The Journey Back to Linux

Posted by paul on January 4, 2008.

As part of starting my new job I've had to decide what kind of workstation to order. I'm fortunate in that my manager has given me the choice between a generic PC and an Apple machine. There was a time when I used Linux exclusively for all of my desktop and development needs, but about 4 years ago I purchased my first Powerbook and I really haven't touched anything other than Mac OS X on Apple hardware since.

Naturally my first instinct was simple: Get a Mac. I do all of my work on a MacBook Pro and I've grown to appreciate many things about Mac OS X. I fired up my browser and went over to the Apple Store Online to look at my options. What I'd forgotten was that the cost of even the lowest-spec Mac Pro is pretty prohibitive, so I'd have to choose between an iMac and a Mac Mini. Display size is pretty important to me, and the specs on a maxed-out Mini seem so piss-poor, so my best option was a 24" iMac. I've never been a fan of the iMacs (for a variety of reasons) so the fact that this was my best and only option was a bit disappointing to me. Why the hell is it not possible to purchase a Mac Pro for less than $2500 sans-display?

Faced with these limitations from my vendor of choice, I started to consider a PC. After looking around a bit, the prospect of purchasing a PC and running Linux again started to become strangely compelling. Perhaps years of limiting my hardware choices has taken its toll on me after all. As one is wont to do when faced with such a conundrum, I decided to do a little bit of soul searching and figure out exactly what it was (other than the price) that was attracting me to the option of a Lintel PC.

Now before anybody says anything, I'm perfectly aware that I could run Linux on Apple hardware, but I really don't consider that an option. I acknowledge that Apple hardware is generally of good quality, but I really do think it's overpriced. I'm fine paying a fee for a machine that runs OS X but I just can't justify the cost in order to just run Linux on the thing. If I'm going to run Linux, it's going to be on a Frankenstein-ish PC and that's that.

After some thought I decided that the big thing drawing me towards the Lintel option was choice. I didn't realize how much I missed piecing together a system, choosing a processor, shopping for a motherboard and all the fun things that Apple shields me from. I started to imagine my dream system, running Gentoo Linux (with XGL), maybe compiling a xen patched kernel and running a few virtual machines... it all made me feel... happy. The other unexpected realization I made was this: Running Linux on a PC I specced out and built myself makes me feel more... nerdy. For some reason, and I know that this is very unscientific, I just feel more encouraged to tinker on Linux... to try things out, to learn about new corners of the OS or a particular development environment or programming language or whatever the case may be...

Maybe it's the unpolished nature (kind of like living in a fixer-upper house) that does it, but Linux just makes me want to hack more. Apple hardware and Mac OS X is very good at making me feel comfortable or at home in the way a warm bath does... or the smell of bread baking, but it just doesn't inspire me to hack. At least... not anymore. So, we'll see if I still feel this way after a couple of months of customizing my system, emerging portage ebuilds, configuring USE flags, etc. But for now, this is the way I'm going and I'm a little excited to get back into it.

Disclaimer: I'm not leaving OS X behind. I still have my MacBook Pro, I suspect I'll still do a lot of my word processing in iWork and well, it's hard to do anything with Cocoa on Linux... I'm just diversifying my desktop experience.

PAM Authentication for Apache, Trac and SVN

Posted by paul on January 4, 2007.

I’m going to describe how to get two of my favourite development tools, Trac and Subversion, to authenticate against PAM (Pluggable Authentication Modules). For those who might not be familiar, Trac is a wiki that has integrated SCM and issue tracking. It’s written in Python and it’s incredibly useful. I’ve been using Subversion for version control for a long time and Trac is perfect for documenting a project as you go, and for keeping track of tasks and bugs. Its access control settings allow you to specify levels of access for different users, so I often create one group for me and any other developers, and another group for my clients. The clients group can update the wiki, create tickets and get reports or look at milestones, etc. The developers group can administer all aspects of the site. Anyway, as useful as Trac and SVN are, I started to get really sick of handling authentication for them. I used to set up htpasswd files for each repository and wiki and it got to be a real pain, especially when I wanted my clients or developers to also have email, shell access, etc. So I decided to try and get mod_auth_pam working so I could use existing system accounts for Trac and Subversion access (over SSL of course).

mod_auth_pam is an Apache module that implements Basic authentication on top of Pluggable Authentication Modules. Unfortunately, as the project page says, the module is no longer being maintained, but it works well enough with Apache 2.0.

Installing the module is pretty straightforward if you’re familiar with installing Apache modules. I won’t go into too much detail, but as usual you’ll need to load the module in your Apache configuration:

LoadModule auth_pam_module modules/mod_auth_pam.so
LoadModule auth_sys_group_module modules/mod_auth_sys_group.so

Once that’s done you can easily set up basic authentication with PAM. Because Basic authentication involves sending a username + password combination in plain text, this setup should not be used without SSL. Within my VirtualHost configuration, I define separate location configs for each trac site and svn repository. It all looks something like this:

<VirtualHost 123.321.123.321:443>
    ServerName host.domain.tld
    SSLEngine On
    ...
    # Trac config
    <Location /trac>
       SetHandler mod_python
       PythonHandler trac.web.modpython_frontend 
       PythonOption TracEnvParentDir /var/lib/trac
       PythonOption TracUriRoot /trac
    </Location>

    <Location "/trac/tracsiteone/login">
       AuthPAM_Enabled On
       AuthType Basic
       AuthName "trac site # 1"
       Require user paul
    </Location>

    <Location "/trac/tracsitetwo/login">
       AuthPAM_Enabled On
       AuthType Basic
       AuthName "trac site # 2"
       Require group developers
    </Location>

    # Subversion config
    <Location /svn>
       DAV svn
       SVNParentPath /var/svn
       SVNListParentPath On
       SVNAutoVersioning On
    </Location>

    <Location "/svn/repositoryone">
       AuthPAM_Enabled On
       AuthType Basic
       AuthName "Repo # 1"
       Require user paul
    </Location>

    <Location "/svn/repositorytwo">
       AuthPAM_Enabled On
       AuthType Basic
       AuthName "Repo # 2"
       Require group developers
    </Location>
</VirtualHost>

So what we have now is two SVN repositories and two Trac wikis. For the first trac wiki and the first subversion repository, only the user 'paul' is given access. For the second, any valid user in the 'developers' group has access. Unfortunately there’s an issue with shadow passwords and this module and I’m not entirely happy with the work-around so I may have to edit this setup to use mod_authnz_external or maybe I’ll eventually move to LDAP. Regardless, I find this works well enough for now and saves a lot of hassle maintaining separate authentication files.
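The warning above that Basic authentication should not be used without SSL can be checked mechanically. This is an added example, not part of the original post: a small Python audit that flags Location blocks using AuthType Basic inside a VirtualHost that never sets SSLEngine On. The function name and the port-80 VirtualHost in the sample are assumptions made for illustration, and only Location blocks nested inside a VirtualHost are inspected.

```python
import re

# Constructed sample: page-style HTTPS vhost plus a hypothetical port-80 vhost.
SAMPLE_CONF = """
<VirtualHost 123.321.123.321:443>
    SSLEngine On
    <Location "/svn/repositoryone">
       AuthPAM_Enabled On
       AuthType Basic
       Require user paul
    </Location>
</VirtualHost>
<VirtualHost 123.321.123.321:80>
    <Location "/svn/repositorytwo">
       AuthType Basic
       Require group developers
    </Location>
</VirtualHost>
"""
OPEN = re.compile(r'<(VirtualHost|Location)\s+"?([^">]+)"?\s*>', re.I)
CLOSE = re.compile(r'</(VirtualHost|Location)\s*>', re.I)

def find_cleartext_basic_auth(conf):
    """Return (vhost, location) pairs with Basic auth but no 'SSLEngine On'."""
    findings, vhost, location, ssl, basic = [], None, None, False, []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # Apache comments are whole lines
            continue
        opened, closed = OPEN.match(line), CLOSE.match(line)
        if opened and opened.group(1).lower() == "virtualhost":
            vhost, ssl, basic = opened.group(2).strip(), False, []
        elif opened:
            location = opened.group(2).strip()
        elif closed and closed.group(1).lower() == "virtualhost":
            if not ssl:                        # decide once the vhost is complete
                findings += [(vhost, loc) for loc in basic]
            vhost = None
        elif closed:
            location = None
        else:
            words = line.lower().split()
            if words[:2] == ["sslengine", "on"] and vhost and not location:
                ssl = True
            elif words[:2] == ["authtype", "basic"] and vhost and location:
                basic.append(location)
    return findings

if __name__ == "__main__":
    print(find_cleartext_basic_auth(SAMPLE_CONF))
```

Run against a real configuration by passing the file's text to `find_cleartext_basic_auth`; an empty list means every Basic-auth Location it saw sits in an SSL-enabled VirtualHost.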

Xen Hosting

Posted by paul on January 3, 2007.

I recently made the decision to move from a shared hosting account to a dedicated server. I was very happy with my shared hosting provider (WebFaction) but it’s not uncommon for me to have several websites or trac wikis or subversion repositories all going at once. I need these to be accessible to me and my clients at all times and my home DSL connection just isn’t dependable enough for hosting. I started looking into dedicated hosting packages but decided to save myself about $80 / month and go for a VPS (Virtual Private Server) package.

When it comes to virtualization, I'm a pretty big fan of Xen. If anyone is interested in the subject and hasn’t already, it’s really worth checking out. At a really high level, here’s how it works: basically you have a DOM0 (Domain-0) patched kernel that you run on your physical machine which you allocate a specific amount of RAM to. Once you have your DOM0 set up correctly you can install any number (RAM permitting) of guest hosts running a DOMU (unprivileged domain) patched kernel. You specify how much RAM you want to allocate to each DOMU and there are a number of ways to handle filesystems. The DOM0 (host OS) manages access to hardware and other low-level stuff and basically makes it completely transparent when working within a DOMU. It comes with some handy userland tools to manage guest hosts and there are 3rd party packages like enomalism (Yes I just plugged my former employer!) that make it really simple.

So I started shopping around for hosting companies offering VPS packages that used Xen and I found one that looked a little nickel-and-dime, but were local, had reasonable prices and offered my favourite Linux distribution (Gentoo!). I figured I’d give them a shot. One week and 14 hours of downtime later I canceled my account, got a refund and signed up for an account with RimuHosting. Now these people know how to do support! Within minutes of signing up I got an email with a link to set up my PayPal subscription. I set up my subscription and less than an hour later had my account details. First things first, I tried to connect to my host via SSH and got a timeout... good opportunity to try out their support! I emailed their tech support and we were able to figure out that the problem was a lack of a reverse DNS entry on the VPS' IP address. I didn’t know that Mac OS X won’t open an SSH connection in these circumstances. Okay, easy to solve... there’s a handy utility in their control panel to do just that. Once that was working I was up and running and started to set up Apache, Postfix and all the other wonderful software I use.

Now I’m happily hosting several websites (each with MySQL or PostgreSQL databases), Trac wikis, SVN repositories, I’m running AWStats, hosting my mail, and generally loving the VPS life, all for at least a 5th of what a dedicated package would cost!