Category Archives: Distributions

Managing SSH keys with Conary

Since we “eat our own dogfood” here at rPath, our IT department uses a Platform-as-a-Service model.

They maintain their own platform that contains all the bits required on all the systems, like a baseline. As a consumer of the platform, all I have to do is add my own software.

In this case, I was basing my Jira product on IT’s custom platform.

IT wants their standard SSH keys (for their own access, as well as for automated backups) on all their machines. But I also want SSH access (and my SSH key) on my appliance. Since one cannot share /root/.ssh/authorized_keys among multiple packages, Conary’s tag handlers to the rescue!

Foresight’s development branch now has an ssh-keys package that allows you to manage multiple sources for your ssh keys.

To manage your keys with Conary, all you need to do is drop your SSH public keys in /etc/ssh/keys.d/<username>/<somename>.pub within a Conary package that has a build requirement on ssh-keys:runtime (so that the file is properly tagged).

When the file gets installed, ssh-keys’ tag handler will append the file to the user’s authorized_keys file, thus granting you access.

Key removal is not yet done, although it would not be hard at all to implement.
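Because the handler only appends, a key stays in authorized_keys after the package that shipped it is gone. The sketch below is an added example, not the ssh-keys package's tag handler: it rebuilds a marked block of authorized_keys from /etc/ssh/keys.d/<username>/*.pub, so deleting a .pub file also revokes the access it granted. The function name sync_keys, the marker comments, the key-type allow-list and the ROOT prefix argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not the ssh-keys tag handler): rebuild a managed block of
# authorized_keys from keys.d so removed .pub files stop granting access.
BEGIN_MARK='# BEGIN keys.d managed keys'
END_MARK='# END keys.d managed keys'
# Constructed allow-list of key line shapes; lines with options are rejected.
KEY_RE='^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'

# sync_keys ROOT USER HOME  (ROOT is a path prefix: "" live, a temp dir in tests)
sync_keys() {
    root=$1; user=$2; home=$3
    src="$root/etc/ssh/keys.d/$user"
    dir="$root$home/.ssh"
    auth="$dir/authorized_keys"
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    tmp=$(mktemp "$dir/authorized_keys.XXXXXX") || return 1

    # Keep hand-added keys: copy everything outside the managed block.
    if [ -f "$auth" ]; then
        awk -v b="$BEGIN_MARK" -v e="$END_MARK" '
            $0 == b { skip = 1; next }
            $0 == e { skip = 0; next }
            !skip' "$auth" > "$tmp"
    fi

    # Regenerate the block from the packaged files, dropping malformed
    # lines and duplicates.
    {
        echo "$BEGIN_MARK"
        for f in "$src"/*.pub; do
            [ -f "$f" ] || continue
            grep -E "$KEY_RE" "$f" || true
        done | awk '!seen[$0]++'
        echo "$END_MARK"
    } >> "$tmp"

    # sshd's StrictModes checks modes and ownership of these files.
    chmod 600 "$tmp" && mv "$tmp" "$auth"
    # Ownership for non-root users is left to the caller (chown).
}

# Stand-alone use: sh sync_keys.sh "" root /root
if [ "$#" -eq 3 ]; then sync_keys "$@"; fi
```

Running it again after a package removes its .pub file drops that key from the managed block while leaving manually added lines untouched.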

ext2online is gone

I used to use ext2online in conjunction with LVM whenever I had to resize a partition that was already mounted. I haven’t had to do that in a while, so I was surprised that I couldn’t find ext2online anymore.

Turns out more modern versions of resize2fs already know how to do that. Not the ones from e2fsprogs=conary.rpath.com@rpl:1, but I was able to install e2fsprogs=conary.rpath.com@rpl:devel into a temporary root and run the new resize2fs from there. Yay.

Random bits

Apparently I didn’t get in the habit of blogging short entries often.

Today liferea notified me there is a new release of WordPress that I should upgrade, so I figured I might as well post something.

First off, liferea is slowly becoming a habit. I use it to track announcements about new software (see paragraph above), keep in touch with my friends, read news from /. and some other news sites. To the point that I now have to see how I can replicate the feeds on all of my computers. Maybe I should try a news reader from yahoo.

A lot of exciting things happened. We’ve finished upgrading rPath’s issue tracker, Jira, to the latest version. And we did it in an eat-your-own-dogfood way: it’s a software appliance living on a Xen machine, as a domU. I was involved in this initially just for the Mercurial plugin for Jira, but figured we might as well go to the latest version of Jira. I had to fix several other plugins that were broken by API changes (yes, I wish you didn’t have to touch plugins to make them work on newer versions). It’s pretty cool: if you reference a Jira issue in your Mercurial commit message, it will get indexed by Jira and linked to the issue (viewable as the Mercurial Commits tab). This link is an example.

The software appliance lets you isolate the application from the base operating system, and it makes it trivial to update it. No mess left on the host operating system either. I know package managers are supposed to help there, I’ve been installing rpm packages for almost 10 years now, trying to achieve that. But the very moment you deploy the system in a production environment, you know things get installed that you didn’t plan for. Conary helps a lot here.

I am looking forward to version 0.45 of Inkscape to land in Foresight. The screenshots look awesome. Ken promises he’ll have it committed in a couple of hours. It’s very nice to have the latest and greatest software, and Foresight is doing a great job there. A big thanks to the Foresight community and to Ken for making Foresight a great distribution – which DistroWatch reviewed yesterday.

On the personal front, we’ve been unhappy with my daughter’s school (or maybe looking for a reason to move into a larger home). At any rate, we’re in negotiations for the repairs the seller has to perform before we close. This is exciting. Except for the hour I spent today with the heating technician inspecting the gas pack in a chilly 18 degrees Fahrenheit. And for the amount of siding that has to be fixed. Hopefully we’ll get to an agreement on this. But I had to spend a lot of time on the phone with lenders, insurance agencies, inspectors, real estate agents and such.

Lazy…

Wow, almost a month from the previous post. If blogging were one of my New Year resolutions, I’d be behind already.

Anyway, I was pretty busy lately. We had friends visiting for Christmas, more friends visiting between Christmas and New Year, and an orienteering event at Lake Johnson to organize.

I’ve been playing with vmware quite a bit lately, partly for my work with software appliances (which are a very cool concept) and for Condes, the Orienteering course editor. I initially tried to run Condes under wine, and it installs and starts, but for some unknown reason all features on the map are drawn with extra thick lines/points, so everything becomes unreadable. I believe it is something in the way Condes displays OCAD maps. Otherwise, Condes can be run in Windows under vmware, but it’s slower. I’ve found a thread about Condes on Linux here, and I’ve chimed in, let’s see how much interest my experience generates.

I’ve also dipped my toes in the murky waters of Java programming, working on porting some jira plugins to the latest and greatest, version 3.7.1. I haven’t decided yet if I like maven or not. The fact that maven2 is not backwards compatible with maven1 (and doesn’t complain if it can’t find the .pom file) makes me a bit hesitant. Also, packaging Java applications feels weird: each application ships with all the jar files. Sure, you remove the inter-dependency between applications, you can now independently upgrade one without touching the other, but if you have a security issue and have to patch version X of a jar file, you’re dead in the water since there are no good ways you can list all applications that use a jar (that I could find, at least). That’s my 10k foot view of a subject I am not familiar with, so take it with as much salt as you like.

Back to software appliances. Isn’t it nice that when you need a PostgreSQL database server, you just go and download a PostgreSQL appliance that you unzip and start using vmplayer or xen and run it as a server? It even comes with phpPgAdmin, so you can do all the administration remotely. It literally takes a few minutes to have something up and running and not worry about extra packages you have to install, extra hardware to solve possible security problems etc.

One final gripe. I spent an hour last night with someone from Fidelity trying to understand where some of my ESPP stock has gone. To make the story short, they will gladly lose history of your purchases because the software that does the transactions uses an “oldest first” policy. Enough said. Your assets are still there, it’s not like you lose money, but you do lose important historical information.

The Battle of Wesnoth

After reading an article about Linux games I’ve found out about The Battle of Wesnoth. It was ranked as #1, with Frozen Bubble (which I played before on my Fedora system).

Being tired of chasing 3 very strange bugs I’ve been working on for the past 3 days or so, I’ve decided to package the games for Foresight. I’ve only managed to get to wesnoth. You can get it from the foresight.rpath.org@fl:1-contrib branch.

Frozen bubble has a ton of dependencies, I have to build those first.

gnucash 2.0.2 for Foresight

Yesterday I finally got around to transferring the recipes from my private Conary repository into the foresight.rpath.org@fl:1-devel branch. Everything is now built, you should be able to use the above label to try out the newer gnucash.

Some of the intricacies included:

  • newer guile and slib packages conflict with umb-scheme. You’ll have to get rid of umb-scheme.
  • gnome-games needed to be recompiled against the newer guile.
  • guile and slib are pretty evil to compile, I had to use tag handlers. You have to start somewhere :-)
  • I have split the HBCI support into a different package, gnucash-hbci. The reason for that was the extra dependency on aqbanking which was pulling in the KDE libraries.
    This extra package would allow you to do online banking with Gnucash, if your bank supports the OFX protocol (and most do, except that you will not get that information from the bank). Follow this link to learn more than you wanted to know about the mess.

Happy managing of your financials! :-)