Updating Windows without a network connection

Problem: I have to get three Windows servers patched up to date tomorrow. I found this out about 3 this afternoon.

Second problem: No network connection to the outside world, under any circumstances.

Third problem: Any rewritable media used on said servers must be destroyed after use.

Impossible? Believe it or not, no. Normally we keep a copy of Hfnetchk Pro in this environment for pushing out patches (copied from an Hfnetchk Pro server that does have a connection to the outside world), but someone saw fit to blow that server away. Ahem. Someone can expect a thank-you letter from me. And perhaps a thank-you present from my dog.

As for why servers with no connection to the outside world need patches to protect them from the outside world, well, I don’t make the rules.

So the answer in this case is to get my grubby mitts on ctupdate, a tool written by the wonderful German IT magazine c’t (their few English-translated articles are so brilliant, I wonder sometimes if I should learn German just so I can read the magazine).

Ctupdate will go download your updates, make an ISO image for you to burn to CD or DVD, and the result includes a nice menu so brain-dead easy that even a CIO could use it. (Oh, did I say that out loud?)

The catch? At present, a full collection of Windows XP or 2003 updates is nearly 800 MB in size, so make sure you have a fast network connection and either a DVD burner or a big USB disk if you plan to use it.

With a ctupdate-created DVD in hand, I can walk up to those isolated servers, pop in the disc, click a couple of buttons, have a cup or two of coffee, and then move on to the next one. Or better yet, copy the DVD to a network share, run the executable, click those buttons, have some coffee, and get on with the day. Problem solved.

This works for some slightly less convoluted situations too. If you expect to be asked to fix Windows PCs for a relative or twelve while you’re on Christmas vacation, prepare by downloading ctupdate, downloading all the updates, and either burning them to DVD or copying them over to a USB device. It works with Windows 2000, XP, and 2003 updates.

I got a Pentax K110 digital SLR camera last month

When the Nikon D40 came out in November priced at $599, it seemed like the whole world went ga-ga over it. After all, we’ve pretty much been conditioned to expect to pay $1,000 to get into the digital SLR game.

But then I found out about the Pentax K110D. It’s also a digital SLR, and costs about $100 less than the Nikon. There wasn’t much information out there about it. So, after consulting the one person whose opinions on cameras I trust, my wife and I got one. Pentax isn’t the biggest name in cameras but is hardly a no-name either. The Pentax K1000 camera, first released in 1976, is a legend.

The K110D is a basic 6-megapixel digital SLR. It uses SD flash memory cards for storage and rechargeable NiMH AA batteries for power. (Batteries are included, an SD card isn’t. But I couldn’t tell if the batteries were rechargeable because the writing on them is in Japanese.)

Most importantly, someone like me, who knows very little about photography, can take a good shot with this camera. While you can set all of the ISO settings you want, you can also put the camera on fully automatic, where it decides everything for you. In fully automatic mode, if you can frame a decent shot and get it in focus, the camera will take care of the rest.

You can see some shots I took this way with the camera at The Gauge. I shot these through a department store window, so there’s some glare. That’s not the camera’s fault.

The camera’s quality is good. You don’t want to play catch with it or expose it to any rough handling that you can possibly avoid, but it doesn’t feel fragile in your hands either. In case you’re wondering, the camera is manufactured in the Philippines, while the lens is manufactured in Vietnam.

While 6 megapixels may seem a bit wimpy in this era of 10-megapixels and above, you don’t really need the extra resolution unless you’re making really large prints. A cheap 10-megapixel point-and-shoot could actually take a worse image than this camera if its optics and sensor aren’t of comparable quality.

If you’re looking for more versatility than a point and shoot will give you, but don’t care to spend four figures on a camera and a couple of lenses, the K110D or its bigger brother, the K100D (which adds image stabilization) is a good bet.

I like this camera a lot and would buy it again without hesitating.

A Linux-based GPL’ed disk partition table recovery program

It seems like I’m recommending the program MBRwork to someone at least once a month. I recommended it two or three times just last week. But there are a couple of things I don’t like about it. One, it’s DOS. Creating DOS boot floppies isn’t as easy as it used to be. And two, it’s proprietary, so it could theoretically disappear any minute.

But similar tools exist for Linux. The most highly regarded is gpart (guess partition), which just happens to be included on the BG-Rescue Linux two-floppy rescue system. Download BG-Rescue Linux and burn the ISO image to a CD, or download the two-floppy version and write it to two floppies, and keep it in your toolbox. Or, of course, they’re on Knoppix.

When a partition table vanishes, or, a more likely scenario, a system quits booting mysteriously, you can boot BG-Rescue Linux and run gpart. You can also check FAT/FAT32 filesystems with dosfsck and NTFS partitions with ntfsfix.

Need to undelete some files in an emergency? You can even undelete files from NTFS partitions with ntfsundelete.

Clearly, skills with a handful of Unix utilities are very useful even in a strictly Windows shop.

Looks like I should explore these tools a bit more in-depth this week.

Ho-hum.

Another day, another Outlook worm. Tell me again why I continue to use Outlook? Not that I ever open unexpected attachments. For that matter, I rarely open expected ones–I think it’s rude. Ever heard of cut and paste? It’s bad enough that I have to keep one resource hog open to read e-mail, so why are you going to make me load another resource hog, like Word or Excel, to read a message where the formatting doesn’t matter?
The last couple of times I received Word attachments that were important, I converted them to PDFs for grins. Would you believe the PDFs were considerably smaller? I was shocked too. Chances are there was a whole lot of revisioning data left in those documents–and it probably included speculative stuff that underlings like me shouldn’t see. Hmm. I guess that’s another selling point for that PDF-printer we whipped up as a proof of concept a couple of weeks ago, isn’t it? I’d better see if I can get that working again. I never did get it printing from the Mac, but seeing as all the decision-makers who’d be using it for security purposes use PCs, that’s no problem.

I spent the day learning a commercial firewall program. (Nope, sorry, won’t tell you which one.) My testbed for this thing will be an old Gateway 2000 box whose factory motherboard was replaced by an Asus SP97 at some point in the past. It’s got 72 megs of RAM. I put in an Intel Etherexpress Pro NIC today. I have another Etherexpress Pro card here that I’m bringing in, so I’ll have dual EEPros in the machine. The firewall has to run under Red Hat, so I started downloading Red Hat 7.2. I learned a neat trick.

First, an old trick. Never download with a web browser. Use the command-line app wget instead. It’s faster. The syntax is really simple: wget url. Example: wget http://www.linuxiso.org/download/rh7.2-i386-disc1.iso

Second trick: Download your ISOs off linuxiso.org. It uses some kind of round-robin approach to try to give you the least busy of several mirrors. It doesn’t always work so well on the first try. The mirror it sent me to first was giving me throughput rates that topped out at 200KB/sec., but frequently dropped as low as 3KB/sec. Usually they stayed in the 15MB/sec range. I cancelled the transfer (ctrl-c) and tried again. I got a mirror that didn’t fluctuate as wildly, but it rarely went above the 20MB/sec. range. I cancelled the transfer again and got a mirror that rarely dropped below 50MB/sec and occasionally spiked as high as 120MB/sec. Much better.

Third trick (the one I learned today): Use wget’s -c option. That allows wget to resume transfers. Yep, you can get the most important functionality of a download manager in a 147K binary. It doesn’t spy on you either. That allowed me to switch mirrors several times without wasting the little bit I’d managed to pull off the slow sites.

Fourth trick: Verify your ISOs after you download them. LinuxISO provides MD5 sums for its wares. Just run md5sum enigma-i386-disc1.iso to get a long 32-character checksum for what you just downloaded. If it doesn’t match the checksum on the site, don’t bother burning it. It might work, but you don’t want some key archive file (like, say, the kernel) to come up corrupt. Even though CD-Rs are dirt cheap these days and high-speed burners make quick work of them, there’s still no point in unnecessarily wasting 99 cents and five minutes on the disc and half an hour on a questionable install.
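The third and fourth tricks combined into one script, as an added example that is not from the original post: resume the same ISO across several mirrors with wget -c, then compare its md5sum against a sum taken from the distribution’s own site rather than from the mirror that served the file. The mirror URLs and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Resumable ISO download over a
# list of mirrors, followed by an MD5 check against a published MD5SUMS file.
# The sums file must come from the distribution's site, not from the mirror
# you downloaded the ISO from, or a bad mirror could vouch for its own copy.

# md5_of FILE: print the MD5 of FILE as 32 lowercase hex characters.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"          # BSD/macOS fallback
    fi
}

# expected_md5 SUMSFILE NAME: look NAME up in an MD5SUMS-style listing
# ("<hash>  <name>" or "<hash> *<name>" per line). Prints the hash, or
# nothing if NAME is not listed.
expected_md5() {
    awk -v f="$2" '{ n = $2; sub(/^\*/, "", n); if (n == f) { print $1; exit } }' "$1"
}

# verify_md5 FILE EXPECTED: succeed only when the sum matches exactly.
# An empty EXPECTED (name missing from the listing) is treated as a failure,
# so a typo in the file name cannot pass as a successful check.
verify_md5() {
    [ -n "$2" ] || return 1
    actual=$(md5_of "$1")
    [ "$actual" = "$2" ]
}

# fetch_iso NAME MIRROR...: fetch NAME from each mirror in turn. -c resumes
# whatever a slow mirror already delivered instead of starting over; -t 3
# gives a stalled mirror three tries before we move to the next one.
fetch_iso() {
    name=$1; shift
    for m in "$@"; do
        if wget -c -t 3 "$m/$name"; then
            return 0
        fi
        echo "mirror $m failed, trying the next one" >&2
    done
    return 1
}

# Usage: sh thisscript.sh fetch ISO-NAME MD5SUMS-FILE MIRROR-URL...
# (constructed placeholders: enigma-i386-disc1.iso, http://mirror1.example.invalid/isos)
if [ "${1:-}" = "fetch" ]; then
    iso=$2; sums=$3; shift 3
    fetch_iso "$iso" "$@" || exit 1
    if verify_md5 "$iso" "$(expected_md5 "$sums" "$iso")"; then
        echo "$iso: checksum OK, safe to burn"
    else
        echo "$iso: checksum MISMATCH, do not burn" >&2
        exit 1
    fi
fi
```
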

As for downloading the file in separate pieces like Go!Zilla does, there’s a command-line Linux program called mget that does it, but it doesn’t follow redirection and it doesn’t do FTP except through a proxy server, so I have a hard time recommending it as a general-purpose tool. When it works, it seems to work just fine. You might try mget, but chances are decent you’ll end up falling back on wget.

Why I run Debian, and some Debian tricks

After Dan Bowman pointed out another blogger’s recent difficulties installing Evolution on Mandrake 8.1, I had little comment other than, “That wouldn’t be an issue if you’re running Debian.” Well, I think I said a few other things because I tend to be wordy, but that was the only important thing I had to say. Debian is one of the more difficult Linux distributions to install (you have to know what hardware is in your machine–it doesn’t nicely autodetect everything like Mandrake), but it’s far and away the easiest distribution to maintain. We’ll get back to that in a minute.

Released versions of Debian tend to be ultra-conservative. The current version, Debian 2.2r5, still uses the 2.2.19 kernel, for one thing (and that’s a fairly recent change). The current 2.2 kernel is either 2.2.39 or 2.2.40. All packages (at least all the ones anyone uses anymore) are constantly checked and maintained and patched. In theory, the current stable Debian release ought to be the most bullet-proof Linux available.

Besides Debian Stable, there’s also Debian Testing and Debian Unstable. Debian Unstable is pretty cutting-edge, but I’ve had no problems running it. I just keep up with the current patches and the system runs fine. I know people who run production servers on Testing and Unstable and get away with it.

If you want the latest and greatest stuff, after you install Debian, edit the file /etc/apt/sources.list and uncomment the ftp and http lines. Next, copy and paste those lines, then edit the “stable” to read “unstable.” (Or if you’re more conservative, edit it to read “testing.”) Be aware that occasionally you’ll run into problems running packages from unstable under stable. I ran Evolution, Galeon, Dillo, Sylpheed, and a multitude of other packages from unstable just fine, but when I installed AbiWord (a really nice, lean, mean, superfast word processor, by the way) it failed to run right. I upgraded to unstable, and then it worked perfectly.
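The sources.list edit described above, as an added example that is not from the original post: uncomment the http and ftp lines, then add a copy of each stable line pointing at unstable (or testing). It reads stdin and writes stdout so the result can be inspected before anything is applied; the mirror names in the comments are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Rewrites a Debian
# /etc/apt/sources.list: "#deb http://..." and "#deb ftp://..." lines are
# uncommented, and every active http/ftp line on the "stable" suite gets a
# second copy on the suite you ask for. cdrom: lines and lines on other
# suites (e.g. "stable/updates") are passed through untouched.

# add_suite SUITE  (stdin -> stdout), SUITE is "unstable" or "testing"
add_suite() {
    awk -v suite="$1" '
        # 1. Uncomment "#deb ..." / "#deb-src ..." lines whose URL is http or ftp.
        #    sub() rewrites $0, which re-splits the fields for the rules below.
        /^#[ \t]*deb(-src)?[ \t]+(http|ftp):\/\// {
            sub(/^#[ \t]*/, "")
        }
        # 2. Print the (possibly uncommented) line itself.
        { print }
        # 3. Fields are "deb URL SUITE COMPONENTS...": when SUITE is exactly
        #    "stable", emit one more line for the requested suite.
        /^deb(-src)?[ \t]+(http|ftp):\/\// && $3 == "stable" {
            $3 = suite
            print
        }
    '
}

# Apply in place only when asked explicitly, keeping a backup, then refresh
# the package lists so the new suite is visible to apt-get.
# Usage: sh thisscript.sh --apply [unstable|testing]
if [ "${1:-}" = "--apply" ]; then
    cp /etc/apt/sources.list /etc/apt/sources.list.bak
    add_suite "${2:-unstable}" < /etc/apt/sources.list.bak > /etc/apt/sources.list
    apt-get update
fi
```

Preview first with `add_suite unstable < /etc/apt/sources.list`; the page’s own warning still applies, since packages from unstable do not always run under stable.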

OK, let’s talk some tricks.

Want to upgrade your distribution after a new version comes out, or upgrade from stable to testing or unstable? Easy. Type this:

apt-get update ; apt-get dist-upgrade

Then Debian will go download the pieces it needs to upgrade itself.

Want to keep your system up to date with any little changes (security patches, whatever) that may have happened recently? Type this:

apt-get update ; apt-get upgrade

So Debian lets you keep a current and presumably secure installation very easily. If you run that line regularly, you can rest assured that if your system is insecure, it’s not Debian’s fault but rather a misconfiguration on your part.

Want to try out some new piece of software? Forget having to hunt down RPMs or keep track of your distribution CD. Check availability with this command sequence:

apt-get update ; apt-cache pkgnames [name of program]

Found it? Excellent. Install it with this command:

apt-get install [name of program]

And if it wasn’t as great as you heard, you can uninstall it with this command:

apt-get remove [name of program]

System acting goofy? This’ll cure much that ails you:

apt-get clean ; apt-get update ; apt-get check

So from a system administration standpoint, Debian is great. Debian developers often try to justify the difficulty of installation by saying you only have to run it once, and to a degree, they’re right.

Compiling a kernel under Debian

I found a nice document detailing customizing your kernel under Debian. The standard method works under Debian, of course, but it’s cleaner to do it within the confines of your package manager–then it doesn’t go stomping on files you modified. Plus it’s actually a little easier to let Debian handle some of the details.

Here are the notes I took while using the document.

With additions:
Use kernel-source-2.4.17

export CFLAGS="-O3 -mcpu=i686 -march=i386 -fforce-addr -fomit-frame-pointer -funroll-loops -frerun-cse-after-loop -frerun-loop-opt -malign-functions=4"
export CXXFLAGS="-O3 -mcpu=i686 -march=i386 -fforce-addr -fomit-frame-pointer -funroll-loops -frerun-cse-after-loop -frerun-loop-opt -malign-functions=4"

Using -march=i686 is known to cause instability and not improve performance by any noticeable amount. The kernel mostly ignores these settings but I set them anyway. You can alternatively set them in the file /etc/profile. If you ever find yourself compiling apps from source, you want these options set so they’ll perform optimally.

A correction:
Debian tar doesn’t seem to support the -I switch for bzip2. So I extracted the archive with the following:
bunzip2 -k -c kernel-source-2.4.17.tar.bz2 | tar -xf -

The -k switch tells bzip2 to keep the original file intact, while -c tells it to extract to stdout. The | redirects stdout to the specified program, in this case, tar. -xf tells it to extract the file, and the trailing - tells tar to read that file from stdin.

I got an error on make xconfig:

make: wish: command not found.

So I headed off to www.debian.org/distrib/packages. At the bottom of the page, there’s a form where you can type a filename and it’ll tell you what package it comes from. Type in “wish,” hit enter, and I get a long list, including /usr/bin/wish8.3 in a package named libs/tk8.3. Sounds promising. So I do an apt-get install tk8.3 and I’m in business. Type make xconfig again, and we’re set. This page is also a really good way to hunt down packages if you don’t know exactly how Debian named it.

Options I chose for kernel compilation:

Code maturity level options: prompt for development and/or incomplete code/drivers. I answered Yes, so I’d get modern filesystem support.
Loadable module support: I answered yes to all. I’ve read that disabling modules and compiling everything directly into the kernel can improve performance but I’m wary of that. If the kernel’s too big, the system won’t boot. And the idea of modules is to keep only what you need in memory. So I suppose there are instances where a no-modules kernel could increase performance, but there are certainly instances where it would hurt. I chose to be conservative.
Processor type and features: I changed a couple of the defaults. Double-check the processor family option; in my experience it’s usually but not always correct. Enable MTRR support unless you’re using a 486, Pentium, or AMD K5 CPU. All other reasonably modern CPUs, including AMD, Cyrix, Intel, and WinChip, support MTRRs for increased GUI performance. Since the PC I’m using only has one CPU, I disable SMP support. Then I enable local APIC and IO-APIC support on uniprocessors.
General setup: I accepted the defaults, because aggressive use of APM makes me really nervous. Under Windows, APM always does me more harm than good.
MTD: Since I don’t use any flash memory devices, I accepted the defaults of No.
Parallel port support: Curiously, this was disabled by default. This PC has a parallel port but I only use network printers, so I left it disabled to save a little memory.
Plug and play configuration: I said no to ISA plug and play support, since this machine is a laptop and won’t have any ISA PnP cards. On modern PCs that have no ISA slots, say N.
Block devices: The defaults are usually sufficient, but some configurations need RAM disk support and initrd support turned on. If you’re going to mess around with ISO images, you’ll probably want to turn on loopback device support.
Multi-device support: I’ve never seen a laptop with RAID, so the default of disabling it all works great for me.
Networking options: The defaults are fine for most uses. If you’re going to make a router or firewall out of your PC, enable Netfilter.
Telephony support: I disabled it.
ATA/IDE/MFM/RLL support: Disable it if you have an all-SCSI system. I don’t. Turn on SCSI emulation support if you use a CD-R or CD-RW. Under IDE chipset support/bugfixes, disable the chipsets your PC doesn’t have. This laptop has an Intel chipset, so all I had enabled were Generic PCI IDE chipset support, Sharing PCI IDE Interrupts support, Generic PCI bus-master support, Use PCI DMA by default when available, Intel PIIXn chipset support, PIIXn tuning support.
SCSI support: I have an all-IDE system (unfortunately), so I disabled it. Note that SCSI emulation for a CD-R counts as a SCSI device, as does a parallel port Zip drive. Since I have neither, I’m safe disabling it to save some memory and speed up boot time slightly.
IEEE 1394 (Firewire support): I disabled it since I have no Firewire ports.
I2O device support: I disabled it.
Network device support: This can be tricky. I turned off SLIP and PPP since I don’t use them. You may need PPP. I turned off ARCnet support, which you’ll probably do as well since ARCnet is very rare. I have a 100-megabit 3Com 3c556 NIC in this laptop, so I went into Ethernet 10 or 100 Mbit, drilled down to 3COM cards, and said yes to 3c590/3c900 series, since that’s the driver the 3c556 uses. I turned off the others. I like to compile support for the machine’s NIC straight into the kernel when I can, since it speeds up network configuration at boot time. On servers, I’ve been known to compile support for every type of NIC I own into the kernel, so that if I ever have to change NICs, it’ll come back up automatically without any configuration from me. I turned off wireless, token-ring, PCMCIA, ATM, amateur radio, infrared, and ISDN support.
Old CD-ROM drivers: You can probably turn this off, unless you know you have an old proprietary 1X or 2X CD-ROM drive. These were the drives that generally plugged straight into an ISA sound card, and they were very common on 486s. I sold tons of these things in 1994; I’m pretty sure that by the time I was selling PCs again in the summer of 1995, everything I was selling had an IDE drive in it.
Input core support: I don’t use USB input devices, so I turned it off.
Character devices: Near the bottom, after Ftape support, there are options for specific chipsets. You can find out what chipset you have by typing the command lspci in a shell. (You have to be root to do this–use the su command if you’re logged in as yourself, as you should be.) This laptop has an Intel 440BX chipset, so I turned off the VIA, AMD, SiS and ALI support.
Multimedia devices: Disable video for Linux unless you have a capture card. Most will disable Radio adapters as well.
File systems: I enable Ext3 and ReiserFS, along with DOS FAT and VFAT (as modules), ISO 9660 and Joliet, NTFS read-only (as module). Under network file systems, I enable SMB since I (unfortunately) work in Windows environments. I disable NFS since we have no NFS servers.
Console drivers: The defaults work for me.
Sound: Since I have onboard sound, I enable sound support and pick my chipset, in this case, ESS Maestro3. I disable all others.
USB support: I have USB ports but don’t use them. I left it enabled just in case, but I’m not sure why.
Bluetooth: I don’t use it, so I disabled it.
Kernel Hacking: I disabled Kernel debugging, the default.
Whew! Hit Save and Exit. Exit X to save some system resources while compiling and installing.

The end result was an up-to-date kernel (2.4.17) that was about 200K smaller than the stock 2.2.19 kernel and boots to a login prompt in 18 seconds flat, as opposed to 45 seconds before. Much of the improvement is due to the 3c590 driver loading faster as part of the kernel rather than as a module, and the kernel no longer searching for phantom SCSI devices. But Charlie Sebold told me it’s his experience that recent 2.4.x kernels boot a lot faster than earlier kernels.

It’s not perfect–I don’t have sound completely working yet–but I found some clues. I’m not overly concerned about sound support though. The system beeps at me when I have mail, and for work purposes, that’s all the sound I need. I don’t see any point in turning my PC into a multimedia tribute to Billy Joel or Star Wars or Quake III.

More of the same.

As I watched my Royals’ parent club, the Oakland Athletics, play the Yankees, I burned a CD under Linux for the first time. I honestly don’t remember when I last used my old Sony CD-R (it’s so old it’s a 2X burner!) but that was under Windows.
But burning an ISO image is insanely easy, at least if you’ve got a SCSI drive. Here’s the voodoo I needed:

cdrecord -v speed=2 dev=0,0 binary-i386-1.iso

By the time I could have pulled up the ISO image in Easy CD Creator, I’d typed the command line and cdrecord had already burned a meg.

How do you know the numbers? cat /proc/scsi/scsi.

And I know now why my people at work who are in the know on Linux love Debian. How big is a default installation of the current release? 141 megs. Including XFree86 3.36. It’s definitely not a distro for those who like the bleeding edge or even the leading edge, but if you’re wanting to build a Firewall, Debian looks like the distro of choice, and it’ll fit on a discarded 170-meg drive with room to spare.

I reformatted my experimental mail server, then I installed Debian. Then I made it a mailserver. Exim, a sendmail replacement, was already installed. So was procmail. So here’s what I did to make a mail server:

apt-get install courier-imap
apt-get install fetchmail

I created a .fetchmailrc file in my home directory:

poll postoffice.swbell.net with protocol pop3
user dfarq password noway is dfarq

Then I made the file secure:
chmod 0710 .fetchmailrc

I configured courier-imap. I had to scroll down to the bottom of /etc/courier-imap.config and uncomment the last line to activate it. Then I configured exim. I searched for the phrase “maildir” and uncommented the line that enables maildir format (courier doesn’t work with the default mbox format, and maildirs are more efficient anyway).

Then I ran fetchmail: fetchmail -d.

That should have worked. It didn’t. Exim continued to use mbox format. So I can connect to my IMAP server, which is populated by fetchmail, which is in turn served by exim, but since exim doesn’t put the mail in a format the server understands, I’ve got nothing to read.

So I guess I’m going to think about ditching exim for qmail. I have no great loyalty to exim except that Debian put it there by default.

And the Cardinals are eliminated (I’m furious with the way LaRussa handled Matt Morris; he won’t win 22 games next season, that’s a given now) and the A’s are going to have to play Game 5 without Jermaine Dye. I see the Royals have problems with the Yankees even when they’re wearing another uniform. Hopefully they can pull it off today. I’d have liked to have seen Johnny Damon, Jermaine Dye, Jeremy Giambi and Mike Magnante go to the Series in Royals’ uniforms, but if they get there in someone else’s, I’ll take it.

Just had a conversation with Dan Bowman to confirm my feeble grip on sanity (but I was afraid I may have let go, so that is good news), and now it’s way late. It’s actually about 11:30; this server runs on Farquhar time. I’m gonna go make friends with my pillow. Apologies if this is poorly edited.

Sorcerer: An easier way to get Linux your way

I’ve talked about Linux From Scratch before, and I like how it gives you just what you want, compiled how you want, by your system, for your system, but it doesn’t actually give you a very useful system in the end.
Sure, you’ve got a text-based system with all the standard Unix utilities, and it boots like greased lightning, but there’s still a fair bit of configuration you have to do afterward. And the attitude of the committee that wrote it seems to be that if the documentation to do something exists elsewhere, it shouldn’t be repeated there. Speaking as a published author, I don’t agree with that absolute. Sure, a table listing DOS commands and their Unix equivalents is out of place in that kind of book, because that’s non-essential for getting a working system. But the two paragraphs required to tell you how to get your network card configured isn’t a big deal. Just do it!

I could spend way too much time ragging on the project, and it wouldn’t accomplish anything productive. Linux From Scratch is a fabulous way to learn a lot about the inner workings of a Linux system, and it’s an opportunity few, if any, other operating systems give you. And I guess since it makes you work so hard and look in other places for information, you learn more.

But if your main goal is a lean, mean system built the way you want it, rather than education, and you’re willing to give up a little control, there’s another way: Sorcerer Linux.

For Sorcerer, you download an ISO image that contains the essentials like a kernel, file utilities, a C compiler, and necessary libraries, all compiled for i586. This gives a good balance of compatibility and performance. When you install it, it compiles a kernel for your system, then it copies everything else to the drive.

The heart of Sorcerer is a set of shell scripts that automatically downloads current versions of software, checks dependencies, and compiles and installs them for you. It’s not as convenient or as polished as RPM, but it’s usable and the benefits, of course, are tremendous. You get the newest, most secure, most stable (and, usually, fastest) versions of the software you need, compiled for your particular architecture rather than the lowest common denominator.

I had some trouble installing Sorcerer at first. I found that after compiling the kernel, I had to answer Yes to the question, “Edit /etc/lilo.conf?” and make a change. The default /boot parameter didn’t work for my system. I had to change it from /devices/discs/disc0/part7 to /devices/discs/disc0/disc.

To avoid having to recompile the kernel over and over to get to that menu option that let me edit LILO’s parameters, here’s what I did:

chroot /mnt/root
mount -t devfs /devices /devices
nano /etc/lilo.conf
lilo -f
exit

Sorcerer doesn’t currently have spells (sorcerers cast spells, therefore, Sorcerer packages are called spells, get it?) for every package under the sun, but most of the essentials are covered. I’ll have to write spells for a few of my faves and contribute them.
