, sox, aplay: useful command-line programs.

I recommend uninstalling noatun and kaffeine.

8. Audio Streaming

To set up your own audio or video stream, use VLC. It's surprisingly easy; here's the howto.

To listen to a RealAudio stream, use mplayer or realplayer (see below).

Here is how to record from internet audio streams.

It is also worth mentioning personalised radio, which requires the latest version (1.4.1) of Amarok. Another collaborative filtering system is iRate.

9. Multiply opened /dev/dsp
Normally, /dev/dsp can only be used by one application at a time. This is the case with most hardware (such as my desktop Intel motherboard), and is why we need ALSA dmix. However, the A22p's sound card does permit /dev/dsp to be opened multiple times simultaneously. This is directly due to the hardware, not to the kernel or to ALSA (although I'm sure it wasn't supported in kernel 2.4). Experimentally, we can have up to 32 simultaneous accesses before failing to open /dev/dsp. Thus, much buzzing:

for i in $(seq 1 32); do play -d /dev/dsp & sleep 0.05; done

10. Soundcard distortion: CPU whine and hiss

The CPU causes a very quiet whine to be heard over the soundcard. It isn't really noticeable, except with an external amplifier or headphones. It is caused by the CPU power state switching back and forth between idle and active. A test is to force the CPU to always run at full speed: nice -n 19 yes > /dev/null. This doesn't harm performance, but it's too ugly to use as a proper fix (besides which, it eats battery and will make the CPU fan come on). A slightly less ugly solution is modprobe -r thermal processor. The best solution would be the Dynamic Tick patch from here.

There is also a slight degree of hiss. This can be nearly eliminated with the following mixer settings (use gnome-alsamixer):

- Ensure that no level is set to maximum. This includes the hardware volume control from the volume buttons; 90% is fine.
- Mute every unneeded control (Mic, IEC958 Input).
- Set the 3D control switch to ON, but the sliders to 0. No idea why this helps.
- Increase the signal-to-noise ratio by keeping the software mixers high (90%) and controlling the sound level with the hardware volume control.

There is also a slight pulsed buzzing (about 0.5 seconds, every 2 seconds) which occurs when any USB removable storage device is present.

11. External USB soundcard
When playing back music through an external amplifier, it's worth buying an inexpensive external USB soundcard, such as the Creative MP3 or the Behringer UCA202. These provide dramatically better quality, because they don't pick up interference from the other signals inside the computer case. Thinkpads are much better in this regard than most, but not ideal. It's also a simple way to make sure that when music is played loudly, system sounds and beeps are not excessively amplified.

12. Soundcard troubleshooting

For sound troubleshooting, Mandriva recommend the following sequence:

- lspcidrake -v | fgrep -i AUDIO will tell you which driver your card uses by default.
- grep sound-slot ... will tell you what driver it currently uses.
- /sbin/lsmod will enable you to check if its module (driver) is loaded or not.
- /sbin/chkconfig --list sound and /sbin/chkconfig --list alsa will tell you if the sound and alsa services are configured to be run in this runlevel.
- aumix -q will tell you if the sound volume is muted or not.
- /sbin/fuser -v /dev/dsp (as root, if necessary) will tell which program uses the sound card in OSS mode. Programs which access the soundcard via ALSA, rather than by writing to /dev/dsp, will not show up here.
- /sbin/fuser -v /dev/snd/* (as root, if necessary) will tell you which programs are currently outputting sound to ALSA.

Don't forget to check whether sound is also muted in hardware (use the volume buttons), or in the application itself.

1. Lucent WinModem driver

The internal modem is a Lucent WinModem, with a proprietary driver. There is no free driver in the kernel, but the modem does work.

- Ensure you have the source for your current kernel installed (see below).
- Download and run scanModem for information.
- Download the source package.
- Untar, and change into the directory: tar xvzf ...; cd ltmodem-8.31b1
- Become root.
- ./build_module to compile the module (don't try build_rpm, since it has specfile problems). Repeatedly press Enter. This results in the modules ... and ...
- ./ltinst2 to install the modules. This fails to complete the first time; don't worry, it will succeed in a moment.
- cd source; make mdkinstall; cd .. This successfully installs the modules in the destination ...
- ./ltinst2 to finish the installation.
- ./autoload to make the modules load automatically at boot time. Adds lt_serial to ...
- ./checkout to finish.

/dev/modem is now a symlink to /dev/ttyLTM0. Test it by querying the modem with kppp.

Note: it is necessary to repeat the above (build_module; ltinst2; cd source; make mdkinstall; cd ..; ltinst2) every time a new kernel is installed.

2. The Mars driver (for kernels 2.6.15 and above)

As of kernel 2.6.15, the internal kernel interfaces have changed (eg MODULE_PARM becomes module_param) and the ltmodem driver above no longer compiles. Furthermore, there is now a much better way, putting the proprietary stuff into userspace, which no longer taints the kernel. More details on the Martian driver are here. To install and use it:

- Untar. Read the README.
- In the driver directory, do make clean; make; make install.
- Add martiandrv to ...
- In the helper directory, do make; make install.
- Run /usr/sbin/martianhelper /dev/MODEMNAME. This creates /dev/MODEMNAME, which talks to martiandrv, which in turn talks to the modem.
- Add this to ...

Note: it is necessary to repeat the above (make clean; make; make install) every time a new kernel is installed.

3. Configuring the kppp modem dialer

Here is how to set up the kppp modem dialer:

- Use /dev/modem.
- Use Dynamic IP. Do NOT "Auto-configure hostname from this IP".
- Default gateway: "Assign the default route to this gateway".
- "Disable existing DNS servers during connection".
- BUG: kppp fails to actually assign the default route during the connection. So, in Accounts -> Execute, add:
  Before connect: sudo ifdown eth0; sudo mv ...; sudo touch ...
  Upon disconnect: sudo ifup eth0
  This will work.
- Define the modem network interface for the firewall: add ppp0 to /etc/shorewall/interfaces.

For occasional use, ... has provided good service. Or, try ..., for which no signup is required; just use it.
PCMCIA just works. Make sure that the pcmcia service is running, and that pcmcia-cs is installed. Always eject cards in software (with cardctl eject) before physically unplugging them. Otherwise, the kernel will probably panic. You must also eject cards before suspending to RAM. To find information on a PCMCIA card, use cardctl ident.

IrDA (Infrared)

The Thinkpad has a 4 Mbit/sec FIR (Fast IR) port, although it can also do SIR (Standard IR, 115 kbps). IrDA basically works straight off once the right device is set. Edit /etc/sysconfig/irda and change the device from /dev/ttyS2 to /dev/ttyS1. The IR should also be enabled in the BIOS if necessary. Then, restart irda (service irda restart) and switch it on permanently (chkconfig --add irda).

The irda service will also handle kernel module loading, and starting irattach. You should also see the network device irda0, which shows up in ifconfig. Don't forget to firewall off the irda0 interface. Some extra entries in /dev will be created if the correct modules are loaded. Eg modprobe irnet creates /dev/irnet, and modprobe ircomm-tty creates /dev/ircommX.

To test IrDA, as root, run irdadump: this shows the raw packets, and should show up reflections from the thinkpad's own transmissions. Also, cat /proc/net/irda/discovery should show up other devices, and give addresses. You can ping other devices using irdaping daddr, where daddr is the value (such as 0x0d7357f2) from grep daddr /proc/net/irda/discovery. This may take a few seconds to respond. You can also see IR light directly using a CCD video camera, or a phototransistor.

Other things to be investigated: IR networking, file transfer, IR remote control via lircd, IR modem connection to mobile phone. See also the Infrared-HOWTO.

Bug 1: chkconfig --add irda doesn't work. This is easily fixed: edit /etc/init.d/irda and change the line ...
Bug 2 (severe): irdadump can panic the kernel. I reported this bug, which may, or may not, be specific to the Samsung S300 phone. For now, disable IrDA. UPDATE 2006-08-03: this bug is now fixed upstream. It now works perfectly in the 2.6.17.7 kernel from work.

LAN and WiFi

1. Internal ethernet (Intel Ethernet Pro 100)

The internal 10/100 ethernet port used to use the eepro100 module; however, it should now use the e100 module. Otherwise, random dropouts occur. The eepro100 module is obsolete (it hasn't been revised since 2000), whereas the e100 is maintained, and works with kernel 2.6. See here and here for more details. However, by default, the kernel loads the eepro100 module. To make sure that the correct module is used, add or modify this line in ...

This also has the beneficial side effect that the ethernet module is always loaded before PCMCIA starts, and so eth0 is always the internal port. It also seems necessary to prevent the eepro100 driver from loading. Add this to ...

Configuration with Mandriva's configuration tool (mcc) just works. Remember that, if using DHCP, it is not necessary to configure the "DHCP hostname" (it is different to the hostname), and that zeroconf should not be used. ifplugd will bring up, and shut down, the interface as and when it is plugged in.

Note: this port is not auto-sensing, so you will need a crossover cable to connect it directly to another laptop.

2. WiFi PCMCIA card

This card is a Netgear WG511 (version 1, 54 Mbit/sec). It is supported under Linux using the prism54 module, but the card also requires that its firmware should be loaded from the host PC every time it is powered on. This firmware is not GPL, and isn't included with Mandriva; however, it is free to download. Without the firmware, iwconfig reports NOT READY, and dmesg reports "could not upload firmware isl3890". The prism54 driver is in the kernel; the firmware is available from the prism54 project. The firmware required is the fullmac version, named ...
- Rename it to isl3890.
- Move it to the directory /usr/lib/hotplug/firmware.
- Eject the card (cardctl eject), then physically remove and re-insert the card.
- Now enjoy: configure with ifconfig/iwconfig, or mcc (Mandrake control center), as desired.

Useful wireless tools are iwconfig, iwlist, kwifimanager and netapplet. See also the Linux wireless LAN howto.

In order to suspend the computer, it is essential to eject the card (at least in software, if not physically). Otherwise, suspend will crash. Use cardctl eject to do so. On resume, physically re-insert the card, and then do service network restart (or just ifup wlan). Then run dhclient wlan if necessary to obtain an IP address.

This card reports 2 different MAC addresses, depending on its state of initialisation. But the network interface scripts identify the interface by its MAC address; as a result, the interface can only be brought up once after boot (or insertion). Subsequent restarts of the interface will fail, since the second MAC address will not be recognised. The simple workaround is to do cardctl eject, and then physically remove/reinsert the card every time. For more explanation of this difficult bug and its solution, read on.

The MAC address (as reported by ifconfig -a, or udevinfo -a -p /sys/class/net/wlan) varies between 2 states:

- When uninitialised (before the firmware is loaded), it has the bogus value 00:30:B4:00:00:00. This is not unique between cards, and it belongs to Intersil (the chipset manufacturer). The first 3 pairs of a MAC address are uniquely allocated to the manufacturer; the final 3 pairs are allocated by the manufacturer to each card.
- When initialised (after the firmware is loaded), the card reports its true, unique MAC address (mine is 00:09:5B:C1:3A:B1), which is printed on the card, and belongs to Netgear (the wireless card manufacturer).
- The true MAC address persists until the card is powered down or ejected, even if the network is restarted.
This is because the real MAC address is unknown to the card until the firmware is loaded (probably, it cannot read its own MAC address out of its EEPROM); see /usr/src/linux-2.6.14/drivers/net/wireless/prism54/islpci_dev.c. Credit is due to Mauro Maroni for putting me on the right track by noticing the MAC range owner; thanks.

The problem is that Mandriva loads the firmware too late: it should be loaded as soon as the card is detected, but it isn't actually loaded until the network interface is brought up. Loading the firmware is eventually done by /sbin/firmware_helper, invoked by a udev rule in ..., which is triggered on bringing up the interface.

Note: enabling logging is very helpful: set udev_log="info" in ... and then run tail -f /var/log/messages. To make udev aware of new rules, run udevstart.

But interfaces are identified by their MAC address. Thus we must have the bogus MAC address in /etc/iftab and /etc/sysconfig/network-scripts/ifcfg-wlan to get the interface to come up the first time. Once up, the MAC address changes. So subsequently restarting the interface will fail: ifup wlan exits with the error "interface wlan not found" / "Device wlan has different MAC address than expected, ignoring". A possible workaround for this might be to modify /sbin/ifup to allow 2 alternative HWADDR=XX lines in ifcfg-wlan.

Possible solutions:

- Try to invoke firmware_helper in the right place with a udev rule. Unfortunately, firmware_helper is undocumented. Reading the source of udev-78/extras/firmware/firmware_helper.c provides some enlightenment: the arguments must be supplied as environment variables, but it isn't clear what the values ought to be (especially DEVPATH).
- Write a udev rule to change the MAC address to the correct one. Use a RUN key to execute /sbin/ifconfig wlan hw ether 00:09:5B:C1:3A:B1 as soon as the device is detected. Unfortunately ifconfig refuses to do this without the firmware.
- Bring the interface up and then down again (without assigning an IP) as soon as the device is detected. This causes the firmware to be loaded, and is the best solution. We can easily do this by piggybacking on the udev rule to name the wlan interface.

Thus, I have the following files:

- The udev rules in ... Note that the RUN command must be the full path.
- The fudge which is executed: /usr/local/sbin/firmwarefudge (remember to make this executable).
- Now, the real MAC addresses can go into /etc/iftab and /etc/sysconfig/network-scripts/ifcfg-wlan.
- Finally, run udevstart to make this take effect, and enjoy.

2.1 Troubleshooting WiFi connection problems

If the laptop is normally set up to use ethernet (eth0) and is firewalled, then you may have some trouble actually connecting via WiFi.

- Failure to see any access point with iwlist wlan0 scanning means either the hardware isn't working, the driver isn't loaded, or there is no radio signal in reach.
- Failure to obtain an IP address with dhclient is usually caused by firewalling issues.
- Failure to reach the wider internet (usually, you can ping the access point but no more) is usually caused by having the default route assigned to the wired ethernet device. Check this by running route. To stop eth0, do ifconfig eth0 down. Note: ifdown eth0 won't necessarily remove the default route.

This is a useful shell alias to make everything work (assuming a WEP ASCII key):

alias connectmywifi='sudo sh -c "ifconfig eth0 down; ..."'

You can directly set up a simple ad-hoc network where other machines can connect wirelessly to this laptop. To do this, we must put the adapter into Ad-Hoc mode (see man iwconfig for more). The magic incantations are:

On this laptop: iwconfig wlan0 essid myessid mode Ad-Hoc enc off ap 00:0e:1e:11:22:33
On other laptops: iwconfig wlan0 essid myessid mode Ad-Hoc
The ap 00:0e:1e:... option sets a chosen access-point cell identity (similar to a MAC address, but not the same) in the privately assigned range; the 11:22:33 are a free choice. This option is particularly helpful in hotels which charge extortionate rates for wifi, and you want to share it. To do so, set up internet connection sharing with DrakGw as described below.

5. USB Networking

A neat gadget to have in the laptop bag is a USB network adapter. I have a Sitecom LN-013 (USB 1.1, 10/100 ethernet adapter). This just works under Linux, using the rtl8150 kernel module. However, this really doesn't like being hot-unplugged, and will panic the kernel. To unplug it, ifdown usblan, then rmmod rtl8150, and only then unplug it. Also, if the LN-013 is plugged in when a suspend is attempted, the laptop will crash.

6. Firewire networking

Mandriva will very helpfully configure an ethernet-over-firewire PCMCIA device. Unfortunately, this gets the name ethX, and hence adds to confusion. So, unless we are going to use it, it can be disabled by adding this to ...

7. Network device names

7.1 The problem

This machine has 2 ethernet interfaces: eth0 (internal 10/100 ethernet, cat5) and eth1 (pcmcia network card, wifi). Worse, they keep on swapping around. The kernel assigns network interfaces in the order in which they are detected. So, boot with pcmcia plugged in and eth0 is the pcmcia card; otherwise, it is the 10/100 ethernet. This problem gets even worse if one has an extra network card, firewire card, or usb network adapter. The root causes are these:

- Hardware is initialised asynchronously. Module loading order isn't necessarily repeatable (although it usually is).
- PCMCIA and USB NICs may not be present, but load before the motherboard's onboard adapter if they are.
- Interfaces are assigned consecutively by the kernel; one cannot reserve eth0 yet assign eth1.
- The wireless network card above can get assigned 2 different interface names as its MAC changes.

7.2 Solution 1: simple hack
Add e100 to ... This forces the e100 module to load before the hardware is scanned for autodetection; therefore eth0 is always the internal device.

7.3 Solution 2: temporarily fix the mess

Go into the Mandriva control center (mcc) and delete all the network interfaces, then start again.

7.4 Solution 3: the old way, use ifrename

ifrename is designed to rename interfaces once they are detected, so that they are consistent. This is done by using iftab and the MAC address (see man iftab and man ifrename). However, it is supposedly obsoleted by udev.

7.5 Solution 4: the Right Way, udev

This is the modern way to do it, and allows us to pick meaningful names (eg lan and wlan) rather than eth0 and eth1. This assumes that eth0 and eth1 are already configured, but need to be permanently renamed.

- Create a udev rule to map the MAC address to the kernel's name. The MAC addresses can be found by looking at the output from cat /sys/class/net/INTERFACE/address or ifconfig -a (or printed on the bottom of the laptop). Note that the MAC addresses need to be in lowercase. Also, the wlan rule needs to cover both the bogus MAC address and the real one. Thus these are defined in ...
- Fix /etc/iftab so that the device is recognised as already existing: modify the names of devices in /etc/iftab to reflect the new names. Check they are the right way round first. I chose to have lan and wlan, thus ...
  Note: iftab is not used during normal network startup. It is, however, used by MCC, the GUI tools, and by autoconfiguration of new interfaces.
- Edit ... to pair the kernel modules to the devices. The interface names must match the kernel modules.
- Edit ifcfg-foo so that ifconfig knows what the network settings are. For each network interface, the settings (see man ifcfg) are stored as a series of KEY=VALUE lines in /etc/sysconfig/network-scripts/ifcfg-foo, where foo is the name of the interface.
  - Rename the file. Eg mv ifcfg-eth0 ifcfg-lan, etc.
  - Change the DEVICE entry. Eg DEVICE=lan.
  - Make sure the MAC address is the right one. Eg HWADDR=00:03:47:8d:da:e9.
- If using static IP addresses, edit /etc/sysconfig/network and change GATEWAYDEV=ethX to the correct interface name. This isn't relevant for DHCP.
- Change any other files which refer to the old-style interfaces:
  - Shorewall: change the interface names in /etc/shorewall/interfaces and /etc/shorewall/masq.
  - Ifplugd: if used, modify ...
  - Change the reference to eth0 used in the kppp config (above).
  - Just in case: grep -inr 'eth[0123]' /etc
- Reboot to check. It may suffice to stop the network, rmmod all the modules, and run udevstart.

8. Hostname and /etc/hosts

The /etc/hosts file is used to permanently map IP addresses to hostnames. It must include localhost, and should also include the hostname of the machine. If these are missing, all sorts of weirdness and timeouts may occur. The hostname of the machine itself should never change, although a temporary hostname can be defined for each interface.

/etc/hosts may also define other mappings, overriding DNS. This is particularly useful if transporting the laptop between 2 networks, one with static IP and the other with DHCP. For example, I transport this laptop between two networks. On one (using DHCP), it is told to be 192.168.10, whereas on the other (using static IP), it is 131.111.193.203. The machine name is always toffee-pecan (our network computers are named after ice-cream flavours), but on the static IP network, it is also ... Thus this is in /etc/hosts: ...

By default, Mandriva will set network interfaces to DHCP, and enable "Assign hostname from DHCP address". I think this is a bug: I've already chosen a hostname, and I'd prefer to keep it, thank you very much. DHCP can provide an IP address for the specific network interface, but the hostname belongs to the whole machine, and I don't think it should change. Besides which, changing the hostname without a reboot can cause all sorts of trouble.

To fix this, either:
- Uncheck the "Assign hostname from DHCP address" option in the Mandriva control center (mcc).
- Add the line NEEDHOSTNAME=no to the appropriate /etc/sysconfig/network-scripts/ifcfg-DEVICE.
- Hack the default to be off: it's defined in either ... or ...

TODO: Actually fix this.

9. Firewall (Shorewall), and Internet Connection Sharing

Mandrake uses the Shorewall firewall, configured in /etc/shorewall, or by drakfirewall and drakgw. Drakfirewall simply lets you configure which ports should allow connections (usually SSH, Ping, and maybe ...). Drakgw sets up a gateway for internet connection sharing, and is a wonderful tool for setting up an entire network.

9.1 Shorewall

Shorewall terminology is as follows:

- Various zones are defined in /etc/shorewall/zones. These are typically net (the big, bad internet), fw (the firewall, this machine), and loc (the local zone, or intranet, i.e. trusted internal systems). For a client-only machine, use fw, not loc.
- Each interface, such as eth0, eth1 and ppp0, is assigned to a zone, in /etc/shorewall/interfaces.
- General policies are defined in /etc/shorewall/policy. Mandrake defaults to allowing all outgoing connections, but restricting inbound connections.
- Specific rules are defined in /etc/shorewall/rules. For example, to allow incoming SSH and Ping from the internet (net) to reach this machine (fw), add these lines: ...
- IP masquerading (for internet connection sharing) is configured in /etc/shorewall/masq. Note: /etc/shorewall/nat is not used.
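As an added example of the four files just listed (my own, not the author's configuration; it assumes Shorewall 3.x file syntax and the interface names used on this page), here is a client-only laptop that is a member of the fw zone and accepts only SSH and ping from outside:

```shorewall
# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4

# /etc/shorewall/interfaces  (everything untrusted, wired or not, is "net")
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp
net     wlan0       detect      dhcp
net     ppp0        -           optional
net     irda0       -           optional

# /etc/shorewall/policy  (this machine may talk out; nothing comes in by default)
#SOURCE DEST    POLICY  LOG LEVEL
fw      net     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules  (the only holes in the inbound DROP policy)
#ACTION         SOURCE  DEST    PROTO   DEST PORT(S)
ACCEPT          net     fw      tcp     22
Ping/ACCEPT     net     fw
```

The optional keyword on ppp0 and irda0 lets the firewall start while those interfaces are absent, which matters on a laptop that only sometimes dials out.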
To start, stop and clear shorewall, use service shorewall start|stop|clear. Note that the inverse of start is clear, not stop: stop will result in a completely closed firewall, whereas clear will result in a completely open firewall, as it was before shorewall was first started. In the stopped state, shorewall is safe against intrusion, but also prevents any new connections (though existing ones won't die). The cleared state is most useful for debugging suspected firewall-related connectivity issues. This is a change from previous Mandrake initscripts: it is now consistent with the shorewall upstream, but not with earlier versions of Mandrake, or some other distributions. A consequence of this is that you can lock yourself out of the machine by accident. The workaround is to re-enable ssh after shorewall has stopped: add this to /etc/shorewall/stopped: ...

To test the firewall, run a port scan. An excellent one is Gibson Research's Shields Up. It's also helpful to run netstat -lp --inet to list which local processes are doing what. I also recommend ssh-ing somewhere else, and testing that you can get back in.

Technical explanation: shorewall is actually a front-end to netfilter/iptables. iptables is what actually does the filtering in the kernel; shorewall just generates and executes iptables commands. To see what is happening, run iptables -L. An alternative to shorewall is to write the iptables rules manually, then put these into /etc/sysconfig/iptables and run the iptables service to apply them at boot. Don't run both the iptables and shorewall services simultaneously; they are alternatives.

Shorewall Tips

- Remember to firewall off all the interfaces that you use, not just eth0. This probably includes irda0, ppp0 and wlan0.
- Once the shorewall rules are established and tested, run shorewall save: this will cache the compiled rules, and it will then start up much faster at boot time.
- The optional interface option allows Shorewall to come up without that interface being present. But you will still generally need to shorewall restart after the interface is up and configured.
- Note: Bug 16917 causes /etc/shorewall/interfaces to be messed up each time a new interface is added. Remember to check and fix it if necessary.

DrakGW is used to set up internet connection sharing. If this computer has two network ports, it can be used to share its internet access with other machines. The drakgw wizard sets up everything, including a dhcp server, named, squid and IP masquerading (masq, not nat, in shorewall).

10. Useful networking tools

Here is a list of some very useful networking tools, commands and files:

- ifconfig: print information about, or configure, a network interface. Example: ifconfig -a; ifconfig eth0
- ifconfig eth0:1: create a pseudo-interface eth0:1 on the same physical network connection. This can have a different IP address to eth0. Up to 9 pseudo-interfaces are supported.
- ifplugstatus: tells you whether the cable is plugged in and live. Example: ifplugstatus
- ifup / ifdown: start and stop an interface, according to the network scripts. Example: ifup eth0
- ethtool (mii-tool is obsolete): view or manipulate network interface status, eg the link status and speed setting of an ethernet port. Example: ethtool eth0
- dhclient: obtain a dynamic IP address for an interface. Example: dhclient eth0
- ping: check whether another machine can be reached. Example: ping ...; ping 72.14.207.99
- route: which ranges of IP addresses should be routed via which device. Example: route -n; route add default gw 192.168.0.1
- arp: display the mapping between hostname/IP address and MAC address for devices on the local network. Example: arp; arp 10.0.0.3
- cat / nc / telnet: connect to, or listen on, another machine on some port. Example: nc -l -p 1234; nc localhost 1234
- brctl: configure a network bridge, to make multiple physical interfaces act as one virtual interface. Example: man brctl
- service network restart: restart the networking subsystem. Also remember to restart shorewall.
- mcc: Mandriva control center, GUI to configure networking.
- iwconfig: print information about, or configure, a (WEP) wireless interface. Example: iwconfig; iwconfig wlan essid MYSSID enc off
- iwlist: list wireless access points. Example: iwlist wlan scanning
- traceroute: print the steps on the path from this machine to another. Example: traceroute ...
- whois / nslookup / dig: find out the owner of a domain, the name of an IP address, or do a DNS query. Example: whois ...; nslookup 72.14.207.99; dig tcp 8.8.8.8
- tcpdump: Example: tcpdump -vv -i eth1
- ethereal (now renamed wireshark): very useful and flexible GUI for tcpdump. Allows you to view the contents of network packets. Example: ethereal
- EtherApe: real-time network monitor GUI with impressive graphics. Example: etherape
- fping / hping: scriptable ping, TCP/IP diagnostics. Example: fping
- iftop: network interface bandwidth monitor, like top, but for the network. Example: sudo iftop
- netstat: list open connections and sockets on the computer. Example: netstat --inet -lp
- nmap / nmapfe: map the network, scan for open ports. Example: nmap -v 192.168.0.
- xinetd: network-enable any program; xinetd connects stdin and stdout over TCP/IP on a defined port. Example: dinnerdogd
- NPtcp: measure and diagnose network performance. Example: machine1: NPtcp (and open the firewall); machine2: NPtcp -h machine1
- airodump-ng: monitor and sniff WiFi. Example: airodump-ng -c channel wlan0
- /etc/sysconfig/network: the hostname is defined here. Also use the hostname command. Iff the IP addresses are static, this must also contain the IP of the gateway (eg GATEWAY=72.14.207.99) and the name of the network device connected to it (eg GATEWAYDEV=eth0).
- /etc/sysconfig/network-scripts/ifcfg-*: interface-specific settings are defined here, eg the IP address and netmask of eth0.
- ...: the DNS servers are defined here.
- /etc/hosts: some hostname to IP mappings are defined here, notably 127.0.0.1 localhost.
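For the firmware fudge of section 2 and the lan/wlan renaming of section 7.5 above, here is an added example of my own (not the author's actual files): a small script that generates the udev rename rules, covering both of the wlan card's MAC addresses, and installs the fudge script that the bogus-MAC rule runs. It assumes the udev-078-era key SYSFS{address} (newer udev spells it ATTR{address}), a rules file name of 10-ifnames.rules, and that udev exports the new interface name as INTERFACE to the RUN program.

```shell
#!/bin/sh
# Added example, not the page's own files. Generates udev rename rules for the
# lan/wlan setup described on this page and installs the firmware "fudge".

# Print one rule: rename the kernel eth* device having MAC $1 to $2.
# Optional $3: full path of a program to RUN once the device appears.
udev_rule() {
    mac=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')   # rules need lowercase
    name=$2
    run=${3:-}
    h='[0-9a-f]'
    case $mac in
        $h$h:$h$h:$h$h:$h$h:$h$h:$h$h) ;;
        *) echo "udev_rule: bad MAC address '$1'" >&2; return 1 ;;
    esac
    case $run in
        ''|/*) ;;   # the RUN command must be an absolute path
        *) echo "udev_rule: RUN program must be a full path: '$run'" >&2; return 1 ;;
    esac
    rule="KERNEL==\"eth*\", SYSFS{address}==\"$mac\", NAME=\"$name\""
    if [ -n "$run" ]; then
        rule="$rule, RUN+=\"$run\""
    fi
    printf '%s\n' "$rule"
}

# Write the rules file and the fudge script into directory $1. Point it at a
# scratch directory to inspect the result; the real homes on this page are
# /etc/udev/rules.d/ and /usr/local/sbin/firmwarefudge.
install_rename_files() {
    dir=$1
    fudge="$dir/firmwarefudge"
    rules="$dir/10-ifnames.rules"     # file name is an assumption
    {
        echo '# lan: the internal e100 port (MAC from the page, HWADDR=00:03:47:8d:da:e9)'
        udev_rule 00:03:47:8d:da:e9 lan
        echo '# wlan: the prism54 card before firmware load (bogus Intersil MAC).'
        echo '# Naming it also runs the fudge, which makes the firmware load now.'
        udev_rule 00:30:B4:00:00:00 wlan /usr/local/sbin/firmwarefudge
        echo '# wlan: the same card after firmware load (its real Netgear MAC).'
        udev_rule 00:09:5B:C1:3A:B1 wlan
    } > "$rules"
    cat > "$fudge" <<'EOF'
#!/bin/sh
# Bring the freshly named interface up and straight down again, with no IP
# address, so that the firmware is loaded as soon as the card is detected.
# INTERFACE is assumed to be exported by udev; fall back to the page's name.
dev=${INTERFACE:-wlan}
/sbin/ifconfig "$dev" up && /sbin/ifconfig "$dev" down
EOF
    chmod 755 "$fudge"
}

if [ $# -eq 1 ]; then
    install_rename_files "$1"
fi
```

Run it with a directory argument to stage the files, then copy them into place and run udevstart as the page describes.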
11. MAC spoofing

Sometimes, it's useful to spoof the MAC address of an interface, in order to pretend to be another machine.

- Temporary change: ifconfig eth0 hw ether 00:01:02:03:04:08, where 00:01:02:03:04:08 is the MAC address you want to have. This can only be done while the interface is down, so first do service network stop, and restart the network when done.
- Permanent change (persistent across reboots): add this line to the relevant /etc/sysconfig/network-scripts/ifcfg-ethX file: MACADDR=12:34:56:78:90:ab (lower or upper case is unimportant).

12. Zeroconf

What is mDNSResponder? This is the Multicast DNS responder, designed to allow the operation of Zeroconf networking. This is also known as Apple's Bonjour protocol, and has an alternative implementation by avahi. The principle is that devices should be able to discover each other's IP addresses, hostnames, and services (eg printing) on an ad-hoc basis, without any pre-existing configured DNS. This is neat, if you like this sort of thing; personally I prefer to do it manually.

Power Management: ACPI or APM

This Thinkpad can use either APM or ACPI. Since ACPI is now maturely supported, it is the recommended choice. ACPI will be enabled by default, unless it is disabled in ... (see above), in which case APM will be activated instead. It is also important that, when booted, the mains should be plugged in. Note: do not confuse ACPI with the unrelated APIC.

0. BIOS clockspeed: always switch on with mains power connected

An oddity is that the status of the power source (AC vs battery) at boot time affects the subsequent maximum performance. If the AC is not present when the machine is started, the maximum performance of the machine thereafter will be reduced by 30%. This is not reversible by plugging in the mains; a reboot is required. However, once the machine has booted past the BIOS (I think), subsequent changes (switching mains to/from battery, throttling the CPU with ACPI, sleeping) have no lasting effect. Some experimental data:

(Table of experimental data; columns: Boot power source | Current power source | Other condition | BogoMips (/proc/cpuinfo) | CPU frequency (/proc/cpuinfo) | Measured performance.)
BogoMips and CPU frequency are measured by the kernel at boot time, and so do not change with the current power status.

In my setup, the system is configured in the BIOS for Automatic power management while on battery, and High performance while on mains.

Measured performance is the result of (yes & sleep 10; killall yes) | wc -l, rounded to the nearest million.

1.1 Introduction

ACPI allows system management (power control, buttons and lights, cpu, fan, battery monitor etc). The acpi and acpid system services need to be enabled. See also this page at thinkwiki.

To find information, use acpi -V, or look at the information in /proc/acpi. The files in /proc/acpi can be read with cat and modified with echo -n. The /proc/acpi/ibm directory is particularly useful. For example:

- cat /proc/acpi/ibm/light returns the current status of the thinklight (off) and the available commands (on, off).
- echo -n on > /proc/acpi/ibm/light turns the light on.

The acpi daemon (acpid) runs as a system service. It monitors system events (such as lid close, or plugging in AC power), and then runs scripts in response. See man acpid.

- To monitor what is happening, tail -f /var/log/acpid.
- /etc/acpi/events contains short files linking the ACPI event (eg button/sleep) to the script which is to be run.
- /etc/acpi/actions is the directory in which these scripts usually live.
- To make the daemon aware of changes in /etc/acpi, do killall -HUP acpid.

Note that the function keys (Fn-Fx) do not generate acpi events until they are enabled with /proc/acpi/ibm/hotkey.

1.2 Devices: buttons and lights

1.2.1 On-screen display of events

The tpb program produces a very helpful on-screen display of events, such as the volume level, screen brightness, and output to LCD/CRT/both. It can be installed with urpmi, and is automatically started from /etc/X11/xinit.d. It also allows the otherwise non-useful ThinkPad button to do something: edit /etc/tpbrc.
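As an added example of the cat/echo interface to /proc/acpi/ibm/light just described (my own script, not the page's), here is a thinklight flasher for notifications that restores whatever state the light was in beforehand. The LIGHT variable is an assumption that lets the logic be exercised against an ordinary file.

```shell
#!/bin/sh
# Added example, not the page's own script: flash the ThinkLight through
# /proc/acpi/ibm/light and put it back the way it was.

LIGHT=${LIGHT:-/proc/acpi/ibm/light}

# Current state. The real file reports "status:   on|off" on its first line;
# a bare "on"/"off" (what our own write leaves in a plain file) is accepted too.
light_state() {
    awk 'NR == 1 { print (($1 == "status:") ? $2 : $1); exit }' "$LIGHT"
}

# Write one of the two commands the page lists, refusing anything else.
light_set() {
    case $1 in
        on|off) printf '%s' "$1" > "$LIGHT" ;;   # same as the page's echo -n
        *) echo "light_set: expected on or off, got '$1'" >&2; return 1 ;;
    esac
}

# Flash $1 times (default 3), pausing $2 seconds per transition (default 0.2).
# Restores the original state afterwards so a notification never leaves the
# light stuck on, and prints the state it was restored to.
flash_light() {
    count=${1:-3}
    delay=${2:-0.2}
    before=$(light_state)
    case $before in
        on|off) ;;
        *) echo "flash_light: cannot read a state from $LIGHT" >&2; return 1 ;;
    esac
    i=0
    while [ "$i" -lt "$count" ]; do
        light_set on;  sleep "$delay"
        light_set off; sleep "$delay"
        i=$((i + 1))
    done
    light_set "$before"
    light_state
}

if [ $# -gt 0 ]; then
    flash_light "$@"
fi
```

Run as root with a count and delay (flash_light 5 0.1) to use it as the diagnostic blink the page mentions.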
1.2.2 Toy example: flash the thinklight

This script is useful for diagnostics or notifications: ...

Fun may also be had with /proc/acpi/ibm/beep.

1.2.3 Using Fn-F3 to switch off the backlight

Using APM, this just works; however, with ACPI, it no longer does.

- Enable the hotkeys. Append this to ...
- tail -f /var/log/acpid and observe what happens when Fn-F3 is pressed.
- Create /etc/acpi/events/fn-f3: ...
- killall -HUP acpid. See if it works. It does.
- Now, we need to actually switch off the backlight. This cannot be done with ACPI, but install radeontool (with urpmi), and test: radeontool light off; sleep 2; radeontool light on
- The completed files: ...
- Make them executable, restart acpid (killall -HUP acpid) and enjoy.

1.2.4 Using other Fn-keys (F4, F7, F12)

Fn-F7 works fine without intervention, to toggle between video output on the external display and the LCD. Fn-Home and Fn-End change the LCD brightness. Fn-PgUp toggles the thinklight. Fn-F4 and Fn-F12 are discussed below.

1.3 Mandriva's scripts in /etc/acpi/events

Some actions/events are already supplied:

- /proc/acpi/event/lmacadaptor: this is broken; it is never triggered.
- /proc/acpi/event/lmbattery: this triggers ..., which does some wizardry involving laptop-mode, but doesn't seem to do much.
- /proc/acpi/event/lmlid: this is never triggered. I prefer that a lid close should merely turn off the backlight (via the BIOS) anyway.
- /proc/acpi/event/power: a 2-second press of the power button triggers this, and will cause a normal system shutdown with /sbin/poweroff. Pressing it for 4 seconds or more will force an instant poweroff and reset in the BIOS.
- /proc/acpi/event/sleep: see below. This is never triggered, but would crash the machine if it were. See below.

Also, hald-addon-acpi is a client of acpid. This will notify KDE.

1.4 CPU throttling

The CPU speed can be controlled by ACPI.

- To read the CPU speed, do cat /proc/acpi/processor/CPU/throttling
To set the CPU speed: echo X > /proc/acpi/processor/CPU/throttling, where X is a number from 0 to 7. State 0 represents no throttling, i.e. 100% of full speed, and is the default. State 7 represents maximal throttling (7/8, i.e. about 87%), leaving about 13% of full speed. This is much slower, but has lower power consumption. It will also keep the fan inactive.

KLaptop can do all sorts of clever things. It is configured in kcontrol - Power control - Laptop Battery - ACPI Configuration. CPU throttling can also be varied by right-clicking on the battery icon in the systray. It is necessary to run Setup Helper Application from the ACPI Config tab; this installs a helper that runs as root, since writing to /proc/acpi needs root.

1.5 Fan speed control

To use APM instead of ACPI, see the configuration in Mandrake 9.1. Note: it is important to use my suspendANDresume script, and not to use apm -s directly, or the machine will crash. The apmd service should be on, and the acpi and acpid services should be off.

Suspend to RAM

There are two sorts of suspend: Suspend-to-RAM (sometimes known as sleep) and Suspend-to-Disk (sometimes known as hibernate). Either may be bound to Fn-F4.

During suspend-to-RAM, the machine enters a low-power state, stopping almost everything except the DRAM refresh. It can last this way for several days on battery. Resume occurs on re-opening the lid, or by pressing Fn.

In suspend-to-disk, the machine is totally powered off, and the state is saved to the swapfile. On the next boot, the kernel detects the presence of a previously running system, and does some clever gymnastics to switch into it.

2 Suspend to RAM

This covers ACPI suspend; for APM suspend, see here. ACPI suspend in Mandriva works, theoretically, in this way:

The user (or an ACPI event) invokes /usr/bin/pmsuspend2 memory. Invoke with -d for debug.
/usr/bin/pmsuspend2 is a symlink to /usr/bin/consolehelper. consolehelper invokes /usr/sbin/pmsuspend2 memory as root, on behalf of the non-root user, who is logged in locally.
This sources the configuration variables from /etc/sysconfig/suspend.
It then executes memory.
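As an added example (written for this page, not taken from it), here are small functions that read and validate the throttling interface described above, and a substitute for the lm_ac_adaptor event that the page says never fires: pick the throttle state from the AC adapter status instead. It assumes the 2.6-era layout of the throttling file shown in the sample, and /proc/acpi/ac_adapter/AC/state reporting "state: on-line" or "off-line", a path the page does not name. Both paths are overridable so the parsers can be checked against sample files.

```sh
#!/bin/sh
# Added example, not code from the page: read, validate and set the ACPI
# throttling state through the /proc file the page uses, and pick a state
# from the AC adapter status. Assumptions: the 2.6-era file layout shown in
# throttle_sample (one "Tn: pct%" line per state, the active one marked
# "*"); /proc/acpi/ac_adapter/AC/state reporting "state: on-line" or
# "off-line" (the page does not name this file).

THR="${THR:-/proc/acpi/processor/CPU/throttling}"
AC="${AC:-/proc/acpi/ac_adapter/AC/state}"

# Constructed sample of the kernel's output (state T3 active).
throttle_sample() {
    cat <<'EOF'
state count:             8
active state:            T3
state available: T0 to T7
states:
    T0:                  100%
    T1:                  87%
    T2:                  75%
   *T3:                  62%
    T4:                  50%
    T5:                  37%
    T6:                  25%
    T7:                  12%
EOF
}

# throttle_get: active state number 0..7.
throttle_get() {
    sed -n 's/^active state:[[:space:]]*T\([0-7]\)[[:space:]]*$/\1/p' "$THR"
}

# throttle_pct: percentage of full speed in the active (starred) state.
throttle_pct() {
    sed -n 's/^[[:space:]]*\*T[0-7]:[[:space:]]*\([0-9]*\)%[[:space:]]*$/\1/p' "$THR"
}

# throttle_set N: refuse anything but 0..7 before touching /proc (root needed).
throttle_set() {
    case "$1" in
        [0-7]) printf '%s\n' "$1" > "$THR" ;;
        *) echo "throttle_set: state must be 0..7, got '$1'" >&2; return 1 ;;
    esac
}

# ac_online: 0 on mains, 1 on battery, 2 if the file is unreadable, so a
# missing adapter file is not mistaken for either state.
ac_online() {
    st=$(sed -n 's/^state:[[:space:]]*//p' "$AC" 2>/dev/null) || return 2
    case "$st" in
        on-line) return 0 ;;
        off-line) return 1 ;;
        *) return 2 ;;
    esac
}

# throttle_auto BATTERY_STATE: full speed on mains, BATTERY_STATE on battery.
# Leaves the state alone if the AC status is unknown. Run from cron or a loop
# in place of the AC adapter event that never fires.
throttle_auto() {
    rc=0; ac_online || rc=$?
    case $rc in
        0) throttle_set 0 ;;
        1) throttle_set "${1:-4}" ;;
        *) echo "throttle_auto: AC state unknown, not changing" >&2; return 2 ;;
    esac
}
```

Usage on the laptop (as root): throttle_get; throttle_auto 6 to drop to state 6 whenever the mains lead is out.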
It then iterates over all the files in /etc/sysconfig/suspend-scripts/suspend.d, invoking them with the argument suspend. This is where the system services are shut down, xorg is chvt'd away from, and the network is stopped, etc.
Then it executes an ACPI suspend by doing echo 3 > /proc/acpi/sleep.

However, it doesn't actually work. Here is what is required.

When testing suspend, it may well crash X or the kernel. Save your work. Run IceWM instead of KDE: it's much faster to restart. Also, a remote connection via SSH is very useful for debugging. Lastly, enable debugging (debug=yes) in the suspend configuration.

First test: is the kernel capable of suspending? Remove PCMCIA cards, then reboot. At the lilo prompt, press Esc, then boot into runlevel 1 with 2.6.16-20 single. Now, echo 3 > /proc/acpi/sleep and check that it goes to sleep and the crescent lights up. Then, wake it with Fn. Check you can do this more than once. If so, proceed; otherwise, give up now. Note: neither 2.6.16-20 nor 2.6.17-7 can resume more than once; the second suspend cycle always fails.

Mandriva's own scripts in /etc/sysconfig/suspend (invoked by pmsuspend2 memory) are insufficient, and a horrific mess of bugs. A crash is guaranteed. My wrapper script around pmsuspend does the important things: chvt 1 and cardctl eject. For security, xscreensaver is configured to lock the screen before anything else happens.

The killall -STOP X / killall -CONT X steps are not strictly required (they used to be vital with apm); however, they are added for extra safety: there is no way the X server can crash while it is stopped. However, while X is stopped, clients such as xscreensaver-command can trip over it. Mandriva's script starts xscreensaver in the background with &, leading to a race condition.

It is important to remove the script /etc/sysconfig/suspend-scripts/suspend.d/xfree. Unfortunately, just renaming it will not work: it has to be deleted, moved out of the directory, or have its first non-comment line replaced by exit. Preserve the changes, so that a package update does not reinstate the script, by adding suspend-scripts to the appropriate exclusion list.
If sound does not return after suspend, then try restarting the alsa service. If alsa cannot be shut down, then some process (possibly timidity) has a lock on the soundcard. Network applications should survive a restart of the network service; however, it seems necessary to restart it twice (pmsuspend already does it once), in order to keep a PCMCIA wireless card happy.

The completed files are:

Make them executable, restart acpid, press Fn-F4, and cross fingers.

Set the BIOS to not automatically suspend on lid-close. Sometimes it's useful to keep the machine running with the lid shut; also, it prevents a possible race condition between starting the suspend script above and triggering a BIOS suspend by closing the lid. ALSO, ensure that there is NO ACPI event defined to suspend on lid-close.

You may also wish to configure klaptop to automatically suspend on low battery, but only if you trust suspend.

Note: the screensaver only protects the X session. If there are any logins on the virtual consoles, this is not secure: the wrapper switches to VT 1 before suspending, so whoever opens the lid lands on whatever is logged in there. Log out of the consoles before suspending. See above.

3 Suspend to Disk

Don't do it. Suspending to disk writes all of memory to disk in cleartext, including any keys held in memory, thereby completely ruining any sort of security. Note: an encrypted suspend image doesn't do what you think it might, because the kernel has to be able to read the image back unattended at resume time, so the key ends up stored with it. That said, suspend2 does do encrypted suspend, and might be promising.

If you want to use suspend-to-disk anyway (with swsusp), the instructions are in the kernel documentation. It's very easy to do, but it does not co-exist with the encrypted swap space we set up earlier. Remove the encryption entry for swap in /etc/fstab, then regenerate the swapfile with mkswap.

With the default Mandriva install, Fn-F12 doesn't do anything anyway. I've mapped it to blink the thinklight, as a reminder that something has happened, but it shouldn't be used. Download.

ThinkPad-specific programs: tpctl, configure-thinkpad, configure-trackpoint, tp_smapi, hdaps
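The wrapper script itself is elided above, so here is an added example, written for this page rather than the author's own file, of the suspend-to-RAM sequence it describes and of the console-login check the security note calls for: lock the screen first, refuse to suspend while a virtual console is logged in, leave X, eject PCMCIA, stop X around pmsuspend2, then restart the network twice and alsa. DRY_RUN=1 prints the commands instead of running them, so the ordering can be checked without the hardware. It assumes the commands named on the page exist (xscreensaver-command, chvt, cardctl, pmsuspend2, service), that the X server process is called X and lives on VT 7, and that WHO_OUTPUT, if set, stands in for the output of who.

```sh
#!/bin/sh
# Added example, not the author's wrapper script: the suspend-to-RAM
# sequence the page describes, with DRY_RUN support for checking the order.
# Assumptions: xscreensaver-command, chvt, cardctl, pmsuspend2 and service
# exist; the X server process is "X" on VT 7; WHO_OUTPUT (if set) replaces
# the output of `who`.

# run CMD...: execute, or in DRY_RUN mode record the command line.
run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# vt_logins WHO_OUTPUT: "user@ttyN" for every text-console login in `who`
# output (lines like "rjn  tty2  2006-05-01 10:00"). X sessions show as
# ":0" and are ignored, since xscreensaver locks those.
vt_logins() {
    printf '%s\n' "$1" | awk '$2 ~ /^tty[0-9]+$/ { print $1 "@" $2 }'
}

# suspend_cycle: fail closed when a console is logged in, because chvt 1
# followed by lid-open hands that shell to whoever picks up the machine
# (the "not secure" note on the page).
suspend_cycle() {
    who_out=${WHO_OUTPUT-$(who 2>/dev/null || true)}
    logins=$(vt_logins "$who_out")
    if [ -n "$logins" ]; then
        echo "refusing to suspend: console logins present: $logins" >&2
        return 1
    fi
    run xscreensaver-command -lock   # first: nothing below is reachable unlocked
    run chvt 1                       # leave X before it is stopped
    run cardctl eject                # PCMCIA cards do not survive suspend
    run killall -STOP X              # X cannot crash while stopped
    run pmsuspend2 memory            # machine sleeps here; resumes on Fn/lid
    run killall -CONT X
    run service network restart      # twice: once is not enough for the
    run service network restart      # PCMCIA wireless card
    run service alsa restart
    run chvt 7                       # back to X
}
```

Bind suspend_cycle (run via consolehelper, as the page does for pmsuspend2) to the Fn-F4 event; DRY_RUN=1 suspend_cycle shows what would happen.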
configure-trackpoint is a graphical utility to set the trackpoint sensitivity. It can be installed with urpmi, but on my system it doesn't work, even though the trackpoint driver itself does work. Never mind.

tpctl and configure-thinkpad are CLI and GUI utilities to change certain BIOS settings, most usefully the wake-up alarm for the ThinkPad. They can be installed with urpmi, and just work. Remember to modprobe thinkpad (or add it to the list of modules loaded at boot) first. These utilities are crucial on some ThinkPads (e.g. the 600 series), which do not have a proper configuration menu in the BIOS. However, they are not necessary on the A22p. The utilities are obsolete for later ThinkPads such as the X series.

tp_smapi aims to provide extra system management features via SMAPI (System Management Application Program Interface). This should allow changing the optical drive speed, and manual control of charge/discharge. At the moment (with tp_smapi-0.22), the various interfaces are exposed in /sys, but it doesn't do anything useful on this machine. Also, much of the useful information is already exposed via ACPI: look at /proc/acpi/battery/BAT0.

hdaps is the Hard Disk Active Protection System. The hdaps kernel module allows the accelerometer to be read, which has serious uses (parking the disk head) and frivolous ones (joystick, or gyroscopic display stabilisation). Note: one should not park the disk head too frequently, since it can cause unreliability. It should only be done if the laptop detects that it is falling. Anyway, the hardware is not present on the A22p.

External Disks (USB key, 1394, camera, compact flash reader) with udev

When a mass-storage device (most digital cameras, USB memory keys etc.) is plugged in, the kernel will recognise it and assign it a SCSI device, /dev/sdX. The individual partitions will be /dev/sdX1, /dev/sdX2 etc. The name of the device can be found in the kernel messages (dmesg). Then it can be mounted, usually with mount /dev/sda1 /mnt/tmp; files are transferred, and it is then unmounted.
Mandriva 2006 (KDE 3.5) will automatically pop up a dialog box, "Detected new device", when a new drive is plugged in, and give the option to open it in a new window. This is configured in kcontrol - System - Storage Media. Note: it is much better in KDE 3.5 than in 3.4.x. After this, the device will be mounted at some temporary mountpoint, and the permissions set up to allow the logged-in user full access. KDE allows drag-and-drop of files, so all is GUI happiness. In order to unmount the drive, visit system:/media (or just media:/) in konqueror, then right-click the Removable Device with the USB-key logo, and choose "Safely remove". Note: system:/ is a kioslave, and has only one slash. Or, look in /etc/fstab for an entry with the mount option managed.

However, I prefer to have some more control. I use ext2 on memory keys, and reiserfs on hard disks, not vfat, and I prefer my JPEGs non-executable. Also, it's faster to use the command line. This means manually mounting and unmounting the device. But which device, and which mountpoint? SCSI devices are assigned by the kernel in successive order. So, if a camera and a memory key are both inserted, there is no way to tell in advance which of them is /dev/sda and which is /dev/sdb. This means we can't specify the relevant options in /etc/fstab. The old way was a really ugly hack, but now we can use udev, and everything is wonderful.

Udev is a user-space device manager, which is responsible for creating and removing the entries in /dev as and when the devices exist. One of its great features is the ability to create symbolic links based on the system information for a device. So, we can have:

/dev/camerae300 -> /dev/sdX1
/dev/usbkey -> /dev/sdY1

The symlinks which we define are always created consistently, regardless of changes in the underlying device (X and Y). Then, we can reliably refer to the devices in /etc/fstab by their symlinks.

2 Writing and activating udev rules

A tutorial on writing udev rules is here. See also man udev. These are the stages:
Find the relevant device. For example, use dmesg to find it. In the case of USB storage, this would be /dev/sdX1 for the correct X.

Obtain the udev information on this device. Either find the entry in /sys, or use the entry in /dev. Use one of:

This will give several paragraphs; use the information from any one block. You can also narrow it down by using one more block, via the plural keys (e.g. KERNELS). We then create the udev rule, for example:

Here we have several key-value pairs. Those with == are comparisons, which must all be satisfied. The assignments with = are the operations. So, this rule means: if a new device is found on the USB bus, with manufacturer OLYMPUS and product E-300, and the kernel would want to assign it device /dev/sdX1, then create the entry in /dev which the kernel would already have picked, and also create the symlink /dev/camerae300.

Save the rule into the udev rules directory.

Now, make udevd aware of the new rule. For a recent kernel, using inotify, the rule will automatically be picked up: just unplug and replug the device. Alternatively, run udevtrigger or (less optimally) udevstart. If inotify is disabled, use udevcontrol reload_rules. Note: Mandriva 2006 doesn't have udevtrigger, nor a recent udevcontrol.

3 Some examples: USB storage devices (memory key, camera, ogg/mp3 player)

3.1 Olympus E-300 digital camera (mass-storage device)

Plug in the camera. Run dmesg to find the device (/dev/sdX1), and then obtain the udev information on it with udevinfo -a -p /sys/block/sda/sda1. Use the information in any one block to define the camera. This is my udev rule:

Make udevd aware of the new rule, then plug in the camera. When the camera is plugged in, /dev/camerae300 is automatically created.

Create the mountpoint (mkdir /mnt/e300) and add this to /etc/fstab:
Some of the mount options are interesting. pamconsole means that the device is always owned by the physically logged-in user, so I don't need to become root to mount and unmount it. ro is because the computer should never modify the camera's file system. noauto prevents the filesystem from being mounted at boot time. dmask and fmask create sensible default permissions for the files: FAT doesn't have permissions at all, so the defaults are 777, but photographs really shouldn't be marked as executable. Lastly, managed is not present: managed denotes that an fstab entry was automatically created, and can be automatically removed.

Now, I can just plug in the camera and mount /dev/camerae300 without even needing to be root.

Note that KDE will no longer pop up a dialog box. See below, or bug 126208.

3.2 iPod nano

The iPod nano, hugely enhanced by iPodLinux and/or Rockbox, is actually quite a decent player (Rockbox also supports Ogg Vorbis). The iPod is a USB mass-storage device, but the iTunes database used by the Apple firmware and iPodLinux must be accessed via gtkpod. Rockbox can use either ID3 tags (iTunes format, with tagcache) or a directory hierarchy for file access.

I have /dev/ipod and /mnt/ipod. The udev rule is:

3.3 USB memory key

Here is the udev rule for this:

and this entry in /etc/fstab:

NOTE: this is not mounted with sync. As a result, make sure never to unplug without unmounting. Since the key is ext2 and mountable by an unprivileged user, also check that nosuid and nodev are in effect for it (look at the mount in /proc/mounts), or add them explicitly: otherwise a setuid-root binary on a pocketable key is a local root escalation.

4 Gnome Volume Manager

Although we are running KDE, some of the GNOME subsystems are also running. This is a consequence of starting gnome-settings-daemon (above). Therefore, gnome-volume-manager is also running. By default, this will automount all removable media when they are plugged in. Personally, I'd rather control it by hand, so run gnome-volume-properties and uncheck all the options.

5 Firewire (1394) storage devices
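The rules and fstab lines for the camera, the iPod and the memory key are elided above. As an added example, not the author's files, here is a generator that derives a rule of the kind the text explains (match the USB manufacturer and product of the device chain and the partition name the kernel would pick, keep the kernel name, add the stable symlink) from the output of udevinfo -a -p, and the matching fstab entry with the options discussed. It assumes the 2006-era udevinfo block layout shown in the constructed sample, the udev 0.8x rule syntax (BUS, SYSFS{}, KERNEL, NAME, SYMLINK+=), and mask values of 022/133 for dmask/fmask, which the page names but does not give values for.

```sh
#!/bin/sh
# Added example (not the author's rules): derive a udev rule from
# `udevinfo -a -p` output, and the matching fstab line.
# Assumptions: the 2006-era udevinfo layout below (one "looking at" block
# per device in the chain, SYSFS{key}=="value" lines); udev ~0.8x rule
# syntax; dmask=022/fmask=133 as sensible values for the page's options.

# Constructed sample of udevinfo -a -p /sys/block/sda/sda1 for the camera.
udevinfo_sample() {
    cat <<'EOF'
  looking at device '/block/sda/sda1':
    KERNEL=="sda1"
    SUBSYSTEM=="block"
    SYSFS{dev}=="8:1"
    SYSFS{size}=="1015776"

  looking at device '/devices/pci0000:00/0000:00:07.2/usb1/1-1':
    BUS=="usb"
    ID=="1-1"
    SYSFS{bMaxPower}=="100mA"
    SYSFS{manufacturer}=="OLYMPUS"
    SYSFS{product}=="E-300"
    SYSFS{serial}=="000000001234"
EOF
}

# sysfs_attr KEY < udevinfo-output: value of the first SYSFS{KEY}=="..."
# line, with the padding the kernel leaves in vendor/model strings removed.
sysfs_attr() {
    sed -n "s/^[[:space:]]*SYSFS{$1}==\"\(.*\)\"$/\1/p" | head -n 1 | sed 's/[[:space:]]*$//'
}

# udev_rule LINKNAME < udevinfo-output
# Comparisons (==) must all hold; NAME keeps the kernel's choice and
# SYMLINK+= adds the stable name, as the page explains.
udev_rule() {
    in=$(cat)
    man=$(printf '%s\n' "$in" | sysfs_attr manufacturer)
    prod=$(printf '%s\n' "$in" | sysfs_attr product)
    if [ -z "$man" ] || [ -z "$prod" ]; then
        echo "udev_rule: no USB manufacturer/product in input" >&2
        return 1
    fi
    printf 'BUS=="usb", SYSFS{manufacturer}=="%s", SYSFS{product}=="%s", KERNEL=="sd?1", NAME="%%k", SYMLINK+="%s"\n' \
        "$man" "$prod" "$1"
}

# fstab_entry LINKNAME MOUNTPOINT FSTYPE [EXTRA_OPTS]
# pamconsole: the console user may mount it; noauto: not at boot.
# The masks only exist for FAT (no permission bits on the medium); an ext2
# key should get nosuid,nodev via EXTRA_OPTS instead, since it carries
# real mode bits and is mountable without root.
fstab_entry() {
    opts="pamconsole,noauto"
    case "$3" in
        vfat|msdos) opts="$opts,dmask=022,fmask=133" ;;
    esac
    [ -n "$4" ] && opts="$opts,$4"
    printf '/dev/%s %s %s %s 0 0\n' "$1" "$2" "$3" "$opts"
}
```

On the real machine: udevinfo -a -p /sys/block/sda/sda1 | udev_rule camerae300, then put the line in the udev rules directory and reload as described above; fstab_entry camerae300 /mnt/e300 vfat ro and fstab_entry usbkey /mnt/usbkey ext2 nosuid,nodev give the two fstab lines.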
I'm using a 20GB Evergreen Fireline Hotdrive firewire drive, with an Evergreen PCMCIA firewire card; the internals of the drive have been upgraded to 120GB. Everything just works, and in a very similar way to USB devices: 1. Hotplug the drive. 2. Check dmesg for the relevant SCSI disk. 3. Mount it. 4. Unmount it. 5. Unplug it.

It is no longer necessary to mess around with modprobe-ing and rmmod-ing sbp2, ohci1394 and ieee1394 every time. The disk can be formatted using diskdrake, or directly on /dev/sda1. Then, write a udev rule for it. For diagnostics, use gscanbus. It is also possible to use a DV camcorder as a 10 GB tape drive.

But remember: we deliberately broke firewire support back in the encryption section (a firewire device has DMA access to main memory, and so to the encryption keys held there). Un-break it only when needed, and break it again afterwards.

5 Compact Flash card reader

This is a SanDisk 6-in-1 USB reader, which I'm using for a 1 GB microdrive, or for SD cards. It just works. Use dmesg to discover which virtual SCSI device is the new one, then mount /dev/sdX1 /mnt/tmp. Or write a udev rule, if desired. Remember to unmount it before ejecting it, and that unmounting can take some considerable time if files need to be synced. Never remove the disk while it's mounted, or while the light is flashing: this can kernel-panic the laptop, or corrupt the filesystem.

It is best to leave the card as FAT16, for compatibility with digital cameras, and for use in re-flashing a Zaurus. This means no symlinks and no file permissions. However, CF cards can be formatted with ext2, or even reiserfs (with care: avoid frequent writes), and then used as silent replacements for IDE drives.

Printer, Scanner, Fax, Digital Camera
Having thrown away 3 Epsons in as many years, I purchased an HP Deskjet 5850. This is an excellent machine, and just works. Features: it's a network printer; it has a cancel-job button on the printer; it has a duplexer and auto-detection of paper type; it is reliable, fast, and uses good-value ink. Since each ink cartridge contains a new print head, the printer cannot suffer an uncloggable print head, which is what kills the Epsons if you don't print colour at least once a month.

1.1 Installation

Connect the printer to the LAN. Find the printer's default IP address. Configure eth0 temporarily to an IP in the same range. Log in to the web-based printer control panel, and set a sensible static IP address for it (or it can use DHCP).

Use the Mandriva Control Center to add the printer. It's a network printer on port 9100 (this is standard). Use the recommended ghostscript hpijs driver.

Bookmark the printer's web interface, to check ink levels.

Set CUPS not to look on the network for other printers, nor to broadcast this one. This is the Browsing Off setting in the CUPS server configuration.

Now, use KDE's excellent printer tool, kups (as root), to configure the printer settings. I created 6 different instances of the printer, for ease of use:

bwdraft - greyscale, fastest. Still very good. Default.
bwfine - greyscale, best quality.
bwdraftduplex, bwfineduplex - with duplexer.
colour - colour.
colourphoto - colour, photo paper.

1.2 Using the printer

From the GUI, it just works. Useful printing commands are:

kprinter, kups and xpp are GUI printing tools.
lp and lpr print files from the CLI. They can print at least pdf, ps, jpg and STDIN.
cancel cancels a print job; use with -a for all jobs.
lpq to see printer queue status.
lpstat -a to see printer status.
lpadmin -p printername -E to re-enable a printer which has decided to stop. Note: the order of arguments is important.

1.3 Troubleshooting

If CUPS takes ages to start, this is a manifestation of the Broken HAL Daemon problem below.

If you experience long delays, check /etc/hosts (see here).
Note: if a print job is cancelled at the GUI, it will usually finish printing the current page, and the next one. Use the cancel button on the printer instead.

The CUPS web interface is on the local CUPS port.

For further information, see the CUPS documentation.

1.3 Using PostScript

Unlike MS Windows, Linux speaks PostScript natively. It's out of the present scope, but look at:

Viewers: gv, kpdf, xpdf.
Editors: lyx (TeX) and openoffice (which has pdf export), xfig.
Printing: lp, lpr, kprinter.
Conversion: pdftotext, pdf2ps, ps2ps, ps2pdf, pstops, psselect, psnup, convert, a2ps etc.

The Canon CanoScan N670U (USB) works perfectly. Plug it in, and use Kooka for scanning. gocr is reasonably good for optical character recognition, provided that it is scanning only a single column of text; for newspaper articles, cut the scan into strips using the GIMP. xsane is also good for scanning, or the GIMP can scan directly.

It is possible to use the modem as a fax.

To send and receive faxes, install efax. Edit its configuration: set it to answer after a single ring, and to use /tmp for lockfiles. There is a GUI frontend, efax-gtk, and a CLI interface, fax.

To print directly to fax, use KDEPrintFax as a virtual printer.

Don't use ksendfax: it's redundant, obsolete, and it segfaults. Also, I don't recommend hylafax here: it's very sophisticated, but unnecessarily complicated for occasional use.

You can also use an excellent free email-to-fax gateway service. This is simple and reliable, but only supports outgoing faxes. A fax cover sheet is prepended, which may include an advert from the operator; bear in mind that the document transits a third party.

4 Digital Camera

My Olympus E-300 is a USB mass-storage device, and works perfectly. See above.

It is worth mentioning that some digital cameras (mainly expensive Canon cameras) are not USB mass-storage devices. These can be accessed by using gphoto2. gphoto2 also works with toy digital cameras such as the Nisis Quickpix QP3: use gphoto2 --auto-detect to identify it (as an Aiptek Pencam), then gphoto2 -P to download images.
There is a bewildering array of digital photography applications available on Linux. I personally like albumshaper and Gwenview. F-Spot, digiKam, gThumb, Eye of GNOME and qiv are also useful.

It is possible to extract RAW images and obtain better-quality post-processing by using dcraw. Hugin allows many photos to be combined seamlessly into a panorama. There's also some support for HDR (High Dynamic Range) images, formed by superimposing different exposures.

Most cameras (including the E-300) now have a gravity sensor built in, so they save the orientation inside the EXIF tags in the JPEG. The photo can be automatically and losslessly rotated, and the orientation tag reset, by using Gwenview (kipi-plugins), gThumb, or exifautotran. Unless this is done, different applications will display portrait photos in different orientations, since some ignore EXIF tags and some do not.

Image editing and compositing applications include the GIMP, OpenOffice Draw, Xfig and Inkscape. Sadly, the potentially very promising, but not yet finished, Xara Extreme project has effectively failed.

Mobile Phone: Samsung S300

I'm using the excellent Samsung S300 mobile phone. This can use IrDA, but the phone comes with a serial data cable (very nice). It is just a regular serial modem, so it's simply a case of plugging in the serial cable and setting the modem device to /dev/ttyS0 in kppp. The same things apply (kppp, shorewall) as with the internal modem.

A neat feature is that one can use extended AT commands to send and receive SMS messages. Here is a script to do this:

kppp is extremely useful here: it has a terminal for interfacing directly with the modem and typing AT commands. It's a lot easier to use than minicom. It's buried 4 levels deep, though: kppp - Configure - Modems - Edit/New - Modem - Terminal.

KDE configuration and GTK
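The SMS script is elided above. As an added example, not the author's script, here is the exchange with the standard GSM 07.05 AT commands (AT+CMGF=1 for text mode, AT+CMGS to send, AT+CMGL to list), over the serial modem device the page uses. It assumes the phone accepts text mode, a 9600 8N1 line setting, and Ctrl-Z (0x1A) as the message terminator, which the spec requires. The device path is overridable, so the command stream can be checked against an ordinary file; the number and body are validated before anything reaches the modem.

```sh
#!/bin/sh
# Added example, not the page's script: send and list SMS with the standard
# GSM 07.05 AT commands over the serial modem device the page uses.
# Assumptions: phone supports text mode (AT+CMGF=1); 9600 8N1 line settings;
# Ctrl-Z (0x1A) terminates the message body.

SMS_DEV="${SMS_DEV:-/dev/ttyS0}"

# modem_setup: raw line settings, only when the target is a real tty
# (the test points SMS_DEV at an ordinary file).
modem_setup() {
    if [ -c "$SMS_DEV" ]; then
        stty -F "$SMS_DEV" 9600 raw -echo cs8 -cstopb -parenb 2>/dev/null || true
    fi
}

# at_send CMD: AT commands are CR terminated. Appending (>>) behaves the
# same on a tty and keeps a file target intact for inspection.
at_send() {
    printf '%s\r' "$1" >> "$SMS_DEV"
}

# sms_number_ok NUMBER: digits with an optional leading +, nothing else, so
# a malformed or injected string never reaches the modem.
sms_number_ok() {
    case "$1" in
        +[0-9]*|[0-9]*) printf '%s' "$1" | grep -Eq '^\+?[0-9]{3,20}$' ;;
        *) return 1 ;;
    esac
}

# sms_send NUMBER TEXT: text mode, CMGS with the number, body, Ctrl-Z.
# CR/LF are stripped from the body so a line ending cannot terminate the
# message early or be parsed as a further command; 160 is the GSM-7 limit.
sms_send() {
    num="$1"; text=$(printf '%s' "$2" | tr -d '\r\n')
    sms_number_ok "$num" || { echo "sms_send: bad number '$num'" >&2; return 1; }
    [ "${#text}" -le 160 ] || { echo "sms_send: message over 160 chars" >&2; return 1; }
    modem_setup
    at_send 'AT+CMGF=1'
    at_send "AT+CMGS=\"$num\""
    printf '%s\032' "$text" >> "$SMS_DEV"
}

# sms_list: ask for every stored message. The phone answers with
# +CMGL: index,"REC READ","number",,"date" lines, each followed by the text;
# read the replies from the same device (cat "$SMS_DEV") in another terminal.
sms_list() {
    modem_setup
    at_send 'AT+CMGF=1'
    at_send 'AT+CMGL="ALL"'
}
```

Usage: sms_send +441234567890 'meet at 9'; the phone replies with +CMGS: n and OK, which kppp's terminal (see above) will show.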
1 KDE upgrade to 3.5

KDE 3.4.3, as installed, is somewhat old; KDE 3.5.2 is much nicer. There is an excellent tour of the latest KDE here, or a VMware image here. If you decide to upgrade KDE, the RPMs are available from SeerOfSouls. Note that these are third-party packages whose install scriptlets run as root: make sure urpmi is checking their signatures against the repository's key, and do not wave through a package it reports as unsigned.

Before starting, save a list of the currently installed packages (rpm -qa). You can revert to this if necessary.

Remove the KDE 3.5.1 urpmi source (if you have it), and then add the Seer of Souls KDE 3.5.2 repository (SoS-KDE-3.5.2) with urpmi.addmedia.

Warning 1: Bad Things will happen if you allow this upgrade to pull in upgrades to HAL and DBUS from the SoS 2006 repository. See below for more details.

Prevent k3b from being upgraded: add the k3b packages to the urpmi skip list.

It is not necessary, despite these instructions, to completely remove the existing KDE packages.

Download all the new KDE packages: urpmi --auto-select --test --force. Then, install the packages; if there are any error messages, make a note of them: urpmi --auto-select.

Log out, and restart X: service dm restart.

You may find at this point that KDM doesn't work, and you cannot log in to KDE. The KDM config file is no longer valid. I didn't experiment to find the exact root cause, but here is an ugly solution which worked:

Forcibly uninstall kdm: rpm -e --nodeps kdebase-kdm kdebase-kdm-config-file
Remove the kdmrc config files. This is /etc/kde/kdm/kdmrc; also remove anything RPM has helpfully left behind.
Re-install kdm and get a fresh, working config file: urpmi kdm
Re-customise KDM from kcontrol, if desired.

Some enlightenment might perhaps be found in /etc/kde/kdm/README.

The splash screen and kmenu side image still identify as KDE 3.4. Fix the splash screen by choosing another one from kcontrol - LookNFeel - Splash screen. Fix the menu side image: Mandriva have hard-coded the image path to the old image; copy the correct one over it.

2 Un-breaking HAL and DBUS (important)

2.1 Explanation
hal (haldaemon) and dbus (messagebus) are the daemons which notify userspace about hotplug events and other things. If you accidentally allowed urpmi to update them to the ones in the SoS-2006 or KDE 3.5.0 repository, bad things will happen. Certain applications will be very, very sluggish: the CUPS printer configuration and vlc will take about 25 seconds to start up, and anything using the GTK file picker (e.g. firefox) will appear to stall for 25 seconds before being able to save a file.

The reason is that the Mandriva 2006 applications were compiled against an earlier version of libhal/libdbus (as shipped with 2006), and so cannot correctly use the newer one. A quick test is to stop the messagebus and haldaemon services: if these timeouts go away, this is the cause of the problem. You can also use strace.

2.2 Solution

The packages concerned are the dbus and hal ones: rpm -qa | grep -E 'dbus|hal'. The incorrect packages are those with the SoS release suffix, and the desired ones are those ending in mdk. We need to downgrade the packages to earlier versions.

Remove the unwanted SoS packages with rpm; use --nodeps, or half the system will come away with them: rpm -e --nodeps

Download the Mandriva 2006 packages from the urpmi media source for main. Use lftp and the medium listed in your urpmi configuration; we need the 2006 dbus and hal packages. Then install them with urpmi.

Restart the daemons: service messagebus stop; service haldaemon restart; service messagebus start

Remove the offending urpmi source, or, if necessary, block any further updates with the urpmi skip list.

The SoS versions of K3b have dependencies on the SoS libhal/libdbus. So, uninstall them, and re-install Mandriva's packages for k3b (k3b, k3b-dvd, libk3b2). Then add those to the skip list too.

Run urpmi --auto-select to repair any damage done by the rpm --nodeps above (there shouldn't be any). To double-check: rpm -Va | grep dependencies

Consequence of the fix: KDE Storage Media will now claim "HAL backend: No support for HAL on this system". This doesn't seem to make much difference, though.
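Both the snapshot advice in the KDE upgrade section above (save rpm -qa so you can revert) and the by-hand check in this section (which dbus/hal packages are not Mandriva's) are easy to script. This is an added example, not from the page: a sorted snapshot before the upgrade, a diff afterwards showing exactly what a third-party repository pulled in, and a filter for packages whose release does not carry the mdk suffix. It assumes rpm -qa prints name-version-release lines and that Mandriva 2006 releases end in mdk, as the page says; the SoS suffix is elided on the page, so the constructed sample uses ".sos" as a stand-in.

```sh
#!/bin/sh
# Added example (not from the page): package snapshot/diff around a
# third-party upgrade, plus the "not ending in mdk" check for dbus/hal.
# Assumptions: rpm -qa prints name-version-release; Mandriva releases end in
# "mdk"; ".sos" below is a stand-in for the (elided) SoS release suffix.

# pkg_snapshot FILE: sorted rpm -qa. RPM_QA overrides the command (used by
# the test, which has no rpm database).
pkg_snapshot() {
    ${RPM_QA:-rpm -qa} | sort > "$1"
}

# pkg_diff BEFORE AFTER: "+pkg" for additions, "-pkg" for removals.
# comm needs sorted input, which pkg_snapshot guarantees.
pkg_diff() {
    comm -13 "$1" "$2" | sed 's/^/+/'
    comm -23 "$1" "$2" | sed 's/^/-/'
}

# pkg_release NVR: the release field, i.e. the part after the last '-'.
pkg_release() {
    printf '%s\n' "$1" | sed 's/.*-//'
}

# foreign_pkgs PATTERN [SUFFIX] < package-list
# Packages matching PATTERN whose release does not end in SUFFIX (default
# mdk): the ones the page says must be downgraded when run on 'dbus|hal'.
foreign_pkgs() {
    pat="$1"; suffix="${2:-mdk}"
    grep -E "$pat" | while IFS= read -r p; do
        case "$(pkg_release "$p")" in
            *"$suffix") ;;
            *) printf '%s\n' "$p" ;;
        esac
    done
}
```

Usage: pkg_snapshot /root/pkgs-before; after the upgrade, pkg_snapshot /root/pkgs-after; pkg_diff /root/pkgs-before /root/pkgs-after; rpm -qa | foreign_pkgs 'dbus|hal' lists what to remove with rpm -e --nodeps as described above.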
KDE is very configurable. Here are some of my settings for the KDE Control Center.

Accessibility

Keyboard Layout - Xkb Options: make CapsLock an additional Control.
Keyboard Shortcuts - Application shortcuts: set up the same bindings as Readline for Ctrl-A and Ctrl-E. Select All: no shortcut. Beginning of Line: Home and Ctrl-A. End of Line: End and Ctrl-E. Text Completion: no shortcut.

Component Chooser - Email Client: use a different email client.

File Associations: set up sensible bindings for multimedia, in order of preference:
mp3, m3u: Alsa Player, Xmms, amaroK, VLC media player.
mov, wmv: VLC media player, MPlayer.

Information

Protocols contains a list of the KDE ioslaves, e.g. fish or media.

Background: wallpapers as desired, the same for each desktop for best performance. Advanced: use a solid black colour behind text, OR enable shadow; 2 lines for icon text.
Behaviour: allow programs in the desktop window. This permits xearth etc. to run.
Colours: to taste. I prefer to have Title Blend darker than Title Bar, and Inactive Title Bar Blend different from Active Title Bar Blend.
Fonts: see the fonts section.
Icons: Conectiva Crystal - classic.
Launch feedback: disable busy cursor; enable taskbar notification for 5 seconds.
Multiple desktops: 4.
Panels: show RH hiding button, no animation. Menu: name and description, show side image. QuickStart menu items: show the 15 applications most recently used. Disable transparency, enable background image. Appearance - Advanced Options: hide applet handles, after you have arranged them as desired.
Screensaver: none; we are using xscreensaver instead.
Splash screen: default (the Galaxy one still says KDE 3.4).
Style: Keramik. Show icons on buttons. Disable animations. Toolbar text position: icons only.
System Notifications: change the most annoying sounds (KDE is starting up; A critical message is being shown).
Taskbar: group similar tasks: never. Appearance: Elegant.
Window Decorations: Keramik; don't draw grab bars below windows; add a custom title-bar button for "keep above others".
Peripherals

Mouse: single click to open files and folders (this isn't MS Windows). Theme: crystalcursors. Mouse wheel scrolls by 5 lines.

Power Control: see the section on ACPI.

Sound: see the section on sound for aRts, ALSA and MIDI.

KDE Performance: preload an instance of konqueror after KDE startup.

Login Manager: echo mode: 3 stars. Set wallpaper: "Spot the fish", with a blue (#21449c) background. Set font: Tahoma, without antialiasing. Convenience: preselect previous user, focus password (this shows the last username on the login screen; harmless on a single-user laptop, but not something to enable on a shared machine). If desired, disable the existing theme in System - KDM Theme Manager.

Storage Media: see below.

Paths: set the Documents path to /home/rjn. This is KDE's default location for saving and opening files; it is only coincidentally related to /home/rjn/Documents, i.e. KDE should always default to /home/rjn, but I use Documents for certain files (like the Windows My Documents folder).

Window behaviour: focus follows mouse. Titlebar double-click: maximise. Don't display content in moving/resizing windows (for performance). Don't animate minimise and restore. Don't allow moving and resizing of maximised windows. Transparency is fun, but very slow, and needs the Composite extension to be enabled in the X server configuration.

Web Browsing: see the web browser section.

3 KDE Storage Media

This is KDE's notification system for when you plug in removable devices. Actually, anything with a removable filesystem (CD-ROM, DVD, blank CD, USB key, digital camera) will create an event via dbus, which will cause something to happen, as defined here. This is a useful feature for beginners; personally, I'd rather use the command line and dmesg. Here is how to set it up.

Configuration is in kcontrol - System - Storage Media.

Inotify must be enabled (see above), otherwise kded will constantly poll the disks.

Devices which are dynamically created with udev rules (above), but which have permanent entries in /etc/fstab, will not trigger events.
Important: media will be automatically mounted, but will not be automatically unmounted. It isn't safe to just physically pull the device out. Physically removing a device with a mounted, writeable filesystem can crash the kernel; also, writes are asynchronous, so saved files may not have been actually written to the device until it has been synced. Remember to manually umount.

This is available with a GUI in konqueror: visit the URL media:/ or devices:/ to see mounted and unmounted filesystems/devices. To unmount, right-click - Safely Remove. Note: the URLs must be typed exactly, with only one slash.

The Gnome equivalent is Gnome Volume Manager, configured by gnome-volume-properties, and may also be running as a consequence of the GTK font workaround.

Actually defining the behaviour is quite complex, and there are not sufficient behaviours defined by default. Here is what I discovered by experiment.

The actions are defined by KDE servicemenus. These apply to konqueror generally. System-wide ones are in /usr/share/apps/konqueror/servicemenus, and user-specific ones are in the corresponding directory under the user's KDE settings.

For CD burning, we need to have the %U, or KDE Removable Media complains about "Bad URL". But we don't want it passed on, or k3b will complain. Workaround: use the command echo %U; k3b, so that the URL is consumed by echo rather than handed to k3b.

Added a DVD playback option: gmplayer is the most user-friendly. The command required is /usr/bin/gmplayer -quiet -fs dvd:// %U. Note: the %U is a bug; it is required to prevent an erroneous error message.

Hack to specify that CDs should be ripped in Grip, not kaudiocreator: edit the corresponding servicemenu, and change Exec=kaudiocreator %u to Exec=grip %u.

4 Other KDE settings, tweaks and tips

Wallpaper may be obtained from various sites, or via khotnewstuff. There are also some stunning (mainly commercial) wallpapers available. The background can also be set to a slideshow, or a background program. Great fun can be had by enabling blending (e.g. hue shift). Saved wallpapers live in KDE's wallpaper directory.
Icon-text background may be a solid colour, OR a drop shadow. This option is hidden in Background - Advanced Options. I recommend enabling 2 lines at about 130 columns for icon text.

Icons can be aligned to grid, and then locked in place (right-click desktop). Finally, as of KDE 3.5.0, the icons stop jumping around between logins. However, it is broken in 3.5.2 and not fixed until 3.5.4. Partial workaround: turn off Desktop Icons (right-click - Behaviour), then back on again. Or, while not running KDE, delete or edit the icon-position file.

Create shortcuts on the desktop for system:/ and media:/.

If desired, the KMenu icon (bottom left) can be reverted from the Mandriva star to the KDE default: edit the kicker config, find the section [KMenu] (add it if needed), and then add below it KmenuUseMdvIcon=false. Then restart kicker.

4.2 Directory structure

Mandriva already created a basic directory structure, some of which I don't like. Also, many of the icons on the desktop are special files, and do not represent directories or symlinks; this means that they don't play nicely with the CLI.

Firstly, remove the Mandriva weirdness. This is actually quite tricky; some (but not all) of it is described in the release notes.

Remove any superfluous icons from the Desktop. Then remove any unneeded files (including hidden files) from there.
Remove unwanted folders in /home/rjn: Mandriva create Video, Music and Download, all with corresponding desktop icons.
Get rid of the weird icon for Documents: remove the special file behind it, and its contents.
The release notes also suggest touching a marker file.
Fix the icons in the quick-launch panel of the KDE File-open dialog (see below).

Create a directory structure as desired. This is the one I use:

Actual directories:

Symbolic links for convenience (ln -s):

I also wrote a script to set this up.

Incidentally, it is worth setting KDE's Documents path (kcontrol - System - Paths) to be /home/rjn rather than /home/rjn/Documents. This is KDE's default location for saving and opening files.

4.3 Trash can (Wastebin)
As of KDE 3.4 (and unlike previous KDEs), the Desktop Trash icon is a special file, not the literal directory where the trash lives. It has also been renamed to Wastebin in the UK locale. It is accessed via the KDE trash:/ ioslave. The actual files live in.

You can still access it via the command line with kfmclient move <file> trash:/, but this is extremely slow. I wrote a bash script, cn, as a replacement for this. One should get into the habit of typing cn file(s)/directory(s) rather than rm -rf, since it avoids the potential for a slip of the fingers, followed by regret, and locating the backups.

4.4 KDE File-open dialog

The KDE file dialog is extremely versatile:

- It supports tab-completion.
- It remembers how large it is. Open the dialog, make the window most of the screen size, then close it. Voila: much easier to see files.
- It has inline preview.
- The sort order can be case-insensitive.
- Folders can be shown in a separate pane (persistent setting; F12 to toggle).
- Hidden files can be turned on/off (F8).
- The quick-access navigation panel on the left (F9) can contain frequently accessed directories; just right-click it to add them. These can be customised per application.

4.5 Klipper

Klipper, the KDE clipboard, is one of the killer features of KDE. It's the clipboard icon in the system tray, and gives you cut-and-paste history. Note that X-windows has 2 separate buffers for text:

- Select text, and it is automatically copied; middle-click to paste.
- Ctrl-C to copy; Ctrl-V to paste.

In nano, emacs, bash and pico there is also a 3rd kill-buffer, using Ctrl-K, Ctrl-U and Ctrl-Y.

These buffers are usually synchronised, but not necessarily. I set Klipper to have 40 entries in the history, to synchronise clipboard and selection, and to pop up the menu at the mouse position. The shortcut is Ctrl-Alt-V. Klipper can also store images, but the X clipboard mainly works with text. Graphical applications (Gimp, OODraw etc.) do their own thing, and use Ctrl-C, Ctrl-V.
Here are a few utilities which use dcop to drive klipper from the CLI: klippergetcontents (pipe the output of a command to the clipboard), klippersetcontents (print the contents of the clipboard), klipperreadfile (read a file into the clipboard). Alternative: install xclip.

4.6 Desktop Search: Kat, Beagle

Kat and Beagle are the desktop-search engines for KDE and GNOME respectively. They are both promising, but the versions supplied with Mandriva 2006 simply don't work. Kat, in particular, is a dreadful resource hog, yet it is started by default. To prevent kat from being launched automatically, touch the marker file. Better yet, uninstall it.

The later versions of Beagle look extremely promising, but the install process is complex. The current version of Kat (0.6.4) is still unusable. The alternative is to use locate, grep and find, together with descriptive filenames.

4.7 File associations and service menus

KDE's file associations are configured in kcontrol -> Components -> File Associations. This defines which application is launched when you click on a file. If several are listed (in order of preference), these are offered as options for Open With when you right-click the file. Embedding is also defined here, e.g. konqueror should open PDFs in a separate window.

KDE servicemenus allow you to define any action which goes in the context menu for a file type. This is extremely powerful. There are many available for download. Here is one I wrote to Eject/Unmount removable media.

4.8 KDE System monitor

The KDE system monitor, ktimemon, is really nice to have in the taskbar. It is in the kdeaddons package. Then right-click the taskbar and choose Add Applet -> System Monitor. For greatest usefulness, set up the colours as follows:

- CPU: Kernel dark green, User mid green, Nice pale green, IOWait yellow.
- Memory: Kernel dark blue, Used mid blue, Buffers light blue, Cached pale blue.

4.9 Other tips
Sessions: if you leave some KDE applications open when you log out, they will be restarted in the same state when you return. Configured in kcontrol -> Components -> Session Manager.

KDE startup and shutdown scripts: any scripts placed in the KDE Autostart and shutdown directories are run automatically on starting and exiting KDE. This is similar to the shell's own login scripts; note that the logout script is not run by default on exiting KDE.

IOSlaves: these are KDE resources which allow all applications to do some clever things. For example, you can edit a remote document directly, use fish:/ to drag-and-drop remote files, and use man:/ and info:/ to view documentation in konqueror. Some information is in kcontrol -> Information -> Protocols. There is also a KIOSlave FUSE module.

Keyboard shortcuts for kwrite: Alt-F and Alt-B can be bound to move forward/back one word, in kwrite Settings -> Configure Editor -> Shortcuts. Ctrl-A and Ctrl-E are defined globally (above).

Konqueror autoscroll: press Shift, then up/down arrow; Konqui will continue to scroll automatically.

Scripting KDE: there is a useful presentation on this.

Kstart: start a program with custom window options, e.g. window title, desktop number, skip-taskbar etc. See kstart --help for more.

Ksystraycmd: start a program and put its window into the system tray. See ksystraycmd --help for more.

Kommander: a way of doing graphical shell scripting with Qt. There is an introduction and a tutorial, and the Kommander homepage has some more information. Also try out the toy word processor.

Kdialog: a KDE dialog box to interact with scripts, like xdialog. E.g. kdialog --title "Fortune Cookie" --msgbox "$(fortune)".

Scripting X: see the article on this; also wmctrl and devilspie.

4.10 Show Desktop bug
Since KDE 3.4, the show-desktop button behaves in a most unintuitive way. It used to minimise all windows, then wait until you clicked it again, at which point it would restore them. Now, the desktop is exposed on the first click, but the windows automatically restore as soon as you have clicked one icon on the desktop. This is allegedly a feature, not a bug. However, I have written a workaround: a bash script which uses wmctrl and a hacked version of devilspie, together with xprop, in order to exactly replicate the old behaviour. Installation instructions are in the source.

5 GTK Configuration

GTK applications' fonts and colours are configured with the gnome-control-center.

- Font settings are configured with gnome-font-properties (see above).
- GTK-2 applications (e.g. firefox) are configured with gnome-theme-manager. I like the Galaxy2 or GrandCanyon themes.
- GTK-1 applications (xmms, mozilla) are configured from Menu -> System -> Configuration -> Other -> GTK Theme Switch (/usr/bin/switch), or by editing the GTK rc file. I prefer Eazel-Blue, to give easily visible scroll bars, but with kcontrol -> Colours set to "Apply colours to non-KDE applications", which makes it less dark grey.

Web browser (Mozilla, Firefox, Konqueror) configuration

1 Konqueror

Konqueror is an extremely featureful and versatile browser. Here are some configuration changes I prefer, mostly for similar behaviour to mozilla/firefox.

Settings -> Configure Konqueror:

- Web Behaviour: Tabbed Browsing -> Advanced Options: uncheck "Open new tab after current tab"; uncheck "Activate previously used tab when closing the current tab". Underline links.
- Java/Javascript: enable globally. Javascript -> open new windows: smart.
- Web Shortcuts: these are extremely helpful, and many are already defined. However, only a few (such as wp: and gg: for Wikipedia search and Google search) are active by default.
- Adblock Filters: enable these, and add the same list as for mozilla (below).
- Browser Identification: the user-agent can be spoofed as, for example, MSIE on NT5, on a per-site basis, if it is required to defeat stupid browser sniffing.
- Plugins: load plugins on demand only; CPU priority for plugins: lowest. No more flash except when I click to start it, and no CPU hogging either. Konqueror will automatically scan for mozilla plugins at startup, and incorporate them.
- Performance: preload an instance after KDE startup.

Settings -> Configure Shortcuts:

- Reload: Ctrl-R and F5.
- Homepage: Alt-Home and Ctrl-Home.
- Leave Ctrl-L as it is (Clear Location Bar, which also focuses the location bar).
- Line-editing shortcuts (Ctrl-A, Ctrl-E etc.) are already configured KDE-wide (above).

Konqueror has multiple profiles, e.g. File Management and Web Browsing. The home page is saved with the profile, so visit the home URL you want, then choose Settings -> Save View Profile -> Web Browsing. One can also add a Konqueror Profiles applet to the KDE panel.

When files are linked on the web, it's better to open them directly within konqueror rather than starting an external kwrite. Go to kcontrol -> Components -> File Associations, search for txt, and in the Embedding tab choose "Show file in embedded viewer", and uncheck "Ask whether to save to disk instead".

Konqueror's mailto handling is configured above.

2 Mozilla suite

Mozilla is the all-in-one Web/Email/Editor suite. It is the predecessor to Firefox/Thunderbird and has now been officially retired. However, it is still developed by the SeaMonkey project; there is a comparison, and a SeaMonkey review.

The advantage of separate programs is principally that they run in separate processes, and individually have (allegedly) smaller RAM requirements. They are also seeing very rapid development, and a vast number of extensions. However, the integrated suite is still easier to use, and better integrated.

Most of what follows about Firefox also applies to Mozilla. However, there are a few Mozilla- or SeaMonkey-specific details.
The latest version of the integrated suite can be downloaded from the SeaMonkey project. One particularly useful tip: use Ctrl-L to focus the Location bar, then type a query, then press up-arrow and Enter to search Google.

When opening URLs from another application, and Mozilla is already running, we don't want to start another instance, particularly if it would create another profile by accident. Multiple instances will fight over access to the profile, which is A Bad Thing, and results in lots of unwanted, unsynchronisable profiles. If you ever see the Profile Manager, quit and find the lock file; don't create a new profile. You cannot run more than one mozilla or firefox process at a time: to connect to an existing mozilla or firefox, use the mozilla -remote command. The default setup in Mandriva 2006 is usually smart enough to do this automatically.

Latest versions

Download the latest versions, if desired. Before installing them, back up your profile directory, and then install them. I recommend installation in directories such as $HOME/bin/mozilla.d/firefox-1.5.0.6, with a symlink from $HOME/bin/firefox, which is in your path. The advantage, besides simplicity, is that firefox can auto-update itself, since it has write access to its own binary. The flip side is that anything running as your user can then tamper with the browser binary, which a root-owned /usr/bin install would prevent; that is the trade-off for user-level auto-update. Then create a desktop shortcut to the symlink.

Don't do the stupid thing which I did during my early steps with Linux a few years ago.

Fix keyboard shortcuts

The default keyboard shortcuts for Mozilla and Firefox are the same as in readline/emacs/bash. Unfortunately, the Mandriva packages use the shortcuts defined by GTK, which match the far less useful defaults for MS Windows. To fix this, either:

- edit (or create, if needed) the GTK-2 rc file and add or change the key-theme line; or
- use gconf-editor and change the key desktop -> gnome -> interface -> gtk_key_theme from Default (MS Windows-like) to Emacs.

Restart the browser. These are the resulting behaviours; for more shortcuts, see the Mozilla/Firefox help.

Horizontal scrolling
Mozilla and Firefox have a bug (definitely not a feature) which means that, by default, the horizontal mouse-wheel scroll maps to back/forward. This is extremely annoying when you use emulated scroll, and are happily scrolling down the page, and accidentally move slightly sideways. Fortunately, it's easy to fix. Type about:config in the location bar, then filter on "horizontal", and change the relevant values. Of course, you can still use Alt+VerticalScroll, or Alt+Left/RightArrow, for back and forward.

Adblock, and preventing timeouts

Install Adblock (download it, and install by clicking the link in firefox), restart firefox, then install the Filterset.G Updater to install, and automatically update, a list of advertising servers to block. This is useful for 3 reasons:

- It makes web browsing faster and less cluttered.
- It removes the very anti-social animated flash advertisements, which hog a large amount of CPU, and continue to do so even in background tabs.
- It prevents the most common occurrence of the bug where the whole mozilla UI locks up for up to a minute: one cannot even close the tab or the window, nor will the window repaint. This seems to be caused by the server stalling mid-TCP-connection (usually the overloaded server is a 3rd-party ad server); netstat reports that the socket is sitting in CLOSE_WAIT. Wait 2 minutes, and mozilla will usually come back to life.

Alternatively, you can manually configure a list of advertising servers to block (I also block fastclick). Filterset.G provides a collaboratively edited, and rather long, list of filters. Use the Filterset.G Updater, or see the instructions: basically, retrieve the most recent filter file from the directory and then import it with Tools -> Adblock -> Preferences -> Adblock Options -> Import Filters. Of course, there is a risk that you might lose too much information from the web page this way. Note also that an auto-updating filter list is a feed you are trusting: whoever controls it decides which hosts your browser silently drops, so treat the updater like any other remotely fed configuration.

Custom keyword searches
It is extremely useful to define custom keyword searches. For example, just type wp: penguin into the location bar in order to search Wikipedia for penguins. There are several I find really useful. Note that the keyword must not contain a trailing space, but you must leave one between the keyword and the search term. I've chosen the same keywords as konqueror, but there is no other reason to have a colon.

To define a keyword for a bookmark, just fill in the Keyword field in the bookmark's properties. If the bookmarked URL contains a %s, this will be substituted by your search term. In Firefox 1.5, it is also possible to right-click on any search field and choose "Add Keyword for this Search". Cute. In Firefox 1.5, you can also click the search bar and add extra search engines, e.g. Wikipedia.

Preference tweaks (about:config)

A few other enhancements can be made. These are also applied in about:config, and usually take immediate effect (no need to restart).

By default, if you middle-click in the main browser window, mozilla will treat this as a paste and attempt to load the URL just selected. It's a neat feature, but can be terribly annoying if you want to open a link in a new tab but just don't quite hit it. Disable it, if desired. Network performance can also be improved by changing a few settings.

Creating a custom home page is also extremely useful. It keeps the most frequently used information close to hand, and doesn't slow down the browser startup time. You can also add file:// URLs (locally hosted ones, for web development), and local documentation (/usr/share/doc). Here is the page which I use; it may be a useful base. I have the browser home URL set to it.
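The three profile chores above (back it up before an upgrade, find the stale lock instead of creating a new profile, and set about:config preferences) can all be done from the shell. The following is an added example of mine, not a script from the page's author. It assumes the profile is the salted directory (e.g. ~/.mozilla/firefox/xxxxxxxx.default), that the lock is the symlink PROFILE/lock whose target is "IP:+PID" as Firefox creates it on Linux, and that the pref names are the Firefox 1.5 ones as I remember them (keyword.URL for the location-bar search, middlemouse.contentLoadURL, the two mousewheel.horizscroll.withnokey.* prefs, and network.protocol-handler.app.mailto for the mailto: handler); check each in about:config. The sample lock and profile in the usage are constructed.

```sh
#!/bin/sh
# Added example, not from the original page: Firefox profile chores from sh.
# PROFILE = salted profile dir, e.g. ~/.mozilla/firefox/xxxxxxxx.default.

# 1. Back up a profile as a dated tarball in DEST (default: $HOME).
backup_profile() {
    prof=$1; dest=${2:-$HOME}
    tar -C "$(dirname "$prof")" \
        -czf "$dest/$(basename "$prof")-$(date +%Y%m%d).tgz" "$(basename "$prof")"
}

# 2. If the Profile Manager appears, a stale lock is the usual cause. On Linux
# the lock is the symlink PROFILE/lock with target "IP:+PID" (assumed format).
# Prints "stale" if that PID is gone (safe to rm), "live" if it is still
# running (a browser really is open: use mozilla -remote instead), "none".
profile_lock_state() {
    lock=$1/lock
    [ -L "$lock" ] || { echo none; return 0; }
    pid=$(readlink "$lock" | sed 's/.*:+//')
    if [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null; then echo live; else echo stale; fi
}

# 3. Write prefs to user.js. Firefox reads user.js at every start and copies
# the values into prefs.js, so they survive later about:config fiddling.
# Pref names are my recollection for Firefox 1.5: verify in about:config.
write_user_js() {
    cat >> "$1/user.js" <<'EOF'
// keyword.URL: where a non-URL typed in the location bar is sent. Adware
// and "toolbars" love to hijack this; pin it to a plain Google search
// (not I'm Feeling Lucky) and glance at it in about:config now and then.
user_pref("keyword.URL", "http://www.google.com/search?q=");
// middle-click in the page no longer loads whatever is in the X selection
user_pref("middlemouse.contentLoadURL", false);
// horizontal wheel scrolls (0) instead of going back/forward (1)
user_pref("mousewheel.horizscroll.withnokey.action", 0);
user_pref("mousewheel.horizscroll.withnokey.sysnumlines", true);
// mailto: links run this program. A protocol handler executes whatever is
// named here, so point it at a binary only you can write, never a shared dir.
user_pref("network.protocol-handler.app.mailto", "/home/rjn/bin/thunderbird");
EOF
}

# Read a pref back out of user.js (first match), e.g. to confirm keyword.URL.
get_pref() {
    sed -n "s/^user_pref(\"$2\", *\(.*\));.*\$/\1/p" "$1/user.js" | head -n 1
}

# Usage: sh profile.sh ~/.mozilla/firefox/xxxxxxxx.default
if [ $# -gt 0 ]; then
    echo "lock: $(profile_lock_state "$1")"
    echo "keyword.URL: $(get_pref "$1" keyword.URL)"
fi
```

The lock check is the one to run before touching anything: "live" means another process genuinely owns the profile, and deleting the lock under it is how the "lots of unsynchronisable profiles" mess starts.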
Type-ahead find is another extremely useful feature. In any web page, just start typing letters, and the first link containing these letters will be highlighted. Start with / in order to search the whole page. F3 and Shift-F3 find the next and previous matches respectively. For example, type /penguin to find the first instance of the word penguin on this page. To enable it, go to Preferences -> Advanced -> General, and select "Begin finding when you begin typing".

In case you haven't yet discovered it, tabbed browsing is wonderful. Middle-click on any link to open it in the background in a new tab.

Firefox fonts can be optimised in Preferences -> Content -> Colours (see above). I also recommend setting the background colour to pale yellow rather than white, since it is easier on the eyes.

Unlike Mozilla, Firefox has separate search and location bars. If you enter a query in the location bar, you will get a Google "I'm feeling lucky" result by default. This isn't very helpful; it can be changed with a setting in about:config.

For more Firefox tips and tricks, see the linked pages; about:config is documented quite fully elsewhere.

There are lots of other extensions for firefox/thunderbird/mozilla/seamonkey. Unfortunately, these cannot be installed system-wide with urpmi, but have to be installed per version of firefox, and the browser must be restarted. There is a very useful guide to some selected extensions.

Extensions I am currently using:

- Adblock and Filterset.G Updater, as described above.
- Tab Mix Plus: allows drag-and-drop reordering of tabs, and many other features. It includes a session manager to recover from crashes, and allows tabs to be un-closed by right-clicking the tab bar. My configuration includes "prevent blank tabs when downloading files", "Don't show close icon on each tab" and "Middle-click on tab does not close it".
- Image Zoom: right-click an image, resize it.
- Web Developer Toolbar: very, very good. All sor of useful things, including local HTML validation, and editing the HTML/CSS of pages in the sidebar.
- Aardvark: a very clever way to see, and edit, the individual page elements. Good for printing.
- HTML Validator: validates locally, using Tidy.
- CustomizeGoogle: helpful tweaks for Google.

Update: Image Zoom functionality is now native to Firefox. Consider also Flashblock and the Facebook Disconnect hack.

Extensions I like, but am not currently using:

- UrlParams: nice, but it interferes with "Add Keyword for this Search".
- Session Saver: allows retrieval of the session after a crash, and un-closing of tabs. But this is duplicated by Tab Mix Plus.
- Colorful Tabs: assigns colours to tabs, making it easier to arrange them.
- StumbleUpon: serendipitously find other highly-rated websites.
- Firebug: another way to see javascript errors in web pages. Seems powerful, but I can't actually figure it out.
- View Formatted Source: Fx does view the whole page source anyway, but this has a very neat inline mode.
- HTML Validator: opens a new tab to validate the page with W3C's validator. Nice, but duplicated by Web Developer Toolbar.

Some tools which already exist on Linux, so no extension is needed:

- kruler: screen ruler in pixels.
- kcolorchooser: select HTML colours.
- check-link: check links.

4 Firefox integration with Thunderbird

To make Firefox and Thunderbird work together, see below.

5 Migration to/of Firefox

With luck, Firefox will offer to import existing settings from Mozilla with the wizard. However, if you need to migrate manually, or restore from backup, or move from a different computer, here's how to do it by hand.

- Download and install the latest Firefox.
- Move the existing profile directory out of the way. Then run firefox (which now has a clean configuration), install extensions and plugins, and set it up as desired. Close mozilla and firefox.
- Make a backup copy of the profile.
- The Mozilla and Firefox profile contents are described in detail elsewhere. The Mozilla profile resides somewhere like the .mozilla directory, and the Firefox profile resides somewhere like its own salted subdirectory.
- Copy bookmarks across, by copying the bookmarks file.
- Copy passwords across by copying the xxxxxxxx.s file across (and renaming it), together with its associated file.
- Copy cookies and history.
- Some more details are available elsewhere.

Sometimes the profiles break, and the salted directory is no longer where Moz/Fx expects to find it.

- For Firefox, simply edit the profile registry.
- For Mozilla, create a symlink (cd into the profile parent, then ln -s) so that Mozilla can find the actual profile by looking where it wants to look. This is necessary, since Mozilla stores absolute paths.

6 Lightweight browsers

For really fast GUI browsing, try dillo or links-graphic. These are much simpler browsers, but very, very fast.

For CLI browsing, try links or lynx. Links is tables-aware, and notices mouse clicks; navigate with the arrow keys, and press Esc for the menu. Also, use wget to download files, and note that less can view HTML.

7 Browser plugins

Except for Java (where the path to the executable must be specified), konqueror will scan for Mozilla/Firefox plugins at startup, and they will just work. These plugins are installed by default in the commercial Mandriva system, but must be installed by hand in the GPL version. A good test for plugins is the Plugger testing grounds. I do not recommend installing mozplugger.

Make sure Java is installed (see below). In Konqueror, just specify the path to the java executable; usually, this is just java. In Mozilla and Firefox:

- Create the mozilla plugins directory, if necessary (mkdir).
- Change into it (cd).
- Create a symlink to the correct java executable (ln -s).
- Restart the browser, then test it.

Adobe/Macromedia Flash is widely used on the web for animations, and misused for adverts. GNU are developing a free alternative, Gnash, but it isn't ready yet. To install: download it (note there won't be a version 8 for Linux; we have to wait for 8.5); untar; close browsers; run flashplayer-installer. Bear in mind that a browser plugin runs with your full user privileges and parses content from any site you visit, so keep it updated and prefer click-to-play (Flashblock, or Konqueror's load-on-demand setting above) to having it start on every page. To test, look at the CSS box model demo, or John Cleese's Institute for Backup Trauma.
To avoid much irritation with flash adverts, use adblock.

7.3 Real Audio

The Real Audio format can also be handled by mplayer and gxine, so it is not necessary to use the player from Real. However, if it is desired, see below for the installation. Then, register the plugin.

7.4 All other formats: Mplayer

The Mplayer plugin is excellent, and can play practically anything. Just install it, using urpmi mplayerplugin. If using Firefox in $HOME/bin and not the official RPM, it is also necessary to create symlinks into the browser's plugins directory:

- ln -s the Windows Media plugin (but this is sometimes unstable).
- ln -s the Quicktime plugin.
- ln -s the RealPlayer rtsp plugin (or use realplayer).

Sometimes (rarely) there is a file which mplayer cannot play. VLC is a good alternative, although I don't recommend installing the vlc-plugin.

Mail client (Mozilla, Thunderbird, Pine) configuration

1 Mozilla mail

The old Mozilla mail suite has worked extremely well for a long time. It is a shame to say goodbye, but the developers, and the bugfixes, are now mainly with Thunderbird. That said, SeaMonkey is still maintained.

2 Thunderbird

2.1 Installation

This is very similar to the firefox install. Back up the profile directories first. Install in $HOME/bin/mozilla.d/thunderbird-1.5.0.5, with a symlink from $HOME/bin/thunderbird, which is in your path. Note: Mandriva's thunderbird binary has the same name, so be careful with PATH. Putting $HOME/bin ahead of /usr/bin means that any binary dropped into $HOME/bin shadows the system one, so that directory must stay writable only by you.

Thunderbird's Import wizard is quite good; otherwise see Migration, below.

2.2 Thunderbird Setup

2.3 Thunderbird Extensions

2.4 Migration to/of Thunderbird

3 Other mail clients: KMail, Pine

Alternative GUI mail clients include the well-regarded KMail, and Evolution. On the CLI, pine is a delight to use.

4 Other e-mail tips

It's easy to move mail from one client to another: virtually all of them support mbox. For example, each message folder Foldername in Thunderbird has the following files: Foldername (the mbox itself), a message summary file (an index, which can be deleted), and a subdirectory for sub-folders.
Some clients use maildir too; this is more advanced, but requires efficient storage of small files.

To access Hotmail as if it were a POP server, use hotwayd.

Some mail clients can directly import from MS Outlook; however, this isn't so useful if Outlook isn't installed on the machine concerned. Instead, convert email from OE's mailbox file to an mbox file with oe2mbx. This uses liboe, which can be found in the archive. For Thunderbird, just move the file into the Mail subdirectory of the profile, renaming it without the extension. If a previous import attempt has failed, use Thunderbird's Remove Duplicate Messages extension to keep just one copy of each message.

TNEF (Transport Neutral Encapsulation Format) attachments, the winmail.dat files, are Microsoft's proprietary version of MIME. Many configurations of Outlook send attachments this way by default. There are more details in Thunderbird bug 77811. The solution is to download tnef; I use a script to unpack them.

For local mail using the mail program, and to receive email from daemons and cron jobs, use postfix (see below).

5 Firefox/Thunderbird and other integration

By default, Firefox and Thunderbird are not paired: clicking a mailto: link in Firefox invokes Evolution, not Thunderbird. This setting is defined in the Gnome control panel (despite the fact that we are using KDE), and there is no GUI pref for it in Firefox. A similar problem applies to Thunderbird. However, it's easily fixed, thanks to a Gentoo tip.

To make Firefox open mailto: links in Thunderbird: go to the URL about:config, right-click, and add a new string for the mailto protocol handler, naming the thunderbird binary.

To make Thunderbird open ftp URLs in Firefox: go to Edit -> Preferences -> Advanced and click the Config Editor button. Right-click, and add new strings for the protocol handlers.

For konqueror, use the script above.

5 Thunderbird

8 Migration from Mozilla suite to Firefox/Thunderbird

Non-free Software: Java, Flash, Realplayer
These are installed by default if you use any of the Club/Commercial media. However, the Free distribution doesn't include them, and so they must be downloaded and installed direct from their homepages.

For now, Sun's Java is the best one. Kaffe isn't ready, although GCJ is already very good. Note the Mandriva warning to avoid version 1.4.2_09. To install Java:

- Download Java from Sun. I recommend the JDK (Java Development Kit), which includes both the javac compiler and the JRE (runtime environment). Get the package called "J2SE(TM) Development Kit 5.0 Update 7", which is 45MB, and not the one with NetBeans, which is 140MB and doesn't install anyway. Download the Linux RPM in a self-extracting file.
- Sun's installation instructions are available. Check the download against the checksum Sun publishes before running it: the next step executes it as root.
- Then, as root: sh the self-extracting file, type yes, and urpmi the resulting RPM. It's now installed, but not in the path.
- Remove any old versions or links to /etc/alternatives: cd /usr/bin; rm java javac javadoc javah javap jar
- Create symlinks to the new versions: ln -s /usr/java/jdk1.5.0_07/bin/java, and likewise for the other tools. (Deleting the /etc/alternatives links means later package updates will no longer manage these names; update-alternatives --install would keep them managed, at the cost of a little more typing.)
- See above to install the browser plugin.

See above for installing the Flash plugin.

3 RealPlayer

RealPlayer 10 for Linux can be downloaded as a .bin from Real. Note that it doesn't use ALSA, but requires an exclusive lock on /dev/dsp (or use aoss). For the browser plugin, see above. To test realplayer, try the BBC Documentary Archive.

Alternatives to realplayer are mplayer and xine/gxine. To play real audio with xine/gxine, first install the real audio codecs: urpmi real-codecs. Then tell gxine where they are located: set the user interface mode to "expert", then go to File -> Preferences -> Codecs -> Path to RealPlayer codecs. The path should be /usr/lib/real. Then, from Firefox, you can just click on a link. Otherwise, gxine gives the error message "cannot find" the codec.

To play the file with mplayer, you have to know which type it is:

- A playlist file is a real audio playlist, like an m3u. It is a short text file containing one or more URLs of a stream. With mplayer, look inside the file, or use -playlist.
- An rtsp:// URL is the real audio stream. It may also specify a start position. This can be opened directly in mplayer; I recommend -cache 100 for improved startup speed.

I have written some simple scripts which may be of use: one plays a stream, and one saves it to ogg.

Acrobat Reader can be installed from Adobe. However, it is totally unnecessary, and not always stable. Alternatives are kpdf (most full-featured), gv (fastest) and xpdf (most reliable on all files, even those which cause errors for gv). From the command line, use pdftotext | less, or pdftops.

Ugh. Just don't do it. Use SIP instead; I wrote a VoIP howto.

6 Nvidia driver

An aside for desktop systems: the nVidia driver can be downloaded from nVidia. It works quite well, although it is annoying to have to reinstall it for every kernel. Note that, on rebooting into a new kernel, Mandriva will helpfully break your X configuration, and you have to fix that too.

SSH: Secure shell, keys

SSH is absolutely wonderful. It does all sorts of clever things: encrypted remote logins; passwordless logins with public-key cryptography; file transfers (scp); X11 forwarding; VNC tunnelling; port forwarding of any TCP protocol.

1 Installation

Installation is simple: urpmi openssh-clients openssh-askpass-gnome openssh-server sshd-monitor keychain. Check that the service is on with chkconfig --list sshd. The default configuration is good, but can be altered in /etc/ssh if desired. It is important to stay current with the security updates on the Mandriva security announcement mailing list.

Check that only SSH protocol 2 is enabled, and prevent direct logins as root (with root logins allowed, an attacker already knows a valid username and only has to guess the password; with them disabled, he has to guess the username too). Change the following lines if necessary in /etc/ssh/sshd_config, and run sshd -t to syntax-check the file before restarting the service.
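The two sshd_config checks above are easy to get wrong in one particular way: sshd takes the first value it finds for each keyword, so appending "PermitRootLogin no" to a file that already says "PermitRootLogin yes" further up changes nothing, and the audit has to resolve directives the same way. The following is an added example of mine, not something from the page's author: a POSIX-shell audit that mimics sshd's parsing (case-insensitive keywords, "Key value" or "Key=value", first occurrence wins, stop at a Match block), flags the two settings the text asks for (plus PasswordAuthentication, which I would turn off once key logins work), and writes a hardened copy with the fixed lines placed first. The directive names Protocol and PermitRootLogin are the standard sshd_config keywords; the sample config in the usage is constructed.

```sh
#!/bin/sh
# Added example: audit and harden an sshd_config the way sshd reads it.
# POSIX sh + awk only. Not from the original page.

# Print the value in effect for KEYWORD ($2) in FILE ($1). sshd semantics:
# keywords are case-insensitive, "Key value" and "Key=value" both work,
# comments and blank lines are skipped, the FIRST occurrence wins, and a
# Match block ends the global section, so we stop there.
sshd_effective() {
    awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/^[ \t]+/, ""); sub(/[ \t]*=[ \t]*/, " ") }
        /^#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == kw { print $2; exit }
    ' "$1"
}

# Report the settings the text asks for. Returns 1 if either is wrong.
audit_sshd_config() {
    cfg=$1; rc=0
    proto=$(sshd_effective "$cfg" Protocol)
    [ "$proto" = "2" ] || { echo "Protocol is '${proto:-unset}', want 2"; rc=1; }
    root=$(sshd_effective "$cfg" PermitRootLogin)
    [ "$root" = "no" ] || { echo "PermitRootLogin is '${root:-unset}' (sshd default is yes), want no"; rc=1; }
    pw=$(sshd_effective "$cfg" PasswordAuthentication)
    [ "$pw" = "no" ] || echo "note: PasswordAuthentication is '${pw:-unset}'; set it to no once key logins work"
    return $rc
}

# Write OUT ($2) from IN ($1) with the hardened lines first (so they win) and
# every pre-existing line for those keywords commented out rather than left
# silently shadowed. Review OUT, copy it over /etc/ssh/sshd_config, run
# "sshd -t", then restart the service.
harden_sshd_config() {
    in=$1; out=$2
    {
        echo "# hardened settings placed first: sshd honours the first occurrence"
        echo "Protocol 2"
        echo "PermitRootLogin no"
        awk '
            { l = $0; sub(/^[ \t]+/, "", l); sub(/[ \t]*=[ \t]*/, " ", l)
              split(l, f, /[ \t]+/); k = tolower(f[1]) }
            k == "protocol" || k == "permitrootlogin" { print "#" $0 "   # superseded above"; next }
            { print }
        ' "$in"
    } > "$out"
}

# Usage: sh sshd_audit.sh /etc/ssh/sshd_config [hardened-output-file]
if [ $# -gt 0 ]; then
    audit_sshd_config "$1"
    [ $# -gt 1 ] && harden_sshd_config "$1" "$2"
fi
```

Running the audit against the distribution's shipped file is the quickest way to see whether "Protocol 2,1" or a commented-out "#PermitRootLogin yes" (which leaves the default of yes in force) is what you actually have.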
Remote logins are now easy, and secure. Consider a local user tux sitting at machine iceberg who wants to log in with the same username (tux) on host antarctica. Sitting at iceberg, tux should simply type ssh antarctica. Hostnames should be fully qualified if necessary; the remote username may be omitted if it is the same as the local one. SSH connections can be nested.

To copy the herring directory from iceberg to antarctica, use scp: scp -r /home/tux/herring antarctica: (note that the final colon is required).

The tab name in konsole can include the hostname (see above).

SSH keys are wonderful. Not only do they save entering your password repeatedly, but they increase security, since your password is never exposed to the remote machine.

Firstly, create a public/private key pair. Generate the keys using ssh-keygen -t rsa. Do set a passphrase. This creates a public/private key pair in ~/.ssh: the private key is id_rsa and the public key is id_rsa.pub. Do not distribute your private key.

Keys should always have a passphrase, unless you really trust the machine holding the private key not to get compromised or stolen. Furthermore, any machine which is running ssh-agent can have its decrypted keys easily used by root; this may then grant access to lots of other hosts too. Running ssh-agent on only one machine is preferred (see below).

Then, any machine which has a copy of the public key will allow passwordless login from any machine containing the private key. Do this by appending the public key (id_rsa.pub on iceberg) to the list of authorized keys (authorized_keys on antarctica). If necessary, create the directory and append to an empty file. On older versions of sshd, the authorized_keys file has a different name. The directory ~/.ssh must have permissions of 700, and your home directory must have permissions at least as restrictive as 755 (sshd's StrictModes, on by default, silently ignores the key otherwise, and you get an unexplained password prompt).

Now, we need to make sure that the key is authorised. This uses ssh-agent and keychain to prompt the user, at the first login after booting, for the passphrase. To set this up, run keychain once as the user; it will then be configured to automatically load ssh and GPG keys at every future login. keychain will prompt for the passphrase (if there is one) using ssh-askpass, immediately after the login screen. The authorised key will now persist until ssh-agent exits, i.e. probably until the machine is rebooted.

At login, only the keys with the default names (identity, id_rsa, id_dsa) will be automatically imported into the keychain. This is controlled by the variable KEYS in the keychain config file. If you have extra keys, these must be added manually with a keychain line in your login script.

You now have to enter your passphrase only once each time you boot the system, and that is it. Extremely easy remote access. For convenience, set up some aliases in your shell rc file, e.g. an alias sshantarctica for the ssh command.

Should it ever be necessary to restart keychain, kill the agent and run keychain again.

Scripts run from cron cannot take advantage of the above, because they do not have KEYCHAIN_FILE exported into their environment. To run, for example, a nightly remote backup over ssh:

- The backup script must source the relevant keychain file.
- ssh-agent must be running; this means that the user must have logged in at least once since boot, and typed the passphrase. The user need not still be logged in.

Neither of these is necessary if the ssh key pair has no passphrase.

The IBM developerWorks page on keychain is very helpful, but note that it refers to a different file name from the one Mandriva uses. See also keychain --help, and note the option keychain --clear, which drops all keys from the agent at each login (so a session left open on a stolen or shared machine cannot keep using them, at the cost of re-entering the passphrase each time you log in).

3 Copying files

To copy a single file, or a directory, use scp. This is the simplest way, but it does copy file permissions, and it always converts symlinks to real files. E.g.
- scp somefile antarctica: copies the file (in the current directory on iceberg) to tux's home directory on antarctica. Note the colon.
- scp -r /home/tux/worlddomination puppy@antarctica:secrets recursively copies tux's worlddomination directory into dust-puppy's secrets directory on antarctica.

A better way is to use rsync, which has a huge number of options. In particular, it can synchronise directories without needing to transfer redundant information; also, it can preserve special files (e.g. symlinks), which scp does not. Note: if the source is a directory, the presence or absence of a trailing slash makes a difference. E.g.

- rsync -avzS -e ssh pebbles antarctica:nest copies tux's pebbles directory on iceberg into the nest directory on antarctica, resulting in /home/tux/nest/pebbles/rock12345.o
- rsync -avzS -e ssh pebbles/ antarctica:nest copies the contents of the pebbles directory on iceberg into the nest directory on antarctica, resulting in /home/tux/nest/rock12345.o

Alternatively, you can use ssh as a network-transparent pipe. E.g. cat somefile | ssh tux@antarctica 'cat > somefile': the first cat's stdout is piped to the second cat's stdin.

You can also use bash tab-completion of paths on the remote host with scp/rsync. To do this, you must have passwordless ssh access to that system, and enable scp tab-completion with COMP_SCP_REMOTE: put COMP_SCP_REMOTE=true in your bash rc file.

4 Nested SSH connections: SSH ProxyCommand or AgentForwarding

Consider a firewall called ocean which stands between iceberg and antarctica. Antarctica is on a private network, visible only to ocean. Both machines run sshd, and have tux's public key. Tux wishes to ssh into antarctica. The easiest way is to first ssh into ocean, and thence to ssh into antarctica. But the second connection will require him to type his password, despite having an authorised key: the private key is on iceberg, and the second connection is made from ocean, which does not have it.

4.1 SSH ProxyCommand

This is the recommended, and safest, method. It also supports single-step scp. We use ProxyCommand with netcat; it is explained in detail elsewhere.
In summary, we must create a netcat-proxy script on iceberg (for simplicity), and then add this to our . Alternatively, to avoid creating the netcat proxy command on the firewall, just use this entry in .

Also, ensure that nc is installed on the firewall, ocean. There are 2 variants of netcat, netcat-traditional and netcat-openbsd, which interpret the -w option differently. In both cases, -w is a timeout period, but for netcat-traditional this only applies to connections and EOFs, whereas for netcat-openbsd it also (unhelpfully) includes stdin. Ensure that the former is the one installed on ocean, not the latter; otherwise, SSH will terminate within about 1 second, with "Write failed: broken pipe". If both versions are installed, then /etc/alternatives switches nc from one to the other, or you can explicitly use .

Using ProxyCommand, we can do the following:

SSH directly to antarctica, as though it were on the local network: tux@iceberg$ ssh antarctica

Use SCP: tux@iceberg$ scp antarctica

Use VNC over ssh and a proxy: tux@iceberg$ vncviewer -via antarctica localhost:0

4.2 SSH Agent Forwarding

BIG FAT WARNING: SSH agent forwarding exposes your ssh-agent to hijacking unless you completely trust root on the intermediate machine. ProxyCommand is a much better alternative. See also the ForwardAgent setting in man ssh_config.

The simplest solution is to enable ssh-agent forwarding on iceberg. Antarctica then authenticates ocean by asking iceberg for the credentials. So ssh-agent forwarding both slightly improves security (ssh-agent only runs on the most trusted machine), and improves convenience by eliminating the need to type a password the second time.

Don't actually do this! To enable agent forwarding, append these lines to either /etc/ssh/ssh_config or .

Using AgentForwarding, we can do the following:

In two stages, do tux@iceberg$ ssh ocean, and then run tux@ocean$ ssh antarctica, without needing a password on either occasion.

In a single leap, you can do tux@iceberg$
ssh -t ocean ssh antarctica. The first -t is needed to force it to allocate a pseudo-tty.

The networked-pipe equivalent is cat | ssh tux@ocean ssh antarctica cat.

5 Advanced uses

There is even more magic that can be done. It really helps to have passwordless key-based logins for this.

5.1 Direct X forwarding

SSH to antarctica, and launch a GUI application such as xclock. Magically, it appears on iceberg, on your own display. If this does not work, invoke ssh with -X. X11 forwarding can be turned on always, by adding ForwardX11 yes into your .

Security considerations

When forwarding X11, you are essentially connecting your screen, mouse and keyboard to the other machine. That machine will now have access to your X display, including being able to run a keylogger. In general, don't use X forwarding unless you trust the other machine.

ForwardX11 (ssh -X) uses the X-server security extension to prevent untrusted machines from accessing parts of your X display that they should not. This is relatively safe, but some older GUI applications will not work.

ForwardX11Trusted (ssh -Y) implicitly trusts the other machine. This is potentially unsafe. Remember: a trusted machine is one that can break your security policy.

5.2 VNC over SSH

Either use vncserver to start a new X-session, or x11vnc to connect to an existing one.

ssh into antarctica and run either vncserver or x11vnc -localhost -display :0, as appropriate. For more on vncserver, see below.

Start the vnc viewer (tightvnc), using the -via option for an ssh tunnel: vncviewer -via tux@antarctica localhost:DISPLAYNUM, where DISPLAYNUM is 0 for x11vnc, and is the number quoted to you by vncserver.

Exit the viewer. If using x11vnc, the server will exit, leaving the X-session running as before. If using vncserver, it will continue to run until closed with vncserver -kill :DISPLAYNUM.
Note that, if ProxyCommand is configured, you can have multi-step -via: useful if there is an intervening firewall as well as a firewall on the target machine.

5.3 Xpra: screen for X

Direct X forwarding is convenient (just ssh in and launch the desired program, and it appears on your display like any other window), but it only really works over a 100M LAN; it can be almost unusable over broadband. VNC is much more responsive, but is more awkward to set up; it forwards the entire desktop, rather than just specific windows. Nomachine NX solves this, but is difficult to get working. The answer is Xpra, which has all the simplicity and integration of rootless X forwarding, and is almost as responsive as VNC. An extra benefit is the way it acts like screen, i.e. you can detach from it and reconnect later.

Simple instructions are given on the Xpra website:

SSH into the server, and run the command xpra start :100 --start-child xterm

From the local machine, run xpra attach ssh:serverhostname:100 --encoding png

Xpra also starts a panel applet in the systray, which allows configuration and includes a nifty bandwidth-monitor graph.

Note that the default encoding, H.264, is really a video codec. For text editors (e.g. kwrite), it's much more responsive to use one of the PNG encodings or Raw RGB Zlib.

5.4 GUI Drag'n'Drop

Konqueror uses the fish ioslave to allow remote access via the GUI, and drag-and-drop. Just type this as the URL: fish://tux@antarctica/home/tux/nest. Note that there is no colon before the path; the syntax is web-like, rather than rsync-like. sftp:// is similar, but not supported by all ssh servers.

5.5 Port Forwarding over SSH (-L)

As above, we have a firewall called ocean, which stands between iceberg and antarctica. Tux wishes to talk to a web server (port 80) on antarctica, but antarctica is on a private network, visible only to ocean.
Tux connects to ocean thus: ssh -L 8888:antarctica:80 tux@ocean. In addition to the normal ssh connection, ssh opens a tunnel. The far end of the tunnel connects from ocean to antarctica on port 80. The near end is port 8888 on localhost (iceberg).

Tux can now browse the remote webserver by connecting to .

We could run the command ssh -C -f -L 8888:antarctica:80 tux@ocean sleep 20 instead. This compresses the data (-C), and causes the connection to fork into the background and disconnect if nothing subsequently happens for 20 seconds (-f sleep 20). Use the -g (GatewayPorts) option to make local port 8888 listen on other interfaces; by default, only local users on iceberg may use the tunnel.

A real-world example: obtaining secure access to the Cambridge network from elsewhere, tunneled via the SRCF. We want to use the server for (because we don't necessarily trust the wireless provider), we want to send outgoing SMTP mail through (because we are permitted to use this one), and we can just use POP as normal, via TLS. First, set up the two ssh tunnels: ssh -L . Then, set konqueror/firefox to use the web proxy localhost:8080, set thunderbird to have this default outgoing mail server (SMTP): localhost:8025, and just use POP (incoming mail) via a secure connection (TLS) as normal, which doesn't require an extra encrypted tunnel.

5.6 Reverse Port Forwarding over SSH (-R)

In this example, tux, sitting at antarctica, wishes to remotely help polar-bear with a Linux install on a new machine, iceberg. However, iceberg is located on a dynamic IP behind an unhelpfully configured router/firewall, and so there is no way to get in remotely. But polar-bear can connect to antarctica. Here's how to do it.
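The point about -g / GatewayPorts above (a forwarded port listens on loopback only, unless you ask otherwise) is easy to get wrong when specs pile up. As an added example, not part of the original page, here is a parser for the forwarding specs ssh accepts with -L, -R and -D that reports which listeners other machines could reach. It generalises beyond the -L case above to the -R and -D shapes documented in ssh(1); the specs in main are the page's own. Assumptions: no bracketed IPv6 bind addresses, and the second argument says whether GatewayPorts is yes on the side that listens (the client for -L/-D, the server for -R).

```shell
#!/bin/sh
# Added example: which ssh port forwards are reachable from the network?
#   -L/-R  [bind_address:]port:host:hostport
#   -D     [bind_address:]port
# Assumption: no IPv6 addresses in brackets; a 2-field spec is -D bind:port.

# Split a spec into "bind port host hostport" (host/hostport empty for -D).
# A missing bind address means "localhost".  Returns 1 if the shape is wrong.
parse_forward() {
    spec=$1
    n=$(printf '%s' "$spec" | awk -F: '{print NF}')
    case $n in
        1) printf 'localhost %s\n' "$spec" ;;
        2) printf '%s %s\n' "${spec%%:*}" "${spec#*:}" ;;
        3) printf 'localhost %s\n' "$(printf '%s' "$spec" | tr : ' ')" ;;
        4) printf '%s\n' "$(printf '%s' "$spec" | tr : ' ')" ;;
        *) return 1 ;;
    esac
}

# Effective bind address of the listening end.  An explicit address wins;
# otherwise GatewayPorts=yes (second arg) means all interfaces ("*"),
# else loopback only.
listen_addr() {
    fields=$(parse_forward "$1") || return 1
    bind=${fields%% *}
    if [ "$bind" = localhost ] && [ "${2:-no}" = yes ]; then
        bind='*'
    fi
    printf '%s\n' "$bind"
}

# 0 if a listener on this spec accepts connections from other hosts.
is_exposed() {
    addr=$(listen_addr "$1" "${2:-no}") || return 2
    case $addr in
        localhost|127.0.0.1|::1) return 1 ;;
        *) return 0 ;;
    esac
}

# Print one audit line per "flag spec" pair given on stdin.
audit_forwards() {
    gw=${1:-no}
    while read -r flag spec; do
        [ -n "$spec" ] || continue
        if is_exposed "$spec" "$gw"; then verdict=EXPOSED; else verdict=local-only; fi
        printf '%-3s %-28s listens on %-10s %s\n' "$flag" "$spec" \
            "$(listen_addr "$spec" "$gw")" "$verdict"
    done
}

main() {
    # The page's own specs, as constructed input.
    printf '%s\n' \
        '-L 8888:antarctica:80' \
        '-R 8022:localhost:22' \
        '-D 1080' \
        '-L 5900:localhost:5900' \
        '-L 0.0.0.0:8888:antarctica:80' | audit_forwards no
    echo "--- same, with -g / GatewayPorts yes ---"
    printf '%s\n' '-L 8888:antarctica:80' '-D 127.0.0.1:1080' | audit_forwards yes
}

main
```

An explicit loopback bind address (127.0.0.1:1080) stays private even with -g, which is the safe way to write a spec that must never be reachable by others.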
Polar-bear makes an outbound ssh connection to antarctica thus: ssh -C -R 8022:localhost:22 polar-bear@antarctica. Antarctica will now accept local connections to port 8022, and will tunnel those connections back to the ssh server on iceberg's port 22. Tux can now connect to iceberg by doing ssh -p 8022 -o UserKnownHostsFile=/dev/null localhost. Then, for example, tux might run x11vnc in order to assist polar-bear.

In this example, the -C is for compression, and the -o UserKnownHostsFile=/dev/null is to stop ssh complaining about the key fingerprint not matching for localhost. Note that, by default, the port 8022 opened on antarctica will only accept local connections, from another user sitting at antarctica.

A real-world example, with the same usernames: tux@antarctica (which is publicly accessible), and polar-bear@iceberg (which can only make outgoing connections). First, tux must create a temporary account on antarctica for polar-bear to log in. Then, polar-bear, sitting at iceberg, uses this to connect to antarctica, opening a reverse tunnel: ssh -C -R 8022:localhost:22 antarctica. Then, tux at antarctica connects via the tunnel to iceberg: ssh -p 8022 polar-bear@localhost -o UserKnownHostsFile=/dev/null. At this point, he starts up x11vnc: x11vnc -display :0, which runs on iceberg's port 5900. Then, tux at antarctica creates a forwarded tunnel on port 5900 to iceberg's 5900: ssh -L 5900:localhost:5900 polar-bear@localhost -p 8022 -o UserKnownHostsFile=/dev/null. Tux can now start the vncviewer, to connect through this tunnel, and control iceberg: vncviewer -encodings "copyrect tight" -compresslevel 7 -quality 6 -bgr233 localhost:5900. Notes: TCP tunneled within TCP is technically bad, but usually works OK. We specify vnc-encodings manually, since vncviewer doesn't know that localhost isn't actually local. This is even easier with ssh-keys.

5.7 Dynamic Port Forwarding: Web browsing with SOCKS
Normally, port forwarding only works for a specific server. But ssh -D sets up dynamic forwarding, using the SOCKS v5 protocol, which allows the ssh proxy to relay web-browsing. To do this:

Configure Firefox to use a SOCKS v5 proxy. In the network preferences, choose Manual Proxy Configuration, then SOCKS Host: localhost, port 1080, and SOCKS v5. Also ensure that Firefox sends DNS requests through the proxy: in about:config, set to true.

Finally, set up the ssh tunnel, with -D. The autossh program is useful: it can reconnect automatically when the tunnel is closed.

Here is an example. Consider that Tux has gone to a conference in Norway, taking his laptop. He wants to tunnel all traffic through his home machine, antarctica. So, he runs autossh -D 1080 -L 8025:localhost:25 antarctica. This gives him a shell on antarctica, proxies his firefox web browsing (and DNS), and allows him to send outbound mail too. Who needs a VPN?

5.8 UDP over SSH

You can tunnel UDP packets over ssh, using netcat. Here is how: .

5.9 SSH (or fish) over SSH

This is a special case of the port-forwarding above. SSH can be tunnelled within ssh (although ssh ProxyCommand is better); more usefully, fish can be tunneled for file-transfer. In principle, tunneling TCP within TCP is a bad idea (duplicated error correction will multiply-up network errors), but in practice it works fine over a decent network.

5.10 SFTP (SSH File Transfer Protocol), with a Chroot

Natively, SFTP just works, when connecting either with the commandline sftp application, or a GUI such as FireFTP. It works like normal FTP. However, that gives the sftp-user the same access as an ssh-user. Sometimes it's useful to have a much more restricted setting, allowing access only to a particular directory. Here's how.

Based on this: enabling chrooted SFTP on a webserver.
Create a dedicated sftp user; let's call him puffin. Then create a chroot within the home directory (this and everything above must be owned by root), and a files directory he can use:

useradd puffin
mkdir -p /home/puffin/chroot/files
chown -R root /home/puffin
chown puffin /home/puffin/chroot/files

For safety, disable normal logins by changing the shell to nologin. This will politely decline an SSH request, even when sftp is disabled: usermod -s /usr/sbin/nologin puffin

We could consider just using SFTP only, without a chroot, but this would then grant read access to the entire filesystem. If this is what you wanted: usermod -s /usr/lib/openssh/sftp-server puffin (careful!).

Otherwise, edit /etc/ssh/sshd_config: comment out the line Subsystem sftp /usr/lib/openssh/sftp-server and add the following: .

Restart sshd: service ssh restart

Connect with an SFTP program, e.g. sftp or FireFTP. Open the URL sftp://puffin@antarctica/files

5.11 Executing complex remote commands

Simple commands: ssh antarctica cat will run the command cat on machine antarctica. The output will be redirected to STDOUT on iceberg, and the exit code will be the one from .

More complex commands need some escaping:

Wrap the whole command in "( ... )". The double quotes protect it (mostly) from the shell on iceberg; the brackets create a new subshell on antarctica, which may contain things like if.

and should always be escaped singly, with another; is literal.

$ is escaped as \$ if it is a variable on antarctica, but not escaped if it is to be evaluated on iceberg before the remote command is run.

To have a literal metacharacter on antarctica, it must be triply-escaped. E.g. \n becomes \\\n.

For example, rather than write a script on antarctica and then execute it remotely, tux might wish to have all the logic in a single shell script, running on iceberg. This script tells tux whether he has enough herring in his freezer: .

5.12 SSHFS: the ssh filesystem
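Returning to the quoting rules of 5.11: the herring script the page refers to is not reproduced here, so the following is an added example of my own (not the page's script) that shows the three cases in working code: a local variable expanded on iceberg before the command leaves, remote variables and command substitutions written as \$ so antarctica expands them, and a triply-escaped literal $. The remote side is simulated with sh -c so the script runs offline; to run it for real, replace the body of remote_sh with ssh antarctica "$1" (assuming the key-based login set up earlier). The freezer directory is constructed test data.

```shell
#!/bin/sh
# Added example: quoting for a command built on iceberg but run on antarctica.
# "remote" is simulated with `sh -c`; substitute `ssh antarctica "$1"`
# in remote_sh to run it over ssh (assumption: key-based login works).

# Stand-in for: ssh antarctica "$1"
remote_sh() {
    sh -c "$1"
}

# A value that exists only on iceberg (the local side).
LOCAL_THRESHOLD=3

# Build the remote script as ONE double-quoted string.  Inside it:
#   $LOCAL_THRESHOLD   is expanded here, before the command leaves iceberg;
#   \$count, \$(...)   are sent as literal $count / $(...), so the REMOTE
#                      shell expands them;
#   \"                 survives as a quote character for the remote shell.
build_remote_cmd() {
    dir=$1
    printf '%s' "count=\$(ls \"$dir\" 2>/dev/null | wc -l | tr -d ' '); if [ \"\$count\" -ge $LOCAL_THRESHOLD ]; then echo enough; else echo buy-more; fi"
}

# Does antarctica's freezer hold enough herring?  Prints enough / buy-more.
check_herring() {
    remote_sh "$(build_remote_cmd "$1")"
}

# A literal $ on the remote side needs three backslashes here: the local
# double quotes turn \\\$ into \$, and the remote shell turns \$ into $.
literal_dollar_cmd() {
    printf '%s' "echo \\\$HOME"
}

main() {
    freezer=$(mktemp -d)            # constructed stand-in for the freezer
    echo "command sent: $(build_remote_cmd "$freezer")"
    echo "verdict: $(check_herring "$freezer")"
    touch "$freezer/h1" "$freezer/h2" "$freezer/h3"
    echo "verdict after restocking: $(check_herring "$freezer")"
    echo "literal on remote: $(remote_sh "$(literal_dollar_cmd)")"
    rm -rf "$freezer"
}
main
```

Printing the command string before sending it (as main does) is the quickest way to see which side will expand each $.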
SSHFS allows users to mount a remote directory on a local mountpoint. The only requirement is that they have ssh access to the remote server. There are 2 implementations, sshfs and lufs, both based on the userspace filesystem FUSE. SSHFS is the more recently maintained version, and I have found it to be reliable. Note: sshfs does not work well at all over an unreliable link (e.g. slow Wi-Fi). It doesn't re-try fast enough after failures, resulting in minute-long timeouts.

Download from here; compile and install both fuse and sshfs from source.

As root: modprobe fuse. This creates /dev/fuse with permissions 666. Then, as a normal user, mount the ssh filesystem as desired: sshfs -r -o reconnect tux@antarctica:nest ~/mnt/nest. The -r is for read-only, if desired; the reconnect is useful if the connection fails.

To unmount, do fusermount -u .

If the ssh connection dies, the mountpoint will hang, and cannot be unmounted; killall sshfs will fix it.

sshfs is most useful if you already have key-based authentication.

I have found lufs to be unreliable. For completeness:

Install with urpmi lufs (only required on the client).

As normal user, lufsmount sshfs://tux@antarctica/home/tux/nest ~/mnt/nest -fmask 444 -dmask 555. To unmount, lufsumount .

Note: if the ssh daemon on the remote end dies, or the network connection fails, this causes serious problems. The local mountpoint will become un-unmountable. A reboot is required to recover from this; furthermore, the machine will not finish shutting down on its own, and will require a reset. killall lufsd may help here; I haven't tried it.

5.13 X2X: share a keyboard and mouse between different systems
X2X lets you forward keyboard/mouse events from one X-display to another. Consider a desktop machine, nest, sitting on the same table as a laptop, iceberg. The laptop is placed with its screen to the right of the desktop's monitor, but its keyboard/mouse are inconvenient to reach. On the desktop machine, nest, run the command ssh -X iceberg x2x -east -to :0.0. Now, you can move the mouse pointer off the right-hand edge of the desktop display, and onto the left-hand edge of the laptop display. The keyboard will go to whichever window has focus. X2X is available via urpmi, or from here. More details here.

X2X is also capable of synchronising the clipboards, though it doesn't seem to work for me. Unfortunately, it can't yet drag windows from one display to another. N.B. Don't try to get in a loop between 2 mutual instances of X2X; just like back-to-back mirrors, it will never let you out.

Encrypting and decrypting files with SSH RSA keys: see here.

Printing over the network: cat | ssh antarctica lp

Copy clipboard from one machine to another: in , function ccc , then type ccc to pull the remote clipboard to the local machine.

Tunnelling SSH over (if behind restrictive firewalls): use corkscrew.

HashKnownHosts: this option in makes hashed. It's a slight security gain, but makes bash-completion on hostnames less useful.

AddressFamily inet: this option in .ssh/config makes SSH only use IPv4 to connect. It can be faster, especially if IPv6 addresses exist but fail. To test, use the -4 option, e.g. time ssh -4 antarctica exit.

Other Tweaks: NTP, Apache, Cron, Postfix, NFS, DVD

1 NTP configuration

NTP is the Network Time Protocol, which can synchronise the computer clock to within 10ms of UTC. A more detailed explanation of how NTP works is here.
To configure it, run drakclock and ensure that enable ntp is checked. Then, pick a timeserver (ideally, use your own ISP's time server; otherwise, here is how to use ). It is also a good idea to keep the computer's hardware clock permanently on GMT, rather than setting the hwclock back/forward for winter/summer. To test it, allow ntpd a minute or two to synchronise after restarting, then run ntpstat or ntpq -p.

The system service is ntpd, and it is configured in . See also man ntpd and man hwclock.

Alternatives to ntp include chrony or htpdate.

2 Apache setup

The Apache webserver (now with 2/3 market-share) is very sophisticated, but by default it just works. Files placed in /var/www/html will be served up to the world (firewall permitting). Mandriva splits apache into lots of modules, which may be installed in combinations as desired, for example apache-mod_php and apache-mod_userdir.

Two things have changed in Mandriva 2006:

Support for users' home directories, username, is no longer on by default. To enable it, install apache-mod_userdir. Then, ensure the user has a directory public_html, that their files within it are readable by apache, and that directories above it may be traversed by apache (i.e. the directories are executable).

files are now ignored. Directories protected by will no longer be secure. To re-enable this, do TODO FIXME WHAT.

If using PHP, remember to ensure that register_globals is OFF, and that magic_quotes are ON.

3 Mail forwarding and Postfix

This explains the setup of postfix, to send email from the local system via the Internet service provider's SMTP server. The result is that mail from daemons, cron-jobs, and apache/php will be delivered to your normal inbox. It does not cover setting postfix to handle incoming mail (just use thunderbird with a pop server), nor does it cover using spamassassin to identify spam, nor procmail (advanced email processing). A simpler alternative, aimed primarily at delivering mail from Cron, is sSMTP.

3.1 Basic setup required
Install postfix: urpmi postfix. Make sure the postfix service runs by default: chkconfig --list postfix.

Normally, postfix will attempt to directly contact the recipient's mail server. However, some ISPs block port 25 to prevent this, as a spam-mitigation measure for compromised Windows machines. If the ISP requires that outgoing email (SMTP) is routed via their servers, use a relay-host. Add/edit this line to :

If the relayhost requires username/password authentication, first urpmi libsasl2-plug-login libsasl2-plug-plain, then add these lines to :

and create a password maps file, owned by root and with mode 600, /etc/postfix/sasl_passwd:

Define the default email addresses for mail sent from local users. Add this line to :

and then create the file /etc/postfix/canonical containing:

Where should local mail (from one user/daemon to another local user) be delivered? If you want it to remain on the local system, just access it directly, with pine. Alternatively, it can be forwarded to another address, defined in that user's file. This file contains a single line, with the destination email address. It must have permissions 600, and your home directory must only be writeable by you. E.g.

Root's mail is forwarded differently: edit /etc/aliases and change .

For security, ensure that Postfix only listens to localhost, unless you need to do otherwise. In , set .

For outbound encryption, we can set up opportunistic TLS. When Postfix acts as an SMTP client connecting to other servers, and the other server supports it, we can encrypt the message. This setting falls back to plaintext if the server can't do TLS. Inbound mail encryption is somewhat harder, requiring some SSL certificates; see here. A useful test for encrypted TLS is provided by checkTLS.

Make sure that the security administrator for msec is defined within draksec. This user gets the output from the nightly security checks.
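The main.cf lines themselves are not reproduced on the page, so here is an added example (my configuration, not the page's) covering the settings this section asks for: a relay host with SASL authentication, opportunistic outbound TLS, listening on localhost only, plus a check that the sasl_passwd map has the root/600 ownership the page requires. The relay host smtp.example.invalid and port 587 are placeholders; the parameter names are Postfix's own.

```shell
#!/bin/sh
# Added example: Postfix relayhost/SASL/TLS settings and a permission check
# for the password map.  Assumptions: smtp.example.invalid:587 and the
# credentials are placeholders; the parameter names are standard Postfix.

# Print main.cf settings for relaying via an authenticated ISP smarthost.
# Square brackets around the host tell Postfix not to do an MX lookup.
postfix_relay_fragment() {
    host=$1; port=${2:-587}
    cat <<EOF
# outbound: relay everything via the ISP (no MX lookup on the name)
relayhost = [$host]:$port
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
# opportunistic TLS: encrypt when the relay offers STARTTLS, else plaintext
smtp_tls_security_level = may
# only accept submissions from this machine
inet_interfaces = localhost
EOF
}

# Print the single line for /etc/postfix/sasl_passwd (then run postmap on it).
sasl_passwd_line() {
    host=$1; port=$2; user=$3; pass=$4
    printf '[%s]:%s %s:%s\n' "$host" "$port" "$user" "$pass"
}

# 0 if the password map is root-owned with mode 600; otherwise say why.
# The map holds a cleartext credential, so nobody else may read it.
check_sasl_passwd() {
    f=$1
    [ -f "$f" ] || { echo "FAIL: $f missing"; return 1; }
    mode=$(ls -l "$f" | awk '{print $1}')
    owner=$(ls -l "$f" | awk '{print $3}')
    case $mode in
        -rw-------*) ;;
        *) echo "FAIL: $f has mode $mode, want -rw------- (600)"; return 1 ;;
    esac
    [ "$owner" = root ] || { echo "FAIL: $f owned by $owner, not root"; return 1; }
    echo "ok: $f is root-owned and mode 600"
}

main() {
    postfix_relay_fragment smtp.example.invalid 587
    echo
    echo "sasl_passwd line: $(sasl_passwd_line smtp.example.invalid 587 tux 'PLACEHOLDER-PASSWORD')"
    tmp=$(mktemp)                      # constructed map file for the check
    chmod 644 "$tmp"
    check_sasl_passwd "$tmp" || true
    chmod 600 "$tmp"
    check_sasl_passwd "$tmp" || true   # still fails unless run as root
    rm -f "$tmp"
}
main
```

After writing the map, postmap /etc/postfix/sasl_passwd produces the .db file Postfix reads; keep that file at 600 too.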
Restart postfix and check that email is sent: mail (finish with Ctrl-D, or a single . on a line by itself). Or: echo hello world | mail -s hello .

To have the server notify on reboot, add this to your crontab: @reboot echo "Rebooted: were you expecting this?" | mail -s "servername rebooted" 

3.2 Advanced setup: SMTP forwarding for a NAT'd subnet

Configure postfix to listen on the internal interface, and accept mail for forwarding from the relevant machines on the subnet. Edit :

Make sure shorewall allows connections to port 25 from within the subnet: edit /etc/shorewall/rules and add :

3.3 Some email debugging tips

If postfix fails to start, run postfix check. Remember to restart or reload postfix to apply changes.

Errors will be logged to /var/log/mail/errors.

To test sending mail, use the mail command, e.g. echo hello | mail -s test recipient@domain (or interactively; Ctrl-D ends the text input), and look at /var/log/mail/info.

To read local mail (which should probably be forwarded to your normal email account), just use mail (q to quit).

To send email from the command-line with attachments, use mailx or mutt; more .

To check the queue status, use postqueue -p, and to try to flush it, use postqueue -f.

To debug SMTP, try telnetting to the smtp server. Instructions are here. Simple version: .

To debug POP, try telnetting to the pop3 server. Instructions are here. Simple version: .

Postfix's configuration is documented here.

Mandriva's postfix start script runs postmap and postalias automatically. Not all distros do this. E.g. postmap /etc/postfix/canonical; postmap /etc/postfix/sasl_passwd.

Cron, the crond service, is a periodic job scheduler. It does:

System housekeeping every night: updatedb, msec, rpm -Va. These run at 4am, and take about 30 minutes.

Anything the user schedules, e.g. nightly backups.

To configure jobs, use crontab -e; see also man cron and man 5 crontab.

For one-offs, use at and atd instead.
If the machine isn't always on, use the anacron service to run skipped cron-jobs shortly after the machine has booted.

Note: Msec's messages from cron jobs go to the user specified in draksec.

5 NFS (Network FileSystem)

NFS is the Network File System. It is designed to allow remote mounting of a share on a fileserver. NFS is capable of many things, including encrypted connections, access-control and read-write file-locking, for which, see the howto. Alternatives are Samba (designed for Windows), and SSHFS (in userspace, via FUSE), but NFS is in kernel-space, and therefore has much higher performance. Here is how to set up a basic read-only, world-accessible NFS share, useful, for example, as a central jukebox repository for music within a house.

On the SERVER, install and enable the following services: portmap, nfs-common, nfs-server.

Consider that we want to export the directory /home/public/music. Place the following entry into /etc/exports:

This exports the directory /home/public/music to all hosts, read-only, and squashes file-ownerships. See also man exports. You can also use the draknfs GUI.

NFS has multiple daemons, which do not always run on a pre-defined port, and it is necessary to pin the server's NFS daemons to known ports if we also want to make it firewall-able. This howto explains what to do; here is a summary, suitably modified for Mandrake rather than Fedora.

Force statd to run on port 4001, and lockd to 4002. There's nothing very special about these port numbers, except that they are unused in /etc/services. Edit /etc/sysconfig/nfs-common and set :

Force mountd to run on port 4003. Edit /etc/sysconfig/nfs-server and set :

Pin rquotad to 4004, if used, by adding this to /etc/services:

The portmapper service always runs on port 111, and the nfsd service always runs on 2049, so we needn't change these.

Restart the portmap, nfs-common and nfs-server services. Check they are permanently enabled with chkconfig.
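Pinning only helps if the daemons actually came up on those ports, which is easy to verify with rpcinfo -p. As an added example (not from the page), here is a small parser for rpcinfo -p output that compares each NFS-related service against the ports pinned above and prints the port list the firewall rule needs. The two listings inside the script are constructed samples in rpcinfo's output format; on a real server, pipe the live output in with rpcinfo -p | check_pinned.

```shell
#!/bin/sh
# Added example: verify that the NFS helper daemons sit on the pinned ports
# by parsing "rpcinfo -p", and print the port list for the firewall.
# The rpcinfo listings below are constructed samples, not captured output.

# The pinned ports from the setup above, keyed by rpcinfo's service names.
expected_port() {
    case $1 in
        portmapper) echo 111 ;;
        nfs)        echo 2049 ;;
        status)     echo 4001 ;;   # statd
        nlockmgr)   echo 4002 ;;   # lockd
        mountd)     echo 4003 ;;
        rquotad)    echo 4004 ;;
        *) return 1 ;;
    esac
}

# stdin: rpcinfo -p output -> unique "service port" pairs (header dropped).
rpc_ports() {
    awk 'NR > 1 && NF == 5 { print $5, $4 }' | sort -u
}

# stdin: rpcinfo -p output -> sorted, space-separated list of ports in use.
firewall_ports() {
    rpc_ports | awk '{print $2}' | sort -un | tr '\n' ' ' | sed 's/ $//'
}

# stdin: rpcinfo -p output -> 0 if every known service is on its pinned
# port; otherwise list each mismatch and return 1.
check_pinned() {
    bad=0
    for pair in $(rpc_ports | tr ' ' '='); do
        svc=${pair%%=*}; port=${pair#*=}
        if want=$(expected_port "$svc"); then
            if [ "$port" != "$want" ]; then
                echo "MISMATCH: $svc on $port, firewall expects $want"; bad=1
            fi
        else
            echo "note: $svc on $port is not in the pinned set"
        fi
    done
    return $bad
}

# Constructed sample: every daemon on its pinned port.
SAMPLE_PINNED='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   4001  status
    100024    1   tcp   4001  status
    100021    1   udp   4002  nlockmgr
    100021    4   tcp   4002  nlockmgr
    100005    1   udp   4003  mountd
    100005    3   tcp   4003  mountd
    100011    1   udp   4004  rquotad
    100003    2   udp   2049  nfs
    100003    3   tcp   2049  nfs'

# Constructed sample: statd and mountd came up on random ports.
SAMPLE_UNPINNED='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100024    1   udp  32768  status
    100005    3   tcp  32769  mountd
    100003    3   tcp   2049  nfs'

main() {
    echo "ports to open: $(printf '%s\n' "$SAMPLE_PINNED" | firewall_ports)"
    printf '%s\n' "$SAMPLE_PINNED" | check_pinned && echo "pinned sample: ok"
    printf '%s\n' "$SAMPLE_UNPINNED" | check_pinned || echo "unpinned sample: fix /etc/sysconfig/nfs-*"
}
main
```

A MISMATCH line after a reboot usually means the sysconfig edit was not picked up by the init script, which is exactly the case that silently leaves the share unreachable through the firewall.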
Now we have well-defined ports for NFS, we can enable the firewall. Make sure the firewall permits both TCP and UDP access to the following ports: 111, 2049, 4001, 4002, 4003, 4004 (4004 itself may not be required, if you don't use rquotad). In /etc/shorewall/rules add :

The following diagnostic tools are useful:

showmount - show what remote clients have currently mounted which directories.

rpcinfo -p - list the ports currently used by the various RPC (remote-procedure-call) daemons.

exportfs - show what directories are currently available to be exported.

exportfs -fa - tell the NFS daemon that /etc/exports has been modified, without needing to restart it.

On the CLIENT, everything is much easier. If you want to have locking of files, then you need to install and run the portmap service, but it is not necessary: the alternative is to mount with -o nolock. For a read-only mount, that is perfectly sufficient. Thus, you can mount the share directly with :

Or you can add this to /etc/fstab:

There is also a GUI for this, diskdrake --nfs.

The mount options are explained in detail in man 5 nfs. The important things are: that nolock is useful for read-only mounts; that soft is important if you want the client to be interruptible in case of network errors (otherwise, if the server goes down, the client application cannot be terminated, even with kill -9); and that servername can be a hostname or IP address, but must be an IP address if the mount happens early in the boot process, before the system has working DNS.

6 DVD playback and creation

One can swap the ultrabay CD-RW drive for a DVD drive. To play a DVD, Linux requires:

A DVD of the correct region to match the drive. Actually, in most cases, Linux ignores the region-coding on the disc. However, if the region of the drive has never been initialised, it may refuse to play. So, set the region using regionset.
To play most commercial DVDs, it is necessary to break the CSS encryption. Install libdvdcss2 from the PLF. At least some of these packages are also required: libdvdread3, libdvdread-utils, libdvdnav4, libdvdcontrol9, vlc-plugin-dvdnav.

Then, to play the DVD, use either VLC, mplayer, xine, or ogle (plf versions). You can even back it up with mencoder.

A very quick off-topic aside on video-editing and DVD creation:

Tools: kino, cinelerra, mplayer, transcode, mplex, spumux, dvdauthor, growisofs, xine, gimp. Usually worth downloading/compiling the latest versions.

Capture from a firewire mini-DV camera with kino; edit with cinelerra (tutorial).

Note: cinelerra really works better if you have 2 drives: source footage on one, background-rendered output on the other.

Create the final , then check with mplayer.

To avoid "mice teeth", I recommend de-interlacing the final file before making the DVD.

Conversion to mpeg, burning to DVD, DVD-menus: see here (very detailed). My incantation was transcode -i -V -x mplayer,mplayer -y mpeg -F d -Z 720x576 --export_fps 25 --export_asr 2 -E 48000 -b 224 -J smartdeinter -o outputmpeg, which results in outputmpeg.m2v (the video; play with mplayer) and outputmpeg.m2a (the sound; play with mpg123). Then, mplex the files: mplex -f 8 -S 0 -o movie m2v.

dvdauthor handles converting to the max 1GB filesize on DVD without a problem, even if the files exceed this. In total, a standard, single-sided 4.7GB DVD can take 4.3 GB of video (a little over an hour); the discrepancy is 2^30 vs 10^9.

DVD cover: use xfig, then export to pdf.

See also: tutorial, discussion, Linux-Journal.

Use DVD-R rather than DVD+R for greatest compatibility.

Useful Applications

In case of data loss (example: heavy-handed use of the delete key), TestDisk and PhotoRec are extremely useful. TestDisk allows undeletion of files; PhotoRec allows lower-level recovery, even after a format, but without the names.
In case of faulty media (usually dying hard drives), DD-Rescue is excellent. There are 2 similarly named tools, with the same purpose but different authors: GNU ddrescue and dd_rescue.

Wine / MS Windows Applications

There are various ways to run MS Windows applications under Linux:

Run a Linux-native application. Many applications exist under Linux anyway. Some are cross-platform (e.g. Firefox, OpenOffice), and many are Linux-native. Often, the Linux-native applications are better than their non-Free Windows equivalents.

Use Wine. Wine is a Free implementation of the Win32 API (Wine Is Not an Emulator), now at version 0.9.11, and works very well. It is available for download from , or in a supported commercial version from Codeweavers. WineTools is sometimes a helpful addition, but is increasingly no longer necessary. Winehq provide Mandriva RPMs which are more recent, and work better than the official ones. Office97, Photoshop, and even Internet Explorer work well (OK, even on Windows, Internet Explorer can't really be said to work well, but Wine allows us to check web design for bug-compatibility). Generally, older or simpler Windows binaries are more likely to work perfectly. Usually, hardware drivers won't work, but I did have success with a serial-port PIC Programmer. If you just need to read MS document files (and OpenOffice can't cope), you can download the free (beer) MS Office viewer, or Lotus KeyView.

If you still have access to an obsolete Windows box, put VNC on it. Then leave the Windows box on the network (suitably NAT'ed, please), run vncserver on it, and view the application on your local display. To maximise server performance, disable all animations, disable "show content in moving/resizing windows", and set a plain colour for wallpaper; maximise viewer performance by optimising -encoding. We run MarketEye this way on an old 770Z (PII 300, Win98). Advantage: VNC is free, and works brilliantly. Disadvantage: you need an old Windows machine.
If you have access to a Windows install disk, or an image of the old hard disk, you can emulate it with QEMU. QEMU is brilliant. It will run any x86 operating system from within any other; it is free, and it is fast. Performance is about 5x slower than real life. You can also try other Operating Systems, e.g. the latest Knoppix, direct from the disk image. Either create a new disk image, boot it in QEMU and install Windows, or (with luck) you may be able to boot a pre-existing image. There is also KQEMU, which uses a kernel module to accelerate to near-native (about 1/2) speeds. KQEMU is now GPL'd (it used to be only free-as-in-beer). QEMU will not yet allow you to run hardware devices such as most USB or sound input, although you have access to sound output, network, video, disks. Note: QEMU disk images are sparse files. A guest OS may have a mainly empty 10GB virtual disk, which takes only 200MB on the host. To copy these, you must use cp -a or rsync -aS, or you will lose the efficient packing.

Another GPL option is virtualbox. I haven't tried this yet.

VMWARE is the commercial equivalent of QEMU. It is essentially the same, and although expensive, it works well. There is also now a free VMWare player, but someone else would have to create the VMWare image. Sound input works, and they say that USB devices can be made to work with Windows drivers. We run Dragon Naturally Speaking this way.

ReactOS is a very promising alternative to Windows, especially if combined with QEMU. However, it isn't quite ready yet.

As you can see, that's quite a long list, and I am not sure I have mentioned them all. Just for fun, look at MenuetOS.

Stopping it rattling

This laptop lives in the same room as me, so I'd rather it doesn't rattle the hard disc all the time when I'm not using it. Check for culprits using find -mmin -2 -print | grep -v proc.

The worst is mailman, so remove it with urpme mailman.
Uninstall process accounting; it's rather pointless on a single-owner laptop. It also causes disk writes every 15 seconds. Remove with urpme psacct.

Shorewall should not write out the logfile to disk too often. Edit to have .

Check for and remove spurious cron jobs. By default, a whole lot of security checks run at 4:00 am, and take about 30 minutes of constant activity. If the machine isn't always on, anacron will also run these shortly after the machine has booted. Some of these aren't absolutely necessary. However, updatedb is really useful.

sshd-restarter runs every 5 minutes by default. Change this to every 30 minutes in /etc/cron.d/sshd-monitor.

Stop CUPS regenerating its certificate every 5 minutes; once every 2 hours will do. Change to have .

Mozilla should not check for new messages more than about once per 5 minutes, since this also causes disk activity.

Shell Scripts and Files

Advanced uses of Urpmi and RPM

Urpmi is Mandriva's package manager. It is "User-RPM", and is intended to make some RPM tasks more friendly. It is similar in functionality to Debian's apt.

1 Introduction to RPM and Urpmi

Here is some more information on rpm and urpmi.

Adding and removing package repositories: and . See above.

To install a package: urpmi PACKAGENAME, e.g. urpmi mplayer. Urpmi will automatically resolve dependencies, and fetch the package from the repository. If you already have the package downloaded, use e.g. urpmi . Or, you can use rpm -i . Multiple packages may be installed in one command. You can tab-complete on packagenames.

To uninstall a package: urpme PACKAGENAME, e.g. urpme mplayer. Or, use rpm -e . Note that the packagename does not include the , which is appended to the filename; RPM is unnecessarily fussy about this.

GUI equivalents for urpmi/urpme are rpmdrake and rpmdrake-remove.

To find out what package contains a certain file: urpmf FILENAME, e.g. urpmf .

To find the description of a package: urpmf --description PACKAGENAME, e.g. urpmf --description mplayer. Or, rpm -qi mplayer.
To find out whether a package is installed: urpmq PACKAGENAME, or rpm -q PACKAGENAME, or rpm -qa | grep PACKAGENAME.

To apply package updates: update the package list from the mirror, then select the updates. The easiest way is this, which downloads all the packages first, and only then prompts you whether to go ahead: update the media (-a), then urpmi --auto-select --force --test, then urpmi --auto-select. Note that, with the 2006-Official distribution (as opposed to 2006-Community), the first part is updates. The kernel is a special case, and must be dealt with manually. To update the entire distribution, see below.

To verify installed packages: use rpm -Va (see below).

To install self-compiled packages: use checkinstall. This is important, since it means that you don't bypass the RPM package database. As a result, you can prevent collisions, and can easily uninstall again. So, instead of the usual ./configure; make; make install, use ./configure; make; checkinstall. This generates an rpm, which you can install as usual.

To list unneeded libraries: urpmi_rpm-find-leaves. This prints a list of all packages which are currently installed, but on which no other package depends. These packages are "leaves" on the rpm tree, and their removal will not break anything else. Many of these packages will be the applications (e.g. Firefox) which you actually want; however, old libraries which nothing uses can be removed in this way. Alternatively, use rpmdrake-remove and select "Leaves only".

To prevent a package from being selected for automatic upgrade: add it to.

To downgrade a package to an earlier version: remove the newest version without removing its dependencies (rpm -e --nodeps NEWPACKAGE), then manually download the older version from the mirror (with lftp), then install it from the downloaded rpm (urpmi), then add PACKAGENAME to the list so that it is not automatically upgraded again. Check that the system is self-consistent again with rpm -Va.
Various RPM queries: to list the files in an RPM, use rpm -ql, or use less. To list the requirements of an RPM, use rpm -qR. To list all installed packages, sorted by size: rpm -qa --qf FORMAT | sort -nr, where FORMAT puts the size first and ends in \n.

Source RPMs: a source rpm is NOT a normal package, but a bundle of the program source, some patches, and a specfile. If you install it with rpm -i, it will unpack the tarball and specfile onto your system; to uninstall, just rm -rf the unpacked tree. To rebuild an rpm in such a way that it can be installed on your system, do rpm --rebuild.

Building RPMs: an excellent introduction is here.

Troubleshooting: see below if urpmi complains of an invalid package, or if rpm hangs.

For further information on rpm, see.

2 How to upgrade the Distribution

2.1 Introduction

It is possible to directly upgrade from one version of Mandrake to the next. You can use the installer on the CD, or can do so directly by using urpmi. This process works very well, although you will occasionally have to fix breakages. The easiest way is to log in via ssh from another computer, so you can have multiple tabs in konsole, cut and paste, and web access.

This should be safe, but back up your data. For ultimate safety, copy the entire filesystem onto a different partition, and have Knoppix handy. Then, boot into the copy, and modify that (see below). Important: keep a note of any warnings, and which, if any, packages are removed. Also, check for sufficient disk capacity, especially in /var.

WARNING: PostgreSQL databases will be lost, or become unusable. Make sure you back them up (pg_dump) first.

2.2 Performing the upgrade

Log in as root, and go to runlevel 3 (init 3). It may be easier to do this from another computer, via ssh.

Save the list of currently installed packages, just in case: rpm -qa, redirected to a file.

Remove anything from the skip list if you put it there. Think why it was there. Otherwise, the upgrade won't complete.

Remove the old urpmi media (-a). You may want to back up the media configuration first.

Add the new urpmi sources. Decide: community, or official. Add main, contrib, and updates if appropriate; plf if desired.
Upgrade urpmi itself:
- urpmi --test urpmi: test whether urpmi's upgrade works.
- urpmi urpmi: do the upgrade, if you got no errors in the previous step.

Upgrade the distribution and packages:
- urpmi --auto-select --test 2>&1 | tee LOGFILE: test whether the upgrade of the distro will work.
- urpmi --auto-select 2>&1 | tee LOGFILE: do the upgrade, if you got no errors in the previous step.

Look for, and remove, obsolete libraries. urpmi_rpm-find-leaves will print a list of all packages which are not depended on by any other package. These are either:
- Very important packages which we explicitly want, e.g. apache.
- Independent packages with no interrelation to others, e.g. nc.
- Obsolete libraries which have not been removed.
Uninstall these if desired. In one line: urpmi_rpm-find-leaves | grep -E lib | xargs urpme.

Upgrade the kernel:
- urpmi kernel: upgrade the kernel. You will get a choice; pick the one you like. uname -a prints the currently running kernel. Note that the kernel is not upgraded automatically by urpmi.
- Edit the bootloader configuration to make the new kernel the default, and then run /sbin/lilo.
- Reboot into the new kernel. Watch the log messages on the console.

2.3 Fixing and re-configuring the new system (if needed)

Are there any kernel issues? This is especially relevant if migrating from kernel 2.4 to 2.6. For example, udev replaces devfsd, and Serial-ATA disks become /dev/sdX rather than /dev/hdX. Have any of the kernel modules changed? If so, we may need to edit the relevant files.

Look at the system's error messages: dmesg, /var/log/messages and /var/log/kernel.

updatedb; locate: re-build the locate database, then locate all the changed configuration files. There are 3 possibilities for a package foobar and its configuration file:
- If the configuration file was never modified by the user, then the new package will be installed over it. Otherwise, depending on the package:
- The old config file will be kept, and the new one saved alongside it under a different name.
- The new default config file will be used, and the old one will be backed up under a different name.
It is necessary to inspect and merge these files manually. Usually, but not always, the packager makes a sensible choice as to whether the new or the old file is more appropriate. diff or etc-update will help here.

Read the Release Notes (2006) and Errata (2006) again; check for gotchas.

Check the configuration files of important packages, especially apache and sshd.

Are there any new or obsolete system services which should or shouldn't be running? Use chkconfig --list, or mcc.

Look for newer packages which may have become available and which you might like to install. rpmdrake is most useful.

Remove any old, unwanted kernels with urpme. Don't do this until you are happy with the new one.

Upgrade any non-distribution packages if desired or necessary:
- Non-free: java, shockwave-flash, maybe acroread and realplayer.
- Binary drivers (ugh), e.g. the nvidia 3D driver.
- Custom-compiled packages built from source (remember, use checkinstall instead of make install).
- Recompile anything which depends on the kernel source, e.g. ltmodem, kqemu, vmware, nvidia-driver.

Re-add packages to the skip list as necessary. Saving the kernel-source package is a good idea.

Fix any other breakage. There shouldn't be any, but keep an eye out.

2.4 Explanations and troubleshooting

This method could fail if:
- You have used rpm --force at some point to install packages.
- You have installed rpms from an untrusted origin.
- You have installed rpms not specific to Mandrake.
- You have installed from source with configure; make; make install (which bypasses the RPM database), instead of using configure; make; checkinstall (which RPM is aware of).
If you have non-official rpms, this could cause trouble. Write down the offending rpm files, remove them and try again.

The --test option is great because:
- It downloads all needed rpm packages.
- It tests the installation and provides quite clear error messages.
- It does not delete the downloaded rpm packages. Note: this does mean that you need plenty of space in /var; if necessary, temporarily replace /var/cache/urpmi/rpms by a symlink to a directory with a few GB of space.
- It does not change your current programs.
- When you are happy and run without --test, all the packages are already downloaded, so your upgrade takes less time.

If you get a message like "Package foobar cannot be installed because it conflicts with file ...", remove the package with the offending file. To discover which package contains the offending file, use rpm -qf, and remove that package with urpme offendingpackage. After completing the upgrade, install a new version of the package (urpmi offendingpackage) if needed.

Use tee and log files so that you have a convenient record of what you did.

Urpmi caches downloaded files in /var/cache/urpmi/rpms, so you can install RPMs directly from there.

You can use --force with urpmi; this means "answer yes to all questions". This can be dangerous, but if you have already used --test and been happy, it may save time. Note: urpmi's --force is much less potentially hazardous than rpm's --force.

2.5 Cloning the distribution

It is very useful to be able to make a copy of the distribution, whether for backup, or to install on another computer. I am going to consider the case where the original system has 4 partitions: / (hda1), spare (hda6), swap (hda5) and home (hda7), and we wish to clone / onto spare. This is easily adaptable.

- Have a destination partition (or partitions) ready: fdisk, and a new filesystem, if necessary.
- Bring the source system into runlevel 1 (init 1). Start networking if required.
- The directories in / are: bin boot dev etc home initrd lib mnt opt proc root sbin share spare sys tmp usr var.
- On the target, these directories should be created empty: cd /spare; mkdir home mnt sys proc tmp.
- Copy the other directories across: cp -a bin boot dev etc initrd lib opt root sbin usr var /spare. Or, use rsync -avz -e ssh.
- Recreate the mountpoints in /spare/mnt.
- Fix /spare/etc/fstab and the bootloader configuration to reflect the new partition arrangement.
- Also edit the bootloader configuration to add the kernel in the new root, and run lilo.
- Reboot. In case you need to fix your boot sector, use Knoppix (see below). This step is required if the destination is a different hard disk.
- Now you have, hopefully, 2 identical systems. Update one, and be happy that you can easily revert.

3 How to verify the system with RPM

If you break a system package, by some careless use of rm, by an unfortunate power failure, or by doing something daft, then RPM will let you verify all the installed packages, and you can then fix them.

- Verify all the packages, using rpm -Va. In particular, look for "missing", "5", and "Unsatisfied": rpm -Va | grep -Ei 'missing|5|unsatisfied'.
- Note: some errors are usual, e.g. a modified config file, or permissions which have been changed by msec.
- If a file is definitely damaged, find out which package it is in: urpmf FILENAME.
- Repair the file by forcibly uninstalling its package, then re-installing: rpm -e --nodeps PACKAGENAME; urpmi PACKAGENAME.

4 Troubleshooting

In the nowadays-unlikely event that rpm or urpmi break (the symptom is that they just sit there doing nothing), this is probably because of a stale rpm lock file. This can be caused if rpm is somehow killed while running, e.g. by a power failure, or a kill -9. These lock files usually serve to prevent more than one instance of rpm accessing the same database simultaneously, and are deleted after the rpm process terminates normally. This is what to do:
- Check rpm isn't currently running: use ps aux | grep rpm.
- Remove the stale lock files by doing rm -f /var/lib/rpm/__db* as root.
- Rebuild the RPM database using rpm --rebuilddb.

It is also a good idea to delete partially downloaded (corrupt) files from /var/cache/urpmi/rpms if urpmi complains that they are invalid.
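A small script to triage the output of the rpm -Va verification step in section 3 above, so that a non-config file whose digest has changed (corruption, or something that replaced it) stands out from the usual noise of edited config files and msec permission changes. This is an added example written for this page, not the author's script; the sample rpm -Va lines it is tested with are constructed.

```shell
#!/bin/sh
# Triage the output of `rpm -Va` (section 3 above). Added example for this page,
# not the author's script.
#
# rpm -Va prints one line per file that differs from the package database:
#   S.5....T.  c /etc/ssh/sshd_config     attribute flags, optional type, path
#   missing     /usr/sbin/sshd
#   Unsatisfied dependencies for foo-1.0-1mdk: libbar.so.2
# Flag positions: S size, M mode, 5 MD5 digest, D device, L symlink, U user,
# G group, T mtime; '.' means that test passed, '?' means it could not be run.
# A type letter 'c' before the path marks a config file.

# rpm_verify_triage: read rpm -Va output on stdin and print one classified
# line per finding that matters:
#   TAMPERED <path>  non-config file whose content (5) or size (S) changed:
#                    corruption, or something replaced it; re-install the package
#   CONFIG   <path>  config file with changed content: normally a local edit
#   PERMS    <path>  only mode/owner/group changed: on Mandriva usually msec
#   MISSING  <path>  file absent from disk
#   DEPS     <text>  unsatisfied dependency line
# A bare mtime change (T only) is ignored as benign.
rpm_verify_triage() {
    awk '
        $1 == "missing"     { print "MISSING " $NF; next }
        $1 == "Unsatisfied" { print "DEPS " $0; next }
        $1 ~ /^[SM5DLUGT.?]+$/ && length($1) >= 8 {
            flags = $1; path = $NF
            ftype = (NF >= 3) ? $2 : ""
            changed = (flags ~ /[S5]/)
            if (ftype == "c") { if (changed) print "CONFIG " path; next }
            if (changed)              print "TAMPERED " path
            else if (flags ~ /[MUG]/) print "PERMS " path
        }'
}

# rpm_verify_report: run the verification on this machine and, for every
# TAMPERED or MISSING file, name the package that owns it (rpm -qf), which is
# what you then re-install with rpm -e --nodeps PKG; urpmi PKG.
rpm_verify_report() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found" >&2; return 1; }
    rpm -Va 2>/dev/null | rpm_verify_triage | while read -r kind path; do
        case "$kind" in
            TAMPERED|MISSING) echo "$kind $path (package: $(rpm -qf "$path" 2>/dev/null))" ;;
            *)                echo "$kind $path" ;;
        esac
    done
}

# Stand-alone use: sh rpm-triage.sh --run
case "${1:-}" in --run) rpm_verify_report ;; esac
```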
Also, make sure not to run out of space on /var. A 1GB /var partition will cause problems with urpmi --auto-select --test, especially if there is also a Postgres database in /var/lib/pgsql. The solution is to temporarily replace /var/cache/urpmi/rpms by a symlink to a directory elsewhere (e.g. under /home) which has more space.

Mandriva Kernels: intro

Here is a brief introduction to Mandriva kernels. It does not cover kernel compiling, but discusses some of the Mandriva-specific things.

Mandriva kernels usually include support for all hardware, and are compiled with almost everything as modules. This means that practically every device will be supported, but the in-memory portion of the kernel is not bloated. I have never yet found it necessary to compile a kernel.

Mandriva kernels usually have quite a few patches applied, often backports from development kernels. However, the kernel-linus package is available if you want an unpatched one. The kernels come with various options. For example:
- kernel 2.4, default.
- kernel-2.6.12.14mdk: kernel 2.6, default.
- kernel-i586-up-1GB-2.6.12.14mdk: kernel 2.6 compiled for i586 (Pentium 1) only, with uniprocessor and support for up to 1GB RAM.
- kernel-i686-up-4GB-2.6.12.14mdk: kernel 2.6 optimised for i686 (Pentium 2, 3, 4), with uniprocessor and support for up to 4GB RAM. Use this on the A22p.
- kernel-smp-2.6.12.14mdk: kernel 2.6 for SMP (multiprocessor). Most high-end Pentium 4s are dual-core, which counts as SMP.
- Unpatched copy of Linus's kernel tree.
- kernel-source-2.6: kernel source for the most recent 2.6 kernel.
- kernel-source-stripped-2.6: stripped kernel source. You can compile against this, but cannot read the source code.

To update the kernel, first install the desired kernel with urpmi. The new kernel will automatically be added into the bootloader configuration. Then, if desired, edit it and set the default field to that kernel. Then run /sbin/lilo to write the boot sector. Easy.
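After a kernel update like the one just described, a module build will silently use whatever /lib/modules/RELEASE/build points at. This added example (not the author's code) checks that the tree there really is the source for the running kernel before you compile ltmodem, kqemu or the like against it. It assumes the source tree's top-level Makefile carries VERSION, PATCHLEVEL, SUBLEVEL and EXTRAVERSION lines that concatenate to the release string, as vanilla 2.6 trees do; the directory layout in the test is constructed.

```shell
#!/bin/sh
# Check that the kernel source a module would be built against matches the
# running kernel. Added example for this page, not the author's script.
# Assumption: the top-level Makefile of the source tree has VERSION,
# PATCHLEVEL, SUBLEVEL and EXTRAVERSION lines whose values concatenate to the
# release string (e.g. 2 . 6 . 16 .20 -> 2.6.16.20), as in vanilla 2.6 trees.

# kernel_release_of_tree SRCDIR: print the release string described by
# SRCDIR/Makefile, or return 1 if the Makefile is unreadable or incomplete.
kernel_release_of_tree() {
    mk="$1/Makefile"
    [ -r "$mk" ] || return 1
    awk -F'=' '
        /^VERSION[ \t]*=/      { v = $2 }
        /^PATCHLEVEL[ \t]*=/   { p = $2 }
        /^SUBLEVEL[ \t]*=/     { s = $2 }
        /^EXTRAVERSION[ \t]*=/ { e = $2 }
        END {
            gsub(/[ \t]/, "", v); gsub(/[ \t]/, "", p)
            gsub(/[ \t]/, "", s); gsub(/[ \t]/, "", e)
            if (v == "" || p == "" || s == "") exit 1
            print v "." p "." s e
        }' "$mk"
}

# kernel_source_matches RELEASE [MODULESDIR]: return 0 when
# MODULESDIR/RELEASE/build (default MODULESDIR is /lib/modules) is a source
# tree for exactly RELEASE; otherwise explain on stderr and return 1.
kernel_source_matches() {
    rel="$1"; moddir="${2:-/lib/modules}"
    build="$moddir/$rel/build"
    if [ ! -d "$build" ]; then
        echo "no build tree for $rel under $moddir (is kernel-source installed?)" >&2
        return 1
    fi
    have=$(kernel_release_of_tree "$build") || {
        echo "cannot read a kernel version from $build/Makefile" >&2; return 1; }
    if [ "$have" != "$rel" ]; then
        echo "kernel-source is $have but the running kernel is $rel" >&2
        return 1
    fi
    return 0
}

# Stand-alone use: sh kernel-src-check.sh --check
case "${1:-}" in
    --check) kernel_source_matches "$(uname -r)" && echo "kernel source matches $(uname -r)" ;;
esac
```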
After updating the kernel, it is necessary to recompile and reinstall any binary drivers or custom kernel modules, e.g. ltmodem, kqemu, vmware, nvidia.

A gotcha: urpmi will install multiple versions of the kernel without difficulty. However, it will only install one version of the kernel source. urpmi --auto-select will update the kernel source, but not the kernel. So, if you regularly update packages with urpmi, you can end up with a kernel-source package which does not match your currently running kernel. This means that, should you need to compile extra modules, you cannot do so. Solution: either upgrade the kernel, or downgrade the kernel-source, or compile extra modules sooner. It is worth adding kernel-source to the skip list in order to stop urpmi doing this automatically.

Here are some useful commands:
- modprobe: insert or remove modules and their dependencies, e.g. modprobe pcspkr; modprobe -r pcspkr.
- lsmod: list currently loaded modules.
- modinfo MODULENAME: get information about a module and its parameters.
- dmesg: view kernel messages.
- uname -a: print the name of the currently running kernel.
- Look at the contents of /proc, the kernel's status information, e.g. /proc/cmdline.
- Look at the contents of /var/log/kernel: kernel information and errors.

Upgrade to Kernel 2.6.16 / Kernel Compilation

1 Upgrading the kernel

There are 2 compelling reasons to upgrade the kernel from 2.6.12 (as shipped) to 2.6.14 or greater. The trackpoint sensitivity patch is in the official tree as of 2.6.14, and there is also the improved disk scheduler, which means that interactive processes get priority for disk access. Also, if desired, s2ram requires 2.6.17. We can do this in 2 ways.
1.1 Upgrading the kernel to cooker kernel 2.6.14-0

Normally, it is a very bad idea to mix packages from cooker and a stable release. However, the kernel package is essentially independent, and in this case it is ok. Look on the cooker mirrors in devel/cooker/i586/media to find a suitable kernel. I downloaded the kernel and its source from contrib. N.B. Save the RPMs, since once they are superseded, they will be gone from the mirrors. Install with urpmi, edit the bootloader configuration to make it the default, run /sbin/lilo and reboot. Re-compile the modem driver.

There is an interesting aside here: this kernel requires psmouse to be listed in the module configuration (it is added by the rpm install script). A consequence is that udev rules cannot include a DRIVER match for psmouse. I can find no documentation for this, but experimentally, I found the following. Even more weirdly, 2 reboots are required for the changes to take effect.

BUT this kernel is not very stable: 3 simultaneous scp processes can panic it. For a more recent one, you have to compile it. Read on.

1.2 Compiling the latest kernel (much easier than I thought)

Compiling a kernel is actually very straightforward. Here's how:
- Save the results of lsmod (and maybe lspci -vvv) somewhere. This tells you which modules you need.
- Download the newest kernel. Get the full version, not the patch. I downloaded 2.6.16.20. See this FAQ on compiling.
- Untar, or unzip, the source.
- Configure the kernel with make xconfig. I changed these values from the defaults: Processor type and features: Build arch Pentium III; Timer 1000Hz. Do enable /proc/acpi/sleep (deprecated in favour of /sys/power/state).
- The kernel configuration is saved in the tree. Note that we lose Mandriva's bootsplash patch.
- make. Wait a few hours. Then, as root, install the kernel:
- make modules_install: install the kernel modules into /lib/modules/2.6.16.20.
- cp arch/i386/boot/bzImage /boot/vmlinuz-2.6.16.20: install the kernel itself.
- mv linux-2.6.16.20 /usr/src; chown -R root:root /usr/src/linux-2.6.16.20: move the source into /usr/src, so other modules can be built against it.
- cd /lib/modules/2.6.16.20; rm build source; ln -s /usr/src/linux-2.6.16.20 build; ln -s /usr/src/linux-2.6.16.20 source: correct the build and source symlinks.
- Mandriva uses an initrd, so we need to create one: mkinitrd, giving it the image name and the version 2.6.16.20.
- Edit the bootloader configuration and copy one of the existing stanzas. Here is mine.
- If desired, change the default line at the top to match the new label line.
- Then, run /sbin/lilo and reboot. Check everything works.

If you forgot a module, re-run make xconfig; make; make modules_install. If just adding a module, the compile will be very quick, and you shouldn't need to reboot. If you change a built-in driver, you need to rerun mkinitrd and lilo, then reboot.

With the new kernel, it's necessary to recompile any drivers you need. These are either the non-free drivers (e.g. ltmodem, kqemu, vmware, nvidia-driver), or the development ones which aren't yet in the official kernel (e.g. rt2500). If necessary, run depmod after compiling them.

2 Enjoying the new kernel

2.1 Trackpoint Sensitivity

Kernel 2.6.14 provides /sys/devices/platform/i8042/serio0/sensitivity, which allows the trackpoint sensitivity to be adjusted. See above. Also, my udev rule for the trackpoint was broken by 2.6.16.20, and it is easier to just use /dev/psaux in the X configuration than to fix it.

2.2 Disk I/O priorities

With the older kernel, a program at low priority that used lots of disk I/O would prevent a program of higher priority from accessing the disk, even though the CPU was available. The new scheduler gives a bonus to interactive programs, and takes niceness into account when allocating disk accesses. Try this:
- Background program: sudo nice -n 19 updatedb.
- Important program: bash, or sudo su.
The important program now gets the disk access that it needs, and can start up much faster.

Troubleshooting and diagnostics

Sometimes, inevitably, things go wrong. This section might help.

1 Symptom: Applications are slow to start
Sometimes, an application may take about 10-30 seconds to start, during which absolutely nothing happens: it is using neither disk nor CPU, but just seems to be waiting. There are 2 causes of this:
- Timeouts caused by the wrong hostname. If the machine doesn't have an entry for its own hostname and for localhost in /etc/hosts, then it will be unable to resolve its own name. This will result in a DNS timeout (about 10 seconds) before the application continues. This affects all X applications. This problem can also sometimes be caused by changing the hostname from within an X session, whether manually, or by a daft default DHCP option.
- Many applications are now built with support for HAL/DBUS. If they are built against the wrong library, they will speak the wrong protocol, and the HAL error will take about 25 seconds to time out. See above.

Note that some applications, notably OpenOffice, are just very "heavy", and are just rather slow to start; but you will see the CPU load being 100%.

2 Symptom: X config is messed up (e.g. mouse buttons misbehave)

If anything causes X to fail to start up, Mandriva will very "helpfully" re-write the xorg configuration with a default. This usually manifests itself in the mouse buttons reverting to defaults (i.e. no emulate-wheel), or the horizontal and vertical scrolling being interchanged. Solution: keep a backup copy of your xorg configuration and replace the broken version. Then restart the dm (display manager) service. Close your applications first, since stopping the dm will instantly kill KDE. See also below.

3 Symptom: daemons fail to start
When the system starts, or you restart a service with service SERVICENAME start, it is extremely unhelpful when it just says "Starting SERVICENAME [FAILED]". Often, the error is in a configuration file (if you just changed it), and there will be a helpful message in /var/log/daemons/errors or /var/log/messages. If this fails, look at the startup script in /etc/init.d and then run its command manually, without the redirection of stderr to /dev/null. Sometimes, the man page for the daemon will have an option to not fork into the background; this will ensure that messages are printed to the console.

4 Symptom: 3D performance is really poor

This Thinkpad is quite capable of running glxgears at about 760 frames/second, and of decent performance for games (tuxracer, ppracer), fancy screensavers (helios) and astronomy tools (stellarium). There are at least 2 ways to mess this up:
- Don't run at 24-bit colour. There isn't enough graphics memory, so although it seems to run at 24-bit with acceleration, it will cause glxgears to drop to only 160 fps. Approx 780 fps is achievable when running at 16-bit. This is controlled by the DefaultColorDepth setting in the xorg configuration.
- Don't install Mesa. Mesa allows you to do indirect rendering of OpenGL in software: excellent when there is no hardware support, but far less powerful than raw hardware. Interestingly, this won't seriously affect the performance of glxgears, but ppracer and stellarium will be totally unusable (2 fps). glxinfo provides some debugging information; this excellent page on DRI Troubleshooting has more details. If hardware acceleration is available, you should not have libMesaGL installed. So, uninstall the Mesa-5.0.2-11mdk and libMesaGL1-5.0.2-11mdk packages. Note: the libMesaGLU1-5.0.2-11mdk, libMesaglut3-5.0.2-11mdk and libMesaGLU1-devel-5.0.2-11mdk packages are innocent.

Note: when diagnosing Xorg problems, you have to restart the display manager (service dm restart) to make changes take effect. I recommend using IceWM for speedy restarts.

5 Symptom: Software breakage
If it was working, and then you broke it:
- For system packages, try verifying the installed packages with rpm -Va (see above). If necessary, uninstall with rpm -e --nodeps and immediately re-install.
- If it is an application, try removing its per-user configuration. Copy it first.

If it was broken to begin with:
- Check the package's bugzilla, and Google, in case it is a known bug. Otherwise, file a bug report, both upstream with the author and with Mandriva.

6 Symptom: Hard disk errors and poor performance

If the hard disk is slow, it is possible that DMA (direct memory access) is not enabled. Use hdparm /dev/hda to check the status. hdparm can also measure file-transfer performance (hdparm -tT /dev/hda) or change DMA settings (hdparm -d 1 /dev/hda).

Check the hard disk for errors. smartctl is part of the SMART (System Monitoring and Reporting Tool) system for hard drives. These can detect impending failure, and hopefully warn you.
- smartctl -l selftest /dev/hda: print the self-test log from the drive.
- smartctl -a /dev/hda: print all information that the drive knows about itself.
- smartctl -t long /dev/hda: begin a long self-test (about an hour). This can be run without unmounting the drive.
To set up automated monitoring, see here, and check that mail to root is delivered to a human. There is also a graphical utility, gsmartcontrol.

7 Symptom: Wrong file permissions for devices

Mandriva uses pam_console_apply to change the ownership of various devices to the first locally logged-in user. For example, when I am logged in, the sound device has these permissions. The login manager (kdm) ought to set these. To fix the permissions temporarily, do as root.

8 Symptom: It won't boot (i.e. the boot sector is messed up)

This occurs after:
- Installing another OS (e.g. Windows) on a different partition, and it messed up the bootloader.
- Upgrading the kernel without running lilo (but Mandriva normally does this automatically when you use urpmi, so this is rare).
- Copying the hard disk (e.g. with rsync) onto a different disk or a new machine.
Fortunately, it is quite easy to fix. The Mandriva install disk has a recovery mode for repairing bootloaders. Here is how to do it with the (much more versatile) Knoppix:
- Boot the damaged system up from CD with Knoppix. Become root: sudo su.
- Mount the hard disk: mount -o dev /mnt/hda1. The -o dev is very important; it is not the default for Knoppix.
- If necessary (it usually isn't), copy over Knoppix's /dev directory. ONLY do this if /mnt/hda1/dev is empty: cp -a /dev/. /mnt/hda1/dev.
- Chroot into the target system: chroot /mnt/hda1.
- Edit the target's bootloader configuration if needed, with nano.
- Run lilo: /sbin/lilo.
Note: you might expect that, without chrooting, lilo -C with the target's configuration and -b /dev/hda would work. For some reason, it doesn't. Note 2: see also the Knoppix Rescue FAQ.

9 Symptom: KDE menus get messed up, and are missing entries

There are, confusingly, several different and inconsistent ways to edit the KDE/GNOME/IceWM menu. Some 3rd-party installers mess it up, leaving most entries missing. To regenerate the KDE menu correctly, run update-menus as root.

10 Symptom: random crashes or kernel panics

Dodgy RAM can cause all sorts of problems. These range from I/O and network errors, to randomly segfaulting processes, to kernel panics. It depends which part of kernelspace or userspace gets corrupted. These errors are often weird, and sometimes (but not always) repeatable: if you retry immediately, the kernel may re-allocate the same memory page.

Even expensive RAM can go bad, and once-working RAM can die after a few months or years, especially if the computer is running warm, and the warranty has just expired. The problem is quite a lot more common than one might expect.

The way to test it is to install memtest86. Then, reboot the machine, and choose memtest from the Lilo prompt. Or, run memtest from Knoppix. Usually, memtest will detect faulty RAM within minutes. However, to get a "clean bill of health", let it run for at least 12 hours. Memtest's report will identify the faulty memory range(s), which should identify the faulty DIMM.
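For symptom 1 above (timeouts caused by the wrong hostname), a check that a hosts file gives the machine its own name and localhost, so that X applications are not left waiting on DNS. This is an added example written for this page, not the author's script; the hosts file used in the test is constructed.

```shell
#!/bin/sh
# Check that a hosts file lets the machine resolve its own name and localhost
# without DNS (symptom 1 above). Added example for this page, not the author's.

# hosts_has_name HOSTSFILE NAME: return 0 if NAME appears as a hostname or
# alias on a non-comment line of HOSTSFILE. The comparison is
# case-insensitive, as the resolver's is.
hosts_has_name() {
    awk -v want="$2" '
        { sub(/#.*/, "") }                 # strip comments, then re-split fields
        NF < 2 { next }                    # need an address plus at least one name
        {
            for (i = 2; i <= NF; i++)
                if (tolower($i) == tolower(want)) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }' "$1"
}

# check_local_hostnames HOSTSFILE HOSTNAME: report each missing entry and
# return 0 only when "localhost", HOSTNAME and (if HOSTNAME is fully
# qualified) its short form all resolve from HOSTSFILE.
check_local_hostnames() {
    f="$1"; h="$2"; rc=0
    short="${h%%.*}"
    [ "$short" = "$h" ] && short=""        # no separate short form to check
    for n in localhost "$h" $short; do
        if ! hosts_has_name "$f" "$n"; then
            echo "$f: no entry for $n (X applications will wait for a DNS timeout)"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use: sh hosts-check.sh --check
case "${1:-}" in
    --check) check_local_hostnames /etc/hosts "$(hostname)" && echo "/etc/hosts ok" ;;
esac
```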
11 Symptom: Data corruption, or partition cannot be mounted (hard disk error)

Use ddrescue, then reiserfsck, then throw the disk away.

12 General troubleshooting tips

- Look at the log files: dmesg, /var/log/messages, /var/log/kernel, /var/log/daemons/errors, etc. The kernel messages (dmesg) are particularly helpful.
- If it is a hardware problem, try compiling the latest kernel. If it's an application bug, try the latest version.
- Run the application from a terminal, so that the error messages (stderr and stdout) are visible. These are invisible when starting from the GUI (though they are appended to a log).
- If necessary, you can watch what the program is doing with strace (print system calls) and ltrace (print library calls).
- To see what process is using a particular file, use fuser and lsof (as user root).
- To identify what processes are using the most CPU, use top (keys: M sorts by memory usage, P by processor use, S shows cumulative CPU use).
- vmstat reports memory usage, and swap and disk I/O bandwidth.
- Other useful tools include ps, pgrep, nice, ionice, netcat, lshal, lsusb, and digging around in /proc.
- Look at the source code. A surprising number of programs are actually scripts.
- Look in the application's bugzilla, or Google's Linux pages. Google for the exact error message. Kdialog lets you select text, for this reason.
- Remember, once found, to document what you did, and file a bug report if relevant.

Figure out how to use the S-Video input and output that the Thinkpad has.

Get IrDA to work without crashing.

These are some of the significant bugs which I have reported on Mandriva 2006:
- PC Speaker not working (Bug 13627). Trivial, finally fixed in 2008.1.
- Prism54 firmware (Bug 17797). Not really a bug, just an irritation.
- X: EmulateWheelTimeout doesn't do anything (Bug 4291). Fixed in Xorg CVS; fixed in 6.9.0.
- X: Broken R128 driver (Bug 17958). Solution: use the ati driver instead.
- X: Must restart dm to make xorg changes take effect (Bug 18022). This is Not a bug.
- Encryption: bug in initscripts (Bug 17931). Still not fixed.
- Swapon race condition, needs a sleep in the init script (Bug 17802). Still not fixed.
- Swapon needs a specific /dev/loopX (Bug 17803). Probably a kernel bug. Not fixed.
- Apm suspend causes a crash; the solution is sync, chvt, kill -STOP X (Bug 17930). Still not fixed.
- /etc/bashrc: unset i (Bug 17799). Trivial, not fixed.
- /etc/profile fails to prevent core dumps (Bug 19822). Fixed in Jan 2007.
- lircmd service starts after the dm service, so it can't be used as an IR mouse (Bug 20771). Fixed March 2007.
- Timidity-init doesn't play nice with alsa (Bug 17160). Complicated.
- Irdadump panics the kernel (Bug 20443). Being worked on; fixed upstream.
- Kdialog converts \n to \n\n (Bug 111388). Trivial, not fixed. May be deliberate.
- Mozilla has wrong shortcut keys (Bug 18024). Default behaviour, not a bug, although I think it's a misfeature.
- Need to accept 2 different MAC addresses with WG511 (Bug 21840).
- KDE Removable storage: dynamic devices with udev rules, permanent entries in fstab (Bug 126208).

This A22p is still, after 5 years, an excellent laptop. It's my 3rd ThinkPad, and I shall soon buy a 4th. It works well under Mandriva, although there is quite a lot of configuring to do. I'd be more than happy to help anyone else if I can; please do contact me if you have any questions, would like help, or alternatively, if you want to point out a glaring error in the above.

This page is copyright Richard Neill, 2006. It is intended to be helpful to the community who have given me so much of their help, and is hereby released under the GNU Free Documentation License; the code snippets are additionally released under the GNU GPL. Redistribution, translation, copying, wiki-fying etc. is encouraged. If you wish to link back to this page, please link to.

Footnote: Linux is a registered trademark of Linus Torvalds. However, in most cases above I am using the word as shorthand for GNU/Linux.