blino's website

Free software developer and more

The old profile selection menus have been moved out of the Mandriva Control Center.

Profile selection and creation is now centralized in the new draknetprofile tool.



This hardware applet (or, more correctly, helper) will notify the user of hotplugged devices that require configuration, and allow the user to run the configuration tool.

It should rely on gnome-volume-manager and kde-volume-manager as much as possible, and on standard HAL classes.

  • add harddrake-handled classes in HAL configuration files (/etc/hal)
  • generic case: make g-v-m and k-v-m run a wrapper tool for classes they don't handle (requires a patch in each of these volume-managers):
    • USB modems
    • USB/PCMCIA network/wireless cards
    • USB printers
    • USB scanners
  • prefer direct configuration of g-v-m and k-v-m when they handle a class (from the list above); this amounts to specifying the wrapper tool path
  • display a notification icon with a notification bubble from the wrapper
  • allow remembering the per-device configuration choice
  • show a "Run tool?" popup with Yes/No buttons and a "Remember configuration" checkbox
  • provide a tool to manage the list of automatically configured devices (merge into harddrake)


Faster boot

  • sort files in the loopback image based on their access order
  • readahead

urpmi sources for DVD media

  • add urpmi sources after install if package media are present on the live medium (to be done at the end of draklive-install)

Save config on local media (Move-like)

  • save live config on a local medium (USB key, disk), three possible levels:
    1. save /home and /etc, ask for the local medium location at the end of finish-install, and create new unionfs mounts for both /home and /etc
    2. save the whole /, ask for the local medium location in stage1 (not really user friendly, maybe improve with fbmenu)
    3. save the whole /, ask for the local medium location at the end of finish-install, and modify the main unionfs mounts (only possible if unionctl allows modifying branches of the / mount; this wasn't possible in 2006.0, maybe it's better with initramfs and switch_root)
  • (3) is best if possible, (1) is easy, (2) would need more work
  • a further step would be to allow to save config on a remote server (probably not for 2007.0)

Bi-arch

  • build bi-arch live systems (requires an isolinux program that can load a specific initrd based on the architecture)

More technical tasks

  • use stage1 to load modules, and maybe mount loopbacks, instead of using a custom initrd with brute-force hardware detection
  • clean draklive-install by integrating needed parts in the installer (wasn't done in 2006.0 because the installer code was frozen at the time the tool was written)


Interactive Firewall (2006.0 specs bits/ideas)

ipset

  • don't duplicate the attackers list in mandi's memory, make the ipset list the reference
  • use a libified ipset instead of calling the external program
  • handle manual edits of ipsets (make ipset send a signal to mandi)
  • use ipset lib to save/restore IP lists

IFW GUI

  • allow to edit default timeout for blacklists

Text mode interface

  • add notifications on the console (using wall?)
  • provide text-mode tool to list attacks and control mandi for cases where ipset manipulation isn't enough
  • show examples or minimal help pointers in text notifications

Services monitoring

  • watch inbound server connections and notify about them using a bubble (already available in cooker)
  • don't make the bubble look like it's an attack, show it's just a notification
  • use a specific icon per service type

SSH brute force attacks

  • detect SSH brute-force attacks using a PAM plugin like pam_abl
  • make mandi aware of the attacks
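The two SSH items above, together with the ipset notes earlier on this page (ipset as the only record of blocked hosts, save/restore via the ipset lib), can be sketched end to end. The following is an added example for this page, not mandi's or pam_abl's code: it counts failed-password lines per source over a sliding window and emits an `ipset restore` script that puts the offenders into a timed set, so nothing has to be kept in a daemon's memory. The set name `blacklist`, the threshold (5 failures in 60 seconds), the one-hour timeout and the log lines are all assumptions constructed for the example.

```python
"""Detect SSH brute-force sources from sshd log lines and emit an
`ipset restore` script that blacklists them with a timeout.

Added example for this page, not mandi's or pam_abl's code.  Assumed:
the set is named "blacklist" (hypothetical), the threshold is 5
failures per source within 60 seconds, and the log lines are in the
classic syslog format sshd uses."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not a real capture).
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1201]: Failed password for root from 192.0.2.10 port 51000 ssh2
Mar  3 10:00:03 host sshd[1202]: Failed password for invalid user admin from 192.0.2.10 port 51001 ssh2
Mar  3 10:00:05 host sshd[1203]: Failed password for root from 192.0.2.10 port 51002 ssh2
Mar  3 10:00:07 host sshd[1204]: Failed password for root from 192.0.2.10 port 51003 ssh2
Mar  3 10:00:09 host sshd[1205]: Failed password for root from 192.0.2.10 port 51004 ssh2
Mar  3 10:00:11 host sshd[1206]: Accepted publickey for blino from 198.51.100.7 port 40000 ssh2
Mar  3 10:00:12 host sshd[1207]: Failed password for root from 198.51.100.7 port 40001 ssh2
Mar  3 10:05:00 host sshd[1208]: Failed password for root from 203.0.113.5 port 42000 ssh2
Mar  3 10:30:00 host sshd[1209]: Failed password for root from 203.0.113.5 port 42001 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2006):
    """Yield (timestamp, source_ip) for each failed-password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            # syslog lines carry no year; the caller supplies it
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]


def find_attackers(log_text, threshold=5, window_seconds=60):
    """Return the sorted list of IPs with at least `threshold` failures
    inside some window of `window_seconds` (sliding window per source)."""
    per_ip = defaultdict(list)
    for ts, ip in parse_failures(log_text):
        per_ip[ip].append(ts)
    attackers = set()
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                attackers.add(ip)
                break
    return sorted(attackers)


def ipset_restore_script(attackers, setname="blacklist", timeout=3600):
    """Build the text fed to `ipset restore`.  The set itself is the only
    record of who is blocked; entries expire on their own via the timeout,
    and -exist makes the script safe to replay."""
    lines = [f"create {setname} hash:ip timeout {timeout} -exist"]
    for ip in attackers:
        lines.append(f"add {setname} {ip} timeout {timeout} -exist")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(ipset_restore_script(find_attackers(SAMPLE_LOG)), end="")
```

Piped into `ipset restore`, the script creates the set if needed and adds each attacker with its own expiry; a matching `iptables -m set --match-set blacklist src -j DROP` rule then needs no per-attacker change, and a later `ipset save` gives back exactly what is currently blocked.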

drakfirewall

  • SMB conntrack
  • NFS conntrack (rpc_conntrack)

Interactive Firewall, new feature: control ports opened in LISTEN state

The idea is to dynamically open a port in the firewall when an application listens on it, and close it when it is no longer needed. This would be interactive (using net_applet) and controlled by users with sufficient privileges.

  • detect new ports in LISTEN state and their matching process (using a kernel patch that would send notifications on a netlink, received by mandi)
  • add opened/closed port lists to drakids/drakfirewall, with process names
  • save opened ports in a ports ipset
  • remove ports from the ipset once they're closed (requires a kernel notification as well)
  • don't use and configure the current /etc/shorewall/rules.drakx by default anymore; maybe add an advanced option "Don't use dynamic rules (use shorewall rules)"
  • require proper DBus permissions to flush the configuration; console ownership isn't enough, allow it for root and the ifwadmin group only
  • allow remembering the choice
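The first item above (find new LISTEN ports and the process behind them) can be done today from user space by reading `/proc/net/tcp` and `/proc/net/tcp6` and joining the socket inode to `/proc/*/fd`; a netlink notification from the kernel would replace the polling, but the decoding is the same. The block below is an added example for this page, not mandi's code. The `/proc` text and the inode-to-process table are constructed samples; `list_listeners_live()` reads the real files on a Linux host.

```python
"""List TCP sockets in LISTEN state from /proc/net/tcp{,6} and map each to
its owning process: the user-space view of what the page proposes the
kernel-to-mandi netlink notification would deliver.

Added example for this page, not mandi's code.  SAMPLE_* below are
constructed; list_listeners_live() reads the real /proc on Linux."""
import os
import re
import socket
import struct

LISTEN_STATE = "0A"  # TCP_LISTEN in the hexadecimal "st" column

# Constructed sample of /proc/net/tcp (header plus three sockets).
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0A00020F:C3A1 5BD0C20A:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1
"""
# Constructed sample of /proc/net/tcp6 (one socket).
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:0050 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12348 1 0000000000000000 100 0 0 10 0
"""
# Constructed inode -> (pid, comm) table standing in for a /proc/*/fd scan.
SAMPLE_INODES = {12345: (1201, "sshd"), 12346: (1300, "cupsd"), 12348: (1400, "httpd")}


def _decode_addr(hex_addr, family):
    """Turn the kernel's hex "ADDR:PORT" (little-endian 32-bit words) into text."""
    raw, port = hex_addr.split(":")
    if family == socket.AF_INET:
        packed = struct.pack("<I", int(raw, 16))
    else:
        # IPv6 is printed as four 32-bit words, each in host (little-endian) order
        packed = b"".join(struct.pack("<I", int(raw[i:i + 8], 16)) for i in range(0, 32, 8))
    return socket.inet_ntop(family, packed), int(port, 16)


def parse_listeners(text, ipv6=False):
    """Return [(address, port, uid, inode)] for LISTEN sockets in a /proc/net/tcp* dump."""
    family = socket.AF_INET6 if ipv6 else socket.AF_INET
    out = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10 or fields[3] != LISTEN_STATE:
            continue
        addr, port = _decode_addr(fields[1], family)
        out.append((addr, port, int(fields[7]), int(fields[9])))
    return out


def attach_processes(listeners, inode_table):
    """Join each listener to (pid, comm); None when no visible process owns the inode."""
    return [(addr, port, uid, inode_table.get(inode)) for addr, port, uid, inode in listeners]


def scan_socket_inodes():
    """Build the inode -> (pid, comm) table from /proc/*/fd on a live Linux host."""
    table = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            for fd in os.listdir(f"/proc/{pid}/fd"):
                m = re.match(r"socket:\[(\d+)\]", os.readlink(f"/proc/{pid}/fd/{fd}"))
                if m:
                    table[int(m.group(1))] = (int(pid), comm)
        except OSError:
            continue  # process exited, or its fd table is not readable by us
    return table


def list_listeners_live():
    """LISTEN sockets on this host with their owning processes (Linux only)."""
    inodes = scan_socket_inodes()
    result = []
    for path, ipv6 in (("/proc/net/tcp", False), ("/proc/net/tcp6", True)):
        with open(path) as f:
            result += attach_processes(parse_listeners(f.read(), ipv6), inodes)
    return result


if __name__ == "__main__":
    for addr, port, uid, proc in list_listeners_live():
        print(f"{addr}:{port} uid={uid} process={proc}")
```

Run as an unprivileged user the fd scan only sees that user's processes, so the process column is `None` for root-owned daemons; that is the same reason the page wants the kernel to push the notification (with the pid) to mandi rather than have a user-side applet poll.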

Interfaces

  • keep old drakfirewall layout: services list and checkboxes
  • new advanced interface (much like current drakids):
    • log window with process/port/verdict
    • opened ports window
    • closed ports window
  • popup in net_applet, with process/service labels, Open/Close/Ignore buttons, and a "Remember choice" checkbox

Security in other operating systems

Firewall redundancy

  • have a look at keepalived, ucarp, and ct_sync
  • provide a basic "Local network" control interface, allowing nodes to be specified by MAC address (detect hosts on the network, and show hostname/IP address/MAC address)

Network tools

Drakconnect

  • bluetooth support
  • 3G/Edge/GPRS support (almost integrated)
  • use icons to represent connection type

Drakroam

  • Ad-hoc network support
  • non-broadcast SSID support
  • use different icons for WEP/WPA: open/weak/strong icons would be nice, I like how it's done on the N770
  • allow users to write settings (in a ~/.wireless.d/ for example; the initscripts would then try to use them if USERCTL is "yes"), be careful about security issues (sourcing a user-writable file from an initscript runs whatever shell code it contains as root)
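The shell-sourcing caveat in the last item is worth making concrete: an initscript that does `. ~user/.wireless.d/home` executes that file, so a user-writable settings file must be read as data, not code. The block below is an added example for this page, not the Mandriva initscripts' code: it accepts only `KEY=value` or `KEY="value"` lines for a fixed set of keys, refuses anything carrying shell syntax, and re-emits the validated settings with proper quoting. The key names, the sample files and the `~/.wireless.d/` layout are assumptions for the example.

```python
"""Read per-user wireless settings (the page's ~/.wireless.d/ idea) as plain
KEY=VALUE data instead of sourcing the file, so a user-writable file can
never inject shell commands into an initscript running as root.

Added example for this page, not the Mandriva initscripts' code.  The
allowed key list and both sample files are assumptions."""
import re
import shlex

# Assumed key set; a real script would take it from the wireless initscript.
ALLOWED_KEYS = {"WIRELESS_ESSID", "WIRELESS_MODE", "WIRELESS_ENC_KEY", "WIRELESS_CHANNEL"}

# A line must be KEY=bare or KEY="quoted".  Bare values are a conservative
# charset; quoted values may contain spaces but no $, backtick, backslash or
# quote, so nothing in them can expand or terminate a shell word.
LINE_RE = re.compile(
    r'^(?P<key>[A-Z_][A-Z0-9_]*)='
    r'(?:"(?P<quoted>[^"\\$`\n]*)"|(?P<bare>[A-Za-z0-9_./:-]*))$'
)


def parse_wireless_settings(text):
    """Return (settings, rejected): validated key/values and the raw lines refused."""
    settings, rejected = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m or m["key"] not in ALLOWED_KEYS:
            rejected.append(raw)  # logged, never executed
            continue
        settings[m["key"]] = m["quoted"] if m["quoted"] is not None else m["bare"]
    return settings, rejected


def to_shell_assignments(settings):
    """Re-emit validated settings as safely quoted shell assignments, for an
    initscript that wants to eval a vetted result rather than the user's file."""
    return "\n".join(f"{k}={shlex.quote(v)}" for k, v in sorted(settings.items()))


# Constructed sample: what a well-behaved user would write.
GOOD_FILE = """\
# my home network
WIRELESS_ESSID="Home Net"
WIRELESS_MODE=Managed
WIRELESS_CHANNEL=6
"""

# Constructed sample: lines that `.`/`source` would run as root.  Every one
# is rejected: command substitution, a trailing command, a bare command,
# a backtick inside quotes, and a key outside the allowed set.
HOSTILE_FILE = """\
WIRELESS_ESSID=$(id)
WIRELESS_MODE=Managed; echo injected
`echo also injected`
WIRELESS_ENC_KEY="abc`echo x`"
USERCTL=yes
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_FILE), ("hostile", HOSTILE_FILE)):
        settings, rejected = parse_wireless_settings(text)
        print(f"{name}: accepted {settings}, rejected {len(rejected)} line(s)")
        print(to_shell_assignments(settings))
```

Note that the hostile file yields no settings at all rather than a partial set: the one syntactically valid line (`USERCTL=yes`) fails the key whitelist, which is the second check that matters, since a user must not be able to flip variables that control the initscript itself.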

Connection status

  • improve connection test: parse pppd/dhclient output if possible
  • add a "Network interface status" window:
    • link ok
    • modem synchronized
    • interface up
    • wireless authentication
    • wireless network association
    • current address

Profiles

  • move profiles from MCC menu to draknetprofile
  • maybe try to select profile based on location (see metaconf and guessnet)


The install team (Titi, Pixel, me) brain-stormed with David about the installer for Mandriva 2007.

We mostly talked about the media selection: it should be redesigned to ease the installation of updates and the use of third-party media (for example with a new proprietary drivers media).

Another important point is that the rpmsrate file should disappear; it would be better replaced by task packages.

Maybe we can use "Suggests" rpm tags for requirements such as alsa sub-packages. For example gstreamer would suggest gstreamer-alsa, which would be picked if alsa is selected.

But we should still provide package selection based on hardware detection. The network::thirdparty code may be used to get a list of packages (mainly to select packages copied from CDs), and extended to modules other than network.



Olivier Blin (2005)