Ubuntu Me!

Volume 8, Issue 117; 12 Sep 2005; last modified 08 Oct 2010

Notes on switching to Ubuntu: the good, the annoying, and the seriously bad.

[Update: no more badness.]

After a decade of Debian (give or take a few awful years when I was forced to run a proprietary OS), I decided I'd give Ubuntu a try. Ubuntu is built on top of Debian and I'm sure I never would have switched if it hadn't been, so this migration isn't intended as a criticism of Debian.

Some folks subscribe to the “if it ain't broke, don't fix it” motto, but I've never been very content that way. If it can be made better, isn't it just a little bit broken? Anyway, it's certainly reasonable to ask why I'd go off and do something as radical as start my desktop OS from scratch.

I had several motivations:

  1. I wanted to use encrypted partitions for my email and other documents. Granted, I don't really have anything on my laptop that's worthy of corporate espionage, nor do I have any deep, dark secrets in my email that would make good blackmail fodder, but the villains don't know that. And it irks me that they could boot with a Knoppix CD and read my disk. Not anymore.

  2. I wanted a distribution that stayed a little closer to the bleeding edge. I've heard good things from friends and colleagues about Ubuntu and it seems to be aimed at achieving a good balance between stability and the absolute latest releases.

  3. My system is a collection of hacks on top of hacks. This isn't a bad thing, it just reflects years of working through bugs and issues with alpha versions of everything. I wanted to “start over”. I'm really trying to minimize the amount of customization I do, I'm trying to use the advertised interfaces as much as possible and hacking /etc/init.d/ as little as possible.

  4. I'm feeling hugely over-stressed. I have deadlines on top of deadlines and I needed something to do in the evenings that would be distracting but not too hard. I'm sure this is bad time management, but it keeps me sane.

Getting Started

There was no way to do this “in place” without risking my ability to get my day job done, so I started with a new 80Gb disk. The first step was booting the Ubuntu “Hoary Hedgehog” install CD and partitioning the disk.

As near as I can tell, partitioning is as much art as science. I had a couple of constraints to consider: first, I wanted to encrypt part of the disk and second, I store email in individual files. Encryption meant that I needed an unencrypted boot partition and an encrypted partition. Efficiently storing a quarter of a million small email messages in individual files means that I need a partition for that too (so that I can set a small block size).

I think it's possible to make a very tiny unencrypted boot partition and store the majority of the system on the encrypted partition, but I decided not to bother. I don't need to encrypt the OS. In the end, I created five partitions:

| Partition | Size | Notes |
|---|---|---|
| hda1, unused | 10Gb | In case I need some proprietary OS someday |
| hda2, root | 25Gb | The OS |
| hda3, swap | 2Gb | Big enough for hibernation |
| hda5, data | 39Gb | Encrypted data |
| hda6, mail | 4Gb | Encrypted mail |

Getting Up and Running

After partitioning, I finished the “Hoary” install and poked about. No fvwm. Hmm. Not good. Not even livable. I could have grabbed the source, but I'm trying not to do that. A little exploration revealed that it's in the next Ubuntu release, the soon-to-be-ready “Breezy Badger”. What the heck: fiddle /etc/apt/sources.list, run apt-get update; apt-get dist-upgrade, and I'm running “Breezy”.

Get fvwm and switch to it.

I'm sure lots of folks want to have Nautilus running on their root window, but not me. I work with a six-desktop layout: desk 0 is my main work desktop, it has an emacs and two shell windows; desk 1 is for browsing, it has firefox; desk 2 is for email, it has an emacs, two shell windows, X-Chat, and Gaim; desk 3 is for VPN; and desks 4 and 5 are scratch space. There is no useful amount of root window visible on any of the desktops I routinely use and the only purpose for the little slivers that are visible is so that I can pop up root menus. Getting nautilus off the root window requires unchecking /apps/nautilus/preferences/show_desktop in gconf-editor.

Speaking of desktops, why doesn't the Workspace Switcher remember my preferences? Why does it always show four desktops when it starts instead of the six that I keep telling it I want?

Next annoyance, why don't any of the gcc packages create the /usr/bin/gcc symlink? Doesn't matter: symlink created.

At this point, I had a working system, so I set up the encrypted partitions with dm-crypt and copied my data onto the new disk. Everything went smoothly. Both partitions are encrypted and when I boot, the system asks for the pass phrases. Here's a patch I decided I had to make: the distributed /etc/init.d/cryptdisks only asks once for each password. My typing is good, but the pass phrases are fairly long and my typing isn't that good. I decided to patch cryptdisks so that it will ask up to five times. I also figured it should run e2fsck before mounting the partitions.
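The retry-then-check behaviour described above, as an added example; it is not the author's patch or the distributed /etc/init.d/cryptdisks. It assumes a plain dm-crypt mapping holding an ext2/ext3 filesystem and current cryptsetup syntax, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not the author's patch. Assumes an ext2/ext3 filesystem
# inside a plain dm-crypt mapping; all function names are hypothetical.

MAX_TRIES=5   # the post's "up to five times"

# Thin wrappers so the policy below can be read (and tested) on its own.
open_volume()  { cryptsetup open --type plain "$2" "$1"; }  # prompts for the pass phrase
close_volume() { cryptsetup close "$1"; }
check_fs()     { e2fsck -p "/dev/mapper/$1"; }              # -p: repair only what is safe

# unlock_and_check NAME DEVICE
# returns 0: mapping is open and the filesystem is clean or was safely repaired
#         1: every attempt failed; nothing is left mapped
#         2: the key is right but e2fsck wants attention (status 2-7); do not mount
unlock_and_check() {
    uc_name=$1 uc_dev=$2 uc_try=1
    while [ "$uc_try" -le "$MAX_TRIES" ]; do
        if open_volume "$uc_name" "$uc_dev"; then
            # "|| fs_rc=$?" keeps this safe in scripts that run under set -e.
            fs_rc=0
            check_fs "$uc_name" || fs_rc=$?
            # e2fsck exit status is a bit mask: 0 clean, 1 errors corrected,
            # 2 corrected and reboot advised, 4 errors left, 8+ could not run.
            if [ "$fs_rc" -le 1 ]; then
                return 0
            elif [ "$fs_rc" -lt 8 ]; then
                return 2
            fi
            # 8 or more: no usable superblock behind this key. Plain dm-crypt
            # maps the device with any pass phrase, so a typo only shows up
            # here. Drop the bogus mapping before asking again.
            close_volume "$uc_name"
        fi
        echo "Attempt $uc_try of $MAX_TRIES failed for $uc_name" >&2
        uc_try=$((uc_try + 1))
    done
    return 1
}
```

A boot script would mount the mapping only when unlock_and_check returns 0, and leave it unmounted for manual repair on 2.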

A consequence of having to type passwords at boot time is that the pretty, graphical “splash boot” option doesn't really work, so I turned it off.

Next I installed the Thinkpad modules (for my T42p), switched to the “686” version of the Ubuntu 2.6.12-8 kernel, and installed my network printer under CUPS. All straightforward.

There doesn't seem to be an Ubuntu or Debian package for mplayer, my video player of choice. In fairness, the mplayer build is pretty aggressive about optimizing for your hardware, so maybe it makes sense to build that one from source. Another annoyance: building mplayer revealed that Ubuntu puts the X11 include files in /usr/include/X11 instead of the expected /usr/X11R6/include/X11, but a symlink fixed that.

Another unpackaged application: dspam. Getting that set up required retraining my spam filter, but that turned out not to be too hard. Switching to exim4 and getting my various spam-filtering, mailhop forwarding, work, and home configurations set up was a bit more tedious, but I got there.

Getting Gnome to use the “emacs” theme (an absolute requirement, from my point of view) required another trip through gconf-editor to /desktop/gnome/interface/gtk_key_theme to set it to “Emacs”.

I was naively expecting to just copy my subversion repositories, but instead I had to dump and restore them. I also moved the location of the working directory for this site, so I decided to rebuild the whole thing, just to make sure I got all the configuration correct. After a couple of false starts, I got there. I think.

Ubuntu installs a whole bunch of X11 drivers for various video cards. Why can't I uninstall all the ones that I don't actually need? The way the dependencies are set up, it's all or none. Well, I guess disk space is cheap.

The last thing I had to figure out was where to install my firewall configuration (an iptables script). Installing the Ubuntu iptables package didn't seem to put any sort of init script in place, so I just popped it back in /etc/init.d/ and linked it from /etc/rc2.d as an “S13” process.

Hmm, and I still need to figure out DVD burning. I don't see a cdrecord-dvdpro package, but I do see some other DVD-related things.

All-in-all, Ubuntu is working out perfectly. Almost all of my hacks are gone: mounting the encrypted disks, starting wifi, loading X11, etc., all “just work”. I think that's the way it's supposed to be.

The Seriously Bad

I do have one really serious issue: the Cisco VPN client that I have to run to connect to the corporate firewall raises a kernel panic occasionally. And by occasionally, I mean, within a few hours if I keep it running.

I thought I'd back down to the 2.6.11.3 custom kernel that I had been using, but it can't seem to mount the encrypted partitions. While booting, it reports:

device-mapper: error adding target to table
device-mapper: dm-linear: Device lookup failed

That's odd because I had successfully tested encryption on an external disk under the old system, and the new system can still mount that encrypted disk, so there must be some incompatibility in libraries or some aspect of the LVM system.

It's a rock and hard place, for sure. Most of my animosity about this is directed at the closed-source Cisco VPN software, but I can't use the open source alternative until it supports profile certificates.

So far the crashes have been harmless. I back up often. And I'm running VPN as infrequently as possible.

I think I might try building my own custom kernel, I'd like to enable preemptive scheduling anyway, and see if that helps. I've tried both vpnclient-linux-4.6.02.0030-k9.tar.gz and vpnclient-linux-x86_64-4.6.03.0190-k9.tar.gz.

Suggestions most welcome.

Comments

"All these configuration settings ought to be in text files, probably XML, somewhere under ~/.gnome where I can grep for things!"
Isn't this how it works now, with gconf-editor being just a gui-editor for these files?

—Posted by polaar on 12 Sep 2005 @ 02:28 UTC #

Yes, that is exactly how it works. gconf-editor is a UI on top of gconfd (which is very useful for various things like notifying the entire system about config files changes), which writes XML files to ~/.gconf/

—Posted by Ross on 12 Sep 2005 @ 02:35 UTC #

Mplayer is really easy to get under Ubuntu, just add the universe and multiverse repositories to your sources file, then apt-get update and apt-get install mplayer.

And it has become even simpler with Breezy Badger, open the new add/remove program application that is available in the Gnome menu, browse to the Mplayer and it will ask you if you want to add the universe or multiverse repositories and do it for you if you agree. However since you are using fvwm I do not know if this route is available to you.

—Posted by Laust M. Ladefoged on 12 Sep 2005 @ 02:43 UTC #

Ah. ~/.gconf

Ok, I retract my rant about gconf-editor :-)

—Posted by Norman Walsh on 12 Sep 2005 @ 03:14 UTC #

GConf also allows applications to install a schema for their configuration, which is intended to make the database more discoverable than the mess that the Windows registry is.

But the schema installation is a pain for people who build packages. And I still prefer text files because they’re much easier to synch across multiple machines…

—Posted by Aristotle Pagaltzis on 12 Sep 2005 @ 06:13 UTC #

If I understand correctly, your Subversion repositories can be “naïvely copied” if you use FSFS storage instead of BDB.

—Posted by Kevin Reid on 13 Sep 2005 @ 12:12 UTC #

Try using "vpnc" instead of the broken Cisco client. Many universities in Germany use Cisco VPN for their wireless network, and "vpnc" works with most if not all of them. (VPNC is an implementation of Cisco's Xauth non-IPsec-IPsec... a pre-shared-key approach/extension which is vulnerable to man-in-the-middle attacks, so it was rejected from the IPsec standard.) If your admins won't tell you the shared secret, run ltrace on the Cisco client and watch for when it reads the config file. It will decrypt the secret for you.

—Posted by Erich Schubert on 13 Sep 2005 @ 12:59 UTC #

Next time you need a partition with lots of small files, consider using ReiserFS. Reiser automatically puts multiple small files in the same block, so you don't have to worry about fiddling the block size for optimization, and can use the same partition for everything (if you want). I switched to Reiser when I was doing some GIS work with tens of thousands of tiny data files, and the difference in disk usage was astonishing. Reiser is also a journaling FS, like Ext3.

—Posted by David Megginson on 13 Sep 2005 @ 04:37 UTC #

ReiserFS is inherently more fragile, though. At least these days it’s pretty mature, so reports of hair-raising blowups have become rare. But it achieves its goals by avoiding the highly and predictably structured metadata storage of more traditional filesystems, which means any error in the metadata inherently has more dire consequences for a larger portion of the filesystem than with traditional filesystems. And all that haggling with highly volatile structures eats a lot of CPU.

I’m using ext3 because waiting for fsck after a freeze or kernel panic or power outage or whatever sucks, but I don’t really like any of the journalling filesystems on offer.

—Posted by Aristotle Pagaltzis on 14 Sep 2005 @ 01:24 UTC #

"Mplayer is really easy to get under Ubuntu, just add the universe and multiverse repositories to your sources file, then apt-get update and apt-get install mplayer."

Doesn't work in 5.10 (Breezy). Pity.

—Posted by Richard on 15 Oct 2005 @ 12:08 UTC #

It does work in Breezy (5.10): just "apt-get update" and "apt-cache search mplayer" after adding the universe and multiverse repositories, then find the one you need, probably mplayer-386, and apt-get install it.

—Posted by Scott Wigham on 06 Nov 2005 @ 11:33 UTC #

After reading your post I found that I had the same problem with the number of workspaces not being saved across sessions on Ubuntu.

I discovered that you can fix this by running gconf-editor and setting a value for the key /apps/metacity/general/num_workspaces. Mine was set to, IIRC, "" and it looks like the workspace switcher preferences isn't handling this too well.

The cause of the problem may be because I have brought my $HOME, and my Gnome config, along with me through a couple of different distros for a couple of years now. Metacity used to use the key "/desktop/gnome/applications/window_manager/number_of_workspaces" but it looks like this has been deprecated at some point and Gnome isn't doing something sensible with existing configs.

I've raised this on the Ubuntu Bugzilla so hopefully this will get fixed.

Hope it helps!

—Posted by Andy Bold on 21 Dec 2005 @ 01:38 UTC #

Actually burning DVDs works fine in KUbuntu-6.06-beta2, using k3b - which uses growisofs as backend instead of cdrecord. This was a nice surprise, after reading this article ;)

—Posted by David Faure on 01 May 2006 @ 10:38 UTC #

If vpnc is not working with your vpn server, try this:

vpnc --natt-mode cisco-udp your_config.conf

—Posted by Tamas on 23 Jan 2008 @ 02:56 UTC #

I could get vpnc to work instead of the VPN client. I am using mutual group authentication with root certificate. Look at the instructions here:

http://www.toolsbysk.com/skforums/forum/Blah.pl?m-1247385296

—Posted by boscharun on 12 Jul 2009 @ 10:15 UTC #