Linux Magazine - April 2024


Artisan Keycaps: Control the narrative with the ultimate Ctrl key

FREE DVD

ISSUE 281 – APRIL 2024

Virtual Memory
Explore the secrets of the swap space

MicroOS: Test drive SUSE’s immutable operating system
GPS Location Device: Track your treks with this homebuilt GPS recorder
Credential Stuffing: What happens to those stolen passwords?
Python and Node-RED: Mix some low-code with your maker apps
Strace and Firejail: Monitor your application’s system calls

10 FF ION DSS!S FANTASTIC

WWW.LINUX-MAGAZINE.COM
EDITORIAL
Welcome

TRACK ME, BABY

Dear Reader,

For some reason, I came across several stories this month on AI Girlfriend apps [1]. OK, I guess I know the reason: Valentine’s Day. (FYI: I write this column 1-2 months before you read it.) Programs that attempt to simulate an emotional connection with the user have been around for years, starting with the ELIZA mock therapist app, which was developed in the mid-1960s. But as you can imagine, these romantic chatbots have gotten much more realistic with the recent breakthroughs in generative AI.

It is important to write about this new industry without appearing to judge. I personally prefer humans – and the fact that this statement sounds vaguely sardonic is not due to my intention but is merely a reflection of how strange this topic is. But I can imagine that this technology would be of comfort to someone who is shy or isolated or who, for whatever reason, is unable to participate in the wild and chaotic world of conventional romance. I can also imagine that a romantic chatbot might simply be a personal preference for some users, and whoever makes this choice certainly doesn’t owe me or anyone an explanation.

These chatbots, however, do appear to be doing a lot of spying, which is something worth talking about. A recent post on Mozilla’s *Privacy Not Included blog [2] reviewed several romantic chatbots and concluded that this technology in its current form represents “a whole ‘nother level of creepiness and potential privacy problems.” According to the authors, “All 11 romantic AI chatbots we reviewed earned our *Privacy Not Included warning label – putting them on par with the worst categories of products we have ever reviewed for privacy.”

All but one of the reviewed chatbots were marked down for how they use personal data. The one company that wasn’t marked down still clocked in at 955 ad trackers in the first minute of use. The company also gives itself the option to share data with “affiliate companies” and it reserves the right to change the privacy policy agreement at any time [3]. (Bear in mind this was the company with the best privacy policy.) Out of all the 11 products reviewed, 54 percent won’t let you delete your data when you close your account, and 90 percent failed to meet minimum security standards.

Bad security and invasions of privacy are rampant on the Internet, but in this case, the service is actively engaged in soliciting the kind of intimate, personal information that one would only share with a partner. In fact, some of the apps are actually kind of pushy about getting you to share this kind of personal information, because the more you share, the more “real” the relationship will appear to the user.

A problem that has been with our society since long before the invention of romantic chatbots is that we treat consumer choice as a rational act, when in fact it is packed full of emotions. Part of the depth and beauty of a romantic relationship is in the sharing, and if you are sharing with someone who has an ulterior motive for wanting the information, you are, as they say in the carnival business, getting played.

Ironically, if you don’t share deep personal information, the bot will have no way to connect with you, and the relationship will seem perfunctory and superficial (BTW: This happens in real-life relationships, too). It would be great if at least one of these companies would offer a version that walls off all this personal data so that no one knows it – now and forever – but the user and the user’s own personal bot instance; the data is permanently off limits – either because it is stored locally or it is in some impenetrable cloud-based safe space. Then when the account disappears, the data disappears. Of course, this business model would require a means for generating revenue, and charging the consumer directly would be the only possible source. Then we would see how much these bots are really worth to their human companions. This might sound naive, but if the goal is to create intimacy, real, genuine privacy might be a nice way to do it.

Joe Casad,
Editor in Chief

Info
[1] “Uncharted Territory: Do AI Girlfriend Apps Promote Unhealthy Expectations for Human Relationships?” by Josh Taylor, The Guardian: https://www.theguardian.com/technology/2023/jul/22/ai-girlfriend-chatbot-apps-unhealthy-chatgpt
[2] “Happy Valentine’s Day! Romantic AI Chatbots Don’t Have Your Privacy at Heart,” *Privacy Not Included: https://foundation.mozilla.org/en/privacynotincluded/articles/happy-valentines-day-romantic-ai-chatbots-dont-have-your-privacy-at-heart/
[3] “EVA AI Chatbot & Soulmate,” *Privacy Not Included: https://foundation.mozilla.org/en/privacynotincluded/eva-ai-chat-bot-soulmate/

LINUX-MAGAZINE.COM ISSUE 281 APRIL 2024 3


APRIL 2024

ON THE COVER

28 MicroOS
A minimal Linux designed for containers is the perfect system for working with new-age package tools like Snap and Flatpak.

44 Credential Stuffing
Find out how an intruder can launch an attack using a list of stolen passwords.

56 Strace and Firejail
Tracking system calls will help you watch for unusual events, such as an application establishing an unexpected network connection.

60 GPS Location Device
Use this home-built GPS tracker to see where you’ve been.

70 Python and Node-RED
A low-code drag-and-drop interface can simplify IoT programming.

90 Artisan Keycaps
Jazz up your keyboard with these exotic and strangely beautiful handcrafted keys.

NEWS

8 News
• Bootloader Vulnerability Affects Nearly All Linux Distributions
• Microsoft Says VS Code Will Work with Ubuntu 18.04
• Firefox 122 Release Includes Official DEB for Ubuntu Distros
• Docker Build Cloud Helps Speed Up Build Time
• MX Linux 23.2 “Libretto” Released
• Linux Mint 21.3 – with Extra Cinnamon – Available for Download

12 Kernel News
• How the Sausage Is Made
• A Swift Boot to the Kernel

COVER STORY

16 Virtual Memory
Virtual memory makes your system safer and more efficient. But what is it really? We take a look inside this powerful feature that is built into Linux.

REVIEWS

24 Distro Walk – Debian LTS
The Debian LTS Team works to extend the lifetime of Debian stable to five years. We talk to team members to learn more about this little-known project.

28 openSUSE MicroOS
If you want the most recent software without sacrificing stability, try running a minimal Linux distribution.

IN-DEPTH

34 AlmaLinux’s ELevate Migration Tool
CentOS 7 reaches end of life in June 2024, forcing users to look for a free enterprise Linux alternative. AlmaLinux’s ELevate migration tool can help ease the transition.

40 Command Line – Nala
The latest iteration of Debian’s package manager makes it easier to manage packages from the command line with more readable feedback, parallel downloads, the ability to find the fastest mirrors, and an updated history list.

44 Credential Stuffing
A credential stuffing cyberattack uses username and password credentials stolen in a data breach to gain access to your accounts. We explain how it works and how to avoid becoming a victim.

50 Programming Snapshot – Customizing an LED Display
Mike Schilli recently ordered a low-budget LED display and is all set to customize the firmware and add some homemade scripts.

56 Strace and Firejail
Software from unknown sources always poses some risks. With the strace analysis tool and the Firejail sandbox, you can monitor and isolate unknown applications to safeguard your system.

95 Back Issues
96 Events
97 Call for Papers
98 Coming Next Month

16 Virtual Memory
The classic vision of random access memory is just the beginning of the story. Modern hardware – and modern operating systems – manage memory in ways that old-school programmers could only have imagined. This month we take a look at virtual memory in Linux.

MakerSpace

60 GPS Location Device
Design and construct a battery-powered GPS receiver and recorder in a compact package, with firmware and a Linux-based GUI application for visualizing the data.

70 Python and Node-RED
Adding Python to your Node-RED arsenal lets you create easy Raspberry Pi robotic and IoT projects.

75 Welcome
This month in Linux Voice.

77 Doghouse – Open Source Essentials
A new LPI certification can help those outside of tech gain a meaningful understanding of open source.

78 UFW Firewall
UFW takes the complexity out of iptables, which is great for beginners and is even good for experienced users who want to keep it simple and avoid hidden mistakes.

81 lsd and eza
LSDeluxe and eza are modern implementations of the ancient Unix ls command in the Rust programming language.

84 FOSSPicks
This month Graham looks at Durdraw, Librum, Neon Modem Overdrive, Seq66, chess-tui, and more!

90 Artisan Keycaps
Artisan keycaps elevate the mechanical to the magnificent.

TWO TERRIFIC DISTROS
DOUBLE-SIDED DVD!
SEE PAGE 6 FOR DETAILS

@linux_pro
@linuxpromagazine
Linux Magazine
@linuxmagazine


DVD
This Month’s DVD

elementary OS 7.1 and Mageia 9

Two Terrific Distros on a Double-Sided DVD!

elementary OS 7.1 (64-bit)

Elementary OS is one of the leading distributions focused on improving the user experience. It bills itself as “The thoughtful, capable, and ethical replacement for Windows and macOS” and release 7.1 is no exception.

Specifically, one focus of elementary OS 7.1 is personalizing the graphical interface and making it more accessible. The Housekeeping app has added the option of deleting screenshots that are more than 30 days old, while the installer makes options for the vision-impaired more prominent. Similarly, the settings for Guest accounts have been made clearer, and Guest accounts are erased as soon as a guest logs out.

Another focus in elementary OS 7.1 is security and privacy. The 7.1 release introduces the Background & Autostart Portal, which lists apps running in the background and includes controls to prevent apps from running without explicit permission. Among the utilities that use the portal are Calendar, Mail, Tasks, and Location Services, which controls whether remote services can read your location. Similarly, the App Center in elementary OS 7.1 now informs users of what information an app can read on your local machine and automatic actions that you may want to disallow – or at least be aware of.

Elementary OS long ago established itself as a user-friendly distribution. Release 7.1 continues this tradition, more than living up to its billing.

Mageia 9 (64-bit)

Mageia is a community-based descendant of Mandrake and Mandriva Linux. Both were pioneers of user-friendliness in their day and used their own package management system and utilities. Mageia continues this tradition, with a community based largely in Europe.

Mageia 9 offers a smaller minimal install and numerous new features. Its install base includes improved partitioning and rescue, as well as enhanced NFS support. On the desktop, Mageia 9 features revised documentation, and a more systematic Mageia Welcome, while the Mageia Control Center now switches easily between PulseAudio and PipeWire, a useful ability in this time of audio transition. Other changes include a reworked interface for the image burner IsoDumper, new tools for creating containers, and a shift from aufs to overlay2 storage for containers, with a script to ensure a successful – if slow – migration.

Mageia is well-suited for beginners, but more experienced users might need a brief adjustment period to become accustomed to all the new app names. Before installing, Mageia suggests that all users read the release notes (https://wiki.mageia.org/en/Mageia_9_Release_Notes#Release_highlights) for errata and possible problems, although many are concerned with upgrades from earlier releases.

Defective discs will be replaced. Please send an email to [email protected].

Although this Linux Magazine disc has been tested and is to the best of our knowledge free of malicious software and defects, Linux Magazine cannot be held responsible and is not liable for any disruption, loss, or damage to data and computer systems related to the use of this disc.


NEWS
Updates on technologies, trends, and tools

THIS MONTH’S NEWS
08 • Fedora Unleashes Atomic Desktops
   • Bootloader Vulnerability Affects Nearly All Linux Distributions
09 • Microsoft Says VS Code Will Work with Ubuntu 18.04
   • Purism Crowdfunding Launched
   • More Online
10 • Docker Build Cloud Helps Speed Up Build Time
   • Firefox 122 Release Includes Official DEB for Ubuntu Distros
11 • MX Linux 23.2 “Libretto” Released
   • Linux Mint 21.3 – with Extra Cinnamon – Available for Download

Fedora Unleashes Atomic Desktops

With Silverblue continuing to rise in popularity, Fedora saw that rpm-ostree had become a viable option. For those who don’t know, rpm-ostree is a hybrid image/package system that bundles all of the necessary components for a system configuration into a single commit that can be deployed across numerous devices.

Atomic desktops solve a problem that will most likely become an issue in the future, as more spins arrive. Currently, Fedora Atomic Desktops comprises four atomic spins: Fedora Silverblue, Fedora Kinoite, Fedora Sway Atomic, and Fedora Budgie Atomic.

The problem is, as more and more spins come into being, it becomes more challenging to include other desktops without introducing more complexities and confusion. By adopting an atomic approach to these spins, it becomes possible to offer the same stability and flexibility as the base Fedora, while also adding rollbacks and rebases (the key advantage of using rpm-ostree).

According to Fedora Magazine (https://fedoramagazine.org/introducing-fedora-atomic-desktops/), “Going forward, new atomic spins will use the ‘Fedora (DE name) Atomic’ format to keep things simple and clear. No more questions about which name refers to what desktop environment. No more mispronunciations. Much more clarity on why these Fedora spins are different from the regular spins.”

This also will aid in documentation. On that, Joseph Gayoso says (https://fedoramagazine.org/author/joseph/), “For example, some folks may be looking for documentation on Kinoite not realizing that an article about Silverblue also applies to their problem. Using so many keywords when you’re looking for information on the one aspect they all share is inefficient.”

Bootloader Vulnerability Affects Nearly All Linux Distributions

CVE-2023-40547 (https://nvd.nist.gov/vuln/detail/CVE-2023-40547) has a CVSS score of 8.3, which means it’s labeled as High. Originally, the vulnerability was given a score of 9.8 (which placed it in the Critical category) but that has since changed.

This vulnerability was discovered in shim, which is a small application that loads prior to the main operating system bootloader (such as Grub) on UEFI-based systems. The flaw could allow an attacker to craft a specific HTTP request that could enable a controlled out-of-bounds write primitive, which could lead to a complete system compromise.

According to Bill Demirkapi (from the Microsoft Security Response Center), the bug exists in every Linux bootloader signed in the past decade (https://twitter.com/BillDemirkapi/status/1750168326611865816).


The official description (https://github.com/rhboot/shim/commit/0226b56513b2b8bd5fd281bce77c40c9bf07c66d) of the issue explains, “When retrieving files via HTTP or related protocols, shim attempts to allocate a buffer to store the received data. Unfortunately, this means getting the size from an HTTP header, which can be manipulated to specify a size that’s smaller than the received data. In this case, the code accidentally uses the header for the allocation but the protocol metadata to copy it from the rx buffer, resulting in an out-of-bounds write.”

Fortunately, all major distributions have released patches for the vulnerability, so users only need to run an update on their systems to avoid being exposed to the issue.

MORE ONLINE

Linux Magazine
www.linux-magazine.com

ADMIN HPC
http://www.admin-magazine.com/HPC/
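The mismatch quoted above, an allocation sized from a header the remote side controls but a copy bounded by what the transport delivered, is a general defect class, not something peculiar to shim. The following C routine is an added example (not shim’s own code and not the upstream fix) of the reconciliation a defender expects before any copy: the declared Content-Length bounds the allocation, the transport’s byte count is checked against that bound, and disagreement in either direction is rejected. MAX_BODY, the status codes, the check_body helper, and the constructed inputs in main() are assumptions made for this example.

```c
/* Added example, not shim's own code: a bounded copy of an HTTP body whose
 * size was announced in a Content-Length header.  The allocation size comes
 * from a header the remote side controls, the copy length comes from the
 * transport, and the two are reconciled before memcpy.  MAX_BODY, the
 * status codes and the sample inputs are assumptions for this example. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_BODY (16u * 1024u * 1024u)   /* assumed cap on what we will buffer */

enum body_status {
    BODY_OK = 0,
    BODY_BAD_LENGTH,   /* header missing, non-numeric, or above MAX_BODY */
    BODY_OVERSIZED,    /* transport delivered more than the header declared */
    BODY_TRUNCATED,    /* transport delivered less than the header declared */
    BODY_NOMEM
};

/* Strict decimal parse of a Content-Length value: digits only, no sign or
 * whitespace, no wrap-around, and never above MAX_BODY. */
static int parse_content_length(const char *s, size_t *out)
{
    size_t v = 0;
    if (s == NULL || *s == '\0')
        return -1;
    for (; *s != '\0'; s++) {
        if (*s < '0' || *s > '9')
            return -1;
        unsigned d = (unsigned)(*s - '0');
        if (v > (MAX_BODY - d) / 10)     /* v * 10 + d would exceed MAX_BODY */
            return -1;
        v = v * 10 + d;
    }
    *out = v;
    return 0;
}

/* Allocate a buffer sized from the header and copy the bytes the transport
 * actually delivered into it.  The copy length is checked against the
 * allocation first, so a header smaller than the payload is rejected instead
 * of becoming an out-of-bounds write; a payload shorter than the header is
 * rejected too, since a bootloader must not act on a partially fetched file.
 * On success *out is heap memory the caller frees. */
int store_http_body(const char *content_length, const uint8_t *rx, size_t rx_len,
                    uint8_t **out, size_t *out_len)
{
    size_t declared;
    uint8_t *buf;

    if (parse_content_length(content_length, &declared) != 0)
        return BODY_BAD_LENGTH;
    if (rx_len > declared)
        return BODY_OVERSIZED;
    if (rx_len < declared)
        return BODY_TRUNCATED;

    buf = malloc(declared > 0 ? declared : 1);
    if (buf == NULL)
        return BODY_NOMEM;
    memcpy(buf, rx, rx_len);             /* rx_len == declared == allocation */
    *out = buf;
    *out_len = rx_len;
    return BODY_OK;
}

/* Run one case on a NUL-terminated sample body and return its status code;
 * on success the stored copy is verified against the input and freed. */
int check_body(const char *content_length, const char *body)
{
    uint8_t *buf = NULL;
    size_t n = 0;
    int rc = store_http_body(content_length, (const uint8_t *)body,
                             strlen(body), &buf, &n);
    if (rc == BODY_OK) {
        if (n != strlen(body) || memcmp(buf, body, n) != 0)
            rc = -1;                     /* copy does not match: must not happen */
        free(buf);
    }
    return rc;
}

int main(void)
{
    /* Constructed inputs: the header value is what a remote server sends. */
    static const struct { const char *len, *body; } cases[] = {
        { "5", "hello" },                   /* consistent: accepted */
        { "3", "hello" },                   /* header smaller than payload: the CVE-2023-40547 shape */
        { "8", "hello" },                   /* payload shorter than header */
        { "-5", "hello" },                  /* not a valid length */
        { "99999999999999999999", "hello" } /* would wrap or exceed MAX_BODY */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("Content-Length=%-22s body=%-6s -> status %d\n",
               cases[i].len, cases[i].body, check_body(cases[i].len, cases[i].body));
    return 0;
}
```

The case with a declared length of 3 and a five-byte body is the shape the quoted description gives; here it returns BODY_OVERSIZED and nothing is written, because the copy length was compared with the allocation before the memcpy rather than after the fact.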
Tools to Manage Storage
• Jeff Layton
We look at management tools and good management habits for Linux and proprietary storage solutions.

AlmaLinux and HPC
• Amy Pettle
AlmaLinux steps forward as a free, open source enterprise Linux solution for HPC systems.

ADMIN Online
http://www.admin-magazine.com/

Sustainable Kubernetes with Project Kepler
• Abe Sharp
Measure, predict, and optimize the carbon footprint of your containerized workloads.

Improved Visibility on the Network
• Christian Pape and Ronny Trommer
OpenNMS collects and visualizes flows so you can discover which network devices communicate with each other and the volume of data transferred.

Secure and Seamless Server Access
• Tomasz Szandala
The powerful Cloudflare Tunnel provides secure and seamless access to servers and applications, making it a convenient alternative to VPN for any modern IT infrastructure.

Microsoft Says VS Code Will Work with Ubuntu 18.04

In a recent shock to the Linux community, Microsoft announced that VS Code would soon stop working with Ubuntu Desktop v18.04. The reason for this was the version of glibc used by 18.04: any glibc version older than 2.27 was forcing Microsoft to drop support.

As you might have expected, the Linux community rose up to complain, which forced Microsoft’s hand. To the surprise of many, Microsoft relented and decided (after discussing it with the VS Code team) to continue supporting Linux distributions that use the older glibc versions until 2025.

That’s right, there’s still a shelf life. But the 12-month reprieve should give those users plenty of time to migrate to a desktop that supports a newer version of glibc.

Prior to this change of heart, a member of the Microsoft GitHub account, wlovo (https://github.com/microsoft/vscode/issues/203375), said, “Closely related to #201129 (https://github.com/microsoft/vscode/issues/201129), there will be a significant number of machines who will be unable to utilize the latest version of Visual Studio Code (VS Code) once v1.86 is made publicly available.”

They continued, “It will make all Amazon Linux 2 (AL2) EC2 machines unable to use VS Code, while also affecting enterprise users who may use customized or parallel versions of the glibc library for their own development needs.”

Wlovo continued to say, “While I acknowledge the need to update components to suit the development needs of the VS Code team, it seems a bit heavy-handed to completely block any alternative paths for those who have a customized or advanced need.”

In the end, if your Linux distribution depends on a version of glibc older than 2.27, make sure to upgrade before 2025; otherwise, VS Code will fail to work.

Purism Crowdfunding Launched

Investing in Purism is not only possible but, for the first few days, they’ll be adding bonus incentives to do so.

Purism (https://puri.sm/) has joined StartEngine so that the public can invest in the company so that it can continue cultivating a movement with top-tier computers, phones, and services.

According to Purism’s StartEngine page (https://www.startengine.com/offering/purism), the reasons to invest include an alternative to big tech electronics that are made in the United States and market traction.

The company has shipped tens of thousands of devices to help consumers avoid big tech lock-in. According to Purism, the company “creates an alternative technology ecosystem to compete against the dominance of the tech giants and stands out in the market by offering peer-reviewable, privacy-respecting, and security-focused products. The strong belief that technology should serve its users and not exploit them is what drives our team of experts to provide easy-to-use products that empower individuals.”

The minimum investment is $500 (at $4/share) and the current stats are $202,176.56 raised, 77 investors, and a $75M valuation. The company achieved $8M in revenue for the 2022 year, showcasing solid year-over-year growth from $5M in 2021. They’ve grown mostly from initial crowdfunding revenue ($2.5M raised for the Librem 5 phone, over $400,000 for the Librem 13 laptop, and nearly $600,000 for the Librem 15 laptop).

Head to the Purism StartEngine page to learn more about this investment opportunity.

Docker Build Cloud Helps Speed Up Build Time

Docker is never one to stand still, and the latest announcement shows they understand the needs of both developers and the companies that depend on them. With Docker Build Cloud (available now for existing customers – https://www.docker.com/products/build-cloud/), they’ve created a hybrid environment. This allows developers to work with their traditional (and familiar) local development tools for tasks such as coding and debugging, while then making use of the cloud for more resource-intensive workloads or when collaboration is required.

Docker Build Cloud makes it possible for developers to dramatically speed up build times, not only to prevent them from having to wait around while builds are completed but also to save businesses money and speed up innovation.

According to DoctorBlocks (CTO at Switchboard – https://twitter.com/DoctorBlocks), “Docker Build Cloud provides native multi-architecture builders as an out-of-the-box solution that simply works, without the need to build or manage slow emulators. Our overall build times improved considerably through the shared cache feature. Before on our local machine it took 15-20 minutes to build, now with Docker Build Cloud it’s down to 110 seconds, a massive improvement.”

Existing Docker subscribers can try Docker Build Cloud today and will receive minutes based on their subscription tier – Docker Personal, Pro, Team, and Business (https://www.docker.com/press-release/build-cloud-solution-boosts-developer-productivity-accelerating-build-times/). Subscribers can purchase additional minutes starting at $5 a seat per month for 200 minutes per seat per month, with additional minutes beyond that starting at $0.05/minute.

Firefox 122 Release Includes Official DEB for Ubuntu Distros

Firefox 122 has arrived and, to the relief of many Debian and Ubuntu users, it comes with an official DEB installer.

With this release, you can now install Firefox via DEB, Snap, Flatpak, or run it from source. To install Firefox via DEB, you’ll need to follow the instructions found on this support page (https://support.mozilla.org/en-US/kb/install-firefox-linux#w_install-firefox-deb-package-for-debian-based-distributions).

According to Mozilla, the benefits of installing via DEB include native packaging that can do some things the sandboxed version can’t, packages that are 100 percent built and supported by Mozilla, compiler-based optimizations for improved performance, and faster updates.

Even with these benefits, Mozilla still recommends using the Firefox provided by your distribution’s package manager.

But what else is found in Firefox 122? Firefox now displays images and descriptions for search suggestions (when provided by a search engine) and has an improved translation feature.

In addition, MDN Web Docs article suggestions will now be available in the address bar for web-dev related information, line-breaking rules for Web content now match Unicode standards, and more.

Although this isn’t a huge release from Mozilla, it is an important one for Debian/Ubuntu users.

Read more on why Mozilla believes you should try the Firefox Linux package for Ubuntu and Debian here: https://blog.mozilla.org/en/products/4-reasons-to-try-mozillas-new-firefox-linux-package-for-ubuntu-and-debian-derivatives/.

Get the latest news in your inbox every week
Subscribe FREE to Linux Update
bit.ly/Linux-Update


MX Linux 23.2 “Libretto” Released

The team behind MX Linux has announced a new point release of MX-23, codenamed “Libretto.”

This version is based on Debian 12.4 and includes kernel 6.1. All versions have been updated to the latest packages found in both the Debian and MX repositories.

The Advanced Hardware Support (AHS) Xfce release, however, uses the Liquorix 6.6 kernel with updated firmware and Mesa libraries. There is also an opt-in option for auto-updates.

Some of the highlights of this release include PipeWire 1.0, a fix for fstab generation during installation, the build-essential package added by default, two new tools (MX Locale for managing system locale information and papirus-folder-colors for making Papirus themes with different folder colors), and Webcamoid replaced with Kamoso (in the KDE Plasma version) and with Guvcview in the Xfce and Fluxbox editions.

A fix also was added in the mx-comfort-themes package that improves the display of apps that included white text on white backgrounds and black text on black backgrounds.

Finally, a new wallpaper option (MX Linux Dessert Landscape) was added.

You can download versions with Xfce (standard or AHS), KDE Plasma, and Fluxbox, as well as 32-bit versions of the Xfce and Fluxbox editions:
• Xfce standard: https://sourceforge.net/projects/mx-linux/files/Final/Xfce/MX-23.2_x64.iso/download
• Xfce AHS: https://sourceforge.net/projects/mx-linux/files/Final/Xfce/MX-23.2_ahs_x64.iso/download
• KDE Plasma: https://sourceforge.net/projects/mx-linux/files/Final/KDE/MX-23.2_KDE_x64.iso/download
• Fluxbox: https://sourceforge.net/projects/mx-linux/files/Final/Fluxbox/MX-23.2_fluxbox_x64.iso/download
• Xfce 32-bit: https://sourceforge.net/projects/mx-linux/files/Final/Xfce/MX-23.2_386.iso/download
• Fluxbox 32-bit: https://sourceforge.net/projects/mx-linux/files/Final/Fluxbox/MX-23.2_fluxbox_386.iso/download

Read more about the new release from the official notes (https://mxlinux.org/blog/mx-23-2-libretto-released/).

Linux Mint 21.3 – with Extra Cinnamon – Available for Download

Let the “huzzahs” ring out: the latest version of Linux Mint has arrived. This long-term support (LTS) release includes the usual round of updated applications, including the Hypnotix TV viewer, which adds a favorites feature, custom channels, and better integration with yt-dlp (a fork of youtube-dl).

Other apps to see added features include Warpinator, which now allows you to connect to devices via IP address.

At the top of the menu for this new release, however, is Cinnamon 6.0. This new version of the desktop environment adds a new feature called Spices, which are add-ons to expand the feature set of the default file manager (Nemo).

Version 21.3 also includes experimental support for Wayland. Unfortunately, the developer team isn’t anticipating the replacement of the Xorg session soon, but at least we’re seeing progress.

Other goodies include Flatpak support rolled into the app store GUI, kernel 5.15, the ability to choose which monitor notifications will appear on, and the latest version of Firefox installed as a DEB (and not a Snap package).

System requirements for Linux Mint haven’t changed (recommended – 4GB RAM, 100GB storage, and 1024x768 resolution).

You can download a fresh ISO of Linux Mint 21.3 from the official download site (https://linuxmint.com/download.php), and read the official release notes in the official Linux Mint Blog (https://blog.linuxmint.com/?p=4624).


NEWS
Kernel News

Zack’s Kernel News How the Sausage Is Made anything we might want to do about it
During a power outage, if your Linux before we expire.” But again, Greg said
system is fed directly from the wall, it’s this could be done in userspace.
going to shut down right then and Oleksij remarked specifically, “I have
there. Normally the kernel goes through only 100ms time before power loss. By
a sophisticated power-down operation doing it over use space some we will
Chronicler Zack Brown reports on the latest news, views, dilemmas, and developments within the Linux kernel community. By Zack Brown

Author
The Linux kernel mailing list comprises the core of Linux development activities. Traffic volumes are immense, often reaching 10,000 messages in a week, and keeping up to date with the entire scope of development is a virtually impossible task for one person. One of the few brave souls to take on this task is Zack Brown.

whenever you turn it off to make sure all of your delicate hardware is handled properly. So, is it actually OK to simply cut the power like that?

Not really. Oleksij Rempel recently pointed out that some hardware (such as disk drives) can experience data corruption when unceremoniously shut down, or in some cases break completely. He posted a patch to rank hardware in order of priority so that in the event of a sudden power loss, certain hardware (such as multimedia devices) might use those few fractions of a second to get into a safe state before the end.

Greg Kroah-Hartman took one look at Oleksij's email and saw a dark and painful future filled with hardware manufacturers engaging in bitter warfare over whose products deserved the highest priority in the Linux shutdown sequence.

Greg asked why Oleksij's feature was necessary, given that the entire world had done without it for decades. He suggested that the kernel should simply shut down as it always had.

Mark Brown replied that Oleksij's patch was not about normal shutdowns but had emerged from discussions about how to handle user notifications during a sudden power outage. To which Greg replied, "I'm sorry, but I don't know what that means. Are you saying that the kernel is now going to try to provide a hard guarantee that some devices are going to be shut down in X number of seconds when asked?" He added that, if this was desired, it could be done by user software just as well as by the kernel.

Mark clarified that Oleksij's patches were to handle "notifications from regulators that they're in trouble and we have some small amount of time to do […] have even less time to react." He added that in fact his patch didn't represent a completely new feature: "It exist on different flavors of automotive Linux for about 10 years. Linux in cars should be able to handle voltage drops for example on ignition and so on. The only new thing is the attempt to mainline it."

Greg again said that this was not a kernel issue and should be done in userspace. He pointed out that whether in the kernel or in user code, the "speed should be the same, just get the 'power is cut' signal and have userspace flush and unmount the disk before power is gone."

Greg added that Oleksij's patch would not win him anything. It wasn't handling power loss in any especially faster way than the kernel did already. All it did was prioritize one piece of hardware before the others. "So you are going to have a constant fight among device types over the years, and people complaining that the kernel is now somehow going to guarantee that a device is shutdown in a set amount of time, which again, the kernel can not guarantee here."

Oleksij saw the wisdom of that point, although he added that he didn't want to actually flush and unmount the disk in his case because there wouldn't be enough time for that – he just wanted to shut it down gracefully. To which Greg replied, "If you don't care about the data, why is a shutdown command to the hardware needed? What does that do that makes anything 'safe' if your data is lost."

Oleksij explained, "It prevents HW damage. In a typical automotive undervoltage labor it is usually possible to reproduce X amount of bricked eMMCs or NANDs on Y amount of under-voltage cycles (I do not have exact numbers right now). Even if the numbers [are] not so

12 APRIL 2024 ISSUE 281 LINUX-MAGAZINE.COM
NEWS
Kernel News

high in the labor tests (sometimes something like one bricked device in a month of tests), the field returns are significant enough to care about software solution for this problem. Same problem was seen not only in automotive devices, but also in industrial or agricultural. With other words, it is important enough to bring some kind of solution mainline."

Greg replied with raised eyebrows, "So hardware is attempting to rely on software in order to prevent the destruction of that same hardware? Surely hardware designers aren't that crazy, right? (rhetorical question, I know….)"

Mark, however, shot back, "Surely software people aren't going to make no effort to integrate with the notification features that the hardware engineers have so helpfully provided us with?"

Mark did agree that there was not necessarily a fantastic solution to the problem in this instance, but felt that because actual hardware damage could happen, "everyone's just got to try their best with the reality they're confronted with, hopefully what's possible will improve with time."

Greg threw up his hands and remarked, "All I see is the shutdown sequence changing because someone wants it to go 'faster' with the threat of hardware breaking if we don't meet that 'faster' number, yet no knowledge or guarantee that this number can ever be known or happen." To which Mark countered, "The idea was to have somewhere to send notifications when the hardware starts reporting things like power supplies starting to fail. We do have those from hardware, we just don't do anything terribly useful with them yet."

Mark also added that in the case of Oleksij's patch, as well as the whole issue itself, "This seems to be more into the area of mitigation than firm solution, I suspect users will be pleased if they can make a noticeable dent in the number of failures they're seeing."

Greg was not opposed to mitigation. However, he again pointed out that Oleksij's patch simply reordered the hardware shutdown priority. It didn't actually mitigate anything, except possibly in the one specific case the patch was coded for, which would immediately be disputed by other hardware vendors seeking similar favoritism.

Greg also added, "if you attempt to mitigate broken hardware with software fixes, hardware will never get unbroken as it never needs to change. Push back on this, it's the only real way forward here. I know it's not always possible, but the number of times I have heard hardware engineers say 'but no one ever told us that was broken/impossible/whatever, we just assumed software could handle it' is uncountable."

At this point, Oleksij rejoined the discussion having done some further research into a userspace solution. He summed it up informatively, "I've concluded that it's likely not possible. The primary issue is that most board designs don't include reset signaling for eMMCs. Additionally, the eMMC power rail is usually linked to the system's main power controller. While powering off is doable, cleanly powering it back on isn't feasible. This is especially problematic when the rootfs is located on the eMMC, as power cycling the storage device could lead to system instability." He concluded, "any user space method to power off eMMC wouldn't be reliable or safe, as there's no way to ensure it can be turned back on without risking the integrity of the system."

Ferry Toth jumped into the conversation at this point, identifying himself as a hardware engineer, though not in the automotive industry at the center of this current topic. He said, "I'd prefer not to call the HW broken in this case. The life of hardware (unlike software) continues during and after power down. That means there may be requirements and specs for it to conform to during those transitions and states. Unlike broken hardware, which does not conform to its specs. Typically, a HDD that autoparks its heads to a safe position on its last rotation energy, that's not broken, that's carefully designed."

Ferry also said that he agreed with Greg's criticism, saying, "if there is a hard requirement to shutdown safely to prevent damage, the solution is not to shutdown fast. The solution is to shutdown on time. In fact, if the software needs more energy to shutdown safely, any hardware engineer will consider that a requirement. And ask the appropriate question: 'how much energy do you need exactly'? There are various reasons why that can not be answered in general."
Christian Loehle also joined the conversation at this point, saying that if a given storage device was at risk of actually breaking in the event of power loss, "it is not suitable for industrial/automotive uses." Christian concluded even more definitively, "any storage device sold as 'industrial' should guarantee power-fail safety." Speaking specifically to the eMMC devices covered by Oleksij's patch, Christian said that they would require up to a full second to implement any proper power-down method – quite beyond the amount of time available during sudden power loss.

Oleksij found some of these points to be very valuable and forwarded along some of these questions and issues to the hardware vendor.

The discussion continued, with various folks putting forward possible approaches to improving the situation. The questions of exactly what should fall on the hardware maker's shoulders versus userspace versus the kernel, exactly what constituted mitigation versus a straight-up fix, and exactly which parts of the kernel might be involved in such mitigations and fixes resulted in various speculations.

It's a fascinating aspect of kernel development, the attempt to deal with the reality of a lot of different intersecting situations, none of which may be ideal, while somehow finding the best possible outcome for the user. Preferably without breaking your car's data storage when the car battery cable pops off one day.

A Swift Boot to the Kernel

One area of Linux that could always be improved is boot time. Everyone wants to turn on their device and use it immediately. In general, the deepest aspect of any operating system's boot process is a spinning vortex of horror conjured into existence many ages ago by someone who understood bare metal. Linux is no exception. However, there are some aspects of bootup that are more accessible and more amenable to improvement.

Eric Curtin from Red Hat recently introduced initoverlayfs, a new filesystem he and others had been developing as a replacement for initramfs. Initramfs is a temporary filesystem that is loaded into memory at boot time in order to give the kernel access to some key files and modules, in preparation for mounting the actual filesystem on the user's hard drive. Once the system is prepped and ready, initramfs melts away and you've got a running system.

Before initramfs and its brethren, Linux would boot a single gigantic kernel that had everything and the kitchen sink built into it – no loadable modules, because before you finished booting, there was no filesystem to load modules from. Once the mega hulk kernel finished booting, it would replace itself with a smaller kernel that had been compiled for the user's specific system. It was cool! But initramfs was an improvement, both in boot speed and resource utilization.

The problem with initramfs, as Eric and his fellows see it, is that it takes time to decompress the initramfs data image and load it all into memory before the kernel can access any of its modules or other files. As Eric explained about his proposed replacement, "The benefits are, we can start userspace significantly faster as we do not have to unpack, decompress and populate a tmpfs upfront, instead we can rely on transparent decompression like lz4hc instead. What we believe is the greater benefit, is that we can have less fear of initial filesystem bloat, as when you are using transparent decompression you only pay for decompressing the bytes you actually use."

Eric wasn't submitting initoverlayfs for inclusion in the kernel yet. Instead, he wanted to know if he and the other developers working on this were on the right track. They wanted feedback from the kernel folks.

The discussion immediately moved to technical implementation details. For one thing, initoverlayfs relies on Enhanced Read-Only File System (EROFS), which touts itself as a fast, secure, and lightweight filesystem ideal for mounting temporary directory structures.

Gao Xiang had some suggestions for sticking with EROFS, saying, "I guess you could try to use 'memmap' kernel option to specify a memory region by bootloaders which contains an EROFS rootfs and a customized init for booting as erofs+overlayfs at least for 'initoverlayfs'. The main benefit is that the memory region specified by the bootloader can be directly used for mounting." Though he added the caveat that he had never actually tried the memmap kernel option himself and couldn't guarantee it would even work.

Gao also added, "compared to traditional ramdisks, using direct address can avoid page cache totally for uncompressed files like it can just use unencoded data as mmaped memory. For compressed files, it still needs page cache to support mmaped access but we could adapt more for persistent memory scenarios such as disable cache decompression compared to previous block devices."

In other words, speed – although Gao did add, "I have no idea how it's faster than the current initramfs or initrd. So if it's really useful, maybe some numbers can be posted first with the current 'memmap' hack and see it's worth going further."

Sensitive to the need for data, Eric posted a link to some graphs and reported, "With this approach systemd starts ~300ms faster on a Raspberry Pi 4 with sd card, and this systemd instance has access to all the files that a traditional initramfs would. I did this test on a Raspberry Pi 4 with NVMe drive over USB and the results were closer to a 500ms benefit in systemd start time."

So initoverlayfs offers about half a second speedup.

However, some of Eric's graphs seemed impressive, showing that initramfs would get slower and slower on systems with larger and larger initial ramdisks to load, whereas initoverlayfs seemed to have the same speed no matter how big the ramdisk, because it only ever uncompressed the data it actually needed.

The discussion will undoubtedly continue, but regardless of the particular implementation details, it seems as if initramfs is likely to be replaced at some point by something along the lines of this faster alternative.
COVER STORY
Virtual Memory

A deep look at how Linux uses virtual memory

Don't Forget

Virtual memory makes your system safer and more efficient. But what is it really? We take a look inside this powerful feature that is built into Linux.

By Michael Williams

Like other modern operating systems, Linux is multitasking, meaning that it can manage multiple running processes at the same time. With that great capability, though, comes great responsibility. Linux must ensure that no process can meddle with the memory used by another process. Historically, a vast number of security exploits worked by getting malicious code executed from a memory area that was intended for ordinary data storage only (such as the stack or the heap) and not for executable code. The operating system also must ensure that enough memory is available for the needs of all running processes and must take steps to make memory available if there is not enough. All these responsibilities must be fulfilled as quickly as possible, or otherwise performance will suffer.

Fortunately, Linux provides a way to manage the memory resources for many disparate processes simultaneously: virtual memory [1]. Essentially, when a process refers to a memory address, it does not refer directly to a physical memory location. Instead, the memory address is used as an index into one or more tables, which are then used to translate the memory address into a real, physical memory address.

The concept of virtual memory is so well established that modern computer hardware almost always has at least some basic facilities built-in to make virtual memory management easier for the operating system. However, the exact details of how virtual memory is implemented vary from one hardware platform to another. Most of the concepts outlined in this article apply equally to any platform, but I have chosen to use the 64-bit x86 (PC) architecture as the basis for examples.

This article describes how Linux implements virtual memory by inspecting the detailed virtual memory map of a very simple Linux program. This example program is a bit contrived – all it does is wait around, consuming resources until it is terminated – but it will demonstrate the important features of virtual memory.

General Concepts of Virtual Memory

All computer systems have some amount of relatively fast temporary storage, known as the computer's random-access memory (RAM), physical memory, or just memory for short. As far as the computer is concerned, the memory is a large space divided into a number of memory cells. Usually the smallest unit of storage that can be addressed is eight bits (a byte), though you can usually access data in blocks of several consecutive bytes.

Without virtual memory, a program accesses memory by addressing one or more memory cells, using a number that corresponds directly to the address of that memory cell. The numbers are almost always assigned sequentially, starting from 0; memory address 0 refers to the first byte of memory, and 19 refers to the 20th byte. Accessing memory is thus a very quick and direct operation.

The main problem with such a scheme is that it is often too direct. If multiple programs are running on the same computer, nothing stops one program from accidentally altering the memory used by another program. Worse, one or more of the programs may be malicious or may have been co-opted by malicious code, and nothing stops such a program from reading the memory used by another program. Under such circumstances, a seemingly useful utility program you downloaded off the Internet could read, for instance, your private financial information as stored for online banking purposes.

Physical memory has other limitations. The programs you run cannot use more memory than is available in the computer system, even when not all of those programs are currently in use. Actually, it is possible for the programs themselves to write any memory they are currently not using to permanent storage and then free the memory for other uses. Such a procedure is known as swapping, and modern operating systems often perform swapping when memory runs low. But again, without virtual memory, programs must perform the swapping themselves; while technically possible, it is highly error-prone, and a mistake can affect not only the program performing the swapping but potentially any other running program.

Virtual addressing simply inserts one or more extra steps into the process of addressing memory. Instead of programs addressing physical memory directly, memory addresses are interpreted as indexes into a table in memory, known as a page table, which is set up by the operating system ahead of time. Each possible virtual address has its own entry in this table, and each entry contains the physical memory address associated with the virtual address. The page table acts as sort of a "map," and each virtual address maps to a physical address,
which is then used to finally access a physical memory location. Figure 1 illustrates this concept.

Figure 1: A virtual address is translated into a physical address by interpreting the most-significant bits of the virtual address as an index into an in-memory table. Each entry in the table contains the physical address corresponding to the indexed virtual address.

If the entry corresponding to a particular virtual address lacks a corresponding physical address, a page fault occurs, and the kernel performs additional processing. The kernel may take one of several actions, from terminating the program to loading the necessary data into memory from other storage. The program typically terminates if it attempts to access memory outside of what it has been allocated (the kernel sends it a SIGSEGV signal, the familiar "segmentation fault"); the kernel can fill the page table with valid entries corresponding to the memory locations the kernel wants to allow the program to access and then fills all the remaining entries with invalid physical addresses to place the rest of memory off-limits to the program.

Empty entries in the page table can also be used to implement swapping. If the amount of free memory becomes very low, the kernel can move some lesser-used data from memory to other places, usually to some form of permanent storage such as hard disk space. Then, the kernel removes the physical addresses from the corresponding entries in the page table. Now, if the program tries to access the data that has been "swapped out," a page fault occurs and the kernel is called. When the kernel inspects the details of what caused the page fault, it identifies that the data is now stored outside of memory and then fetches the data back from permanent storage into memory again, first moving other data out of memory if necessary to free up some space. In this scenario, the kernel does not terminate the program but instead restarts the program where it left off, before the page fault occurred.

Besides the fact that the memory access took an unusually long time to complete (due to the extra overhead of the page fault and the disk access), the program otherwise is completely ignorant and unaware that anything unusual happened; the details of the swapping are handled completely transparently, without the program having to worry about any complicated memory management details.

Virtual Memory in Practice

Actually, the description of virtual address translation that I just gave is a bit oversimplified. In reality, no practical computer system implements address translation with just one table. The reason is one of practicality. On the x86 platform [2], virtual addresses are 48 bits long, whereas physical addresses vary in size from one computer hardware implementation to another but generally are between 36 and 40 bits long. Memory is managed in 4096 byte (4KiB) blocks at a time; the least-significant 12 bits of any virtual or physical address are thus interpreted directly as an offset into the selected block of memory. (These blocks of memory are known as page frames or often simply pages.) Thus, only the remaining 36 bits of a 48-bit virtual address are interpreted as a page table index.

However, even with a 36-bit index, the page table would need to be of sufficient size to include 2^36 entries – roughly 69 billion page table entries. On x86, each page table entry occupies 8 bytes, so the page table would have to be about 512 gibibytes (GiB). Most computers today do not have sufficient physical memory to store such an enormous table in memory. On top of that, each running process on Linux usually gets its own page table, which means that each running process on a Linux system would need an additional 512 GiB of memory! Obviously, using just a single page table is an unworkable solution.

Instead, on the x86 architecture, the most-significant 36 bits of a virtual address are split into four parts. The
most-significant 9-bit chunk is used as an index into a first-level page table, consisting of just 512 (2^9) entries. But instead of the selected first-level page table entry pointing directly to the page frame containing the requested data, the page table entry points to the physical address of a second-level page table. The second-most-significant 9-bit chunk of the virtual address is then used as an index into this second-level page table, which in turn points to a third-level page table, and so on for the fourth-level page table. Finally, the selected entry in the fourth-level page table is what points to the page frame containing the requested data. Figure 2 illustrates this concept of multiple levels of page tables.

The advantage of using multiple levels of page tables is that less memory needs to be set aside for the page tables. Most programs use nowhere near all 48 bits of the available virtual address space, which means that page table entries for the vacancies in the virtual address space are unneeded. If a selected entry in any level of page table contains an invalid physical address – that is, the entry points to neither the next level of page table nor the final page frame – a page fault is issued, giving the kernel an opportunity to either terminate the process or make the requested memory available. Entire swaths of page table entries therefore need not exist.

The Simplest Possible Example

The title of this section is no exaggeration. I want to start off by showing you the virtual address map of a real, running program. However, almost all existing programs on Linux (and other operating systems) contain excess code and data that they do not really need in order to function correctly.

For this reason, I have chosen to write an extremely simple program for the purposes of demonstrating virtual memory concepts. This program does nothing more than pause, doing nothing until terminated by pressing Ctrl+C or using the kill command at the command line. To reduce its memory and storage footprint, I have opted not to write it in a high-level language such as C, C++, Python, or Rust; I wrote it instead in x86 assembly language, which is essentially a marginally more convenient representation of the machine language that the computer actually executes.

Listing 1 provides the code, which I saved into a file called pause.s; you may call it whatever you want, so long as the filename ends in the .s suffix. (See the "Understanding Assembly Language Code" box for more about what exactly the assembly language code means.)

Listing 1: Extremely Simple Program

    .section .note.GNU-stack, "", @progbits

    .text
    .global _start
    .type _start, @function
    _start:
        movl $34, %eax
        syscall

        movl $231, %eax
        movl $0, %edi
        syscall

        ud2

Before you can run the program, you must first assemble and link it; in other words, it must first be converted down into the machine code that the computer can execute. Most high-level languages do this for you behind-the-scenes when you compile or run your programs, but with assembly language you must launch these tasks manually. The following two commands will do the trick:

    as pause.s -o pause.o
    ld pause.o -o pause

The previous two commands will produce two new files – one called pause.o, the other simply pause. The pause file is the final, executable program. I recommend that when you run it, you run it in the background by appending an ampersand character (&) to the program's command line. By backgrounding the program, you will keep your shell open for further commands to inspect the program, and the shell will also print the program's process ID:

    $ ./pause &
    [1] 20397

The second number printed (the one outside the square brackets) is the process ID of the pause program. The number will probably be different on your system; make sure to note down the process ID, because it will come in very handy for subsequent commands.

Once you have started the program, it will continue to run, sitting in the background doing nothing. When you are done

Figure 2: The virtual address is split into four 9-bit indexes that reference a chain of four much smaller page tables; only the fourth-level (and final) page table contains entries that point to the data originally requested.
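The four-level walk that Figure 2 sketches can be modeled in a few dozen lines of C. The program below is an added example written for this edit, not code from the article. It assumes that page-aligned heap buffers from aligned_alloc stand in for physical page frames, so the upper bits of an entry hold a user-space pointer rather than a physical frame number; everything else follows the architecture described above: 512 eight-byte entries per level, a present bit (bit 0), a writable bit (bit 1) that must be set at every level for a write to succeed, and the rule that bits 63 to 47 of a 48-bit address must all equal bit 47, because a non-canonical address is rejected by the CPU as a general-protection fault before any table is consulted.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example: a user-space model of x86-64 four-level paging.
 * Assumption: page-aligned heap buffers stand in for physical page frames,
 * so an entry's upper bits hold a pointer instead of a frame number. */
#define PAGE_SHIFT   12
#define PAGE_SIZE    (1ull << PAGE_SHIFT)
#define PAGE_MASK    (PAGE_SIZE - 1)
#define ENTRIES      512                 /* one 9-bit index per level */
#define PTE_PRESENT  1ull                /* bit 0 */
#define PTE_WRITABLE 2ull                /* bit 1 */

typedef struct table { uint64_t e[ENTRIES]; } table_t;      /* exactly one 4 KiB page */
typedef struct { unsigned idx[4]; uint64_t off; } va_parts; /* idx[0] = PML4 ... idx[3] = PT */
typedef enum { WALK_OK, FAULT_NOT_PRESENT, FAULT_PROTECTION, FAULT_NONCANONICAL } walk_result;

static size_t tables_allocated;

/* Bits 63..47 must all equal bit 47; otherwise the CPU raises #GP, not a page fault. */
bool is_canonical(uint64_t va) {
    uint64_t top = va >> 47;
    return top == 0 || top == 0x1ffff;
}

/* Split a 48-bit virtual address into four 9-bit table indexes and the 12-bit offset. */
va_parts split_va(uint64_t va) {
    va_parts p;
    p.off = va & PAGE_MASK;
    for (int lvl = 0; lvl < 4; lvl++)
        p.idx[lvl] = (unsigned)((va >> (PAGE_SHIFT + 9 * (3 - lvl))) & 0x1ff);
    return p;
}

/* One zeroed, page-aligned table; the alignment leaves the low 12 bits free for flags. */
table_t *new_table(void) {
    table_t *t = aligned_alloc(PAGE_SIZE, sizeof *t);
    if (t) { memset(t, 0, sizeof *t); tables_allocated++; }
    return t;
}

size_t page_table_bytes(void) { return tables_allocated * PAGE_SIZE; }

static table_t *next_level(uint64_t entry) {
    return (table_t *)(uintptr_t)(entry & ~PAGE_MASK);
}

/* Map one page, creating intermediate tables only along this one path. */
bool map_page(table_t *pml4, uint64_t va, uint64_t pa, bool writable) {
    if (!is_canonical(va) || (va & PAGE_MASK) || (pa & PAGE_MASK)) return false;
    va_parts p = split_va(va);
    table_t *t = pml4;
    for (int lvl = 0; lvl < 3; lvl++) {
        uint64_t *e = &t->e[p.idx[lvl]];
        if (!(*e & PTE_PRESENT)) {
            table_t *next = new_table();
            if (!next) return false;
            /* upper levels stay writable; the leaf entry decides the final permission */
            *e = (uint64_t)(uintptr_t)next | PTE_PRESENT | PTE_WRITABLE;
        }
        t = next_level(*e);
    }
    t->e[p.idx[3]] = pa | PTE_PRESENT | (writable ? PTE_WRITABLE : 0);
    return true;
}

/* Walk the four levels the way the MMU does and report the fault it would raise. */
walk_result translate(const table_t *pml4, uint64_t va, bool write, uint64_t *pa) {
    if (!is_canonical(va)) return FAULT_NONCANONICAL;
    va_parts p = split_va(va);
    const table_t *t = pml4;
    bool writable = true;
    uint64_t e = 0;
    for (int lvl = 0; lvl < 4; lvl++) {
        e = t->e[p.idx[lvl]];
        if (!(e & PTE_PRESENT)) return FAULT_NOT_PRESENT;  /* kernel's fault handler takes over */
        writable = writable && (e & PTE_WRITABLE);         /* permission is the AND of all levels */
        if (lvl < 3) t = next_level(e);
    }
    if (write && !writable) return FAULT_PROTECTION;
    *pa = (e & ~PAGE_MASK) | p.off;
    return WALK_OK;
}

int main(void) {
    table_t *root = new_table();
    map_page(root, 0x400000ull, 0x1000ull, false);        /* a code page: read-only */
    map_page(root, 0x7ffffffde000ull, 0x2000ull, true);   /* a stack page: writable */
    uint64_t pa = 0;
    walk_result r = translate(root, 0x400010ull, false, &pa);
    printf("read  0x400010 -> result %d, pa=%#llx\n", r, (unsigned long long)pa);
    printf("write 0x400010 -> result %d (protection fault)\n", translate(root, 0x400010ull, true, &pa));
    printf("read  0x401000 -> result %d (not present)\n", translate(root, 0x401000ull, false, &pa));
    printf("%zu bytes of page tables for two pages, versus 512 GiB for one flat table\n",
           page_table_bytes());
    return 0;
}
```

Compile with cc walk.c -o walk and run it. Two pages mapped far apart (a code page at 0x400000 and a stack page near the top of user space) cost seven 4KiB tables, 28KiB in total, which is the saving over the flat 2^36-entry table that the text prices at 512GiB; and because a write is permitted only when the writable bit is set in every level, a kernel can make a whole subtree read-only by clearing one bit high up the chain.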


COVER STORY
Virtual Memory

with the program, you can terminate it with the kill $ ps -p 20397 -o pid,sz,vsz,rss,comm

command: PID SZ VSZ RSS COMMAND

20397 41 164 0 pause

kill [pid]

The SZ, VSZ, and RSS columns refer to different memory usage
Replace [pid] with the process ID you wrote down earlier. statistics; all values are measured in units of kibibytes, or 1024
bytes. SZ refers to the amount of memory that ps thinks the pro-
Inspecting the Example gram is using; if you use a program other than ps, or even a dif-
Now that the simple example program is running in the back- ferent version of ps, to measure the program’s memory usage,
ground, I will begin by inspecting some basic program statistics this number may vary. VSZ, on the other hand, is how much vir-
using the standard ps command. I first instruct ps to print tual memory the program has been assigned. Not all of that vir-
memory usage information for the simple example program, tual memory has been assigned physical memory, however; the
and only the simple example program: resident set size, or RSS field is supposed to indicate how much
physical memory is actually consumed by the program.
ps -p [pid] -o pid,sz,vsz,rss,comm In reality, the RSS reported by ps is clearly inaccurate. If the
displayed RSS were accurate, it would indicate that the pro-
(Wherever I write [pid], replace it with the [pid] with the gram consumes no physical memory, which is absurd.
process ID of the example program.) On my Linux installa- The SZ column is also likely wrong. On the x86 platform, vir-
tion, running Debian 13 “trixie” Unstable with a version tual memory is handled in small chunks known as pages. Each
6.5.0 Linux kernel on 64-bit x86 hardware, I get the follow- page is usually 4KiB in size, though on some occasions, 2MiB
ing output: or even 1GiB pages could be used. One thing is for sure,

Understanding Assembly Language Code


Assembly language programs are translated into machine need to be passed to the system call, the parameters go into
language using a program called an assembler. But the as- other, specific registers, starting with edi for the first parameter.
sembler by itself does not produce a ready-to-run executable The system call is actually invoked using one of several meth-
file; the assembler only produces an intermediate object file. ods; I have chosen to use the syscall instruction for this purpose
The object file must be passed through another program because it is the fastest way to invoke a system call on Linux.
called the linker to produce a final, executable program. The The first group of program code consists of two lines of code.
linker’s job is to scan through one or more object files, The first (movl $34, %eax) loads the number associated with the
searching for references to program functions and variables pause system call into the eax register. The pause system call sim-
in each object file. Once the location of each so-called symbol ply instructs the kernel to put the program to sleep indefinitely;
has been identified, the linker combines the contents of each the program will not continue until terminated (such as by using
object file into one executable program and then changes all the kill command) or until the program receives a signal which
symbol references to point to the new locations of each sym- it has chosen ahead of time to handle. For our purposes, the
bol in the resulting executable. only way the program can end is if terminated explicitly using
The simple example program in this article consists of only one the kill command. The pause system call accepts no parame-
source code file and contains no references to external symbols ters, so there is no need to fill any other registers with specific
whatsoever; however, the linking process is still necessary to cre- values; all that needs to be done now is to execute the syscall
ate the executable binary file in a file format suitable for execution. instruction to invoke pause.
The first line of the program code is not actually assembly lan- To be on the safe side, in the event that the pause system call does
guage code; it is merely an instruction to the assembler to ensure that, when the resulting program is executed, the program’s stack is not executable. (An executable stack can make a program vulnerable to buffer overflow.)
The next four lines are also assembler directives. Respectively, the .text directive instructs the assembler that program code follows, as opposed to data used by the program; the remaining three lines instruct the assembler to generate a symbol for a program function and to name the function _start. The linker will look for a function by this name when the linking process is performed, as this function contains the first code to be executed when the program is executed. All of the actual code of the program is contained within this one function, since this program is so simple.
The program code begins with an instruction to place a particular integer value into a specific register. To perform a system call, the convention on Linux is to place a specific number corresponding to the desired operation in the CPU register eax [3]. Linux supports dozens of different system calls, each with its own system call number assigned to it [4]. If any parameters

terminate, the next code invokes the system call with number 231, which is the exit system call. This cleanly ends the program. The exit system call requires one parameter, specifically the return value of the program (what status code to return to the program’s parent, the program that launched this program). The following code (movl $0, %edi) sets this parameter to zero, which will result in the program returning a status code of zero (indicating a successful exit).
The final line of code (ud2) is another unnecessary formality that is nevertheless good practice. Most CPUs today will look ahead and start executing code even before the prior program instructions have completed. With a program as short as this one, there is a small chance that the CPU will attempt to execute random junk “code” after the end of the real program instructions. The ud2 opcode is guaranteed never to be assigned to any actual instruction. When any x86 CPU encounters a ud2, the CPU is guaranteed to immediately stop executing the program code. While unnecessary, it is good practice to include this line to ensure the system doesn’t execute code after the end.

LINUX-MAGAZINE.COM ISSUE 281 APRIL 2024 19


COVER STORY
Virtual Memory

though: Memory is always managed in blocks of 4KiB, never anything smaller. At first, 41KiB of memory may seem to be a semi-reasonable value, but 41 is not an even multiple of the 4KiB page size. Therefore, not a single memory usage indicator reported by ps is an accurate indicator of how much physical memory is in use.
It is interesting to note that the inaccurate RSS reported by ps is not actually ps’s fault; ps simply relies on what the kernel tells it is the RSS and takes that value at face value.

Detailed Virtual Memory Statistics
In order to reveal more information about the virtual memory used by this program, it is necessary to directly query the process information that the kernel generates. This information is stored in a set of files within the directory /proc/[pid] [5]. Whenever one of these files is read, the kernel generates the contents of the file on-the-fly, ensuring that the file’s contents are always up-to-date.
The first of these files I will read is called /proc/[pid]/maps. This file lists all of the virtual memory regions occupied by the program in a compact but summary form; it does not list enough information to determine, for instance, how much of each virtual memory region is actually loaded into physical memory. Nevertheless, it is a good starting point to show what virtual memory regions make up the 164KiB of total virtual memory space occupied by this tiny program. Listing 2 is the contents of the maps file on my Linux system; for brevity, I have removed some unnecessary padding that appeared in the original file.

Listing 2: Virtual Memory Map
$ cat /proc/20397/maps
00400000-00401000 r--p 00000000 08:01 3845150 /home/gordon/pause
00401000-00402000 r-xp 00001000 08:01 3845150 /home/gordon/pause
7ffd62b52000-7ffd62b73000 rw-p 00000000 00:00 0 [stack]
7ffd62b73000-7ffd62b77000 r--p 00000000 00:00 0 [vvar]
7ffd62b77000-7ffd62b79000 r-xp 00000000 00:00 0 [vdso]

At first, the format of the maps file looks a bit cryptic, but it’s actually fairly easy to read once you understand what each column means. Each line of the file refers to a different virtual memory region of the program. There are two types of virtual memory areas: file-backed and anonymous mappings. Anonymous mappings exist purely in memory; file-backed mappings deserve a little extra explanation.
As I have explained previously, page faults can be used to “swap out” unused memory and swap it back in from the disk when it needs to be used again. But page faults can also be used to fill memory with the contents of a file. When such a so-called “file-backed mapping” is initially established, none of the file’s contents are read into memory. However, as soon as a reference is made to the virtual memory region corresponding to the file-backed mapping, a page fault occurs, and the kernel reads the region of the file corresponding to the byte(s) requested from the virtual memory region. Actually, the entire 4KiB region surrounding the requested byte is read from the file; then a page frame is allocated in memory to store the data just read from the file, and the page tables are updated accordingly to point to the new page frame.
Subsequent accesses to the requested byte, or any other byte of the file contained within the 4KiB page frame, are read from memory without causing a page fault; the region of the file is therefore subsequently cached in memory. The page frame is said to be clean; it consumes memory, but if available memory ever becomes too scarce, the page frame can be simply discarded from memory without first writing it to permanent storage (i.e., the swap space). The exact same data can be read back from the file from which it originally came, if the data is ever referenced again.
Returning to the format of the maps file, the first number on each line, before the dash (-) character, is the virtual memory address of the beginning of the virtual memory area. As is the convention for memory addresses in general, this number is printed in hexadecimal (base-16) notation. The second number (the one following the dash character) is the address of the end of the virtual memory region. Note that the ending address is non-inclusive; the address specified by this second number is not a valid address within the virtual memory region, though the address of the prior byte is.
The third field lists the permissions associated with the virtual memory region, as well as the type of region. r means that the program is allowed to read from any virtual address within the region, w means that the program can write to the region, and x means that the program can run executable code located in the region. The final letter, p, means that the region is a so-called “private mapping”; this letter could alternatively be an s, which means the region is a “shared mapping.” (See the box entitled “Private Versus Shared Mappings.”)

Private Versus Shared Mappings
If the region is marked private, when the page frame is allocated (when that region of the file is first read into memory), the page frame is initially marked read-only. When the program subsequently writes to the page, a page fault is generated since the page frame is marked read-only. The kernel determines what caused the page fault and responds by allocating another page frame and copying the contents of the read-only page frame to the new page frame. The new page frame is marked as writable, and the program’s page tables are updated to point to the new, writable page frame instead of the original, read-only one.
Now, other programs can still take advantage of the read-only page frame; they can use the cached copy of that region of the file. The read-only page frame can be removed from memory whenever necessary, just as before, without any worries of having to move it to swap space first. The writable, private copy of the page frame, on the other hand, cannot simply be dropped from memory on a whim; if it must be removed from memory, it must be moved to swap space first, and copied back from swap space when referenced again. This process of making a copy of a memory region only when necessary is known as Copy-on-Write, or CoW.
If the virtual memory region is marked “shared,” however, the page frame is marked writable from the moment it is first allocated and filled with file data. The program is allowed to modify the contents of the page frame in memory at will, but as soon as the first modification to the page frame is made, the computer hardware marks the corresponding entry in the page table, marking the page as dirty (or, in x86 terminology, “modified”). Unlike with a private mapping, the modifications are made directly to the original page frame; any other running program that maps the same file will see the modifications. The contents of the original file itself are also modified; however, the kernel is free to defer modification of the file until an opportune moment, or when it has no choice because the system is running low on memory. In any case, once the contents of the modified page are written to the original file, the page’s contents are no longer out of sync with the file contents, and the page is once again marked as “clean”; the page can then be freed at any moment without worrying about swapping it out, at least until the page is subsequently modified again.

The fourth column is another hexadecimal number. This number is only meaningful if the virtual memory area is a file-backed mapping. It corresponds to the offset into the file at which the mapping starts; when this field is zero, reading from the beginning of the mapping reads from the beginning of the file. Similarly, a value of 1000 (4096 in decimal) means that reading from the beginning of the mapping will read starting at an offset of 4096 bytes into the file. This is useful for mapping sections of a binary executable file into memory piecemeal, without mapping the entire file into virtual address space. (Some executable files contain information, such as debugging data, that has a reason to exist in the file but is not useful when the file is executed.)
The fifth and sixth columns (separated by a colon character), as well as the seventh column, are also only meaningful in the context of a file-backed mapping. The fifth and sixth columns are two hexadecimal numbers known as major and minor device numbers. Together, they uniquely identify the block device on which the file mapped by the virtual memory region resides. In Listing 2, the pair 08:01 refers to the first partition on my hard disk drive, the first (and only) hard disk installed in my computer. Column seven is the inode number of the mapped file, written in decimal; when combined with the major and minor number, the inode number uniquely identifies any file on the entire Linux system, even if the file has been deleted since it was mapped. If the virtual memory region is an anonymous mapping, all three of these values will be zero.
The final column is the full path and name of the mapped file. If the file has been deleted since it was mapped, this column will be followed by the string (deleted). If the virtual memory region is an anonymous mapping, this field will usually be empty. In some cases, though, the kernel will briefly describe what exactly the anonymous mapping is used for, enclosing the description in square brackets; for example, in Listing 2, [stack] describes the program’s stack, a temporary “scratch” location in memory where the program can store various types of data. The kernel also fills in some of the stack with data such as any parameters that were passed to the program, as well as the program’s environment variables, a list of text strings passed to the program by its parent process when the program was launched.
It is important to note that the numbers in the first, second, and fourth columns are always even multiples of the page size (4KiB); the least-significant (last) three digits of these numbers are always zero. In a following section, I will demonstrate the practical utility of this fact.

Even More Detailed Memory Statistics
If you just want basic information about each of the virtual memory regions, the maps file might be all you need. But the maps file will not tell you how much physical memory is being used by a virtual memory region, for instance, or how much can be jettisoned if memory runs low. That information is contained in another, similarly named file: /proc/[pid]/smaps. The far-more-detailed smaps file lists a wealth of information about each virtual memory region held by a process. In Listing 3, I show a limited part of the smaps for my tiny example program. For brevity, I have removed unnecessary padding and only included the most relevant fields.

Listing 3: Detailed Memory Map
$ cat /proc/20397/smaps
00400000-00401000 r--p 00000000 08:01 3845150 /home/gordon/pause
Size: 4 kB
Rss: 0 kB
Shared_Clean: 0 kB
Shared_Dirty: 0 kB
Private_Clean: 0 kB
Private_Dirty: 0 kB
00401000-00402000 r-xp 00001000 08:01 3845150 /home/gordon/pause
Size: 4 kB
Rss: 4 kB
Shared_Clean: 0 kB
Shared_Dirty: 0 kB
Private_Clean: 4 kB
Private_Dirty: 0 kB
7ffd62b52000-7ffd62b73000 rw-p 00000000 00:00 0 [stack]
Size: 132 kB
Rss: 12 kB
Shared_Clean: 0 kB
Shared_Dirty: 0 kB
Private_Clean: 0 kB
Private_Dirty: 12 kB
7ffd62b73000-7ffd62b77000 r--p 00000000 00:00 0 [vvar]
Size: 16 kB
Rss: 0 kB
Shared_Clean: 0 kB
Shared_Dirty: 0 kB
Private_Clean: 0 kB
Private_Dirty: 0 kB
7ffd62b77000-7ffd62b79000 r-xp 00000000 00:00 0 [vdso]
Size: 8 kB
Rss: 0 kB
Shared_Clean: 0 kB
Shared_Dirty: 0 kB
Private_Clean: 0 kB
Private_Dirty: 0 kB
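To watch the private-versus-shared behavior described in the “Private Versus Shared Mappings” box from user space, here is an added Python example (not code from the article): it maps a scratch file once as a shared mapping and once as a private one, writes through the mapping, and checks what a second mapping of the same file and the file itself observe. It assumes Python’s mmap module on Linux, where ACCESS_WRITE corresponds to MAP_SHARED and ACCESS_COPY to MAP_PRIVATE.

```python
import mmap
import os
import tempfile


def write_through_mapping(access):
    """Map a scratch file, write to it through the mapping, and report who sees the write.

    access=mmap.ACCESS_WRITE builds a shared mapping (MAP_SHARED): the write lands
    in the very page frame that caches the file, so a second mapping of the file
    and the file itself both see it.
    access=mmap.ACCESS_COPY builds a private mapping (MAP_PRIVATE): the first write
    triggers copy-on-write, the writer gets its own page frame, and neither the
    other mapping nor the file changes.
    Returns (byte seen by the writer, byte seen by an observer mapping, byte in the file).
    """
    fd, path = tempfile.mkstemp()
    try:
        page = mmap.PAGESIZE
        os.write(fd, b"A" * page)  # constructed sample content: one page of 'A' bytes
        # The observer is a second, read-only mapping of the same file; it stands
        # in for "any other running program that maps the same file".
        with mmap.mmap(fd, page, access=mmap.ACCESS_READ) as observer, \
                mmap.mmap(fd, page, access=access) as writer:
            writer[0] = ord("B")  # first write: dirties the page (shared) or copies it (private)
            with open(path, "rb") as f:
                in_file = f.read(1)
            return bytes(writer[:1]), bytes(observer[:1]), in_file
    finally:
        os.close(fd)
        os.unlink(path)


def compare_mapping_types():
    """Run both variants and return their results keyed by mapping type."""
    return {
        "shared": write_through_mapping(mmap.ACCESS_WRITE),
        "private": write_through_mapping(mmap.ACCESS_COPY),
    }


if __name__ == "__main__":
    for kind, (writer, observer, in_file) in compare_mapping_types().items():
        print(f"{kind}: writer sees {writer}, observer sees {observer}, file holds {in_file}")
```

With a private mapping the file is never touched, which is why a mapped executable or a shared library can be patched in one process without affecting the copy every other process reads.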
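As an added example (not from the article), the following Python parses the Listing 3 excerpt into the seven maps columns described above, checks that Size equals end minus start, that start, end and offset are page-aligned, and that Rss is the sum of the four Shared/Private fields, and derives the dd skip= and count= values for the [stack] region the same way the article does by hand; it assumes a 4KiB page size.

```python
import re

PAGE = 4096  # the page size the article assumes throughout
RSS_PARTS = ("Shared_Clean", "Shared_Dirty", "Private_Clean", "Private_Dirty")

# Sample input: the smaps excerpt from Listing 3, with the prompt line dropped.
SMAPS = """\
00400000-00401000 r--p 00000000 08:01 3845150 /home/gordon/pause
Size: 4 kB
Rss: 0 kB
Shared_Clean: 0 kB
Shared_Dirty: 0 kB
Private_Clean: 0 kB
Private_Dirty: 0 kB
00401000-00402000 r-xp 00001000 08:01 3845150 /home/gordon/pause
Size: 4 kB
Rss: 4 kB
Shared_Clean: 0 kB
Shared_Dirty: 0 kB
Private_Clean: 4 kB
Private_Dirty: 0 kB
7ffd62b52000-7ffd62b73000 rw-p 00000000 00:00 0 [stack]
Size: 132 kB
Rss: 12 kB
Shared_Clean: 0 kB
Shared_Dirty: 0 kB
Private_Clean: 0 kB
Private_Dirty: 12 kB
7ffd62b73000-7ffd62b77000 r--p 00000000 00:00 0 [vvar]
Size: 16 kB
Rss: 0 kB
Shared_Clean: 0 kB
Shared_Dirty: 0 kB
Private_Clean: 0 kB
Private_Dirty: 0 kB
7ffd62b77000-7ffd62b79000 r-xp 00000000 00:00 0 [vdso]
Size: 8 kB
Rss: 0 kB
Shared_Clean: 0 kB
Shared_Dirty: 0 kB
Private_Clean: 0 kB
Private_Dirty: 0 kB
"""

HEADER = re.compile(r"[0-9a-f]+-[0-9a-f]+ ")  # a maps-style region line


def parse_maps_line(line):
    """Split one maps line into the seven columns the article walks through."""
    parts = line.split(maxsplit=5)
    addr, perms, offset, dev, inode = parts[:5]
    start, end = (int(x, 16) for x in addr.split("-"))
    major, minor = (int(x, 16) for x in dev.split(":"))
    return {
        "start": start, "end": end,  # end is exclusive
        "perms": perms, "private": perms[3] == "p",
        "offset": int(offset, 16),
        "dev": (major, minor), "inode": int(inode),
        "path": parts[5] if len(parts) > 5 else "",
        # anonymous mapping: device numbers and inode are all zero
        "anonymous": (major, minor, int(inode)) == (0, 0, 0),
    }


def parse_smaps(text):
    """Group smaps lines into regions; every 'kB' field is stored in bytes."""
    regions = []
    for line in text.splitlines():
        if HEADER.match(line):
            regions.append(parse_maps_line(line))
        elif line.strip():
            key, _, value = line.partition(":")
            fields = value.split()
            if len(fields) == 2 and fields[1] == "kB":
                regions[-1][key.strip()] = int(fields[0]) * 1024
    return regions


def check_region(r):
    """Apply the article's invariants to one region."""
    size = r["end"] - r["start"]
    return {
        "size_matches": size == r["Size"],  # Size is always end minus start
        "page_aligned": all(v % PAGE == 0 for v in (r["start"], r["end"], r["offset"])),
        "rss_is_sum": r["Rss"] == sum(r[k] for k in RSS_PARTS),
        "pages": size // PAGE,
    }


def totals(regions):
    """Total virtual size and total RSS of the process, both in bytes."""
    return {"virtual": sum(r["Size"] for r in regions),
            "rss": sum(r["Rss"] for r in regions)}


def dd_arguments(regions, name="[stack]"):
    """skip= and count= (in 4096-byte blocks) for dd on /proc/[pid]/mem; dividing a
    page-aligned address by PAGE equals dropping its last three hex digits."""
    r = next(r for r in regions if r["path"] == name)
    return {"skip": r["start"] // PAGE, "count": (r["end"] - r["start"]) // PAGE}
```

Pointing parse_smaps at the real /proc/[pid]/smaps of a running process works too; fields whose value is not a kB count (such as VmFlags) are skipped.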


Each section of the smaps file starts with a line describing the virtual memory region. This first line is formatted identically to the lines found in the maps file. The lines that follow give further details about each virtual memory region.
The Size field describes the total size of the virtual memory region, regardless of whether or not any physical memory is used for any part of the region. It is always identical to the ending address of the region minus the starting address. RSS is how much physical memory is actually being used by the region; if the RSS is zero, then no physical memory is being used for the virtual memory region, even if the virtual memory region is 16 KiB in size. Shared_Clean, Shared_Dirty, Private_Clean, and Private_Dirty further break the RSS down into its component parts; the RSS is simply the sum of these four values.
What can I determine about the program based on this information? This program consists of five virtual memory regions; two of them are file-backed – the file being the program executable file itself – while the other three are anonymous. Adding up the Size fields of each region, I get a total virtual memory size of this program of 164KiB, which exactly matches ps’s output. However, adding up the RSS of each region results in a total physical memory usage of 16KiB – very much lower than the 164KiB virtual memory size of the program and also different from what ps reported was the memory consumption of the program. In particular, you can see that the program’s stack consumes most of the physical memory used by the program – 12 KiB – even though the program includes no code that would explicitly write to the stack area. In addition, a 4KiB page frame has been allocated to contain the program’s code. Even though the program’s code amounts to no more than a few bytes – 21 bytes to be exact – again, memory is allocated in 4KiB chunks, so the code uses an entire page frame. As you can see, though, the single page frame allocated for the program’s code has been marked “clean,” which means that if memory ever runs low (and the program is not actively being executed), the page frame containing the program’s code can safely and immediately be freed and re-read into memory if it is ever used again.
By contrast, all of the memory used by the program’s stack consists of “dirty” pages that must be swapped out if memory gets too scarce. This is to be expected, given that the stack is an anonymous private mapping, and there is apparently some data on the stack already. But it begs the question: What is on the stack if the program itself has not put anything there? And furthermore, why is the virtual memory size of the stack 132KiB, of all numbers?
The only way to get an answer to these questions is to look at the contents of the stack directly. To do this, I used the starting and ending addresses of the stack region, as listed in the maps and smaps files. With the help of two command-line utilities – dd and od – I read from yet another file to dump the stack contents: /proc/[pid]/mem. The mem file gives direct access to the virtual memory space of a process. I used dd to read from a specific location in the mem file – specifically, the region corresponding to the program’s stack – and I used od to produce a “hexdump” of the stack. The stack contains many byte values that do not correspond to any meaningful printable characters, and dumping the raw contents of the stack onto my terminal window directly would have resulted in a mess.
I started off by finding the starting and ending addresses of the stack area. Looking back at Listing 2 and Listing 3, I see that the stack starts at address 7ffd62b52000 and ends at address 7ffd62b73000. Recall earlier how I said that the starting and ending addresses are always even multiples of 4096 bytes, so you can chop off the last three zero digits – this leaves you with a starting address of 7ffd62b52 and an ending address of 7ffd62b73. To dump the contents of the stack, I used the command line:

dd status=none if=/proc/20397/mem \
   bs=4096 skip=$((0x7ffd62b52)) \
   count=$((0x7ffd62b73-0x7ffd62b52)) | \
   od -Ax -tx1z -w16 -v

The 0x denotes hexadecimal notation; the $(()) is a convenient shorthand to perform arithmetic directly from the shell [6], and it also has the side effect of converting hexadecimal numbers to decimal numbers – dd only accepts decimal notation. The dd command [7] reads from the mem file in 4096-byte chunks (bs=4096), starting with the byte at the start of the stack area (skip=$((0x7ffd62b52))). It reads to the end of the stack area (count=$((0x7ffd62b73-0x7ffd62b52))), subtracting the starting address from the ending address to get the size of the region. Then I pipe the output of dd into od [8] to display a hexdump of the stack, before printing the hexdump on my terminal window.

Figure 3: A hexdump of the simple example program’s stack: Even a tiny example like this program contains a large amount of data on the stack.

Figure 3 shows the output I got from the hexdump of the stack. As the stack area is 132KiB, and 12KiB of the stack have been touched with data, the hexdump is quite long. I have thus deleted many lines of output from Figure 3, replacing each group of deleted lines with a cross-fade effect.
The stack dump depicted in Figure 3 is consistent with the information from the smaps file. The smaps file states that the stack area occupies 132KiB of virtual memory space; with a 4KiB page size, this equates to 33 pages. However, only three physical page frames (12KiB) have been allocated for the stack; none of the first 30 pages on the stack have been touched, and thus the first 30 pages all still contain only zeroes. Page 31 mostly only contains zeroes, but the very end of page 31 has been touched with some data; thus an entire 4KiB page frame had to be allocated for page 31, even though it is mostly empty. While the meaning of the contents of page 32 may not be immediately clear, page 33 clearly is chock full of text strings. Most of page 33 contains the environment variables inherited by the example program from the shell program I used to launch the example. The last readable text string in page 33, and on the entire stack for that matter, is the name of the program (actually the path I used to invoke it – ./pause in this example). If I had passed any parameters to the program when I invoked it, they would appear after the name of the program. C and C++ programmers would know this list of parameters as argv, an abbreviation of “argument vector.”
Page 32 is, for the most part, a list of pointers, first to the elements of argv. Of course, there is only one such element in argv – the name of the program – since I did not invoke the program with any parameters. Most of the rest of page 32 is filled with pointers to each environment variable inherited by the program.
As for why the virtual memory region of the stack is so large, Linux pre-reserves a large amount of virtual address space for the program parameters and the environment variables – typically 128KiB [9]. Whereas the program is unlikely to change its own parameter list once it has started running, it is not uncommon for a program to add or remove environment variables from its environment, usually immediately before launching a new program. The program’s altered environment will be inherited by the new program it launches. The kernel reserves 128KiB of virtual address space on the stack for the environment, to ensure there is enough space near the end of the stack area for any reasonable number of additions to the environment.
The stack’s virtual memory size is 132KiB, which is equal to the 128KiB of virtual address space for the environment and argument list plus an extra 4KiB of address space for the main purpose of the stack – as a temporary data storage area for the program. Of course, as I have already described, physical memory in the form of page frames is not actually allocated for a region of the stack until that region is used. In addition, if all 132KiB of the stack space ever do get used up, the next time the program attempts to add more data to the stack, the program will exceed the virtual address boundaries of the stack, triggering a page fault. Normally the kernel would terminate the program under such circumstances, but the kernel detects that the program intended to access the stack, and the kernel responds by expanding the stack’s virtual address range by a page. The stack thus starts out small and grows to the size needed to fulfill the program’s storage requirements.
Virtual memory regions can be as large as necessary and not need physical memory for untouched regions. So why start small and expand even the virtual memory size of the stack only on an on-demand basis? Because a larger virtual memory area means more page table entries are required to describe the area. Since page table entries consume physical memory, this means that a huge virtual memory area for the stack will indirectly consume large amounts of physical memory, even if the vast majority of the stack area has no physical page frames associated with it. Thus, the kernel starts all programs off with a small stack and increases the region’s size only if the program needs it.

Conclusion
This article explored the essential concepts of virtual memory. I approached the subject from the perspective of how it is implemented on the x86 architecture. Other common and popular architectures, such as ARM, also support virtual memory.
When you are finished experimenting with the demonstration program described in this article, don’t forget to free the resources. Enter

kill [pid]

to terminate the program.

Info
[1] Virtual memory: https://en.wikipedia.org/wiki/Virtual_memory
[2] Virtual memory implementation on x86: https://en.wikipedia.org/wiki/X86-64#Virtual_address_space_details
[3] The Linux system call convention: https://www.man7.org/linux/man-pages/man2/syscalls.2.html#NOTES
[4] Linux system call list on x86: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/entry/syscalls/syscall_64.tbl
[5] Per-process information in /proc: https://docs.kernel.org/filesystems/proc.html#process-specific-subdirectories
[6] Arithmetic in the Bash shell: https://www.gnu.org/software/bash/manual/html_node/Shell-Arithmetic.html
[7] The GNU dd command: https://www.gnu.org/software/coreutils/manual/html_node/dd-invocation.html
[8] The GNU od command: https://www.gnu.org/software/coreutils/manual/html_node/od-invocation.html
[9] The parameter list and environment size limit on Linux: https://man.archlinux.org/man/execve.2.en#Limits_on_size_of_arguments_and_environment

Author
Michael Williams, better known by his pseudonym Gordon Squash, is a freelance open source software developer. He is a member of the Core Developers Team of the MATE Desktop Environment project (https://mate-desktop.org/), enjoys hacking anything related to the GTK+ GUI widget toolkit, and continues to develop a fork of GTK+ called STLWRT (https://github.com/thesquash/stlwrt) when time permits. You can see some of his other current projects on his personal GitHub page at https://github.com/thesquash/.



REVIEW
Distro Walk – Debian LTS

Extending the lifetime of Debian stable

Debian LTS
The Debian LTS Team works to extend the lifetime of Debian stable to five years. We talk to
team members to learn more about this little-known project. By Bruce Byfield

T
he increasing number of large collected by Roberto C. Sánchez, the co- for Linux distributions that have support
nonprofit and commercial instal- ordinator of the Debian LTS team, and time frames of five years or more.
lations in the last couple of de- Christopher Huhn volunteered to pro- In 2014, Debian developer Raphaël
cades has made long term sup- vide a user’s persective. Hertzog, owner of the French IT con-
port (LTS) releases a fixture in Linux. sultancy Freexian SARL, commenced
Debian, often seen as one of the more Linux Magazine (LM): How did the an initiative to seek out sponsors to
community-based distributions, is not an Debian LTS project begin? provide funding in support of provid-
exception to this trend. Debian LTS [1] – ing an additional two years of support
funded by Freexian, a service company Debian LTS Team (DLTST): Historically, for Debian stable (version 6,
founded by long-time Debian developer the Debian Security Team had committed “squeeze,” was the stable release at
Raphaël Hertzog [2] – has become a to supporting a particular stable release that time) to provide users a Debian
large subproject, cooperating with the until one year after the release of its suc- stable release that would receive secu-
main Debian distribution but remaining cessor. During the time when the Debian rity updates for five years from its ini-
semi-independent. project was producing new stable releases tial date of release. Raphaël also set
Despite a number of Debian LTS con- less frequently than at present, the secu- about recruiting interested Debian de-
tributors blogging regularly about their rity support time frame worked out to velopers who could perform the work
work, this project within a project has around four to five years. Some years ago, of preparing the required updates (as
flown under the radar for years. Out of the Debian project decided to move to a well as other tasks associated with pro-
curiosity, I contacted Debian LTS to learn more consistent release tempo of approxi- viding this security support).
more. Answers to my questions were mately 24 months between stable re-
leases. The resources of the Debian Secu- LM: When a new Debian release comes
Author rity Team did not allow them to extend out, the former stable repository be-
Bruce Byfield is a computer journalist and the support commitment, as it was not comes oldstable for a year. Why is the
a freelance writer and editor specializing possible for them to support three Debian oldstable repository not sufficient?
in free and open source software. In stable releases simultaneously. As a result
addition to his writing projects, he also of this, the Debian Security Team is now DLTST: The LTS effort continues upload-
Lead Image CC by-SA

teaches live and e-learning courses. In his


committed to supporting each Debian sta- ing to that same oldstable release target.
spare time, Bruce writes about Northwest
Coast art (http://brucebyfield.wordpress.
ble release for three years. This means that users do not have to do
com). He is also co-founder of Prentice However, the popularity of Ubuntu’s anything special in order to use LTS. So,
Pieces, a blog about writing and fantasy at LTS releases and Red Hat Enterprise for instance, if a user installed Debian 12
https://prenticepieces.com/. Linux demonstrated that demand existed “bookworm” today and configured the

24 APRIL 2024 ISSUE 281 LINUX-MAGAZINE.COM


REVIEW
Distro Walk – Debian LTS

standard archive mirror sources, includ- life-cycle phase for every Debian stable upstream developer, the Debian Secu-
ing the security archive, then that user release, rather than a designation rity Team of another Linux distro, or
can expect to receive package updates which applies to some Debian releases someone else entirely. Sometimes the
until around mid-2028 for that system and not to others. patch may require modification and
(five years after the initial release of The LTS effort is sponsored primarily other times an entirely new patch must
bookworm). by companies, organizations, and gov- be developed (either because an exist-
The key takeaway is that the efforts of ernment entities [3] who see a benefit in ing patch does not work with the pack-
LTS contributors result in package up- having Debian stable releases with a age in Debian or because no patch has
loads using the same tools and infra- five-year support life cycle. Since the been developed by anyone else). In
structure as the Debian Security Team’s sponsors are entities which presumably some instances, a package cannot be
uploads, which results in a nearly seam- try to control the costs associated with supported in its current state, and it is
less experience for users. their technology infrastructure, it stands instead updated to a new version,
to reason that supporting the LTS effort though this is very uncommon.
LM: What are the reasons for and advan- is a cost-effective alternative for them as Other types of updates which the LTS
tages of using LTS? Any disadvantages? compared to more frequent upgrades. Team prepares includes firmware up-
dates and volatile packages such as anti-
DLTST: Simply put, a user can install a CH: To give one example, I’m working at virus and time-zone data files, which re-
Debian stable release with confidence the German research institute GSI Helm- quire periodic updates even when no
that it will continue receiving security holtz Centre for Heavy Ion Research in vulnerability exists.
updates until five years from its initial the area of high energy physics, similar to LTS contributors funded through
release. CERN in Geneva but significantly smaller Freexian are also encouraged to go be-
That said, there are some disadvantages which can come into play in the latter part of the five-year time frame. As software ages, it can become more difficult to maintain. From a user perspective, this means that some security updates may be slower to arrive and also that some packages may have to be dropped from support. This is not common, and it is something which may also happen during the earlier part of the life of a stable release.

Christopher Huhn (CH): It adds another two years of support to oldstable – for all packages in the Debian archive! There are some small exceptions (the Chromium web browser, for example), but it's a (small and convenient) denylist of unsupported packages rather than an allowlist of supported packages.

LM: Who is the audience for LTS? To what extent are the sponsors of Debian LTS a reflection of the audience?

DLTST: All Debian users. The label "LTS" can be used in multiple distinct ways. Ubuntu, as well as some upstream projects, uses the LTS label to designate particular releases as those which have support for a longer time frame, whereas other releases receive support for a shorter time. The way the Debian LTS effort is structured is such that every Debian stable release receives five years of security update support. That makes LTS more like a

(about 1,500 employees). My team takes care of about 1,000 Linux instances of various flavors (central servers, virtual machines, desktops), mostly running Debian GNU/Linux (since 1995). On my NAS at home, I run openmediavault, which is Debian based and also profits from LTS support. My install is still Debian 10 (oldoldstable).

LM: What does the Debian LTS Team's work consist of?

DLTST: The most common task is Common Vulnerabilities and Exposures (CVE) triage. Each new security vulnerability is assigned a CVE ID by a responsible entity. This allows different organizations (such as vendors or developers) to coordinate their efforts. Each new CVE must be assessed to determine if it is applicable to Debian (many CVEs are for software packages and products not shipped by Debian). Then those which are potentially applicable must be further assessed to determine which packages in Debian are affected and which versions of those packages. The Debian Security Team already does a great deal of this, and the Debian LTS Team supplements this by focusing on assessing the CVEs to determine if they affect packages under the responsibility of the LTS Team.
After triage, the next most common activity is preparing security fixes. This may be as simple as applying a patch developed by someone else, an

beyond simply preparing updates for LTS. For example, if a given package is not fixed in any Debian suite, then the contributor will often prepare an update for stable in coordination with the Debian Security Team and/or release managers, and sometimes also an update for unstable in coordination with the package maintainer.

LM: Why are some architectures unsupported? A lack of audience? Resources? Something else?

DLTST: Certain architectures are considerably less popular than others and are generally also more difficult to support. There are a variety of reasons for this. Among those reasons are that some architectures have fewer build resources available (all security updates must be built for all supported hardware architectures). Also, when the build resources are available, then dealing with architecture-specific bugs and regressions can be a very time-consuming process.
The currently supported list of architectures for LTS covers greater than 99.8 percent of reported Debian users [4]. The exclusion of hardware architectures which have very low usage rates and which are also more difficult to support allows the Debian LTS Team to much more efficiently apply limited resources.

LM: How does Debian LTS' security and its backports compare to that of the main releases? And how does the LTS
LINUX-MAGAZINE.COM ISSUE 281 APRIL 2024 25


REVIEW
Distro Walk – Debian LTS

team interact with the main Debian security team?

DLTST: The LTS Team follows a set of procedures that very closely parallels the procedures of the Debian Security Team. As a result, updates prepared by the LTS Team adhere to the same quality criteria as updates prepared by the Debian Security Team. The only meaningful difference when it comes to updates prepared by the LTS Team is that during the LTS phase of the life cycle there are no point releases.
To elaborate, not all updates to a Debian stable release are made by the Debian Security Team. Certain bug fixes and lower priority security issues are fixed by point releases. Point releases require infrastructure and the involvement of other teams which lack the resources to extend support up to five years. Because of this, the LTS Team prepares updates which may at times be more minor than those which the Debian Security Team would handle during the first three years of a release.
The LTS Team interacts with the Debian Security Team on an ongoing basis. We work in the same instance of the Debian Security tracker, and LTS contributors regularly communicate with members of the Debian Security Team via email and IRC. Members of the Debian Security Team are also often present in the LTS IRC channel.

LM: What is Freexian's role in Debian LTS?

DLTST: Freexian solicits sponsorships, acting as the receiver of sponsor funds and disbursing funds to contributors performing the LTS work. Because LTS contributors funded through Freexian are all experienced Debian developers, they work mostly independently. Freexian establishes general guidelines based on the expectations that have been communicated to sponsors about how funds will be used, and contributors are expected to work professionally and in accordance with those guidelines. However, LTS contributors still have a great deal of freedom in deciding how they work, and they use their experience and judgment to decide this. Contributors frequently communicate and collaborate via various means, often requesting that another contributor review a patch, assist with testing, etc.
That said, Debian LTS is not at all restricted to Freexian. Any Debian developer is allowed to upload updates to the Debian LTS repository, and there are some Debian contributors that also maintain their packages in Debian LTS, independently of the Freexian umbrella. Debian LTS is actually quite an open project.

LM: How does end of life for LTS releases affect users?

DLTST: Users who require support beyond the five-year life cycle are able to subscribe to Freexian's Extended LTS (ELTS) offering.

CH: The ELTS support has a different business model: Instead of a flat rate for all packages with a few exceptions, you pay for the specific source packages you want supported (that is, an allowlist). This makes things a bit more cumbersome.
At least in our case, the ELTS support is more expensive than our LTS sponsorship. The number of installs of a specific package is not taken into account, so it does not matter if an ELTS supported package is installed on one or many machines. The costs per package moderately rise with every semi-annual renewal of the support contract, so support for really old Debian releases gets more expensive over time.
Our plan is to roll over from our current Debian 9 ELTS support to Debian 10 ELTS in the summer of this year, when the regular LTS support for Debian 10 will end. This way we extend the support lifetime of our Debian installs to seven years, which is a time span in which you really want to replace the underlying hardware and upgrade anyhow.

LM: How do you see Debian LTS evolving in the future?

DLTST: There is not anything specific we would like to do within the scope of LTS that we are not already doing. We are able to effectively manage the flow of new CVEs, and we are working towards partnering with upstream developers and other interested parties on more robust LTS-type support from certain upstream projects. LTS contributors also work towards improving Debian as a whole.

Conclusion
Thanks to the Debian LTS Team and Christopher Huhn for providing insights into how Debian LTS works. It is a measure of how Linux has evolved, and of how its audience has grown, that such a large and active effort has emerged.

Info
[1] Debian LTS: https://www.debian.org/lts/
[2] Freexian: https://www.freexian.com/
[3] Debian LTS sponsorship: https://www.freexiian.com/lts/debian/
[4] Debian usage statistics: https://popcon.debian.org/


REVIEW
openSUSE MicroOS

Exploring openSUSE's MicroOS

No Change!
If you want the most recent software without sacrificing stability, try running a minimal Linux distribution then adding additional services and applications in containers. OpenSUSE MicroOS provides a robust foundation for implementing this vision. By Koen Vervloesem

Open source software development happens so rapidly that the distributions can't keep pace and often still have older versions in their repositories. Or, even if you don't have old software, running multiple services or applications on the same operating system sometimes results in compatibility issues.
If your goal is to run a couple of services in a reliable way, you'll likely find yourself using a container-based solution like Docker or Podman. But even then, you still need to manage that underlying Linux distribution. In an ideal scenario, you would want to only deal with the containers and forget about the host system.
Several Linux distributions have introduced minimal systems that offer only the packages necessary for running containers. You can't install any software directly on such a system; you can only install software in containers. You also don't need to manage or update anything after the initial configuration process. This kind of operating system is somewhat exaggeratedly called an immutable OS.
Thanks to technologies such as Flatpak [1] and Snap [2], you can use the same approach on the desktop: run a minimal Linux distribution that you can't change using a traditional package manager, and, instead, install additional applications as Flatpaks or snaps. This method allows applications to be packaged together with their dependencies, thus preventing mutual interference or disruption to the underlying distribution. With this approach, users are able to run updated software without facing dependency issues or compromising system stability.
This article takes a look at MicroOS, an immutable version of openSUSE. I'll start with the server edition and then move to the desktop. The fundamentals remain the same for both server and desktop. The most significant difference lies in the way you install services and applications on top of the immutable base.

Minimal openSUSE
OpenSUSE MicroOS [3] is designed to function as a single-purpose system. A typical purpose is to host containers, but as you'll see later in this article, you can also use it as a minimal desktop. The operating system updates itself automatically and has a minimal selection of RPM packages from openSUSE's repositories.
The root filesystem uses Btrfs and is mounted as read-only. Updates to the packages are transactional: Either an update occurs entirely or not at all. Consequently, you can never wind up with a system that is broken due to a partial update. Transactional updates are handled by a wrapper script around openSUSE's Zypper package manager called transactional-update [4]. The script uses the Snapper [5] tool to create a new Btrfs snapshot of the root filesystem and then performs a system update. If the installation is successful, the script marks the new snapshot as the default snapshot, which is then activated with a reboot.
However, if an error emerges during the update, the snapshot is discarded and the previous snapshot stays as the default. Alternatively, you can switch your system into a new snapshot directly without rebooting. MicroOS also runs a health-checker [6] systemd service that evaluates whether the system boots as expected following an update. If it turns out that the system is not "healthy," the service performs an automatic rollback

Photo by Lauren Mancke on Unsplash


to the previous default snapshot of the root filesystem.
The /usr directory is read-only. The default configuration is in /usr, hence you can't modify it. However, /etc and /var are writable. If you want to make changes to openSUSE MicroOS as an administrator, you do so in files in /etc. OpenSUSE's libeconf [7] merges configuration files that are in different locations. Most standard MicroOS packages are modified to be compatible with this system. All this infrastructure in MicroOS makes the system more resilient to risky modifications.

Three Server Versions
The openSUSE MicroOS family consists of three server versions, so you have to choose one first. The regular openSUSE MicroOS adheres to the rolling-release model of openSUSE Tumbleweed and is hence updated continuously. That might sound precarious for an operating system expected to provide a reliable base for your containers. However, thanks to transactional upgrades, your installation is automatically rolled back in case of complications. You can also choose to revert it manually if needed.
SUSE also provides a lightweight, container-optimized version of its enterprise edition called SUSE Linux Enterprise (SLE) Micro [8]. Updates for SLE Micro don't arrive continuously but are thoroughly tested by SUSE before they're pushed to the release. As a home user, you can also run the community version based on SLE Micro, which is openSUSE Leap Micro [9].
As a home user you can choose whether you would like to run the rolling-release version (MicroOS) or the community version of the enterprise tier (SLE Micro). However, the architecture of openSUSE MicroOS reduces the risk of issues with updates. You also get access to new functionality faster with a rolling release in a distribution that is still under development. That is why I tested openSUSE MicroOS and not Leap Micro for this article. In practice, it won't make much difference which version you run.

Download and Installation
The openSUSE MicroOS downloads page [10] offers a multitude of installation images. To run containers, you need the Base System + Container Runtime Environment image, which only exists for 64-bit systems. You'll find an ISO image for Intel, ARM, and PowerPC systems, as well as images for the Raspberry Pi and Pine64 SBCs and for running the operating system virtualized in Qemu/KVM or Xen, VirtualBox, VMware, Vagrant, or Microsoft Hyper-V. There's also a version to run on OpenStack Cloud that you can configure using cloud-init. I tested the x86_64 version for Qemu/KVM and operated it on KVM. The download was 463MB.
MicroOS requires at least 1GB of RAM, and obviously more if you plan to run many containers on it. I tried it out in a virtual machine with 4GB of RAM. The root partition requires at least 5GB, and the partition where /var is mounted needs at least 5GB. Again, more is recommended, depending on your container workloads.
Upon starting openSUSE MicroOS for the first time, you are presented with a text-based wizard that assists with the initial configuration. You select your keyboard layout, accept the license agreement (GPLv2), choose your time zone, and then set a root password. Next, you are shown the machine's SSH host keys and IP address, after which you can log in locally (Figure 1).

Figure 1: OpenSUSE MicroOS after the first boot.

The SSH server does not allow you to log in as the root user with just a password. However, you can automatically add an SSH key during the first boot using cloud-init or Ignition. The configurations for cloud-init and Ignition are explained on the MicroOS project wiki.

System Administration
MicroOS doesn't require much for system administration: It "just works." But it is useful to know some things. The command zypper search -i lets you view all installed packages, but for package management, you need to use transactional-update. By default, a systemd timer transactional-update.timer updates all packages once a day around midnight. If you want to change this configuration, do so with the following command, which opens the unit file with the default editor Vim:

# systemctl edit transactional-update.timer

Changing this could be beneficial, for example, if the corresponding reboot to apply the snapshot isn't convenient at the default time.
You can also manually run transactional-update to perform system updates and even update, install, or uninstall individual packages. However, the developers recommend against installing individual packages in this manner. Remember to reboot following each command to activate the snapshot. If you still want to pursue the manual route, be sure to read the instructions at the project's wiki. You can also manually roll back to the previous


snapshot with the transactional-update rollback command.
One situation where you would need to install a package manually is if you have installed a "Base System"-only image of MicroOS and still plan to run container workloads. In this case, install Podman and reboot your system so you have a container runtime:

# transactional-update pkg install podman
# reboot

Running Containers
The idea in MicroOS is to run as many of your services in containers as possible. By default, MicroOS uses Podman for container support. As an example of running a service in MicroOS, I'll show you how to set up and run the Pi-hole ad-blocking tool [11].
First create some directories:

# mkdir /etc/pihole
# mkdir /etc/dnsmasq.d

Then start the container:

# podman run -d --name pihole \
    --label io.containers.autoupdate=registry \
    -e TZ=Europe/Brussels -e VIRTUAL_HOST=pi.hole \
    -e PROXY_LOCATION=pi_hole -e ServerIP=127.0.0.1 \
    -e WEBPASSWORD=test --cap-add=NET_ADMIN \
    -p 8080:80 -p 53:53/udp -p 53:53/tcp -p 443:443 \
    -v /etc/pihole:/etc/pihole:z \
    -v /etc/dnsmasq.d:/etc/dnsmasq.d:z \
    docker.io/pihole/pihole:latest

Change the ServerIP to the fixed IP address assigned to the host system, and change WEBPASSWORD to something more secure. Keep in mind that a password passed with -e is visible to every local user in the process list and ends up in any unit file generated from the container. Once the container is started, you can access Pi-hole's management interface at http://IP:8080/admin.
Now, if you want this container to start automatically upon host startup, let Podman generate a systemd service unit file for it:

# podman generate systemd --new --name --files pihole
# cp container-pihole.service /etc/systemd/system/
# systemctl daemon-reload
# systemctl enable --now container-pihole.service

You will now see the Pi-hole container running as a systemd service (Figure 2). Note that recent Podman releases mark podman generate systemd as deprecated in favor of Quadlet unit files placed in /etc/containers/systemd/; the generated unit keeps working, but new deployments should prefer Quadlet.

Figure 2: Pi-hole running on openSUSE MicroOS in a Podman container, started as a systemd service.

You can also run virtual machines rather than containers on top of openSUSE MicroOS. Use libvirt with Qemu/KVM as the back end for this purpose. Managing your virtual machines is then done with the virsh and virt-install commands. The MicroOS wiki contains some suggestions for getting started with virtualization [12].

Toolbox
If you install MicroOS in its Base System + Container Runtime Environment configuration, it also comes with Toolbox [13] by default. Toolbox allows you to install the various tools you need for server management or other purposes in separate containers, without having to modify the base operating system.
You simply start an openSUSE Tumbleweed Toolbox container with the following command:

# toolbox

Within this container, the host's root filesystem is mounted on /media/root/. You can now install your favorite management tools in the container with zypper without polluting the host.

Figure 3: Choose the system role for your openSUSE MicroOS installation.
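A practical check that follows from the transactional-update workflow described above, added here as an example and not part of the article or of the MicroOS project: a staged update, security fixes included, is not in effect until the new snapshot is booted, so a host whose default snapshot differs from the running one is still executing the old binaries. The shell function below parses the marker column of snapper list output. It assumes the snapper(8) convention that the currently mounted snapshot is marked with '*', the default for the next boot with '+', and a snapshot that is both with '-'. The two listings embedded in the block are constructed samples.

```shell
#!/bin/sh
# Added example (not from the article or from openSUSE): report whether a
# transactional-update snapshot has been staged but not yet booted.
# Assumption: `snapper list` marks the running snapshot with '*', the default
# for the next boot with '+', and a snapshot that is both with '-'.

# Reads `snapper list` output on stdin and prints one of:
#   current      the running snapshot is the default, nothing is staged
#   pending N    snapshot N is the new default; reboot (or transactional-update
#                apply) before considering its updates active
#   unknown      no default mark found, e.g. on a non-transactional host
tu_reboot_state() {
    awk '
        # First field looks like "3+" or "2*": snapshot number plus marker.
        $1 ~ /^[0-9]+[*+-]$/ {
            n = substr($1, 1, length($1) - 1)
            m = substr($1, length($1))
            if (m == "-")      { cur = n; def = n }
            else if (m == "*") { cur = n }
            else if (m == "+") { def = n }
        }
        END {
            if (def == "")       print "unknown"
            else if (cur == def) print "current"
            else                 print "pending " def
        }'
}

# Constructed sample, laid out like `snapper list` on MicroOS: snapshot 3 was
# created by the nightly timer, but snapshot 2 is still the one running.
sample_snapper_pending() {
    cat <<'EOF'
 # | Type   | Pre # | Date                     | User | Cleanup | Description           | Userdata
---+--------+-------+--------------------------+------+---------+-----------------------+--------------
0  | single |       |                          | root |         | current               |
1  | single |       | Mon Feb 12 10:00:00 2024 | root | number  | first root filesystem |
2* | single |       | Mon Feb 19 00:03:11 2024 | root | number  | Snapshot Update of #1 | important=yes
3+ | single |       | Mon Feb 26 00:02:57 2024 | root | number  | Snapshot Update of #2 | important=yes
EOF
}

# Constructed sample of the same host after the reboot.
sample_snapper_current() {
    cat <<'EOF'
 # | Type   | Pre # | Date                     | User | Cleanup | Description           | Userdata
---+--------+-------+--------------------------+------+---------+-----------------------+--------------
0  | single |       |                          | root |         | current               |
2  | single |       | Mon Feb 19 00:03:11 2024 | root | number  | Snapshot Update of #1 | important=yes
3- | single |       | Mon Feb 26 00:02:57 2024 | root | number  | Snapshot Update of #2 | important=yes
EOF
}

# On a real MicroOS host, as root:  snapper list | tu_reboot_state
```

Run the last line from a monitoring job or a post-patch verification step; a "pending" result means the timer did its work but the security updates in that snapshot are not yet what the machine is running.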

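Two things a security reviewer would change in the Pi-hole deployment above: the admin password travels as -e WEBPASSWORD=test, where every local user can read it from the process list and where it is copied verbatim into the generated unit, and podman generate systemd is deprecated in newer Podman releases in favor of Quadlet units. The following is an added example, not code from the article or from the Pi-hole or Podman projects, that writes a Quadlet .container unit for the same container and takes the password from a Podman secret instead. It assumes a Podman version with Quadlet and Secret= support (4.5 or later), the rootful Quadlet directory /etc/containers/systemd/, that Quadlet names the generated service pihole.service after the file, and the secret name pihole-webpassword, which is chosen here.

```shell
#!/bin/sh
# Added example (not from the article or from Pi-hole/Podman): run the Pi-hole
# container as a Quadlet unit, with the admin password kept in a Podman secret
# instead of on the command line.
# Assumptions: Podman >= 4.5 (Quadlet with Secret=), the rootful Quadlet
# directory /etc/containers/systemd/, and the secret name pihole-webpassword.

# Print the unit. $1 = the host's fixed IP address, $2 = timezone (optional).
pihole_quadlet_unit() {
    server_ip="$1"
    tz="${2:-Europe/Brussels}"
    cat <<EOF
[Unit]
Description=Pi-hole ad blocker
After=network-online.target
Wants=network-online.target

[Container]
Image=docker.io/pihole/pihole:latest
ContainerName=pihole
AutoUpdate=registry
Environment=TZ=${tz}
Environment=VIRTUAL_HOST=pi.hole
Environment=PROXY_LOCATION=pi_hole
Environment=ServerIP=${server_ip}
# The secret is injected as the WEBPASSWORD variable inside the container, so
# the password never appears in this file, in ps output, or in the journal.
Secret=pihole-webpassword,type=env,target=WEBPASSWORD
AddCapability=NET_ADMIN
PublishPort=53:53/udp
PublishPort=53:53/tcp
PublishPort=8080:80
PublishPort=443:443
Volume=/etc/pihole:/etc/pihole:z
Volume=/etc/dnsmasq.d:/etc/dnsmasq.d:z

[Service]
Restart=always

[Install]
WantedBy=multi-user.target default.target
EOF
}

# Install on the host (run as root). The admin password is read from stdin:
#   printf '%s' 'long random password' | pihole_quadlet_install 192.0.2.10
pihole_quadlet_install() {
    mkdir -p /etc/pihole /etc/dnsmasq.d /etc/containers/systemd
    podman secret create pihole-webpassword -
    pihole_quadlet_unit "$1" "$2" > /etc/containers/systemd/pihole.container
    systemctl daemon-reload          # Quadlet generates pihole.service
    systemctl start pihole.service   # started at boot through [Install]
}
```

With Quadlet there is no unit file to copy and no systemctl enable step; the [Install] section in the .container file takes care of starting the service at boot. AutoUpdate=registry keeps the behaviour of the article's --label, which means an unpinned :latest tag is pulled automatically; pin a digest if you want to review image updates before they run.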


With exit or Ctrl+D, you exit the container and close it. If you then type toolbox again, the container is restarted, and you again have access to all your installed tools.

MicroOS on the Desktop
OpenSUSE MicroOS is designed to function as a single-purpose operating system. On a server, that single purpose is typically running containers. However, you can also use MicroOS as a system whose sole purpose is to provide a desktop. Additional software will then be installed in sandboxes. Hence, you can enjoy a stable minimal desktop operating system, while also having access to the most recent software.
The openSUSE MicroOS project features two desktop editions: openSUSE Aeon, which includes the Gnome desktop environment, and openSUSE Kalpa, which offers the KDE Plasma desktop. It is worth noting that the Gnome version is still a release candidate and the KDE version is still in its alpha stage. As such, switching for daily use is not universally recommended: Make sure to test openSUSE's immutable desktop thoroughly before making the leap.
You also need to know that the configuration options are by design fairly limited: Don't expect the customization options found in a regular openSUSE Tumbleweed or Leap desktop. However, in some situations, this approach can be quite useful. Web browsing, installing software, and other fundamental functions operate straight out of the box.

Installing openSUSE Aeon
For this article, I tested openSUSE Aeon. Currently, installation requires downloading the 4.2GB ISO image from the openSUSE MicroOS downloads. The installer is the same as the graphical installer for openSUSE's regular desktop version.
First, choose your desired language and keyboard layout, and accept the license. In the next step, the installer presents you with a range of system roles. The first two options are MicroOS and MicroOS Container Host (the server versions explained above), succeeded by two desktop versions: one with Gnome and the other with KDE. Select MicroOS Desktop (GNOME) [RC] for openSUSE Aeon (Figure 3).
In the next steps, confirm the NTP servers, input the root user's password, and review the changes the installer will apply (Figure 4). Click on Install to start the installation process.

Figure 4: An overview of the installation settings for openSUSE Aeon.

Getting Started with a Read-Only Desktop
After rebooting the system, you'll be greeted by Gnome's welcome wizard, which prompts you to select your language and keyboard layout and decide whether applications are allowed to use location services. Following this, choose your time zone, optionally link any online accounts from Google, Nextcloud, or Microsoft, and then create a non-privileged user with corresponding username and password.
After this setup, openSUSE Aeon starts installing applications, such as Firefox, a calculator, a text editor, and a few others. The end result is a minimal, stripped-down Gnome desktop environment.
All desktop applications are installed as Flatpaks in your home directory and automatically get updated. You can observe this with the command flatpak list in a terminal window (Figure 5). You can install additional applications using Gnome Software (Figure 6), which is configured to install Flatpaks from Flathub [14] and to put them in ~/.local/share/flatpak. These installed packages don't touch the underlying operating system. Of course, the number of available Flatpaks is still limited compared to what's in openSUSE's traditional repositories. Currently, counting the entries in a flatpak remote-ls command on openSUSE Aeon shows around 4,300 Flatpaks on Flathub.

Figure 5: The list of Flatpaks right after installation of openSUSE Aeon.

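"Installed packages don't touch the underlying operating system" holds for the base image, but the sandbox around a Flatpak is only as tight as the permissions its manifest requests: an application that asks for filesystems=host or for talk access to org.freedesktop.Flatpak on the session bus can read your whole home directory or run commands outside the sandbox. The following added example, not from the article or from the Flatpak project, inspects the keyfile that flatpak info --show-permissions prints (its [Context] and [Session Bus Policy] groups) and flags the broad grants. The metadata embedded in the block is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the article or from Flatpak): flag sandbox grants
# that effectively give a Flatpak full access to the host. Input is the
# keyfile printed by `flatpak info --show-permissions APP` (or the app's
# metadata file), read from stdin. One finding per line, e.g. "filesystem:host".

flatpak_perm_findings() {
    awk -F= '
        /^\[/ { group = $0; next }
        group == "[Context]" && $1 == "filesystems" {
            n = split($2, fs, ";")
            for (i = 1; i <= n; i++) {
                sub(/:.*$/, "", fs[i])     # drop :ro / :rw / :create suffix
                if (fs[i] == "host" || fs[i] == "host-os" || fs[i] == "host-etc" || fs[i] == "home")
                    print "filesystem:" fs[i]
            }
        }
        group == "[Context]" && $1 == "devices" && index(";" $2 ";", ";all;") {
            print "device:all"                  # every device node in /dev
        }
        group == "[Context]" && $1 == "sockets" {
            if (index(";" $2 ";", ";x11;"))         print "socket:x11"          # X11 has no isolation between clients
            if (index(";" $2 ";", ";session-bus;")) print "socket:session-bus"  # unfiltered access to the session bus
        }
        group == "[Session Bus Policy]" && $1 == "org.freedesktop.Flatpak" && $2 == "talk" {
            print "dbus:org.freedesktop.Flatpak"   # can spawn commands on the host
        }
    '
}

# Exit status 0 when nothing was flagged; reads the same input.
flatpak_perm_ok() {
    [ -z "$(flatpak_perm_findings)" ]
}

# Constructed sample: an editor that asks for far more than it needs.
sample_flatpak_metadata() {
    cat <<'EOF'
[Application]
name=com.example.Editor
runtime=org.gnome.Platform/x86_64/45

[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=dri;
filesystems=host;xdg-download;home:ro;

[Session Bus Policy]
org.freedesktop.Flatpak=talk
EOF
}

# On a real desktop:  flatpak info --show-permissions org.mozilla.firefox | flatpak_perm_findings
```

Findings are not verdicts: a file manager legitimately needs filesystems=host, and an X11-only application cannot avoid socket:x11. The point is to know which installed Flatpaks are not meaningfully confined before treating the Flatpak layer as a security boundary. Permission overrides can be applied per application with flatpak override, which this script does not attempt.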


Figure 6: Installing software from Flathub via Gnome Software.

In its everyday use, openSUSE Aeon looks much like a normal openSUSE desktop system. As the base OS and Gnome desktop are built on the same RPM packages as openSUSE Tumbleweed, that shouldn't be surprising. To install and manage Gnome Shell extensions [15], the Extension Manager [16] is included. However, openSUSE Aeon comes with only basic configuration tools by default. There is no sign of the powerful YaST configuration tool that openSUSE is known for, and you'll have to make do with Gnome Settings [17] and Gnome Tweaks [18].

Alternative Software Installation
As the number of available Flatpaks is still limited, there will likely come a time when you need some software that isn't available as a Flatpak. Luckily, openSUSE Aeon comes with Distrobox [19]. Analogous to Toolbox, Distrobox uses Podman to create containers that are tightly integrated with the host. In openSUSE Aeon, those Distrobox containers share your home directory, external storage, USB devices, and graphical applications. That integration is the trade-off: software installed in a Distrobox container is not sandboxed the way a Flatpak is, and anything it does to your home directory happens on the host.
Therefore, if a specific application isn't available as a Flatpak in Gnome Software, just create a Distrobox container running openSUSE Tumbleweed with the distrobox-enter command. Within this container, you can install all RPM packages available in openSUSE's repositories using the familiar zypper commands. Currently, the openSUSE repositories contain more than 51,000 packages.
To export an application from the container to the host, install an application

Figure 7: Exporting an application from a Distrobox container makes it accessible from Gnome Activities in the host.


in the Distrobox container, and then, still from within the container, run the following command (in this case for the qucs-s application):

distrobox-export --app qucs-s

This command creates a .desktop file in your host system so that the application icon appears in Gnome Activities. The icon has the application's name, with (on tumbleweed) added to make it clear that it will start in an openSUSE Tumbleweed Distrobox container. You can now just start the application from within your host's Gnome Activities overview by clicking on the icon (Figure 7), which will transparently start the Distrobox container in the background and open the application window on your desktop.
Similarly, you can export command-line applications installed in the Distrobox container, for example, to your ~/.local/bin directory. If you installed the mosquitto-clients package with Zypper in the Distrobox container, you can export the mosquitto_pub and mosquitto_sub commands this way (executed from within the container):

distrobox-export --bin /usr/bin/mosquitto_pub --export-path $HOME/.local/bin
distrobox-export --bin /usr/bin/mosquitto_sub --export-path $HOME/.local/bin

If you then run mosquitto_pub or mosquitto_sub from a terminal on your openSUSE Aeon host, it transparently starts the Distrobox container and runs the command in the container. The presence of the container is only noticeable by a slightly longer startup time for the commands.
A last resort for software you can't install with Distrobox is to install RPM packages in the openSUSE Aeon host with the transactional-update command, as explained earlier for the openSUSE MicroOS server. However, this approach is only recommended for drivers, kernel modules, VPN clients, and other low-level packages.

Conclusion
The server version of openSUSE MicroOS is useful for lazy administrators who like having a platform to run containerized services without too much work on the underlying host. Furthermore, openSUSE Aeon could be the ideal operating system for users accustomed to the way mobile operating systems work. On a Chromebook or in iOS or Android, you don't customize the operating system itself but install isolated apps. Flatpaks offer a similar experience in openSUSE Aeon.

Author
Koen Vervloesem has been writing about Linux and open source, computer security, privacy, programming, artificial intelligence, and the Internet of Things for more than 20 years. You can find more on his website at koen.vervloesem.eu.

Info
[1] Flatpak: https://flatpak.org
[2] Snap: https://snapcraft.io/docs/quickstart-guide
[3] openSUSE MicroOS: https://microos.opensuse.org
[4] transactional-update: https://github.com/openSUSE/transactional-update
[5] Snapper: http://snapper.io
[6] health-checker: https://github.com/openSUSE/health-checker
[7] libeconf: https://github.com/openSUSE/libeconf
[8] SLE Micro: https://www.suse.com/download/sle-micro/
[9] openSUSE Leap Micro: https://get.opensuse.org/leapmicro/
[10] MicroOS downloads: https://en.opensuse.org/Portal:MicroOS/Downloads
[11] Pi-hole: https://pi-hole.net
[12] MicroOS virtualization: https://en.opensuse.org/Portal:MicroOS/Virtualization
[13] Toolbox: https://containertoolbx.org
[14] Flathub: https://flathub.org
[15] Gnome Shell extensions: https://extensions.gnome.org
[16] Extension Manager: https://flathub.org/apps/com.mattjakeman.ExtensionManager
[17] Gnome Settings: https://help.gnome.org/users/gnome-help/stable/prefs.html
[18] Gnome Tweaks: https://gitlab.gnome.org/GNOME/gnome-tweaks
[19] Distrobox: https://distrobox.it


IN-DEPTH
AlmaLinux's ELevate Migration Tool

Migrating from CentOS 7

ELevate to the Future
CentOS 7 reaches end of life in June 2024, forcing users to look for a free enterprise Linux alternative. AlmaLinux's ELevate migration tool can help ease the transition. By Rubén Llorente

For years, CentOS was the operating system of choice for users who needed a free enterprise Linux solution. CentOS offered a predictable life cycle and a long lifespan for each release, making it a reliable alternative to the commercial Red Hat Enterprise Linux (RHEL) distribution. That all changed in 2020 when Red Hat replaced CentOS 8 with CentOS Stream and announced that CentOS 7 would reach end of life on June 30, 2024.
Despite its name, CentOS Stream does not serve as a replacement for CentOS. While CentOS sat downstream of RHEL, making it a reliable replacement for RHEL, CentOS Stream sits upstream and serves as a developmental platform for RHEL contributors. As a result, Red Hat has warned that CentOS Stream is not considered stable for production environments [1].
As one would expect from the open source community, CentOS alternatives started popping up almost immediately after this announcement. One of these alternatives, AlmaLinux [2], quickly stepped in as a replacement for CentOS by offering 1:1 bug compatibility with RHEL by early 2021, eventually moving to application binary interface compatibility in 2023 when Red Hat restricted access to RHEL source code. Today, AlmaLinux provides an alternative for former CentOS users as a forever-free, community-governed, production-grade platform focused on long-term stability.
While an alternative free enterprise Linux solution like AlmaLinux is good news in light of the fast approaching CentOS end of life, administrators still need to migrate their existing CentOS systems to a new enterprise Linux distribution. Migration isn't exactly a trivial task. Luckily, AlmaLinux has an answer for this migration problem: ELevate [3].
By combining Red Hat's Leapp [4] framework with a community-created migration metadata library and service, ELevate lets you convert an existing CentOS 7.x install to the 8.x version of a RHEL derivative. Developed by AlmaLinux to be agnostic, ELevate supports upgrade paths for multiple RHEL derivatives (see Figure 1). You can also use ELevate as a regular upgrade tool.
Until recently, ELevate only supported official operating system repositories. If your CentOS install used "extra" repositories, such as the popular Extra Packages for Enterprise Linux (EPEL) repository, you could only migrate using ELevate Testing. ELevate now offers third-party EPEL support for migrating from CentOS 7 to AlmaLinux 8 in the stable release [5]. Furthermore, ELevate has added support for other repositories (Imunify, KernelCare, MariaDB, NGINX, and PostgreSQL) for all supported systems (AlmaLinux, CentOS, EuroLinux, Oracle Linux, and Rocky Linux).
With CentOS 7's end of life quickly approaching, system administrators need to develop a migration plan. AlmaLinux's ELevate tool can help ease the pain of migration. In this article I will show you how to use ELevate to migrate from CentOS 7 to AlmaLinux 8.

Precautions Before Upgrading
This article intends to be a quickstart guide on ELevate to help you upgrade

Lead Image © sergeyback, 123RF.com


IN-DEPTH
AlmaLinux’s ELevate Migration Tool

away from CentOS 7 to AlmaLinux quickly and painlessly. Before you get started, it is important you adopt the necessary precautions and make the required preparations.

While ELevate is being used to upgrade production systems in the wild, caution is still advised. At the very least, you should back up your systems before you get started, just in case. AlmaLinux recommends doing a trial run in a sandbox to verify the migration works in your environment before migrating a production system.

The upgrade process will be done in-place, which means AlmaLinux will be installed over your CentOS instance directly. The machine being subjected to conversion will need to be rebooted more than once.

Only single-step upgrades are supported. This means that if you intend to migrate to AlmaLinux 9, you will need to migrate to AlmaLinux 8 first and then upgrade from there.

Gathering the Tools

Before you start migrating, you first must ensure your CentOS instance is up to date. I like to reboot after system updates to ensure every installed service loads the updated components as follows:

$ sudo yum update -y
$ sudo reboot

Next, you need to install ELevate. You can install the standard release from the associated AlmaLinux repository, which you can enable as follows:

$ sudo yum install -y http://repo.almalinux.org/elevate/elevate-release-latest-el$(rpm --eval %rhel).noarch.rpm

That release package carries the repository definition and the GPG key that every later package will be checked against, so it is the root of trust for the whole migration. Fetch it over https rather than plain http, and compare the key it imports with the fingerprint AlmaLinux publishes before going any further.

As mentioned earlier, ELevate uses Red Hat's upgrade tool, Leapp. In order to migrate to AlmaLinux, you must fetch Leapp, along with the patch files that will configure it to upgrade CentOS 7 into AlmaLinux:

$ sudo yum install -y leapp-upgrade leapp-data-almalinux

Ready to Migrate

It is a good idea to ensure your applications will run on AlmaLinux before you migrate. AlmaLinux provides a pre-upgrade check to determine the feasibility of the migration. When migrating from CentOS 7, you are likely to get a failure message at this stage, which is to be expected (Figure 2). Make sure you invoke the preupgrade checks with the following command:

$ sudo leapp preupgrade

Figure 1: AlmaLinux supports multiple upgrade paths. Notice that ELevate does not support upgrading from Oracle Linux 8 to Oracle Linux 9. Upgrading to CentOS Stream 9 is still experimental at the time of writing.

Figure 2: This failure message is to be expected. In order to proceed further, you need to fix the problems listed in /var/log/leapp/answerfile.
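The pre-upgrade stage leaves two things for you to check by hand: the open questions in /var/log/leapp/answerfile and, after the final reboot, the SELinux mode. The following Python script is an added example, not code from the article or from the ELevate project. It parses an answerfile to list the questions that are still unanswered and prints the matching leapp answer commands, and it reads the SELINUX= setting from /etc/selinux/config. The answerfile sample inside the script is constructed for the example and modelled on the layout Leapp writes (a [section] header per question, commented metadata, and either an uncommented confirm = line or a commented-out # confirm = for an open question); the file paths are the ones the article names.

```python
"""Added example: helpers for the leapp preupgrade stage of an ELevate migration.

Not code from the article or the ELevate project. SAMPLE_ANSWERFILE is
constructed for this example and modelled on the layout Leapp writes to
/var/log/leapp/answerfile: one [section] per question, commented metadata,
and either `confirm = True/False` (answered) or `# confirm =` (still open).
"""
import re
from typing import Dict, List, Optional

# Constructed sample, not captured from a real host.
SAMPLE_ANSWERFILE = """\
[remove_pam_pkcs11_module_check]
# Title:              Disable pam_pkcs11 module in PAM configuration
# Available choices: True/False
# Unanswered question. Uncomment the following line with your answer
# confirm =

[authselect_check]
# Title:              Confirm that authselect should be used
# Available choices: True/False
confirm = True
"""

SECTION_RE = re.compile(r"^\[([A-Za-z0-9_]+)\]\s*$")
# Group 1 is set when the line is commented out; group 2 holds the value.
CONFIRM_RE = re.compile(r"^(#\s*)?confirm\s*=\s*(\S*)\s*$")


def parse_answerfile(text: str) -> Dict[str, Optional[bool]]:
    """Map each question section to True/False, or None when still unanswered."""
    answers: Dict[str, Optional[bool]] = {}
    section: Optional[str] = None
    for line in text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group(1)
            answers.setdefault(section, None)
            continue
        if section is None:
            continue
        ans = CONFIRM_RE.match(line)
        # Only an uncommented, non-empty `confirm = ...` counts as an answer.
        if ans and not ans.group(1) and ans.group(2):
            answers[section] = ans.group(2).lower() == "true"
    return answers


def unanswered_sections(text: str) -> List[str]:
    """Sections whose question has not been answered yet."""
    return [name for name, value in parse_answerfile(text).items() if value is None]


def answer_commands(text: str, confirm: bool = True) -> List[str]:
    """The `leapp answer` invocations (same form as Listing 1) for every open question.

    Read each question before running these: confirm=True accepts whatever
    action the check proposes, such as removing a PAM module.
    """
    return [
        f"sudo leapp answer --section {name}.confirm={confirm}"
        for name in unanswered_sections(text)
    ]


def selinux_config_mode(config_text: str) -> str:
    """Value of SELINUX= in /etc/selinux/config, i.e. the mode applied at the next boot."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("SELINUX="):
            return line.split("=", 1)[1].strip().lower()
    return "unknown"


if __name__ == "__main__":
    for cmd in answer_commands(SAMPLE_ANSWERFILE):
        print(cmd)
    try:
        with open("/etc/selinux/config", encoding="utf-8") as fh:
            print("SELinux mode configured for next boot:", selinux_config_mode(fh.read()))
    except FileNotFoundError:
        print("no /etc/selinux/config on this host")
```

On a real host, feed the contents of /var/log/leapp/answerfile to parse_answerfile() instead of the sample; the script only proposes confirm=True, it does not run anything, so the decision to accept each check stays with you.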


Figure 3: The issues listed in /var/log/leapp/answerfile must be resolved before the upgrade process can commence.

During the pre-upgrade stage, a report will be saved to /var/log/leapp/leapp-report.txt with a list of dangerous actions that might occur during the migration. Some suggestions are also given. Most likely, a file will be generated in /var/log/leapp/answerfile with questions that require a true/false answer. These questions must be answered before the upgrade can take place (Figure 3). You can answer these questions by either editing the file directly or using leapp answer.

Listing 1 shows the bare minimum fixes you should perform immediately after running preupgrade in order to satisfy the answerfile from a CentOS 7 install.

Listing 1: Common Fixes after the Pre-Upgrade

sudo rmmod pata_acpi
echo PermitRootLogin yes | sudo tee -a /etc/ssh/sshd_config
sudo leapp answer --section remove_pam_pkcs11_module_check.confirm=True

Be clear about what the second line does: Leapp inhibits the upgrade unless PermitRootLogin is set explicitly, because the effective default differs between the two releases, and writing yes keeps CentOS 7's behavior of letting root log in over SSH with a password. If you do not rely on that, prohibit-password or no satisfies the check just as well. The third line confirms that the pam_pkcs11 module (smart-card login) may be removed, so read the question in the answerfile before accepting it.

Once you are ready, launch the upgrade by issuing the final command:

$ sudo leapp upgrade

You will need to reboot manually afterwards (Figure 4). The machine will boot into your new AlmaLinux 8 distribution. If you run into any additional issues, please see the ELevate Frequent Issues page on the AlmaLinux website [6].

Verifying SELinux State

Running leapp will set SELinux to permissive mode during the upgrade in order to carry it out. This should not be an issue for most users. Nevertheless, if you had SELinux enabled in CentOS 7, you might want to have it enabled in AlmaLinux 8. You can check the current SELinux state with the following command:

$ getenforce

If the output of the above command is Enforcing, SELinux is enabled and there is nothing left to do. If not, you can set SELinux to enforcing mode by editing /etc/selinux/config and setting the variable SELINUX within the config file to enforcing. You then need to reboot your system for the configuration to take effect. A system that ran in permissive mode keeps its file labels, so no relabel is needed; only a host that had SELinux fully disabled needs a relabel (touch /.autorelabel) before that reboot.

Figure 4: Once leapp upgrade is finished, the only thing left to do is to reboot your machine.

Conclusion

As CentOS's end of life draws near, you are going to need a migration plan for moving forward. ELevate helps you migrate from CentOS to AlmaLinux, or another RHEL-compatible distribution, with relative ease. During testing, I discovered that ELevate could reliably upgrade a CentOS 7 machine, which hosted a Dockerized web application and some EPEL services, using nothing but the steps described in this article (Figure 5).

Your new AlmaLinux 8 install should be able to serve you well until 2029, when it reaches end of life. However, you can upgrade before then using ELevate to move forward to AlmaLinux 9 immediately, which will give you a distribution supported until 2032.

As a community-driven Linux OS, AlmaLinux welcomes contributions to the ELevate project. For more information, see the "Get Involved" box [7].

Get Involved

If you'd like to contribute to ELevate, AlmaLinux has launched the Package Evolution Service (PES). PES collects bug reports and issues from users as well as supplies information on migrating from one RHEL-compatible distribution to another. For more information on how to contribute to PES, see the ELevate Contribution Guide [7].

This article was made possible by support from the AlmaLinux OS Foundation through Linux New Media's Topic Subsidy Program (https://www.linuxnewmedia.com/Topic_Subsidy).

Info
[1] CentOS Stream in production use: https://www.redhat.com/en/resources/centos-stream-checklist
[2] AlmaLinux: https://almalinux.org
[3] ELevate: https://almalinux.org/elevate/
[4] Red Hat Leapp: https://www.redhat.com/en/resources/leapp-explained-detail
[5] EPEL support: https://almalinux.org/blog/2024-01-31-elevate-updates/
[6] ELevate Frequent Issues: https://wiki.almalinux.org/elevate/ELevate-frequent-issues.html#leapp-upgrade-error-caused-by-important-modules-from-kernel-drivers
[7] ELevate Contribution Guide: https://wiki.almalinux.org/elevate/Contribution-guide.html

Author
Rubén Llorente is an OpenBSD enthusiast and a mechanical engineer whose job is to ensure that the security measures of the IT infrastructure of a small clinic are both law compliant and safe.

Figure 5: Welcome to AlmaLinux! This is what a successful migration looks like.



IN-DEPTH
Command Line – Nala

Debian’s Next Generation


Package Manager

Nala
The latest iteration of Debian’s package manager makes it easier to manage packages from the
command line with more readable feedback, parallel downloads, the ability to find the fastest
mirrors, and an updated history list. By Bruce Byfield

Debian's modern package management got its start in 1994 with dpkg; apt-get, the front end for libapt-pkg, followed a few years later, and since then the tooling has evolved over several generations of front ends. Apt-get provides more detailed feedback than dpkg. The subsequent apt concentrates on apt-get's most common use cases, as well as the most often used apt utilities, and adds a progress bar to installations. Along with these changes, graphical installers have evolved from the original nearly impenetrable app to countless user-friendly tools. In the past three years, Nala [1] has become the next generation in this evolution, making package management from the command line even easier than before by reorganizing feedback and adding new features such as parallel downloads, selecting the fastest mirrors, and a history that can be used to repeat commands.

Named for a developer's cat, itself named after a character in The Lion King, Nala is a work in progress. Currently, some of its features work only in distributions that use the standard Debian or Ubuntu package repositories, but that is likely to change as Nala gains popularity, as it almost certainly will. Moreover, the improvement in feedback alone is enough to make Nala a useful option.

Although Nala is a recent project, it can already be found in the repositories of many Debian derivatives. If it is not yet in yours, the project has a page with download instructions [2]. If you use Debian, the Nala project page advises that "Updates from this repo are slightly faster than the Debian repos, but usually only about a day sooner." In addition, Nala will not work on Ubuntu 18.04 or Debian 10 or earlier because they ship older versions of Python. Users of these releases who want to use Nala can try installing a newer Python 3 or else installing from source.

The Basics

If you have used dpkg, apt-get, or apt, the basic commands are almost identical in Nala, with minor differences. Most of the differences consist of combining two commands that are normally used one after the other in apt-get/apt into a single command, or at least offering that option (see Table 1). Other actions can be used in more than one way. Experienced users can start using Nala almost immediately. However, if you need help, you can get more information with:

nala ACTION --help

All basic commands shown in Table 1 have a --debug option for development or bug reporting and a --raw-dpkg option to display only the plain dpkg feedback without Nala's formatting. Root privileges are required for the commands that change the system (install, remove, upgrade, and so on). Note that the behavior of commands may differ slightly from these defaults if you modify /etc/nala/nala.conf.

Nala Innovations

The most obvious change in Nala from previous commands is the formatting of feedback. The difference is apparent immediately when you compare Figure 1, a simple package installation using apt-get, with Figure 2, the same package installation using Nala. The text of apt-get's feedback – or apt's, for that matter – has only had minor revisions over the years and is much more compact

Lead Image © videst, 123RF.com

40 APRIL 2024 ISSUE 281 LINUX-MAGAZINE.COM


IN-DEPTH
Command Line – Nala

Table 1: Basic Nala Commands

Task                                            | Command                    | Options and comments
Install a package                               | nala install PACKAGE-NAME  | Installs a package or a space-separated list of packages
Remove packages (autoremoves)                   | nala remove PACKAGE-NAME   | --purge also removes configuration files (see nala purge)
Remove packages and their configuration files   | nala purge PACKAGE-NAME    | Same as nala remove --purge
Update repository listings                      | nala update                |
Upgrade all installed packages                  | nala upgrade               | Combines apt update and apt full-upgrade --auto-remove
Remove packages no longer needed                | nala autoremove            |
Remove packages and configuration files         | nala autopurge             | Same as nala autoremove --purge
  no longer needed                              |                            |
Remove cached .deb files from                   | nala clean                 | --lists also cleans out the package lists in /var/lib/apt/lists;
  /var/cache/apt/archives                       |                            | --fetch erases the nala-sources.list created with nala fetch
                                                |                            | (it does not add fetch's function to clean);
                                                |                            | --verbose (-v) disables extra information
List packages                                   | nala list QUERY            | Start a query with /r to use regular expressions
Search package names, source names,             | nala search QUERY          | Use regular expressions
  and descriptions                              |                            |
Disable scrolling text and print                | nala --verbose or nala -v  | This is the opposite of --verbose in most commands;
  extra information                             |                            | it disables, not enables

than Nala's, but it is not designed for easy reading. By contrast, Nala's feedback is designed for readability, with extra spacing that often makes it impossible for the entire feedback to be displayed on one screen, which may be why the --verbose option turns off some of the feedback. To start with, like many modern apps, it colors its feedback. In addition, Nala uses boxes to group feedback. Most important of all, the text is condensed. For instance, in Figures 1 and 2, where apt-get shows "After this

Figure 1: Apt-get's feedback has changed little over the years. It is readable but not concise.

Figure 2: Nala's feedback focuses on readability, but it uses more screen space than apt-get's.


operation, 13.9 MB of additional disk space will be used," Nala shows "Disk space required: 13.9 MB," using four words instead of 10. Both are easy enough to understand, but Nala's message is more quickly comprehended. As well, Nala uses a progress bar like apt's.

In its fetch command, Nala adds the functionality of Debian's netselect-apt utility to find the fastest mirrors to download from (Figure 3). Users can specify --debian, --ubuntu, or --devuan, stipulating, if desired, the exact repository after the distribution, such as --debian testing. Alternatively, --auto will select mirrors without you having to rank them, prompting only for acceptance of each suggestion. You can also use --https-only to search only https mirrors. Be clear about what that buys you: apt already verifies the signatures on the package lists it downloads, so a plain http mirror cannot slip you tampered packages unnoticed; what https adds is confidentiality, so that the packages you fetch (and thus the software you run) cannot be observed on the wire. With --fetches NUMBER, you can specify up to 16 mirrors to select from, while --auto defaults to three. Once the mirrors are fetched, you can choose the ones to use with a comma- and/or space-separated list. A range of mirrors can be specified by two periods so that 1..3 selects mirrors 1, 2, and 3. At the start of a range, 0.. will pick only even-numbered mirrors within the range, so that 0..1..5 selects mirrors 2 and 4. Similarly 1.. at the start will include all odd numbers in the range that follows. Whatever options you choose, the new sources list is written to /etc/apt/sources.list.d/nala-sources.list and takes effect after you run nala update.

Inspired by the DNF package manager's history list in Fedora, Nala also offers its own history list, with each action numbered (Figure 4). With nala history, a complete list of Nala commands displays. Using

nala history info NUMBER OR LAST

information about a specific command displays. Similarly,

nala history redo NUMBER OR LAST

repeats the specified command, while

nala history undo NUMBER OR LAST

undoes the specified command. With all these commands, you can specify

Figure 3: With fetch, Nala can pick the fastest mirrors for downloading and then help a user to create a sources list.

Figure 4: Nala includes a command history to make repetitive actions easier.

Figure 5: Nala's configuration file, nala.conf, allows Nala to be extensively customized.

42 APRIL 2024 ISSUE 281 LINUX-MAGAZINE.COM


IN-DEPTH
Command Line – Nala

--installed or --verbose (-v) to limit feedback. If you are unfamiliar with DNF, Nala's history is the same basic idea as Bash history.

However, perhaps Nala's most original feature is /etc/nala/nala.conf, which offers over 15 ways to customize exactly how Nala works, mostly through a series of true/false statements, each accompanied by an explanation in a comment above (Figure 5). These choices range from the trivial, such as whether to use megabits rather than megabytes to describe file sizes, to options for running custom preinstall or post-install scripts. In between are matters of preference, such as whether to display less verbose fe

edback or to show a list of installable packages after running updates. At least one option is potentially hazardous: the option to automatically answer yes to each question asked by Nala, which takes away your last chance to notice that an upgrade is about to remove packages you depend on. All the same, I cannot remember any other administrative command that allows such customization. More than anything, nala.conf illustrates how thoroughly Nala developers are rethinking a function that users have taken for granted for decades.

Rough Edges

Nala still needs some refinements. To the potential confusion of users, once or twice it uses single-letter options such as -i or whole-word options such as --verbose inconsistently. More seriously, if you remove a package with Nala and then change your mind and try to reinstall it, you get a message that no such package exists, not just in Nala, but in dpkg, apt-get, and apt. While this quirk says something about how Nala is written and operates, it can be alarming. Fortunately, though, the glitch is easily resolved: Either kill Nala or restart your computer, and the package reappears as mysteriously as it vanished.

Still, small problems are to be expected in a new project. Once you know them, you can work around them. Nala is such an advance over Debian's established package commands that, unless I am mistaken, in a few years it might easily replace them, at least for average users. Scripts that require apt-get might even be rewritten for Nala.

Info
[1] Nala: https://github.com/volitank/nala
[2] Download instructions: https://gitlab.com/volian/nala/-/wikis/Installation

Author
Bruce Byfield is a computer journalist and a freelance writer and editor specializing in free and open source software. In addition to his writing projects, he also teaches live and e-learning courses. In his spare time, Bruce writes about Northwest Coast art (http://brucebyfield.wordpress.com). He is also co-founder of Prentice Pieces, a blog about writing and fantasy at https://prenticepieces.com/.
IN-DEPTH
Credential Stuffing

Understanding and preventing credential stuffing attacks

Stolen Credentials

A credential stuffing cyberattack uses username and password credentials stolen in a data breach to gain access to your accounts. We explain how it works and how to prevent yourself from becoming a victim. By Chris Binnie

The good citizens of the Internet are frequently reminded that their passwords should contain a sufficiently complex combination of alphanumeric and special characters and, of course, meet or exceed a minimum length. Confusingly, the precise criteria for both are entirely dependent on which online service you use.

While security is everybody's responsibility, what should you be most concerned about if an online service lets you down and leaks your credentials, either through a malicious attack or simply through incompetence? The answer is twofold.

The first part of the answer depends on whether the online vendor informs you of the data breach straight away. I had my credentials stolen about a decade ago from a website that I had used once (around 2010, I think). The vendor reported the leak to a government department that did not make the breach public for a number of years afterwards, for reasons that I still don't find convincing. When I found out about the breach in 2014, I was horrified and immediately changed my password, eventually getting the vendor to completely close the account. Thankfully, only my name, age, postal address, email address, and order history were exposed, but potentially that's quite enough for identity theft.

The second part of the answer lies in your responsibility to ensure that you use unique passwords for each online service. Even if you change your password after a data leak, you are only protecting yourself on one service (which is hopefully running with heightened security, post-compromise). The bad news is that even if you keep passwords unique per service but reuse a pattern for your passwords across multiple online services, then you are still at risk. For example, penetration testers and attackers alike will try a capital letter at the start of passwords as it is so common, and the rule sets shipped with password-cracking tools encode exactly these habits (capitalize, append a year or a symbol, swap a letter for a digit), so a single leaked password hands an attacker the pattern as well as the string.

In this article, I will look at how attackers abuse the valuable data often made available on the dark web after a data breach – using automated bots in many cases. I will explore credential stuffing and explain how it differs from password spraying. Importantly, I will show you how to protect your online accounts against such nefarious attacks.

What Does the Data Look Like?

Before looking at one of the tools used by attackers for credential stuffing, let's have a look at the kind of data that gets passed around after a successful data breach. One website that offers both free and paid access to such datasets is a European search engine called Intelligence X [1] (see also the "OSINT Tooling" box). At the time of writing, the splash screen informs visitors that it currently has "110,768,706,582

OSINT Tooling

It is also worth mentioning that under the Tools menu on its website, Intelligence X provides a number of very useful ethical hacking tools that fall under the Open Source Intelligence (OSINT) category. According to the SANS Institute [2], OSINT "is the collection, analysis, and dissemination of information that is publicly available and legally accessible."

The available tools include email address lookups, people searches (Figure 1), phone number checks, location finding, image searches, and the ability to find files, to name but a few. That's a bookmark worth saving.

Lead Image © peshkov, 123RF.com

44 APRIL 2024 ISSUE 281 LINUX-MAGAZINE.COM


IN-DEPTH
Credential Stuffing

records" available and refers to its service as being able to "Search Tor, I2P, data leaks, public web [...]."

The search terms that can be used are notably powerful and include domain names, URLs, IP addresses (and CIDRs), and even Bitcoin addresses. In Figure 2, you can see the redacted output if I search for intelx.io within Intelligence X's search results. For its own domain name, the search output dutifully reports "Found 446 Text Files, 372 Website HTMLs, 23 Pastes, 6 CSV Files, 3 Database Files, 2 PDF Files, 1 Domain." That's a lot of information, and remember, this is not hiding cloaked in secrecy on the dark web. Instead, it is fully available to anyone able to use a search engine.

If I drill down into one of the files containing breach data, I am prompted to sign up. The choices are either 50 free daily lookups or 200 daily lookups using a paid Researcher account (EUR2,500 a year), along with a number of other features.

The Intelligence X website also provides a detailed blog, along with excellent examples of the type of data that I will cover shortly. One post from 2020 [3] refers to a dataset from a breach containing:

• 160GB of data
• 10+ million selectors
• 29,791 active .gov domains
• 13,208 active .mil domains

Intelligence X's web crawlers apparently only took 24 hours to gather that volume of data, which is as staggering as it is worrying. The blog mentions neatly storing such data within a new category that the site recently created to encompass all public data from .gov and .mil domain names. This level of data capture hopefully illustrates the pace at which large datasets can be created and made available to attackers.

Data, Data, Data

Now that I've covered accessing data breach content from freemium services, I'll move on to a sample breach file from the 000webhost data breach (named after the compromised

Listing 1: 000webhost Breach File Excerpt

1qaz2wsx
306187mn
rados1
newyork911
abc123
taqiyudin100587
wjr5443
nana0428
1992jp
bahamut24ritter

Figure 1: Intelligence X offers a treasure trove of tools that can help with online research (source: https://intelx.io).

Figure 2: Sample information found by Intelligence X (source: https://intelx.io).


company involved), which can be easily found on Daniel Miessler's GitHub page [4]. I'm confident, however, that this file is also available from multiple locations online if you look for it. Listing 1 shows the first 10 lines from Miessler's sample 000webhost data breach file. This data breach [5] affected a gobsmacking 13 million users in 2015. I will use the passwords from Listing 1 as a test example to explain credential stuffing. (If you are not keen on using these, Miessler's GitHub account [6] provides other options.)

Putting the Parts Together

Imperva [7], the cybersecurity company, explains credential stuffing as "a cyberattack method in which attackers use lists of compromised user credentials to breach into a system. The attack uses bots for automation and scale and is based on the assumption that many users reuse usernames and passwords across multiple services." It is worth repeating again: Reusing passwords for multiple services helps attackers with their goals when it comes to credential stuffing.

What I haven't said is probably the scariest part, however. One of the reasons why credential stuffing is so successful is because of the way that online services protect themselves against a user entering their password incorrectly on multiple occasions. Most people will be familiar with the dreaded "Your account has been locked, please contact Support" message seen after getting their password wrong three times. When it comes to reusing credentials from a breach, attackers are clever and will only try a username once or twice with a password before moving on to the next username in order to avoid locking out lots of accounts and potentially raising an alarm. This is only possible at scale due to the massive amount of data from breaches available online. By making use of automated bots, it's possible to simply feed them with ongoing content (in the form of usernames and passwords) until they successfully log into an account. A per-account lockout therefore never fires against this pattern; what does stand out is the number of distinct usernames a single source touches in a short time, which is why a defender has to rate-limit and fingerprint by source and client as well as by account.

So far, I only have passwords from the 000webhost breach data, but I obviously need usernames or, more commonly, email addresses that are used as usernames, in order to try and log into an online service. Miessler's GitHub repository also has a mountain of usernames available [8], including lists of popular male [9] and female names to try in the username field during an attack.

You can try password lists to successfully stuff credentials into an online service's login page, but you need valid usernames or email addresses for that particular service to have a much better chance of success. Otherwise, there is little point in trying a couple of passwords per user if that account definitely doesn't exist.

This is where OSINT comes in and indeed tools such as Intelligence X. It is possible to discover endless email addresses if you look hard enough for users of a particular site. I'm not saying this is necessarily accurate, but a banner appearing on the Intelligence X splash page, shortly after saying how much Intelligence X respects privacy, mentions that Facebook sells user data to third parties. As you can imagine, that is an online service with a

Using Docker with Hydra

For the Docker installation route, you will need to make some tweaks to the generic commands used in this article. If you use local files on a laptop for usernames and passwords lists, then you need to mount the local directory into the Docker container. You also need to prepend some Docker commands to the Hydra commands.

An example of a Docker command would look as follows:

$ docker run -it vanhauser/hydra -v -L /home/chris/users.txt -P /home/chris/passwords.txt -s22 -t4 -I target.tld ssh

However, the above command won't work until you mount a volume. To do that, you need to convert the above Hydra SSH command to mount local files to a container as follows:

$ docker run -it --mount type=bind,source=/home/chris,target=/tmp,readonly vanhauser/hydra -L /tmp/users.txt -P /tmp/passwords.txt -s22 -t4 -I target.tld ssh

Admittedly, there is a lot going on in the above command, so I'll break it down into sections. At the start, I prepend the docker run command and then mount the volume (read only) from /home/chris locally to /tmp inside the container. I then point Docker at the vanhauser/hydra container image and tell Hydra to look in the /tmp directory for both the usernames and passwords files before offering a target host and asking Hydra to use SSH logins.

If you are new to Docker, it may take a couple of attempts to tweak the generic commands, but it's not too difficult to transpose the other commands in this article using the examples shown here.

Table 1: Hydra Supported Protocols and Services

Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-POST, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTPS-POST, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MEMCACHED, MONGODB, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, Radmin, RDP, Rexec, Rlogin, Rsh, RTSP, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC, XMPP
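The lockout argument above is easiest to see in log data. The following Python script is an added example, not code from the article or from any of the tools it covers: it reads a handful of constructed sshd-style log lines (addresses taken from the RFC 5737 documentation ranges) and groups login attempts by source address. A bot doing credential stuffing or password spraying touches many usernames once or twice each, so a per-account lockout never triggers, while a brute-force run hammers one account and is caught by it; the log format is the only thing the script assumes, and the thresholds in classify() are illustrative rather than recommended values.

```python
"""Added example: spotting credential stuffing in SSH auth logs.

Not code from the article or from Hydra. SAMPLE_LOG is constructed for this
example in the style of OpenSSH "Failed/Accepted password" lines; the source
addresses are from the RFC 5737 documentation ranges.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List

SAMPLE_LOG = """\
Mar 02 10:00:01 web sshd[2001]: Failed password for alice from 203.0.113.7 port 50000 ssh2
Mar 02 10:00:02 web sshd[2002]: Failed password for bob from 203.0.113.7 port 50001 ssh2
Mar 02 10:00:03 web sshd[2003]: Failed password for carol from 203.0.113.7 port 50002 ssh2
Mar 02 10:00:04 web sshd[2004]: Failed password for invalid user dave from 203.0.113.7 port 50003 ssh2
Mar 02 10:00:05 web sshd[2005]: Failed password for erin from 203.0.113.7 port 50004 ssh2
Mar 02 10:00:06 web sshd[2006]: Accepted password for frank from 203.0.113.7 port 50005 ssh2
Mar 02 10:01:00 web sshd[2101]: Failed password for admin from 198.51.100.9 port 40000 ssh2
Mar 02 10:01:01 web sshd[2102]: Failed password for admin from 198.51.100.9 port 40001 ssh2
Mar 02 10:01:02 web sshd[2103]: Failed password for admin from 198.51.100.9 port 40002 ssh2
Mar 02 10:01:03 web sshd[2104]: Failed password for admin from 198.51.100.9 port 40003 ssh2
Mar 02 10:02:00 web sshd[2201]: Failed password for grace from 192.0.2.44 port 30000 ssh2
Mar 02 10:02:30 web sshd[2202]: Accepted password for grace from 192.0.2.44 port 30001 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


@dataclass
class SourceStats:
    # Failures per username, and the accounts this address actually got into.
    failed_per_user: Dict[str, int] = field(default_factory=lambda: defaultdict(int))
    accepted_users: List[str] = field(default_factory=list)

    @property
    def users_touched(self) -> int:
        return len(set(self.failed_per_user) | set(self.accepted_users))

    @property
    def deepest(self) -> int:
        """Most failures against any single account from this source."""
        return max(self.failed_per_user.values(), default=0)


def summarize(log_text: str) -> Dict[str, SourceStats]:
    """Group login attempts by source address."""
    stats: Dict[str, SourceStats] = defaultdict(SourceStats)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src = stats[m["ip"]]
        if m["result"] == "Accepted":
            src.accepted_users.append(m["user"])
        else:
            src.failed_per_user[m["user"]] += 1
    return dict(stats)


def lockout_triggers(src: SourceStats, threshold: int = 3) -> bool:
    """Would a per-account lockout after `threshold` failures have fired for this source?"""
    return src.deepest >= threshold


def classify(src: SourceStats, min_users: int = 5, max_tries_per_user: int = 2) -> str:
    """Wide and shallow is stuffing or spraying; narrow and deep is brute force.

    The log never shows the password, so stuffing (a leaked password per user)
    and spraying (one password across every user) look identical here.
    """
    if src.users_touched >= min_users and src.deepest <= max_tries_per_user:
        return "credential-stuffing-or-spraying"
    if src.users_touched < min_users and src.deepest > max_tries_per_user:
        return "brute-force"
    return "normal"


def detect(log_text: str) -> Dict[str, str]:
    """Source addresses that look like an attack, with a label for each."""
    findings: Dict[str, str] = {}
    for ip, src in summarize(log_text).items():
        label = classify(src)
        if label != "normal":
            findings[ip] = label
    return findings


def compromised_accounts(log_text: str) -> List[str]:
    """Accounts a stuffing/spraying source logged into: these need a password reset."""
    stats = summarize(log_text)
    hits: List[str] = []
    for ip, label in detect(log_text).items():
        if label == "credential-stuffing-or-spraying":
            hits.extend(stats[ip].accepted_users)
    return hits


if __name__ == "__main__":
    for ip, label in detect(SAMPLE_LOG).items():
        src = summarize(SAMPLE_LOG)[ip]
        print(f"{ip}: {label} ({src.users_touched} users, deepest {src.deepest}, "
              f"lockout fired: {lockout_triggers(src)})")
    print("compromised:", compromised_accounts(SAMPLE_LOG))
```

In the sample, 203.0.113.7 tries six accounts once each and gets into one of them without ever reaching a three-failure lockout, while 198.51.100.9 trips the lockout on its fourth attempt against admin; a real deployment would key the same counting on the proxy's client address or a device fingerprint rather than the raw peer address, since stuffing bots spread their traffic across many sources.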

46 APRIL 2024 ISSUE 281 LINUX-MAGAZINE.COM


IN-DEPTH
Credential Stuffing

massive dataset that you could search through for valid users. Plus, even on the earlier searches for .gov and .mil domain names, email addresses were displayed – more commonly for teams rather than individuals, admittedly, but you get the idea.

Getting Your Hands Dirtier

In addition to harvesting lists of passwords and hunting for relevant usernames for credential stuffing on the command line, you need to consider the automation behind such attacks. Unsurprisingly, there are multiple automation tools. One such tool, Hydra (sometimes called THC Hydra), is part of the Kali Linux suite of tools and available in Van Hauser's repository [10] on GitHub. The efficient Hydra supports operating with parallel connections. Note the reminder in the README file [11]: "This Tool Is for Legal Purposes Only!"

Although I've only really talked about web services so far, Hydra purportedly supports a significant number of protocols as mentioned in the README file (see Table 1).

A quick word of warning: Hydra can take a few attempts to get the command-line options right, so I recommend practicing on a Capture the Flag server or a service where you know the credentials in case you come across problems. I like to save successful command-line options for later.

There are a few ways to install Hydra (see the README [11] for more information). I will purposely cover generic commands. If you want to run these commands using the developer's preferred installation route with Docker, see the "Using Docker with Hydra" box. I think Docker is preferred because it guarantees you are using the latest version.

To use Hydra, I need to install Docker, log into Docker Hub [12], and then create a token to pull from the vanhauser/hydra repository on Docker Hub. On Debian Linux derivatives, such as Ubuntu, you can get started with the following command:

$ apt update; apt install -y docker.io

Next you need to create a personal access token as shown in Figure 3. To get there, either log in or create a Docker Hub account and then click on Account Settings (top right) followed by Security (left). Once you click on the blue New Access Token button (and choose read-only access), as shown in Figure 3, you're all set. (If you need additional help in setting up an access token, see [13].) Using this access token as the password, you can log into Docker Hub on the command line and see if your access token works as follows:

$ docker login -u chrisbinnie    # change your Docker Hub username
Password: <enter Personal Access Token here>

Warning: Your password will be stored unencrypted in /root/.docker/config.json. Configure a credential helper to remove this warning (see [14]).

Strictly speaking, a public image such as vanhauser/hydra can be pulled without logging in at all; authenticating only raises Docker Hub's pull rate limit above the one applied to anonymous clients. If you do log in, take the warning seriously: the token sits in plaintext in config.json, so use a read-only token, as suggested above, and revoke it when you are done.

Login Success

Now that you have access to Docker Hub (public) images, you can pull Hydra's image with the code in Listing 2. The docker images command confirms that you have pulled around one and a quarter gigabytes for Hydra. In order to check that the image is valid, you can open Hydra's help page with the following command:

$ docker run -it vanhauser/hydra -h

As the heavily abbreviated help page in Listing 3 shows, Hydra is ready to use. Note the authors' request in Listing 3: "Please do not use in military or secret service organizations, or for illegal purposes."

Always Make Lists

As my first credential stuffing example using Hydra, I will target an SSH server. The syntax is simple and easy to follow (remember to refer to the "Using Docker with Hydra" box to use Docker with these commands). I start by using a local

Listing 2: Pulling the Hydra Image

$ docker pull vanhauser/hydra
Using default tag: latest
latest: Pulling from vanhauser/hydra
90ac1ecaf92c: Pull complete
be7c66840ebb: Pull complete
<...snip...>

$ docker images
REPOSITORY        TAG      IMAGE ID       CREATED      SIZE
vanhauser/hydra   latest   d89f1bd1e06f   6 days ago   1.24GB

Figure 3: Create a personal access token on Docker Hub.

LINUX-MAGAZINE.COM ISSUE 281 APRIL 2024 47


IN-DEPTH
Credential Stuffing

Listing 3: Hydra Help Page
Hydra v9.6dev (c) 2023 by van Hauser/THC & David Maciejak -- Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-c TIME] [-ISOuvVd46] [-m MODULE_OPT] [service://server[:PORT][/OPT]]

Options:
  -R                   restore a previous aborted/crashed session
  -I                   ignore an existing restore file (don't wait 10 seconds)
  -S                   perform an SSL connect
  -s PORT              if the service is on a different default port, define it here
  -l LOGIN or -L FILE  login with LOGIN name, or load several logins from FILE
  -p PASS  or -P FILE  try password PASS, or load several passwords from FILE
  -x MIN:MAX:CHARSET   password bruteforce generation, type "-x -h" to get help
  -y                   disable use of symbols in bruteforce, see above
  -r                   use a non-random shuffling method for option -x
  -e nsr               try "n" null password, "s" login as pass and/or "r" reversed login
  -u                   loop around users, not passwords (effective! implied with -x)
  -C FILE              colon separated "login:pass" format, instead of -L/-P options
<...snip?>

Figure 4: A good, old WordPress login page.
Figure 5: A successful credential stuffing attack: Hydra has discovered my username and password with ease, shown in light green text.

list (in the current directory) of passwords (in a file called passwords.txt) and just one username with a lowercase -l option as follows:

$ hydra -v -l chris -P passwords.txt -s22 -t4 -I target.tld ssh

Bear in mind that the server may lock a user out after three attempts so focusing on one username isn’t the ideal approach. Instead, you can collect a list of usernames and then save them into a file, with the uppercase -L option, with full file paths as follows:

$ hydra -v -L /home/chris/users.txt -P /home/chris/passwords.txt -s22 -t4 -I target.tld ssh

That’s all you need for attacking SSH servers. If you want to attack a web application, then you would need to append http-get at the end and add -s for HTTP’s port 80 (I will explain -t shortly) as follows:

$ hydra -v -L /home/chris/users.txt -P /home/chris/passwords.txt -s80 -t4 -I target.tld http-get

Dropping Science
Now that I’ve discussed credential stuffing in theory, I’ll show a successful credential stuffing attack in action using a WordPress EC2 instance that I have running in Amazon Web Services (AWS). Figure 4 shows the standard login page (note you need the correct URL for the login page in order to point Hydra directly to it).
Figure 5 shows what happens when you execute the following code:

$ hydra -L users.txt -P passwords.txt -t4 -f XXX.XXXXX.tld https-get /wp-login.php

I’ll break down the above command to highlight the new options. The Xs redact one of my domain names used for testing on the WordPress server (that’s the hidden part in Figure 5). Per the Hydra manual, the -f option is for exiting when a successful user/password is found. I’ve also lowered the number of parallel threads to -t4 from the default 16 to stop my laptop stressing out too much. Because I’m targeting a WordPress site running TLS, I use https-get instead of http-get like in the previous example. Also pay attention to /wp-login.php; this is my WordPress login page’s URL.
For reference, I’ve used a couple of the passwords from Listing 1 and



appended my known password to the last line. The username file is just populated with chris. For clarity, Hydra will try all the passwords available against each username unless told otherwise. This example doesn’t really simulate a real attack, because an attacker will carefully gauge the sensitivity of the online service that they are attacking and work out how many incorrect logins are permitted.
Pay attention to the lighter-green text shown in Figure 5 (the line beginning with [443]). That’s where Hydra has successfully weaved its magic and found a valid account to log in with.
I will leave you to experiment with various URLs and other services that the multi-headed Hydra can attack. There are a lot of other useful Hydra options to try as you become more proficient at using Hydra (see Table 2).

Table 2: Useful Hydra Options
s   Try the username as a password
n   Attempt to use an empty password
r   Reverse the login in order to try it as password

Passwords Everywhere
In the introduction, I mentioned password spraying, which is very similar in nature to credential stuffing and easily confused. According to security firm CrowdStrike [15], the difference is that a password spraying attack uses two steps: “An attacker acquires a list of usernames, then attempts logins across all usernames using the same password. The attacker repeats the process with new passwords until the attack breaches the target authentication system to gain account and systems access.”
With password spraying, the key difference is one common password is repeated across multiple users. If default passwords are used or password sharing takes place (something that I haven’t come across, admittedly), then password spraying can be a successful route to compromising an account. You can read more about password spraying as a more subtle form of a brute force attack on the CrowdStrike website [15].

Mitigating Attacks
Now that you know about these types of attacks, there are a few things you should do to prevent them:
• Always use multi-factor authentication (MFA) for logging in to accounts. If you use an online service that doesn’t offer MFA, nudge them until they do.
• At the very least, ensure there are secondary defenses in addition to your password, such as a personal identification number (PIN) or a secret word or phrase to complement your password.
Website owners can also add these measures to improve their security posture:
• Check for location, browser version, screen resolution, etc., for each user’s typical login profile and insist on extra login steps if they do not match.
• Run CAPTCHA puzzles to add a second layer of authentication.
• Introduce rate-limiting to prevent IP addresses from trying repeated logins.
• Blacklist IP addresses that log into multiple accounts.
• Add usernames that are not immediately guessable (e.g., instead of an email address or first name, use something like chrxbinx0091).
If you run your own Linux servers, then I highly recommend Fail2Ban for sophisticated rate-limiting [16]. An article [17] on the Linux Magazine website offers lots of tips on how to get started with Fail2Ban. One word of advice: Start cautiously to avoid potentially causing yourself access problems.

The End Is Nigh
Hopefully the content covered here has opened your eyes to a very real threat faced by today’s Internet users.
The key thing to remember is that the success of these types of attacks is generally not down to user error directly. Instead, these attacks are a result of an online service attracting enough attention and not plugging security holes properly, which allows a data breach. Of course, if you use the same password across multiple services and one online service suffers a breach, you are making a rod for your own back.
Use a password manager if you struggle with unique, complex passwords and choose which services you use carefully – not all vendors are equal. Also, always use MFA!

Author
Chris Binnie is a Cloud Native Security consultant and co-author of the book Cloud Native Security: https://www.amazon.com/Cloud-Native-Security-Chris-Binnie/dp/1119782236.

Info
[1] Intelligence X: https://intelx.io
[2] SANS Institute: https://www.sans.org/blog/what-is-open-source-intelligence
[3] Intelligence X blog post on data breach: https://blog.intelx.io/2020/11/20/open-government
[4] Sample password breach file: https://github.com/danielmiessler/SecLists/blob/master/Passwords/Leaked-Databases/000webhost.txt
[5] Leaked data: https://www.zdnet.com/article/000webhost-hacked-13-million-customers-exposed
[6] Daniel Miessler: https://github.com/danielmiessler
[7] Imperva: https://www.imperva.com/learn/application-security/credential-stuffing
[8] Sample username breach file: https://github.com/danielmiessler/SecLists/tree/master/Usernames
[9] Top 1,000 list of male names in USA: https://github.com/danielmiessler/SecLists/blob/master/Usernames/Names/malenames-usa-top1000.txt
[10] Hydra: https://github.com/vanhauser-thc/thc-hydra
[11] Hydra README: https://github.com/vanhauser-thc/thc-hydra/blob/master/README
[12] Docker Hub login: https://login.docker.com
[13] Docker access tokens: https://docs.docker.com/security/for-developers/access-tokens/
[14] Configuring a credential helper: https://docs.docker.com/engine/reference/commandline/login/#credentials-store
[15] CrowdStrike: https://www.crowdstrike.com/cybersecurity-101/password-spraying
[16] Fail2Ban: https://www.fail2ban.org
[17] “Intrusion Detection with Fail2Ban” by Chris Binnie, Linux Magazine website, May 22, 2012: https://www.linux-magazine.com/Online/Features/Intrusion-Detection-with-fail2ban
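The mitigation list above asks website owners to rate-limit repeated logins and to blacklist IP addresses that hit multiple accounts, and the Passwords Everywhere section separates password spraying (one password across many usernames) from the password-list runs in the Hydra examples. As an added example, not from the article or from Hydra, this Go program applies both rules to constructed failed-login records (IP, username, timestamp; the thresholds, the sample addresses and the window are assumptions) and reports which pattern each source matches.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Attempt is one failed login, as an SSH daemon or web server would record it
// (the password is never logged, so detection works on who was tried and how often).
type Attempt struct {
	When time.Time
	IP   string
	User string
}

// Verdict summarises what one source IP did inside the detection window.
type Verdict struct {
	IP       string
	Attempts int    // failures from this IP inside the window
	Users    int    // distinct accounts those failures hit
	Pattern  string // "credential stuffing", "password spraying" or "normal"
	Block    bool   // true when the IP should be rate-limited or blacklisted
}

// Constructed policy for this example; tune these to your own service.
const (
	Window      = 10 * time.Minute
	MaxAttempts = 10 // more failures than this from one IP: rate-limit it
	MaxUsers    = 5  // failures against more accounts than this: blacklist it
)

// SampleAttempts is constructed input, not real server output. 203.0.113.7 runs
// a password list against the single account "chris" (the -l/-P shape of the
// Hydra examples), 198.51.100.9 tries one guess each against many accounts
// (spraying, per the CrowdStrike definition), and 192.0.2.5 is a user who
// mistyped twice.
func SampleAttempts(now time.Time) []Attempt {
	var as []Attempt
	add := func(minAgo int, ip, user string) {
		when := now.Add(-time.Duration(minAgo) * time.Minute)
		as = append(as, Attempt{When: when, IP: ip, User: user})
	}
	for i := 0; i < 12; i++ {
		add(i%9, "203.0.113.7", "chris")
	}
	add(20, "203.0.113.7", "chris") // older than the window: must be ignored
	for _, u := range []string{"alice", "bob", "carol", "dave", "erin", "frank", "grace"} {
		add(3, "198.51.100.9",
			u)
	}
	add(1, "192.0.2.5", "alice")
	add(2, "192.0.2.5", "alice")
	return as
}

// Classify groups failures by source IP inside the window ending at now and
// decides which pattern each IP matches. Results are sorted by IP.
func Classify(attempts []Attempt, now time.Time) []Verdict {
	perIP := map[string][]Attempt{}
	for _, a := range attempts {
		if age := now.Sub(a.When); age >= 0 && age <= Window {
			perIP[a.IP] = append(perIP[a.IP], a)
		}
	}
	var out []Verdict
	for ip, as := range perIP {
		users := map[string]bool{}
		for _, a := range as {
			users[a.User] = true
		}
		v := Verdict{IP: ip, Attempts: len(as), Users: len(users), Pattern: "normal"}
		switch {
		case v.Users > MaxUsers && v.Attempts <= 2*v.Users:
			// at most a guess or two per account, spread over many accounts
			v.Pattern, v.Block = "password spraying", true
		case v.Attempts > MaxAttempts:
			// many guesses concentrated on few accounts
			v.Pattern, v.Block = "credential stuffing", true
		}
		out = append(out, v)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].IP < out[j].IP })
	return out
}

func main() {
	now := time.Date(2024, time.April, 1, 10, 0, 0, 0, time.UTC)
	for _, v := range Classify(SampleAttempts(now), now) {
		fmt.Printf("%-14s attempts=%2d users=%d %-19s block=%t\n",
			v.IP, v.Attempts, v.Users, v.Pattern, v.Block)
	}
}
```

Fail2Ban implements the first rule (too many failures from one address) out of the box; the second rule is the one worth adding when a log shows a single address cycling through many account names.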



IN-DEPTH
Programming Snapshot – Customizing an LED Display

Flashing and programming an LED display

Project Blinking Lights

Mike Schilli recently ordered a low-budget LED display and is all set to customize the firmware and add some homemade scripts. By Mike Schilli

External displays that continuously show data without a real screen, even when the computer is taking a nap, are a genuine upgrade to any office. Of course, they can be used to display the time or weather, but they can also perform unusual tasks tailored to your needs. The reasonably priced Ulanzi TC001 [1] ended up on my doorstep within a week for around $60, after traveling all the way from China to the USA. My original idea was to use it to build a “Wealth Clock” that shows the current gold level in all my money stores so that I know how wealthy I am at any given time.

Flashing Custom Firmware
The LED display has a retro feel. Of course, there are higher-resolution displays available today, but the LED display is definitely suitable for displaying short character strings and gives you a sort of cozy Tetris feeling at the same time. The included firmware can only do mundane tasks such as displaying the time, the date, and the battery level, but the Awtrix [2] project offers open source firmware including a browser-based instant flashing tool that turns the device into a Jack of all trades in next to no time. Figure 1 shows how the new firmware boots up.
The device does not offer much RAM, and the processor is a modest ESP32. Although this microcontroller can handle WiFi and Bluetooth, its performance cannot be compared to that of a modern CPU. This is why more demanding applications aren’t running directly on the Ulanzi. Instead, they are chugging along on an external computer with more power, which then uses an API command to periodically tell Awtrix what to display.
After completing the boot process, the firmware rotates through all of its configured standard apps: time/date, temperature, humidity provided by its internal sensors, and current battery strength. But that’s not the objective here. Instead, we will be disabling the standard apps one by one in order to upload our own custom apps in this issue.

Perpetual Cycle
To do this, you need to press and hold the center button with the circle at the top of the Ulanzi for about two seconds; this will force Awtrix to jump into the admin console. One of the submenus there is named Apps.
Another short press on the circle button shows the status of the first app

Figure 1: Booting the Ulanzi after flashing with the Awtrix firmware.

Lead Image © greenflame, 123RF.com

Author
Mike Schilli works as a software engineer in the San Francisco Bay Area, California. Each month in his column, which has been running since 1997, he researches practical applications of various programming languages. If you email him at [email protected] he will gladly answer any questions.




Figure 2: The Awtrix admin interface in the web browser.
Figure 3: The display counts the days, hours, and minutes until a birthday.
Figure 4: Followers and uploads on my YouTube channel.

Listing 1: countdown.go
package main

import (
  "fmt"
  "time"
)

// DHMUntil returns the time left until the given instant as DD:HH:MM.
func DHMUntil(until time.Time) string {
  dur := time.Until(until)
  days := int(dur.Hours() / 24)
  hours := int(dur.Hours()) % 24
  mins := int(dur.Minutes()) % 60
  return fmt.Sprintf("%02d:%02d:%02d", days, hours, mins)
}

(e.g., the remaining capacity of the built-in battery). The display can be operated for around five hours without a power cable using the built-in battery – but this is unlikely to be useful to anyone, because it definitely requires a power socket for continuous operation. Pressing the arrow buttons to the left or right now reveals additional apps such as the temperature or humidity display, or the time and date. Briefly pressing the circle button switches the displayed app off or back on again; the firmware acknowledges this by displaying off or on.
A long press on the circle button causes the console to jump back up to the next level and ultimately return to the infinite app cycle. Once you have disabled all the default apps, you will now see nothing but a dark display.

Meaningless Password
The Awtrix firmware’s web UI and API can be protected with a username and password using the Admin console (Figure 2). However, the mini web server on the device then expects login credentials for each request via basic authorization using unprotected HTTP. That is not exactly state-of-the-art: Anyone listening in on the WiFi network can sniff the password.
To integrate new custom apps into the firmware display loop, clients can either use the MQTT interface, which is particularly popular for home automation systems, or send commands via the web API. The latter is not well-documented on GitHub, but, ultimately, a POST request to the Ulanzi’s IP on the WiFi network is all it takes. After flashing with the new firmware, the device starts in AP mode. If you select the new awtrix_XXX WiFi network on a laptop or smartphone, you can send the WiFi access credentials for the home network to the Ulanzi in the browser that then opens. After a reboot, the Ulanzi then connects to the WiFi network and grabs an IP, which it shows on the display when booting up.
API calls for setting up new apps will be sent to this IP and the path /api/custom; they also require a (freely selectable)




name for the app and a JSON blob with the desired display content.

Birthday Countdown
First of all, I decided to add a new app to the display that counts down the days, hours, and minutes until a specified date, for example, a birthday (Figure 3). Listing 1 uses the DHMUntil() function to calculate the time span between the current time and the corresponding date. It then divides the resulting number of hours by 24 to compute the number of days. A Mod 24 operation extracts the remaining hours from this, and a Mod 60 on the minutes extracts the remaining minutes.
What you get back is a string in a DD:HH:MM format, which the API call in Listing 2 shows on the display. It is up to the control computer how often the

Figure 5: A money bag as a symbol for the wealth clock.
Listing 2: api.go
01 package main
02 import (
03   "bytes"
04   "encoding/json"
05   "fmt"
06   "net/http"
07 )
08
09 const baseURL = "http://192.168.87.22/api/custom"
10
11 type apiPayload struct {
12   Text     string `json:"text"`
13   Rainbow  bool   `json:"rainbow"`
14   Duration int    `json:"duration"`
15   Icon     int    `json:"icon"`
16 }
17
18 func postToAPI(name string, p apiPayload) error {
19   url := baseURL + "?name=" + name
20   jsonBytes, err := json.Marshal(p)
21   if err != nil {
22     return err
23   }
24
25   resp, err := http.Post(url, "application/json", bytes.NewBuffer(jsonBytes))
26   if err != nil {
27     return err
28   }
29   defer resp.Body.Close()
30
31   if resp.StatusCode != http.StatusOK {
32     return fmt.Errorf("unexpected HTTP status %v", resp.StatusCode)
33   }
34   return nil
35 }

Listing 3: youtube.go
01 package main
02
03 import (
04   "context"
05   "google.golang.org/api/option"
06   "google.golang.org/api/youtube/v3"
07   "log"
08 )
09
10 const ChannelID = "UC4UlBOISsNy4HcQFWSrnV5Q"
11 const ApiKey = "AIzaSyZmOrarSDWqrnAwIKkWGzj0vaVQtyvPokB"
12
13 func youtubeStats() (uint64, uint64, error) {
14   ctx := context.Background()
15   service, err := youtube.NewService(ctx, option.WithAPIKey(ApiKey))
16   resp, err := service.Channels.List([]string{"statistics"}).Id(ChannelID).Do()
17   if err != nil {
18     log.Fatalf("%v", err)
19   }
20
21   if len(resp.Items) == 0 {
22     log.Fatal("Channel not found")
23   }
24
25   stat := resp.Items[0].Statistics
26   return stat.SubscriberCount, stat.VideoCount, nil
27 }




countdown is refreshed. If, for example, a cron job only starts every 15 minutes, the counter will lag behind by a quarter of an hour worst case.
Communication with the Awtrix firmware’s web server API is handled by Listing 2 using the apiPayload type structure from line 11. The json.Marshal() packer converts the structure into JSON format in line 20 referencing the backquoted instructions in the structure to do so. For example, the content of the Go Text attribute, which holds the character string to be displayed, is text (i.e., lowercase) in JSON by convention, because JSON fields traditionally start with lowercase letters, whereas public Go structure fields start with capital letters.
The postToAPI() function from line 18 expects two parameters from the caller: the name of the application and an apiPayload type structure. The apiPayload type structure contains the text to be displayed (in Text), the Rainbow flag (true value for a colorful display), and the display duration in seconds in Duration. You can optionally add an icon so that the viewer can visually determine which app the displayed value is associated with.
The Post() function from the Go net/http standard package then sends the JSON blob to the web server, specifying the application/json MIME type. The MIME type is mandatory; otherwise, the server will not route the call correctly. After checking the HTTP response for errors, the function finally returns.
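The contract described above has three parts: the app name travels as a query parameter, the body must be marshalled with the lowercase JSON keys from the struct tags, and the Content-Type must be application/json or the call is not routed. As an added example that is not from the article or the Awtrix project, this Go program runs both sides offline: an httptest server that stands in for the Ulanzi (a constructed mock, not the firmware; its exact error responses are assumptions) and a client call with the correct and with a wrong MIME type.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"sort"
)

// apiPayload has the same shape as the structure in Listing 2: the struct tags
// give the JSON keys their lowercase names while the Go fields stay exported.
type apiPayload struct {
	Text     string `json:"text"`
	Rainbow  bool   `json:"rainbow"`
	Duration int    `json:"duration"`
	Icon     int    `json:"icon"`
}

// received is what the stand-in server decoded from one accepted request.
type received struct {
	Name string
	Body map[string]interface{}
}

// newFakeAwtrix starts an httptest server standing in for the Ulanzi's
// /api/custom endpoint. It is a constructed mock, not the Awtrix firmware; it
// enforces only the contract points the article names: a name query parameter
// and the application/json MIME type.
func newFakeAwtrix(store *[]received) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/custom", func(w http.ResponseWriter, r *http.Request) {
		name := r.URL.Query().Get("name")
		if r.Method != http.MethodPost || name == "" {
			http.Error(w, "POST with ?name=<app> required", http.StatusBadRequest)
			return
		}
		if r.Header.Get("Content-Type") != "application/json" {
			http.Error(w, "unsupported media type", http.StatusUnsupportedMediaType)
			return
		}
		var body map[string]interface{}
		if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		*store = append(*store, received{Name: name, Body: body})
		w.WriteHeader(http.StatusOK)
	})
	return httptest.NewServer(mux)
}

// postCustomApp is the client side, like postToAPI in Listing 2, but the base
// URL and the MIME type are parameters so the wrong-type case can be shown.
func postCustomApp(baseURL, name, contentType string, p apiPayload) (int, error) {
	b, err := json.Marshal(p)
	if err != nil {
		return 0, err
	}
	resp, err := http.Post(baseURL+"/api/custom?name="+name, contentType, bytes.NewReader(b))
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	io.Copy(io.Discard, resp.Body) // drain so the connection can be reused
	return resp.StatusCode, nil
}

// Demo runs both sides: one correct call and one with the wrong MIME type. It
// returns both status codes and the JSON keys the server saw on the good call.
func Demo() (okStatus, badStatus int, keys []string, err error) {
	var seen []received
	srv := newFakeAwtrix(&seen)
	defer srv.Close()
	p := apiPayload{Text: "290/85", Rainbow: true, Duration: 4, Icon: 974}
	if okStatus, err = postCustomApp(srv.URL, "youtube", "application/json", p); err != nil {
		return
	}
	if badStatus, err = postCustomApp(srv.URL, "youtube", "text/plain", p); err != nil {
		return
	}
	if len(seen) != 1 || seen[0].Name != "youtube" {
		err = fmt.Errorf("server accepted %d requests, want exactly the JSON one", len(seen))
		return
	}
	for k := range seen[0].Body {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return
}

func main() {
	fmt.Println(Demo()) // 200 415 [duration icon rainbow text] <nil>
}
```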

Like and Subscribe
In another app, I wanted the Ulanzi to display the number of subscribers to my YouTube channel and the number of videos uploaded to date (Figure 4). Listing 3 illustrates how the control computer retrieves the desired numerical values from YouTube. Google requires a valid API key to access the data; you can obtain this from the Cloud Console as shown in last month’s Snapshot [3].
The official YouTube API client Go library used in the listing makes it easy to obtain statistics for a channel. On top of that, it removes the need for developers to extract the desired values from the mess of JSON in the server response. The channel ID for identifying the desired channel is hard-coded in line 10 and the API key in line 11.
Just like in last month’s issue, the code calls NewService() to create a service object in line 15. It then invokes the API client’s List() function with the statistics parameter to extract the channel’s statistics metadata. The return value is a list containing exactly one match, which line 25 drills down on. Line 26 then extracts the desired values for SubscriberCount and VideoCount from the data structure.

Pixelated Icons
If you install multiple apps, and the display constantly toggles between them, icons are a great way to show users which app generated the text currently on display. Having said this, it is not so easy to create a meaningful graphic on a mini matrix of 8x8 pixels on the display to leave room for the actual data.

Figure 6: Icons are available for download from the LaMetric developer page.
Figure 7: Awtrix downloads and displays these icons by reference to their numeric IDs.




Interestingly, the Ulanzi TC001 with Awtrix works around this by using predefined icons (Figure 5) from the developer site of the more expensive competitor product LaMetric [4]. You can search for suitable icons there using keywords (Figure 6) and write down their IDs. Later, on the Awtrix admin page, the small pixel artworks can be referenced by this numerical value in the Icons tab (Figure 7). At the touch of a button, Awtrix then downloads the respective icon to the firmware and displays it in the first field of an app whenever the JSON data of an app sent to the display references the corresponding numerical icon ID in the icon field.
After calling the API from the compiled Go program, the display will later show a YouTube-style red play button as an icon, as you can see in Figure 4. It told me that my personal channel on the platform now has 290 subscribers and that I have uploaded no fewer than 85 videos on cooking and car repairs.

Uncle Scrooge’s Monitor
As for my personal wealth clock, I can’t publish details, so Figure 8 only shows a symbolic cash balance. In reality, a Go program runs the control computer every day, evaluating all my cash deposits and investment values, adding them up, and attaching them to the end of a logfile as a numerical value. This means that the mon() function in Listing 4 only needs to navigate to the end of the logfile, extract the first numerical value, and return it to the caller to determine my total wealth.
Because the bytes of a file are stored sequentially on the hard disk and a line is implemented under Unix in such a way that there is a newline character at the end, reading the last line of a file is by no means trivial. The simplest method: Tell the program to read the bytes of the file line by line up to the

Figure 8: Symbolic display of the author’s personal wealth.

Listing 4: dago.go
01 package main
02
03 import (
04   "bufio"
05   "golang.org/x/text/language"
06   "golang.org/x/text/message"
07   "os"
08   "os/user"
09   "path"
10   "regexp"
11   "strconv"
12 )
13
14 func mon() string {
15   usr, err := user.Current()
16   if err != nil {
17     panic(err)
18   }
19
20   logf := path.Join(usr.HomeDir, "data/monlog.txt")
21   file, err := os.Open(logf)
22   if err != nil {
23     panic(err)
24   }
25   defer file.Close()
26
27   scanner := bufio.NewScanner(file)
28   var lastLine string
29   for scanner.Scan() {
30     lastLine = scanner.Text()
31   }
32   if err := scanner.Err(); err != nil {
33     panic(err)
34   }
35
36   re := regexp.MustCompile(`\d+`)
37   match := re.FindString(lastLine)
38   n, err := strconv.ParseInt(match, 10, 64)
39   if err != nil {
40     panic(err)
41   }
42
43   n = n / 1000
44   p := message.NewPrinter(language.English)
45   return p.Sprintf("%d", n)
46 }




Listing 5: ulanzi.go
package main

import (
  "fmt"
  "time"
)

func main() {
  // Youtube
  f, v, err := youtubeStats()
  if err != nil {
    panic(err)
  }
  p := apiPayload{Text: fmt.Sprintf("%d/%d", f, v), Icon: 974, Duration: 4, Rainbow: true}
  err = postToAPI("youtube", p)
  if err != nil {
    panic(err)
  }

  // Countdown
  loc, err := time.LoadLocation("America/Los_Angeles")
  if err != nil {
    panic(err)
  }
  timerVal := DHMUntil(time.Date(2024, time.August, 1, 0, 0, 0, 0, loc))
  p = apiPayload{Text: timerVal, Duration: 4, Rainbow: true}
  err = postToAPI("countdown", p)
  if err != nil {
    panic(err)
  }

  // Dago
  p = apiPayload{Text: mon(), Icon: 23003, Duration: 4, Rainbow: true}
  err = postToAPI("dago", p)
  if err != nil {
    panic(err)
  }
}
next newline character until it reaches the end of the file; it then just needs to remember the content of the last line it processed.
However, this is very inefficient, especially with longer files, because reading out unnecessary data can take a long time. For greater efficiency, you can use the Unix fseek() function to tell the operating system to work its way to the end of the file without much delay and search backwards from there for the beginning of the last line. However, because the logfile processed by Listing 4 isn’t excessively long, it uses the first, simpler method.
To make long numbers easier to read, the US and UK comma-separate groups of digits (“10,000”); some other countries, such as Germany, for example, use dots (“10.000”) instead. The standard text/message Go library takes care of this in Listing 4, loading the language library in line 5 and initializing it for the English-language area in line 44. This means that the mon() function returns the correctly formatted string for the money store status to the main program.

Starting Signal
The main program in Listing 5 finally lumps it all together. It calls the helper functions of the three defined apps in sequence and sends the corresponding JSON data to the display each time. To compile the Go program in this issue, the three standard commands in Listing 6 process all five source files discussed so far and create the ulanzi binary. To keep the display up to date, a cron job on the control computer needs to call the binary at regular intervals (e.g., hourly). This requires a working WiFi connection to the display.
If Awtrix restarts, for example, because the device was unplugged and the battery is exhausted, like in the case of a prolonged power outage or following a manual restart due to a configuration change, the Ulanzi forgets the manually edited code and only plays the preconfigured apps (unless you disabled them in advance). Things stay this way until the next API command comes from the control computer setting the latest values for all custom apps. Then the cycle starts all over again for your viewing pleasure.

Listing 6: build.sh
$ go mod init ulanzi
$ go mod tidy
$ go build ulanzi.go api.go countdown.go youtube.go dago.go

Info
[1] Ulanzi TC001 on AliExpress: https://www.aliexpress.us/item/3256804848125097.html
[2] Awtrix custom firmware for the Ulanzi TC001: https://blueforcer.github.io/awtrix-light/#/
[3] “Programming Snapshot: Process YouTube View Counts in Go” by Mike Schilli, Linux Magazine, issue 280, March 2024, pp. 44-49
[4] LaMetric icons: https://developer.lametric.com/icons
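The Uncle Scrooge’s Monitor section describes, but does not implement, the efficient way to read a logfile’s last line: seek to the end and search backwards for the preceding newline. As an added example that is not part of the column, this Go program does exactly that in fixed-size chunks, copes with the trailing newline that Unix lines end in, and then applies the digit-extraction step of mon() from Listing 4 to the line it finds; the chunk size and the sample logfile content are constructed.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"regexp"
	"strconv"
)

// LastLine returns the final line of f without reading the whole file. It
// seeks to the end and walks backwards in fixed-size chunks until it finds the
// newline that precedes the last line. One trailing newline (the Unix line
// convention) is ignored, so a file ending in "\n" still yields its last line.
func LastLine(f *os.File, chunk int) (string, error) {
	size, err := f.Seek(0, io.SeekEnd)
	if err != nil {
		return "", err
	}
	if size == 0 {
		return "", errors.New("empty file")
	}
	var tail []byte // bytes gathered so far, growing towards the front
	first := true
	for pos := size; pos > 0; {
		n := int64(chunk)
		if pos < n {
			n = pos // the front of the file is shorter than one chunk
		}
		pos -= n
		buf := make([]byte, n)
		if _, err := f.ReadAt(buf, pos); err != nil && err != io.EOF {
			return "", err
		}
		tail = append(buf, tail...)
		if first {
			first = false
			tail = bytes.TrimSuffix(tail, []byte("\n")) // ignore the final newline
		}
		if i := bytes.LastIndexByte(tail, '\n'); i >= 0 {
			return string(tail[i+1:]), nil
		}
	}
	return string(tail), nil // no newline at all: the file is one line
}

// LastNumber applies the extraction step of mon() in Listing 4 to a line: the
// first run of digits, divided by 1000. Note that it is the first run, so a
// line that starts with a date would yield the year, not the total.
func LastNumber(line string) (int64, error) {
	m := regexp.MustCompile(`\d+`).FindString(line)
	if m == "" {
		return 0, fmt.Errorf("no number in %q", line)
	}
	n, err := strconv.ParseInt(m, 10, 64)
	if err != nil {
		return 0, err
	}
	return n / 1000, nil
}

// LastLineOfContent writes constructed content to a temporary file and reads
// its last line back through LastLine, so the function can be exercised
// without a real ~/data/monlog.txt.
func LastLineOfContent(content string, chunk int) (string, error) {
	f, err := os.CreateTemp("", "monlog-*.txt")
	if err != nil {
		return "", err
	}
	defer os.Remove(f.Name())
	defer f.Close()
	if _, err := f.WriteString(content); err != nil {
		return "", err
	}
	return LastLine(f, chunk)
}

func main() {
	// Constructed stand-in for the logfile: one running total per line.
	log := "4815162\n4820000\n4833921\n"
	line, err := LastLineOfContent(log, 4) // tiny chunk to force several reads
	if err != nil {
		panic(err)
	}
	n, err := LastNumber(line)
	if err != nil {
		panic(err)
	}
	fmt.Println(line, n) // 4833921 4833
}
```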



IN-DEPTH
strace and Firejail

Jail and monitor your applications

Seamless Overview
Software from unknown sources always poses some risks. With the strace analysis tool and the Firejail sandbox, you can monitor and isolate unknown applications to safeguard your system. By Hans-Georg Eßer

Malware can occasionally become an issue for Linux users. If you download software packages from third-party providers and then install them manually rather than relying on a distribution’s official standard repositories, you need to trust the provider. If you aren’t sure, you can monitor these programs to check which files they open and which network connections they establish. Starting these tests in a sandbox also denies the program access to your physical system and private configuration files. This article looks at strace as a monitoring tool and Firejail as a sandbox.

Finding Traces
The strace [1] system call tracer can be used to discover which software accesses which files. As an example, I’ll show you how to use strace to find out which files the passwd command opens when you change your password.
Open two terminal windows and enter passwd as a normal user in one window. Do not answer the prompts for the time being. Instead, pop up a second terminal and enter as root:

strace -yy -o passwd.log -p $(pidof passwd)

This starts logging for the passwd process in the first window; the tool writes the information to passwd.log. Now enter the old password in the first window and then enter the new password twice.
After leaving passwd, analyze the logfile created by strace in the second window. In Figure 1, two grep calls show that the old password is abc123, while the new password is a49152bcbc. In addition, passwd has accessed six files in the /etc folder since logging began, including /etc/passwd and /etc/shadow (the latter file contains the cryptographic hashes of the passwords).
As the example shows, strace can easily monitor processes that are already running. However, it is usually easier to

Figure 1: Strace sees everything: It finds both file operations as well as communication with the terminal via standard input and output.

Lead Image © hywards, 123RF.com




integrate strace when launching the program. For example, line 1 in Listing 1 starts an SSH login on a computer named server42. Among other things, strace logs all network connections that are opened; you can see this by taking a look at the ssh.log file. Line 3 is a filter for lines that contain sin_addr. In the example, the program has opened connections to the local DNS server 127.0.0.53 and to server42 (on IP 192.168.178.173).

Listing 1: Opening a Connection
01 $ strace -o ssh.log ssh server42
02 [...]
03 $ grep ^connect.*sin_addr ssh.log
04 connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.0.53")}, 16) = 0
05 connect(3, {sa_family=AF_INET, sin_port=htons(22), sin_addr=inet_addr("192.168.178.173")}, 16) = 0

Table 1: Strace Filtering Options
strace -e trace=open,close   Only open() and close()
strace -e trace=file         All file operations
strace -e trace=network      All network operations

Listing 2: C Test Program
#include <unistd.h>
#include <fcntl.h>

#define BUFSIZE 4096

int main () {
  char buf[BUFSIZE] = {0};
  int fd = open("/etc/os-release", O_RDONLY);
  if (fd < 0)
    return 1;                          /* open() failed, nothing to read */
  int res = read(fd, buf, BUFSIZE-1);
  close(fd);
  if (res < 0)
    return 1;                          /* read() failed */
  write(STDOUT_FILENO, buf, res);
  return 0;
}

to open a file named /etc/os-release and read() to load up to 4,095 characters into a buffer. It then calls close() to close the file and calls write() to write the buffer content to the standard output (i.e., to the terminal window). The open(), read(), write(), and close() library functions call syscalls of the same name in the kernel, and strace can monitor their behavior.
If you compile the program and run it with strace, you will find the syscalls in the logfile that is created. Listing 3 shows the command for the call and the last lines from the logfile generated by strace. The return values of the function calls also appear in the log.
If you monitor an application over a longer period of time, the logfile will tend to be very large. It makes sense to use filters during logging. To do so, specify which syscalls you want strace to log. Details can be found in the Filtering section of the strace manpage [2]. Table 1 shows some typical examples.
The -f (--follow-forks) option is also

Strace Magic
But how does this logging work? Modern operating systems create a barrier between the hardware and the applications. For example, programs are not allowed to directly talk to a hard disk controller in order to read and search data blocks from a connected disk. Instead, each application has to be configured via system calls (syscalls for short) to ask the operating system for help. Syscalls are selected kernel functions that the program cannot use directly by making a normal function call. Instead, a more roundabout procedure is used here.
Each syscall supported by the operating system has a number that the program needs to write to a processor register. The arguments for the syscall are written to other registers. The program then executes a special machine language instruction, for example, syscall, sysenter, or a

Firejail
Firejail [3] lets you lock programs away in a jail or sandbox. Much like Docker and container-based virtualization in general, jail software lets you run programs in isolation from other applications. The view of the filesystem and the network can also be restricted. Firejail offers these features. Preparing the program profiles makes it easier to use Firejail – ideally, simply precede a program call with the firejail command. Firejail is available for installation in the standard repositories of many distributions.
Typing firejail launches a shell where network access is disabled and access to the Bash history is prohibited. These and other restrictive rules are defined by the default.profile, which Firejail loads for the newly launched shell.
classic software interrupt 128 (in assem- important. It tells strace to additionally From default.profile, two additional
bler: int 0x80). This switches the pro- monitor child processes. After all, the in- rules are used via include lines. Figure 2
gram from user mode to kernel mode. teresting things often do not happen in clearly shows that Bash, which is locked
At this point, the operating system takes the application that was launched first, in the jail, can neither read the history
control. In kernel mode, the OS has full ac- but further down in the process tree. nor ping a computer on the network.
cess to the hardware. It uses the syscall
number to find the appropriate syscall Listing 3: Strace Monitors File Access
handler. After an authorization check, it $ strace -e trace=open,read,write,close -o /tmp/testprog.log ./testprog
then completes the task resulting from the PRETTY_NAME="Ubuntu 23.10"
arguments in other registers. Any return [...]
values are stored in another register.
$ tail -5 /tmp/testprog.log
After completing the task, the operating
open("/etc/os-release", O_RDONLY) = 3
system switches from kernel mode back
read(3, "PRETTY_NAME=\"Ubuntu 23.10\"\nNAME="..., 4095) = 393
to user mode. The program then reads the
close(3) = 0
return value and continues its work.
write(1, "PRETTY_NAME=\"Ubuntu 23.10\"\nNAME="..., 393) = 393
Listing 2 shows a test program in the C
+++ exited with 0 +++
programming language that uses open()

LINUX-MAGAZINE.COM ISSUE 281 APRIL 2024 57


IN-DEPTH
strace and Firejail

In principle, software running in a jail still has access to the entire filesystem. The only exceptions to this are areas whose use you explicitly prohibit. As an alternative, you can define a private directory in which the program runs and from which it cannot break out. The --private option lets you do this; you can use it as shown in Listing 4.

This is particularly interesting for programs that you do not want to access your home directory. The folder specified after --private acts as a substitute home directory in the jail; the application can create subdirectories and store files there, but not in the entire home directory. This also effectively prevents the program from spying on your private data. Firejail also hides other users' private folders. If you add the --noprofile switch to the call, Firejail does not apply any rules from the standard profiles. In this case, for example, network tools such as ping will work.

If you run Firejail with a program name as an argument, the software looks for a suitable profile. The firejail-profiles package contains 1,200 profiles for a wide variety of applications. At startup, Firejail shows you which profile files it is using. For MPlayer, for example, there is the mplayer.profile file, which includes the generic rules from whitelist-player-common.inc (Figure 3). These rules apply to all media players and allow access to the download folder, for example.

Firejail does not work with software that you install from Snap packages because it cannot find the binaries from the Snaps. Combining Firejail with strace also seems impossible at first glance, as an attempt to, for example, have them run MPlayer fails. The solution here is a strace feature that lets the monitor itself run with root privileges, while the monitored program is running on a normal user account. Listing 5 shows the command, which uses the strace -u (for user) option.

Firejail offers numerous other options that let you fine-tune what to allow and what to prevent the software from doing [4]. It is also useful to inspect the profiles in the /etc/firejail/ folder.

Listing 4: Private Folder

$ mkdir ~/privat
$ firejail --private=$HOME/privat

Listing 5: Strace and Firejail

$ sudo strace -f -u esser \
    -o mplayer.log \
    firejail \
    mplayer -idx big_buck_bunny.avi

Figure 2: No history, no ping: Firejail disables various functions.

Conclusions

Firejail and strace let you restrict unknown and untrusted software. You can achieve even greater isolation by using a virtual machine (VM) such as VirtualBox, VMware Workstation, or KVM/Qemu, but this involves setting up a Linux system on a VM.
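To make the register-and-trap mechanism from the Strace Magic section concrete, here is an added example (not from the article) that reaches the kernel through the libc syscall() wrapper instead of the read()/write() library functions, so the syscall numbers (SYS_write and friends), the kernel's return value, and the errno mapping are all visible in the source; raw_write_all(), raw_read_all(), syscall_roundtrip() and syscall_bad_fd_errno() are names introduced here.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Added example, not from the article. syscall() loads the number (SYS_write,
 * SYS_read, ...) and the arguments into the registers, executes the trap
 * instruction, and turns a negative result from the kernel into -1 plus errno,
 * exactly the round trip the text describes. Under
 * "strace -e trace=pipe2,write,read,close" each call below shows up in the log
 * just as the library versions in Listing 3 do. */

/* Write the whole buffer with raw SYS_write calls, coping with short writes
 * and EINTR. Returns 0 on success, -1 with errno set on failure. */
static int raw_write_all(int fd, const char *buf, size_t len)
{
    while (len > 0) {
        long n = syscall(SYS_write, fd, buf, len);
        if (n < 0) {
            if (errno == EINTR)
                continue;          /* interrupted by a signal: retry */
            return -1;
        }
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Read up to len-1 bytes with raw SYS_read calls until EOF and NUL-terminate
 * the result. Returns the number of bytes read or -1 with errno set. */
static long raw_read_all(int fd, char *buf, size_t len)
{
    size_t got = 0;
    while (got < len - 1) {
        long n = syscall(SYS_read, fd, buf + got, len - 1 - got);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        if (n == 0)
            break;                 /* writer closed its end: end of data */
        got += (size_t)n;
    }
    buf[got] = '\0';
    return (long)got;
}

/* Push msg (up to 255 bytes) through a pipe using only raw syscalls:
 * pipe2, write, close, read. Returns 1 if the bytes that came back match. */
int syscall_roundtrip(const char *msg)
{
    int fds[2];
    char back[256];

    if (syscall(SYS_pipe2, fds, 0) < 0)
        return 0;
    if (raw_write_all(fds[1], msg, strlen(msg)) < 0)
        return 0;
    syscall(SYS_close, fds[1]);    /* close the write end so the reader sees EOF */

    long n = raw_read_all(fds[0], back, sizeof back);
    syscall(SYS_close, fds[0]);

    return n >= 0 && (size_t)n == strlen(msg) && memcmp(back, msg, (size_t)n) == 0;
}

/* Show how the kernel's return register reaches the program: writing to a
 * descriptor that was never opened fails, and the wrapper maps the kernel's
 * -EBADF onto a -1 return with errno == EBADF. Returns that errno value. */
int syscall_bad_fd_errno(void)
{
    errno = 0;
    if (syscall(SYS_write, -1, "x", 1) == -1)
        return errno;
    return 0;
}
```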

Figure 3: If you launch MPlayer in the jail, Firejail uses the matching rule file, which then references a profile version for all media players.

Info

[1] strace: https://strace.io
[2] strace filter options: https://man7.org/linux/man-pages/man1/strace.1.html
[3] Firejail: https://firejail.wordpress.com
[4] Firejail options: https://man7.org/linux/man-pages/man1/firejail.1.html#OPTIONS

Author

Hans-Georg Eßer is professor for operating systems at South Westphalia University of Applied Sciences. Prior to his academic career, he worked in magazine publishing, most recently as editor-in-chief of EasyLinux.


MAKERSPACE GPS Location Device

MakerSpace
Making a tiny GPS position recorder

Where in the World

Design and construct a battery-powered GPS receiver and recorder in a compact package, with firmware and a Linux-based GUI application for visualizing the data recorded.
By Andrew Malcolm

Lead Image © Zoya Fedorov, 123RF.com

A variety of solutions are available for tracking the location of things, such as locating "lost" items (e.g., smart dog collars) or locating your luggage (e.g., Apple AirTags). All these devices have to balance functionality, size, weight, and battery life (rechargeable or otherwise). A mobile phone makes a pretty good location device, because it has a GPS receiver and a radio transmitter. However, phones are relatively large, are expensive, have unnecessary components (e.g., displays), and rely on a cellular network that might not be available in remote areas.

Apple AirTags rely on Bluetooth communication with other Apple devices in the vicinity to provide position information and relay that data to iCloud, which the user can access with the Find My app. This useful function allows the tags to be very small and operate from a small button cell battery. The drawback to this method is its reliance on other devices and, again, the presence of a cell network.

The device presented here is completely autonomous; it is the size of a matchbox, weighs less than 50g (<2oz), and has its own GPS receiver, a LiPo battery providing several days of operation, and flash memory to store the acquired GPS data. Because GPS coverage is worldwide in its various forms, no other infrastructure is required for operation. The downside is that the data is only available when the device is returned to the user. This compromise will be acceptable for some applications, but not others. It would be possible to combine this design with a low-power sub-gigahertz radio transmitter – for example, 868MHz LoRa (long range) – but for a useful range, the device would have to be significantly bigger and heavier because the radio would need power to transmit messages.

One potential application of the current design would be tracking the movements of a domestic pet, an animal in a zoological park, or the migratory patterns of wildlife. I personally use the device to record hikes, because the maps overlaid with the track provide a concise reminder of the route taken.

In common with all GPS devices, the receiver requires an unobstructed view of the sky, and concealed use is rarely practicable, so its use as a plot device in many movies is inaccurate in this respect. In a car, for example, the built-in GPS receiver commonly referred to as the satellite navigation (satnav) system is typically installed on the dashboard or as part of the rear-view mirror assembly at the top of the windscreen, where it has a clear view.


Also worth noting is that reflections of the GPS signal from buildings and trees can lead to spurious location data, so some interpretation of the results may be required. Some sophisticated devices incorporate inertial navigation devices (gyroscopes and accelerometers) to augment data accuracy.

Hardware Design

The completed design, both hardware and software, can be found on my GitHub page [1]. The core of the system is an STM32 microcontroller, specifically the STM32F072CBT6 [2]. Because of the huge variety of microcontrollers on the market, the choice of an appropriate device can be daunting. Previous experience tells me that STMicroelectronics (ST) devices perform well at a good price point and are very well supported in terms of development tools and online resources. Having designed a great many projects around these devices, I also know that software development will be accelerated by my familiarity with the STM32 family and their development tools. This project could just as easily have been based on an Arduino, a PIC, or a Pi Pico, but as I say, choice comes down to familiarity and suitable package configurations with the required I/O. The key features required in this case are low power, small physical size, a real-time clock, and USB and serial peripheral interface (SPI) connectivity.

Schematic capture and printed circuit board (PCB) layout were both performed with KiCad [3], a free and open source computer-aided design (CAD) tool originally developed at CERN. KiCad really is an excellent suite of tools and handles the whole process of electronic design from schematic capture right through to generating files for manufacture. A 3D viewer generates an image of your design that you can pan and rotate, including the components.

Although PCB layout is in 2D, the ability to add 3D models of all the components and view the PCB assembly in a 3D viewer has saved me from mechanical clashes that are not apparent from the 2D design perspective. You can export the 3D model as a STEP file and import that into 3D CAD tools, such as FreeCAD [4], to build up more complex assemblies, aiding in the design of parts suitable for 3D printing (e.g., enclosures).

Many excellent online PCB companies build good-quality PCBs in a few days for less than $5 (EUR5, £5), so building prototype or experimental PCBs is not prohibitively expensive. Once the PCB design is complete in KiCad, a 3D model of the PCB assembly is exported into FreeCAD and an assembly created with the case to ensure all the assumptions about dimensions are correct.

The 3D model ensures all mechanical dimensions match up. The case in Figure 1 is shown in transparent mode with the location of the USB connector and the battery. The model identified a collision between the battery connector (to the right of the USB connector) and the battery itself. The solution was to omit the connector and solder the battery leads directly to the PCB. Because the battery is rechargeable, it should not require changing.

The microcontroller connects to the GPS module [5] with a serial universal asynchronous receiver/transmitter (UART). It connects to 4MB flash memory [6] over an SPI bus and provides a virtual serial port connection to the host. Five volts of power is delivered over the USB interface and is used to charge the 3.7V LiPo battery via a charger chip [7]. A low-dropout regulator provides the system with 3.3V from the raw LiPo voltage, powering the microcontroller, the flash memory, and the GPS module.

The on-board battery charger manages the charge state of the LiPo battery, which is small enough, at 45x25x8mm (1.75x1x0.25 inches), to fit into the smallest plastic enclosure I could find, at 50x35x20mm (2x1.5x0.75 inches) (Figure 2), and still leave room for the PCB with all the circuitry. The battery charge power is derived from the USB interface. Once disconnected from the USB host, the unit runs for more than 72 hours of continuous recording at 10-second intervals, without resorting to any power management in the firmware.

Battery life could definitely be extended by implementing a sleep/wake cycle, at the expense of longer periods between data acquisition. Because data is written directly to flash memory, no data is lost if the battery runs out of charge. Finally, three LEDs are provided to indicate the charge status, GPS fix obtained, and GPS message reception.

The complete assembly is shown in Figure 3. The extra wires are for a debugger and can be removed once the firmware is downloaded and debugged. The full schematic for the final design is shown in Figure 4.

Figure 1: The transparent 3D model shows that, although a tight fit, everything does fit in the case.

Figure 2: The enclosure made by Hammond [8].

Firmware Development

The use of integrated development environments (IDEs) can be controversial and very much a matter of taste, and it's certainly possible to do this type of


microcontroller development without one. The ARM compilers and standard libraries can be downloaded from your distro's repository, and you're off, with the use of any editor that suits you and make or cmake – again, your choice.

Once you have a compiled binary, ST-LINK utilities allow you to program your device, and you can use the GNU debugger (gdb) to debug your program. If you don't want to use the hardware abstraction layer (HAL) libraries provided by ST, you can generate your own header files with the addresses of the microcontroller registers and all the bit patterns required for configuration.

That said, ST's C/C++ development platform, STM32CubeIDE [9], which is based on Eclipse, does streamline the process by integrating the STM32CubeMX tool, a utility that allows you to configure your microcontroller and generate a software framework that does all the initialization and leaves you with a blank main() function, to which you add your own code. The HAL libraries hide a lot of the complexity of setting up some of the peripherals but are not perfect, so they must be used with caution. A number of online resources show how to use the IDE to set up the clocks, UARTs, timers, USB ports, and the like on an STM32 processor, including ST's own getting started guide [10].

Figure 5 shows the pin configuration for this design and an example of a universal synchronous/asynchronous receiver/transmitter (USART) setup. Once saved, the IDE will then generate a set of #define directives for the I/O pins that you can use in your code and a complete set of initialization routines.

At this point, you can continue to use the IDE or ignore it and use make with the generated makefile. However, if you stay with the IDE and have your hardware connected to an ST-LINK programmer, a single mouse click in the IDE build menu or a keyboard shortcut will compile, download, and run your code. This level of pre-configuration – including, if you like, the inclusion of a real-time operating system (RTOS, e.g., FreeRTOS) – can leave you free to concentrate on your application code. In a commercial environment, time to market is everything, and time savings like this can be invaluable.

Figure 3: The PCB with all the components on the underside. The battery is a snug fit!

Figure 4: Schematic for the GPS recorder.

Firmware

The firmware manages the initialization of the external devices (GPS, flash), its internal USB port, and other


peripherals. After the initialization, the firmware manages data flow from the GPS receiver to flash memory (Figure 6) and, when the device is connected to USB, responds to commands sent over the virtual serial bus to deliver data to a host computer.

The GPS module has a UART interface that operates by default at 9600 baud. Once powered up, the module starts to emit GPS "sentences" [11], which contain status and location information. It is possible to configure the module by sending configuration packets [12] – for instance, to change the frequency of the location updates. Messages in both directions are checksummed; a calculator to check the checksum calculations is available [13].

All the incoming sentences are timestamped, and this time is used to set the system clock, as well as to generate date-based file names for storing the location data. The data is in ASCII format, which means it is human readable, and is received by the microcontroller in an interrupt service routine (ISR). A typical burst of sentences that arrive at n-second intervals may be as much as 500 bytes, although much of this is discarded or suppressed by configuration. In any case, the processing required is too complex to be performed by the ISR, so the data is put in a queue.

The main program loop checks the queue at regular intervals, pulls off and processes any data available, and, if appropriate, writes the digest to flash. The "elasticity" provided by the queue means that if the main program loop is busy (e.g., sending data over USB), incoming data will not be lost. Listing 1 shows the debug data available at the console and a complete GPS sentence.

The microcontroller communicates with the external 4MB flash chip over an SPI bus. SPI commands include reading and writing sectors, erasing the entire chip, and erasing blocks of memory for reuse. Flash write operations are relatively slow, so again, it is useful to be able to buffer the incoming data.

The incoming data from the GPS receiver is parsed to extract the data of interest, balancing completeness of data against storage requirements in flash. I decided to store the data in ASCII to avoid conversion and so that the data remains human readable. Each GPS location message received is reduced to five numbers stored in tab-separated records (Listing 2): a timestamp, latitude, longitude, speed, and heading. The last two are not strictly necessary but do help weed out the more obvious erroneous data.

A filesystem is employed to simplify and organize the storage of the GPS data on the flash device. A number of open source implementations of filesystems for embedded flash devices and SD cards are available; I chose littlefs [14] because it implements flash wear leveling. The other flash filesystems available for STM architectures, notably FatFs [15], an implementation of the venerable FAT filesystem, are more suitable to removable SD cards because the lack of wear leveling will cause the card to fail eventually.

Littlefs provides a familiar Unix-like programming API with function calls such as open, read, write, close, mount, format, and so on. Porting it to the unit's flash memory involves setting some size parameters in a configuration file and providing low-level (SPI) read, write, and erase routines to interface to the flash memory.

Figure 5: The microcontroller configuration. Notice that you can label the pins of the microcontroller (bonus points if you use the same names as on the schematic!).

Listing 1: Debug Data and GPS Data

$ fix data became valid time and date set to 082853.000 on 020124
$ $GNRMC,082903.000,A,5120.7303,N,00042.7242,W,1.27,209.74,020124,,,A*6F

Listing 2: Tab-Separated Location Data

84551 51.345459 -0.711883 0.236644 122.980003
84601 51.345448 -0.711883 0.920855 135.509995
84611 51.345440 -0.711855 0.468144 155.309998
84621 51.345444 -0.711878 0.318955 240.389999
84631 51.345470 -0.711900 0.241789 203.100006

Figure 6: Data flow from GPS receiver to flash storage.

One part of the GPS message that is not stored explicitly is the "fix obtained" flag, which is set once the GPS receiver


can see sufficient satellites to be confident in its data. The flag is used as a trigger to set the system clock from the GPS data. From that point on, the parsed data is appended to a file with a name of format DD_MM_YY, so when the clock rolls over at midnight, a new file is created and recording continues.

Over time, the root of the filesystem fills with files containing each day's GPS records. At around 50 bytes per record, that's about 10 days of data for the current flash chip if recording continuously. Of course, much bigger devices are available, and for the current design, going from 4 to 16MB is possible without re-laying out the board. The host application described later allows the user to archive and offload data files for later review, thus freeing up flash memory for more data.

Listing 3 shows the routine that processes GPS messages from the queue and writes the processed data to the current file (Figure 7).

Figure 7: Program flow for processing GPS messages.

Listing 3: Processing GPS Messages

#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/** Drain the GPS queue: verify each sentence, parse the RMC fields, track the fix state
 *  and append one tab-separated record per valid position to the current day's file. */
void gps_process_msg(void)
{
    static uint8_t buffer[512];

    static bool fix_valid = false;

    while(queue_size(queue))
    {
        queue_get(queue, buffer, sizeof(buffer));

        char time[16];
        char date[16];
        char latitude[16];
        char longitude[16];
        char speed[16];
        char course[16];
        char valid, ns, ew;

        if(debug)
        {
            printf("%s\n$ ", buffer);
        }

        if(check_crc(buffer, sizeof(buffer)))
        {
            /* each %[^,] is limited to 15 characters so an oversized field cannot overrun the 16-byte arrays */
            int n = sscanf((char *)buffer, "$GNRMC,%15[^,],%c,%15[^,],%c,%15[^,],%c,%15[^,],%15[^,],%15[^,]",
                           time, &valid, latitude, &ns, longitude, &ew, speed, course, date);

            if(n >= 2 && valid == 'A')
            {
                if(!fix_valid)
                {
                    fix_valid = true;
                    set_time_and_date(time, date);

                    if(debug)
                    {
                        printf("fix data became valid time and date set to %s on %s\n$ ", time, date);
                    }
                }

                float decimal_latitude = nmea_to_decimal_degrees(latitude, ns);
                float decimal_longitude = nmea_to_decimal_degrees(longitude, ew);
                float decimal_speed = atof(speed);
                float decimal_course = atof(course);
                /* one record as in Listing 2: hhmmss, latitude, longitude, speed, course */
                char record[330];
                int length = sprintf(record, "%.6s\t%12.8f\t%12.8f\t%12.8f\t%12.8f\n", time, decimal_latitude,
                                     decimal_longitude, decimal_speed, decimal_course);

                append_to_current_file(record, length);
            }

            if(n < 2 || valid != 'A')
            {
                if(fix_valid)
                {
                    fix_valid = false;
                    if(debug)
                    {
                        printf("fix no longer valid\n$ ");
                    }
                }
            }
        }
    }

    // turn on an LED when fix obtained
    HAL_GPIO_WritePin(LED1_GPIO_Port, LED1_Pin, !gps_get_fix_obtained());
}
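Listing 3 relies on check_crc(), which the article does not show. As an added example, not the project's code, here is the NMEA checksum verification that call stands for, together with a bounded version of the same RMC parse and a double-precision form of the Listing 4 conversion that finds the decimal point instead of assuming its position; the rmc_fix_t type and the nmea_* names are introduced here, and sample_rmc is the sentence from Listing 1.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not the project's code. The sentence below is the one printed
 * in Listing 1 and is used as the sample input. */
const char *const sample_rmc =
    "$GNRMC,082903.000,A,5120.7303,N,00042.7242,W,1.27,209.74,020124,,,A*6F\r\n";

typedef struct {
    char   time[16];      /* hhmmss.sss as sent by the receiver */
    char   date[16];      /* ddmmyy */
    int    valid;         /* 1 when the status field is 'A' (fix obtained) */
    double latitude;      /* decimal degrees, south negative */
    double longitude;     /* decimal degrees, west negative */
    double speed_knots;   /* speed over ground as the receiver reports it */
    double course;        /* course over ground in degrees */
} rmc_fix_t;

/* NMEA checksum: XOR of every byte between '$' and '*', transmitted as two hex
 * digits after the '*'. Returns 1 only when the sentence carries that value. */
int nmea_checksum_ok(const char *sentence)
{
    if (sentence == NULL || sentence[0] != '$')
        return 0;
    const char *star = strchr(sentence, '*');
    if (star == NULL || !isxdigit((unsigned char)star[1]) || !isxdigit((unsigned char)star[2]))
        return 0;

    unsigned char sum = 0;
    for (const char *p = sentence + 1; p < star; p++)
        sum ^= (unsigned char)*p;

    char hex[3] = { star[1], star[2], '\0' };      /* exactly two digits; trailing CRLF ignored */
    return sum == (unsigned char)strtoul(hex, NULL, 16);
}

/* (d)ddmm.mmmm plus hemisphere -> signed decimal degrees. The two digits before
 * the decimal point are minutes, everything before them is degrees, so both the
 * latitude (ddmm.m) and longitude (dddmm.m) layouts are handled. */
double nmea_to_degrees(const char *field, char hemisphere)
{
    const char *dot = strchr(field, '.');
    if (dot == NULL || dot - field < 3 || dot - field > 5)
        return 0.0;                                 /* not a ddmm.m / dddmm.m field */
    size_t deg_digits = (size_t)(dot - field) - 2;  /* all but the two minute digits */
    char degrees[4] = { 0 };
    memcpy(degrees, field, deg_digits);
    double value = atoi(degrees) + atof(field + deg_digits) / 60.0;
    return (hemisphere == 'S' || hemisphere == 'W') ? -value : value;
}

/* Parse one $GNRMC or $GPRMC sentence. Returns 1 when the sentence is intact
 * (fix->valid then says whether it carries a position) and 0 when the checksum
 * fails, the talker is wrong, or a sentence claiming a fix is missing fields.
 * Every %[ conversion has a width so an oversized field cannot overrun the
 * 16-byte arrays, the weakness of an unbounded "%[^,]". */
int nmea_parse_rmc(const char *sentence, rmc_fix_t *fix)
{
    char lat[16], lon[16], spd[16], crs[16], status = 0, ns = 0, ew = 0;

    memset(fix, 0, sizeof *fix);
    if (!nmea_checksum_ok(sentence))
        return 0;
    if (strncmp(sentence, "$GNRMC,", 7) != 0 && strncmp(sentence, "$GPRMC,", 7) != 0)
        return 0;

    int n = sscanf(sentence + 7, "%15[^,],%c,%15[^,],%c,%15[^,],%c,%15[^,],%15[^,],%15[^,]",
                   fix->time, &status, lat, &ns, lon, &ew, spd, crs, fix->date);
    if (n < 2)
        return 0;
    fix->valid = (status == 'A');
    if (!fix->valid)
        return 1;           /* receiver has no fix: the position fields are empty */
    if (n != 9)
        return 0;

    fix->latitude    = nmea_to_degrees(lat, ns);
    fix->longitude   = nmea_to_degrees(lon, ew);
    fix->speed_knots = atof(spd);
    fix->course      = atof(crs);
    return 1;
}
```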


Listing 4: Coordinate Conversion

#include <stdlib.h>
#include <string.h>

/** Convert an NMEA (d)ddmm.mmmm field plus its N/S or E/W indicator into signed decimal degrees. */
static float nmea_to_decimal_degrees(char *nmea, char nsew)
{
    float decimal = 0;
    if(strlen(nmea) > 5)
    {
        char integer_part[3+1];
        /* latitude has two degree digits (ddmm.), longitude three (dddmm.) */
        int digit_count = (nmea[4] == '.' ? 2 : 3);
        memcpy(integer_part, nmea, digit_count);
        integer_part[digit_count] = 0;
        nmea += digit_count;

        decimal = atoi(integer_part) + atof(nmea)/60.0f;
        if(nsew == 'W' || nsew == 'S')
        {
            decimal = -decimal;
        }
    }
    return decimal;
}

It is apparent that some conversion of coordinates in GPS sentences is taking place from NMEA format [16] [17] to decimal (Listing 4). NMEA format is (d)ddmm.mmmm, where d is degrees and m is minutes. East or west is specified in another field in the sentence.

Linux-Like Console

The USB interface is configured as a virtual serial port, and on Linux systems it will appear as /dev/ttyACM0 (or /dev/ttyACM1, etc.). You can connect to this port from a Linux host with a terminal emulator (e.g., Minicom) or programmatically with the usual file semantics (e.g., open/read/write/close). Later you'll see how you can use this to your advantage.

The firmware implements a familiar command-line interface (CLI), with a few Linux-like commands (e.g., ls, cat, rm), which are very helpful during debugging, so you know what files have been generated and can print them to the screen (Figure 8). Later on, after the graphical user interface (GUI) was developed, the same interface was used from within the Linux host, opening the USB device and issuing the same commands. Therefore, the same interface serves both as an interactive CLI-like interface and as an API that the host program can use.

Host Application

The Linux host application is written in C with GTK+ to provide a GUI. The main visual element of the application is a map overlaid with the location data in the form of a track. The maps are loaded from OpenStreetMap (OSM) with the excellent open source library osm-gps-map [18]. This solution was chosen over Google Maps, which requires a (paid) API key for embedding Google Maps in an external application. OSM does not have satellite image data, but the maps themselves are detailed and accurate.

Figure 8: The CLI is the same in the firmware and the GUI.

Figure 9: Map layout is arranged with the help of the GTK toolkit.

Figure 10: Resetting the home location.


All the details of loading maps are handled by this library along with rendering the maps to a GTK+ widget. You can scroll around the map, encompassing the whole world, and zoom in and out in a manner familiar from Google Maps. (The OSM library caches maps in your /tmp folder, so you might see some delay in displaying maps as you scroll outside of already cached areas.)

The API allows you to add tracks in the form of a sequence of points expressed in coordinates. Because the map notifies the application of mouse clicks and other events, if you click on or get close to a point on the track, application code displays a pop-up giving exact coordinates and a timestamp of when the point was visited.

Layout of the various GTK widgets is provided by three nested GtkBox layout widgets, arranging the file list to the left of the main map widget and the various controls below (Figure 9). A status bar at the bottom of the application window indicates the number of points loaded to form the current track, and a status button to the right gives live information on free space on the flash drive and the status of the GPS module.

When the application starts, it checks for the presence of the device by attempting to open /dev/ttyACM0. If the device is available, the application issues the ls command to get a list of files available on the device, named in the form DD_MM_YY, so the date of interest is easy to identify. These file names (and their sizes) are displayed in a list to the left of the application.

If you right-click on a selected file, a pop-up menu appears allowing you to delete a file or save it to the local disk in a file-chooser window. Double-clicking on the selected row will cause the location data to be plotted on the map to the right. The map's home location is stored in an INI file, which defaults to Greenwich, UK, home of the prime meridian, but that can be changed at any time to anywhere in the world by double-clicking on the desired home location on the map (Figure 10). Figure 11 shows a typical track obtained from a recent car journey on Christmas Eve.

Figure 11: The recorded track is displayed on a map from OpenStreetMap.

Listing 5: Retrieving Acquired Points

#include <stdbool.h>
#include <stdio.h>
#include <string.h>

// define the callback function
typedef void (*pf_add_point_t)(long time, double latitude, double longitude, double speed, double course);

// one knot in metres per second; the listing uses this name without showing its definition
static const double knot_to_ms = 0.514444;

/** Send "cat filename" to the device and hand every record it returns to add_point. */
void gps_recorder_device_list_file_points(FILE *device, char *filename, pf_add_point_t add_point)
{
    char buffer[64];
    double latitude;
    double longitude;
    double speed;
    double course;
    long time;

    int points = 0;

    fprintf(device, "cat %s\r", filename);
    fflush(device);   // a read+write stream must be flushed before switching from writing to reading

    while(true)
    {
        // stop on a read error or EOF, otherwise a stale buffer would loop forever
        if(fgets(buffer, sizeof(buffer), device) == NULL)
        {
            break;
        }

        // a blank line (a lone carriage return) after at least one record marks the end of the file
        if((strlen(buffer) == 1) && (points > 0))
        {
            break;
        }

        int n = sscanf(buffer, "%ld\t%lf\t%lf\t%lf\t%lf", &time, &latitude, &longitude, &speed, &course);

        if(n == 5)
        {
            speed *= knot_to_ms;   // the device stores knots; deliver m/s to the caller
            add_point(time, latitude, longitude, speed, course);
            points++;
        }
    }
}


GPS Location Device MAKERSPACE

Listing 6: Putting Points on a Map


01 /** */ 13 sprintf(buffer, "%d points displayed", ++points);

02 static void file_tree_view_row_activated(...) 14 gtk_label_set_text(GTK_LABEL(app_data->status_label),

03 { buffer);

04 ... 15

05 /** local function used as callback */ 16 while (gtk_events_pending())

06 void add_point_to_map(long time, double latitude, 17 {

double longitude, double speed, double course) 18 gtk_main_iteration_do(true);

07 { 19 }

08 OsmGpsMapPoint *map_point = osm_gps_map_point_new_ 20 }


degrees(latitude, longitude); 21
09 osm_gps_map_point_set_user_data(map_point, (void*) 22 // call the list function passing a pointer to the
time); local function above.
10 osm_gps_map_track_add_point(track, map_point); 23 gps_recorder_device_list_file_points(app_data->device,
11 filename, add_point_to_map);

12 char buffer[32]; 24 }

Listing 5 demonstrates communication with the device over the virtual serial link, issuing the cat command and delivering the data to the caller by way of a callback (pointer to function). The code reads each line from the file in turn until a blank line is encountered (a single carriage return character), indicating the end of the file. Listing 6 shows the use of this routine in the GUI code.

Wrap-Up
This GPS recorder was an interesting project: Once it can see the GPS satellites, it will record its location every 10 seconds until the flash memory fills up. I think it’s sometimes very instructive to build from scratch what is a familiar item: After all, you often use satnav and phone geolocation in your everyday lives, but this project was an opportunity to deconstruct a seemingly complex system that is often overlaid with so much software and visual context that it is easy to lose sight of the underlying technology.
The host application does not process the data in any way, but you have some scope for filtering the data on the basis of speed and heading data, as well as by applying more sophisticated filtering by looking at the data as a whole rather than as discrete items. Quite a lot of information about these techniques is available, and the interested reader is encouraged to search online.

Author
Andrew Malcolm (MIET, CEng) is a retired hardware and firmware engineer. He maintains a keen interest in engineering in general and building embedded projects like this one in particular. He is an avid user of Linux and all the open source and free engineering tools available for it. He can be contacted at [email protected].

LINUX-MAGAZINE.COM ISSUE 281 APRIL 2024 67


MAKERSPACE Python and Node-RED

MakerSpace
Mix low-code Node-RED with Python

Snake Senses
Adding Python to your Node-RED arsenal lets you create easy Raspberry Pi robotic and IoT projects. By Pete Metcalfe

If you want to build some fun Pi projects but are still working on your Python skills, then mixing low-code Node-RED with Python might be an option for you. Node-RED [1] is a low-code drag-and-drop interface that is extremely powerful for the creation of Raspberry Pi robotic and Internet of Things (IoT) projects.
Node-RED’s custom scripting is JavaScript; however, you can also use Python, which offers a platform to play and learn Python basics for high-level tasks such as scheduling and web dashboards while taking advantage of Node-RED’s low-code interface.
In many cases, Raspberry Pi features are only available in Python, so even die-hard Node-RED users could benefit from knowing how to integrate Python into their projects. In this article, I look at two examples that mix Python and Node-RED. The first creates a web dashboard to drive a Raspberry Pi rover; the entire project only requires two Node-RED widgets. The second project creates an IoT page that shows temperature and humidity data from a BME280 sensor.

Getting Started
Depending on your Raspberry Pi image, Node-RED may already be installed. If not, see the Node-RED documentation [2] or your Pi image for custom installation directions.
Some excellent dashboard components can be used to create lightweight web interfaces. A great widget to include in your toolset is the Button State flow for creating an array of buttons. To install this component select the Node-RED Menu | Manage Palette item, click the Install tab, and search for ui-button (Figure 1).
The next important step is to add a Python-enabled widget. Among the various choices, I chose the python-function-ps component (Figure 2) because it was recently updated; however, the other choices worked on my test projects, as well. The ability to use Python instead of JavaScript in Node-RED is an extremely useful feature; however, it’s not bulletproof, so some care may be needed when you’re using advanced Python libraries. In the next section, I use these two widgets to control a Raspberry Pi rover.

Figure 1: Add a button array into Node-RED.
Figure 2: Add Python scripting into Node-RED.
Photo by David Clode on Unsplash



Raspberry Pi Rover
Many approaches that use a Raspberry Pi can lead to a car or rover. For this project I used:
• A two-motor car chassis (~$15)
• A portable battery (5V, 3A output, ~$30)
• A Raspberry Pi with a motor shield
• Four alligator clips and four jumper wires
• Elastic bands and duct tape
For this project I wanted to ensure that Python scripting with Node-RED could be used on a variety of Pi models. I tested on a 1 B+, 3, and 4. The Pi 1/2 are old and slow but they have the advantage of lower power. For a Raspberry Pi 3 and 4, the portable battery needs to output 3A. If you are using a Pi 1 or 2 you can use a standard 2.1A phone charger.
Because of the power draw, connecting motors directly to a Raspberry Pi is not recommended; luckily, some good motor or automation shields are available for around $25. If you’re feeling adventurous, you can build your own motor shield with a L293D chip (16-pin motor driver integrated circuit) for about $4. On this project, I used an older PiFace Digital module, which has good Python support but weak Node-RED functionality.
The two-motor car chassis usually comes without any wiring on the motors. For a quick setup, I use a combination of alligator clips and jumper wires to connect the motor terminals to the Pi motor shield. A couple of strips of duct tape are useful for holding the wires in place. Finally, elastic bands keep the portable battery and the Raspberry Pi attached to the chassis.
To test the hardware setup, I found it best to keep the car chassis raised with the wheels off the ground. This step allowed me to use a standard power plug without killing the battery before I was ready to play. You might have to adjust the wiring to ensure the motors are both turning in the required direction.
The first software step is to install your motor’s Python library. (Note: This step will vary depending on your motor shield.) For my hardware, I installed the PiFace library with:

pip install pifaceio

At this point, you should test the hardware directly with Python. Check your hardware documentation for some sample code to turn the motor on and off.
To test a single motor with Python within Node-RED, four flows are used: two inject, one python-function-ps, and one debug (Figure 3). A debug flow isn’t required, but it’s useful to verify that the Python code runs cleanly. The inject flows create a message payload with either a numeric 0 or 1 to stop or start the motor.
In the python-function-ps flow, the incoming Node-RED message (msg) is accessed as a Python dictionary variable. The following Python examples read, set, and clear the Node-RED message:

# get the message payload
themsg = msg['payload']
# set the payload
msg['payload'] = "Good Status"
# create a new message item
msg['temperature'] = 23.5
# clear the entire message
msg.clear()

For the PiFace library, my code needed to do a write_pin command to set a specific pin. A write command then outputs the requested states for all the pins. To set pin 0 to the incoming payload message, use:

pin = 0
# Pass the msg payload as the pin state
pf.write_pin(pin, msg["payload"])
pf.write()

Once the basic testing is complete, the next step is to define a Node-RED dashboard with buttons to control the rover.

Figure 3: Node-RED test logic to control a motor.
Figure 4: Node-RED logic to control a Raspberry Pi rover.



The final Node-RED logic for this project only requires two widgets: The Button State component creates an array of user buttons, and python-function-ps runs the Python code to control the motors (Figure 4).
The Button State widget is edited with a double-click. Multiple buttons can be added with custom labels, payloads, and colors (Figure 5). A simple two-character string is used for the buttons’ message payloads, with the first character being the LEFT motor state, and the second being the RIGHT motor state. A FORWARD command sets both the LEFT and RIGHT motors to 1, with a payload of 11. A STOP command sets both motors off with a 00 payload. It’s important to note that to turn left, the left motor needs to be turned off and the right motor needs to run – and vice versa for turning right.
The python-function-ps flow (Listing 1) imports the Python pifaceio library (line 4) and creates a pf object (line 5). Next, the button payload passed in is parsed to make two variables: the LEFT and RIGHT requested motor state (lines 8 and 9). Lines 13-15 write the motor states.

Listing 1: Python Control Code
01 #
02 # Set PiFace Digital Pins
03 #
04 import pifaceio
05 pf = pifaceio.PiFace()
06
07 # Get the Left and Right requested state
08 LEFT = int(msg["payload"][0])
09 RIGHT = int(msg["payload"][1])
10
11 # Set the left and right pin motor values
12 # the left motor is on pins 0 and right is on pin 1
13 pf.write_pin(0,LEFT)
14 pf.write_pin(1,RIGHT)
15 pf.write()
16
17 return msg

Figure 6 shows the Node-RED dashboard and the rover with a PiFace Digital module mounted on a Pi 1. Future enhancements to this project could take advantage of motor shields that support reverse motor directions or variable-speed motor settings.

Sensor Project
You have the choice of an excellent selection of Raspberry Pi Python starter projects, but communicating with sensors and I/O are usually good places to start for people interested in building IoT projects.

Figure 5: Configure a Node-RED button array.
Figure 6: Pi Rover with Node-RED dashboard.

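Listing 1 trusts msg["payload"] exactly as the browser sent it. As an added example (not the article’s code), here is the same function-node logic with the payload validated first; FakePiFace is a constructed stand-in for pifaceio.PiFace so it runs without the shield, and parse_motor_payload, drive and COMMANDS are names introduced here.

```python
"""Validate the two-character rover payload before it reaches the motor pins.

Added example, not from the article: the dashboard payload originates in a
browser, so the python-function-ps node should check it before driving GPIO.
FakePiFace is a constructed stand-in for pifaceio.PiFace.
"""

# Commands the dashboard buttons send: first char = LEFT motor, second = RIGHT.
COMMANDS = {
    "11": "FORWARD",
    "00": "STOP",
    "01": "LEFT",   # left motor off, right motor running
    "10": "RIGHT",  # right motor off, left motor running
}


class PayloadError(ValueError):
    """Raised when a dashboard payload is not a valid motor command."""


def parse_motor_payload(payload):
    """Return (left, right) pin states for a valid two-character payload.

    Accepts only a str (Node-RED may also deliver ints or dicts) of exactly
    two characters, each '0' or '1'.
    """
    if not isinstance(payload, str):
        raise PayloadError(f"payload must be a string, got {type(payload).__name__}")
    if len(payload) != 2 or any(ch not in "01" for ch in payload):
        raise PayloadError(f"payload must be two characters of 0/1, got {payload!r}")
    return int(payload[0]), int(payload[1])


class FakePiFace:
    """Constructed stand-in for pifaceio.PiFace: records pin states in memory."""

    def __init__(self):
        self.pending = {}
        self.written = {}

    def write_pin(self, pin, state):
        self.pending[pin] = state

    def write(self):
        self.written = dict(self.pending)


def drive(pf, msg):
    """Apply a validated payload to pins 0 (left) and 1 (right).

    On a bad payload both motors are stopped rather than left in an unknown
    state, and the error is reported back through msg for the debug node.
    """
    try:
        left, right = parse_motor_payload(msg.get("payload"))
        msg["command"] = COMMANDS[msg["payload"]]
    except PayloadError as exc:
        left, right = 0, 0
        msg["command"] = "STOP"
        msg["error"] = str(exc)
    pf.write_pin(0, left)
    pf.write_pin(1, right)
    pf.write()
    return msg
```

The same check matters if you use the exec-node workaround mentioned in the Summary, where the payload is appended to a command string.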


In this second project, I look at acquiring temperature and humidity data from a BME280 sensor (~$5); however, if you have a different sensor, you should be able to adapt this project to your needs. For the programming, you gather the sensor data in Python, and the real-time scheduling and the web dashboard are created in Node-RED. The BME280 sensor is connected to the Pi over inter-integrated circuit (I2C) connections. The serial data (SDA) and serial clock (SCL) are on Raspberry Pi pins 3 and 5 (Figure 7).
The first step in this project is to enable I2C communications and then install a Python BME280 library:

# Enable I2C, 0 = enable, 1=disable
sudo raspi-config nonint do_i2c 0
# Install Python BME280 library
pip install RPI.BME280

BME280 sensors are typically on addresses 0x76 or 0x77. To verify the address, use the i2cdetect command-line tool:

# Scan for I2C devices
$ i2cdetect -y 1

To ensure that the sensor, I2C communications, and Python library are all working, create a Python test program (Listing 2). If everything is hooked up and working correctly, some values should appear:

# Check BME280 setup with a Python test app
#
$ python3 bme_test.py
Temperature: 20.943249713495607
Pressure: 996.5068353240587
Humidity: 52.84257199879564

This Python code can be moved and tested in the Node-RED environment with inject and debug flows (Figure 8). A slight modification to the code in Figure 8 (lines 17-21) passes the sensor results to the dictionary msg variable instead of doing a print statement as in Listing 2. The debug flow is defined

Figure 7: Pi wiring for a BME280 sensor.

Listing 2: Test BME280 Sensor
01 # bme_test.py - Show values from a BME280 sensor
02 #
03 import smbus2
04 import bme280
05
06 # BME280 sensor address (default address could be: 0x76)
07 address = 0x77
08
09 # Initialize I2C bus
10 bus = smbus2.SMBus(1)
11
12 # Load calibration parameters
13 calibration_params = bme280.load_calibration_params(bus, address)
14
15 # Get sampled data
16 data = bme280.sample(bus, address, calibration_params)
17
18 print("Temperature: ", data.temperature)
19 print("Pressure: ", data.pressure)
20 print("Humidity: ", data.humidity)

Figure 8: Node-RED BME280 test logic.
Figure 9: Chart BME sensor data.



to show the complete message, so the debug pane shows all the sensor results.
The next step is to show the results in a web dashboard, which includes the addition of two new widgets. The first new addition is an old-style mercury thermometer widget (ui-widget-thermometer), and the second is a scheduler (bigtimer). Note that it might be useful to include the Node-RED BME280 component for a comparison check.
The final application (Figure 9) uses the same Python code as in the earlier test circuit, but a bigtimer widget schedules its execution. Although this widget has excellent scheduling functionality, to keep things simple, you can just use the widget’s middle output to send a pulse every minute.
The thermometer flow shows the temperature value, which is the payload message from the Python code. A chart widget reads the same temperature value and presents the results in a two-hour line plot. A change flow moves the humidity to the message payload (Figure 10), which allows a second chart to show the humidity in a bar chart.
Figure 11 shows the Node-RED BME280 dashboard with the Raspberry Pi and sensor setup. This project could be enhanced to show the results from multiple sensors.

Summary
Python scripting in Node-RED offers new programmers a great way to build some interesting applications without getting too bogged down in graphical interfaces. In a few cases, the python-function-ps widget crashed. For me, this occurred with hardware-specific libraries like pyusb. A good workaround is to use the built-in exec component, which can run an external Python program. The exec widget supports appending message payloads to the called program string.

Figure 10: Move the humidity message item to the payload.
Figure 11: Raspberry Pi with BME280 sensor and the Node-RED dashboard.

Info
[1] Node-RED: https://nodered.org/
[2] Installing Node-RED: https://nodered.org/docs/getting-started/

Author
For more of Pete’s projects, see: https://funprojects.blog.

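The Figure 8 modification described above copies the sensor readings into msg instead of printing them. As an added example, not from the article, this version also checks each reading against the BME280 datasheet operating ranges before it reaches the dashboard; FakeSample stands in for the object bme280.sample() returns, and sample_to_msg, check_reading and LIMITS are names introduced here.

```python
"""Build the Node-RED msg from a BME280 sample and reject implausible readings.

Added example, not from the article. A loose SDA/SCL wire or a wrong I2C
address can yield garbage values rather than an exception, so each reading is
checked against the datasheet operating range before it is charted.
FakeSample is a constructed stand-in for the bme280.sample() result.
"""
from collections import namedtuple

# Stand-in for the bme280 sample object, which exposes these three attributes.
FakeSample = namedtuple("FakeSample", "temperature pressure humidity")

# Operating ranges from the BME280 datasheet: degC, hPa, %RH.
LIMITS = {
    "temperature": (-40.0, 85.0),
    "pressure": (300.0, 1100.0),
    "humidity": (0.0, 100.0),
}


def check_reading(name, value):
    """Return value as float if it is a real number inside the sensor range."""
    low, high = LIMITS[name]
    if not isinstance(value, (int, float)) or value != value:  # rejects NaN
        raise ValueError(f"{name}: not a number ({value!r})")
    if not low <= value <= high:
        raise ValueError(f"{name}: {value} outside {low}..{high}")
    return float(value)


def sample_to_msg(data, msg):
    """Populate msg the way the dashboard flow expects.

    msg["payload"] carries the temperature for the thermometer and line chart;
    msg["humidity"] and msg["pressure"] ride along for the change node.
    A bad reading leaves payload untouched and sets msg["error"] instead,
    so the dashboard never plots a bogus point.
    """
    try:
        readings = {name: check_reading(name, getattr(data, name)) for name in LIMITS}
    except ValueError as exc:
        msg["error"] = str(exc)
        return msg
    msg["payload"] = round(readings["temperature"], 2)
    msg["humidity"] = round(readings["humidity"], 2)
    msg["pressure"] = round(readings["pressure"], 2)
    return msg
```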


INTRODUCTION LINUX VOICE

Computer screens constantly offer a different view, but computer keyboards? They’re always the same, right? You can choose an ANSI or ISO layout or, if you want to splurge, you can get an ergonomic model with a built-in tracking ball, but those keys really just look like keys – that is, until you enter the exotic world of artisan keycaps, where a key on your keyboard could look like a skull, a flying saucer, or a Pokémon figure. This month we take you inside the strange realm of artisan keycaps.
Also in this issue, get some tips for better security with the easy-enough-for-everyone ufw firewall, and learn about a pair of alternatives to the standard directory tool ls: lsd and eza.
Image © Olexandr Moroz, 123RF.com

Doghouse – Open Source Essentials 77
Jon “maddog” Hall
A new LPI certification can help those outside of tech gain a meaningful understanding of open source.

UFW Firewall 78
Marcin Gastol
UFW takes the complexity out of iptables, which is great for beginners and is even good for experienced users who want to keep it simple and avoid hidden mistakes.

lsd and eza 81
Ferdinand Thommes
LSDeluxe and eza are modern implementations of the ancient Unix ls command in the Rust programming language.

FOSSPicks 84
Graham Morrison
This month Graham looks at Durdraw, Librum, Neon Modem Overdrive, Seqchess, tui, and more.

Artisan Keycaps 90
Branden Zavaleta
Artisan keycaps elevate the mechanical to the magnificent.



DOGHOUSE – OPEN SOURCE ESSENTIALS LINUX VOICE

MADDOG’S DOGHOUSE
A new LPI certification can help those outside of tech gain a meaningful understanding of open source. BY JON “MADDOG” HALL

Jon “maddog” Hall is an author, educator, computer scientist, and free software pioneer who has been a passionate advocate for Linux since 1994 when he first met Linus Torvalds and facilitated the port of Linux to a 64-bit system. He serves as president of Linux International®.

Bridging the Gap

It is not often I write about “work-related” topics, but today I have the Linux Professional Institute’s (LPI’s) newest certificate, Open Source Essentials, on my mind.
It was about three years ago that Evan Leibovitch, one of the founders of LPI, and I were discussing the need for an open source certificate or certification for nontechnical people. The issue was to address situations that many technical people had experienced while talking to their nontechnical managers about free and open source software.
The trouble quite often started with the engineer using the term “free software” in discussing things with their manager. “Well, if it is free, then how do the developers make money?” was often the question, and the conversation would go downhill from there. Once the manager got into their head the differences between free software, gratis software, and freedom software the conversations did not get much better.
Other sticking points were the concept that the software is licensed and you do have to obey the license and that some licenses are not compatible with other licenses, so you do have an obligation to understand the licensing. Of course managers and intellectual property lawyers are not the only ones who need Open Source Essentials. Marketing people, educators, investors, people writing documentation, trade show people, HR people, and even closed source professionals are also part of the target audience.
Many people might think that open source has been around a long time now, and many people know about it. While it is true that many people know the words “open source” and roughly what it does, the devil (like so many things) is in the details.
Another example of the disconnect between managers and open source technical personnel is the need, from time to time, for technical people to attend an open source technical conference or meeting. Managers are used to sending technical people to trade shows to answer questions from customers. Often the company pays the registration fee, travel expenses, and salary for the time the programmer attends the event. However, in the open source world there often is no “trade show” and programmers are talking to other programmers at these events. Worse yet, the conference may be about one part of open source software that the programmer’s company does not even use – it is just that the programmer is the developer for that software, and other people at the conference do development on parts of the software the programmer’s company does use. Open Source Essentials stresses points about “community.”
Closed source companies often buy software from other companies. There are contracts that are formed, penalties paid if schedules slip, trained people who can answer questions regarding the smallest detail. This can allow managers to plan when a product will be done. In the FOSS world people may not be paid for the work they do and the software they write. They work on it in their spare time. Although they are willing to fix bugs and explain code, they have to do so on their own time and not their company’s time. This can affect the company that is using their code. This is not a reason to stop using open source code, but understanding this will allow a proper schedule to be made in trade for lower costs in development. A discussion of risk management is also useful in areas of open source.
There are certain tools that are useful in open software production. Because a lot of the software is produced in a distributed, collaborative way, tools that are low or no cost and distributed widely are preferred and are used predominantly in development of open source.
Besides open source software, there is also “open data,” which can be used freely to create backgrounds or common data without paying exorbitant fees or worrying about redistribution rights. Open hardware design can help lower both development and system costs to the end user as well as extend the useful life of the hardware.
Finally, and probably most important, is an understanding of the many business models for making money with open source (including free software). While many managers are familiar with lots of business models for closed source, open source often requires extra attention to the revenue stream and expense flow. Unique models such as dual licensing (which often requires a single assigned copyright holder) can be made with open source.
Open Source Essentials is not a certification that would have to be updated every five years or so. It is a certificate that explains the width and breadth of open source. A manager, lawyer, or HR person will understand a lot of the jargon and sticking issues after studying the objectives of the certificate and will probably be able to make this study last a lifetime.
In the next few weeks, watch for LPI’s Open Source Essentials certificate at lpi.org.



LINUX VOICE UFW FIREWALL

Uncomplicate your firewall configuration with UFW

Keep It Simple
UFW takes the complexity out of iptables, which is great for beginners and is even good for experienced users who want to keep it simple and avoid hidden mistakes. BY MARCIN GASTOL

Uncomplicated Firewall (UFW) [1] is a user-friendly front end for managing rules for the iptables [2] firewall system built into Linux. The main goal of UFW is to simplify the process of configuring a firewall for users of all experience levels without compromising the integrity and security of the system it protects. UFW is used in various Linux distributions, particularly Debian-based systems like Ubuntu.
UFW operates by abstracting the complexity of iptables and providing a simpler command-line interface. It comes with reasonable default settings and has support for IPv6. Moreover, UFW allows for easy management of both simple and complex network rules, which makes it highly adaptable to various security needs.
UFW allows administrators to enforce policies and control traffic flow into and out of the network. Proper configuration of UFW can help prevent common security threats such as port scanning, DDoS attacks, and unauthorized remote access.
Given the complexity and variety of threats in today’s digital landscape, a well-configured firewall is not just a recommendation; it is a necessity. UFW serves as a versatile tool that balances ease of use with powerful functionality. In environments where security is paramount, UFW allows for rapid deployment of firewall rules, real-time adjustments, and detailed control over both incoming and outgoing traffic. This adaptability is crucial, especially in situations where security requirements can change rapidly, such as in response to an emerging threat or a new network configuration.
Moreover, UFW’s logging capabilities provide valuable insights into network traffic patterns and potential security threats. Analyzing these logs can help identify trends, suspicious activities, and areas where security policies need adjustment.
UFW is included with Ubuntu-based distros, as well as many other Linux alternatives. If UFW isn’t present on your system, you might still be able to find it in your distro’s package repositories. The article will introduce you to some of the most important and useful UFW commands. For more on setting up and using UFW, see the documentation for your Linux distribution.

Common Threats
UFW is capable of addressing some of the most common Internet security threats using just a few simple commands. For instance, attackers often use port scanners to look for open ports. To block all incoming ports except SSH port 22 (which you might need to use for remote access), you could enter the following:

sudo ufw default deny incoming
sudo ufw allow 22

Another common scenario is attacking an SSH server using brute force to guess the password. A brute force attack forces the would-be intruder to launch many connection attempts on a more-or-less continuous basis until the password is discovered. You can use UFW’s rate limiting feature to slow down the connection attempts and thus significantly reduce the effectiveness of a brute-force attack. The following command:

sudo ufw limit ssh

blocks an address that attempts six or more connections in 30 seconds.
Another common attack is the Distributed Denial of Service (DDoS) attack. Although UFW alone cannot fully prevent DDoS, it can help mitigate smaller-scale attacks by limiting connection rates.

Examples
UFW can limit access to a service to specific IP addresses or subnets, reducing the risk of unauthorized access. For example, the following



command allows only a specific IP to access a database server:

sudo ufw allow from 192.168.1.100 to any port 3306

You can block a specific, threatening IP address directly with:

sudo ufw deny from 203.0.113.4

Or you can configure the firewall so that it allows encrypted HTTPS traffic to the web server but does not allow unencrypted HTTP traffic using:

sudo ufw allow proto tcp from any to any port 443
sudo ufw deny http

To deny any incoming traffic but allow outgoing traffic, you can use:

sudo ufw default deny incoming
sudo ufw default allow outgoing

To limit the number of connections to a service, use:

sudo ufw limit to any port 80

Advanced Configuration
Some more intricate UFW configurations involve tailoring firewall rules to suit specific network requirements and security policies. In cases where you need to forward traffic from one port to another, you need to combine UFW with iptables, as it doesn’t natively support port forwarding. Here’s an example of forwarding traffic from port 80 to 8080:

sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
sudo ufw reload

UFW allows setting rules specific for network interfaces, which is particularly useful in multi-interface environments. For instance, to allow HTTP traffic on eth0, you need to use:

sudo ufw allow in on eth0 to any port 80

To enhance data exfiltration prevention, you can block outgoing traffic to certain IP addresses or ranges. For example:

sudo ufw deny out to 203.0.113.0/24

For more on how to get the most from your UFW configuration, see the box entitled “UFW Best Practices.”

UFW Best Practices
• Update and test firewall rules: Network environments are dynamic, and firewall rules should be reviewed and updated regularly to ensure they remain effective and relevant.
• Document firewall changes: Maintaining a clear record of changes and the reasoning behind them is crucial for future troubleshooting and audits.
• Use profiles for known applications: UFW comes with several pre-configured profiles for common applications that you can use as a starting point for custom rule creation.
• Test configurations in a safe environment: Before deploying new rules to a production environment, test them in a controlled setting to avoid unintended network disruptions.
• Audit and review UFW logs: Audits help identify patterns of attempted breaches and can inform adjustments to the firewall configuration.
• Update firewall rules: Check UFW rules on a regular basis to ensure they are still relevant and effective.
• Automate checks: Wherever possible, automate the process of checking for updates to UFW and the underlying operating system. Tools like cron are useful for scheduling regular updates and checks.
• Test firewall rules after an update: Test to ensure the rules you just implemented are working as expected. The test can consist of controlled attempts to breach the firewall, mimicking potential attack vectors.
• Backup and recovery: Back up UFW configuration files in case of a system failure or corruption.
• Stay informed: Be aware of the latest security vulnerabilities and updates. Subscribe to Linux and security forums, newsletters, and bulletins to keep up-to-date.
• Intrusion detection system (IDS): Consider integrating UFW with an IDS like Snort for enhanced monitoring. This combination can provide a more comprehensive view of network security and potential threats.



LINUX VOICE UFW FIREWALL

Logging For larger environments, integrating UFW logs


Effective UFW monitoring and maintenance require with a centralized log management solution like
a combination of technical strategies and best prac- ELK Stack or Splunk is beneficial, allowing for
tices. Regular log analysis, rule updates, system au- better visualization, monitoring, and alerting on
dits, and proactive measures form the backbone of potential security incidents.
a secure and reliable firewall management strategy. Fail2Ban is a log-parsing application that
Effective firewall management is not only about monitors system logs for symptoms of an auto-
setting up rules but also about monitoring and mated attack on your network services.
maintaining the rules to ensure optimal performance and security. For IT professionals, this means establishing a system that not only detects but also reacts to potential threats in real time.

Enable UFW logging with:

sudo ufw logging on

UFW logs are typically stored in /var/log/ufw.log. For more detailed logging, use the alternative command:

sudo ufw logging high

You can configure UFW to log traffic that matches specific rules. To enable logging for a specific rule:

sudo ufw limit ssh comment 'log SSH attempts'

Regularly check UFW logs to monitor for unusual activities such as repeated login attempts or unauthorized access attempts. You can use tools such as grep and awk, or a log management system, to parse and analyze logs.

To prevent logs from consuming too much disk space, set up log rotation using the logrotate utility [3], which helps in managing logfiles, allowing them to be automatically compressed, archived, and removed. Create a log rotation configuration for UFW logs as follows:

/var/log/ufw.log {
    weekly
    rotate 4
    compress
    missingok
    notifempty
}

Whereas UFW limits the rate of connections, Fail2Ban can dynamically alter firewall rules to block IP addresses engaging in suspicious activities. See the Fail2Ban GitHub page for information on how to configure Fail2Ban to work with UFW [4].

Conclusion

UFW's simplicity, combined with its powerful capabilities, provides a reliable and efficient way to secure a Linux system. The ability to configure, monitor, and maintain a firewall effectively is fundamental to ensuring the security and integrity of your network.

Info

[1] Uncomplicated Firewall: https://launchpad.net/ufw
[2] iptables: https://en.wikipedia.org/wiki/Iptables
[3] logrotate: https://github.com/logrotate/logrotate
[4] Fail2Ban: https://github.com/fail2ban/fail2ban

The Author

Marcin Gastol is a Senior DevOps Engineer and Microsoft Certified Trainer with extensive experience in Azure technologies. He hosts a blog on IT topics at https://marcingastol.com/ and is a frequent speaker at tech conferences.
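The article leaves the grep/awk step of checking UFW logs to the reader. As an added example (my own code, not from the article or the UFW project), the POSIX shell script below does that step for the "repeated attempts" case: it counts [UFW BLOCK] entries per source address for one destination port and lists the sources that cross a threshold. The log lines are constructed samples in the shape the kernel writes to /var/log/ufw.log (documentation-range addresses), and the two function names are my own.

```shell
#!/bin/sh
# Added example (not from the article): summarize [UFW BLOCK] entries per
# source address so that repeated attempts against one port stand out.
# Function names are my own; the log lines below are constructed samples.

SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT

# Constructed lines in the format produced by "ufw logging on".
# 203.0.113.5 is blocked on port 22 three times, 198.51.100.7 once; one
# packet to port 80 and one [UFW ALLOW] entry must not count toward port 22.
cat > "$SAMPLE_LOG" <<'EOF'
Apr  1 10:15:01 host kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Apr  1 10:15:03 host kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=2 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Apr  1 10:15:04 host kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=3 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Apr  1 10:15:06 host kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=4 DF PROTO=TCP SPT=40003 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Apr  1 10:15:07 host kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=5 DF PROTO=TCP SPT=40004 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Apr  1 10:15:09 host kernel: [UFW ALLOW] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.44 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6 DF PROTO=TCP SPT=60000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
EOF

# ufw_blocks_by_source LOGFILE PORT
# Prints "count source" for every source whose packets to PORT were blocked,
# most frequent first. Fields are matched by KEY=VALUE rather than by
# position, so lines with extra or missing fields still parse correctly.
ufw_blocks_by_source() {
    awk -v port="$2" '
        /\[UFW BLOCK\]/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && dpt == port) count[src]++
        }
        END { for (s in count) printf "%d %s\n", count[s], s }
    ' "$1" | sort -rn
}

# ufw_repeat_offenders LOGFILE PORT THRESHOLD
# Prints only the sources blocked at least THRESHOLD times on PORT: the
# repeated-attempt pattern worth a closer look or a Fail2Ban jail.
ufw_repeat_offenders() {
    ufw_blocks_by_source "$1" "$2" | awk -v t="$3" '$1 >= t { print $2 }'
}

# Stand-alone run: summary for SSH on the sample log, then the offenders.
ufw_blocks_by_source "$SAMPLE_LOG" 22
echo "--- sources with 3 or more blocked SSH attempts:"
ufw_repeat_offenders "$SAMPLE_LOG" 22 3
```

Point the functions at /var/log/ufw.log instead of the sample file to run them on a real system; with ufw logging high the file also carries [UFW ALLOW] and [UFW AUDIT] lines, which the /\[UFW BLOCK\]/ match deliberately skips.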


80 APRIL 2024 ISSUE 281 LINUX-MAGAZINE.COM


LSD AND EZA LINUX VOICE

Modern alternatives for ls

Improving the View

LSDeluxe and eza are modern implementations of the ancient Unix ls command in the Rust programming language. BY FERDINAND THOMMES

Some people who rely on the command line may not be aware that some of the commands they type were introduced 40, 50, or even 60 years ago. They often date back to Unix or the early days of GNU. Of course, modernized versions of many of these frequently used commands from the Unix era are now available.

Early versions of the Unix ls command from the coreutils package have existed since the early 1960s. Later on, ls was revised by Richard Stallman and added to the GNU tools. The abbreviation ls stands for "list", because the command lists files and directories on the terminal. Along with cd, ls is definitely one of the most frequently used commands under Linux.

Alternatives

Previous Linux Magazine articles have looked at some of the ls alternatives listed on GitHub, such as broot or ripgrep [1]. Many of these alternatives are implementations in modern programming languages. Besides offering improved speed and extended information, they occasionally come with new parameters and are almost always visually enhanced.

The importance of ls is underlined by the fact that there are two modern alternatives, exa/eza [2] and LSDeluxe (lsd) [3]. Both are available in the repositories of most distributions.

While the recently discontinued exa and its fork eza are both currently available on many distributions, exa is likely to disappear soon. On Debian, any previously installed exa packages are removed when you install eza. That's why we are only looking at eza in this article.

To put readers' minds at ease, LSDeluxe has nothing to do with drugs, despite the package name being lsd; the "ls" comes from the ls command, of course. Version 1.0.0 of LSDeluxe was recently released, but most distributions still come with older versions. GitHub offers packages and archives of the latest version for Windows, macOS, and various Linux architectures [4]. In the case of eza, too, the distributions do not always have the latest 0.16.1 version in place. Generic archives for Linux and Windows are available on GitHub, but no binary packages [5]. The installation instructions [6] explain how to install the current release.

Icons Included

Of the two, lsd also displays icons, so you need a patched font set for lsd. This makes setup more complicated than with eza. You can find out how to integrate a font from Nerd Fonts [7] on your system in the "Deploying a Nerd Font" box.

We decided to use the patched Hack font for displaying icons because the unpatched version is already used on the terminals of numerous distributions. If you are using Alpine Linux or Arch Linux or one of its derivatives, you will find the Nerd Fonts in the archives (Figure 1).

After installing lsd, you may have to select the new font in the profile of the terminal emulator you use. To display the font in the list, as a Plasma user you need to restart the console and check the Display all fonts box in the profile at the bottom. Gnome displays the font directly.

Figure 1: To see the Hack Nerd Font, you need to check Display all fonts when selecting the font for the console on the Plasma desktop.


Deploying a Nerd Font

Download the desired font from the Nerd Font website [8]. Unpack the zip archive and copy the directory created to /usr/share/fonts/ or /usr/local/share/fonts/, depending on your distribution. Then make sure that the fonts have the file permissions -rw-r--r--. Now update the font cache by typing

sudo fc-cache -fv

Use fc-list | grep Hack or the name of the selected font to check whether your font is available on the system. When done, the echo $'\uf115' command should return a folder icon.

Comparison

I compared the output of the ls, eza, and lsd commands, with the options -lah in each case, in a directory with different file types created for the test. The options output a list of all files and directories in a long format including permissions, the owner, human-readable size information, and the last change date (Figure 2).

As you can see, the differences between ls and eza are not particularly big at first glance, while lsd stands more obviously apart. Generally, eza improves the output with better default settings. It uses colors to differentiate between file types and metadata and supports symlinks, extended attributes, and Git.

Figure 2: The comparison of ls, eza, and lsd with the -lah option shows how the candidates line up if you keep the default configuration. In lsd's case, the h option can be left out; the program always gives you human-readable output for the file sizes.

In addition, eza features a tree view (Figure 3), the depth of which can be defined via levels. This makes sense starting at --level=2, which takes you one level down into folders, while --level=3 delves one level deeper and is equivalent to the output of the ls -R command, but superior in terms of display quality. You can configure eza's color highlighting in the same way as in ls. This puts symlinks and Git on the plus side for eza.

Figure 3: In addition to the conventional display, both alternatives offer a tree view with different depth levels.

With regard to the options that you call up with --help, ls is clearly in front. While eza covers the options to a great extent, lsd tends just to focus on the most important options. Just decide for yourself what you really need. The reduced options of the two alternatives are likely to be completely sufficient for the majority of users.

While lsd is strongly inspired by the Color LS [9] project, it is written in Rust instead of Ruby, which gives lsd a speed advantage. Compared to ls and eza, it gives the output more colors and impresses with more appealing visualization and a better overview. The -h (human-readable) parameter, which I used in the comparison, is not necessary in lsd's case because it is set automatically; lsd always gives you easily readable output for the file size.

The output for lsd --help lists the available options. In contrast to the tree view in eza, you can call this up in lsd by typing lsd --tree --depth 2 (Figure 4). Sorting by various criteria is supported. The --gitsort option provides a better overview in Git directories (Figure 5).

Colors Galore

The colors that lsd uses by default can be customized [10]. The tool is controlled by a configuration file in YAML format, which you will want to store in ~/.config/lsd/config.yaml. An example is documented on the project's GitHub page [11] (Figure 6).


Figure 4: In lsd's case, you can specify the display depth in the tree view using the --depth option. The visualization is similar to eza's, but a little more colorful.

If you like the look of eza or lsd and would like to use one of these alternatives instead of ls in the future, it makes sense to create an alias for your choice of tool. This means you can continue to use the ls command, although lsd or eza does the work in the background. I added the following line of code to my ~/.bashrc shell configuration file for lsd:

alias ls='lsd -lA --group-directories-first'

Instead of the usual a, A hides the directory display for . and .., while group-directories-first displays directories at the top, followed by files. Simply enter your preferred options. Some distributions already come with aliases for ls in the .bashrc; you will need to comment these out by prepending a #. If you want to use the alias globally, add it to the /etc/bash.bashrc file. If you use Zsh or any other shell, make sure you add the alias to the configuration file.
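An unconditional alias has a failure mode the article does not mention: copy the same .bashrc to a machine without lsd and every ls call fails with "command not found". As an added example (my own code, not from the article or the lsd project), the POSIX shell snippet below only aliases ls when the chosen replacement is on the PATH and falls back to the stock ls otherwise, and it removes any alias the distribution already ships instead of requiring you to comment it out. The function name ls_alias_target is my own; the flags are the ones the article uses.

```shell
#!/bin/sh
# Added example (not from the article): guard the ls alias so that a
# machine without lsd keeps the stock ls. ls_alias_target is my own name.

# ls_alias_target TOOL
# Prints the command the ls alias should expand to: TOOL with the article's
# flags when TOOL is installed, plain "ls" when it is not.
ls_alias_target() {
    tool="${1:-lsd}"
    if command -v "$tool" >/dev/null 2>&1; then
        # -l long listing, -A hide . and .., directories listed before files
        printf '%s -lA --group-directories-first\n' "$tool"
    else
        printf 'ls\n'
    fi
}

# Lines for ~/.bashrc (or /etc/bash.bashrc for all users): drop the
# distribution's own ls alias, if any, then set ours from the function.
unalias ls 2>/dev/null || true
alias ls="$(ls_alias_target lsd)"
```

Place these lines after the distribution's own alias definitions in the file, so that the unalias removes them; to try eza instead, pass eza as the argument, since it accepts the same three options.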

Conclusions

If ls does not offer you a good enough overview, there are two alternatives: eza and lsd. In my opinion, eza does not offer enough to warrant changing from ls. That's why lsd gets the nod in this comparison. You can customize icon themes and colors and create your own configuration.

The additional step of installing the Hack Nerd Font is worth the trouble because the icons offer an improved overview and are not just a visual gimmick. Ultimately, lsd saves you time, because you can more easily see the content you are looking for in the output.

Figure 5: With lsd, you can sort the output for directories with a Git connection using the gitsort option. In this case, you can see that the release-kde-plasma6 item has not yet been synchronized with Git.

Figure 6: The lsd GitHub project page provides a table showing how the standard colors in the output are defined.

Info

[1] ls alternatives: https://github.com/ibraheemdev/modern-unix
[2] eza: https://eza.rocks/
[3] LSDeluxe: https://github.com/lsd-rs/lsd
[4] lsd download: https://github.com/lsd-rs/lsd/releases/tag/v1.0.0
[5] eza download: https://github.com/eza-community/eza/releases/tag/v0.16.1
[6] Installing eza: https://github.com/eza-community/eza/blob/main/INSTALL.md
[7] Nerd Fonts: https://www.nerdfonts.com/
[8] Nerd Fonts download: https://www.nerdfonts.com/font-downloads
[9] Color LS: https://github.com/athityakumar/colorls
[10] Colors: https://github.com/lsd-rs/lsd/tree/v1.0.0#colors
[11] Config file: https://github.com/lsd-rs/lsd/tree/v1.0.0#config-file-content

The Author

Ferdinand Thommes lives and works as a Linux developer, freelance writer, and tour guide in Berlin.


LINUX VOICE FOSSPICKS

FOSSPicks

Sparkling gems and new releases from the world of Free and Open Source Software

Returning to London from Vancouver this month, Graham was incredibly lucky to have his flight enveloped by the northern lights, cascading down over the entire plane for at least 60 minutes. BY GRAHAM MORRISON

Lighting IDE

Q Light Controller Plus 5.0.0

A decade or two ago, if your software needs were slightly non-mainstream and unusual, you'd likely spend a small fortune on a proprietary solution. This solution would lock you into its ecosystem and refuse to let you leave, and you'd probably still be using it today if open source hadn't saved the day. While open source applications are famous for competing with industry-dominating applications like Adobe Photoshop, they're equally brilliant at helping people with more esoteric needs. If a developer has a passion for origami, for example, they're more inclined to release their software as open source for other enthusiasts rather than capitalize on it to make money. We saw this with the modular automation environment Chataigne and see it again here with Q Light Controller Plus (QLC+).

QLC+ is an application developed to control lights and lighting setups. Its intended targets are the lights used (e.g., for a stage performance). QLC+ can control the lighting and any motion functionality your lights have, like sequenced moving. The established DMX protocol is used to control these elements, and a single DMX channel controls each parameter. DMX is embedded in costly lighting controllers, but with an inexpensive USB DMX interface (about $15) connected to your computer, QLC+ performs the same job.

When you first launch QLC+, you'll need to configure which DMX interfaces you're using and then add your lights to a lighting "universe" (lights working together for a specific purpose). Later you can create macro controls for the lights within a specific universe, or create multiple universes for extra control. The lights are attached to fixtures such as horizontal poles, and configuring these from a Fixture Creator is the next step so that QLC+ has knowledge of the physical layout. QLC+ has a database of 1,000 fixtures and their configurations, and you'll need to select which you're using and assign each capability to a range of addresses for each channel they need on your interface. A simple slider view can now be used to test your equipment, turning your screen into a wide virtual mixer with faders to control your lights. Faders are mapped to the channels and can typically change the RGB values of a light and the brightness. If your lights have motion (e.g., the ability to rotate), these values can be tested and changed.

Next you create one or more scenes: Each scene is a snapshot of a light configuration, like when all lights have strobe enabled. Scenes are used by "chases" that effectively sequence scenes, adding delays and fade values. QLC+ includes functions to map the speed to the musical beat, for instance, and it's easy to create patterns for your shows. QLC+ even includes an "RGB matrix" to illustrate what your lights are doing within the application itself, which is brilliant if the lights are behind you. Lastly, you switch to the Virtual Console view to create a virtual lighting console. This is a UI designer with a palette of buttons, sliders, and jog wheels that can be placed anywhere and assigned control of the devices, scenes, and chases in your library. These can be grouped together into windows and separately scaled, moved, and colored to give you complete control over your lights and scenes during a performance. Even more impressive, your final controller layout can be accessed via a web interface to use a tablet or smartphone to control the lighting system remotely. It's almost enough to become a lighting nerd!

1. Fitting database: QLC+ includes a huge database of lights and their capabilities, and the rigs used to mount them. 2. Fixtures: Each light setup is called a Fixture, and you configure these first. 3. DMX: Using the DMX protocol, QLC+ can control the light and movement effects supported by your hardware. 4. Virtual controls: Design your own GUI to control your lights. 5. Show manager: Keep your configurations separate for each performance. 6. Effects: Create your own color and movement sequences. 7. Color and gradient tools: There are tools to help you create the best sequences and performance effects.

Project Website
https://www.qlcplus.org


ASCII art editor

Durdraw

One of the reasons home computers in the 1980s were initially so successful was because they often shipped with a demo cassette of programs for new computer users to try. These programs would often include classic games such as chess, keyboard training, and then some graphical wizardry. This wizardry would nearly always be ASCII art, or even a simple drawing tool. The Commodore 64 included a cassette, while the Commodore Amiga took this to the extreme, bundling many of its early models with the marvelous Deluxe Paint. Microsoft similarly bundled its famously long-lived Paint graphics editor, and it all helped imbue computers with a sense of fun and creativity. Durdraw does this for the modern era by being an immensely fun and surprisingly powerful text-based drawing tool that could almost run on a Commodore 64.

Durdraw is a command-line ASCII art editor that behaves a lot like those early drawing programs, with either 16 or 256 colors and optional Unicode and ANSI characters. The canvas size will adapt to the size of your terminal, and you draw on the canvas by moving the cursor around and pressing keys, just as you might with any ordinary text editor. Function keys can be used to add special characters, and the majority of the drawing functionality is accessed after pressing Esc. You can then enter on-screen menus or type a command directly. Esc+C will open the color palette, for example, while other commands will remove or add columns and lines, select colors, and copy or paste sections. There's an entire category of commands for animation, too, letting you create and remove frames, duplicate and paste existing artwork, and set up delays and playback speed. All of this is stored within a JSON-formatted animation file, with options to render animations and artwork within PNG and GIF files when a couple of additional dependencies are installed. It's perfect if you're trying to help someone get used to the command line or show that it's not all scary.

Alongside drawing, Durdraw can convert images saved using code page 437 character encoding, popular with old-school ANSI artists.

Project Website
https://github.com/cmang/durdraw

Ebook reader

Librum

Considering the inconvenience of reading long-form text from a computer, and how web browsers have become our default reading platform, it's surprising just how many ebook-specific readers there are for Linux. There's Calibre, of course, which is more of a conversion tool and library manager than a simple reader, and there's also the more simplistic FBReader, Okular, Foliate, and Arianna, all of which we've looked at in the past. They differentiate themselves in their design language, or the quality of their text rendering, and how many different text-based files they can read. Librum is another beautiful reader we can add to the list, and its differentiator may even be contentious: It defaults to hosting your reading library online.

The application itself is Qt-based, like Arianna, and is also just as minimalist in its design as Arianna, especially in reading mode. There are light and dark themes, inverted text, vertical and horizontal layouts, and single- and double-page rendering. Font rendering is configurable but looks fantastic without any tweaking, and you can quickly access your book library via a cover image view. The book hosting defaults to the project's own server and does require an account, but the code is open source. There isn't currently an easy option to host your own server, but it is possible and the project intends to make the process easier. This server integration does mean library access is seamless, regardless of where you're located, and the library will sync across however many clients you need to use. There's even an integrated bookstore with more than 70,000 books. This is something Calibre's basic web-based library hosting can't do, but neither will it track your library statistics. The difference here is convenience. If any financial cut from book sales helps the team continue to develop such a high quality open source client, it's perhaps not a bad strategy.

Librum supports EPUB, PDF, CBZ comic books, plain-text files, and many image formats.

Project Website
https://librumreader.com


Flash player

Ruffle

Back in the late 1990s when the World Wide Web was young and the Internet was full of hope and optimism, there was no way to make your websites immediately interactive or responsive beyond what you could code with JavaScript. This precluded web pages dynamically responding to user input, for instance, or adding input prompts and calculations to animations and videos, or even web pages being turned into games. Adobe Flash and both of its precursors, Macromedia Flash and FutureWave FutureSplash, solved these problems with a user-installed browser plugin that could play Flash files created with software such as Macromedia's Director. Through vector animation and its own ActionScript programming language, complex and fully interactive projects could be developed and embedded within web pages and as full-screen games and applications. Flash was soon used by seemingly everyone, from infographics at the BBC to educational games for children. However, with very limited early Linux support, and proprietary back ends, compilers, and formats, it soon became the bane of every online Linux user.

Flash remained dominant for years and became an essential component of the web. When its functionality was eventually replaced by HTML5, much of that old content was simply retired and archived, leaving an important era of content inaccessible even to Linux users. Ruffle elegantly solves both of these problems, even on Linux! Just like the original, Ruffle can be either installed as a browser extension or as a desktop application, and it will run the vast majority of Flash files you may find. The project is already very mature, and recent development work has brought its ActionScript and API compatibility up to 75-percent and 68-percent complete respectively. It also supports the seven most commonly used of Flash's 10 filter effects. Most impressively, the team has just been able to implement socket support, which means Flash titles can talk to each other, allowing even for multiplayer support. It's a brilliant project and essential if you have anything in Flash you care about.

Whatever you may have thought of Flash at the time, the Ruffle project is doing important work by making sure you can still access its content.

Project Website
https://ruffle.rs

Database editor

termdbms

For those of us who only dabble in databases when we need to, they can be deeply intimidating. It's not that we're scared by their SQL interfaces, particularly, or their configuration; usually it's because with database operations the stakes are always high. When you don't spend every day typing queries into the same database, it becomes very easy to make a catastrophic mistake with a single character typo or a misunderstood target. The solution is of course to get better at it, but this isn't always possible when you're running a few databases for home automation and database management is just one of many tasks you do that aren't your day job. In those instances, some kind of graphical interface can help. They're often designed to funnel you through a specific set of best-practice steps, complete with auto-completion and validity checking. But most importantly, you shouldn't need to remember the syntax of specific commands and worry about typos. The graphical interface should be doing this in the background for you.

For an entire generation of early sys admins, and MythTV users, this is what made phpMyAdmin so popular. phpMyAdmin helped you visualize MySQL tables and query results within a GUI that gave you feedback and checked your input. Termdbms does the same thing from the command line without PHP, for the modern era. It's a simple text GUI to your SQLite- and CSV-formatted databases (MySQL support is planned), and it's perfect for those many local servers you may be running in a home automation system. Without knowing anything about SQLite, you can navigate through the tables with any number of rows or columns, perform searches, and update any of the data within the database with undo and redo support in SQLite. Everything is interactive, which means as you navigate or search the user interface updates immediately to show the current state of your search. There are Vim-like controls for editing, and even support for themes, and it's brilliant.

Access SQLite- and CSV-formatted databases from the command line, and even convert your data between them.

Project Website
https://github.com/mathaou/termdbms


Terminal forum access

Neon Modem Overdrive

Many of us who used dial-up modems to access bulletin board systems (BBSs) back in the 1980s and early 1990s were more than happy to move on to the Internet, with its new protocols, news clients, and then the web browser. This brave new world didn't require ad-hoc connections and costly phone calls, and of course, it's become the dominant technology of our age. But that doesn't mean that everything was bad about that time. The localized BBS experience in particular can't be easily recreated on the Internet, and neither can their singular, distraction-free provision of news, conversation, and federated messaging. This experience is something that the wonderfully named Neon Modem Overdrive tries to recreate for the modern age, from the comfort of your terminal on the modern Internet.

Neon Modem Overdrive is a BBS-style command-line client that renders the stories and comments from several modern and federated Internet services in your terminal. These sites currently include Discourse, the open source forum server; Lemmy, the federated social network; Lobste.rs, the federated Hacker News equivalent; and Hacker News. Which server you wish to connect to is selected as a command-line option. The top stories or posts for your selected server are listed just like messages on an old-school BBS. Select a post to read its contents. There are keyboard shortcuts for jumping to any comments, and other shortcuts for switching between systems and individual forums, as well as posting your own replies. That's really all there is to it: A limited text-based portal to some of the best sources of information and conversation on the Internet. Despite being heavily drenched in nostalgia, it's a brilliant way to access these sites, and by being terminal-based, it keeps you from the temptation of clicking links or diving too far down any rabbit holes.

Access modern online news sites and discussion forums like it's 1988 from the comfort of your command line.

Project Website
https://github.com/mrusme/neonmodem

Shell history database

Atuin

One of the first things most people discover and subsequently depend upon in the command line is pressing cursor up to get to the previous commands. This is a huge help when you're learning because it means you don't have to type the same commands out again if you make a mistake. But it's also massively convenient when you can't remember the exact command you need, or if you need to change only a single parameter in a previous command, or you want to see the exact command sequence you used to achieve a specific complex output. All of this is possible with cursor up, and you soon learn about cursor down and even Ctrl+R for searching your previous commands. This is thanks to the terminal saving your command history into a file and providing commands for accessing it. But there's also room for improvement, and it's some of these potential improvements that a project we previously looked at, McFly, and this particular pick, Atuin, attempt to provide.

The big difference between how your Bash, ZSH, and Fish shells save their history and how Atuin works is that Atuin saves your history to an SQLite database, rather than a flat text file. This brings all kinds of advantages and is much more practical if you want to keep your history around for more than a session or two. Atuin replaces your terminal's Ctrl+R and cursor-up functionality with its own search box where you now type a search query. Matching commands from your history are shown and can be selected. The history includes when the command was last run and how long it took to execute. Most impressively, you can choose to host your history online with end-to-end encryption and the project's own servers. This does require an account, and giving up a little trust, but self-hosting the server component is also possible. You can then sync your command history across multiple devices, which is perhaps the biggest improvement to history in decades, and the best reason for using Atuin.

Atuin stores your terminal history on a server so you can access your previous commands from any device.

Project Website
https://atuin.sh


MIDI sequencer and looper

Seq66

While pop music production has always revolved around loops, and music software in particular has always put loops at the centre of their recording capabilities, it's only in the past decade that looping became a popular form of improvisational composition. Many types of musicians now create music by recording short phrases live, looping that phrase with the hit of a button or the tap of a foot pedal, and adding to this loop with additional loops which are then muted and unmuted as the composition progresses. The software and hardware solutions built to do this have become known as "loopers," and there's a huge variety to choose from, from specifically built guitar pedals and self-contained boxes, to plugins and clip launchers in applications such as Ardour. But there are very few that target MIDI alone, and that is exactly what Seq66 does.

Unlike what might be called a traditional MIDI sequencer based more on the old tape machine paradigm, Seq66 has been built entirely around the concepts of loops. You can see this immediately when you first launch its Qt-based UI. The main window consists of a small 8x4 grid of 32 squares. Each square can potentially hold its own MIDI clip, sequence, or loop, and they can all be played independently by clicking on them during playback. To start, you need to get some MIDI data into those squares, and there are three ways to do this. The first is to import MIDI data from a file from the File menu. Each MIDI channel in the file will go to a different square. The second is to record input directly into a square. This requires a MIDI source, such as an external keyboard or virtual keyboard, and you need to first create and Record enable the sequence from the right-click menu on the square. This will create a default-sized empty sequence that will loop automatically, adding any data as it's received. The final MIDI creation method is the editor, which can be opened for any square and used to either add notes and MIDI data, or to tweak preexisting data. It uses the familiar matrix grid for notes with controller data beneath them, and you can drag and drop notes and tweak parameters with your cursor directly. There are uncommon options for restricting notes to specific scales or chords, and there's an "LFO" that can automatically change a control value according to a repeating waveform, with individual controls over the speed and depth.

While the focus is on live performance and improvisation, there are several tabs in the main window that are used to help turn loops into a complete track. The most important of these is the song editor which lets you sequence the contents of each loop into a song. It's quick and easy to use and is a lot more intuitive than equivalent functions on fully fledged digital audio workstations. You can even use the song editor to transpose loops without affecting the source loops, which is perfect for sections of a tune where you want to add a key change. The entire project can then be saved as a session, and even sequenced with other sessions as part of a playlist that you might use for a performance. It's a different approach and a great choice for any budding MIDI musicians.

If you want to run Seq66 on a small screen, it requires only 450x340 pixels – ideal for a portable Raspberry Pi setup.

Seq66 includes MIDI control, playlists, song sequencing, and editing and compression.

Project Website
https://github.com/ahlstromcj/seq66


FOSSPICKS LINUX VOICE

OG 3D RPG

Daggerfall Unity

We've looked at open source recreations of two other titles in Bethesda's Elder Scrolls epic RPG series, with remakes of both Morrowind and Oblivion clients. But their predecessor, Daggerfall, is perhaps the most enigmatic. It was originally released in 1996 at a time when first-person games were only just getting a foothold in the PC gaming world. The game was remarkable for two things. Its graphics were amazing for the time, despite being pixellated and low texture by today's standards, and the game's scale foreshadowed Bethesda's ambitions for open world design. It was possible to travel to two completely different regions in Daggerfall, and there were thousands of procedurally generated towns, villages, and dungeons. All of this has been captured in a new open source recreation of the original Daggerfall engine called Daggerfall Unity, to reflect its being built with the Unity gaming middleware.

Daggerfall graphics have a unique charm that would be lost if textures and models were replaced, and Daggerfall Unity goes to great lengths to retain this charm while also upgrading the visual quality. The modern lighting engine and high-resolution video modes make a big difference, and there's a larger draw distance without any of the dynamic scenery loading of the original. It's also very smooth, and the team behind this project has apparently fixed hundreds of bugs that were in the original. Bringing the game even closer to the modern era is mod support. One of the most substantial mods available is called DREAM, which upgrades many of the game's assets, including sound, music, video, and the textures. But there's also a "quest pack" that adds 195 new and original guild-based challenges to the game. If you've not played this since the '90s, or never played the game at all, all of these additions plus the new engine make it a great choice if you're looking for some nostalgic distractions while we wait for Elder Scrolls 6.

You will need the original Daggerfall assets to play Daggerfall Unity, but these have been legally available for free for some time.

Project Website
https://github.com/Interkarma/daggerfall-unity

Command-line chess

chess-tui

Even the earliest home computers could play chess. It was one of those games you bought because you knew it could never be completed, or become redundant, and would instead teach or improve your own chess abilities for as long as the data cassette worked. Even in the age of AI, computer chess is as popular as ever, and thousands of people play chess online or on their phones every day. But what about from the command line? What about when you want to hide a chess game behind an SSH session, or some important-looking coding work? Chess-tui has you covered, and it also helps that chess-tui looks a lot like those early home computer chess programs. But there's currently one important caveat, and that is that the game doesn't yet include a chess engine to play against. This means you will either need to play against yourself, or share your terminal with a friend to play against. This isn't ideal, but it does make a great social aspect to the game if you share a game over SSH with a trusted friend or family member, or even someone sitting alongside you.

The developer is working on chess-engine integration and the ability to play against a bot, as well as Universal Chess Interface support which will enable chess-tui to communicate with various local and online chess engines. The fundamentals of the game are already implemented, however, and include the essential rules for stalemate, piece moving, and move repetition, alongside piece promotion, which is everything you need to complete a game. The ASCII graphics include valid move previews and coverage and include a list of the moves you make on the right side of the board. It's also tiny and very fast and can be installed almost anywhere, either through building with cargo or within its own Docker image for that online-hosted game. It may still be at an early stage of development, but the aesthetics of chess on the command line fit perfectly with the game itself, hopefully helping the game go from strength to strength.

Play chess with a friend from the comfort of your own command line with the wonderfully austere chess-tui.

Project Website
https://github.com/thomas-mauran/chess-tui



LINUX VOICE ARTISAN KEYCAPS

Handcrafted artisan keycaps

Sculpted Keys

Artisan keycaps elevate the mechanical to the magnificent. BY BRANDEN ZAVALETA

The keyboard has a long history. Though the first typewriter was made in 1867, the concept dates back to a 1714 patent for a "Machine For Transcribing Letters." And it was more than 100 years after the first typewriter that the modern keyboard appeared, 1986's IBM Model M. A mere 21 years after the Model M, the mechanical keyboard community took flight with the birth of the geekhack forum. This was by all accounts the beginning of the keyboard renaissance that ushered in today's highly customized keyboards: those with patterned colors, hot swappable switches, and so many variations of the keyboard's classic click clack.

By 2009 keyboards had become more than a tool; for some, customizing them became a hobby. And within the beating hearts of this hobby's diehards, two art forms were born: case modding and the artisan keycap. (Based on the number of followers on their respective subreddits, artisan keycap fans are only a minute portion of the mechanical keyboard community as a whole. The mechanical keyboard subreddit has more than 1.2 million followers [1], while the keycap subreddit has over 33,000 [2].) Though remaking and replacing keyboard cases has died down from the height of its popularity due to the extreme availability of keyboards of any style imaginable, the number of keycap artisans has continued to grow.

What Is an Artisan Keycap?

An artisan keycap is an Esc key, a spacebar, a backspace, or any other keyboard key that has been designed and sculpted by hand. Most often these are cast in resin, but metalwork and whittled keycaps exist too.

A single artisan keycap can cost more than an entire standard keycap set, and that's just for the batch-made pieces. If you want to individually commission an artist or collective, you can expect to pay not just hundreds of dollars, but for the very best, you can expect to pay thousands of dollars for one or two nubs of plastic. So why do they cost so much? And why do people buy them?

Figure 1: A keycap design in progress. © Courtesy of Artkey Universe

Well, the first reason is that making them is incredibly labor intensive (Figure 1). It's highly specialized, delicate work that takes the steadiest of hands and the strength of will to fail and start again – and that's not to mention the hours of conceptualization, sketching, and prototyping. Put simply, while most people use their whole keyboard for their daily work, a keycap artisan works within the confines of a single keycap, and perfection is often measured by a hair's breadth.

But what makes the keycaps valuable isn't only the work hours involved, but the experience of their use, and sometimes not even that, because many collectors opt to keep their keycaps in displays rather than use them (Figure 2). For this, the artisans at Artkey Universe [4] offered this explanation: "The keyboard is nothing more than a piece of technology, but when you put an artisan keycap on it, it becomes something more soulful." These keycaps are more than toys or trinkets; they are miniature artworks to display proudly and to gaze at lovingly during your work day or your off-hours.

Figure 2: Dwarf Factory often pairs custom displays with their keycaps for those who find the keycap too precious to use. Above is the McWhale keycap in the Xpider display. © Courtesy Dwarf Factory

Keyboard fanatics use artisan keycaps to turn the sterile mechanics of the modern workspace into a personal pleasure. In fact, the first known artisan keycap was given away as a fun prize on the geekhack forum. A keeb (keyboard) lover named ClickClack [5] had a garbage bag filled with 6,968 keys, and whoever could guess that number won his prototype keycap, the red Clack Skull (Figure 3). And from that one event sprung an entire industry of keycap artisans. ClickClack himself started Clack Factory, and nail polish, airbrushed, and dipped keycaps also began to appear.

Figure 3: The Clack Factory Red Rum Skull keycap sells online for almost $200. © Courtesy EliteKeyboards

The Gamut of Keycap Types

Today, the artisan keycaps have made strides in multiple directions and have evolved into a highly varied medium, as varied as the art you'll see in any gallery (Figure 4). For example, the Artkey Universe team specializes in keycaps that have been externally shaped for a tactile sculpture, the so-called pure sculpted keycaps. These include soldiers with helmets jutting out or pigs with protruding noses. They have a physical effect on your typing.

Dwarf Factory [6], on the other hand, encases their sculpts in resin. These are the profiled keycaps, and you often wouldn't notice a physical difference by just running your finger along one. By crystallizing their sculpts in resin, the artisans enjoy greater freedom of shape and fragility – inside the resin fish swim, flowers grow, and birds fly.

Then there are the keycaps that throw caution to the wind. They care not for fragility or tactility. These are figure keycaps. They stand on their own as monuments and statement pieces for your keyboard. These range from Pokémon and animé characters to more conceptual works such as Keychron's UFO keycap, whose tractor beam glows with your keyboard's backlight (Figure 5).

Figure 4: The three types of keycaps – the profiled keycap, the pure sculpted keycap, and the figure keycap – are strikingly different. © Courtesy Dwarf Factory

Figure 5: The tractor beam of Keychron's UFO keycap glows on backlit keyboards [7]. © Courtesy Keychron

The Birth of a Keycap Artisan

How does one become a keycap artisan? Well, for the founders of Artkey Universe, one of the most prestigious and recognizable artisan collectives, it began as an after-work hobby between three high school friends. Together they sculpted and painted in a cramped studio and shared their work with the keycap community. The artisan keycap community may be only a fraction of the mechanical keyboard community in size, but it is still made up of thousands of enthusiasts. When the community brimmed with excitement for Artkey caps (Figure 6), these three hobbyists quickly became full-time artisans shipping out thousands of keycaps a year.

Figure 6: Artkey Universe's keycaps are as much a textural experience as a visual one. © Courtesy Artkey Universe

Artisan keycap designers generally begin as members of the community. If you look at keycap forums on Reddit or geekhack, you'll see many burgeoning artisans sculpting their first keycaps and buyers quickly popping up. The hobby seems to lend itself to aficionados, to obsessives. According to the Dwarf Factory team, a single keycap can inspire artistic creativity. And with consecutive pieces, the work can become more intricate and delicate.

The process begins with the concept stage, spitballing ideas and sketching plans. For the Artkey and Dwarf Factory teams, this is the most upbeat phase. The Dwarf Factory team gets ideas from anything from beloved films from childhood to everyday experiences like a hurried lunch. This variety of inspirations has led to a microcosmos of styles and interests within the artisan keycap community.

The Artisan's Process

Despite the artisan moniker, not all keycaps are handmade, and some are instead designed as 3D models, cast in molds, and then shipped out. But for the most prestigious, intricate works, the true artisan pieces, the process is as follows:

• The conceptual phase is where the brainstorming happens, as well as sketching and designing the keycaps. Designers fit the proportions and shape of the content to a keycap.
• The sculpting phase differs by artisan. Some will make 3D-computer models to be 3D printed in parts, while others will hand sculpt a prototype until it's acceptable (Figure 7) – which can take up to six months of trying and retrying [8]. Dwarf Factory says, "If you want to become a resin keycap maker … prepare yourself for the constant annoyance you'll encounter almost every day."

Once the prototype has set the mold, the hundreds of keycaps can be cast and painted by hand. During this process bubbles will form in the resin, dust may get trapped, and imperfections will give each keycap a touch of unique flair. "It's the true beauty of any proper handmade keycap," Dwarf Factory says. When the batch is complete, each keycap is carefully packaged and sent to travel the globe to find its new home.

Figure 7: Some keycaps are sculpted with clay and cast in resin, while others are painted by hand. © Courtesy Artkey Universe

Buying an Artisan Keycap

Though some keycap artisans sell out almost every batch, that doesn't mean that artisan keycaps are in enormous demand. Instead, keycaps are preordered or batch-bought. This practice will be familiar to buyers of the more obscure or luxury keyboards, but the idea is simply to lock in the sales before the lengthy creation process. So to snag an artisan keycap of your own, you'll have to follow your favorite artisan and wait around until a drop is announced or a preorder is available. Similarly, when an artisan works on commission, a minimum quantity purchase of your commissioned keycap is required. This may mean shelling out for a batch of three, five, or 10 keycaps just to guarantee your personal flair. Because of this, individuals tend to commission budding keycap designers, while companies commission the forerunners. For example, eSports teams are particularly fond of placing their sculpted logos on their Esc keys while their teams battle it out in the digital arena.

On top of that, keycap companies – in this case, Dwarf Factory – may license major brands such as Pokémon (Figure 8) or collaborate, as they did with Diablo IV, so there is clearly a growing interest in these pieces. It may only be a matter of time before you see sculpted keycaps in gashapon (vending machines that dispense capsule toys) and at the shopping center.

Figure 8: Artisan keycaps have also attracted the attention of major brands, leading to many charming collaborations such as this Pokémon set by Dwarf Factory. © Courtesy Dwarf Factory

Info

[1] r/MechanicalKeyboards subreddit: https://www.reddit.com/r/MechanicalKeyboards/
[2] r/keycaps subreddit: https://www.reddit.com/r/keycaps/
[3] "Hands-On" by Bruce Byfield, Linux Magazine, issue 155, October 2013, https://www.linux-magazine.com/Issues/2013/155/Handcrafted-Keyboards
[4] Artkey Universe: https://artkeyuniverse.com
[5] Artisan keycap history: https://artisancollector.com/artisan-keycap-history/
[6] Dwarf Factory: https://dwarf-factory.com
[7] Keychron: https://www.keychron.com/
[8] Artkey's prototyping process: https://www.gamepro.com.au/news/artisan-keycaps-artkey-universe-chat/

The Author

Branden Zavaleta is an Australian freelance journalist. His work focuses on the arts in all their forms and can be found in The AU Review, The Curb, GamePro, Far East Films, and more.



SERVICE
Back Issues

LINUX
NEWSSTAND
Order online:
https://bit.ly/Linux-Magazine-catalog

Linux Magazine is your guide to the world of Linux. Monthly issues are packed with advanced technical
articles and tutorials you won't find anywhere else. Explore our full catalog of back issues for specific
topics or to complete your collection.

#280/March 2024
Plasma 6
KDE’s classic Plasma desktop can be as simple as you need it to be or as complicated as you
want to make it. This month we explore the powerful Plasma 6 release that is making its way
to your Linux distribution.
On the DVD: Linux Mint 21.3 MATE and Zorin OS 17 Core

#279/February 2024
Intrusion Detection
You don’t need a fancy appliance to watch for intruders – just Suricata and a Raspberry Pi.
On the DVD: EndeavourOS Galileo 11 and Arch Linux 2023.12.01

#278/January 2024
Scientific Computing
A crypto mining rig is built for math. Can an old rig find a second life solving science problems?
That all depends on the problem. Also this month, we explore a few popular data analysis
techniques and stir up some analysis of our own with the R programming language.
On the DVD: Kubuntu 23.10 and Fedora 39

#277/December 2023
Low-Code Tools
Experienced programmers are hard to find. Wouldn’t it be nice if subject matter experts and
occasional coders could create their own applications? The low-code revolution is all about
lowering the bar for programming knowledge. This month we show you some tools that let
you assemble an application using easy graphical building blocks.
On the DVD: MX Linux MX-23_x64 and Kali Linux 2023.3

#276/November 2023
ChatGPT on Linux
Everybody’s talking about ChatGPT, and ChatGPT is talking about everything. Sure you can
access the glib and versatile AI chatbot from a web interface, but think of the possibilities if
you tune in from the Linux command line.
On the DVD: Rocky Linux 9.2 and Debian 12.1

#275/October 2023
Think like an Intruder
The worst case scenario is when the attackers know more than you do about your network. If you
want to stay safe, learn the ways of the enemy. This month we give you a glimpse into the mind of
the attacker, with a close look at privilege escalation, reverse shells, and other intrusion techniques.
On the DVD: AlmaLinux 8.2 and blendOS



SERVICE
Events

FEATURED EVENTS
Users, developers, and vendors meet at Linux events around the world.
We at Linux Magazine are proud to sponsor the Featured Events shown here.
For other events near you, check our extensive events calendar online at
https://www.linux-magazine.com/events.
If you know of another Linux event you would like us to add to our calendar,
please send a message with all the details to [email protected].

DrupalCon Portland 2024
Date: May 6-9, 2024
Location: Portland, Oregon
Website: https://events.drupal.org/portland2024

The biggest open-source event in North America, DrupalCon, is coming back to the Oregon Convention Center in Portland, Oregon. We can't wait to see you at this one-of-a-kind experience! Whether you're new to Drupal or a longtime member of the Drupal community, you'll find new insights and connections to advance your career and your business.

ISC 2024
Date: May 12-16, 2024
Location: Hamburg, Germany
Website: https://www.isc-hpc.com/

The ISC High Performance 2024 conference and exhibition is an annual global gathering for HPC technology providers and users. Join us for 5 days focusing on HPC, machine learning, data analytics, and quantum computing where more than 3,000 international attendees will exchange ideas and knowledge on Reinventing HPC.

PyCon US 2024
Date: May 15-23, 2024
Location: Pittsburgh, Pennsylvania
Website: https://us.pycon.org/2024/

Produced by the Python Software Foundation, the biggest Python conference in the world is coming to Pittsburgh in 2024 and online. The core of the conference, May 17-19, packs in three days worth of our community's best talks, amazing keynote speakers, and our famed lightning talks to close out each day.

Events
FOSSASIA April 8-10 Hanoi, Vietnam https://summit.fossasia.org/
Texas Linux Festival April 12-13 Austin, Texas https://2024.texaslinuxfest.org/
Embedded Open Source Summit April 16-18 Seattle, Washington https://events.linuxfoundation.org/
Open Source Summit North America April 16-18 Seattle, Washington https://events.linuxfoundation.org/
Open Source Camp on Kubernetes April 18 Nürnberg, Germany https://opensourcecamp.de/
Linux Security Summit North America April 18-19 Seattle, Washington https://events.linuxfoundation.org/
php[tek] 2024 April 23-25 Rosemont, Illinois https://tek.phparch.com/
DrupalCon Portland 2024 May 6-9 Portland, Oregon https://events.drupal.org/portland2024
ISC 2024 May 12-16 Hamburg, Germany https://www.isc-hpc.com/
DORS/CLUC May 15-19 Zagreb, Croatia https://www.dorscluc.org/
PyCon US 2024 May 15-23 Pittsburgh, Pennsylvania https://us.pycon.org/2024/
Icinga Summit 2024 June 5-6 Berlin, Germany https://icinga.com/summit/
CloudFest USA June 5-8 Austin, Texas https://www.cloudfest.com/usa/
stackconf June 18-19 Berlin, Germany https://stackconf.eu/
Open South Code June 21-22 Málaga, Spain https://www.opensouthcode.org/conferences/opensouthcode2024
useR! July 8-11 Salzburg, Austria and Virtual https://events.linuxfoundation.org/user/
GUADEC 2024 July 19-24 Denver, Colorado https://foundation.gnome.org/2023/12/20/guadec-2024-in-denver-colorado/

Images © Alex White, 123RF.com



SERVICE
Contact Info / Authors

Contact Info

Editor in Chief
Joe Casad, [email protected]
Copy Editors
Amy Pettle, Aubrey Vaughn
News Editors
Jack Wallen, Amber Ankerholz
Editor Emerita Nomadica
Rita L Sooby
Managing Editor
Lori White
Localization & Translation
Ian Travis
Layout
Dena Friesen, Lori White
Cover Design
Lori White
Cover Image
© lukjonis, 123RF.com
Advertising
Brian Osborn, [email protected]
phone +49 8093 7679420
Marketing Communications
Gwen Clark, [email protected]
Linux New Media USA, LLC
4840 Bob Billings Parkway, Ste 104
Lawrence, KS 66049 USA

Publisher
Brian Osborn
Customer Service / Subscription
For USA and Canada:
Email: [email protected]
Phone: 1-866-247-2802
(Toll Free from the US and Canada)
For all other countries:
Email: [email protected]
www.linux-magazine.com

While every care has been taken in the content of the magazine, the publishers cannot be held responsible for the accuracy of the information contained within it or any consequences arising from the use of it. The use of the disc provided with the magazine or any material provided on it is at your own risk.

Copyright and Trademarks © 2024 Linux New Media USA, LLC.

No material may be reproduced in any form whatsoever in whole or in part without the written permission of the publishers. It is assumed that all correspondence sent, for example, letters, email, faxes, photographs, articles, drawings, are supplied for publication or license to third parties on a non-exclusive worldwide basis by Linux New Media USA, LLC, unless otherwise stated in writing.

Linux is a trademark of Linus Torvalds.

All brand or product names are trademarks of their respective owners. Contact us if we haven't credited your copyright; we will always correct any oversight.

Printed in Nuremberg, Germany by Kolibri Druck.
Distributed by Seymour Distribution Ltd, United Kingdom
Represented in Europe and other territories by: Sparkhaus Media GmbH, Bialasstr. 1a, 85625 Glonn, Germany.

Linux Magazine (Print ISSN: 1471-5678, Online ISSN: 2833-3950, USPS No: 347-942) is published monthly by Linux New Media USA, LLC, and distributed in the USA by Asendia USA, 701 Ashland Ave, Folcroft PA. Application to Mail at Periodicals Postage Prices is pending at Philadelphia, PA and additional mailing offices. POSTMASTER: send address changes to Linux Magazine, 4840 Bob Billings Parkway, Ste 104, Lawrence, KS 66049, USA.

WRITE FOR US

Linux Magazine is looking for authors to write articles on Linux and the tools of the Linux environment. We like articles on useful solutions that solve practical problems. The topic could be a desktop tool, a command-line utility, a network monitoring application, a homegrown script, or anything else with the potential to save a Linux user trouble and time. Our goal is to tell our readers stories they haven't already heard, so we're especially interested in original fixes and hacks, new tools, and useful applications that our readers might not know about. We also love articles on advanced uses for tools our readers do know about – stories that take a traditional application and put it to work in a novel or creative way.

We are currently seeking articles on the following topics for upcoming cover themes:

• Open hardware
• Linux boot tricks
• Best browser extensions

Let us know if you have ideas for articles on these themes, but keep in mind that our interests extend through the full range of Linux technical topics, including:

• Security
• Advanced Linux tuning and configuration
• Internet of Things
• Networking
• Scripting
• Artificial intelligence
• Open protocols and open standards

If you have a worthy topic that isn't on this list, try us out – we might be interested!

Please don't send us articles about products made by a company you work for, unless it is an open source tool that is freely available to everyone. Don't send us webzine-style "Top 10 Tips" articles or other superficial treatments that leave all the work to the reader. We like complete solutions, with examples and lots of details. Go deep, not wide.

Describe your idea in 1-2 paragraphs and send it to: [email protected]. Please indicate in the subject line that your message is an article proposal.

Authors

Chris Binnie 44
Zack Brown 12
Bruce Byfield 6, 24, 40
Joe Casad 3
Mark Crutch 75
Hans-Georg Eßer 56
Marcin Gastol 78
Jon "maddog" Hall 77
Rubén Llorente 34
Andrew Malcolm 60
Vincent Mealing 75
Pete Metcalfe 70
Graham Morrison 84
Mike Schilli 50
Ferdinand Thommes 81
Koen Vervloesem 28
Jack Wallen 8
Michael Williams 16
Branden Zavaleta 90



NEXT MONTH
Issue 282

Issue 282 / May 2024


April 5

D-Bus
The D-Bus interprocess communication
mechanism coordinates the process lifecycle
and offers a way for applications to talk to each
other. Next month we take a deep look at this
essential component of the Linux ecosystem.

Preview Newsletter
The Linux Magazine Preview is a monthly email
newsletter that gives you a sneak peek at the next
issue, including links to articles posted online.
Sign up at: https://bit.ly/Linux-Update

Image © smon, 123RF.com

