Posts Tagged ‘linux’


Updating CentOS 4.9

I recently booted up a long-powered-off test system for a customer, and realized it was still CentOS 4.7. up2date gives one of these error messages:

Error: Bad/Outdated Mirrorlist and Baseurl

[Errno -1] Header is not complete.
Trying other mirror.

To fix, first run this to update to a newer version of yum:

# Install in dependency order; assumes the RPMs listed below have been
# downloaded into the current directory.
for i in \
libxml2-2.6.16-12.6.i386.rpm \
libxml2-python-2.6.16-12.6.i386.rpm \
readline-4.3-13.i386.rpm \
python-2.3.4-14.7.el4.i386.rpm \
python-elementtree-1.2.6-5.el4.centos.i386.rpm \
sqlite-3.3.6-2.i386.rpm \
python-sqlite-1.1.7-1.2.1.i386.rpm \
elfutils-0.97.1-5.i386.rpm \
popt-1.9.1-32_nonptl.i386.rpm \
rpm-libs-4.3.3-32_nonptl.i386.rpm \
rpm-4.3.3-32_nonptl.i386.rpm \
rpm-python-4.3.3-32_nonptl.i386.rpm \
python-urlgrabber-2.9.8-2.noarch.rpm \
yum-metadata-parser-1.0-8.el4.centos.i386.rpm \
; do rpm -Uvh "${i}"; done

(note: the order is important for the dependencies, and the trailing “\” prevents bash from spitting out interpretation errors, but makes it readable.)

Then edit /etc/yum.repos.d/CentOS-Base.repo: comment out mirrorlist directives, and in each enabled section add baseurl=$basearch, baseurl=$basearch, etc.

Note the change from to – the CentOS Vault is handling RPM headers differently than yum in CentOS 4.9 expects. The archive does not.


Lenovo T430 running Kubuntu 12.10 for extreme battery life.

It’s been a long time since I’ve updated my Linux buildout on this site.

I’ve recently upgraded to a Lenovo T430 (from a T500, and Dell before that). This laptop has the following hardware:

Jump to main sections with these links:
CPU Configuration
Network Configuration
Video/Bumblebee Configuration
Encryption / Security configuration
Battery saving configuration
Custom kernel .config
This is the first time in years I haven’t had a built-in 3G Modem for internet access, but with wifi tethering to my phone, I don’t think it’ll be an issue. Out of the box, everything I cared about worked. I didn’t test the fingerprint reader or the Nvidia graphics with the default install, and pretty quickly customized the system, but if you’re not into customization, rest assured, the Ubuntu team did a fantastic job on the setup.

CPU and Battery

As stated in this post from 2007, I’m a huge fan of extreme battery life. I’m still using cpufreqd, laptop-mode-tools, and checking their configuration with powertop to make sure I’m doing everything I can. I also custom-compile my kernel, which I’ll discuss more below.

Kubuntu 12.04 defaults to the “ondemand” cpufreq driver, which is great for power savings, except that it does its speed modulation in preference of performance. That is, when the lowest speed of the processor (1.2GHz in my case) isn’t enough, ondemand immediately jumps the CPU speed to the fastest available (2.9GHz in my case). Then, when the fastest is more than required, ondemand steps off slowly. This is perfect for video and gaming applications, and most people. I, however, greatly prefer the “conservative” driver, which works in the opposite manner: when an application needs more power, the conservative driver steps up 1 CPU speed level at a time, until the appropriate CPU speed is reached. Then, when the utilization drops off, conservative immediately drops all the way to the slowest speed, to step back up again if needed.
Using cpufreqd allows me to control this even more granularly, while not getting in the way of the kernel modules. My configuration uses “ondemand” when I’m plugged in, and “conservative” when I’m on battery power. The small delay in performance is worth the added minutes in battery life, especially since most of my on-battery time is very low-demand applications.
Since sometime in 2011, Ubuntu, however, has not shipped a working cpufreqd daemon – it’s apparently broken in the upstream Debian as well, and is well documented in this Launchpad bug. So I downloaded the cpufreqd-dev source package, the patch, and rebuilt cpufreqd myself. Now that it’s working, I can use the attached updated cpufreqd.conf configuration.


Both the ethernet and wireless adapters work right on first install with Kubuntu 12.10. The wireless uses the iwlwifi driver, and connects to my router at 104mbps. I’m still using the script from this post to get my MTU set to 9000, rather than 1500, for jumbo frames support when in the main office network. This has a major effect on network speed for large transfers, but most networks don’t support it.

The Wireless adapter needed no changes, and NetworkManager handles it beautifully, even when tethering to my phone.


I haven’t had any sound issues, but a few users have reported problems when using the docking station. According to this post on ThinkPad Forums, the solution is to simply edit /etc/modprobe.d/alsa-base.conf and add:
options snd-hda-intel model=thinkpad
This causes no issues on my system.


This laptop ships with two video cards, an Intel (which uses the kernel i915 driver) low-power adapter, and an Nvidia high-performance, high-power adapter. In Windows, you can click an application to switch between the two for all applications. The Nvidia adapter uses about 10W more power than the Intel card, which means using the Nvidia adapter alone halves the system’s battery life.
By default, the Ubuntu kernel enables a feature called “vgaswitcheroo” which is well documented on the Ubuntu help site. I had a hard time getting it to work with my custom kernel, though, even though it was enabled. KDE and lightdm just didn’t want to switch the laptop panel over to the Nvidia card. This *may* have something to do with my BIOS settings, which I currently can’t change due to office IT restrictions.
There is a new project called Bumblebee, which allows the user to use the Intel card, and only turn the Nvidia on for some applications. This gives the best of both worlds for power and battery savings, but is a work-in-progress, and not all applications run under Bumblebee. I’m using the Primus additions. Installation of Bumblebee is documented here, and Primus installation is documented here. I didn’t have to make any changes to get these installs working with simple applications.

VMware Workstation 9

VMware Workstation 9, however, offered some interesting challenges with Bumblebee. Out of the box, VMware Workstation 9 installed (even with my custom kernel), and ran great, but would always give a warning that 3D acceleration was not available, which I expected while using the Intel card. However, Bumblebee has some limitations which mean it can’t run VMware Workstation by default. I wrote a script to handle this, which I wrote up last night. I’m using a lot of work of others, so follow the links on that page to cmillersp’s post on the VMware Community Forums.

Encryption and Security

During installation, I chose the option to use an encrypted LVM volume. This uses DM-Crypt to encrypt the full HDD, so that it has to be unlocked at boot time. The Kubuntu installer seems to forget this fact, so it also asks you to set up ecryptfs private home directories, which is NOT necessary for a single-user laptop, since the whole OS is already encrypted. The only oddity with dm-crypt is that sometimes the splash screen prompt to unlock the computer doesn’t show. If I just wait for disk activity to disappear, and have a blank screen, I can just type the passphrase, and it’ll still unlock successfully.

I don’t have the fingerprint reader set up, but if I do, I’ll update this post.

Battery and Power Savings

First, I use the configuration in the CPU Configuration section above for cpufreqd. Then I use laptop-mode-tools to set other configuration settings. I’ve attached all the files I have modified here, and it’s fairly power-saving aggressive. The only thing I should do, but don’t, is to disable the bluetooth adapter when I’m on battery, since it uses 1W just for the adapter. However, I have bluetooth headphones and a bluetooth mouse, which is why I have the bluetooth adapter in the laptop to begin with, so disabling it removes some critical functionality. I DO have it set to autosuspend, which is a little annoying when I go back to the mouse after 5 seconds of inactivity, but the annoyance is worth the savings, especially when I’m writing a long post like this.
All of these go in /etc/laptop-mode/conf.d :

With these settings, I was able to write this whole post, with the bluetooth mouse connected, running at an average of 13.2W. In 3.4 hours (I was doing other tasks, including feeding and changing my napping baby), I used 41% of my 93.6Wh battery. If I were to take this on a plane, I’d kill the wireless and bluetooth for probably another 2W savings, but I’d do that by hand.

Kernel Configuration

I have been building a custom kernel for my laptop for about 6 years now. The default Ubuntu image uses “generic-x86_64” for the processor family, but all of my laptops are “Core2 / Newer Xeon”. Just making that single change to my kernel results in about 0.5W-1W less power consumption, due to the increased efficiency gained by the kernel knowing about the new processor registers and commands that aren’t available to older processors. This greater CPU efficiency also means lower temperatures, and therefore lower fan speed.

My kernel configuration is attached here. Build it by following the instructions at the Ubuntu Help site:

sudo apt-get install linux-kernel-devel fakeroot kernel-wedge build-essential
sudo apt-get install linux-source
sudo usermod -a -G src YOUR_USERNAME

Now log out and back in, so that you’re a member of the “src” group.

cd /usr/src
sudo chown -R $USER:src .
tar -jxf ./linux-source-3.5.0/linux-source-3.5.0.tar.bz2
ln -s linux-source-3.5.0 linux
cd linux
mv rob-config-20121204c.txt .config
make oldconfig
make menuconfig

Make any changes you want in here, then exit and save

fakeroot make-kpkg --initrd --append-to-version=.20121204c kernel_image kernel_headers

You’ll get 2 DEB files in /usr/src that you can then install and boot to. The “append-to-version” I use as a dating system for my kernels. “20121204c” means the 4th kernel attempt on December 4th, 2012, the day I received this laptop.

All Modified Files

Laptop-mode-tools config:
All of these go in /etc/laptop-mode/conf.d :
Other configs:
custom kernel .config.


Bumblebee / Primus and VMware Workstation (nvidia optimus graphics on Ubuntu)

I have a new Lenovo T430 with Nvidia/Intel hybrid graphics. The Intel card is for power saving, the Nvidia card for performance. The easiest way to handle this setup is to just choose the correct card on bootup, but this is inconvenient. Bumblebee provides a way to use the Intel card most of the time, but use the Nvidia for high-performance tasks such as games, and ONLY for those apps. Once it’s set up, it works pretty well, except for a few apps that require additional tweaking, such as Steam, or Wine.

One of the apps that requires tweaking is VMware Workstation (I’m running WKS 9). cmillersp provided a great write-up on the VMware Communities, which is what I set up on my system. VMware Workstation runs great – I can load OpenGL 3D apps in VMs and everything runs fantastic.

Except that I run VMs all the time, and using the Nvidia card all the time kills the performance benefit of the Intel card twice: once because I’m using the Nvidia card, and once again because BOTH GPUs are running at the same time. So I wanted a way to dynamically choose which card to run VMware under, based on whether I was on AC power or battery power.

The result is the attached script below, which I’ll be submitting to the Bumblebee wiki / project, as well as the VMware forums. This is version 1, which works as follows:

  1. Must be installed with “sudo ~/bin/vmware --install”, which runs cd /usr/lib/vmware/bin; mv vmware-vmx vmware-vmx.real and then creates the script at /usr/lib/vmware/bin/vmware-vmx, so that it’s a single portable script.
  2. Takes several options to force using the Nvidia card or not
  3. If no force option is applied, automatically determines AC adapter state or battery charge/discharge state
  4. Based on the above, decides whether to launch /usr/bin/vmware normally, or via the instructions from cmillersp

I’ve done some additional work to make it run via either “primusrun” or “optirun”. Optirun is much slower, but at least functional with fewer installs. I hope this is useful to someone else!

Edit: 2012-12-17 – v1.1 added gksu auto-detection
Edit: 2014-01-08 – Moved to github repo:


gdb: ptrace: Operation not permitted

I was troubleshooting a problem with some other vendor’s software tonight on a Red Hat Enterprise Linux 5.3 system. We were able to reproduce the problem in the lab, which was a huge boost to production, and insight, but we hit a wall when we got this error:

GNU gdb (GDB) Red Hat Enterprise Linux (7.0.1-42.el5)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
Reading symbols from /opt/vendor/redacted/process...(no debugging symbols found)...done.
Attaching to program: /opt/vendor/redacted/process, process 16492
ptrace: Operation not permitted.

The weird thing is that we were running gdb as root, and it was 2.6.18. In the latest Ubuntu versions, a security hardening option has been added to the kernel to limit gdb (profiling, particularly, which gdb requires) to only being run on child processes. Since this was Red Hat Enterprise Linux 5.3, it didn’t have this option.

Well, it turns out that explaining it to #gdb on Freenode pointed us to the solution: a parent process had been attached to via “strace -f”. Since only one profiling process can run on any program at one time, the parent process’s “strace”, by following all forks with the “-f”, blocked out our “gdb” from attaching to the child. Simply adding 1 line:

pkill strace
gdb /opt/vendor/redacted/process `pgrep process`

to our debugging solved the mysterious “ptrace: Operation not permitted.” error which was showing me no results in web searches. FYI: this absolutely will block gcore in the same way.
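
A way to confirm this diagnosis before killing anything, added here as an example that is not part of the original post: the TracerPid field in /proc/PID/status names the process that is already attached. The function names and the PROC_ROOT override are assumptions of this example; the Yama ptrace_scope file is the sysctl that restricts attaching to non-child processes on Ubuntu and is absent on older kernels.

```shell
#!/bin/sh
# Added example: explain why a ptrace attach (gdb, gcore, strace) is refused.
# PROC_ROOT can be overridden to run the functions against a constructed tree.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Print the PID currently tracing process $1 (0 = nobody).
# Returns non-zero if the process does not exist.
tracer_of() {
    status="$PROC_ROOT/$1/status"
    [ -r "$status" ] || return 1
    awk '$1 == "TracerPid:" { print $2; found = 1 } END { exit !found }' "$status"
}

# Print the command name of process $1 (the Name: field).
name_of() {
    awk '$1 == "Name:" { print $2 }' "$PROC_ROOT/$1/status" 2>/dev/null
}

# Print the Yama ptrace_scope value, or "absent" on kernels without it.
ptrace_scope() {
    f="$PROC_ROOT/sys/kernel/yama/ptrace_scope"
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

# One-line diagnosis for target PID $1.
# Returns 0 if nothing is attached, 1 if the PID is gone, 2 if already traced.
diagnose_attach() {
    tracer=$(tracer_of "$1") || { echo "pid $1: no such process"; return 1; }
    if [ "$tracer" -ne 0 ]; then
        echo "pid $1: already traced by pid $tracer ($(name_of "$tracer")); detach it first"
        return 2
    fi
    echo "pid $1: no tracer attached; ptrace_scope=$(ptrace_scope)"
}

# Usage: sh check-tracer.sh PID
if [ $# -ge 1 ]; then diagnose_attach "$1"; fi
```

A non-zero TracerPid that belongs to strace (or another debugger) is the situation described above; a TracerPid of 0 together with a ptrace_scope of 1 or higher points at the kernel hardening setting instead.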


PHP mail(), Apache, and SELinux (FC7)

(Originally drafted November 2nd, 2007, finally finished and posted much later)
As I posted last night, we built a new Fedora Core 7 box last night for PHP testing. Whenever at all possible, I leave SELinux enabled on new systems in Enforcing mode. Oracle 10g hasn’t had any issues with it, Oracle 11i EBusiness Suite hasn’t had any issues with it, and my NFS and FTP servers run without a hitch. The Oracle systems are RHEL4 (Red Hat Enterprise Linux 4), and the NFS and FTP servers are RHEL5.

However, this new PHP webserver caused a few glitches. I feel a little silly for not catching this as being an SELinux problem earlier, but since it’s caused 0 issues in 9 months of use in production, I didn’t even consider it initially.

What we initially saw was 0 errors from PHP – all the pages would run without error. PHP.ini has the following lines:

sendmail_from =
sendmail_path = /usr/sbin/sendmail -t -i

and testing cat mail.txt | /usr/sbin/sendmail -t -i as a non-root user delivered mail properly as well. Combine that with /var/log/maillog being completely empty for every test page loaded, and it was sure that the mail wasn’t getting TO postfix (our preferred localhost MTA).

So, I looked at the /var/log/httpd/error_log for apache and found:

sh: /usr/sbin/sendmail: Permission denied
sh: /usr/sbin/sendmail: Permission denied
sh: /usr/sbin/sendmail: Permission denied
sh: /usr/sbin/sendmail: Permission denied
sh: /usr/sbin/sendmail: Permission denied

But I knew that non-root users could access sendmail as defined in php.ini, so I finally decided to tail /var/log/messages and saw:

Nov 2 11:05:41 $(servername) setroubleshoot: SELinux is preventing the sh from using potentially mislabeled files sendmail.postfix (sendmail_exec_t). For complete SELinux messages. run sealert -l c9001c48-5d48-4b7c-9fd7-8400544daa8f

So now to fix it…
This is surprisingly simple, actually. The sad part is, we had this problem, fixed it, forgot about it, had it again, and I blogged it… and lost the post. So this has been sitting in my “drafts” folder for about 10 months now:
setsebool httpd_can_sendmail=true
service httpd restart
service postfix restart

And retry sending mail. There’s a few posts about sendmail and having to change permissions on home directories or on “”, but I use postfix, and not sendmail, so I don’t know how effective or necessary those changes are.
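
The same diagnosis can be read straight from the audit log instead of waiting for setroubleshoot. The script below is an added example, not part of the original post: it looks for AVC denials where an httpd_t process hit a sendmail_exec_t file and reports the state of the boolean. The function names and the sample log lines are constructed for this example, and the -P flag it suggests makes the boolean persist across reboots.

```shell
#!/bin/sh
# Added example: confirm that SELinux, not file permissions, is what stops
# Apache's PHP mail() from executing sendmail.

# Constructed audit.log lines for illustration (not taken from a real system).
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1193997941.101:210): avc:  denied  { execute } for  pid=2345 comm="sh" name="sendmail.postfix" dev=dm-0 ino=98311 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
type=AVC msg=audit(1193997950.330:211): avc:  denied  { read } for  pid=2350 comm="httpd" name="notes.txt" dev=dm-0 ino=77120 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=USER_AUTH msg=audit(1193997960.004:212): user pid=2400 uid=0 auid=500 msg='PAM: authentication acct="root" : exe="/bin/su" res=success'
EOF
}

# Print AVC denials where an httpd_t process touched a sendmail_exec_t file.
# $1 is an audit log, normally /var/log/audit/audit.log.
httpd_sendmail_denials() {
    grep 'avc: *denied' "$1" |
        grep 'scontext=[^ ]*:httpd_t' |
        grep 'tcontext=[^ ]*:sendmail_exec_t'
}

# Print "on" or "off" for httpd_can_sendmail, or "unknown" when getsebool
# is missing or SELinux is disabled.
sendmail_bool_state() {
    state=$(getsebool httpd_can_sendmail 2>/dev/null | awk '{ print $3 }')
    echo "${state:-unknown}"
}

# Summarise the log in $1 and suggest the persistent fix when denials exist.
check_php_mail_selinux() {
    n=$(httpd_sendmail_denials "$1" | wc -l | tr -d ' ')
    echo "denials=$n boolean=$(sendmail_bool_state)"
    if [ "$n" -gt 0 ]; then
        # -P writes the change to the policy store so it survives a reboot.
        echo "fix: setsebool -P httpd_can_sendmail on"
    fi
}
```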


(Edit: repost on 2/23/2012 because of a DB problem losing the original)
