Upgrading

The upgrade process is amazingly simple:

1. Download the new firmware image to your PC
2. Use Luci, the OpenWRT web interface, to upload the image
3. Reinstall any additional packages you previously had installed

The Luci upgrade process will preserve your configuration across upgrades, but you should always back up your configuration first. Luci makes this easy, via “System -> Backup/Restore”. The result is a tar.gz of various files, mostly in /etc. You can add custom entries to this list from “Administration”, then “Overview -> User Interface”.

However, the upgrade process doesn’t preserve installed packages or make a list of them. I suggest you keep a list of packages you want to install, or generate a list before upgrading:

opkg list-installed | cut -f 1 -d ' '

For the latest upgrade, I downloaded openwrt-ar71xx-wzr-hp-g300nh-squashfs-sysupgrade.bin from the 10.03.1-rc3/ar71xx section of the Backfire repository.

To use Luci to flash the new firmware, go to “Administration”, then “System -> Firmware”. Select “Browse” and select the firmware image you downloaded, then check “Keep configuration files”. Then select “Upload image”. After uploading, Luci will display the md5sum and size of the new firmware. Verify it, and then select “Proceed”.

The upgrade process goes through several steps, flashing the new firmware and importing the old configurations, and finally rebooting. This takes 5-10 minutes. I recommend doing this over wired Ethernet, although wireless works fine. New firmware images may not include the wireless driver for your hardware, so you may need to use Ethernet after the upgrade to install the needed packages.

After rebooting, edit the package list to point to the new repository and install the missing software. You can do this from the command line or with Luci.

If using the terminal, edit /etc/opkg.conf. If Luci, go to “Administration”, then “System -> Software”, and wait for the page to fully load. Then select “Edit package lists and installation targets”. Change the first line to point to the new repository:

src/gz packages http://downloads.openwrt.org/backfire/10.03.1-rc3/ar71xx/packages

I suspect this would not be necessary if the backup settings excluded /etc/opkg.conf, but it’s easy to work around.

Once that’s done, reload the package list and reinstall any software packages you had previously installed. See the package list in my last post for a handy summary to paste into the terminal.

Finally, enable the services you just installed. In Luci, use “Administration”, then “Services -> Initscripts”. I believe you could avoid this by adding /etc/rc.d to the backup settings before upgrading, but again, it’s easy to work around.

Finally, reboot. All services should start as normal, and everything should work as it did before the upgrade.

Issues with 10.03.1-rc3

As with 10.03, the ath9k driver still cannot support multiple wireless networks with different encryption settings. There are also known issues using PPPoE on the WAN link, but my Internet provider (Virgin Media cable) presents as regular Ethernet so this is not a problem for me.

The nmap package is missing libnl as a dependency.

root@gw-belafonte:~# nmap
nmap: can't load library 'libnl.so.1'

Correct it with opkg install libnl. It is nice to see that OpenWRT has nmap version 5.35DC1, which is newer than the latest Debian/Ubuntu packages.

Comparison of wireless performance among 10.03 images

Each release in the 10.03 series has included a bugfix or improvement to the ath9k wireless driver. To compare them, I re-ran the same iperf/bwm-ng tests from my last post. There appears to have been a small drop in maximum throughput from 10.03 to the 10.03.1 release candidates:

32.5 mbit – Buffalo WZR-HP-G300NH running OpenWRT 10.03
27.8 mbit – Buffalo WZR-HP-G300NH running OpenWRT 10.03.1-rc2
27.2 mbit – Buffalo WZR-HP-G300NH running OpenWRT 10.03.1-rc3

However, there were also major improvements in wireless stability, latency and jitter between 10.03 and 10.03.1-rc2. Using fping -l from my laptop (on 802.11g wireless) to gozer (on gigabit Ethernet) and frances (another laptop on 802.11g wireless) produced:

# 10.03
gozer   : xmt/rcv/%loss = 297/245/18%, min/avg/max = 0.71/182.2/987
frances : xmt/rcv/%loss = 297/239/20%, min/avg/max = 1.60/195.3/979

# 10.03.1-rc2
gozer   : xmt/rcv/%loss = 2799/2775/0%, min/avg/max = 0.71/3.11/196
frances : xmt/rcv/%loss = 2798/2770/1%, min/avg/max = 1.60/5.96/206

# 10.03.1-rc3
gozer   : xmt/rcv/%loss = 372/369/0%, min/avg/max = 0.58/4.77/150
frances : xmt/rcv/%loss = 372/366/1%, min/avg/max = 1.64/9.73/267

Under both 10.03 and 10.03.1-rc2, I have experienced several drops in the wireless connection to two laptops. This usually happens overnight when our laptops are idle, and is accompanied by syslog errors on the router:

Sep  1 01:51:32 gw-belafonte daemon.info hostapd: wlan0: STA 00:1c:bf:00:00:01 IEEE 802.11: disassociated
Sep  1 01:51:32 gw-belafonte daemon.info hostapd: wlan0: STA 00:1c:bf:00:00:01 IEEE 802.11: deauthenticated due to inactivity
Sep  1 01:51:32 gw-belafonte daemon.info hostapd: wlan0: STA 00:1c:bf:00:00:01 IEEE 802.11: authenticated

I haven’t seen this happen since upgrading to 10.03.1-rc3, but I won’t be surprised if it does.

Full disclosure: before replacing the WRT54GL router, I tried to downgrade it to an older release of OpenWRT (Kamikaze 8.09.2). I uploaded the wrong firmware and bricked it. Oops. I had already decided to replace it, but this added some urgency.

My reasons for upgrading are mostly technical. I want to install other software packages on the router, such as mtr and tcpdump. This makes debugging infinitely faster and easier. When the going gets tough, the tough sniff packets. The Buffalo also represents a hardware upgrade in virtually every way – flash storage, RAM, CPU, wireless speed, Ethernet speed, and USB support.

However, there are also a bit of politics involved. DD-WRT’s development model is much more “closed” than OpenWRT, and is heavily centralised. OpenWRT is more of a community project and supports external packages in parallel development. Further, DD-WRT tries to store everything in the device NVRAM (non-volatile RAM), while OpenWRT creates a JFFS2 filesystem much more like a typical Linux system. I’d rather use and support OpenWRT as a project, and I think their way is the way forward.

Installation

The OpenWRT page for the WZR-HP-G300NH gives step-by-step instructions on how to install OpenWRT. These steps worked perfectly, so I won’t reproduce them here. I installed the Squashfs image via the TFTP method. After installation, I logged in via telnet and changed the root password.

There is a known issue where SSH doesn’t start for 2-3 minutes after you change the root password. This happened to me but was just a matter of waiting until SSH started.

The hardware takes about 20 seconds to boot up, then waits for firmware by TFTP for 4 seconds, then loads OpenWRT. In total, boot time is about 45 seconds. This is just longer than my Ubuntu 10.04 media PC waits for an address by DHCP, so whenever I reboot the router I have to manually reconnect to the network. Ironically, the PC boots faster than the router. I hope makers of embedded systems follow Ubuntu’s example of speeding up boot times, because the difference is pretty glaring.

Package Management

Packages can be installed from the command-line or from Luci, the web interface. Before you can do so, you must download a package list from OpenWRT using the package manager, opkg. This tool is similar to dpkg or apt-get from Debian. The package list is kept in a RAM disk, so it does not persist across reboots. Before installing, either run opkg update or login to Luci and click “Administration”, then “System -> Software”, and finally “update package list”.

Install packages with opkg install packagename. Some packages, such as dropbear and openssh-client may overwrite the same files, so you must use the --force-overwrite switch if you see something like this:

root@gw-belafonte:/# opkg install openssh-client
Installing openssh-client (5.4p1-1) to root...
Downloading http://downloads.openwrt.org/backfire/10.03/ar71xx/packages/openssh-client_5.4p1-1_ar71xx.ipk.
Collected errors:
 * check_data_file_clashes: Package openssh-client wants to install file /usr/bin/scp
        But that file is already provided by package  * check_data_file_clashes: dropbear
 * check_data_file_clashes: Package openssh-client wants to install file /usr/bin/ssh
        But that file is already provided by package  * check_data_file_clashes: dropbear
 * opkg_install_cmd: Cannot install package openssh-client.

Solution:

opkg --force-overwrite install openssh-client

Most packages are configured by the uci command or Luci, and store their preferences in /etc/config.

Remove packages with opkg remove packagename. This does not leave configuration files behind, except for those in /etc/config.

I must say I’m pretty impressed with opkg; it’s an excellent implementation of principles from apt-get and it works very well on such a small platform. It’s certainly much easier to use than DD-WRT, which doesn’t have packages at all. You must select what features you want when you install the firmware, and the choices are slim – standard, micro (small flash), and openvpn are about the only useful choices. It is possible to install OpenWRT packages on DD-WRT devices with sufficient flash, but then why not just use OpenWRT?

Daemons like OpenVPN do not start when they are installed, and they are not configured to start on boot. To start them, either use a command like /etc/init.d/openvpn start or use Luci (“Administration”, then “Services -> Initscripts”).

Wireless

Wireless doesn’t work out of the box, but it is easy to install. If you want to use WEP or WPA, install “wpad-mini”. If you want a more advanced mechanism like RADIUS or EAP, install the full “wpad” package. I preferred to install “wpad” rather than “wpad-mini”, so I could support other WPA authentication mechanisms. We’re always talking about replacing pre-shared keys with RADIUS at work, and the difference in package size is minimal, so I installed the full package.

opkg update
opkg install kmod-ath9k wpad
rm -f /etc/config/wireless
wifi detect > /etc/config/wireless

After that I was able to configure wifi using Luci. You can configure multiple wifi networks but I found the ath9k driver (or chipset) didn’t support different encryption settings. For instance, you can have these:

1. One network with WPA encryption
2. One network with WPA and one network with no encryption

But you cannot have these:

1. One network with WPA and one network with WEP
2. Two WPA networks with different keys

I’ve read that it is possible to do this with software encryption, but it wasn’t sufficiently important to me to continue. If I really want to use my Nintendo DS, I’ll just crack a nearby WEP network or set up a temporary AP on spare hardware I have lying around.

I didn’t test 802.11n wireless, as I have no other hardware which supports it.

USB

The instructions for enabling USB support said to only install the packages you really need. However, the WZR-HP-G300NH has plenty of flash, and I found my FAT32 USB stick wouldn’t mount with just the UTF8 character set installed. So I installed support for all languages and filesystems.

opkg install kmod-fs-btrfs kmod-fs-ext2 kmod-fs-ext3 kmod-fs-ext4 kmod-fs-isofs kmod-fs-reiserfs kmod-fs-vfat kmod-fs-xfs
opkg install kmod-nls-cp1250 kmod-nls-cp1251 kmod-nls-cp437 kmod-nls-cp775 kmod-nls-cp850 kmod-nls-cp852 kmod-nls-cp866 kmod-nls-iso8859-1 kmod-nls-iso8859-13 kmod-nls-iso8859-15 kmod-nls-iso8859-2 kmod-nls-koi8r kmod-nls-utf8
opkg install kmod-usb2 kmod-usb-storage kmod-usb-storage-extras block-hotplug block-mount hotplug2

I then configured the USB drive to mount automatically.

mkdir /mnt/usbstorage -p
uci set fstab.@mount[0].target=/mnt/usbstorage
uci set fstab.@mount[0].device=/dev/sda1
uci set fstab.@mount[0].fstype=auto
uci set fstab.@mount[0].enabled=1
uci set fstab.@mount[0].options=rw,sync,noatime,nodiratime
uci commit fstab
/etc/init.d/fstab enable
/etc/init.d/fstab restart

I didn’t install Samba support. SSH/SCP/SSHFS works fine for me.

HTTPS

The default installation supports SSH but not HTTPS. This strikes me as a strange choice, but it’s easy to resolve:

opkg install luci-ssl

Luci didn’t answer HTTPS until I rebooted the router.

SNMP

I like Cacti, and I like graphing my router’s IP throughput. OpenWRT has two SNMP daemons: mini_snmpd and snmpd. Don’t use mini_snmpd. It only supports SNMP 1/2, and it doesn’t care about SNMP community – it gives SNMP data to anybody who asks for it. It also only runs if you install IPv6 support (package kmod-ipv6).

opkg install snmpd

SNMPd doesn’t have a Luci interface, but it is easy to configure from SSH. Login, and edit /etc/config/snmpd. Change the public and private communities to something less obvious, such as a random password generated by pwgen (also installable with opkg).

config com2sec public
        option secname ro
        option source default
        option community aikeev4H

config com2sec private
        option secname rw
        option source localhost
        option community Heev7nai9aeg4foo3uN7otaing

The private (write) community cannot do much to this device, but I prefer to set it to something very long and then forget about it. Then commit the change and start snmpd (either at command line or Luci’s Initscripts interface).

uci commit snmpd
/etc/init.d/snmpd enable
/etc/init.d/snmpd start

UPNP, Avahi, and NTP Client

I also installed UPNP, Avahi (MDNS), and NTP client support. UPNP and the NTP client can be configured through Luci, but Avahi doesn’t really have anything to configure. OpenVPN supports rdate out of the box, but I use NTP everywhere else, so why not here?

opkg install avahi-daemon luci-app-ntpc luci-app-upnp miniupnpd ntpclient

Enable them using the Luci Initscripts interface.

Utilities

Then I installed all the useful command-line apps that I like to use on routers.

opkg install --force-overwrite bwm fdisk fping iftop ip iptables-utils lft lsof mtr net-tools-hostname ngrep nmap openssh-client rsync screen snmpd sshfs tcpdump

openssh-client is necessary for SSH agent support, which Dropbear’s own SSH client doesn’t offer. I use this with SSHFS to mount my harddrive and dump tcpdump files over the network. This is dangerous, since tcpdump might sniff the SSHFS traffic. Always remember to exclude your own SSH traffic, or bad things will happen:

tcpdump -i eth0 'not tcp port 22'

iptables-utils provides iptables-save, which is a far more sane way to read iptables rules. I can’t even look at normal iptables output any more. fping is ping’s smarter, older, multi-tasking brother. In fact, just try and learn to use all of these utilities. You won’t regret it.

OpenVPN

OpenVPN installation is as easy as the rest:

opkg install openvpn luci-app-openvpn

Next, configure OpenVPN using Luci. It will appear under “Administration”, then “Services -> OpenVPN”. I have an OpenVPN server at work we wish to connect to, so I created a new configuration named “Work”, and then added entries for “Remote host” and “Type of used device” (we use tap, not tun). I then added “Certificate authority”, “Local certificate”, and “Local private key” and uploaded each of the files. I then started OpenVPN using the Initscripts interface.

OpenWRT uses firewall “zones” like “lan” and “wan” to distinguish between outside and inside traffic. Traffic from the “wan” zone which is unknown will be rejected, and traffic from the “lan” group will be masqueraded (NATed) and permitted to exit. This is an excellent design, but it doesn’t have an entry for “vpn”. I tried to create one using Luci (“Administration”, then “Network -> Firewall”), but it doesn’t really work. This is because the firewall loads before OpenVPN. Therefore the tap/tun device does not yet exist, and no rules are added to the firewall to identify the OpenVPN traffic as part of the “vpn” zone. I tried reloading the firewall after OpenVPN, but this caused the WAN interface and VPN to drop, and never worked well no matter how I tried it.

I was really keen on using the Luci interface to configure the firewall, but in the end it was much easier to hack up a solution. I removed my “vpn” zone and just added some lines to /etc/firewall.user. This is a handy hook the developers added, a place to run custom commands after the firewall loads. Here is mine:

root@gw-belafonte:~# cat /etc/firewall.user
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# 2010-08-26 tyler - OpenVPN
iptables -I INPUT -i tap+ -j ACCEPT
iptables -I FORWARD -i tap+ -j ACCEPT
iptables -I FORWARD -o tap+ -j ACCEPT
iptables -t nat -A POSTROUTING -o tap+ -j MASQUERADE

This means all traffic to/from VPN interfaces is accepted (“tap+” matches tap0, tap1, etc), and traffic to the VPN is masqueraded. A quick reboot, and the VPN started up, the firewall rules loaded correctly, and everything worked perfectly.

LED Configuration

This part is just plain fun. Using Luci (“Administration”, then “System -> LED Configuration”) you can control the behaviour of the LEDs on the front of the device. They can be set to stay on or off, can blink with activity, and can be tied to any network device. You can even set one to heartbeat at a rate tied to uptime load. On the WZR-HP-G300NH you can control these LEDs on the face: orange “security”, green “wireless” and “router”, red “diag”; and you can also control the blue “USB” light on the back just above the USB port. I was not able to make the USB LED turn on when a USB stick is mounted, but I was able to configure the first three lights on the face, so that I am alerted to activity on the LAN, WAN, and VPN interfaces. It’s nice to have a “lock” icon when the VPN is connected, as this is a useful external indicator of network trouble.

Syslog

OpenWRT supports logging to an external syslog server. Using Luci, see “Administration”, “System -> System”, and add additional field “External system log server”. Local logs are stored in a circular buffer, and are visible in Luci (“Administration”, then “Status -> System Log”) and from the command line with logread -f. This is very helpful for debugging OpenVPN problems like bad certificates and expired certificate due to a bad system time.

QoS

Quality of Service (QoS, or rate shaping) is done by the qos-scripts package:

opkg install qos-scripts

To configure it, edit /etc/config/qos and set your upload and download rates, and set rules to classify traffic. Then enable and start it using the Luci Initscripts interface. I have a fairly high-bandwidth connection at home and don’t really need QoS, so I don’t use it.

Performance Metrics and Comparison

Total remaining flash storage after all these packages are installed is 17.3 MB. This means the entire system plus my extras are installed in under half the available flash storage. RAM usage just after reboot, while running openvpn, miniupnp, avahi, dnsmasq, ntpclient, dropbear, uhttpd (Luci) with SSL support, and snmpd is 34 MB.

root@gw-belafonte:/etc/config# df -h
Filesystem                Size      Used Available Use% Mounted on
/dev/root                 2.8M      2.8M         0 100% /rom
tmpfs                    30.2M     88.0K     30.2M   0% /tmp
tmpfs                   512.0K         0    512.0K   0% /dev
/dev/mtdblock4           27.6M     10.3M     17.4M  37% /overlay
mini_fo:/overlay          2.8M      2.8M         0 100% /

root@gw-belafonte:/etc/config# free
              total         used         free       shared      buffers
  Mem:        61944        34208        27736            0         1864
 Swap:            0            0            0
Total:        61944        34208        27736

So far it has handled Bittorrent without complaint. Kernel netfilter settings seem to be a fair balance of permissive and careful; TCP timeouts are one hour, UDP timeouts are 60 and 180 seconds, and conntrack can handle up to 16K connections. At 232 bytes each, netfilter connection tracking will consume just under 4 MB of RAM. This is significantly more than the Linksys could support. Edited for brevity:

root@gw-belafonte:/etc/config# sysctl -a | grep tcp_timeout
net.netfilter.nf_conntrack_tcp_timeout_established = 3600

root@gw-belafonte:/etc/config# sysctl -a | grep udp_timeout
net.netfilter.nf_conntrack_udp_timeout = 60
net.netfilter.nf_conntrack_udp_timeout_stream = 180

root@gw-belafonte:/etc/config# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
16384

I compared wifi throughput between a Linksys WRT54GL and the new Buffalo WZR-HP-G300NH. Thankfully I had a spare unit to replace the bricked WRT54GL. Tests were performed using iperf, transmitting UDP datagrams for 30 seconds at various speeds, and monitoring the test with bwm-ng. Data was sent between my gigabit-capable media PC on Ethernet and my laptop on 802.11g wireless. Maximum throughput on the Buffalo is nearly twice as fast as the Linksys:

Command Summary

opkg update
opkg install kmod-ath9k wpad-mini
opkg install kmod-fs-btrfs kmod-fs-ext2 kmod-fs-ext3 kmod-fs-ext4 kmod-fs-isofs kmod-fs-reiserfs kmod-fs-vfat kmod-fs-xfs
opkg install kmod-nls-cp1250 kmod-nls-cp1251 kmod-nls-cp437 kmod-nls-cp775 kmod-nls-cp850 kmod-nls-cp852 kmod-nls-cp866 kmod-nls-iso8859-1 kmod-nls-iso8859-13 kmod-nls-iso8859-15 kmod-nls-iso8859-2 kmod-nls-koi8r kmod-nls-utf8
opkg install kmod-usb2 kmod-usb-storage kmod-usb-storage-extras block-hotplug block-mount hotplug2
opkg install --force-overwrite avahi-daemon bwm fdisk fping iftop ip iptables-utils kmod-ipv6 libnl lft lsof luci-app-ntpc luci-app-openvpn luci-app-upnp luci-ssl miniupnpd mtr net-tools-hostname ngrep nmap ntpclient openssh-client openvpn rsync screen snmpd sshfs tcpdump

Update 2010-08-27: don’t use this script either! See my next post for a better one.

#!/usr/bin/perl
# parse URL
($protocol,$host) = split /:\/\//, $ARGV[0];
($host,$port) = split /:/, $host;

# validate input
if ( $protocol !~ /^(telnet|ssh)$/ || $host !~ /^[a-zA-Z0-9.-]+$/ || $port !~ /(^[a-zA-Z0-9_-]+$|^$)/ ) {
        warn "Invalid URL";
        exit 1;
}

# if SSH, add -p argument
if ( $protocol eq "ssh" && $port != '' ) { $port = "-p $port" ; }

# call terminal emulator
exec("konsole --hold -e $protocol $host $port");
exit;

This script only accepts telnet:// and ssh:// URLs, where the host is a valid domain name and the port is a valid port (including text aliases like “smtp” from /etc/services). It passes SSH port arguments correctly and tells Konsole to stay open after the session terminates.

You can download a more advanced form of this script here.

As with most tinkering in firefox, start by typing “about:config” in the location bar. Right click and select “New”, then “Boolean”. Create two entries:

network.protocol-handler.expose.telnet = false
network.protocol-handler.expose.ssh = false

Now, click on a telnet or SSH URL, and Firefox will prompt you for the application to use. This application must handle the full URL as an argument. On Linux, the easiest solution is to choose /usr/bin/xdg-open. This will open the user’s preferred terminal, whether that is gnome-terminal, konsole, or xterm. You can use xdg-open to open almost any type of file or URL.

Alternatively, choose /usr/bin/putty, or use a simple script as follows. Edit the last line to call whatever application you prefer.

Update 2010-08-25: don’t use this script. See my next post for a better one.

#!/usr/bin/perl
# take URL of form telnet://target:port and call konsole

# get protocol and host
($proto,$addr) = split /:\/\//, $ARGV[0];

# convert "host:port" to "host port" (port is optional)
$addr =~ s/\:/\ /g;

`konsole -e $proto $addr\n`;

A bit of history, for the curious. You may find instructions online stating to create values like these:

network.protocol-handler.app.telnet = "/usr/bin/putty"
network.protocol-handler.warn-external.telnet = false

This is the old method, used in releases prior to Firefox 3.5. These settings are now ignored.

1. save passwords
2. manage connections via the GUI
3. support VNC and RDP
4. work with our IP KVM

This last requirement is the kicker. When I change hosts on our Adderview IP KVM, it draws one frame at 0×0 resolution, and then changes to the resolution of the new host. This has crashed every VNC client I’ve tried except xvnc4viewer. Which of course, doesn’t save passwords or have a GUI (the raw X menu when you press F8 does not count).

I have tried KRDC, Vinagre, xtightvncviewer, and a number of simpler command-line VNC clients. They all seem to be designed to support the “my Mom needs tech support” problem, not the “I manage remote servers” problem. KRDC won’t even login to my KVM; it just hangs after authentication. I suppose that’s better than crashing, but it is still a show stopping bug for me.

Over a year ago, I hacked up a scripted solution involving zenity GTK dialogs, saved password files, and xvnc4viewer, but I’m not going to release that. Instead, meet the last remote desktop client you’ll ever need: Remmina.

Remmina meets all of my requirements, has tons of useful features, and works flawlessly. Not only that, it is extremely responsive. Key presses are limited only by the round-trip time, with no added delay from VNC itself. There are no redrawing or tearing problems. It supports full-screen mode and scrolling inside a view port. It can forward over SSH and will use SSH keys files or your SSH key agent. It can synchronise the clipboard between host and remote server; this is the first time I’ve actually seen that feature work reliably. It can even open a standard SSH or SFTP session, or host a VNC server.

Installation is easy. An older release is available in the Ubuntu Lucid Universe repository, or get the latest version from their PPA.

I ran the Skype binary from the command line, and saw this:

tyler@baal:~$ skype --help
Skype 2.1.0.81

Usage: skype [options]
Options:
  --dbpath=
       Specify an alternative path to store Skype data files.
                        Default: ~/.Skype
  --resources=
    Specify a path where Skype can find its resource files.
                        Default: /usr/share/skype
  --disable-api         Disable Skype Public API.
  --pipelogin           Command line login. "echo username password | skype --pipelogin"
...

This immediately suggested two possibilities.

1. Create a script that reads usernames and passwords from a file, then calls echo username password | skype --pipelogin. Obviously the file is a security risk, but don’t fool yourself. The obfuscated password in the Skype configuration file is no safer.
2. Create a ~/.Skype-name directory for each account, and call skype --dbpath ~/.Skype-name. This has the advantage of letting Skype store the password, but means any configuration changes to Skype have to be made twice.

I opted for the former, because I like writing bash scripts that call zenity or kdialog. First I created a file:

cat > ~/.Skype/passwords

workuser1 password1
homeuser2 password2

^Ctrl-D
chmod 600 ~/.Skype/passwords

Then I wrote a simple script to do the following:

1. Read the password file
2. Display a zenity dialog with a list of usernames
3. Find the password of the selected user
4. Call Skype

Here it is: skype-fe. It worked on the first try. It’s a total hack, and I love it. It is based on previous zenity scripts I’ve written, so it’s not quite as simple as I let on. It won’t shred your hard drive, I promise.

My opinion is that Lucid improves on Karmic in almost every way. That’s not saying much, since the KDE 4 upgrade has been so painful. We’re finally back to KDE 3.5 functionality, and speed is improving with each release. On the other hand, there are a lot of new features in the OS since Hardy – grub2, ext4, ecryptfs, upstart, kernel mode setting, compositing window management, Strigi indexing and Nepomuk semantic desktop. Some of these have dramatically improved performance, while others have increased system requirements just to add eye candy. It’s hard to evaluate KDE on its own, so I’m not going to focus on that.

I backed up my entire drive to an external USB drive formatted for ext3 using rsync. I then booted from the Kubuntu 10.04 AMD64 Desktop CD, and followed the default install options until the disk partitioning step. I always install with separate /, /home, and swap partitions (this normally makes upgrades easier, unless you are reformatting as I did here). I used ext4 for / and /home, and chose to encrypt my home directory. I then followed the rest of the steps and rebooted at the end.

Following the reboot, I used rsync to restore my lost files and most of my dotfiles – .mozilla, .gnome, .gconf, .Virtualbox, and the like. However, I did not restore .kde. Instead I manually copied only some configs, for KGPG, Akregator, and Kopete. The rest of my KDE apps I reconfigured from scratch. I did this because we use Kolab at work, which integrates with Kontact but can be fussy with local contacts files. As of Lucid, Kontact uses Akonadi to manage contacts. I expected trouble, and found it. More on that later.

Finally, since I have an encrypted home directory, I also encrypted swap and created a tmpfs on /tmp. I followed the steps in my guide, and rebooted with no problems.

What’s better:

The ext4 filesystem is noticeably faster. This is the reason I reformatted instead of upgrading. I used ext3 under Karmic, and really wanted to see if what I’d been hearing about the speedy new filesystem is true. It is. It’s faster for booting and it’s faster for reading large data. My Virtualbox virtual machines load in almost half the time, even compared to the same Virtualbox 3.2.6 release on Karmic. I suppose there could be other differences contributing to this but it really stands out. I haven’t run an fsck yet but others report that it is much faster as well.

ext4 has definitely improved performance of copying data inside my encrypted home directory. I barely notice the performance hit from using ecryptfs now. The only time I do is when using rsync to compare large directories (like when my backup process examines my mail archive).

There is a new touchpad control in KDE Control Center. This enables gestures, including two-finger scrolling (but not pinch-to-zoom, which I hope is forthcoming), and different actions for tapping in corners, multi-finger tapping, and so on. Still missing is tap suppression (accidentally tapping while typing), so I still use syndaemon. Create ~/.kde/Autostart/syndaemon.sh, make it executable, and insert:

#!/bin/sh
# Disable touchpad while typing to prevent accidental tapping.
/usr/bin/syndaemon -d -t -i 1

The device notifier plasmoid now has multiple actions when opening attached storage devices, and can be configured to automatically mount drives. This is a vast improvement.

The system tray plasmoid now obeys my auto-hide preferences. Under Jaunty and Karmic, some applications had overriding preferences that caused them to always be hidden or visible. For instance, it was impossible to make KGPG always visible. I frequently use KGPG, so this caused me to almost always have the system tray expanded to show all applications.

Firefox/KDE integration works very well. Open/save file dialogs use KDE, and menus and icons use KDE defaults. The printer dialog is still the native Firefox one.

virt-manager is vastly improved. The GUI is more responsive when connecting, is prettier, and has graphs for CPU, disk, and network I/O.

ClusterSSH works with KWin again. Since 8.10, ClustterSSH has been nearly broken in KDE. First, simply starting it caused copy (to clipboard or selection) to stop working in most QT/KDE apps. Second, the ClusterSSH master window would grab focus and prevent you from giving focus to any of its children xterms. This made it very hard to run commands on just one host without running it on all. I gave up and used various other techniques for managing my servers. But nothing beats ClusterSSH for managing 2-20 servers at once, and I’ve sorely missed it. Welcome back, old friend!

What needed tweaking:

The Oxygen window decoration theme still doesn’t colourise the active window. Open System Settings, go to “Appearance”, then the “Windows” side bar. Under the “Window Decoration” tab, choose “Oxygen”. Under the “Decoration Options” area, choose the “Fine Tuning” sub-tab. Check “Outline active window title”.

Hotkeys in Kmenu are ignored. I use a few quick-launch shortcuts, such as “Win+T” to start a terminal. You can set these when editing the K menu, but they are ignored by default. Open System Settings, select “Input Actions”, and then check “KMenuEdit”.

VirtualBox and virt-manager don’t play well together. I don’t use Xen or KVM on my desktop, but I do manage several KVM-based virtual machine servers. Thanks to the new “install recommends” preference in the package manager, simply installing virt-manager also installs libvirt-bin. This loads the kvm-intel or kvm-amd modules on boot, which then prevents VirtualBox from starting virtual machines, with the error “VirtualBox can’t operate in VMX root mode. Please disable the KVM kernel extension, recompile your kernel and reboot (VERR_VMX_IN_VMX_ROOT_MODE).”

I suppose this is really a problem with the “install recommends” behaviour. I’ve complained about that elsewhere, but I always repeat a good gripe when the opportunity presents.

The solution is to edit /etc/default/libvirt-bin and disable libvirtd:

start_libvirtd="no"

And for good measure, blacklist the modules. Create /etc/modprobe.d/local.conf and insert:

blacklist kvm-intel
blacklist kvm-amd

What still needs work:

Akonadi doesn’t start before Kontact tries to access it. This solution (autostarting “akonadictl start” at login) worked for me, although I (painfully) developed it independently. If only I had used Google.

openvpn with knetworkmanager still doesn’t work. I still prefer Gnome’s network manager applet, which works just fine with Kubuntu. Kill knetworkmanager, and start nm-applet. Next time you login, KDE will tell you that another network manager is running, and ask you if you still want to use Knetworkmanager. Say no. Also, OpenVPN support is more reliable under Lucid. Using Gnome network manager with Kubuntu Karmic, the OpenVPN service would periodically fail to start. Editing VPN preferences and then hitting OK sometimes resolved it, but at other times it was an annoying and random dance to make it work. This seems to be resolved under Lucid.

OpenOffice/KDE integration is improved since Karmic, but still has drawing bugs. In particular, the zoom slider in the lower right often disappears. It’s still there, and clicking in the area makes it reappear and zooms. I prefer the “100% / 75% / …” pull-down of the stock OpenOffice theme, however. This is a vast improvement over the Karmic integration, where simply dragging a spreadsheet tab in Calc crashed OpenOffice, but I’d like to see more development here.

Otherwise, my comments regarding Karmic still hold. Google Earth and Kwin play nicely, qtcurve (KDE/GTK integration) is awesome and no longer has the font bug, and Plasma and Kwin are faster and more stable. Lucid is no great leap forward and Kubuntu is still not an innovator among KDE distributions like Ubuntu is to Gnome. But it is an incremental improvement worth using if you prefer KDE.

I have had a Lucid repository since upgrading my media PC and servers. It now includes dfreer’s znes32 for AMD64 (still working on Lucid) and kregexpeditor (you can have it when you pry it from my cold, dead hands).

Note to developers: when releasing new versions of your library, try to avoid breaking its core functionality.

If you try decompressing a corrupted file, you’ll see a message like this:

tyler@laptop:~$ unzip restore.zip
Archive:  restore.zip
  End-of-central-directory signature not found.  Either this file is not
  a zipfile, or it constitutes one disk of a multi-part archive.  In the
  latter case the central directory and zipfile comment will be found on
  the last disk(s) of this archive.
unzip:  cannot find zipfile directory in one of restore.zip or
        restore.zip.zip, and cannot find restore.zip.ZIP, period.

I posted a solution on the mailing list. I’ve since uploaded an older version (1.18-1) of this package to my repository, so the process is even more streamlined.

If you are using my repo:
apt-get install libarchive-zip-perl=1.18-1
echo "libarchive-zip-perl hold" | dpkg --set-selections

If you aren’t using my repo but want a quick fix:
wget http://www.tolaris.com/apt/pool/main/liba/libarchive-zip-perl/libarchive-zip-perl_1.18-1_all.deb
dpkg -i libarchive-zip-perl_1.18-1_all.deb
echo "libarchive-zip-perl hold" | dpkg --set-selections

I regularly interact with hundreds of SSL-enabled devices as part of my job. I don’t allow HTTP or telnet interfaces to devices that support HTTPS or SSH. These devices usually have self-signed certificates, and it is not always convenient (or possible, with some devices) to replace them with certs signed by the company’s root CA. This wasn’t a problem when all I had to do was bypass one error dialog. But then Firefox replaced this dialog with an extremely annoying 5-step dance. I’m tired of it.

Enter New MitM Me, a Firefox plugin to restore the old SSL error behaviour. Now Firefox still displays the “This Connection is Untrusted” page. But when you click the “Add Exception…” button, that’s it, you’re done.

I do not recommend that the average user install this plugin. For a casual user, this increases the chance of being defrauded. But if you are like me, if you truly know what you are doing and want to save some time, install it.

Has anyone hacked this plugin to restrict its behaviour to specific IP ranges, or to allow me to choose temporary or permanent with just one click?