Tracebacks and coredumps are computer generated, which makes them more accurate then error messages, but harder for humans to understand. Error messages however are put in place by the programmer which means they can occasionally be misleading, inaccurate, ambiguous or just plain wrong. This is not always the programmers fault, sometimes its hard to describe exactly what went wrong. Other times the error describes the situation perfectly, but the sysadmin jumps to a different conclusion based on his circumstances.

Example

Some time ago we had some users complaining about a problem when trying to use X Forwarding via SSH. On this server /home was mounted off a Novell NetWare NFS share. They were getting the following output and were unable to run X11 applications.

[code]xauth: error in locking authority file /home/daniel/.Xauthority[/code]

Seeing this error I assumed that something was going wrong with the locking mechanism of NFS. I tried mounting the NFS share with the explicit lock option, but the same error remained. I tried explicitly giving the sync option too, but to no avail. I ended up trying many different NFS options until eventually I gave up and asked the Novell administrators to check their servers. I was convinced that something on their end was causing this locking error.

The Novell administrator responded that they could see nothing wrong on their end. This must mean that something was wrong on our side. I tried restarting the nfsstad and lockd initscripts and the whole machine but once again the same issue persisted. I checked the server using the rpcinfo command, which showed that everything was working fine. I even connected to the daemon using telnet (though I couldn’t talks its language) and confirmed a firewall was not in the way.

I thought that maybe there was something going wrong in the interaction between the client and the server, so I ran a tcpdump to capture all the packets transferred between them. this is where I made a small breakthrough. I found a NFS reply that had returned with SERVFAIL and error code 526. Googling for this error and Netware generally pointed towards a problem with character sets not getting preserved to the Novell server. There was nothing but ordinary characters on the filesystem, so much for that idea.

I wanted to know exactly what was happening when xauth was trying to lock the file, so I did an strace on it. Here are the last few lines (after xauth mmaped its libraries).:

[code]stat("/home/e71377/.Xauthority-c", {st_mode=S_IFREG|0600, st_size=0, ...}) = 0
unlink("/home/e71377/.Xauthority-c") = 0
unlink("/home/e71377/.Xauthority-l") = -1 ENOENT (No such file or directory)
open("/home/e71377/.Xauthority-c", O_WRONLY|O_CREAT|O_EXCL, 0600) = 3
close(3) = 0
link("/home/e71377/.Xauthority-c", "/home/e71377/.Xauthority-l") = -1 ESERVERFAULT (Unknown error 526)
write(2, "xauth: error in locking authori"..., 65xauth: error in locking authority file /home/e71377/.Xauthority
) = 65
exit_group(1) = ?[/code]

So it appears that this was not a file locking problem at all. xauth was successfully creating the files but it failed when it tried to create a hardlink. Reviewing the code for libXau (AuLock.c) revealed exactly why:

[code lang="c"] while (retries > 0) {
if (creat_fd == -1) {
creat_fd = open (creat_name, O_WRONLY | O_CREAT | O_EXCL, 0600);
if (creat_fd == -1) {
if (errno != EACCES)
return LOCK_ERROR;
} else
(void) close (creat_fd);
}
if (creat_fd != -1) {
#ifndef X_NOT_POSIX
/* The file system may not support hard links, and pathconf should tell us that. */
if (1 == pathconf(creat_name, _PC_LINK_MAX)) {
if (-1 == rename(creat_name, link_name)) {
/* Is this good enough? Perhaps we should retry. TEST */
return LOCK_ERROR;
} else {
return LOCK_SUCCESS;
}
} else {
#endif
if (link (creat_name, link_name) != -1)
return LOCK_SUCCESS;
if (errno == ENOENT) {
creat_fd= -1; /* force re-creat next time around */
continue;
}
if (errno != EEXIST)
return LOCK_ERROR;
#ifndef X_NOT_POSIX
}
#endif
}
(void) sleep ((unsigned) timeout);
--retries;
}[/code]

xauth isn’t trying to lock the file through flock() or another file locking method, which means that it is not the cause. Instead xauth is creating a file, and then to make sure it is the only program altering .Xauthority it creates a link. If the link succeeds then its the only program, if not then another program has the lock. The problem happens when xauth tries to make the hardlink. Interestingly there is a fallback for non-POSIX systems, but as RHEL is POSIX compatible it is not used.

It appeared that the NFS server did not support hard links. To test this theory I created several files, and attempted to create hard links using ‘cp -l file1 file2′. and they failed in the exact same way. All I had to do now was explain to the Novell Administrator that the problem was not locking, and was in fact that we were mounting a filesystem which did not support hard links on a POSIX compatible system. The Novell share was changed to support hard links (don’t ask me how, I’m not a Novell guy) and everything was working again.

Conclusion

The lesson to take away from here is not that hardlinks are required on POSIX, or that xauth doesn’t use file locking but locks itself via a dance of hardlinks. The lesson here is that you should never trust error messages. Take them as a hint, use them as a starting point but do not take them as law. You need to remember that the error message was written by a human and you may not be interpreting it how it was written.

Google recently released a chunk of code in the form of an Apache module. The idea is that you install it in your Apache server, it sits in between your application and the web browser and modifies the served requests to make the page load faster.
It does this by using combinations of filters, some are well known best practices, others are newer ideas. For example on filter simply minifies your JavaScript while another embeds small images in a page using data-uris. The changes these filters make range from low risk, to high risk. It should be noted that not all the filters will improve the page time some even making pages slower in some cases.

So what’s the issue?

The issue here really isn’t mod_pagespeed, but it’s the way people are viewing it. In my job as a Web Performance Engineer I have had several people recently say to me “let’s put mod_pagespeed on our web server to make it faster”. This is a break from normal attitudes, if someone were to to say “we should put our images into data-uris” then people would question the speed benefit, or the extra load on the server. For some reason when Google implement a page speed module people just assume that it will make their page faster, and that it will work in their environment. The truth is that Google really have no idea what the module will do to your page.

The second issue is that all these tweaks can usually be better implemented at the application level. If you minimize all your JavaScript as part of your build process then the web server will not have to do it for you. The same applies to data-uris. If they are simply part of the page then the browser doesn’t need to read in the extra image, uuencode it, then compress it. All that is quite a lot of work, which only really needs to be done once.

So what should I use mod_pagespeed for then?

You don’t always have access to the application code. If you are using third party software then before mod_pagespeed you may have had no control over the minification of CSS. This is where the module really shines. It gives you a layer between the application code and the web browser where you can apply all sorts of performance tuning.

The other advantage I can see is for looking for the best tunings to apply to your application quickly. You can setup mod_pagespeed and and run experimental tests with the filters on of and with a control to quickly figure out what rules you should apply in your application.


# echo 1 > /proc/sys/kernel/sysrq
# echo b > /proc/sysrq-trigger


Of course the disk errors meant that it was unable to boot but ‘The Big Hammer’ struck me as something extremely useful.

To attempt to rectify this SPF was created. To setup SPF you add either a TXT or an SPF record to the DNS zone you will be sending from. This record defines which servers are allowed to send mail that is coming from that domain. So on my domain danielhall.me I could publish an SPF record that says only my mail server is allowed to send mail that ends in @danielhall.me. Any mailservers receiving mail that is from my domain but not coming from an address listed in my SPF record can see that the mail is likely forged and throw it away. SPF works well in most situations but fails at a very common use case. If someone I send mail to tries to forward it to another address using an automatic process (no clicking forward in their client) then the mail will appear to come from my domain when it gets to the user it was forwarded to, however it will have came from the original recipients mailserver.

DKIM solves this problem by giving each sending mailserver a cryptographic key pair. The public keys is then published in a DNS record in that zone and stores the private key somewhere safe on the server. The server then proceeds to sign the headers (especially the From: header) and the body of all outgoing emails. This signature is then attached to the email as an extra header. When the receiving server get the email it gets the signature and uses that along with the list of signed headers to verify the signature against the public key of the signing domain. This means as long as the mail has passed through an authorised mailserver at any point it will be considered valid.

Setting up a DKIM is relatively simple process. You will need access to the  zone records for your domain and access to the configuration of all the mailservers which all mail originating at your domain passes through. You also need to be aware that signing mail makes it slightly more processor intensive to send an email. If you send a large amount of email this difference could be quite significant. If you’re using sendmail you may be able to alleviate it by switching to a less resource hungry MTA like Exim. You should also note that in some configurations DKIM can not be setup. For example if you use masquerading in sendmail DKIM will always fail as sendmail will modify the from header after signing.

Ultimately DKIM is a good move for the internet community at large, especially when combined with SPF. DKIM mail is assured to come from the sender and can be cryptographically proven so. While it does take more take a little more effort to setup and maintain it assures mail from your domain is secure and can be assured to have come from you or your company. Ultimately DKIM can protect your company against phishing attempts and boost your spam scores.

Random thought: What would Email look like if it were designed today?

Physically

The phone is still in good physical condition, which is more than I could have said about my old XDA Atom Flame after six months. There are a few scratches on the screen, but I bought a screen protector for it so I can simply peel them off. Surprisingly the various crevices on the phone have avoided build ups of dust which commonly plagues my phones. The battery is beginning to fade, and can only last me around 12 hours with my ordinary usage (which is probably considered heavy usage). This makes weekends away from home interesting as I have to avoid using my phone to stretch the battery over 24 hours.

When I first got the phone I expected that the keyboard keys would fade, or that the keyboard snap mechanism would somehow break. I was wrong, the keys are still as visible as when I first got it, and the snap mechanism still works perfectly.

The OS

In the time I’ve had this phone Android has gone from 1.1 to 2.0. Sadly there haven’t been any official new releases of the phone software. There have however been releases of the well known mod for this phone called ‘CyanogenMod’. Currently CyanogenMod is at Android version 1.5 with parts of 2.0 ported across.

Since the first week I had the phone I’ve been using CyanogenMod and have seen the improvements in it take it from strength to strength. Originally it looks almost the exact same as the original OS but now it includes several features that I could not live without. My favorites would be:

• Tethering to my Linux PC
• OpenVPN settings
• 360 degree rotation
• Improved contacts screen with direct call links
• Voice Search

The Applications

Like any mobile OS the best part is the applications. This is where an OS either make it or breaks it. While Google have been constantly improving the Android platform old apps have remained around and stayed compatible with the phone. Google has also held two developer competitions during the time I’ve had the phone which has brought loads of new apps and innovation. So as each application is its own entity I’m going to review my favorites separately.

Google Maps

When I got the phone Google Maps was simply a map, with limited search capability and able to give directions. Since then however Google have added Street View, Navigation (US Only sadly), Buzz and much better searching. For something I used once a month I now use it almost daily.

ConnectBot

One of the reasons I went for a phone with a hardware keyboard was to make SSHing into my Linux machines easier. ConnectBot handles this perfectly. I cannot stress enough how useful this application is. Recently it has been improved to include support for SSH agents too which improved things even further.

My Tracks

As someone who enjoys hiking and walking having a GPS logger can be extremely useful. My Tracks basically turns your Android phone into a GPS logger and displays the data for you on a map. It also allows you to export the logs in popular formats or simply upload them to My Maps on Google. It can also graph your elevation, speed and display interesting statistics.

Conclusion

All up I still enjoy this phone, and still use it daily. I am looking at moving to either an N900 or the Google Nexus One next. I haven’t moved because the N900 has been having trouble with the USB connectors breaking off, and the Nexus One is too expensive to import into Australia. I doubt I’ll be moving to another phone any time soon and this phone doesn’t look like it will give out any time in the near future.

Random Thought: What is the cell phone market going to look like five years from now? And where the hell is my wristwatch phone?

I bought mine two weeks ago and it has completely replaced my Windows Mobile phone to the point where I actually gave it away. The main issues that I have with Windows Mobile was the instability and the difficult to use interface. This new phone was a breath of fresh air. Amazingly when I was testing it out with the seller it received a weeks worth of SMSes indicating that my Windows Mobile phone had stopped accepting them.

I opted for the T-Mobile option. Mainly because I found one cheap on eBay but also because I knew of an exploit to easily get root, flash a new bootloader and install whatever OS I wanted. I knew with almost absolute certainty that I would want to be able to play with root access to the OS. I could have went with the HTC Hero or Magic (the successors to the G1) but I liked the idea of the flip out keyboard way too much.

The G1 is easy to use without a stylus, in fact it won’t work with a stylus as is uses a capacitive touch screen. This means all the applications, the keyboard and the core OS are designed with that in mind. While I could use my old phone with my thumbs many of the controls were impossible to use without perfect precision. Generally all the controls on the Andriod are larger and easier to manipulate, where the Windows Mobile controls are clunky and small.

The Android marketplace is also something that Windows Mobile could certainly have done with. It is an almost perfect image of the iPhone App Store, except that in the culture of open source most of the applications are free. The applications are easier to search for, review and download making the Android Marketplace a much easier to use and more polished tool.

One thing this phone and my last one have in common was the hacker community around them. Both have multiple ROMs available and its relatively easy to flash a new one. I’m currently running the latest stable CyanogenMod (4.0.4) which was extremely easy to flash courtesy of the latest kernel vulnerability and some specially designed tools.

Random Thought: I thought Androids could make breakfast for me.

Particular points I’m enjoying:

• The desktop wallpaper that has squares on an angled surface is very appealing. The other new desktop wallpapers are very eye catching too.
• Having 3D rendering working properly on my laptop.
• The new Fedora 12 Login Theme is music to my ears (except when I have my laptop speakers turned up and it reverbs horribly).
• EXT4 support seems a bit stronger. Of particular importance barrier based sync now works on LVM metadevices.
• Dracut has made no discernible difference to boot times and ability to boot.
• resize2fs is now able to shrink an ext4 partition. system-config-lvm now recognises ext4 and allows resizing it.

Particular points I’m not enjoying:

• Eclipse is unstable and keeps crashing.
• Turning off the menu icons in GNOME seems like a bad idea, it makes it harder to recognise each menu.
• Modesetting stops me from using 3D effects.
• You can’t drag icons from the menu to the panels or the desktop any more.

So the key part of why a SSH agent and SSH agent forwarding forwarding is so useful is due to the way keys can be attacked. If I wanted to get your SSH private key I could find some flaw in the system that would give me that /home/you/.ssh/id_rsa file you have. Of course a malicious user with root access to the system could just go in and grab it. You can prevent this kind of attack by setting a passphrase on the key. Of course the root user could replace SSH with a special version designed to get your passphrase, steal the key out of memory or setup a keylogger. This means effectively that your private key is not safe on any system where a person you don’t trust has root access, or has other users and exploitable vulnerabilities.

Single Private Key on Multiple Machines

In this example you’re trusting the security of every single machine you have your private key on. Should it get compromised then you have to revoke you public key from every host, and regenerate private keys to place on every host. Every time you put your private key on a machine you increase the chances that it could be compromised.

Multiple Private Keys On Multiple Machines

So we’re getting a little closer to a good solution. In this instance we don’t have to generate our key and roll it out to all hosts in event of a compromise. You can also have segregate groups, on set of keys for work, another for home and so on. Your keys can still be compromised easily though, and once compromised they can be used until you revoke them manually.

SSH Agent Forwarding

There is a way to keep your key safe from compromise. Now I’ll have to explain how SSH authenticates you using your key. When your authenticating with SSH keys your key isn’t sent, the server sends you some random data and challenges your client to encrypt it with your private key. It then verifies the encrypted data by decrypting it with the public key and checking if it matches the data originally sent. Now the way most people would SSH from the second host to another third host is to utilise a private key on the second host to connect to the third host. Unfortunately this method means that you have to store a key (that is open for compromise) on the second host. SSH agent forwarding tells the SSH client on the second server to send the challenge data through to the SSH client (or ssh agent) on the first host. The agent encrypts the data and sends it via the SSH session to the third client.

The beauty of this method is that the second host never sees a private key, and the challenge data is useless to try and connect to a different host. Even if the second host is compromised there isn’t a private key there to compromise. It should be noted that if the second host is compromised it can still request the agent identify for a different host, or the session to the third host can be taken over. Both these are temporary though and unless the malicious user installs their key (something easy to notice) they cannot get back in.

Diagram detailing how an SSH connection is authenticated using agent forwarding.

If you want to know more about how this works, there is a wonderful tech tip at http://unixwiz.net/techtips/ssh-agent-forwarding.html.

But how?

SSH agent forwarding is even easier than copying keys all over the place. The first step is to generate keys for all the machines you log on to directly. You need to be sure these machines are secure and that your keys will stay safe, though this is sometimes not possible. You then add the generated public key to the authorized hosts file of all the machines you will connect to from this one, including ones that take two or more steps to get to. Finally you edit your ~/.ssh/ssh_config file to tell SSH to forward your agent through those hosts. Include the intermediate hosts in this list, but not the endpoints. You could also use SSHmenu to add the arguments automatically to those SSH commands. The following disables forwarding to all hosts, and explicitly enables it to fred, and aaron.missgner.com.

Host fred
  ForwardAgent yes

Host aaron.missgner.com
  ForwardAgent yes

Host *
  ForwardAgent no

Random thought: Linux has Plug ‘n Pray too, you plug the device in and pray the drivers aren’t proprietary.

My machine was still running so I knew I hadn’t wiped anything immediately important. The first thing that I thought of doing was checking what exactly it was that I had wiped and what chance I had of backing up anything before bailing out. Looking at the LVM layout revealed that I’d probably just destroyed the file system I stored my local Fedora repository on, something I could do without. So I umounted it, removed it from /etc/fstab and did a lvremove. This is exactly where I realised the gravity of the situation. LVM was complaining that it couldn’t locate one of the physical volumes. Of course it couldn’t, I’d just blown away all the metadata for it.

Did you know LVM keeps backups of the metadata? Yes, it keeps them in /etc/lvm/backup (for slightly older copies see /etc/lvm/archive) and you can use this to recover the metadata. I thought a good place to do this would be now, before the reboot that could end it all. Try as I might it was refusing to create a volume that already existed and it also complained about the device being in use. I count myself extremely lucky to be able to do what I did next. To me it felt incredible but when you really think about it it makes sense.

I downloaded the Fedora 11 Live CD and burned it to CD. Yep that’s right, while knocking on deaths door my machine managed to launch a torrent client, download a 700Mb ISO and burn it to a CD. After that I backed up the /etc/lvm folder to the USB hard drive that caused this mess. Finally I rebooted into the Live environment. The very next step was to recreate the partition table with fdisk.

Then I recreated the physical volume metadata that was destroyed with the following command:

pvcreate -ff -u DsuvMV-1HVj-SQOU-wZkT-N9M0-LMZd-gPws1U \
 --restorefile /media/usbdisk/lvm/backup/Volgroup00 /dev/sdb1

This forces the creation of a pv with a specific uuid, ignoring any pvs that exist with the same uuid. It also restores the metadata stored in the restorefile. Follow up with this command to restore the full metadata.

vgcfgrestore -f /media/usbdisk/lvm/backup/Volgroup00 -v VolGroup00

Now our LVM metadata is all correct, but at this point we still need to activate the logical volumes.

vgchange -ay

Finally you should fsck your logical volumes to make sure everything is working properly and you don’t get any nasty surprises later. All that is left then is to reboot into your recovered system.

Now thats something they don’t teach you in RHCE!

Random thought: Who needs enemies when I have my own stupidity to contend with?

New Features

Abrt 1.0

ABRT stands for Automated Bug Reporting Daemon. It is a tool designed to make it trivially easy for a user to submit a bug report when an application they are using crashes. This will require a fully updated system (to ensure you’re not reporting bugs already fixed, and the debuginfo packages for the software you’re reporting the bug for (they will be downloaded on demand). This will mean that should an application crash a popup will appear in the system tray, clicking the pop-up will launch a simple wizard to walk the user through the steps of reporting the bug.

Anaconda MDRaid

This feature involves changing the default RAID type from dmraid to mdraid when using Intel BIOS-RAID devices. Mdraid (Linux Software RAID) holds many advantages over dmraid including RAID 5 sets and better flexibility. In the past the dmraid drivers were built into the initrd and hence the only way to stop them loading would be to rebuild the initrd without them. Of course this was a non-solution as you had to do it every time you upgraded the kernel.

FCoE

Fibre Channel over Ethernet is a recent attempt to reduce the number of cables and interfaces in datacenters. With less switches, cables and interfaces then less cooling is needed and less power is needed, which saves money which is clearly good for companies. So currently to get Fedora working over FCoE you have to play some very interesting tricks. This new feature is aiming to get Fedora 12 to easily install and boot straight from FCoE without any hassle.

Fedora Studio

If you have many multimedia applications installed in Fedora 11 you can end up with a very large menu. This can make it difficult to see all the applications and choose the right one. This feature is about creating submenus for media applications to make it easier to find everything.

GFS2 Clustered Samba

This feature (though I must admit I’m not experienced with samba) allows you to export GFS2 clustered filesystems across samba. This means that you can have high availability samba share. Unfortunately that’s as much as I can tell you. If you want to know more, I suggest you visit the feature page.

KDE 4.3

Keeping Fedoa at the cutting edge of the Linux software world involves keeping the desktop environments up to date. A desktop environment is what the user sees most and what will make the most difference to their experience. KDE 4.3 has many new features including: a new default theme, brand new plasma gadgets, Google Calendar support in KOrganiser and a new bug reporting tool.

KSM

KSM or Kernel SamePage Merging allows KVM to request pages of RAM that are identical between multiple virtual machines be shared. This approach works because visualized guests will be running the same daemons, loading the same kernels and loading a large amount of similar files. This requires a large amount of kernel changes which probably wont make it into the 2.6.31 kernel so will have to be backported.

Mobile Broadband Enhancements

The current black spot in NetworkManagers support is around mobile broadband. Today mobile broadband adaptors are becoming commonplace, but support in Linux is anything but easy. Adding NetworkManager support should make it extremely simple to get your broadband working where ever you are, whatever plan you’re on and whatever device you’re using.

Moblin

Moblin is a Linux platform that is optimised to give a better experience on netbooks. This feature involves the addition of new desktop manager from Moblin Core. Moblin is a complete rethink of the GUI in a way that’s designed to be easy to work on netbooks. Its also integrated with socail networking and all the features the ‘new kids’ want. Check out the intro video.

Gnome 2.28

The plan for Gnome 2.28 hasn’t been completely finalized yet. So I cant tell you what you’ll see, what it will be like or whether this feature will eventually be dropped. You can find a list of planned changes for Gnome overall here and a separate list for each Gnome application here.

KVM NIC Hotplug

This feature add support for hot plugging KVM network interfaces. Having to restart every time you want to add a host to a new network, or give it another interface to load balance over can be a royal pain. Adding a new device simply involves creating a new TAP device and passing its file descriptor to QEMU. Some changes to SELinux will be required but that’s about it.

KVM qcow2 Performance

qcow2 is a disk format for QEMU. Currently though it has a poor performance when using it without a in memory write cache. Unfortunately though storing writes in memory means that in the event of a system crash they may not get written to the physical disk. This feature focuses on improving performance so that administrators don’t feel the need to choose between performance and data safety.

KVM Huge Page Backed Memory

Normally on an x86 CPU the page size would be 4 kilobytes, but the Linux kernel has the ability to use huge page sizes. To find out what size a huge page is in you system type ‘cat /proc/meminfo | grep Hugepagesize:’. On my x86_64 bit system this is 2048 Kb. Large pages require less memory for page tables, which increases performance.

KVM Stable Guest ABI

When QEMU is upgraded some of the devices it emulates may change, for example it may support new network cards or different hard drive controllers. These upgrades are equivalent to upgrading the hardware the guest runs on. Unfortunately if Windows detects that hardware has changed it requests activation. Reactivating all your windows guests can become very tiresome every time you upgrade QEMU. This feature is about providing a stabilized hardware to each guest, and only upgrading on the request of the administrator.

libguestfs

Libguestfs allows you to easily access any filesystem that can be accessed by your qemu virtual machines. It borrows code from the Linux kernel and qemu. This saves application developers from using complicated loopback mounts and LVM (of which there is another feature to improve).

Lower Process Capabilities

The DAC_OVERRIDE capability allows a process to override any file permissions that may be set. If we can remove the DAC_OVERRIDE permission from system daemons then they will become a less attractive target for exploitation. If the filesystem permissions are set in such a way as to protect the files even better (such as 0000 permissions on /etc/shadow and 005 on /bin) then attacking a program with root privileges will be even less attractive. This feature is about dropping DAC_OVERRIDE from some system daemons and modifying file permissions system wide.

NetBeans 6.7

Fedora has always been up to date with the latest cutting edge software. Currently NetBeans 6.5 is in Fedora 11. The plan it to move to NetBeans 6.7 to take advantages of the new features.

Ovirt Node

Ovirt node is a host installation of Fedora that is extremely lightweight. The only items included are utilities to run and manage virtual machines and their dependencies. This takes much less memory, disk and CPU for the host leaving more memory available to the guests and increasing the amount of virtual machines you can run on any host.

Open Shared Root

This feature is extremely interesting to me because as part of my work I manage several High Performance Clusters. This feature is about having multiple Fedora systems all boot off the same root filesystem. This way people who manage a large number of systems can make one completely stateless image that they all boot off.

Power Management F12

A sneak addition to Fedora 11 was tuned, so sneaky I only discovered it recently. It allows the system to tune its setting on the fly. For example on my laptop when there is little filesystem activity it can tune the commit interval so it only has to spin up the HD on rare occasions. It has a plugin architecture so it could also tune the network card to 10Mbits when it is hardly being used, or turn off the wireless network card when it isn’t required. This feature involves merging tuned and Red Hats ktune in order to automatically tune the power usage of your PC.

SystemTap Eclipse GUI

There is currently a focus on making SystemTap easier to use. Currently SystemTap only has a CLI GUI, and while there is a vim syntax highlighter it isn’t installed by default. This effectively means there is no IDE for developing SystemTap scripts. Eclipse is a visual editor for writing many types of applications. SystemTap will no doubt benefit With eclipse integration, maybe we’ll even see automatically generated SystemTap scripts.

Systemtap Tracing Refresh

Originally a feature was proposed for Fedora 12 titled ‘SystemTap Static probes’, but the work required for this feature to become a reality hasn’t been finished yet. So that feature has been re targeted for Fedora 13. Instead this feature will focus on documenting and streamlining the SystemTap tools to provide a better user experience. This work going into this feature also enables the ‘SystemTap Static probes’ for the next version of Fedora.

Rakudo Perl 6

Rakudo is an implementation of the Perl 6 specification under the Parrot Virtual Machine. There are currently many implementations of Perl 6 but this one clearly separates the compiler and the runtime and its more actively maintained than the rest. This feature allows Fedora to stay at the cutting edge of technology.

Thusnelda

Thusnelda is the name of the new Theora encoder. As of the libtheora 1.1 release it is now the chosen encoder for Theora video. Thusnelda’s development was supported by Red Hat, Wikimedia and Mozilla. It should be noted that mplayer and ffmpeg include their own implementation for Theora encoders so this feature will not include those applications that rely on them.

Virtual Network Interface Management

Linux allows some very complicated setups for networking, for instance you can bond multiple physical interfaces for increased throughput or reliability, you can set an inteface to tag VLANs and many more. None of these configurations are easy, and NetworkManager has even made some harder. This feature is especially important when guest machines are involved because they can involde some interesting network setups. This feature will introduce a netcf library to allow the easy configuration of complicated network setups. Netcf will not be integrated with NetworkManager in this release of Fedora, but these features will be designed with future integration in mind.

NFSv4Default

Simply put, this feature is about changing the default NFS protocol for Fedora 12 to NFSv4. NFSv4 includes many improvements over its predecessors but most importantly it uses less traffic to perform the same tasks.

PackageKitBrowserPlugin

Lets say I’m writing a blog post that explains how get SystemTap working on your system. I’d have to tell you what packages you’d need to install in order to get it working. Rather than give you a bunch of yum commands to run wouldn’t it be cool if you just clicked a button on my site. That’s basically what is involved in this feature, it means I can add a button which will prompt you to install the features I’ve told it to.

PackageKitCommandNotFound

Ever typed mplayer into a terminal only to find out it isn’t installed yet? This integrates into bashes command not found message to help you find the program you were looking for. Now instead of bash saying command not found when you type iotop for the first time it will prompt you to install it.

SR-IOV

using QEMU you can assign PCI devices directly to the guests machines, but previously this would stop the host from using it, and it would only be available on the one guest. This feature is about allowing multiple guests and the host to simultaneously access one PCI device. This requires driver support so that the machines can be organised and coordinated to prevent mishaps and errors.

Virt Privileges

This feature allows running QEMU as a non root user. Running with these lower privileges limits the damage that can be done by particular vulnerabilities. Another advantage is that you can have a much better intergration with a users desktop. The guest machine will be able to use that users sound server, put disk images in that users home directories and generally integrate with the desktop better.

VirtioSerial

This feature will create an interface between the userspace on the guest and the userspace on the host. This interface will consist of simple character devices that will be able to alert the guest to windows size changes, or transfer copy/paste data bidirectionally.

VirtgPXE

Every time Red Hat fix a bug in etherboot and send a patch upstream the get the response “we currently do not support etherboot, can you use gpxe instead?”. At the moment gxpe is included in Fedora but is not used by QEMU. The plan for this feature is to deprecate etherboot and move towards gxpa.

Virt Storage Management

At the moment if you want a guest machine to use a SAN for storage you’ll have to set it up manually. This feature plans to make it easier to configure by allowing machines to auto-detect and configure the SAN for the virtual machine.

XI2

XInput2 is a major enhancement over XInput1.5. It opens up X to some very interesting posibilities, for example I could have two keyboards and mice attached to my desktop allowing both me and another person to use two applications on the same screen simultaneously. I could copy something to the clipboard and they could paste it. I could drag a picture into their document from my image editor and so on. Somewhat less exciting is support for 32bit keycodes, instead of 255 allowing even more multimedia keys, support for devices that modify the amount of buttons they have at runtime and so on.

YumLangpackPlugin

Fedora is available in many different languages, but finding and installing the correct langpacks to get the language you want can be very difficult. This feature lets yum find and install the correct langpacks when the base langpack is installed. this makes Fedora much more accessable to people who speak languages other than English.

Dropped Features

Debuginfo filesystem

Dropped due to a lack of status updates

Multiseat

Dropped due to a lack of status updates

SystemTap Static probes

See the SystemTap Tracing Refresh.

Random Thought: I just wrote a 2446 word post about Fedora’s features and you expect me to be able to think afterwards? I’m too tired to think!