This page lists the many little things I tweaked on my system. Consider all the pieces of scripts on this page to be under GPL v3.0.
Some of the Lenovo Thinkpad T420s have an Optimus video card, which means that they have both an Intel integrated and an nVidia graphics card. The nVidia can be switched off in the BIOS, or by software. For the latter, you first have to install a module that allows making ACPI calls, and then use a shell script as root to switch off the card.
First, install the module acpi_call.ko. You have to download it, compile it, install it in the proper directory containing the additional modules for the current kernel, and update the module dependencies. All this can be done as follows:
git clone https://github.com/mkottman/acpi_call.git
cd acpi_call
make
mkdir -p /lib/modules/$(uname -r)/extra
cp acpi_call.ko /lib/modules/$(uname -r)/extra
depmod
When this is done, you can use the script optimus-t420s.sh to switch on or off the nVidia card. This script has to be run as root, so the best is to put it in /usr/local/bin with the root as owner, and then to chmod +s it. Note that this script does not check for the presence of nvidia-related modules, and may crash your kernel if you do not take care of that yourself.
If you switch the card off and reboot under Windows, it will not be available (go figure). On my machine, I switch the card off at boot and on when rebooting, both with a script in /etc/init.d. Also, I switch it off when coming back from suspend with a script in /usr/lib/pm-utils/sleep.d/. (Update: While it works, and the card is on under Windows after reboot, the nVidia driver crashes often. So at the moment I switch off the machine and restart it instead of simply rebooting.)
Here are the two said scripts, which do a lot of other things because I am a control-freak. Please remove what is not needed and use with care.
Copy them respectively in /etc/init.d and /usr/lib/pm-utils/sleep.d/, and then run
update-rc.d fleuret-tweaks-t420s-init defaults
to set up properly the calls to the first one from the various /etc/rc?.d.
The ethernet card of the Lenovo T420s is not supported by default in Squeeze, there seem to be troubles with the Sandy Bridge chipset (resulting in kernel locks and such), and xorg performance is awful.
All this can be fixed by upgrading to a more recent kernel and xorg, which can be done simply by using the wonderful back-port repository of Debian. This repository contains recent versions of certain packages, compiled for Squeeze, which lets you have a "bleeding edge" kernel and xorg without messing up your whole installation by hand.
In practice, since the ethernet card was not operational, you have to download the kernel packages linux-image-2.6-amd64, linux-headers-2.6.39-bpo.2-common, and linux-headers-2.6.39-bpo.2-amd64, save them on a usb key, and install them with dpkg. From there, you simply have to add
deb http://backports.debian.org/debian-backports squeeze-backports main contrib non-free
deb-src http://backports.debian.org/debian-backports squeeze-backports main contrib non-free
to /etc/apt/sources.list, and then
aptitude update
aptitude -t squeeze-backports install xserver-xorg-video-intel xserver-xorg
and you are done. You can also install similarly all the packages related to the kernel (source, headers, etc). I also have
Option "AccelMethod" "xaa"
in the "Device" section of my /etc/X11/xorg.conf, and it seems that it matters.
The USB tethering with my HTC desire was working perfectly well under Linux until I installed Cyanogen 6.1.1. With it, while I could still see the USB device appearing in the logs when I switched on the USB tethering, the network interface was not appearing anymore.
To fix that, I had to install new versions of a few modules, following these instructions. In a nutshell: download http://downloads.sourceforge.net/synce/usb-rndis-lite-0.11.tar.gz, compile and install the modules.
The getmail command is a very convenient method to fetch mail from an IMAP or POP3 account. However, it does not include a canonical way to prevent several instances from running simultaneously.
The script withlock.sh below can be used to execute a command with a lockfile. Simply call it with the original command and its arguments as arguments.
#!/bin/bash
# This command allows to call another command with a lockfile to avoid
# concurrent executions for the same user.
set -e
if [[ ! $1 ]]; then
    echo "withlock.sh <command> [command args]"
    exit 0
fi
# One lockfile per command path and per user
LOCKFILE=/tmp/lock$(which "$1" | sed -e "s:/:-:g").${USER}
# With noclobber (set -C) the redirection fails if the file already
# exists. The test is done in the "if" itself, since with "set -e" a
# failing command followed by a test on $? would end the script before
# the message is printed.
if ! (set -C && : > "${LOCKFILE}") 2> /dev/null; then
    echo "Lockfile ${LOCKFILE} exists." >&2
    exit 1
fi
trap 'rm "${LOCKFILE}"' EXIT
# "$@" keeps arguments containing spaces intact
"$@"
Getmail is a nice alternative to the infamous fetchmail to fetch mails from a POP3 or IMAP account. However, my own configuration uses sendmail locally (the postfix sendmail command in my case), and an exotic error showed up that I remember I met already a decade ago. The problem is that sendmail by default interprets a line containing a single dot as an end-of-mail. Hence, you have to pass it the -i option to prevent this.
So finally, for an IMAP account through SSL (encrypted connection) you should have a configuration file, for instance in ~/.getmail/something_dot_com
[retriever]
type = SimpleIMAPSSLRetriever
server = imap.something.com
username = myusername
password = mypassword
[options]
delete = true
[destination]
type = MDA_external
path = /usr/sbin/sendmail
arguments = ("-bm", "-i", "-f", "%(sender)", "fleuret")
and then invoke getmail with
getmail --getmaildir $HOME/.getmail -r something_dot_com
If you do have a server with an open ssh port, you may have noticed heavy brute-force attacks which result in the sshd process taking a noticeable amount of CPU and the /var/log/auth growing.
To limit the effect of such attacks, I combined two simple measures. The first one is to add in the firewall three rules to forbid more than four connections to the sshd server on port 22 in less than a minute from the same IP. For that, I have the following firewall in my /etc/init.d/ffboot.sh, which is linked from /etc/rc2.d/S30ffboot.sh (only the lines with --dport 22 are related to ssh):
# Reset all the rules
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
# Allow everything from the lo
iptables -A INPUT -i lo -j ACCEPT
# Drop spoofing of the localhost on any other interface
iptables -A INPUT -s 127.0.0.0/255.0.0.0 -j DROP
# Drop packets on the ssh port if there were more than four connections
# established on that port from that IP in the last minute
iptables -A INPUT -i eth0 -p tcp \
    -m tcp --dport 22 \
    -m state --state NEW \
    -m recent --update --seconds 60 --hitcount 4 --name DEFAULT --rsource \
    -j DROP
# Memorize the IP if the packet was not dropped and a connection is
# established
iptables -A INPUT -i eth0 -p tcp \
    -m tcp --dport 22 \
    -m state --state NEW \
    -m recent --set --name DEFAULT --rsource
# And let the packet go in
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# Accept all tcp traffic on the user ports
iptables -A INPUT -p tcp -m tcp --dport 1024:65535 -j ACCEPT
# Same for udp
iptables -A INPUT -p udp -m udp --dport 1024:65535 -j ACCEPT
# Accept icmp echo reply, destination unreachable and time exceeded
iptables -A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
# Accept traffic from the lan
iptables -A INPUT -s 192.168.1.0/255.255.255.0 -i eth0 -j ACCEPT
# Drop all other attempts at establishing a tcp connection
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DROP
# Drop all other udp packets
iptables -A INPUT -p udp -j DROP
# Drop all other icmp packets
iptables -A INPUT -p icmp -j DROP
The second measure is to run every day the ffboot.sh script above to reset the firewall, and to run every 5 minutes the script block-brute-ssh.sh given below, which parses the /var/log/auth and adds specific dropping rules in the firewall to block IPs with failed attempts on unknown logins (note that I have only fleuret as allowed login on my box).
#!/bin/bash
LOG_FILE=/var/log/auth.log
ACCEPTED_LOGIN=fleuret
for ip in $(grep 'Failed password' "${LOG_FILE}" | grep -v "${ACCEPTED_LOGIN}" | awk '{print $13}' | sort | uniq); do
    # $13 is the source IP only on "invalid user" lines, so skip
    # anything that is not a dotted quad
    [[ $ip =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]] || continue
    # grep -x -F compares the whole address literally, not as a regexp
    if ! /sbin/iptables -L -n | grep DROP | awk '{print $4}' | grep -qxF "${ip}"; then
        if [[ $ip =~ ^127\.0\.0\.1 ]]; then
            logger "$0: $ip is the localhost, do not block."
        elif [[ $ip =~ ^192\.168\.1\. ]]; then
            logger "$0: $ip is from the LAN, do not block."
        else
            /sbin/iptables -I INPUT -s "${ip}" -j DROP
            logger "$0: iptables -I INPUT -s ${ip} -j DROP"
        fi
    fi
done
So I end up with the two following lines in /etc/crontab:
*/5 * * * * root /usr/local/bin/block-brute-ssh.sh
2 3 * * * root /etc/init.d/ffboot.sh
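An added example, not part of the original scripts: block-brute-ssh.sh takes the address from a fixed field ($13), which is the source IP only on "invalid user" lines, and the user name written to the log is text supplied by the remote client. The sketch below reads the address by counting fields from the end of the line instead; the function names and the sample log lines (documentation address ranges) are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the source IPs of failed sshd password attempts.
# Fields are counted from the END of the line, so whatever the user
# name contains cannot shift the position of the address.

# Constructed sample lines, not real logs.
sample_log() {
cat <<'EOF'
Mar  3 10:00:01 box sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2
Mar  3 10:00:05 box sshd[1002]: Failed password for root from 198.51.100.9 port 51234 ssh2
Mar  3 10:00:09 box sshd[1003]: Failed password for fleuret from 198.51.100.20 port 40100 ssh2
Mar  3 10:00:12 box sshd[1004]: Failed password for invalid user x from 192.0.2.55 from 203.0.113.99 port 40023 ssh2
Mar  3 10:00:15 box sshd[1005]: Failed password for invalid user test from 192.168.1.14 port 40200 ssh2
Mar  3 10:00:20 box sshd[1006]: Accepted password for fleuret from 198.51.100.20 port 40101 ssh2
EOF
}

# Usage: failed_ips ALLOWED_LOGIN < auth.log
# Prints each offending address once, in order of first appearance.
failed_ips() {
    awk -v allowed="$1" '
    function valid_ipv4(s,   o, i) {
        if (split(s, o, ".") != 4) return 0
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9][0-9]?[0-9]?$/ || o[i] + 0 > 255) return 0
        return 1
    }
    {
        # The syslog header (date, host, sshd[pid]:) is written locally
        mark = "]: Failed password for "
        p = index($0, mark)
        if (p == 0 || $5 !~ /^sshd\[[0-9]+\]:$/) next
        # Expected ending: from <ip> port <n> ssh2
        if (NF < 14 || $NF != "ssh2" || $(NF-2) != "port" || $(NF-4) != "from") next
        ip = $(NF-3)
        if (!valid_ipv4(ip)) next
        # Everything between the marker and that ending is the user name
        tail = " from " ip " port " $(NF-1) " ssh2"
        rest = substr($0, p + length(mark))
        if (length(rest) <= length(tail)) next
        if (substr(rest, length(rest) - length(tail) + 1) != tail) next
        user = substr(rest, 1, length(rest) - length(tail))
        sub(/^invalid user /, "", user)
        # Exact comparison, unlike a substring match on the whole line
        if (user == allowed) next
        # Same exclusions as the original script: localhost and the LAN
        if (ip ~ /^127\./ || ip ~ /^192\.168\.1\./) next
        if (!(ip in seen)) { seen[ip] = 1; print ip }
    }'
}

sample_log | failed_ips fleuret
```

On the fourth sample line a fixed field index returns the address embedded in the user name, and on the second one it returns the port number; counting from the end returns the connecting address in both cases.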
I recently bought a Norhtec MicroClient Jr. DX (also known as the eBox-3300), a low-power fanless PC. The problem is that this beast has a Vortex86DX CPU, which requires a tailored Linux kernel. In practice, I could not even boot with the Lenny net-install CD.
So I used qemu on my laptop to install the system with an exotic kernel on a SD card, and used that SD card as the main hard disk on the MicroClient. This is a simple and general procedure to deal with exotic hardware when you need to tailor the installation before you can even boot the machine with it.
To do so:
wget http://cdimage.debian.org/debian-cd/5.0.2/i386/iso-cd/debian-502-i386-netinst.iso
qemu -hda /dev/sdb -cdrom debian-502-i386-netinst.iso
wget ftp://ftp.icop.com.tw/upload/Shawn/linux-image-2.6.27.9-vortex86dx_2.6.27.9-vortex86dx_i386.deb
dpkg -i linux-image-2.6.27.9-vortex86dx_2.6.27.9-vortex86dx_i386.deb
and shut down qemu.
You may run into trouble if for some reason the device corresponding to the SD card in qemu is not the same as the one in the MicroClient. In such a case, the /etc/fstab will be incorrect. To solve the problem, you can either mount the SD card and edit the fstab by hand afterward, or run qemu with adequate parameters so that this does not happen in the first place.
Also, you can compile your own kernel for Vortex86DX:
wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.29.3.tar.bz2
tar jxvf linux-2.6.29.3.tar.bz2
wget http://fleuret.org/francois/files/config-2.6.29.3-vortex86dx-g4e8c2a0-dirty
cp config-2.6.29.3-vortex86dx-g4e8c2a0-dirty linux-2.6.29.3/.config
cd linux-2.6.29.3
make-kpkg clean
make-kpkg --initrd kernel_image kernel_headers
There were two problems with my X61s when going to suspend-to-ram on Debian stable (Lenny). The first was a USB hub which would make the laptop resume (no idea why, probably a bug in the hub, see below), the second was the hard disk power management which would systematically switch to an aggressive mode. I did not install laptop-mode-tools, which is a bag of hurt as far as I can tell.
So, I ended up with only the acpi-related packages and pm-utils, I removed all the /etc/acpi/*/90-hdparm.sh which insist on changing the settings of my hard disk, and added the following in /usr/lib/pm-utils/sleep.d/50fleuret-tweaks.
#!/bin/bash
case "$1" in
    hibernate|suspend)
        # To prevent my usb hub from awaking
        for i in /sys/bus/usb/devices/*/power/wakeup; do
            if [[ $(cat "$i") == "enabled" ]]; then
                echo disabled > "$i"
            fi
        done
        ;;
    thaw|resume)
        # Forces a less aggressive hard-disk power management
        for dev in /dev/sd? /dev/hd? ; do
            if [ -b "$dev" ] ; then
                hdparm -B 254 "$dev"
            fi
        done
        # To avoid usb_hcd_poll_rh making lots of wakes up
        for i in /sys/bus/usb/devices/*/power/wakeup; do
            if [[ $(cat "$i") == "disabled" ]]; then
                echo enabled > "$i"
            fi
        done
        ;;
    *)
        exit $NA
        ;;
esac
Among many magical things they can do, USB devices can wake up a computer. This is of major importance for instance to allow the user to resume his PC by pressing a key on a USB keyboard.
However it may be a nuisance. For instance you may not want the plugging/unplugging of the mouse to wake up your PC, or in my case, an USB hub to do it 5s after the PC goes to suspend (even if no device is connected to the said hub, go figure).
The solution to the problem is simple, you just have to put the
value disabled into the
adequate /sys/bus/usb/devices/.../power/wakeup
(see power-management.txt
for more details).
The usual way to describe a volume in /etc/fstab
consists of specifying a device such as /dev/sda1 which
corresponds to a certain partition of a certain hard disk.
It may be useful to mount a USB disk at the same location, whatever
the device it appears on may be. The simplest way is to use the
links present in /dev/disk/by-id thanks
to udev.
For instance, my /etc/fstab contains the
following:
/dev/disk/by-id/usb-SAMSUNG_SP2514N_10000E000CCD3357-0:0-part1 /mnt/backup.1 ext3 user,noauto 0 0
/dev/disk/by-id/usb-Hitachi_HTS543216L9SA00_00E0010367D45-0:0-part1 /mnt/backup.encrypted.1 ext3 user,noauto,encryption=aes 0 0
which states that the first partition of a certain Samsung USB disk
I own has to be mounted on
/mnt/backup.1, while the first partition of a certain
Hitachi USB disk (which is encrypted with AES) has to be mounted
on /mnt/backup.encrypted.1.
A very fast key repeat frequency (100 per second or so) does not work well with Emacs + xft + fontlock. Often the cursor disappears while it is moving. This is due to a default setting of Emacs which stops refreshing the display if there are inputs waiting to be processed, which happens when the display is too slow. To prevent this from happening, just add
(setq redisplay-dont-pause t)
This script emacs-cvs-in-debian.sh is strongly inspired by this help and installs emacs CVS in a Debian system. It also registers that new version of emacs as an alternative so that all related Debian packages (vm, bbdb, etc.) will be compiled and installed for it. Just run as root
emacs-cvs-in-debian.sh download compile install
to download the cvs version, compile it (note that this is a pretty dry configuration without gtk and other fancy stuff) and install it, or
emacs-cvs-in-debian.sh deinstall remove
to remove the alternatives from your Debian system and remove the files. Note that if you use only deinstall (without remove), you can install again without downloading and compiling.
Emap is a nice
little application which associates keystrokes to commands. I use it
with a remapping of my caps-lock key to mod5 (who uses caps-lock?). To
remap your caps-lock to mod5 and to start emap, just add in your
.xinitrc (or .xsession – or whatever
people use these days):
xmodmap -e "remove Lock = Caps_Lock"
xmodmap -e "add mod5 = Caps_Lock"
emap
To configure caps-lock+E for emacs, caps-lock+M for firefox and
caps-lock+S for an xterm, put in your
~/.emap.d/use.emap:
key <mod5-e> {
string "" exec emacs &
}
key <mod5-m> {
string "" exec firefox &
}
key <mod5-s> {
string "" exec xterm &
}
If you need to install Debian on a laptop without optical drive,
the most convenient solution consists of using a USB stick. Here is a
procedure to create such a bootable USB stick with a debian installer
on it. The device here is /dev/sdb and you have to be
root to do most of the operations below. Please note that the
procedure, as described, will erase the content of the
key.
wget http://cdimage.debian.org/debian-cd/5.0.2/i386/iso-cd/debian-502-i386-netinst.iso
wget http://ftp.debian.org/debian/dists/lenny/main/installer-i386/current/images/hd-media/boot.img.gz
dd if=/dev/zero of=/dev/sdb bs=1M count=100
/dev/sdb1
later (note that the key I use everyday has a first 3.5G FAT16
partition, followed by the Linux install partition)
fdisk /dev/sdb
n [enter]
p [enter]
1 [enter]
[enter]
+256M [enter]
a [enter]
1 [enter]
w [enter]
install-mbr /dev/sdb
zcat boot.img.gz > /dev/sdb1
mount /dev/sdb1 /mnt/key
cp debian-502-i386-netinst.iso /mnt/key/
umount /mnt/key
You are done.
It appears that recent versions of XTerm (i.e. more recent
than 10 years I presume) can handle more than 8 or 16 colors. To make
the magic happen, you just need a correct XTerm version (mine is
version 228-1 of the debian package), the ncurses-term
package so that the terminal xterm-256color is defined,
and to set the TERM environment variable precisely to
xterm-256color. Then, under emacs, load xterm-256color.el
so that the usual colors are defined.
As you may have noticed, when running Emacs in an XTerm, most of the sophisticated key combinations (ctrl-page up, ctrl-backspace, etc.) are not available. This is a problem if you are working through a remote console, or if you want to enjoy the beauty and speed of an anti-aliased xterm (as a matter of fact, I now use emacs 23.1.1 with the Vera Sans Mono font, and I can say that my life is perfect).
I do not know what the normal way of dealing with that issue is, and a bit of web-surfing on the topic left me feeling that there are as many solutions as people who tried to solve the problem. However, I could not find how to have all the keys I needed to work.
Hence, here is my – pretty violent – way of fixing the
problem: I heavily hack the .Xresources with what
follows, so that XTerm will send a specific code for every key I
need. This is a bit ugly, since I picked some sequences arbitrarily,
and they may have already been defined in the VT-something
specification. However it is pretty easy to fix this if there are
conflicts.
The character '^[' can be typed under emacs with
C-q C-Esc, '^?' with C-q
C-Backspace and '^_' with C-q
C-_.
XTerm.VT100.translations: #override\n\
<Btn4Down>,<Btn4Up>:scroll-back(2,line)\n\
<Btn5Down>,<Btn5Up>:scroll-forw(2,line)\n\
Ctrl<Btn4Down>,Ctrl<Btn4Up>:scroll-back(1,page)\n\
Ctrl<Btn5Down>,Ctrl<Btn5Up>:scroll-forw(1,page)\n\
Shift<Btn4Down>,Shift<Btn4Up>:scroll-back(1,halfpage)\n\
Shift<Btn5Down>,Shift<Btn5Up>:scroll-forw(1,halfpage)\n\
Alt<KeyPress>:insert-eight-bit()\n\
!Shift<Key>BackSpace: string("^?")\n\
Ctrl<Key>BackSpace: string("^[OZ")\n\
Shift<Key>Prior: string("^[[5;2~")\n\
Shift<Key>Next: string("^[[6;2~")\n\
Shift Ctrl<Key>]: string("^[O}")\n\
Shift Ctrl<Key>[: string("^[O{")\n\
Shift Ctrl<Key>/: string("^[O?")\n\
Ctrl<Key>/: string("^[O/")\n\
Shift Ctrl<Key>=: string("^[O+")\n\
Ctrl<Key>=: string("^[O=")\n\
Shift Ctrl<Key>;: string("^[O:")\n\
Ctrl<Key>;: string("^[O;")\n\
Shift Ctrl<Key>`: string("^[O~")\n\
Ctrl<Key>`: string("^[O`")\n\
Shift Ctrl<Key>': string("^[O\\\"")\n\
Ctrl<Key>': string("^[O'")\n\
Shift Ctrl<Key>.: string("^[O>")\n\
Ctrl<Key>.: string("^[O.")\n\
Shift Ctrl<Key>\\\\: string("^[O|")\n\
Shift Ctrl<Key>-: string("^_")\n\
Ctrl<Key>-: string("^[O-")\n\
Shift Ctrl<Key>\\,: string("^[O<")\n\
Ctrl<Key>\\,: string("^[O,")
Then, add the correct decoding of the sequences in the
.emacs file. For instance with:
(unless window-system
(set-terminal-coding-system 'iso-latin-1)
(define-key function-key-map "\e[2~" [insert])
(define-key function-key-map "\e[Z" [S-iso-lefttab])
(define-key function-key-map "\e[1;2A" [S-up])
(define-key function-key-map "\e[1;2B" [S-down])
(define-key function-key-map "\e[1;2C" [S-right])
(define-key function-key-map "\e[1;2D" [S-left])
(define-key function-key-map "\e[1;2F" [S-end])
(define-key function-key-map "\e[1;2H" [S-home])
(define-key function-key-map "\e[2;2~" [S-insert])
(define-key function-key-map "\e[5;2~" [S-prior])
(define-key function-key-map "\e[6;2~" [S-next])
(define-key function-key-map "\e[1;2P" [S-f1])
(define-key function-key-map "\e[1;2Q" [S-f2])
(define-key function-key-map "\e[1;2R" [S-f3])
(define-key function-key-map "\e[1;2S" [S-f4])
(define-key function-key-map "\e[15;2~" [S-f5])
(define-key function-key-map "\e[17;2~" [S-f6])
(define-key function-key-map "\e[18;2~" [S-f7])
(define-key function-key-map "\e[19;2~" [S-f8])
(define-key function-key-map "\e[20;2~" [S-f9])
(define-key function-key-map "\e[21;2~" [S-f10])
(define-key function-key-map "\e[1;5A" [C-up])
(define-key function-key-map "\e[1;5B" [C-down])
(define-key function-key-map "\e[1;5C" [C-right])
(define-key function-key-map "\e[1;5D" [C-left])
(define-key function-key-map "\e[1;5F" [C-end])
(define-key function-key-map "\e[1;5H" [C-home])
(define-key function-key-map "\e[2;5~" [C-insert])
(define-key function-key-map "\e[5;5~" [C-prior])
(define-key function-key-map "\e[6;5~" [C-next])
(define-key function-key-map "\e[1;9A" [M-up])
(define-key function-key-map "\e[1;9B" [M-down])
(define-key function-key-map "\e[1;9C" [M-right])
(define-key function-key-map "\e[1;9D" [M-left])
(define-key function-key-map "\e[1;9F" [M-end])
(define-key function-key-map "\e[1;9H" [M-home])
(define-key function-key-map "\e[2;9~" [M-insert])
(define-key function-key-map "\e[5;9~" [M-prior])
(define-key function-key-map "\e[6;9~" [M-next])
;; The following ones are not standard
(define-key function-key-map "\eO}" (kbd "C-}"))
(define-key function-key-map "\eO{" (kbd "C-{"))
(define-key function-key-map "\eO?" (kbd "C-?"))
(define-key function-key-map "\eO/" (kbd "C-/"))
(define-key function-key-map "\eO:" (kbd "C-:"))
(define-key function-key-map "\eO;" (kbd "C-;"))
(define-key function-key-map "\eO~" (kbd "C-~"))
(define-key function-key-map "\eO`" (kbd "C-\`"))
(define-key function-key-map "\eO\"" (kbd "C-\""))
(define-key function-key-map "\eO|" (kbd "C-|"))
(define-key function-key-map "\eO'" (kbd "C-'"))
(define-key function-key-map "\eO>" (kbd "C->"))
(define-key function-key-map "\eO." (kbd "C-."))
(define-key function-key-map "\eO<" (kbd "C-<"))
(define-key function-key-map "\eO," (kbd "C-,"))
(define-key function-key-map "\eO-" (kbd "C--"))
(define-key function-key-map "\eO=" (kbd "C-="))
(define-key function-key-map "\eO+" (kbd "C-+"))
(define-key function-key-map "\eOZ" [C-backspace])
)
You can easily add other key sequences that are not already dealt with here.
Use
xrdb ~/.Xresources
to reload the content of the X-window resource manager properly, and re-start an xterm, for instance with
xterm -geometry 155x55 -fa dummy -fs 11 -u8 -e emacs -nw &
This is not really a glitch-fixing. I battled for half an hour with the zillions of video grabbers I could find under Debian to grab my webcam, and nothing worked. Finally VLC did the trick with a pretty hairy list of arguments.
vlc v4l:/dev/video:size=320x240 --sout \
"#transcode{vcodec=mp4v,vb=1024,scale=1,acodec=mpga,ab=192,channels=2}:duplicate{dst=display,dst=std{access=file,mux=mov,dst=\"/tmp/webcam.mov\"}}"
Unless you add the option shortname=mixed when
mounting a vfat partition, all filenames shorter than 8 characters +
extension will be encoded in upper-caps. Thus, I have for my USB key
the following in /etc/fstab
/dev/sda1 /key vfat user,noauto,uid=fleuret,gid=fleuret,noatime,shortname=mixed,fmask=133,dmask=022 0 0
With some old kernels, when coming back from suspend under X, the
screen remained black. To prevent this, I have to pass the
acpi_sleep=s3_bios option to the kernel at boot. Thus, my
/boot/grub/menu.lst contains
title Linux 2.6.17
root (hd0,1)
kernel /boot/bzImage-2.6.17 vga=834 acpi_sleep=s3_bios
boot