Friday, August 19, 2005

Making ntsysv/chkconfig compatible rc scripts

To make a startup/shutdown script that can be used with ntsysv or chkconfig, the script must follow the template:
#!
#
# chkconfig: runlevel startpriority stoppriority
# description: brief, possibly multi-line description \
# follows

For example:
#!/bin/bash
#
# Init file for OpenSSH server daemon
#
# chkconfig: 2345 55 25
# description: OpenSSH server daemon

Sharing the GNOME desktop

GNOME now has a built-in VNC service called vino. It's there in Applications->Preferences-> Remote Desktop. Unlike VNC server, the display number used with this desktop is :0.

Resizing mounted partitions

Starting with kernel version 2.6.10, you can resize ext3 partitions using the resize2fs program (part of e2fsprogs). While resize2fs could be used to shrink and grow ext3 partitions, the one bundled with e2fsprogs-1.36+ can apparently resize even mounted partitions! Woo hoo!

Monday, August 08, 2005

Configuring X Window

Each distribution seems to have its own thing for configuring X:
xf86config
Standard X Window configuration tool
system-config-display
Red Hat/Fedora X-window configuration tool
redhat-config-xfree86/Xconfigurator
Older Red Hat and Fedora versions
sax
Suse Linux

CD recording stuff

Detecting the CD recorder

cdrecord -scanbus

To burn a CD

cdrecord -v dev=0,0,0 driveropts=burnfree -multi -eject speed=2 archive.iso
Omit the -multi if it's a single session CD.

To burn a multisession CD

First burn:
cdrecord -v dev=0,0,0 driveropts=burnfree -multi -eject session1.iso
For subsequent burn:
First create the ISO
Place the CD in the drive. Execute
cdrecord dev=0,1,0 -msinfo
0,27139
mkisofs -o session2.iso -Jr -V Session2 -C 0,27139 -M 0,0,0 /path/to/files/

Alternately:
mkisofs -o session2.iso -Jr -V Session2 -C $(cdrecord dev=0,1,0 -msinfo) -M 0,0,0 /path/2/files/

Now burn (dropping the -multi for the last burn):
cdrecord -v dev=0,0,0 driveropts=burnfree -multi -eject session2.iso

Simplify the cdrecord command line

To keep the cdrecord command line simple, put common options in /etc/default/cdrecord:
#/etc/default/cdrecord
CDR_DEVICE=0,0,0
CDR_SPEED=2

Now the command line can be greatly simplified to:
cdrecord archive.iso

To erase a CD-RW

cdrecord -v dev=0,0,0 blank=all
where
-v
verbose
dev
cdrom device (detected using cdrecord -scanbus)
blank=all
blanks the entire disk.

Creating a hybrid ISO

mkisofs -a -J -r -v -V vol_label -L -o img1.iso ~/cds/cd0/
where:
-a
Include all files on the ISO9660 file system. Files that contain '~' or '#' will be included.
-r
Use rockridge naming conventions
-J
Generate Joliet directory records in addition to iso9660.
-L
Allow file names to begin with a period.
-o outputfilename
output file name.

Test the created ISO by mounting it with mount -o loop.

Friday, August 05, 2005

Changing role in SELinux enabled FC4

To run a command with a different role, first use newrole to change the role. For example, to switch to the sysadm_r role:
newrole -r sysadm_r

Enabling public_html for Apache in FC4

To enable per-user web directories on SELinux enabled FC3+, edit /etc/httpd/conf/httpd.conf:
  • Comment out the line UserDir disable
  • Add UserDir public_html.
  • Save the file and run service httpd reload
Each user who needs web directories must do the following:
  • Create ~/public_html, and populate it.
  • Change perms with chmod
  • Change the security context of the folder recursively:
    chcon -R -t httpd_user_content_t ~/public_html/
At this point, it should work. If it does not, check to see that the Boolean that enables user home directories is enabled:
  • Run system-config-securitylevel
  • Under the SELinux tab within the Modify SELinux Policy area: enable Allow HTTPD to read home directories.
  • Alternatively, execute
    setsebool httpd_enable_homedirs true

Preventing console message flooding

To prevent kernel messages flooding the console:
dmesg -n 1

Thursday, August 04, 2005

SE Linux essentials (FC3)

Bare minimal SElinux:
  • SELinux in FC3 uses a targeted policy by default. One could opt for a strict policy too, which was default with FC2. The policy files needed are in these RPMs
    • selinux-policy-strict-.rpm and selinux-policy-strict-sources-.rpm
    • selinux-policy-targeted-.rpm and selinux-policy-targeted-sources-.rpm
    The policy source resides in /etc/selinux/policyname/src/policy, when it is installed, and the binary policy file is in /etc/selinux/policyname/policy.
  • Use system-config-securitylevel to change SELinux based settings.
  • The ls command's -Z option will display the security context of a file
  • The id command's -Z option will display the security context of a user
  • The ps command's -Z option will display the security context of a process.
  • Don't take policy switching lightly. Unless of course, it's for learning :)
  • To change the policy - easy way - run system-config-securitylevel, change the policy and reboot.
  • To change the policy manually -
    1. Edit /etc/selinux/config and change the type of policy to SELINUXTYPE=policyname.
    2. Set the mode to permissive. SELINUX=permissive.
    3. Tell the init scripts to relabel the system on reboot with the command touch /.autorelabel.
    4. Reboot the system.
    5. Confirm your changes took effect with the command sestatus -v. With the new system running in permissive mode, check /var/log/messages for avc: denied messages. Fix any problems.
    6. When you are satisfied that the system runs stable under the new policy, enable enforcing by changing SELINUX=enforcing. You can either reboot or run setenforce 1 to turn enforcing on in real time.
  • Ordinary backups will not back up the security contexts, which are stored as extended attributes. Use star to back up files on an SELinux protected system. In particular, use the -xattr and -H=exustar options. Eg:
    star -xattr -H=exustar -c -f ../test.star ./*
  • The variable SELINUX in /etc/selinux/config can take the values disabled, enforcing, or permissive. Booting the kernel with enforcing=0 is the same as SELINUX=permissive. Similarly, booting the kernel with enforcing=1 is the same as SELINUX=enforcing.
  • As a safer alternative to booting with selinux=0, use SELINUX=disabled in /etc/selinux/config.
  • To temporarily turn off the enforcing mode, use setenforce 0. To return to enforcing mode, setenforce 1.
  • To turn off selinux at bootup, add selinux=0 to your kernel command line. Note that if you boot with selinux=0, any files you create while SELinux is disabled will NOT have SELinux context information. If booting with selinux=1 fails, relabel the files with a touch /.autorelabel and reboot into single user mode.
  • /usr/sbin/sestatus -v displays status info about SELinux
  • To relabel a directory, use restorecon -v -R /path.
  • If you have file systems shared by both SELinux enabled and non-SELinux machines - eg a dual-boot Suse and FC4 sharing the same /home, it sort of spells trouble when booting into SElinux as it may require relabelling.
  • Mounting a non-SELinux file system via NFS results in SELinux treating all the files in the share as having a context of nfs_t. To override the default context to say, system_u:object_r:tmp_t to SELinux:
    mount -t nfs -o context=system_u:object_r:tmp_t server:/shared/foo /mnt/foo
  • To change and load the security policy:
    cd /etc/selinux/targeted/src/policy
    make clean
    make load
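
Step 5 of the manual policy change above says to check /var/log/messages for avc: denied messages. One way to condense them into "which domain was refused what", as an added example that is not from the original post; the log lines are constructed, and the names sample_messages and avc_summary are made up for this example:

```shell
#!/bin/sh
# Added example: group "avc: denied" lines by source type, target type,
# object class and permission, so recurring denials stand out.

# Constructed sample in the FC3-era syslog layout (not from a real host).
sample_messages() {
    cat <<'EOF'
Aug  4 10:12:01 fc3box kernel: audit(1123150321.101:0): avc:  denied  { read } for  pid=2101 exe=/usr/sbin/httpd name=index.html dev=hda2 ino=41001 scontext=root:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
Aug  4 10:12:03 fc3box kernel: audit(1123150323.417:0): avc:  denied  { read } for  pid=2101 exe=/usr/sbin/httpd name=about.html dev=hda2 ino=41002 scontext=root:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
Aug  4 10:12:09 fc3box kernel: audit(1123150329.006:0): avc:  denied  { getattr search } for  pid=2101 exe=/usr/sbin/httpd path=/home/alice dev=hda2 ino=40960 scontext=root:system_r:httpd_t tcontext=user_u:object_r:user_home_dir_t tclass=dir
Aug  4 10:13:00 fc3box sshd[2290]: Accepted password for alice from 192.0.2.10 port 40022 ssh2
EOF
}

avc_summary() {
    # $1: log file to scan, e.g. /var/log/messages
    # Output: "<count> <source type> <target type> <class> <permissions>"
    awk '
    /avc:[ ]+denied/ {
        perms = ""; s = ""; t = ""; c = ""
        # The denied permissions sit between the braces.
        a = index($0, "{"); b = index($0, "}")
        if (a > 0 && b > a) {
            perms = substr($0, a + 1, b - a - 1)
            gsub(/^ +/, "", perms); gsub(/ +$/, "", perms)
            gsub(/ +/, ",", perms)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) s = substr($i, 10)
            else if ($i ~ /^tcontext=/) t = substr($i, 10)
            else if ($i ~ /^tclass=/) c = substr($i, 8)
        }
        # Keep only the type, the third field of user:role:type.
        n = split(s, sp, ":"); if (n >= 3) s = sp[3]
        n = split(t, tp, ":"); if (n >= 3) t = tp[3]
        count[s " " t " " c " " perms]++
    }
    END { for (k in count) print count[k], k }
    ' "$1" | sort -k1,1nr -k2
}

# With no argument, run against the constructed sample; otherwise scan $1.
if [ "$#" -eq 0 ]; then
    tmp=$(mktemp) && sample_messages > "$tmp" && avc_summary "$tmp"
    rm -f "$tmp"
else
    avc_summary "$1"
fi
```

On the sample, the top line shows httpd_t refused read on user_home_t files, which is the case the chcon and httpd_enable_homedirs steps in the public_html tip address.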

Upgrading CentOS 4.0 to CentOS 4.1

CentOS 4 is basically Red Hat Enterprise Linux 4. I just upgraded it to CentOS 4.1 from the rpms using these steps:

  • Download the rpms from CentOS/4.1/os on any mirror.
  • Download the updates from CentOS/4.1/updates on any mirror.
  • Download any extra modules that depend on the kernel version. In my case, I had to download linux-ntfs rpms for the 2.6.11ELhugemem kernel.
  • Disable selinux using
    setenforce 0
    (Failing to do this made the rpm postinstall fail for some rpm files. Off the cuff, I recall the rpms for bzip2-libs, and krb5-* failing.)
  • From the directory containing the 4.1 rpms, run
    rpm -Fvh *.rpm
    You do need a lot of free disk space for this to work. Alternately, freshen a few rpms at a time :)
  • Now enable selinux with setenforce 1.
  • Reboot in run level 1 so that no services start up
  • Run
    /sbin/fixfiles relabel
    Alternately, to speed things up, you can also use
    /sbin/restorecon -R pathname
    to recursively restore security context on the specified path - in my case /lib and /usr/lib were definitely affected. I opted for the fixfiles approach rather than weed out directories individually.
  • Change to the normal runlevel
That's all there is to it :-)

Monday, July 25, 2005

Adorning links in HTML with images

Not really linux - more HTML+CSS stuff :-) I always wondered if it would be too painful to get images next to links like the way they have in some wikis. Seems for every HTML problem, there's a CSS solution lurking, just waiting to jump out :-) You need to do something like this:
<style>
.whatever {
background-color: transparent;
background-image: url(imgfilename);
background-attachment: scroll;
background-repeat: no-repeat;
/* Change following to 'right' instead of 'left' if you need it right aligned. */
background-position: left;
/* Change following to 'right' instead of 'left' if you need it right aligned. */
padding-left: 18px;
}
</style>
<body>
... Testing <a class="whatever" href="...">links</a>
</body>

I'll probably separate out the HTML stuff from this blog if there are too many of these HTML tips.

Friday, July 22, 2005

Installing grub on removable media

Grub is a really nifty boot loader. I especially love two things about it:
  • A command-line interface
  • No reinstallation for kernel changes
Even if the OS boot loader gets knackered, you can probably restore it if you have a grub floppy.

Installing grub on a floppy
Here's how to get grub on a floppy:
  • Kiss the prior contents of the floppy goodbye ;-)
  • Change to the directory /usr/share/grub/i386-redhat (on fedora) or /usr/lib/grub (on Suse) or /usr/share/grub/i386-pc if you built and installed grub yourself
  • Execute the commands:
    dd if=stage1 of=/dev/fd0 bs=512 count=1
    dd if=stage2 of=/dev/fd0 bs=512 seek=1
You ought to be able to get a grub prompt on booting with this disk.

Here's another way to do the same thing - not so destructively
  • Mount an ext2-formatted floppy to say /mnt/floppy
  • Copy the contents of the /usr/share/grub/i386*/{stage1,stage2,e2fs_stage1_5} to /mnt/floppy/boot/
  • Optionally create a /mnt/floppy/boot/menu.lst
  • Execute grub-install --root-directory=/mnt/floppy fd0
  • Umount the floppy
If you don't have grub-install, or are paranoid about using it, there's yet another way - boot into a grub prompt either using a floppy created using the destructive way outlined above, or on some machine with grub installed on the hard disk. Drop to a grub prompt. Then place the ext2 floppy in the drive and execute:
root (fd0)
setup (fd0)
You ought to have a grub-bootable on your hands now. I think the grub-install part ought to work with USB drives as well tho' I haven't really tried it.

Installing grub on a CD
  • mkdir -p iso/boot/grub
  • cp /usr/share/grub/i386-*/stage2_eltorito iso/boot/grub
  • Optionally create a iso/boot/grub/menu.lst.
  • Create an iso image:
    mkisofs -R -b boot/grub/stage2_eltorito -no-emul-boot \
    -boot-load-size 4 -boot-info-table -o grub.iso iso
  • Burn the grub.iso image to cd.
Hopefully if all goes right, you have a bootable grub CD. Of course, try this with rewriteable CDs if you *really* need to be sure :)

Unzipping large files in Linux

Infozip's Unzip program has certain file size limits. It may not support files whose unzipped size is larger than 4GB and instead produce this error:
skipping: yeas3/yeas3.TRC need PK compat. v4.5 (can do v2.1)
Support for unzipping large files will come with Unzip 6.x - the current version is 5.52.
So what if you want to unzip a large file on unix *now*? You could either unzip on Windows with any number of utilities (7-zip/PowerArchiver/Izarc) and somehow get the file over to Linux/Unix - or locate the unix version of 7-zip's command line utility (7za) called p7zip. All you need to do is build the executable from source:
make
make install
Then run:
7za x file.zip [filename ...]
Till unzip 6.0 arrives, this one is going to be one fixture on my machine.

Wednesday, July 20, 2005

NSD - Name Server Daemon

Ack! Now here's a good replacement for BIND if your requirements aren't too heavy. It's a high-performance authoritative name server. Being authoritative is good I guess since it
  • separates cached & authoritative data
  • simplifies the software
  • avoids BIND bugs and security flaws
It caters to the security conscious with DNSSEC. I've yet to try it - looks promising, tho'.

Newsforge's 10 commandments of system administration

Newsforge has a nice collection of articles for system administration titled
The Ten Commandments of System Administration

In short:
  1. Thou shalt make regular and complete backups
    Use whatever floats your boat for this one - amanda, rsync, tar, etc.
  2. Thou shalt establish absolute trust in thy servers
    using file integrity tools like tripwire, aide, and afick.
  3. Thou shalt be the first to know when something goes down
    using tools like Nagios, Big Sister and Zabbix
  4. Thou shalt keep server logs on everything
  5. Thou shalt document complete and effective policies and procedures
  6. Thou shalt know what cable goes where
  7. Thou shalt use encryption for insecure services
  8. Thou shalt not lose system logs when a server dies
  9. Thou shalt know the openings into your servers
    using the well-established nmap program.
  10. Thou shalt not waste time doing repetitive and mundane tasks

Thursday, July 14, 2005

TrueType and Mozilla

Downloaded and installed the latest version of Mozilla? You may need to tweak some settings. If you create a new profile, these steps have to be repeated.

  1. In the location bar, type about:config
  2. In the filter bar that appears, type font
  3. Locate the line "font.FreeType2.enable". If the value here is false, change it to true
  4. Edit the /default/firefox.js or /default/unix.js and add a line for each directory with TrueType/OpenType fonts like this:
    pref("font.directory.truetype.1", "/usr/local/share/fonts/TrueType");
    pref("font.directory.truetype.2", "/usr/share/fonts/TrueType");

Now hopefully mozilla will render fonts better. If not, check this page for anything I may have missed out.

Wednesday, July 13, 2005

Changing display managers

To use kdm as the default display manager instead of gdm in Fedora/Redhat/Mandrake distributions, edit /etc/sysconfig/desktop and add DISPLAYMANAGER="kdm" (or just edit the DISPLAYMANAGER line if it already exists.) Mandrake has two versions of KDE display manager - the normal version is kdm, and Mandrake's tweaked version can be referred to with DISPLAYMANAGER="KDE".

For Suse Linux, you need to play with /etc/sysconfig/displaymanager and edit the DISPLAYMANAGER line either using a text editor or the /etc/sysconfig/Editor in YaST.

Friday, July 08, 2005

xargs and maverick tars

Ever had a tar file which didn't have a directory as its top level entry? I really hate these maverick tarballs - I really like the idea of tarballs storing a directory and its contents rather than merely a directory. Why? So that when untarred, it doesn't spew files in the current directory and mess things up. Sybase's ASE tarballs come to mind on this one. Anyways, if you have to clean the mess, it's not a big deal. I use
tar tf filename.tar | xargs rm
Of course, use jtf for filename.tar.bz2 and ztf for filename.tar.gz. :)
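
The xargs rm one-liner above trusts every name in the listing: xargs splits names on whitespace, and rm will also act on absolute or ../ entries that GNU tar would not have written there by default. A stricter cleanup, as an added example that is not from the original post; the function names safe_entries and undo_untar are made up here:

```shell
#!/bin/sh
# Added example: undo an untar in the current directory without trusting
# the member names blindly.

# Pass through only names that stay inside the current directory.
safe_entries() {
    while IFS= read -r entry; do
        case "$entry" in
            ''|/*|..|../*|*/..|*/../*) continue ;;  # empty, absolute, or climbs out
        esac
        printf '%s\n' "$entry"
    done
}

undo_untar() {
    # $1: tarball that was unpacked in the current directory
    list=$(tar tf "$1") || return 1

    # Files first. Reading line by line keeps names with spaces intact,
    # and "--" stops a name such as "-rf" being taken as an option.
    printf '%s\n' "$list" | safe_entries | grep -v '/$' |
    while IFS= read -r f; do
        if [ -f "$f" ] || [ -L "$f" ]; then rm -- "$f"; fi
    done

    # Then directories, deepest first; rmdir leaves non-empty ones alone,
    # so directories that held other files before the untar survive.
    printf '%s\n' "$list" | safe_entries | grep '/$' | sort -r |
    while IFS= read -r d; do
        if [ -d "$d" ]; then rmdir -- "$d" 2>/dev/null || true; fi
    done
    return 0
}

# Usage: sh undo_untar.sh filename.tar   (run from where it was unpacked)
if [ "$#" -eq 1 ]; then
    undo_untar "$1"
fi
```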

grep is good, grep is fun, grep is good for every1

I love the GNU grep over the normal U*x grep. It has a few cool extensions over the POSIX grep. One of them is the -R option that lets you recurse through directories to search for a pattern. That's one of the reasons I've always compiled the GNU grep on U*x machines as well. If there's no option but to use the standard grep, all isn't lost - xargs and find along with grep do the same job. i.e.
find . -type f -print | xargs grep -li "pattern"

It's no fun having three processes to do something instead of merely one, but that's the only option when in a bind.

Which ports in use? Who opened them?

Two questions I frequently get asked are:
  • How do I figure which ports are in use?
  • How do I figure which program is holding this port open?

Q. How do I figure which ports are in use?
A. Every OS with TCP/IP as a network stack includes a command called netstat. Use
netstat -na
to display all open port numbers.

The -a and -n are probably the most portable command options to netstat. You can fine-tune the output - say for example you want to see only TCP ports and not UDP, IPv4 only and not IPv6, etc. Those are pretty OS specific options tho'. For example, Linux's netstat has the option -l to list only listening ports. The netstat version supplied with Windows 2000 or Solaris does not have an equivalent option! It's best to check the help text (man pages on U*x) to determine the supported options.

Q. How do I figure which program is holding port open?
A. Use lsof. In particular, use
lsof | grep "nn"
to figure the process holding the port open. Of course you can also use
lsof| grep -i "progname"
to figure the ports the program progname has open.

It may not be present on all U*x machines, but no big deal - download the sources off ftp://ftp.cerias.purdue.edu/pub/tools/unix/sysutils/lsof and compile. At least you get prebuilt binaries for Linux and Solaris. Other than these platforms, lsof works fine with AIX 5, Apple Darwin 7.7.0, *BSD, HP-UX and Tru64 UNIX 5.1. Sorry, lsof doesn't do Windows. Use Sysinternal's Process Explorer to determine open ports for Windows machines.

Tuesday, July 05, 2005

Screen captures in Unix/Linux

There are several tools around for screen caps in Unix/Linux.

First option:
GNOME users: Use the built-in tool to take a screen shot. You don't even need to launch it. A PrintScreen to take a screenshot of the desktop is enough. Want only a window? Get the window into focus and hit Alt+PrintScreen.

KDE users: ksnapshot is pretty impressive. It too can take images of the desktop or window.

Second option (in order of preference):
gimp: GIMP can take screenshots - gimp1 seems to dither on Solaris 8 tho'. At least on the installation I worked with it didn't work too well. It still worked a lot better than Solaris's own sdtimage.

xv: A fast image viewer - it can also take screenshots. :) The reason it is second in preference is it is shareware - it may not readily be available on the machine.

sdtimage: This tool is available on Solaris only. Not too impressive - kept crashing in Solaris 8 :(

Last option: Use the command line. My favorite in order of preference:
import: Part of ImageMagick's impressive suite.

xwd and convert: xwd can capture X-Window dumps but the format is not understood by most image viewers. ImageMagick's convert however can convert these files into a gif/jpeg/whatever else.

There probably are other means too, but I'm not really aware of any other than the tools mentioned above.

Installing truetype fonts in Suse Linux

Damn! There's no ttmkfdir in Suse 9.1 - I looked, but I couldn't find it. Maybe I'm missing something. :( In any case, the help for installing new fonts is in the Administration Guide, Chapter 4, section 2.

Simply install the fonts in some directory which is a subdirectory of the directories listed in /etc/fonts/fonts.conf. For example, /usr/X11R6/lib/X11/fonts/truetype Alternately, use KDE's font installer from the Kontrol center. Either way the result is the same.

If the fonts are already present in some other partition - for example, the /fonts/ directory on the Windows partition, create symlinks to those fonts using SuSEconfig --module fonts

This is applicable for all font types - bitmap fonts, TrueType and OpenType fonts, and Type1 (PostScript) fonts. It isn't applicable to CID fonts. CID-keyed fonts must be installed in /usr/share/ghostscript/Resource/CIDFont.

In any case, given that ~/.fonts is mentioned in /etc/fonts/fonts.conf in both Red Hat/Fedora and Suse, one of the simplest ways to install fonts - one common to both flavors of Linux - would be to drop the fonts in ~/.fonts.

Friday, July 01, 2005

Displaying multipage fax documents

A received fax is usually a TIFF file - but if it's multi-page, the usual image viewing proggies like gimp, xv, et al do not show more than one page. That's when KFax comes to the rescue - navigation with KFax thru a multi-page document is as simple as using PgUp and PgDn.

Thursday, June 30, 2005

Passwordless logins with SSH

Here's how to login without supplying a password for remote machines running ssh.

  • On the local Unix/Linux host or a local Windows host with openssh installed, execute:
    ssh-keygen -t dsa
  • Use scp to copy the $HOME/.ssh/id_dsa.pub from the local machine to the remote ssh host.
  • Login to the remote ssh host.
  • Append the contents of id_dsa.pub to $HOME/.ssh/authorized_keys.
    cat $HOME/id_dsa.pub >> $HOME/.ssh/authorized_keys
    rm $HOME/id_dsa.pub
  • Ensure permissions on the $HOME/.ssh directory are strictly for the file owner only.
    chmod 700 $HOME/.ssh
    chmod 600 $HOME/.ssh/*
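
The append and permission steps above, wrapped so they can be re-run safely on the remote host. This is an added example, not from the original post; the function name install_pubkey is made up here, and it works the same for any key type's .pub file:

```shell
#!/bin/sh
# Added example: append a public key to authorized_keys without clobbering
# existing entries, and leave ~/.ssh with owner-only permissions.

install_pubkey() (
    # The body runs in a subshell so the umask change does not leak out.
    # $1: public key file (e.g. id_dsa.pub)   $2: home directory (default $HOME)
    pub=$1
    sshdir=${2:-$HOME}/.ssh
    auth=$sshdir/authorized_keys

    [ -s "$pub" ] || { echo "no public key at $pub" >&2; exit 1; }
    # Guard against copying the private half over by mistake.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "$pub looks like a private key; refusing" >&2
        exit 1
    fi

    umask 077
    mkdir -p "$sshdir" || exit 1
    chmod 700 "$sshdir" || exit 1
    touch "$auth" || exit 1
    chmod 600 "$auth" || exit 1

    # If the existing file lacks a final newline, add one so the new key
    # does not get glued onto the last existing entry.
    [ -z "$(tail -c 1 "$auth")" ] || echo >> "$auth"

    # Append (>>) each key line only if that exact line is not there yet,
    # so running this twice does not create duplicates.
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        grep -qxF -- "$line" "$auth" || printf '%s\n' "$line" >> "$auth"
    done < "$pub"
)

# Usage on the remote host: sh install_pubkey.sh $HOME/id_dsa.pub
if [ "$#" -ge 1 ]; then
    install_pubkey "$@"
fi
```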

Alternately, if the local host is Windows and there's no openssh around, then download and install the PuTTY installer - preferably the 0.58 version or higher. Then run the puttygen tool, select the dsa option and press Generate. After the key generation is completed, save the public and private keys. Do the same stuff with the public key as mentioned above. [Urk - I'll complete this later - am running late ]

Wednesday, June 29, 2005

Converting Type 1 fonts for use with Windows

Some Linux distributions like Red Hat and Suse have some fabulous Type 1 fonts for use that Windows users can really drool over. I especially like the URW and Chancery fonts.

If you want to use these fonts in Windows, hop over to the FontForge site and download FontForge. Open the font you wish to convert, select Generate, and choose to convert to either an OpenType or TrueType font. Drop the font in your fonts directory and you're home free. :)

Converting TTF for use with Linux/Unix apps

There are some apps on Linux/Unix that refuse to play nicely with TrueType or OpenType fonts. (The WxWindows library is one that gave me such headaches.) For such programs, the best bet is to convert the TTF to Postscript Type 1 fonts using TTF2PT1. There's even a version for Windows.

After installing TTF2PT1, convert the font to Type 1 using the command:
ttf2pt1 -a -e -llatin1 filename.ttf

For creating fonts for use with Ghostscript:
ttf2pt1 -a -b -llatin1 filename.ttf

You ought to have files suffixed with .afm and .pfa (or .pfb for use with GhostScript) after the conversion completes.

Note that you should NOT do this if the font license disallows such a conversion.
Drop the font in the appropriate directory on Linux/Unix and from that directory, build the fonts.scale and fonts.dir files with
mkfontscale
mkfontdir

If needed, add the directory to the X font path as mentioned in this tip.

Installing truetype fonts in Fedora Core/Red Hat and others

X Window supports many different types of fonts like Adobe Type 1 fonts, TrueType, or OpenType. If you need your OpenType/TrueType fonts accessible in Linux:

mkdir /usr/share/fonts/opentype

Copy the TrueType (.ttf) or OpenType (.otf) fonts into this folder. Now run
ttmkfdir -d /usr/share/fonts/opentype \
-o /usr/share/fonts/opentype/fonts.scale
mkfontdir /usr/share/fonts/opentype


Run chkfontpath to see if the directory we created (/usr/share/fonts/opentype) is present in the list of locations X Window will look for font files. If not, run:
chkfontpath -a /usr/share/fonts/opentype

If chkfontpath is not present, edit /etc/X11/fs/config or /etc/X11/xfs/config (whichever is present). Locate the lines

catalogue = /usr/X11R6/lib/X11/fonts/misc:unscaled,
/usr/X11R6/lib/X11/fonts/75dpi:unscaled,
/usr/X11R6/lib/X11/fonts/100dpi:unscaled,
/usr/X11R6/lib/X11/fonts/Type1,
/usr/X11R6/lib/X11/fonts/Speedo,
/usr/share/fonts/default/Type1,


To this, add /usr/share/fonts/opentype so that the content now appears like:
catalogue = /usr/X11R6/lib/X11/fonts/misc:unscaled,
/usr/X11R6/lib/X11/fonts/75dpi:unscaled,
/usr/X11R6/lib/X11/fonts/100dpi:unscaled,
/usr/X11R6/lib/X11/fonts/Type1,
/usr/X11R6/lib/X11/fonts/Speedo,
/usr/share/fonts/default/Type1,
/usr/share/fonts/opentype,


Now run:
fc-cache
fc-list


Check if the fonts added appear in the list. You can also run xfontsel to check the font list. For a font preview as well, run gucharmap.

If you add new fonts to this directory, run ttmkfdir, mkfontdir and fc-cache again.

Monday, June 27, 2005

Making KBD tags look good

Not directly Linux related, but something I wouldn't like to forget :-)

The Mozilla support site shows keystrokes really neatly. Like this: Ctrl+Alt+Del or Ctrl+W. The style sheet I used is:
kbd {
padding: 0px 1px 0px 1px;
border-width: 1px 3px 3px 3px;
border-style: solid;
background: #faf6f6;
color: #000;
border-color: #edd #baa #baa #eed;
font-size: 10pt;
font-family: monospace;
font-variant: normal;
font-weight: normal;
}

End result is a nice keyboard effect of sorts.

Friday, June 24, 2005

Starting a new X session through KDE

To be able to start a new X session through KDE:
cd /etc/X11/xdm
cp Xservers Xservers.orig

Edit the Xservers file so that it looks similar to this:

...
# you can add them here as well. Each X terminal line should
# look like:
# XTerminalName:0 foreign

# We comment out the following:
# :0 local /usr/X11R6/bin/X

# Add these lines
:0 local@tty1 /usr/X11R6/bin/X -nolisten tcp vt7
:1 local@tty2 reserve /usr/X11R6/bin/X -nolisten tcp :1 vt8
#:2 local@tty3 reserve /usr/X11R6/bin/X -nolisten tcp :2 vt9
#:3 local@tty4 reserve /usr/X11R6/bin/X -nolisten tcp :3 vt10
#:4 local@tty5 reserve /usr/X11R6/bin/X -nolisten tcp :4 vt11


You can then select Start New Session under the KDE menu. KDM and KDE are both needed for this to work. KDE does have its own Xservers file, but on FC at least, it's a symbolic link to /etc/X11/xdm/Xservers.

Transparent Proxying

To make the host a transparent proxy, on the machine connected directly to the ISP, edit /etc/sysctl.conf and set net.ipv4.ip_forward to 1.
Then execute the following:
# sysctl -p
# #Use appropriate network address below
# iptables -t nat -A POSTROUTING \
-s 192.168.10.0/24 -j MASQUERADE
# service iptables save
On other hosts set their default gateway to the transparent proxy's internal IP.

Cool ImageMagick stuff

Make thumbnails with ImageMagick's convert utility using:
convert -resize 25x25% filename.png filename-thumb.png

The convert utility can also convert image formats:
convert file.jpg file.png

Another cool tool in ImageMagick's arsenal which can convert images is mogrify - this one's more useful when there are many images requiring conversion:
mogrify -format jpg *.png

This will annotate an image:
convert -font helvetica -fill white -pointsize 36 \
-draw 'text 10,14 "Garden, Pune"' \
img_314.jpg annotated_314.jpg


To make an image look like it was sketched:
convert -charcoal 2 \
portrait.jpg charcoal-portrait.jpg


To make images out of a pdf file:
convert bigfile.pdf bigfilepages-%03d.png

You can also combine effects:
/bin/convert -size 460x90 xc:transparent \
-font AvantGarde-DemiOblique -pointsize 72 \
-draw "text 10,75 'AvantGarde'" \
-fill darkblue -stroke yellow \
-draw "text 15,70 AvantGarde" test.jpg


This results in an image that looks like

Automounting the USB key

[update: FC3 automounts in GNOME anyways without the hoopla - that new HAL thingy works well with udev. I'll try to get the dratted thingy to work in KDE. The stuff below does NOT work out with FC3 and above.] Add this to /etc/fstab to help the USB key mount automatically in GNOME

/dev/sda1 /mnt/usb vfat \
user,iocharset=utf8,umask=0,sync,quiet,\
exec,codepage=866,noauto 0 0

If you need to automount the USB key, edit /etc/auto.master and add:
/mnt/usb /etc/auto.misc --timeout=60

Then add this line into /etc/auto.misc:
usb -fstype=auto,nosuid,nodev,\
sync,dirsync,mode=777,uid=99,gid=99,umask=000 \
:/dev/sda1

(In the above line, the user nobody has the uid and gid of 99. This is chosen as autofs runs as root.)

Then start/restart autofs :
# chkconfig --level 345 autofs on
# service autofs restart

The USB drive will be mounted/unmounted automatically.

If you want to automount USB flashdrive without using automount:
Plug in your flash drive and look at the tail end of dmesg. If there is something about the usb drive on /dev/sda1, then the following will work if you have devlabel:

$ devlabel add -d /dev/sda1 \
-s /dev/flashdrive --automount \
--perms 666

Edit /etc/fstab and add this line:
/dev/flashdrive /mnt/flashdrive \
auto noauto,noatime,user,kudzu 0 0

Next time your flashdrive is plugged in, it should be automounted at /mnt/usb.

Mounting an 8-in-1 card reader

I'd written this tip down on paper - don't remember the origin.

I recently bought an 8in1 USB card reader. It uses multiple LUNs for the different media. To get all of them registered, edit grub.conf to add the kernel parameter "max_scsi_luns=8". Also add "options scsi_mod max_scsi_luns=8" to /etc/modules.conf. Reboot so the new kernel options take effect. After you plug in the USB card reader, you can use the right mouse button on the root window to get a popup menu with a submenu "drives" that contains entries like "memstick", "memstick1", "memstick2", etc. After you picked one of them, it will be mounted and a new icon appears on your desktop.

Acronym tag and styles

This isn't strictly Linux - but it's kinda nice to know.
Firefox supports tags like ACRONYM and DFN. Here's an example of the ACRONYM tag - HTTP (Hold the mouse over the word HTTP for a few seconds).

In case you're wondering if the appearance you see here is default, it is not. It's been spruced up with this stylesheet.
<style>
acronym {
border-bottom: 1px dashed;
cursor: help;
}
</style>


I've added this to the HEAD section in my blog template.

Thursday, June 23, 2005

Displaying the path in the title bar

The string '\[\e]2;\H:$PWD\a\]' in PS1 will show the hostname and path in the title bar. The single quotes are important. Also, enclosing the string with \[..\] also matters when it comes to screen wrap. It tells the wrapping mechanism to not count the enclosed characters.

If you use double quotes, use \w instead of $PWD. I like $PWD because it shows the full path and not '~' if the current dir is the home dir.

Another way to do this in bash is by placing the string in PROMPT_COMMAND. Don't use this unless echo is a shell builtin.

Get the *bleep* out

The PC speaker beeps irritate.

Here's how to turn the beep off for X window:
xset b off

Here's how to turn the beep off for bash:
Edit .inputrc (or /etc/inputrc if you want this systemwide) to reflect:
set bell-style none
Set the bell-style to visual if you want a visual bell instead.

For vim, edit the .vimrc to contain
set visualbell

Running Java apps on FC4 with Sun's JVM

The FC4 release notes advise to not install Sun's JRE rpms, but the self-xtractors instead. If you have these installed, you need to tell certain Java apps to use Sun's VM.

Edit /etc/profile.d/java.sh and type
export J2RE_HOME=/opt/jre1.5.0_03
export PATH=$J2RE_HOME/bin:$PATH

At the prompt, execute . /etc/profile.d/java.sh

Then execute:
alternatives --install /usr/bin/java java /opt/jre1.5.0_03/bin/java 2
alternatives --config java
Output
There are 2 programs which provide 'java'.
Selection Command
---------------------------------------------
*+ 1 /usr/lib/jvm/jre-1.4.2-gcj/bin/java
  2 /opt/jre1.5.0_03/bin/java
Enter to keep the current selection[+], or type selection number:
2

/usr/sbin/alternatives --display java


You should see:
java - status is manual.
link currently points to /opt/jre1.5.0_03/bin/java

NVidia on FC4

Again, I got this off the Fedora Core 4 installation notes for us blokes with nVidia cards:

Download the appropriate driver from Nvidia's unix drivers page.

Change to runlevel 3.

Remove the "rhgb quiet" from /etc/grub.conf to disable the "Red Hat Graphical Boot"

Edit /etc/X11/xorg.conf. In the "module" section, comment out the load "dri" entry. In the "device" section, change "nv" to "nvidia".

Add the line /sbin/modprobe nvidia to /etc/rc.local.

Disable SELinux enforcement with /usr/sbin/setenforce 0 (this switches SELinux to permissive mode until the next reboot).
Execute sh nameOfNvidiaDriverInstaller.run

Reboot.

You should see the nVidia splash screen when Fedora reboots.

To get the graphical boot back:
cp -a /dev/nvidia* /etc/udev/devices
chown root:root /etc/udev/devices/nvidia*

Remove the modprobe nvidia line from /etc/rc.local
Add the "rhgb quiet" back to grub.conf

Note that upgrading the kernel requires this whole procedure to be followed again!

Troubleshooting
If the driver installer complains about differing versions of gcc and the version the kernel was compiled with, do this:
sh nameOfNvidiaDriverInstaller.run --extract-only
# the extracted directory is named after the installer, without the .run suffix
cd nameOfNvidiaDriverInstaller

#I think this should be gcc40
# for FC4- not sure tho'
make install CC=gcc40 # used to be gcc32 for FC1

Speeding up browsing

Haven't verified this - found it on the Fedora Core 4 installation notes over at FedoraNews.org. Edit /etc/modprobe.conf so that it contains

alias net-pf-10 off
alias ipv6 off


Apparently this will speed up browsing and file transfers by decreasing DNS lookup time.

Enabling the slocate Database on FC

To make sure updatedb creates the database used by locate, enable the database creation by setting DAILY_UPDATE to yes in /etc/updatedb.conf.

FC4 system call auditing

Boot the kernel with audit=1 to enable system call auditing. Alternately, enable auditing with the command:

# auditctl -e 1
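A way to confirm the setting took effect, as an added example (not from the original post): it parses the status report printed by auditctl -s, accepting both the single-line and the one-field-per-line layout, and checks a kernel command line for audit=1. The function names are hypothetical, and it goes slightly beyond the text by also reporting the value 2, which auditctl uses for an enabled and locked configuration.

```shell
# audit_enabled: read `auditctl -s` output on stdin and print the value of
# the "enabled" field. Handles "enabled=1" (all fields on one line) and
# "enabled 1" (one field per line).
audit_enabled() {
    awk '{ for (i = 1; i <= NF; i++) {
             if ($i ~ /^enabled=[0-9]+$/) { sub(/^enabled=/, "", $i); print $i; exit }
             if ($i == "enabled" && $(i + 1) ~ /^[0-9]+$/) { print $(i + 1); exit }
           } }'
}

# audit_state: translate the numeric value into a word; fail on anything else.
audit_state() {
    case $(audit_enabled) in
        0) echo disabled ;;
        1) echo enabled ;;
        2) echo locked ;;
        *) echo unknown; return 1 ;;
    esac
}

# boot_requests_audit CMDLINE: succeed when the kernel command line has audit=1.
boot_requests_audit() {
    case " $1 " in
        *" audit=1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# On a live system (as root):
#   auditctl -s | audit_state
#   boot_requests_audit "$(cat /proc/cmdline)" && echo "audit=1 set at boot"
```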

Firefox bookmark tips

Ok, this isn't exactly Linux, but FF is a linux app so...

In a bookmark's properties, enter a keyword. You can then use the keyword instead of the full URL in the location bar and awayyy we go...

For sites that use GET to submit search forms, note the URL at the time of submitting. E.g.:
http://www.google.com/search?q=search+item
Bookmark the URL and edit the bookmark properties. Substitute a %s in place of the search item. The URL will now be http://www.google.com/search?q=%s.

Assign a keyword - like 'google' to this item. In the location bar type
google searchitem
and we end up straight on the results page.

Wednesday, June 22, 2005

Extended File System Attributes

Clean forgot there was something called extended attributes. This jogged my memory a bit. In summary: for ext3 or xfs, add the user_xattr option while mounting. E.g. in /etc/fstab, edit the lines that mount ext3 or xfs file systems like this:
/dev/hda1 / ext3 defaults,noatime,user_xattr 0 1
Then remount the partitions:
mount -o remount,user_xattr /
Then use setfattr and getfattr to set/get extended attributes.
  • Create an attribute 'testing' in the 'user' namespace: setfattr -n user.testing -v "this is a test" test-1.txt
  • Delete the attribute: setfattr -x user.testing test-1.txt
  • Retrieve the attribute: getfattr -n user.testing test-1.txt
  • Backup all extended attributes: getfattr --dump * > data_file
  • Restore all extended attributes: setfattr --restore=data_file
And oh, if you don't have setfattr and getfattr, you can get the sources from the SGI site or look for 'attr' on rpmseek or rpmfind.net

Checking Fedora Core CD Media

Checksum Fedora Core ISOs prior to burning them with md5sum (FC3 and earlier) or sha1sum (FC4 and later). When installing Fedora Core off CD media do a mediacheck. Recommended way to do the media check:
boot: linux mediacheck ide=nodma
So far I've not been using ide=nodma - which may explain the reason I've got a failure on working discs as well.
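The pre-burn checksum step as an added example (not from the original post): a helper that compares an ISO's SHA-1 against a checksum list and treats a missing entry as a failure instead of passing silently. The function name verify_iso and the file names in the usage comment are hypothetical, and it assumes file names without spaces.

```shell
# verify_iso ISO SUMFILE
# Returns 0 only when SUMFILE lists the ISO's base name and the listed SHA-1
# matches the file. Returns 1 on a mismatch and 2 when there is no entry.
verify_iso() {
    iso=$1
    sums=$2
    name=$(basename "$iso")

    # Checksum lines look like "<hex digest>  <file name>"; a '*' in front of
    # the name marks binary mode and is ignored for the comparison.
    expected=$(awk -v n="$name" '{
        f = $2; sub(/^\*/, "", f)
        if (f == n) { print tolower($1); exit }
    }' "$sums")

    if [ -z "$expected" ]; then
        echo "$name: no entry in $sums" >&2
        return 2
    fi

    actual=$(sha1sum "$iso" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "$name: SHA-1 mismatch" >&2
        return 1
    fi
    echo "$name: OK"
}

# Usage (hypothetical file names):
#   verify_iso FC4-i386-disc1.iso SHA1SUM && cdrecord -v dev=0,0,0 FC4-i386-disc1.iso
```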