Red Hat Enterprise Linux 5.2 — a way bigger deal than you might think

I stumbled across this on Slashdot, which led me to Red Hat’s own release on all the new things in Red Hat Enterprise Linux 5.2 (and eventually in the free CentOS clone of RHEL).

The most shocking: Firefox 3. The Red Hat people must have a lot of faith in Mozilla’s latest browser.

When it comes to the up-to-date applications, RHEL purposefully stays behind the curve so as not to break anything, especially on servers. But for desktop users, having to run Firefox 1.5 for-freakin’-ever is a bit of a bummer. Same for OpenOffice; the version I last used (probably in CentOS 4) didn’t even have ODF compatibility.

Users of RHEL 5.2 will enjoy the following newish applications:

• Evolution 2.12.3
• Firefox 3
• OpenOffice 2.3.0
• Thunderbird 2.0

This is one of the parts of the release that makes me eager to try RHEL 5.2:

We also significantly improved laptop support, with Suspend/Hibernate/Resume enhancements that allow us to certify more laptop systems.

Also, many graphics drivers where updated, including a backport of the “intel” graphics driver commonly used in Desktop and Laptops.

Bottom line: These improvements make RHEL/CentOS much more attractive on the desktop (and especially for laptop users).

Could this mean a greater push from Red Hat on the desktop, even though the company has stated recently that it will not focus on that very market?

I say yes.

Red Hat 5.0 (OK, in my case the free CentOS 5.0) runs pretty damn well on my Gateway Solo 1450 (the $0 Laptop), except that Suspend/Resume doesn’t work … and if it did, I would be very happy about it.

The Red Hat release didn’t mention the fact that RHEL didn’t suffer from the same OpenSSH vulnerability that has affected Debian-derived Linux distros, but the CentOS team does point it out while also telling CentOS users to check suspect keys from users of Debian-based systems that have had SSH contact with your RHEL/CentOS box.

The Debian server — a non-expert tries to roll his own

I decided to start from scratch with my Debian server project. Last time I was too hasty in adding the open-source version of Movable Type to my installation and intermingling files before I was ready.

This time I’m going to be a lot more methodical and make sure that Apache and MySQL are working properly — meaning I can run CGI scripts and have a directory dedicated to same — before I start with Movable Type.

I could’ve removed Apache, done some cleanup and gone from there, but since I didn’t have much “invested” in the install, I wiped the drive and started over.

I did want to change a few things:

Last time I used encrypted LVM. Since I don’t have any grasp about how to work with LVM partitions after the fact, and since I’m not confident enough to have an encrypted drive that I can’t get to from a live CD rescue disc, I went with a standard partitioning scheme. I initially was going to roll out separate partitions for everything, but since I don’t know how extensively I’m going to use /var — and since the automatic partitioning in Debian tends to make the root partition too small for my taste (and with a 14.5 GB hard drive, I don’t have a whole lot of space to waste), I went with a separate /home partition and one big partition for everything else. That way, even if I’m using /var for my Web files, I can always rsync them to the /home partition and then rebuild the whole damn thing if I need to, yet still have all the files right there.

Another thing I learned: When you check off “SQL server” during a Debian Etch install, you get PostgreSQL, not MySQL. I’ll write more about this in an upcoming post, but I’m at such an early stage in my interaction with databases (i.e. smack dab at the very beginning) that I’m going to use MySQL just because of its sheer ubiquity (and because that’s what Movable Type recommendseven though Movable Type supports PostgreSQL just fine — and also allows use of SQLite).

I’m not ruling out using PostgreSQL in the future, but since this is my very first installation of a SQL database — hell, it’s the first time I’ve even used a SQL database and actually knew I was using it, so I’m going with the flow as much as possible.

In the last install, I also selected “file server,” and ended up with a lot of stuff loading at boot that I don’t need. What I really do need is an ftp server (and preferably a secure one) as well as the OpenSSH server, both of which are easy enough to install and configure (easy since I’ve successfully done it before).

And while I considered not installing the “Desktop environment,” which brings GNOME and everything that goes with it, I didn’t want to leave all that GUI goodness behind just yet; I’d rather have Synaptic, especially, at my disposal.

So right now I have the stock Debian Etch install with the desktop environment and Web server options.

And I need to add:

• Anything I’m missing to make Apache work with PHP and CGI/Perl scripts (that was my big stopper in last week’s install)
• MySQL and the phpMyAdmin program to help me configure the database
• The ftp and OpenSSH server packages
• Movable Type

At this point, everything is on the local network, not right out there on the Internet, and I just want to see how hard it is to roll one’s own blogging-equipped Web server. Would I rather use Drupal, WordPress … or anything else? Sure, but since our shop makes extensive use of Movable Type, that’s where I’m putting my energy.

I’m getting some help setting up Apache2 from this Debian Admin page. And Carla Schroder’s “Linux Cookbook” has some good tips on rolling out Apache (look in Chapter 22 — and if you don’t have this book, you really do need it).

One thing that’s screwing me up is the presence of multiple configuration files in Apache2 (apache2.conf and httpd.conf), the placement of those and other files in different directories on different systems, and general confusion of what the proper commands are between Apache 1.3, 2.0 and 2.2.

But since I’m being more deliberate this time, I won’t move to the next step in the process until everything works with the previous step. That means I need to get CGI working in Apache, then add MySQL, create the database, and then add MovableType. … and in between I’ll get the FTP and SSH servers going.

Update: I installed a bunch of MySQL and PHP stuff that I saw in Synaptic. I also installed phpMyAdmin, which I already confirmed is working. I also added the proftpd ftp server, which has a MySQL-specific version (not sure what I’m getting myself into there). I also put openssh-server on the box, which worked perfectly in my last Debian Etch install.

A very good tip: This is true for most configuration files, as well as for those in Apache2, especially because there are a whole lot of them: SAVE copies of everything before you mess with it. Look at ALL of the configuration files and attempt to understand them before you mess with them.

By looking, I learned that the default Apache2 installation in Debian is already set up to use /usr/lib/cgi-bin as the CGI directory. This information wasn’t in /etc/apache2.conf or /etc/httpd.conf (which is empty, with the implication — for me at least — being that this configuration file is no longer necessary in Apache 2.2 … but don’t quote me because I could be totally and completely wrong).

I found out about the CGI situation in /etc/apache2/sites-available/default and /etc/apache2/sites-enabled/000-default.

OK, I realize that Apache is a huge deal. It’s production-ready, hugely scalable, time-tested, and all that other good stuff that makes for a bullet-hardened app. Did I throw in enough cliches?

But holy crap — I’ve got FOUR configuration files in front of me.

I somehow in my previous installation was able to get the “home” of my Web server out of /apache2-default/, and now that I know where the cgi-bin area is (and presumably how to move it) … I just might get this thing off the ground.

All I do know is that the online Apache docs led me astray (and were extremely vague about where exactly to put the various configuration lines I needed).

Here’s what I’m going to do now: NOTHING. I’m going to sit on this for a day or so and think about how to proceed without screwing the whole thing up.

Trying OpenSSH in Debian Etch … plus thoughts on security, sudo and nano vs. vi

I did a Debian Etch install on one of my test machine drives recently, and today I added the openssh-server package so I could play around with PuTTY and Xming.

Once I installed openssh-server (I used Synaptic, in case you were wondering), using PuTTY to start the connection, I was asked whether or not I expected the encryption key to change (I was, since this is the Debian install, not OpenBSD, which I’ve been using until now).

One bonus of using this Debian Etch install: The OpenBSD drive is noisy, which probably means it’s gonna go. The drive on which I installed Etch is much quieter. I probably need to get some newer, bigger drives … or a whole new test box, but that’s another story for another time.

Quirks in Debian Etch with openssh-server: I can run X apps, no problem. When I run:

$ nautilus &

… I get a huge window with the entire GNOME desktop, minus the toolbars. And I can’t close that window — Xming won’t let me, I think. X-ing it out doesn’t work. I had to kill the process in my PuTTY terminal. (Note: $ startx & does not work …)

Speaking of security: OpenBSD is known for its security above all else. Here’s how using openssl openssh (which was created by the OpenBSD team) differs — at my lowly level, anyway — between OpenBSD and Debian Etch:

In OpenBSD: The sshd server is included in the standard install. But it can’t be used until rootly powers are used to implement it. Running X over ssh is not allowed until the appropriate configuration changes are made. But root logins are allowed over ssh by default; the administrator, however, can choose to block root login (which I did).

In Debian: Debian installs without the ssh server installed. So without the administrator specifically installing openssh-server, nobody can ssh into the box. But once that package is installed, Debian automatically allows ssh logins — and X logins as well. As with OpenBSD in its default state, root logins are permitted over ssh until that feature is turned off in /etc/sshd_config.

I don’t understand all the lines in sshd_config, but I probably should get better acquainted with each and every one of them.

Speed? It could be the fact that this Debian Etch box has the GNOME desktop, and I’ve been running OpenBSD either from the console or the default Fvwm window manager, but everything happens a lot faster with the OpenBSD install (hardware is the same for both). I could modify Debian to boot to a console instead of GDM, and that might speed it up a bit (memory is 256 MB), but whatever the reason, thus far OpenBSD is a bit smoother. (Later, things seemed to run a bit better when I didn’t log in on the Debian box and hence didn’t have GNOME running).

More on security: If this box wasn’t just something for me to play with on the local network, the stakes would be a lot higher. I suppose not having sshd is pretty good security when compared to having sshd installed but not enabled. And I also suppose that installing sshd (openssh-server) means that you want to actually use it. But in the case of both OpenBSD and Debian, I wonder why root logins over SSH are enabled by default. If anything, I’d expect OpenBSD to disallow them until the administrator of the box decides to turn that feature on.

And since you can always use su or sudo (Ubuntu has conditioned me to like sudo, and I always add myself to the sudoers list with visudo, there’s really no reason for a root login over ssh.

Side note: Debian doesn’t automatically add the primary user to the sudoers list, something I always do because on many occasions I’d rather use sudo than su.

Ubuntu, by default, disables root logins entirely and only offers sudo. It makes setting root’s crontab a pain in the ass. I use sudo -i crontab -e to get into root’s crontab in Ubuntu.

Side note to a side note: While I can fake my way around vi, I like it when nano is the default editor and crontab -e brings up nano instead of vi. The one thing I don’t like about nano is that when you wrap text, actually linefeeds are inserted. At least in vi you can have the text break in the middle of a word without turning word wrap on (although you are able to do so if you want wrapped text). The one thing I like in X editors is the ability for text to look wrapped without actually being wrapped.