Upgrading Kubuntu-9.04 from PPA – KDE 4, Xorg, Wine, OpenOffice 3…

I have upgraded all my systems to KDE 4.3.1 very successfully, and it is gorgeous.  While still slower than LXDE (this will likely always be the case), it is much better than the 4.2 that shipped with Jaunty.  I have also upgraded to OpenOffice 3.1.1, the latest stable Wine, and I have updated Xorg as well – all from the PPA (Personal Packages Archive) site.  Here is how, and from where:

To use these, click on each link, then:

  1. Select your sources.list version and copy the two deb lines to your /etc/apt/sources.list file
  2. Import the key with this command – sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 12345678 (replace 12345678 with the appropriate import key listed above)
  3. Update with sudo apt-get update
  4. Upgrade with sudo apt-get dist-upgrade

Hope this helps, but YMMV.  This is only a “howto if you want”, not a “recommendation that you do”.  If things blow up, well, that’s the risk you take.  I find it encouraging, however, that across four different Kubuntu 9.04 systems, I have not had any problems from these upgrades, and found that many fixes and improvements had taken place.

Ultimately, this article is really to help me for future upgrades.  But if you get something good from here, that’s cool too.

New Power Supply…

This is a short post.  Last night, I wanted to load up bzflags on my MythBuntu box so I could crush the kids in an epic tank battle.  Too bad my 500W power supply had roasted, and may have been merrily cooking away for a day or more before I found out.

So, off to the store I went, where I picked up a decent 650W power supply with all the right connectors for about $100.  After I got home and installed it, MythBuntu powered up fine and I loaded bzflags.  It was late, so the epic tank battle is on hold.

For now…

Update – My son wiped the field with me.   With glee and a complete absence of pity.  My daughter came close to doing the same thing.  I shudder to think of the beating my wife can deliver behind the barrel of a tank.  I apparently suck at bzflags, but it sure is fun, even losing.  I just blame it on my mouse, or on the wireless network (which works without flaw any other time – curious), or the dog (current tally:  farts, missing treats, losing to my son at bzflags).

Impressions of Kubuntu 9.04 and VMware-Server 2.0.1…

So far, RAID-10/LVM/XFS is working quite well with Kubuntu 9.04.  Jaunty picks up hardware effortlessly.  I plugged in a USB thumb drive, and a little notification pops up.

Ok.

I plug in my camera, and it sees it fine, no muss, no fuss.

Better.

I plug in my webcam – no notification, it just works.

Sweeeet.

I plug in my HP printer, and I have to dig around to see that it was added as quietly and politely as you please, ready to print.

Awesome.

I ran out of things to plug in.  Kubuntu 8.04 (the previous version I was using) didn’t boot nearly as quickly, took longer to load the desktop after login, and was good about detecting devices, mostly, but needed polish and charm.

9.04 has it in spades.  I am really quite impressed with the hardware capabilities of it.  There are some programs, like adept, I am missing, but the learning curve for the newer stuff is really more like a learning bump.

Update:  It even loaded the sensors package to track temperatures.  Wow.

I am running 64-bit now, and flash and java work fine.  It took me a while to find the right libjavaplugin and link it into the Firefox plugins folder, but flash 10 worked fine and installed easily.

VMware-Server is a different story.  The 64-bit is slow, flaky, and cranky.  It times out all the time, it resets often, and it just stalls doing stuff.  I now have a VM ready for loading, but it took all day to fight it into doing so.  And I found no reliable cure, to include swapping out the java jre version used for a later version.  I am really disappointed with the 2.0.1 release in terms of ease of install, performance, and reliability.  Oh well, at least it installed without needing a special patch or script.

Update:  After a huge fight, I got a new Windows XP VM made.  Using the command ‘watch "du -s --si /home/vmguests/WinXP"’, I was able to get a sense of the speed of the file system when I was creating the virtual disk files.  I chose to make one large file at once for each of the two disks; C drive (15 GB), and E drive (48 GB).  With the watch command updating every two seconds, I was able to see that the RAID-10 XFS filesystem was handling about 100 Mbps as the disk files were created.

Once I had made the VM, loading it was uneventful.  Just a regular Windows XP professional install, like any other.  The vmware-server played nice mostly after that and has continued to do so.  I have only had to log out once due to unresponsiveness, and have not had to restart the server services.  The VM is quite fast, and allows my wife to see her video streams in Media Player 11 with only minor stuttering of the video.   Audio is fine.

I really like the USB visibility of vmware-server.  The VM picked up the printer as if it were directly connected, and once I loaded the drivers for it, I was printing from the VM like normal.  All of my USB devices can be presented to the VM, which is an area I had problems with in the past with the 1.x versions of vmware-server.

Anyway, my wife is set up with her login and has a shortcut to RDP to the Windows XP VM, where she can login and watch her JNet streams.

Landscaping With Inkscape…

Just a quick post here.  This is not a howto or anything.  I have several projects going on around the house, and I have started using inkscape to put down ideas.  So far, I have designed and built a small piece of furniture with it (a Japanese doll table set that stacks for easy storage) and several landscape designs for my front and back yards.  I have not found any program for Linux specifically aimed at landscape design, but I am really pleased with the ease and power of inkscape to handle the job.

Its 3-D block functions are especially useful for these tasks, when you want to show a side or perspective view of a feature or wall.  I also relied on this function heavily for my furniture project.  By the way, I nailed the furniture set first time – no mistakes.  My first piece of furniture, ever.  I pulled out each piece of the completed drawing to make a parts list, went to Home Depot, and matched up part numbers, quantities, and prices.  I also took detailed dimensional measurements while I was there to ensure proper fittings, and adjusted all of my planned dimensions accordingly.

[Images: hina-ningyo-phase1, hina-ningyo-phase1-partslist, hina-ningyo-phase1-partslist-2]

Using inkscape allowed me to methodically and precisely document all aspects of the project, which turned out to be fairly involved for a beginner like me.  No mistakes.  Next is the backyard patio….

Here are some ideas I was playing around with.  We are going for the trees and raised patio, to keep costs down.

[Images: house-now, house-new-3, house-new-backyard, house-new-front1, house-new-trees, backyard-raised-patio]

So, in case you were wondering how to get started on a home project, open up inkscape and start playing around.  You might be surprised at what you can get away with.

HOWTO – Child-Proofing Internet Access on Kubuntu

[UPDATED 10-18-2009 – Numerous old typos fixed, several new typos added, syntaxes corrected, updates made for newer versions of stuff, better instructions, cooler errors, and even a little more attention to detail paid.]

[CREDIT for getlists.sh goes to Step By Step – www.maynidea.com. Thank you for this script, and sorry it took so long to put this credit in.]

This article is a revision of this post. It has been adapted for use on Kubuntu 8.04. I got a lot of info from this link here. Another excellent resource is here (PDF). As always, YMMV. This is a long and involved post – be prepared to take an afternoon, and to work on that degree from Google. But when you are done, you will have a powerful transparent-proxy-content-filter-porn-stomper. No charge.

1. Download the following (there may be newer versions, but definitely need db-2.7.7):

I checked these versions against the repositories, and except for the db-2.7.7, these are still fairly current. The version of iptables I am using is 1.3.8. For this, I prefer installing from tarballs, even though this means they will not get updates. The main advantages I see to this approach are that you can more directly control where they go in the file system (making them easier to troubleshoot and remove), and updates to packages might cause feature/config file breakage, whereas these ensure a static environment. Unfortunately, I cannot upload the actual tarballs for use, so either find these versions in an archive, or brace yourself for an adventure in configuration differences.

2. Unpack the downloaded files:

  • tar xvfz db-2.7.7.tar.gz
  • tar xvfj squid-2.6.STABLE5-20061110.tar.bz2
  • tar xvfz dansguardian-2.9.8.0.tar.gz
  • tar xvfz squidGuard-1.2.0.tar.gz

3. Check that you don’t already have squid, squidGuard, or dansguardian installed, and that you have iptables installed. Adept Manager is an easy way to find out. Check that you do not already have a squid group and user. If you do not, then pick a group ID between 1 and 999 to use for the squid group:

  • more /etc/group | grep -i squid <is there a squid group?>
  • more /etc/passwd | grep -i squid <is there a squid user?>
  • more /etc/login.defs | grep -i UID_MIN <what is the lowest user ID? anything below this is a system account, and will not get a home directory by default, which is a good thing – so pick something lower than UID_MIN>
  • more /etc/group | grep <number below UID_MIN> <is the group ID you picked already in use? If so, keep picking one until you find a number not in use.>

4. As root (sudo -s), make user and group. The “groupadd -r squid” command is out – this would have made a system account. The new command syntax is shown below instead.

  • groupadd -g <number you picked> squid
  • useradd -u <number you picked> -g squid -d /var/spool/squid -s /bin/false -r squid

5. When making firewall rules (below), I kept getting the error “iptables: No chain/target/match by that name” until I discovered that I did not have the ipt_owner.ko module available to be loaded (on my current version of 2.6.31.4, it is called “xt_owner”). Issue an “updatedb” command, followed by “locate _owner.ko” to see if you have it for your kernel version. If you have it, see if it is loaded – “lsmod | grep -i _owner”. I ended up compiling a new kernel from 2.6.26.2 to 2.6.28.5 (to get some other features I wanted, not just for the module), and ensuring the owner module was built (“make oldconfig” and “make menuconfig” steps of this post, under the networking section). Once I had that module, I was good to go with matching packets by owner.

Make menuconfig (need ncurses libraries installed: libncurses5-dev and libncursesw5-dev; helpful to have ncurses-term packages installed):
“Networking Support —>
Networking Options —>
Network Packet Filtering Framework (Netfilter) —>
Core Netfilter Configuration —>”

  • (M) Netfilter connection tracking support (NF_CONNTRACK)
  • (M) Transparent proxying support (EXPERIMENTAL) (NETFILTER_TPROXY)
  • (M) “TPROXY” target support (EXPERIMENTAL) (NETFILTER_XT_TARGET_TPROXY)
  • (M) “owner” match support (NETFILTER_XT_MATCH_OWNER)

REMEMBER: If you upgrade your kernel to a new version and use a proprietary video driver (ATI or NVIDIA), set your xorg.conf driver to “vesa” BEFORE you reboot. Reboot on the new kernel, log into the console (so as not to start any window manager or x session), and upgrade your video driver (update xorg.conf to reflect the new driver). Then either reboot, or just start your window manager normally.

6. Make Berkeley DB – must be a 2.x version, not newer, not older:

  • cd db-2.7.7/dist/
  • ./configure
  • make
  • make install

7. Make squid v.2-6 (NOTE – To have SSL, I needed to install the libcurl4-openssl-dev package. Otherwise, “make” generated this error: “../include/md5.h:14:2: error: #error Cannot find OpenSSL headers” ):

  • cd squid-2.6.STABLE5-20061110/
  • ./configure --enable-icmp --enable-delay-pools --enable-useragent-log --enable-referer-log --enable-kill-parent-hack --enable-cachemgr-hostname=hostname --enable-arp-acl --enable-htcp --enable-ssl --enable-forw-via-db --enable-cache-digests --enable-default-err-language=English --enable-err-languages=English --enable-linux-netfilter --disable-ident-lookups --disable-internal-dns
  • make
  • make install

It is located in /usr/local/squid/.

8. Make squidGuard v.1.2:

  • cd squidGuard-1.2.0/
  • ./configure
  • make
  • make install

Default install is in /usr/local/bin/.

9. Make dansguardian v.2.9.8:

  • cd dansguardian-2.9.8.0/
  • mkdir /usr/local/dansguardian
  • ./configure --prefix=/usr/local/dansguardian --with-proxyuser=squid --with-proxygroup=squid --enable-email=yes
  • FOR EMBEDDED URL WEIGHTING AND OTHER FEATURES: ./configure --prefix=/usr/local/dansguardian --with-proxyuser=squid --with-proxygroup=squid --enable-email=yes --enable-pcre=yes (this last option is CPU intensive; turn on in dansguardianf1.conf)
  • make
  • make install

It is located in /usr/local/dansguardian/.

If you get an error during the configure part like this: “configure: error: pcre-config not found!”, install the libpcre++-dev package.
When using GCC 4.3, I got errors of “error: ‘strncpy’ was not declared in this scope”. The fix was found on GCC 4.3 Release Series – Porting to the New Tools. Basically, for each such error, go to the file referenced under the src folder and add the line #include <cstring>.

10. Make and configure squid directories:

  • mkdir /usr/local/squid/var/cache
  • chown -R squid:squid /usr/local/squid/var
  • chmod 0770 /usr/local/squid/var/cache
  • chmod 0770 /usr/local/squid/var/logs

11. Make and configure squidGuard directories (see getlists.sh for reference):

  • mkdir /usr/local/squidGuard
  • mkdir /usr/local/squidGuard/log
  • chown -R squid:squid /usr/local/squidGuard/log
  • chmod 0770 /usr/local/squidGuard/log
  • mkdir /var/log/squidguard
  • touch /var/log/squidguard/squidGuard.log
  • touch /var/log/squidguard/ads.log
  • touch /var/log/squidguard/stopped.log
  • chown -R squid:squid /var/log/squidguard
  • mkdir /var/lib/squidguard
  • mkdir /var/lib/squidguard/db
  • mkdir /var/lib/squidguard/db/blacklists
  • mkdir /var/lib/squidguard/db/blacklists/ok
  • mkdir /var/lib/squidguard/db/blacklists/porn
  • mkdir /var/lib/squidguard/db/blacklists/adult
  • mkdir /var/lib/squidguard/db/blacklists/ads
  • chown -R squid:squid /var/lib/squidguard

12. Configure dansguardian directories:

  • chown -R squid:squid /usr/local/dansguardian/var/log
  • touch /var/lib/squidguard/db/blacklists/porn/domains_diff.local
  • touch /var/lib/squidguard/db/blacklists/porn/urls_diff.local

13. Edit and copy squid configs from respective source directories:

  • cp squid.conf /usr/local/squid/etc/squid.conf
  • sample squid.conf settings:
    • http_port 127.0.0.1:3128 transparent
    • icp_port 0
    • htcp_port 0
    • redirect_program /usr/local/bin/squidGuard
    • cache_effective_user squid
    • cache_effective_group squid
    • acl all src 0.0.0.0/0.0.0.0
    • acl manager proto cache_object
    • acl localhost src 127.0.0.1/255.255.255.255
    • acl to_localhost dst 127.0.0.0/8
    • acl allowed_hosts src 192.168.12.0/255.255.255.0
    • acl SSL_ports port 443
    • acl Safe_ports port 80 21 443 # http ftp https
    • ##acl Safe_ports port 21 # ftp
    • ##acl Safe_ports port 443 # https
    • ##acl Safe_ports port 1025-65535 # unregistered ports
    • acl CONNECT method CONNECT
    • acl NUMCONN maxconn 5
    • acl ACLTIME time SMTWHFA 7:00-21:00
    • deny_info ERR_ACCESS_DENIED_TIME ACLTIME
    • #http_access allow manager localhost
    • #http_access deny manager
    • http_access deny manager all
    • http_access deny !Safe_ports
    • http_access deny CONNECT !SSL_ports
    • http_access allow localhost ACLTIME
    • http_access deny NUMCONN localhost
    • #http_access allow allowed_hosts
    • http_access deny to_localhost
    • http_access deny all
    • http_reply_access allow all
    • #icp_access allow allowed_hosts
    • #icp_access allow all
    • icp_access deny all
    • visible_hostname localhost

Edit squid.conf and set up time based access, to prevent late night surfing (add the following lines):

  • acl ACLTIME time SMTWHFA 7:00-21:00 (add to the ACL section)
  • http_access allow localhost ACLTIME (add to the http_access section)

14. Edit and copy squidGuard configs from respective source directories:

  • cp squidGuard.conf /usr/local/squidGuard/squidGuard.conf
    • change ip gateway address in squidGuard.conf

15. Edit and copy dansguardian configs from respective source directories:

  • cp dansguardia*.conf /usr/local/dansguardian/etc/dansguardian/
  • sample dansguardian.conf settings:
  • sample dansguardianf1.conf settings:
    • groupmode = 1
  • copy getlists.sh (it is posted as a PDF – copy the text to a shell script) to /usr/local/bin
  • [UPDATED 10-18-2009 with more current blacklist sites]

16. Make the firewall rules (iptables commands may appear wrapped in two lines):

  • iptables -t nat -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -p tcp --dport 3128 -j ACCEPT (without this rule, dansguardian may fail with the error: “Error connecting to parent proxy”)
  • iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
  • iptables -t nat -A OUTPUT -p tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT
  • iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner exemptuser -j ACCEPT (change exemptuser)
  • iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080
  • iptables -t nat -A OUTPUT -p tcp --dport 3128 -j REDIRECT --to-ports 8080

It is a good idea to do this part *after* compiling and installing, as these rules will get in the way if you need to install a package (like libcurl4-openssl-dev). If this happens, Adept Manager will abruptly crash (leaving you to find and remove the lock files), and apt-get install will fail with a connection refused error. Just rerun the rules above, but replace the -A with a -D to delete them. Get your packages, install your software, and reapply the firewall rules.
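
Because netfilter takes the first matching rule, the order of the step 16 rules decides which users are filtered and which bypass DansGuardian. The script below is an added example, not part of the original post or of getlists.sh: it audits `iptables -t nat -S OUTPUT` output for ACCEPT rules shadowed by a REDIRECT and lists the UIDs that skip the filter. The function names and the sample UIDs 130 and 1000 are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Audits the nat OUTPUT chain from
# step 16. Live use (as root): iptables -t nat -S OUTPUT | audit_nat_output

# Reads `iptables -t nat -S OUTPUT` text on stdin. Netfilter stops at the first
# matching rule, so an ACCEPT placed after the catch-all REDIRECT for the same
# port can never match. Returns 0 when the chain is ordered as step 16 intends.
audit_nat_output() {
    awk '
    $1 != "-A" || $2 != "OUTPUT" { next }   # skip the policy line and other chains
    {
        n++; target = ""; uid = ""; dport = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-j")          target = $(i + 1)
            if ($i == "--uid-owner") uid    = $(i + 1)
            if ($i == "--dport")     dport  = $(i + 1)
        }
        loopback = ($0 ~ /-s 127\.0\.0\.1/ && $0 ~ /-d 127\.0\.0\.1/)
        # A REDIRECT without an owner match catches every remaining user.
        if (target == "REDIRECT" && uid == "" && !(dport in catchall)) catchall[dport] = n
        if (target == "ACCEPT") {
            if (dport in catchall) {
                printf "SHADOWED rule %d (REDIRECT at rule %d matches first): %s\n", n, catchall[dport], $0
                bad = 1
            } else if (uid != "") {
                printf "EXEMPT uid=%s dport=%s\n", uid, dport   # this user bypasses the filter
            }
            if (n == 1 && loopback && dport == "3128") loop_first = 1
        }
    }
    END {
        if (!loop_first) { print "MISSING loopback ACCEPT for port 3128 as rule 1"; bad = 1 }
        if (!("80" in catchall)) { print "MISSING catch-all REDIRECT for port 80"; bad = 1 }
        exit bad + 0
    }'
}

# Constructed sample: rules in the order step 16 lists them.
# uid 130 stands for squid and uid 1000 for the exempt user (both made up).
sample_fixed() {
    cat <<'EOF'
-P OUTPUT ACCEPT
-A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -p tcp -m tcp --dport 3128 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner 130 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3128 -m owner --uid-owner 130 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner 1000 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A OUTPUT -p tcp -m tcp --dport 3128 -j REDIRECT --to-ports 8080
EOF
}

# Constructed sample: same rules, but the loopback ACCEPT sits after the REDIRECTs.
sample_broken() {
    cat <<'EOF'
-P OUTPUT ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner 130 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3128 -m owner --uid-owner 130 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner 1000 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A OUTPUT -p tcp -m tcp --dport 3128 -j REDIRECT --to-ports 8080
-A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -p tcp -m tcp --dport 3128 -j ACCEPT
EOF
}

# Demo on the two constructed samples.
for s in sample_broken sample_fixed; do
    echo "== $s =="
    if $s | audit_nat_output; then echo "result: ok"; else echo "result: FAIL"; fi
done
```

Any EXEMPT uid other than squid and the account you deliberately exempted means that user is browsing unfiltered.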

17. Save and apply the firewall settings permanently (visit Iptables HowTo – Community Ubuntu Documentation for details):

  • sudo sh -c "iptables-save > /etc/iptables.rules"
  • sudo nano /etc/network/interfaces
    • pre-up iptables-restore < /etc/iptables.rules
    • post-down iptables-save -c > /etc/iptables.rules

18. Start or restart services as needed:

  • /usr/local/squid/sbin/squid -z (first-time config)
  • /usr/local/squid/sbin/squid -N -d 1 -D (test squid, kill when working fine)
  • /usr/local/squid/sbin/squid (this also runs squidGuard from “/usr/local/bin/squidGuard”)
  • /usr/local/dansguardian/sbin/dansguardian
  • /usr/local/bin/getlists.sh (you may have to kill this – it hangs after displaying the line “adult/usage”)
  • /usr/local/squid/sbin/squid -k reconfigure
  • /usr/local/dansguardian/sbin/dansguardian -Q

The squid test revealed that I was missing a custom file: “errorTryLoadText: ‘/usr/local/squid/etc/errors/ERR_ACCESS_DENIED_TIME’: (2) No such file or directory”. So, I copied it from “/usr/local/squid/etc/errors/English/ERR_ACCESS_DENIED”, and “edited” it in vi for a little access-denied humor. Never miss a chance to have a spot of fun! After that, squid worked fine.

Dansguardian kept failing with “Error connecting to parent proxy”, until I edited iptables with “iptables -t nat -I OUTPUT 1 -s 127.0.0.1 -d 127.0.0.1 -p tcp --dport 3128 -j ACCEPT” (to place it as the first output rule on the nat table). Then DG worked fine.

The script hung and had to be killed. I confirmed everything was finished by checking the last file date-time-stamp against the date-time-stamp it displays right after it is run. So if the DTS displayed was “20090214185211”, and the DTS returned with “ls -l /var/lib/squidguard/db/blacklists/porn/stats/20090214185211_stats” was more recent, say “2009-02-14 18:53”, then you can be sure it is finished. Or you can just use “lsof” and look for the getlists.sh process. That is probably smarter.

[UPDATED 10-18-2009]
The script hung because a.) I could not download from the Norway site and b.) “squidguard -C all” from the getlists.sh script was not finding files and went into emergency mode, apparently a place it can hide and whimper silently. Forever. I ran instead “squidguard -d -C all” and discovered it was failing to find certain files, which I just created or copied into existence. This quieted squidguard down and let it finish. Almost – I also commented out the “not_ok” ACL block in the squidguard.conf file, since I am not using it. Details are on this article concerning the updated blacklist script “getlists.sh”: SquidGuard Blacklists…

19. Set up a mailer for notifications (here is a link for assistance):

  • using postfix, point it to your mailserver.isp.domain
  • postfix needs /etc/postfix/transport and /etc/postfix/generic
  • dansguardian.conf calls it with ‘sendmail -t’ command
  • for non-authenticated use, do not set ‘by user = on’ in dansguardianf1.conf

20. Post-install testing and tweaking:

  • Test with browser as different users – should be transparent proxy surfing now, works with lynx as well (“su - <username>, lynx, G, http://www.playboy.com” should get either Playboy for an approved user or the dansguardian access denied page for a restricted user.)
  • Check if your system emails you violations.
  • Be sure to update your startup files (/etc/init.d/ or your rc.local) to ensure everything starts when the computer is booted.
  • When you are ready, reboot, and check again with lynx as different users.

I have been working on this all day. I have not yet gotten email to work, and am not sure I need to – maybe I’ll just check the logs instead. So, hope this helps, and good luck.

Time for a beer.

HOWTO – GkrellStock Plugin on Kubuntu Hardy Heron…

I have to post this – it is involved enough that I will forget it if I don’t.  Googling for a solution was challenging.

In order to get the gkrellstock plugin installed for Gkrellm-2, on Kubuntu 8.04, these are the steps I took:

  1. Download the plugin from http://gkrellstock.sourceforge.net/ – gkrellstock-0.5.1.tar.gz is the current posted version.
  2. Install the Perl Finance modules – sudo apt-get install libfinance-quote-perl libfinance-streamer-perl libfinance-yahooquote-perl
  3. Extract the gkrellstock file to a folder and cd into that folder.
  4. There is a README file with instructions, but essentially, the steps are make (which builds the gkrellstock.so file) and make install (as root).  You can instead do “make user-install” (not as root), if you wish to only install for a user, instead of to the system.
  5. According to the README, you may need to copy the aisa.pm file to the proper directory.  However, I found the file to be in the correct place already.  It helps to run updatedb (as root, of course) and locate aisa.pm, just to be sure.
  6. If “make install” fails, you will get some output of the script trying to copy a file to a system folder (my attempt failed because the -C switch was not understood).  I opened up the Makefile and manually copied the files to work around this:
    1. sudo cp gkrellstock.so /usr/lib/gkrellm2/plugins/
    2. sudo chmod 644 /usr/lib/gkrellm2/plugins/gkrellstock.so
    3. sudo cp GetQuote2 /usr/X11R6/bin/
    4. sudo chmod 755 /usr/X11R6/bin/GetQuote2
  7. I restarted gkrellm, right-clicked to get the Configuration dialog, and selected and configured the GkrellStock plugin.  Quote data started coming in right after that.
  8. I always stop and restart Gkrellm after making changes, to ensure the changes have been saved (if it crashes for whatever reason, you have to redo your changes).

Your mileage may vary, and you will need to adjust fire if you use a different blend of Ubuntu or a different flavor of Linux altogether.  As far as Windows goes, I’ll just say this – it can be done (good luck).

Enjoy!

Ubuntu, Nvidia, and Projectors – a HowTo Article…

Sorry, not mine, but I thought it looked pretty useful. Here is the link:

Getting a projector to work under Ubuntu Linux with Nvidia drivers

The Tech Explorer site has other articles you might find helpful as well, so dig around.

Have fun!