Puppet is a¹⁾ powerful open source tool to automate the configuration of and software management on Unix-like²⁾ operating systems. This posting is a distillate of the resources I collected during my Puppet learning phase. I hope it helps to get an overview about what Puppet can do for you and how to use it (plus providing existing Puppet users some new ideas or tips).

Selected slides and presentations (overview, use-cases, experts, tips)

• Puppet for dummies - ZendCon 2011 Edition
• Developing infrastructures with Puppet (JS slides, use the ← and → key)
• Being a Puppet Master: Automating Amazon EC2 with Puppet & Friends
• Puppet 101 - Puppet @ Stanford University
• Lessons learned when introducing puppet in an existing large scale corporate environment
• Puppet at Loggly
• Are we compliant?
• A Puppet Approach To Application Deployment And Automation In Nokia
• Puppet Modules Standards and Interoperability
• Kickstart & Puppet, Booking.com
• Puppet at High Scale

Read more…

Since PHP5, methods can return objects (including $this). This enables you to chain the method calls after preparing your class by returning the object itself. Therefore, “Method chaining” may save you e.g. much copy & paste or chars to type, reducing typing time for dozens of $obj->method() calls.

<?php
 
//common way
class foo {	
    public function one() {
        echo "one ";
    }
    public function two() {
        echo "two ";
    }
    public function three() {
        echo "three\n\n";
    }
}
$object = new foo();
$object->one();
$object->two();
$object->three();
 
 
//with method chaining (note the "return $this;")
class bar {	
    public function one() {
        echo "one ";
        return $this;
    }
    public function two() {
        echo "two ";
        return $this;
    }
    public function three() {
        echo "three\n\n";
        return $this;
    }
}
$object = new bar();
$object->one()
       ->two()
       ->three();
?>

I did not made any performance measurements right now… so I can't say if method chaining is faster/slower in common environments or not. And to be honest, I don't use method chaining for myself:

• You simply can't see if a class supports method chaining without trying it or looking at its source.
• The need for all these return $this; within the class methods.
• IMHO, both reasons are leading to inconsistent coding styles and behaviors in real world applications containing 3rd party classes.

The interface of Google Groups implies that you can only subscribe with a Google Account and its email address. But even Google makes it harder than it should be, it is possible to use any other valid email address to subscribe. You just have to call the subscription page manually by editing a URL:

http://groups.google.com/group/name-of-the-group/boxsubscribe?email=your-url-encoded-email-address

Just substitute the following:

• name-of-the-group → the group you want to subscribe to
• your-url-encoded-email-address → your url-encoded email address

I just released updated versions of the following DokuWiki templates:

• vector – current MediaWiki/Wikipedia look and feel.
• monobook – traditional MediaWiki/Wikipedia look and feel.
• prsnl10 – minimalist template, suitable for portfolio and personal websites.
• mnml-blog – minimalist template, suitable for blogging with BlogTNG.

All of them are compatible to “Angua” and its awesome new media manager. Have fun.

Vorgehen, falls man ein PayPal-Konto löschen will:

1. Bei PayPal einloggen und sicherstellen, dass keine Transaktionen mehr offen sind.
2. http://www.paypal.com/cgi-bin/webscr?cmd=_close-account aufrufen.
3. Den Anweisungen folgen und gefühlte tausendmal bestätigen, dass man es mit der Schließung des Kontos ernst meint.

Der Link ist scheinbar nicht mehr direkt über das PayPal-Menü aufrufbar (meiner Erinnerung nach war früher ein entsprechender Punkt unter “Mein Profil” aufgeführt). Aktuell findet man den Link über das interaktive Hilfecenter via Suchwort “kündigen”. Um sich die Sucherei zu ersparen sei der Direktlink hier für's “Archiv” verbloggt.

Some userspace programs got problems with the 2.6.x→3.x kernel numbering transition. To prevent the need to fix everything at once, the Fedora developers decided to ship 3.x kernels as 2.6.4x on Fedora 15 Lovelock and use the correct numbering scheme on Fedora releases ≥16 Verne.

This kernel version numbering hack makes some problems with the current VirtualBox 4.1.6 on Fedora 15: /etc/init.d/vboxdrv setup exits with an error (/var/log/vbox-install.log says that recompiling VBoxPci-linux.o failed). The reason is simple: A check thinks that the running kernel 2.6.41.1 is older than 3.1. Therefore the wrong header file gets included (asm/amd_iommu.h instead of linux/amd-iommu.h).

Quick fix to get your VirtualBox working again:

1. Open the belonging source code file as root:

   $ su -
   $ gedit /var/lib/dkms/vboxhost/4.1.6/source/vboxpci/linux/VBoxPci-linux.c

2. Search for

   #if LINUX_VERSION_CODE < KERNEL_VERSION(3, 1, 0)
   # include <asm/amd_iommu.h>
   #else

   (~line 37) and replace it with

   #if LINUX_VERSION_CODE < KERNEL_VERSION(3, 1, 0)
   # include <linux/amd-iommu.h>
   #else

3. Recompile the needed modules:

   $ su -c '/etc/init.d/vboxdrv setup'

If you are searching for a powerful laptop to run Fedora 15 Lovelock on, have a look at the Lenovo ThinkPad T420 4180W1G/4180PH1.¹⁾ It simply rocks. All the internal peripherals are working out of the box (LAN, WLAN, graphics, sound, microphone, webcam, volume up/down and mute buttons, brightness control buttons, eSATA…). The Intel HD3000 processor graphics runs smoothly. Even no problems with external monitors up to a 2560×1600 resolution or when using both the built-in screen plus an external monitor connected to the Mini Dock Series 3 45N6678 docking station. The Intel Core i5-2520M CPU provides VT-d and VT-x. So everything is fine if you want to run VMs.

Downsides, pitfalls and notes:

• The built-in speakers are really bad, even for a laptop.
• The keyboard shows signs of cosmetic wear after a few weeks of usage.
• Microsoft tax a.k.a. Windows 7 Professional 64bit. At least, you can use the pre-installed Windows to update the laptop's firmware with a few clicks before installing Linux. And the license may be used to run a Windows 7 VM (although the laptop is shipped without installation media, you can download the original Windows 7 ISO images from Digital River).
• I can't tell if the fingerprint sensor and the Class 1 Smartcard Reader are working out of the box because I do not need nor did I test them. But the Smartcard Reader is at least recognized by the OS.
• When using the Mini Dock Series 3 45N6678, the analog sound line-out is not passed-through (everything else works). This means you still have to use the laptop's headphone connector to connect speakers.
• If you are looking for similar models out of the T420 family, you should know that some of them got two graphics adapters (a combination of Intel and NVIDIA). I don't know if these make any trouble or need special configuration because the 4180W1G/4180PH1 comes with Intel graphics only.

Tip for German readers: Studenten, Lehrer, Lehrkräfte und wissenschaftliche Mitarbeiter bekommen das ThinkPad T420 4180PH1 bei Brünings + Sander mit erheblichem Rabatt. Ich habe nichts mit der Firma zu tun und bekomme auch keine Provision. Aber meine Erfahrungen mit B+S waren bisher stets positiv.

The HPC 615 was very popular because of its attractive cost-performance ratio.¹⁾ I just installed Fedora 15 Lovelock on a HPC 615 with AMD Athlon X2, 320GiB HDD, ATI Radeon HD3200 and 4GiB RAM. Everything works out-of-the-box with one exception: Wireless LAN. There was no firmware for the Broadcom BCM4312 WLAN chip. However. Version 4.150.10.5 of the proprietary firmware works like a charm:

1. The B43 firmware cutter tool is used to extract and install the proprietary Broadcom firmware. Use a LAN cable to get internet connection. Open a terminal and install it:

   su -c 'yum install b43-fwcutter'

2. Download the firmware and use b43-fwcutter to extract and install it:

   su -
   cd /tmp
   wget http://downloads.openwrt.org/sources/broadcom-wl-4.150.10.5.tar.bz2
   tar xjf ./broadcom-wl-4.150.10.5.tar.bz2
   cd ./broadcom-wl-4.150.10.5/driver/
   b43-fwcutter -w /lib/firmware/ wl_apsta_mimo.o

   Reboot or restart the network. Your WLAN should work now.

Note: I tried several things before. Known solutions and b43-openfwwf were not able to provide a stable connection when using WPA2. Same for other versions of the proprietary Broadcom firmware.

Font rendering is a matter of taste. However, I personally think Ubuntu's default font rendering is the most eye-pleasing one of the whole Linux eco-system. And if a website's CSS font stack is looking good on Ubuntu, you can be relatively sure that it also works for Mac or MS Windows as long as the used fonts are available on these platforms. It is not hard to get the same font rendering on Fedora. This text is just a bit longer than a few commands because I try to provide additional background information and useful web-search-keywords which you may need if you have other targets than a 100% Ubuntu-like rendering.

To achieve the desired result, you have to know which parameters exist and how to change them. The most important things are:

• Resolution (DPI).
• Font hinting and the used font hinting method.
• Font rasterization. Especially the used anti-aliasing method and its strength.
• The used font rendering engine. The one shipped with Fedora comes without subpixel rendering (more on this later).

So let's look at the defaults applied on Ubuntu 10.10. You can do this on the terminal with xrdb -query:

Xft.dpi:	96
Xft.antialias:	1
Xft.hinting:	1
Xft.hintstyle:	hintslight
Xft.rgba:	rgb
Xft.lcdfilter:	lcddefault

As you can see, Ubuntu is using RGB anti-aliasing with subpixel rendering (lcd-default means “subpixel (LCD)” method) and slight font hinting. Now compare this with the default values on Fedora 15 Lovelock:

Xft.antialias:	1
Xft.dpi:	96
Xft.hinting:	1
Xft.hintstyle:	hintmedium
Xft.rgba:	none

This shows that Fedora does use grayscale anti-aliasing, a stronger font hinting style and no subpixel rendering by default. This is the reason why the same fonts look different on Fedora and Ubuntu.

1. Install the freetype-freeworld package. You need subpixel rendering the achieve the same results as on Ubuntu. The FreeType rendering engine shipped by default comes without it but you can install the freetype-freeworld package out of the RMPfusion-free repository to get a version with subpixel rendering. If not already happend, enable RPM Fusion on your system. Open a terminal and install the freetype-freeworld package:

   su -c "yum install freetype-freeworld"

   You should know that subpixel rendering is patented and therefore not completely free (as in speech). Using this package might not be legal in your country. The choice is yours and it is your legal responsibility to make sure that the software you are installing can be legally used.

2. Adjust the hinting style and enable RGB anti-aliasing. Ubuntu it using hintslight hinting by default, Fedora comes with hintmedium. Additionally, we need RGB instead of grayscale anti-aliasing. Open a terminal and execute the following commands to set the anti-aliasing and hinting style:

   gsettings "set" "org.gnome.settings-daemon.plugins.xsettings" "hinting" "slight"
   gsettings "set" "org.gnome.settings-daemon.plugins.xsettings" "antialiasing" "rgba"

3. Activate the lcddefault lcdfilter. Unfortunately, there is no GSettings key for it (at least as I'm writing this), therefore you have to create a hidden .Xresource file with the Xft.lcdfilter: lcddefault setting in your home directory. Open a terminal and execute the following command to do so:

   echo "Xft.lcdfilter: lcddefault" > ~/.Xresources

4. Some settings need a restart to take effect, so reboot your system. If everything worked you should get the following xrdb -query output (the output order does not matter if the values are the same):

   Xft.antialias:	1
   Xft.dpi:	96
   Xft.hinting:	1
   Xft.hintstyle:	hintslight
   Xft.lcdfilter:	lcddefault
   Xft.rgba:	rgb

• You may find the gnome-tweak-tool interesting. E.g. it provides an option to switch the window-title-bar font. Use the following command to install it:

  su -c "yum install gnome-tweak-tool"

• I used the command line tool gsettings to adjust the GSettings key values above. If you want to influence and explore available keys by using a GUI, have a look at the dconf-editor. Use the following command to install it:

  su -c "yum install dconf-editor"

• You may want to use the Ubuntu fonts, too. They are not included in the main repositories right now,¹⁾ therefore I wrote the install-ubuntufonts-fedora.sh bash script to make the font installation faster and easier. There is a high probability that this script will never be useful to someone else than myself. But you never know. If you want to use it, open a terminal and run the following commands to download and execute it (copy and paste recommended):

  wget "http://blog.andreas-haerter.com/_export/code/2011/07/18/install-ubuntufonts-fedora.sh?codeblock=1" -O "/tmp/install-ubuntufonts-fedora.sh"
  chmod a+rx "/tmp/install-ubuntufonts-fedora.sh"
  su -c "/tmp/install-ubuntufonts-fedora.sh"

  Please read the Ubuntu Font Licence for all the rules that govern the use of the fonts.

• If you want to go any further, you should know some things about the fontconfig system. First of all, it is controlled by *.conf files. Fedora is looking for them at the /etc/fonts/conf.d/ directory and they get imported in alphabetical order.²⁾ Please note that every file in this directory should be a symlink pointing to a real config file located in /etc/fonts/conf.avail/. This makes it possible to deactivate settings by deleting the symlink in /etc/fonts/conf.d/ without loosing the corresponding config file in /etc/fonts/conf.avail/. It is also recommended to follow the rule “one setting, one file”. This makes sure you always know which files configures what.
  All settings at /etc/fonts/conf.d/ are affecting all user accounts and therefore you need root privileges to create or edit the files. If you want to influence only a specific user account, it is also possible to place files in the user's ~/.fontconfig/ directory (simply create it if it is not already existing).
• I assume that your display is using RGB pixels (the subpixel layout test page can help you to verify this). If your monitor is using BGR, V-RGB, or V-BGR pixels, you might want to use another anti-aliasing setting than rgba.

• ScreenFontSettings
• Improve Fonts in Fedora
• The Lagom LCD monitor test pages

Edit 2011-07-21: Here are the demanded screenshots. You can use your keyboard to navigate trough them (← and → key). The last one shows a terminal with Ubuntu fonts.

When Fedora 15 Lovelock was just a few days old, the generally known commands to build an appropriate package did not work.¹⁾ Therefore (and because I think it is a bit extreme to create a package just to get some fonts), I wrote install-msttcorefonts-fedora.sh to make the font installation faster and easier. There is a high probability that this script will never be useful to someone else than myself. But you never know. If you want to use it:

1. Open a terminal.
2. Run the following commands to download and start the script (copy and paste recommended):

   wget "http://blog.andreas-haerter.com/_export/code/2011/07/01/install-msttcorefonts-fedora.sh?codeblock=1" -O "/tmp/install-msttcorefonts-fedora.sh"
   chmod a+rx "/tmp/install-msttcorefonts-fedora.sh"
   su -c "/tmp/install-msttcorefonts-fedora.sh"

• Core fonts for the Web
• The Unofficial Fedora FAQ - Can I install the standard Windows fonts on Fedora?
• An easy way to install Microsoft's TrueType core fonts on Linux
• TrueType core fonts for the Web EULA

SSH provides the possibility to use Public Keys to log in to a target system (which is very likely more secure than a password). To make this possible:

1. The user has to create a Public/Private Key pair
2. The user's Public Key(s) has/have to be stored on the target system running the SSH Server (normally within ~/.ssh/authorized_keys)
3. The server's Public Key has to be stored on the local system running the SSH Client (normally within ~/.ssh/known_hosts)

Some popular services like GitHub do not even provide a password based authentication for data exchange, forcing you to use a SSH Public Key. Same for the Fedora Account System (FAS) where I created an account recently.

On a common Linux system, all needed SSH client tools should be installed by default. If not (e.g. because they were removed), simply install the openssh-clients package on Fedora or the openssh-client package on Debian/Ubuntu. After installation, the SSH tool for authentication, key generation, management and conversion is available via terminal: ssh-keygen

As already said, ssh-keygen is the tool for creating a key pair. It brings a lot of options, I'm going into detail on the most important ones:¹⁾

• -b <bits>:
  From the manpage: “Specifies the number of bits in the key to create. For RSA keys, the minimum size is 768 bits and the default is 2048 bits. Generally, 2048 bits is considered sufficient. DSA keys must be exactly 1024 bits[…]”.
• -t <type>:
  Specifies the type of key to create. The cryptographic algorithm to use will selected through specifying this parameter. For SSH2, you can choose between “rsa” and “dsa”.²⁾
• -C "<comment>":
  Provides a comment for the key. The comment is used as “name” for the key in most applications. If not given, username@host will be set by default. You can change the comment later without any problems.

Using a 2048bit long RSA key is a good choice for most use-cases. 1024bit RSA is no longer regarded as indisputably secure, 4096bit RSA is for paranoid person like me. Please make sure you set a passphrase to protect your key. Otherwise everyone who may gets access to it (e.g. because someone steals your laptop and copies the keyfile) is able to get instant access to all systems you used the key for logging in. In contrast, you should have enough time to change the keys on all affected system without any danger if you used a good passphrase for a leaked private key. Additionally, it is no problem to use multiple SSH keys. So if you need a SSH key without password (e.g. for a quickly hacked backup script), create a separate key for this special task but do not use it for logging in to important systems.

Now open a terminal and let's go:

user@local:~$ ssh-keygen -t rsa -b 2048 -C "user@local"
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):

As you can see, the key will be stored into ~/.ssh/id_rsa by default. To choose another file, you have to provide the complete path (→ ~/ normally does not work to point to your home dir). I use the non-default path /home/user/.ssh/mykey in this example.

Enter file in which to save the key (/home/user/.ssh/id_rsa): /home/user/.ssh/mykey
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/user/.ssh/mykey.
Your public key has been saved in /home/user/.ssh/mykey.pub.
The key fingerprint is:
10:af:1e:58:a3:a2:2a:7e:11:23:52:bf:c2:32:61:fa user@local
The key's randomart image is:
+--[ RSA 2048]----+
| ...     o       |
|     + o         |
|  . o = .        |
| ... o +         |
|.. .  . S        |
| o  .            |
|Bo.  .       .+  |
|E oo.            |
| +o+o            |
+-----------------+

Done. Now you got the needed key pair:

• /home/user/.ssh/mykey is the private key. Never share this one with someone else. Simply keep the Private Key… well, private.
• /home/user/.ssh/mykey.pub is the public key (also called “ID file” or “identity file”). This is the one you have to upload to the remote systems.

• If you never heard about the “randomart image”, you may have a look at ”What is randomart produced by ssh-keygen?”.
• If you need a GUI, have a look at GNOME Seahorse or PuTTY.
• Have a look at IBM: Shhh ... secrets about SSH and GitHub: Multiple SSH keys if you have trouble when using more than one SSH key.
• Close ssh if the session is not responding anymore: The command ~. closes the ssh client program if the server hangs (e.g. because it was unexpectedly shut down or your internet connection is not stable).
• Copy the Public Key(s) to a remote system: ssh-copy-id helps you to copy your SSH Public Key into the ~/.ssh/authorized_keys file of the remote system and/or copy the remote system's public key into your local ~/.ssh/known_hosts file. Usage:

  ssh-copy-id -i "~/.ssh/mykey.pub" remote-user@remote.example.com

• Change the passphrase of a SSH key: ssh-keygen is also the tool of choice to change a key's password. The -f parameter specifies the private key file you want to change. The -p parameter tells the program that you want to change the password of an existing key, preventing the generation of a new one:

  ssh-keygen -f /path/to/your_key -p

• Change the comment of a SSH key: ssh-keygen is also the tool of choice to change a key's comment. The -f parameter specifies the private key file you want to change. The -c parameter tells the program that you want to change the comment of an existing key, preventing the generation of a new one:

  ssh-keygen -f /path/to/your_key -c

• SSH
• LinuxWiki.org: OpenSSH
• Public-key Cryptography
• RSA Crypto System
• Digital Signature Algorithm (DSA)
• What is randomart produced by ssh-keygen?
• IBM: Shhh ... secrets about SSH
• GitHub: Multiple SSH keys

This article provides a step-by-step guide on how to install an Ubuntu Linux system with full disk encryption (new installation). However, you should take a relaxed day as topical newbie for further reading. You don't have to keep everything in mind but it is never an error to acquaint oneself with something new.

Read more…