Linux Magazine USA - Issue 287 October 2024

The October 2024 issue of Linux Magazine features articles on various topics including advanced AI models, container management with eBPF and Cilium, and steganography techniques. The editorial discusses ongoing antitrust issues facing major tech companies like Google, Apple, and Meta, highlighting the potential for significant changes in the industry. Additionally, the issue includes updates on new Linux distributions and software releases, as well as a DVD containing Debian 12.6 and Clonezilla 3.1.3-16.

ISSUE 287 – OCTOBER 2024
DVD INSIDE

Run advanced AI models on your home computer

PiJuice Zero: Power management for a Rasp Pi
eBPF and Cilium: Manage your container environment with this revolutionary kernel tool
Steganography: Passing secrets in plain sight
Netcat and Socat: Expert networking tricks with these versatile command-line tools
Map Machine and OpenStreetMap: Add custom markers and icons to your maps
Coin Counter: Tally your money with a Pi Pico

10 GLITTERING GEMS FROM THE FOSS VAULT!

WWW.LINUX-MAGAZINE.COM
EDITORIAL
Welcome

TRUST ISSUES

Dear Reader,

Are fortunes changing for Google? Many observers think so, but trillion-dollar companies have ways of making problems go away. It does seem like they are on a bit of a losing streak when it comes to government tolerance of their anti-competitive behavior. The EU has been leveling fines against Google for years, and last year, the European Commission issued a formal antitrust complaint, suggesting that breaking up the company might be the only remedy [1]. Earlier this year, the EU began investigating Google under the new Digital Markets Act [2], which is designed to prevent gatekeeper companies from controlling their markets.

The EU deserves credit for their diligent pursuit, but because Google is a US company, the recent antitrust finding by the US District Court of DC could be far more eventful. In the first antitrust decision of the Internet era, Judge Amit P. Mehta ruled that Google is a monopoly company that uses anti-competitive practices to maintain its monopoly on search [3].

It is striking that the government seems to be open to all possible remedies, including breaking up the company. A hearing to discuss the next steps is scheduled for September 6, which means that by the time you read this, you might know more about the government’s direction than I know now. It is interesting that even one of the milder remedies suggested for the situation could still have a massive impact. The simple step suggested by some observers is to stop letting Google pay huge sums to phone makers and browser vendors to make Google the default search engine.

Back around the turn of the millennium, the last big high tech antitrust case (against Microsoft) was all about “control of the desktop.” It seems this new case could come down to “control of the home screen.”

Imagine if, the first time you log on to your iPhone, a screen pops up giving you the choice of which search engine to use, rather than having that choice made for you by default. That small step alone could greatly increase the competitive positions of the alternatives. DuckDuckGo, for instance, which currently has around 3.5 percent of the search market, could easily see its market share double or triple (or more).

Apple, on the other hand, would face a $20 billion shortfall in revenue with the loss of the Google subsidy. Would they develop their own search engine? Would they take the loss and try to generate revenue elsewhere?

Whatever happens will probably take a few years to sort out. The important thing is, the US government is finally addressing some of the antitrust issues that people like me have been complaining about for years. And the feds have more on their minds than just Google search. Other current antitrust actions [4] against big tech include:

• Amazon – online sellers have long complained about Amazon favoring its own products over those of third parties operating within the Amazon marketplace. The argument is that Amazon is both the platform and a seller competing on the platform, which puts the other sellers at a disadvantage.
• Apple – the company’s stranglehold over its own platform has long concerned regulators. Apple certainly doesn’t have a monopoly level of control over the smartphone market in general, but the argument is that, within the sphere of the Apple universe, the company is behaving in a monopolistic manner, blocking competitors’ access to Apple users. It all depends on how you define the market, but in any case, Apple is facing renewed scrutiny and might eventually face accountability.
• Meta – Facebook’s parent company is accused of making itself a monopoly by buying its competitors – in particular, Instagram and WhatsApp. The case was already dismissed once, with the judge commenting that the Federal Trade Commission (FTC) did not succeed in defining the market that Meta/Facebook is accused of monopolizing. (Think about it: What exactly is Facebook’s “market?”) The FTC is now taking another shot at refiling the case.
• Another Google – The US Justice department has filed a wholly separate lawsuit against Google over advertising, accusing the search giant of reinforcing its monopoly position through anti-competitive mergers and practices and strong-arming online publishers and advertisers into using Google’s ad infrastructure.

Antitrust cases take a long time to develop and an even longer time to resolve, but they can have a profound effect on the culture. If even one of these five cases results in a significant remedy, it could really shake up the Internet industry. But don’t hold your breath: These tech giants have plenty of resources and are dug in for a long and protracted battle.

Joe Casad, Editor in Chief

Info

[1] “EU Suggest Breaking Up Google’s Ad Business in Preliminary Antitrust Ruling”: https://www.theverge.com/2023/6/14/23759094/european-commission-google-antitrust-advertising-market-antitrust
[2] “Apple, Google, Meta Targeted in First Digital Market Act Probes”: https://www.reuters.com/business/media-telecom/eu-investigate-apple-google-meta-potential-digital-markets-act-breaches-2024-03-25/
[3] “Google is a Monopolist, Judge Rules in Landmark Antitrust Case”: https://www.nytimes.com/2024/08/05/technology/google-antitrust-ruling.html
[4] “After Google’s Antitrust Ruling, Here’s Where Other Big Tech Cases Stand”: https://www.nytimes.com/2024/08/05/technology/antitrust-google-amazon-apple-meta.html

LINUX-MAGAZINE.COM ISSUE 287 OCTOBER 2024 3


OCTOBER 2024

ON THE COVER

46 eBPF and Cilium
The innovative eBPF builds a sandbox at kernel level, but it is too complex to integrate easily with Kubernetes. Cilium fills the gap.

52 Steganography
Yes, you really can hide messages and secret data inside image files.

64 Coin Counter
Roll your own electronic coin counter with a Raspberry Pi Pico and a little bit of Python.

69 PiJuice Zero
This cool tool adds a tiny UPS to your tiny Raspberry Pi Zero computer.

75 Netcat and Socat
The classic Netcat networking tool allows you to spin up network connections from the command line, and Socat adds still more powerful features. We’ll show you how to create bind shells and reverse shells.

88 OpenStreetMap
OpenStreetMap’s Map Machine feature lets you add icons and custom features to your maps.

NEWS

8 News
• Ubuntu 24.10 to Include the Latest Linux Kernel
• Plasma Desktop 6.1.4 Release
• Manjaro Team Tests Immutable Version
• Vanilla OS 2 Available
• Debian-Based eLxr Distribution for Edge Deployments
• NVIDIA Driver for Upcoming NVIDIA 560 GPU for Linux
• OpenMandriva Lx 24.07 Released
• Kernel 6.10 Available for General Usage

12 Kernel News
• Speeding Up the Dentry Cache

COVER STORY

16 LLMs at Home with Ollama
Ollama and Open WebUI let you join the AI revolution without relying on the cloud.

Many Linux users are intrigued by Large Language Model (LLM) tools like ChatGPT, but if you really want to be methodical about testing and experimenting, why get tangled in the cloud? Ollama lets you run LLMs locally on a home computer.

REVIEWS

24 bauh Package Manager
The bauh package manager provides a single interface to manage all of your Linux software. Despite a few issues, bauh goes a long way in simplifying package management.

28 SysLinuxOS
SysLinuxOS puts an end to searching for the right tools for admin tasks.

32 Ubuntu MATE 24.04
Ubuntu MATE is an intriguing option for users who want the steady predictability of Ubuntu without the complexity and feature-bloat of modern-day Gnome or KDE.

IN-DEPTH

36 LXD-UI
LXC, a command-line manager for Linux containers, is quite tricky to use. The LXD-UI web interface makes life easier.

42 Command Line – electerm
The modern electerm combines terminal, file manager, and remote connection functions into a single app.

46 eBPF and Cilium
eBPF offers a powerful remedy for the complexity of Kubernetes, but it can be difficult to configure and manage. Cilium provides easy access to eBPF’s revolutionary capabilities.

52 Steganography
Intruders and spies have ways of concealing information in image files, doc files, and other innocuous locations. Welcome to the sneaky art of steganography.

58 Programming Snapshot – Go WiFi Monitor
To see when clients are joining and leaving the wireless network, Mike Schilli writes a command-line utility that uses an object-relational mapping interface to store and display historical data.

MakerSpace

64 Coin Counter
Parking meters and vending machines detect and count the coins you insert, but how do they work? We’ll show you how to mimic the functionality with some particleboard, a Raspberry Pi Pico, a few extra chips, and some Python code.

69 PiJuice Zero
The Raspberry Pi Zero is a frugal little computer. But without a power socket, you might be surprised how quickly it can drain a battery. Active power management is the order of the day.

73 Welcome
This month in Linux Voice.

74 Doghouse – High-Level Languages
With all the benefits of high-level languages, there’s still good value in learning assembly- and machine-level languages today.

75 Netcat and Socat
Netcat is the Swiss Army knife of networking for admins. Socat takes this principle one step further, offering multiplexing, TLS-secured channels, pipes, Unix sockets, and executables.

78 cksfv
cksfv and the CRC32 algorithm can’t compete with modern methods as a way to look for intruders, but if you’re just checking for random errors such as a misplaced bit, this ancient tool could still be of service.

82 FOSSPicks
This month Nate looks at The Battle for Wesnoth, Wine, Keypunch, Folio, LibreOffice, Zed, and more!

88 Tutorial – Map Machine and OpenStreetMap
Use Map Machine’s icons to make the most of OpenStreetMap data and show as many map features as possible.

95 Back Issues
96 Events
97 Call for Papers
98 Coming Next Month

TWO TERRIFIC DISTROS – DOUBLE-SIDED DVD! SEE PAGE 6 FOR DETAILS

@linux_pro · @linuxpromagazine · @linuxmagazine · Linux Magazine


DVD
This Month’s DVD

Debian 12.6 and Clonezilla 3.1.3-16

Two Terrific Distros on a Double-Sided DVD!

Debian 12.6 (64-bit)

For many readers, Debian needs no introduction. It is one of the oldest, most popular, and most influential distributions of all time. Much of its status is due to its strict package guidelines and security updates. These updates are available as released, but periodically they are bundled into point releases to make them as accessible as possible. Debian 12.6 is currently the latest point release for Debian 12, aka bookworm. Preceded by five point releases, Debian 12.6 offers few new packages. What it does include is over 130 bug fixes for both minor and major packages and some 60 security updates. A handful of minor packages have also been removed for various reasons, and the installer has been updated. With these changes, it is the most secure version of Debian currently available.

Clonezilla 3.1.3-16 (64-bit)

Clonezilla is a rescue disk, run from a Live DVD, rather than a distribution. It is a partition and disk-imaging utility useful for backup and restoration. Supporting a wide range of filesystems and operating systems, Clonezilla allows for the restoration of bootloaders, and it can run on both BIOS or UEFI machines. Based on several image creation applications, it can create images for entire disks and store them locally, externally, or remotely. This latest release includes several bug fixes and updates the underlying operating system. Like all Clonezilla releases, it is a tool that experienced administrators use and keep around just in case.

Defective discs will be replaced. Please send an email to [email protected].

Although this Linux Magazine disc has been tested and is to the best of our knowledge free of malicious software and defects, Linux Magazine cannot be held responsible and is not liable for any disruption, loss, or damage to data and computer systems related to the use of this disc.


NEWS
Updates on technologies, trends, and tools

THIS MONTH’S NEWS
08 • Ubuntu 24.10 to Include the Latest Linux Kernel
   • Plasma Desktop 6.1.4 Release Includes Improvements and Bug Fixes
09 • Manjaro Team Tests Immutable Version of its Arch-Based Distro
   • Vanilla OS 2 Orchid Available
   • More Online
10 • Debian-Based eLxr Distribution Announced for Edge Deployments
   • NVIDIA Releases Driver for Upcoming NVIDIA 560 GPU for Linux
11 • OpenMandriva Lx 24.07 Released
   • Kernel 6.10 Available for General Usage

Ubuntu 24.10 to Include the Latest Linux Kernel

Canonical announced that Ubuntu 24.10 will be the first release to ship with the latest upstream kernel. That means “Oracular Oriole” will come with Linux kernel v6.11. Previously, Ubuntu shipped with kernels that would soon reach end of life (EOL), which was driven by Canonical’s need to always ship what they knew would work and had been sufficiently tested, vetted, and updated.
According to the Ubuntu Kernel Engineering Director, Brett Grandbois (https://discourse.ubuntu.com/t/kernel-version-selection-for-ubuntu-releases/47007), the old policy was a conservative “wait and see” approach, which guaranteed stability on the appointed release day but proved unpopular with consumers looking for the latest features and hardware support.
Under the new policy, Grandbois states, “Ubuntu will now ship the absolute latest available version of the upstream Linux kernel at the specified Ubuntu release freeze date, even if upstream is still in Release Candidate (RC) status.”
This will, of course, bring about a few complications, such as kernel variants, dependent components, a tighter release, possible unstable releases, and late releases.
Grandbois said that any upstream kernel that has a merge window opened after feature freeze would be considered too unstable and its release too far in the future to be adopted for a pending release.
You can read more about this new policy in Grandbois’s blog post (see above), which goes into further detail about the issues and guidelines.

Plasma Desktop 6.1.4 Release Includes Improvements and Bug Fixes

It was only three weeks ago that Plasma Desktop 6.1.3 was released, which is a very fast turnaround for a desktop environment release (even though it’s just a point release), but here we are.
The developers of the Plasma Desktop have released their latest iteration that adds several improvements and fixes.
On top of the list of improvements is a fix for Plasma Widget resizing to make the animation much smoother. Along the same lines, the developers have managed to make the pop-ups from the Task Manager scale better.
There have been a lot of fixes to the KWin Window Manager, such as a fix for X11 windows being stuck in should_get_focus, a fix for checking whether GraphicsBufferView is nil, keeping the titlebar in the screen when open windows are too tall and would normally place it above the display, and several other fixes.
KWin also is now capable of running with real-time capabilities on systems that include the musl library. KWin’s 10-bit color support is disabled for monitors that are plugged into a dock and the triple-buffering features no longer stutter.


The Plasma Desktop offers improvements in the folder view, applets/task manager, and KRunner no longer shows a match if just one query word matches. This update also fixes issues with Discover, Dr. Konqi, KGamma, KPipeWire, KRdp, KScreen, kscreenlocker, and more.
You can read the details for the entire update in the official release notes: https://kde.org/announcements/changelogs/plasma/6/6.1.3-6.1.4/.

Manjaro Team Tests Immutable Version of its Arch-Based Distro

If you do a quick search, you’ll find there are a handful of immutable Linux distributions based on Arch (such as Arkane Linux – https://arkanelinux.org/). As immutability seems to make more and more sense with each passing day, it was only a matter of time before another Arch-based distribution decided to create a similar offering.
That offering is coming from the Manjaro team, and they’re working with the Arkdep toolkit (which was created by the Arkane Linux team) to create an immutable, atomic OS on top of the Btrfs filesystem.
According to a forum post (https://forum.manjaro.org/t/manjaro-immutable-out-now-for-community-testing/166364), the reason the Manjaro team decided to go with Arkdep is ease of use and the support for personalized configurations. The post also links to the arkdep-build docs, where you can learn how to build your own images. The Manjaro team also has offered their Arkdep profiles as a template (https://github.com/manjaro/arkdep-profiles).
The plan is for this new immutable version to become an official spin of Manjaro, but, as of now, there’s no time frame for when this will happen, as there is a lot to do and currently it is only in the testing/information gathering stage.
Anyone interested in trying the immutable take on Manjaro will need to have a machine that meets the minimum requirements of 32GB of internal storage (64GB recommended) and UEFI boot.
You can download the ISO from the official download site: https://download.manjaro.org/manjaro-gnome-immutable/20240801/manjaro-gnome-immutable-2024.08.01-x86_64.iso.

MORE ONLINE

Linux Magazine
www.linux-magazine.com

ADMIN HPC
http://www.admin-magazine.com/HPC/
Podman for Non-Root Docker • Jeff Layton
Podman is the best non-root Docker tool I’ve found. Let me show you why.

ADMIN Online
http://www.admin-magazine.com/
Centralized Monitoring and Intrusion Detection • Erik Bärwaldt
Security Onion bundles numerous individual Linux tools that help you monitor networks or fend off attacks to create a standardized platform for securing IT environments.
DevSecOps with DefectDojo • Guido Söldner
The DefectDojo vulnerability management tool helps development teams and admins identify, track, and fix vulnerabilities early in the software development process.
Secure Kubernetes with Kubescape • Martin Loschwitz
Kubescape checks Kubernetes container setups for security and compliance issues, making life easier for administrators.

Vanilla OS 2 Orchid Available

It’s been a year in the making but Vanilla OS 2 Orchid has been officially released. This time around, the developers have completely rewritten the operating system with a focus on simplicity and performance.
The developers approached version 2 based on three fundamental concepts: reliability, safety, and coolness. On the reliability side of things, the focus is on what matters most without interruption, whether that’s managing new projects, viewing media, or creating content.
Orchid protects critical components from unauthorized access by placing all activities within an isolated space. Also, data is encrypted and the boot process has been verified against tampering. For coolness, you’ll find a modern UI that makes it easy for any user (of any skill) to feel right at home on the desktop.
Orchid ensures the system is always up-to-date, a process that happens in the background, so it never interrupts you. Users can set the update frequency to best meet their needs.
Vanilla OS 2 supports multiple graphic cards and, with the help of the new PRIME Utility, you can switch between integrated and discrete GPUs based on need. Orchid also is compatible with Linux apps, Android apps, Steam games, and much more.
Developers haven’t been forgotten either. Thanks to the new APX feature, developers can create customized Linux environments that are seamlessly integrated with the system. You can read more about this powerful tool here: https://vanillaos.org/blog/article/2024-07-11/discover-apx-v2-the-new-essential-tool-for-developers-and-creators-on-vanilla-os-orchid.
You can download the latest release of Vanilla OS from the official website (https://vanillaos.org/blog/article/2024-07-11/discover-apx-v2-the-new-essential-tool-for-developers-and-creators-on-vanilla-os-orchid) and view the release announcement to find out more: https://vanillaos.org/blog/article/2024-07-28/vanilla-os-2-orchid---stable-release.

Debian-Based eLxr Distribution Announced for Edge Deployments

The eLxr project has released an open source, enterprise-grade Linux distribution for near-edge networks and workloads.
According to the website, Debian-based eLxr provides a secure and stable edge distribution, with a predictable release and update cadence that ensures its suitability for long life cycles and long-term deployments.
eLxr features include:
• Consistent performance and stability, whether on device, on-premises, or in the cloud.
• Hardware optimization for better performance and overall system integrity throughout the life cycle.
• Smaller footprint for better performance, optimized workloads, and smaller attack surface.
• Built-in security features and dedicated hardware features including secure boot, Trusted Platform Module (TPM), cryptographic engine, and more.
“With eLxr, the power and stability of Debian and its community serve as the foundation for edge-to-cloud deployments, delivering an enterprise-grade Linux distribution tailored for non-traditional use cases,” says Mark Asselstine, Principal Technologist, Wind River Systems, which contributed the initial eLxr release.
eLxr offers a strategic advantage for enterprises aiming to optimize their edge deployments, the announcement states (https://elxr.org/post/elxr-announcement/), by providing “a seamless operating environment across devices.”
“This project unifies the enterprise tech stack, ensuring accessibility and scalability across edge and server projects while fostering innovation in areas such as near-edge networks,” Asselstine notes.
Additionally, eLxr aims to attract a broad range of users and contributors who value both innovation and community-driven development. The eLxr project’s mission is focused on accessibility, innovation, and maintaining the integrity of open source software. These commitments help ensure that users benefit from a freely available Linux without proprietary restrictions.
Learn more at eLxr: https://elxr.org/.

NVIDIA Releases Driver for Upcoming NVIDIA 560 GPU for Linux

Along with the release of the new NVIDIA 560 series of GPUs, the installer for the driver includes the new NVIDIA open-source GPU kernel modules.
Two years ago, NVIDIA released the first GPU driver to include kernel modules with the goal of replacing the proprietary, closed-source drivers. Since then, the modules have matured enough that the NVIDIA 560 series will default to the open source kernel modules.
As well, these new modules aim to add support for the EGL_KHR_platform_x11 and EGL_EXT_platform_xcb extensions for Xwayland as well as a PipeWire back end to enable NvFBC to work with Wayland compositors.
Other highlights include support for multiple concurrent clients to NvFBC direct capture, support for DRM-DMS explicit synchronization via the IN_FENCE_FD mode, support for variable refresh rates for Wayland with pre-Volta GPUs, as well as plenty of bug fixes.
The new NVIDIA installer will default to the new open source kernel modules on systems with GPUs that support both proprietary and open kernel modules.
Supported GPUs include GeForce RTX 40/30/20 series, MX500/400/300/200/100 series, GTX 16 series, GeForce 16/10 series, GeForce 900/900M/800M/700 series, and more.
You can learn more about the new NVIDIA display driver in the official release notes (https://www.nvidia.com/Download/driverResults.aspx/230225/en-us/).

Get the latest news in your inbox every week. Subscribe FREE to Linux Update: bit.ly/Linux-Update

OpenMandriva Lx 24.07 Released

OpenMandriva ROME is one of the first (if not the first) Linux distributions to ship with the 6.10 kernel, thanks to the latest Lx 24.07 release. On top of that, users will find Plasma Desktop 6.1, Gnome 46.3, or LXQt 2.0 (depending on which spin is chosen).
The flagship edition of OpenMandriva defaults to Plasma Desktop, which includes KDE Gear 24.05.2 and KDE Frameworks 6.4. Unfortunately, the distribution still relies on X11, due to the developers feeling Wayland isn’t yet mature enough. In fact, when attempting to install the Wayland release of OpenMandriva as a VirtualBox virtual machine (VM), it boots to a black screen; no matter how you tweak the VM settings, it will not work.
Do keep in mind, however, that the Wayland ISO does work on bare metal and Qemu with KVM.
Other notable changes to the latest snapshot include support for AMD ROCm, the latest LibreOffice office suite (with Qt 6 and Plasma 6 integration included), LLVM/Clang 18.1.8, GCC 14.1.0, glibc 2.39, systemd 255.7, Mesa 24.1.4, and many others. As well, OpenMandriva packages for Wine, Proton, and Proton experimental are available.
You can read more about this latest release from the official announcement (https://www.openmandriva.org/en/news/article/openmandriva-rome-24-07-released) and download an ISO from the OpenMandriva SourceForge page (https://sourceforge.net/projects/openmandriva/files/release/).

Kernel 6.10 Available for General Usage

The release of kernel 6.10 includes several notable improvements and additions. One of the more significant changes is improved performance for Intel Core hybrid systems. On systems running an Intel Core i5-13500H CPU (while also using the EEVDF scheduler), users saw up to a 50 percent performance hit. With kernel 6.10, that is no more.
Another big addition is the new Panthor graphics Direct Rendering Manager (DRM) driver, which vastly improves graphics performance for new ARM Mali GPUs. Intel also received some graphics love, such as the initial support for Intel’s upcoming Xe2 graphics hardware.
Support for Intel’s Arrow Lake-H processors and improved functionality with Lenovo 13X Gen 4, Lenovo ThinkPad 16P Gen 5, and Lenovo ThinkPad 13X laptops also is included.
This release also features much-improved performance with AES-XTS disk and file encryption for new Intel and AMD CPUs. As well, kernel 6.10 introduces mseal(), which goes a long way to protect virtual memory against modifications and adds Trusted Platform Module (TPM) bus encryption/integrity protection.
In a post to LWN.net (http://lwn.net/), Jeff Xu (from the Chromium dev team), said of mseal(), “Modern CPUs support memory permissions, such as the read/write (RW) and no-execute (NX) bits. Linux has supported NX since the release of kernel version 2.6.8 in August 2004.”
Xu continues, “The memory permission feature improves the security stance on memory corruption bugs, as an attacker cannot simply write to arbitrary memory and point the code to it. The memory must be marked with the X bit, or else an exception will occur. Internally, the kernel maintains the memory permissions in a data structure called VMA (vm_area_struct). mseal() additionally protects the VMA itself against modifications of the selected seal type.”
If you’re looking to upgrade to the latest kernel, I would strongly advise waiting until it is made available in your Linux distribution’s default repositories.
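The property Xu describes, that a sealed VMA refuses later permission changes, can be checked from user space. The following is an added example, not code from the magazine or from the kernel developers: it maps one anonymous page, seals it with mseal(), and then attempts the two changes a hardened runtime wants to rule out, flipping the page executable and unmapping it. It assumes the syscall number 462 (the number mseal() received in 6.10 on x86_64 and arm64) only when the C library headers do not yet define SYS_mseal; on a kernel older than 6.10 the probe reports the syscall as unsupported instead of failing.

```c
// Added example (not from the magazine): probing the mseal() system call
// introduced in kernel 6.10. mseal() pins a VMA's protections so that later
// mprotect()/munmap() calls on the range are refused with EPERM.
#define _GNU_SOURCE
#include <errno.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef SYS_mseal
#define SYS_mseal 462   // assumption: generic syscall number assigned in 6.10 (x86_64 and arm64)
#endif

enum seal_result {
    SEAL_UNSUPPORTED = 0,  // kernel (or sandbox) does not provide mseal(), or the probe could not be set up
    SEAL_ENFORCED = 1,     // mprotect() and munmap() on the sealed range were both refused with EPERM
    SEAL_NOT_ENFORCED = 2  // mseal() returned success but a later change still went through
};

// Map one read-only page, seal it, then try to make it executable and to unmap it.
// Returns how the running kernel reacted. A sealed page cannot be released, so
// each successful probe deliberately leaves one page mapped until process exit.
enum seal_result probe_mseal(void)
{
    long page = sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, (size_t)page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return SEAL_UNSUPPORTED;

    memset(p, 0x41, (size_t)page);            // constructed sample contents
    if (mprotect(p, (size_t)page, PROT_READ) != 0) {
        munmap(p, (size_t)page);
        return SEAL_UNSUPPORTED;
    }

    // Seal the VMA. The third argument (flags) is reserved and must be 0.
    if (syscall(SYS_mseal, p, (size_t)page, 0UL) != 0) {
        // ENOSYS on pre-6.10 kernels; seccomp-filtered sandboxes may return EPERM
        // here as well, which is still "no sealing available", not a broken seal.
        munmap(p, (size_t)page);
        return SEAL_UNSUPPORTED;
    }

    // Both of these must now fail with EPERM: no W^X bypass, no unmap-and-remap.
    int prot_blocked = (mprotect(p, (size_t)page, PROT_READ | PROT_EXEC) == -1
                        && errno == EPERM);
    int unmap_blocked = (munmap(p, (size_t)page) == -1 && errno == EPERM);

    return (prot_blocked && unmap_blocked) ? SEAL_ENFORCED : SEAL_NOT_ENFORCED;
}
```

The useful invariant is that the probe never returns SEAL_NOT_ENFORCED: either the kernel has no mseal() and the result is SEAL_UNSUPPORTED, or it accepted the seal and then honoured it. A process that seals its code and read-only data regions early (as a loader or language runtime might) gets exactly this guarantee for the rest of its lifetime, which is why a failed mseal() call should be logged rather than silently ignored.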


NEWS
Zack’s Kernel News

Chronicler Zack Brown reports on the latest news, views, dilemmas, and developments within the Linux kernel community.

By Zack Brown

Author
The Linux kernel mailing list comprises the core of Linux development activities. Traffic volumes are immense, often reaching 10,000 messages in a week, and keeping up to date with the entire scope of development is a virtually impossible task for one person. One of the few brave souls to take on this task is Zack Brown.

Speeding Up the Dentry Cache
Linus Torvalds wrote an experimental patch intended to speed up filesystem operations, specifically the directory entry (dentry) cache. However, he didn’t really like his own patch – even though it worked. He hoped one of the kernel developers might do it better.
The dentry cache is a lookup table that sits in RAM and is used by the rest of the kernel to identify exactly where a desired file or directory is located on disk. Whenever you open, read, or edit a file, or anything like that, you use the dentry cache.
Typically, you really want that dentry cache lookup to be as fast as possible. You don’t want to sit around waiting for your file to open. Especially if “you” are not a person but a process such as a database or whatnot, operating on tons and tons of files all at once, any delay can start to mount up.
One such delay is inherent – or has been until now – in the way the dentry cache is structured in memory. Typically the Linux kernel would define the overall shape and dimensions of this lookup table in the source code. The C compiler then would optimize it based on some assumptions and expectations about the amount of RAM available on a typical running system. Then when you booted your system, you’d have a nice generic dentry cache that would probably work very well on whatever system you happened to be using.
But Linus was not satisfied. He wanted a dentry cache that was customized for the specifics of an actual running system, rather than making assumptions about what might be there. He wanted the size and shape of the dentry cache to be precisely optimized to a given system’s particular needs. To achieve this, Linus wanted to define the size and shape of the dentry cache at boot time, when more could be deduced about the specific resources available, rather than at compile time.
Nothing easier! Actually, no, it’s quite hard. It might be relatively simple to define the size and shape of the dentry cache at boot time, using the available knowledge of how much memory and other resources existed on the running system. But then it would still be necessary to use the dentry cache (i.e., to look up each file and directory whenever something on the system needed them). At that point, having determined these details of the dentry cache dynamically at boot time, the calls into the lookup code would need to bring those details with them each time, so they could perform those lookups accurately.
However, that is not as simple as it sounds. Passing values from place to place, or looking them up in a global variable, involves performing memory operations, each of which takes a microscopic bit of time. And again, these add up, and they add up fast.
Linus’s patch avoided those delays in a disgustingly clever way. Because he wanted to avoid memory operations as much as possible, his patch implemented “runtime constants” – these are not variables to be looked up or passed from function to function, nor are they constants that are the same for all users everywhere. Rather, Linus wanted to create values that could be determined at the start of a given run of the system,


but that would be constant ever after, without having to be looked up as needed.
To do this, his code placed some variable-like placeholders in the kernel, wherever dentry cache lookups needed to know the size and shape of the dentry cache. These placeholders were compiled into the binary without ever being given values – they remained variable-like. At boot time, his code first determined the best values to use in those placeholders. Then the code went through the actual machine code of the kernel running in RAM and replaced, one by one, each of those placeholders with the actual constant value that they needed to be.
So the variable-like thingamabobs stopped looking like variables and became actual numbers, at the exact spots in the code where they were needed, without the calling routines ever needing to pass those values into the lookup code.
Insanity!
But as mentioned above, Linus wasn’t happy with his implementation, even though it worked. The process of going through the machine code and replacing the placeholders with their actual values was not as clean as he wanted. He wanted the kernel to be able to iterate quickly and cleanly over all the occurrences of each placeholder. But the running kernel is huge! Sifting through the whole thing for all those placeholders would itself take a lot of time. True, it would only add a short delay to the bootup time, but maintaining a fast boot time is also a highly valued feature of Linux, not to be sacrificed lightly.
Linus wanted to isolate the occurrences of each placeholder into its own “section” of running code. Then the kernel would only need to look at that small section for all the occurrences of its corresponding placeholder.
Sections are actually a formal type of structure used by compilers and linkers. Data, code, symbol names, and lots of other stuff can get put into its own separate section. There are lots of reasons for this, including security, profiling, and even maintaining the readability of the assembly language code itself. However, developers can define sections to be used for whatever reasons they please – such as in this case, where Linus wanted to use them to isolate the locations of specific data that would otherwise take more time to find.
But this was exactly where Linus ran into problems. In order to iterate over a single section of the running kernel binary, his code needed to know the start and end addresses of that section in RAM. Linus said:
“Sure, I can trivially just do

. = ALIGN(8);
__static_const_start = . ;
KEEP(*(.static_const.*))
__static_const_end = . ;

“and now I have the over-all start and end for those sections, but I want it per section.”
He went on to say:
“This is actually not even remotely a new thing: We do this manually for a lot of sections, and we have macros to help do it, eg our ‘BOUNDED_SECTION_BY()‘ macro in <asm/vmlinux.lds.h> does exactly this for any named section.
“But they very much do this on individually named sections, not on the kind of ‘do it for this section pattern’ that I want. Yes, you can do it for patterns, and we do:

BOUNDED_SECTION_BY(.note.*, _notes)

“but that creates exactly that same ‘bound the whole set of sections by symbols’, not ‘bound each individual section’ thing.”
Linus tried a few different ways to accomplish what he wanted. He tried a linker script, which is a sort of script that is used to organize the various sections during compilation. Then he also tried to use objtool, which is a standalone tool used to manipulate the files created by the compiler before they are linked by the linker. But he couldn’t find a way to make that work either.
He suggested on the Linux kernel mailing list that someone on the objtool development project might extend objtool to do what he needed. He said, “Hmm? Am I barking up entirely the wrong tree? Or does this seem doable and reasonable?”
There was a bit of discussion with Josh Poimboeuf, one of the objtool


maintainers. Josh was not in favor of modifying objtool the way Linus wanted; the two of them went back and forth on it a bit, with Josh eventually agreeing to give it a try. However, it did apparently turn out that Linus was barking up the wrong tree with that request.
Elsewhere in the conversation, Rasmus Villemoes also replied to Linus’s initial post. Rasmus said that, in fact, there was an easy way to do what Linus wanted. In his patch, Linus had named the various sections using names like .static_const., and this turned out, according to Rasmus, to be exactly the problem.
Rasmus said, “I’m probably missing something, but isn’t this exactly what you get for free if you avoid using dots and other non-identifier symbols in the section names, i.e. make it ‘__static_const__’ #sym or whatnot.”
Rasmus went on to say, “If an output section’s name is the same as the input section’s name and is representable as a C identifier, then the linker will automatically [provide] two symbols: __start_SECNAME and __stop_SECNAME, where SECNAME is the name of the section. These indicate the start address and end address of the output section respectively. Note: most section names are not representable as C identifiers because they contain a ‘.’ character.”
Going further, Rasmus said that he had done a proof-of-concept patch implementing exactly what Linus wanted – runtime constants – several years earlier, but that it hadn’t gone anywhere. As he put it, he “either never managed to send it, or never got a response.”
Linus replied with a big laugh – at himself. He said to Rasmus, “You’re not missing anything – I am. I clearly missed this linker rule entirely when I was looking for some explicit way to set these start/end symbols, because that rule – which is almost exactly what I wanted – is implicit.”
However, Linus still ran into problems trying to use this feature now. He explained:
“You need to match the output section name with the input section, and since the whole point was that the input section was a *pattern*, I can’t do that.
“I can hardcode the section names, which fixes it, but that is what I wanted to avoid (once I hardcode the section names I could have just added the start/end symbols by hand).
“That said, clearly there’s a way to just do it, since your test-program – using the built-in linker script can do it.”
Linus took a look at Rasmus’s proof-of-concept code from years earlier and said, “honestly, I think your approach may be better than mine.” He went on to say:
“Your thunking approach would probably be much easier on architectures like arm64 where the ‘load a constant’ thing can be a lot less convenient than one single contiguous value in memory.
“Would you be willing to resurrect your thing for a modern kernel? I’ll certainly try it out next to mine?”
And that was the end of the discussion, but presumably Rasmus will indeed work with Linus on this. Rasmus’s proof-of-concept may soon come to sit at the center of one of the hot paths of the Linux kernel.
This kind of optimization seems so much like witchcraft and wizardry to me. The idea of hot patching a running kernel to replace a bunch of variable-seeming bits of data with constant values, all in order to avoid the overhead of doing something absolutely normal like passing a value as input to a function call, is wild. Equally wild is the idea that Linus would try to do such an odd thing and would discover that someone else had already done it and had it waiting for him.
It’s not completely unheard of for Linus to post a patch of his own and ask for help with it. But it is generally never the case that someone replies with something they’ve already written that is better than what Linus had done. One thing that does seem to be a trademark of Linus’s attitude towards developers is his willingness to recognize when he’s wrong or when someone’s idea is better than his. In this case, Linus seemed more than happy to accept that Rasmus’s approach to the problem was right and his was wrong.
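As an added example (not Linus’s patch, Rasmus’s proof of concept, or any kernel code), the user-space C program below shows the linker rule Rasmus describes: descriptors for each placeholder go into a section whose name is a plain C identifier, so GNU ld (or lld) provides __start_rt_const and __stop_rt_const without any linker-script edits, and a one-time “boot” pass walks only that small section. The section name rt_const, the RT_CONST macro, and the bucket-sizing policy are constructed for the illustration; values are written into ordinary variables rather than patched into machine code as the kernel patch does.

```c
/* Added example: a user-space analog of the "runtime constants" the column
 * describes. Not code from the column, from Linus's patch, or from Rasmus's
 * proof of concept. Each placeholder registers a descriptor in a section
 * named with a valid C identifier ("rt_const"), so GNU ld and lld define
 * __start_rt_const / __stop_rt_const for free; a dotted name such as
 * ".static_const.foo" would get no such symbols and this file would not
 * link. Build on Linux with: cc -O2 -o rt_const rt_const.c */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One placeholder: where it lives and how to compute it once the
 * system's resources are known. */
struct rt_const {
    unsigned long *slot;                               /* the placeholder  */
    unsigned long (*compute)(unsigned long mem_bytes); /* boot-time policy */
};

/* Declare a placeholder and register its descriptor in the "rt_const"
 * section. "used" keeps the descriptor even though nothing references it. */
#define RT_CONST(var, fn)                                                 \
    static unsigned long var;                                             \
    static const struct rt_const rt_const_desc_##var                      \
        __attribute__((used, section("rt_const"))) = { &var, fn }

/* Bounds of the output section, supplied by the linker because "rt_const"
 * contains no '.' and is therefore representable as a C identifier. */
extern const struct rt_const __start_rt_const[];
extern const struct rt_const __stop_rt_const[];

/* Constructed sizing policy: one hash bucket per 4 KiB of memory, rounded
 * down to a power of two so that the mask below is a single AND. */
static unsigned long hash_size_for(unsigned long mem_bytes)
{
    unsigned long buckets = 1;
    while (buckets * 2 <= mem_bytes / 4096)
        buckets *= 2;
    return buckets;
}

static unsigned long hash_mask_for(unsigned long mem_bytes)
{
    return hash_size_for(mem_bytes) - 1;
}

/* The two placeholders that the lookup path below depends on. */
RT_CONST(dcache_hash_size, hash_size_for);
RT_CONST(dcache_hash_mask, hash_mask_for);

/* Number of registered descriptors. The subtraction goes through uintptr_t
 * because the compiler treats the two bound symbols as unrelated objects. */
size_t rt_const_count(void)
{
    uintptr_t lo = (uintptr_t)__start_rt_const;
    uintptr_t hi = (uintptr_t)__stop_rt_const;
    return (hi - lo) / sizeof(struct rt_const);
}

/* "Boot": resolve every placeholder exactly once from the memory size by
 * walking only the small rt_const section, never the whole binary.
 * Returns the number of placeholders written, or -1 if none registered. */
int rt_const_init(unsigned long mem_bytes)
{
    size_t n = rt_const_count();
    if (n == 0)
        return -1;                    /* empty section: refuse to start */
    for (size_t i = 0; i < n; i++) {
        const struct rt_const *rc = &__start_rt_const[i];
        *rc->slot = rc->compute(mem_bytes);
    }
    return (int)n;
}

/* Hot-path code reads the placeholders like constants: nothing is passed
 * in and nothing is looked up in a table at call time. */
unsigned long dcache_bucket(unsigned long hash)
{
    return hash & dcache_hash_mask;
}

unsigned long dcache_size(void)
{
    return dcache_hash_size;
}

int main(void)
{
    int n = rt_const_init(64UL << 20);            /* pretend 64 MiB of RAM */
    printf("resolved %d runtime constants: size=%lu, bucket(0x12345)=0x%lx\n",
           n, dcache_size(), dcache_bucket(0x12345UL));
    return n > 0 ? 0 : 1;
}
```

Renaming the section to a dotted name in the RT_CONST macro reproduces the failure Linus hit: the link then stops with undefined references to the two bound symbols.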



COVER STORY
LLMs at Home with Ollama

Running large language models locally

Model Shop
Ollama and Open WebUI let you join the AI revolution without relying on the cloud.

By Koen Vervloesem

Large language models (LLMs) such as the ones used by OpenAI’s [1] ChatGPT [2] are too resource intensive to run locally on your own computer. That’s why they’re deployed as online services that you pay for. However, since ChatGPT’s release, some significant advancements have occurred around smaller LLMs. Many of these smaller LLMs are open source or have a liberal license (see the “Licenses” box). You can run them on your own computer without having to send your input to a cloud server and without having to pay a fee to an online service.
Because these LLMs are computationally intensive and need a lot of RAM, running them on your CPU can be slow. For optimal performance, you need a GPU – GPUs have many parallel compute cores and a lot of dedicated RAM. An NVIDIA or AMD GPU with 8GB RAM or more is recommended.
In addition to the hardware and the models, you also need software that enables you to run the models. One popular package is Ollama [3], named for Meta AI’s large language model Llama [4]. Ollama is a command-line application that runs on Linux, macOS, and Windows, and you can also run it as a server that other software connects to.

Installing Ollama
Installing Ollama on Linux is a one-liner:

curl -fsSL https://ollama.com/install.sh | sh

Ollama supports NVIDIA and AMD GPUs for accelerated inference. For AMD GPUs, it is recommended that you install the latest AMD Radeon drivers [5] so you have access to all features. Moreover, you need to install AMD ROCm [6], a software stack that enables Ollama to program AMD GPUs. If you have an NVIDIA GPU, you need to install the CUDA drivers [7].
Another option is to use the official Ollama Docker image ollama/ollama [8] from Docker Hub. Make sure to consult the project’s page on Docker Hub for instructions on how to give the Docker container access to your GPU.

Choosing a Model
Although it is tempting to use the biggest possible LLM with Ollama, to prevent frustrations you should consider your computer’s resources. The most important property is the number of parameters in a model, because the number of parameters determines how much RAM you need. Indeed, before you can run a large language model, you need to load it completely into RAM.
Common sizes of LLMs are 7B, 13B, 33B, and 70B, where the B stands for billions of parameters. You should have at least 8GB of RAM to run a 7B model, 16GB to run a 13B model, and 32GB

Figure 1: Ollama maintains an extensive model library on its website.



to run a 33B model. The bigger the model, the better, so it’s clear that you need a beefy computer to get the best results. On disk, the models are stored in compressed form, and hence smaller. For example, most 7B models are between 4 and 5GB on disk.
To choose a model with a specific size, also consider your GPU’s VRAM. For example, if you have a GPU with 8GB VRAM, Ollama can fully load and run a 7B model on your GPU, which results in excellent performance. On the other hand, if you want to run a 13B model on the same hardware, Ollama will only be able to load and run part of the model on your GPU. It then loads the rest of the model in your system RAM and runs those parts on your CPU, which is much slower. Without a supported GPU, Ollama loads the complete model in your system RAM and runs it on your CPU, which is the worst case. However, if you don’t mind waiting for a while on the LLM’s answers, this option is still a viable approach.

Licenses
Although many large language models you can download are described as “open source,” most of the well-known options come with restrictive licenses. For instance, Codestral is licensed under the Mistral AI Non-Production License [16], which means that you can only use this code LLM for research and testing purposes. And the Meta Llama 3 Community License Agreement [17] seems quite liberal at first glance, but you can’t use it to improve any other large language model. In contrast, Microsoft’s Phi-3 model family is licensed under the MIT license. Always consult a model’s license before using it for more than experimenting.

Running the First Model
Ollama provides an extensive model library [9] (Figure 1). A good general-purpose model to start with is the 8B version of Llama 3 [10], Meta’s newest LLM. If you click on the model’s page in Ollama’s model library, you’ll find more information about the model and its variants. Ollama offers it in its 8B and 70B sizes, with a base model and a variant fine-tuned for dialog. You will also find variants in various quantization levels, including compressed versions that will reduce size and memory usage at the detriment of precision.
For a first try, just run the default llama3 model, which is an 8B model with q4_0 quantization, fine-tuned for dialog:

ollama run llama3

The first time you run this command, Ollama downloads the model from the online model library, which can take a while. After this, it loads the model into your computer’s RAM or your GPU’s VRAM, with a preference for the GPU if you have a supported GPU. If you want to verify whether Ollama uses your GPU, run the nvidia-smi command, which should show that the ollama_llama_server process is using your GPU’s VRAM (Figure 2).

Figure 2: Ollama is using this GPU’s VRAM.

After a while, a prompt appears signaling that you can send your messages to the large language model. You can now start


a conversation with the model. When you’re finished, enter /bye to exit Ollama and unload the model. If, however, you think you might want to start again with the same model without unloading and reloading it, enter /clear. The /clear command clears the current session context, meaning that the model doesn’t remember the conversation you had until now.

Other Models
You can now start downloading and running other large language models the same way. An interesting option is LLaVA-Llama 3, based on LLaVA (Large Language and Vision Assistant) [11]. LLaVA-Llama is a so-called multimodal model that understands images. Download and run it as follows:

ollama run llava-llama3

When you want to ask something about an image, include the path to the image in your prompt:

>>> Describe this image: /home/koan/Pictures/image20231029_093210782.jpg

The model will describe what’s in the image, and you can ask follow-up questions.
Another interesting family of models is Phi-3 [12], created by Microsoft as a smaller but still high-quality alternative to bigger models. Phi-3 Mini has only 3.8 billion parameters and weighs 2.3GB, whereas Phi-3 Medium has 14 billion parameters and comes in a 7.9GB download. The medium model also has a version with a 128k window size, which means that you can feed it much longer documents. To download and run Phi-3, use

ollama run phi3:medium-128k

Now, if you have downloaded a couple of models this way, you can use the ollama list command to ask Ollama which models it has available locally (Figure 3).

Figure 3: Show all models you’ve downloaded.

Using Ollama with llm
If you have installed Simon Willison’s llm [13] command-line client for LLMs, which I covered in an earlier Linux Magazine article [14], you can also use it with Ollama’s local models. You just need to install the llm-ollama plugin [15]:

llm install llm-ollama

All models that you have downloaded with Ollama are also available for the llm command, as you can verify with llm models (Figure 4).

Figure 4: Thanks to the llm-ollama plugin, Ollama’s models are also available for the llm command.

For an example of llm at work, you can use Phi-3’s 128k window size version to summarize a longer article by piping its plain-text file to the llm command and specifying the model and a prompt with the request to summarize:

cat long-article.txt | llm -m phi3:medium-128k -s "Summarize this article"

If all goes well, you get a summary of the article. Maybe you need to experiment a bit with a couple of models. In my test, Llama 3 was much better than Phi-3 Medium in its summaries, even though the Phi-3 Medium has a bigger window size.

Installing Open WebUI
If you’re not fond of the command line, there’s a powerful web interface for Ollama called Open WebUI [18]. Even for command-line aficionados, Open WebUI

Figure 5: Open WebUI offers a web-based interface for Ollama.


has some advantages. The Open WebUI documentation [19] has a good overview of its features and how to use them.
The preferred installation method is as a Docker container. There is a container image with Ollama bundled, but if you’ve already installed Ollama on your computer, as in this article, you can install an Open WebUI container image that communicates with your existing Ollama instance.
First, you need the Ollama service to listen on all available network interfaces, so Open WebUI’s Docker container can reach it. Therefore, edit Ollama’s systemd service:

sudo systemctl edit ollama.service

Add the following lines:

[Service]
Environment="OLLAMA_HOST=0.0.0.0"

Then instruct systemd to reload its configuration files and restart Ollama’s service:

sudo systemctl daemon-reload
sudo systemctl restart ollama.service

You’re now ready to run the Open WebUI Docker container:

Figure 6: Llama 3 answers a question about large language models and their popularity.


docker run -d -p 3000:8080 --add-host=host.docker.internal:host-gateway -v open-webui:/app/backend/data --name open-webui --restart always ghcr.io/open-webui/open-webui:main

Then open the URL http://localhost:3000 in your web browser. You’re asked to sign in, but you don’t have an account yet, so click on Sign up. Enter your name, e-mail address, and password. Note that you don’t have to register with an online service: This is a local account for Open WebUI. After you’re logged in, you’re greeted by the release notes. Click on Okay, Let’s Go! to start.

Web Interface for your LLMs
Through Open WebUI, you now have a web interface to access Ollama’s large language models. It immediately gives you some suggestions for prompts (Figure 5). First select a model at the top, and then enter a question in the text field at the bottom. After pressing Enter, you get Ollama’s answer. If you don’t want to select a model every time, click on Set as default at the top to use the current model as the default.
The LLM’s answer (Figure 6) comes with options to edit, copy, or read the result aloud. You can also ask the LLM to continue the response if it’s too succinct or regenerate the response if you’re not satisfied. Another interesting addition becomes clear if you click on the microphone icon: you can then speak, and Open WebUI uses OpenAI’s Whisper [20] speech recognition model (running locally) to recognize what you say and put it in the text field. You can then optionally edit your question and send it to the LLM. Note that one of the icons under a response allows you to read the LLM’s response aloud, so you can actually have a completely spoken conversation with the LLM.
It’s best to start a new chat for every new topic you want to talk about, because a new chat starts a new session from scratch without any context of the preceding questions and responses. Just click on New Chat at the top left, optionally change the model, and start chatting. Note that it takes some time when you switch the model, because Ollama then needs to load the new model into your GPU’s VRAM.

Describing Documents and Images
You can also add a file to a conversation, and then ask to summarize the file or answer questions about it. Click on the plus sign next to the text field at the bottom, choose Upload Files, and select the file to upload. Or just drag the file into the text field, then ask your questions (Figure 7).
Note that the results highly depend on the model and the quality of the uploaded document. It also works best for plain-text or Markdown-formatted documents. For example, when I uploaded a PDF file with information about the voltage range of a microcontroller product, Open WebUI saw the ~ in 2.6~3.3V as a strikethrough character, so it interpreted all text until the next ~ as scrapped. So make sure to pre-process, convert, or verify files you upload before asking questions about them.
For a multimodal model such as LLaVA and its derivatives, the procedure is the same. Just drag an image to a chat in Open WebUI and start asking questions about it (Figure 8). However, keep in mind that you’ll have to take this chat with a grain of salt. Like any other large language model, a multimodal model has the tendency to invent stuff and give inaccurate results.

Figure 7: Upload a PDF document and interrogate the LLM about it.

Adding New Models in Open WebUI
Open WebUI also helps you with managing models. Just click on your user name at the bottom left, choose Admin Panel, click on Settings, and then on Models. The first thing you can do is update all models you’ve downloaded by clicking on the download icon next to Ollama’s URL. Downloading a new model from Ollama’s model zoo is as easy as entering the name in the text box below Pull a model from Ollama.com and clicking on the download icon at the right (Figure 9).
If you want to query a model about programming language tasks, try the granite-code:8b model from IBM. Open WebUI starts downloading the model (actually, Ollama is doing this in the background), and after a while, the model is accessible from a new chat. In my experience, downloading bigger models in Open WebUI (such as Mistral AI’s Codestral 22B model, which weighs 12GB) is error prone, with timeouts as a result. If this is the case, just running ollama pull followed by the name of the model on the command line is a more reliable alternative.


With a code LLM, Open WebUI even shows a Run button to run the code. Note that the code will run in the web browser, which probably doesn’t have all the required libraries. You can also copy the code and try it yourself on your computer. In some simple tests, the resulting code was usable, but not without having to remove some nonexisting or unneeded imports, fixing some syntax errors, and doing some other minor changes. Clicking a few times on Regenerate also helps to reach usable code, and you can also tell the LLM how to fix the code by giving instructions.
All in all, using a code LLM like this can be helpful to start with a proof-of-concept or a one-off script, but sometimes it feels like you’re teaching the LLM to code and pushing it in the right direction instead of the other way around. In my experiments, Granite Code 8B was too frustrating to work with and failed to write a working Bluetooth Low Energy scanning script in Python, while the 22B big Codestral was able to write it with a bit of help (Figure 10). Your mileage can vary. Bigger models are clearly better, but they require a GPU with more VRAM or more of your patience when waiting for output.

Figure 8: The multimodal model thinks my Norwegian Forest cat’s breed could be “Angry Cat,” among other actual breeds.

Figure 9: Downloading a new Ollama model in Open WebUI.

Troubleshooting
If you get an error message, have a look at Ollama’s logs with

journalctl -xe -u ollama


The domain of large language models and their software is evolving rapidly, and this can lead to some compatibility problems. For instance, sometimes a model requires new features that haven’t been implemented in Ollama or Open WebUI. Regularly upgrading both programs is therefore recommended. For Ollama, just rerun the installation command. For Open WebUI in the Docker container, pull the latest Docker image with docker pull ghcr.io/open-webui/open-webui:main, stop and remove the existing container with docker stop open-webui and docker rm open-webui, and create a new container with the updated image using the same docker run command as the one you started with.

Conclusion
Ollama and its web interface Open WebUI are helpful tools that let you experiment with large language models on a local system. You don’t need to depend on ChatGPT or other cloud-based LLMs and their restrictions. Just find a model that suits your purpose, download it, and run it on your own computer. However, the world of large language models is a fast evolving domain. You’ll need to experiment a lot and find the LLMs that suit your use cases. By the time this Linux Magazine issue reaches you, there might already be better LLMs than the ones used in this article. Have a look at the newest and most popular models in Ollama’s model library, and give the innovative Ollama a try.

Figure 10: With a bit of help, Codestral can write and explain Python code.

Author
Koen Vervloesem has been writing about Linux and open source, computer security, privacy, programming, artificial intelligence, and the Internet of Things for more than 20 years. You can find more on his website at koen.vervloesem.eu.

Info
[1] OpenAI: https://openai.com
[2] ChatGPT: https://chat.openai.com
[3] Ollama: https://www.ollama.com
[4] Llama: https://llama.meta.com
[5] AMD Radeon Drivers: https://www.amd.com/en/support/linux-drivers
[6] AMD ROCm: https://rocm.docs.amd.com
[7] CUDA Drivers: https://developer.nvidia.com/cuda-downloads
[8] ollama/ollama: https://hub.docker.com/r/ollama/ollama
[9] Model Library: https://ollama.com/library
[10] Llama 3: https://llama.meta.com/llama3/
[11] LLaVA: https://llava-vl.github.io/
[12] Phi-3: https://news.microsoft.com/source/features/ai/the-phi-3-small-language-models-with-big-potential/
[13] Simon Willison’s llm: https://llm.datasette.io
[14] “Accessing ChatGPT from the Desktop or the Linux Command Line” by Koen Vervloesem, Linux Magazine, issue 276, November 2023, https://www.linux-magazine.com/Issues/2023/276/ChatGPT-Clients
[15] llm-ollama plugin: https://github.com/taketwo/llm-ollama
[16] Mistral AI Non-Production License: https://mistral.ai/news/mistral-ai-non-production-license-mnpl/
[17] Meta Llama 3 Community License Agreement: https://llama.meta.com/llama3/license/
[18] Open WebUI: https://github.com/open-webui/open-webui
[19] Open WebUI Documentation: https://docs.openwebui.com
[20] Whisper: https://github.com/openai/whisper



REVIEW
bauh

The bauh package manager

All-Rounder
The bauh package manager provides a single interface to manage all of your Linux software. Despite a few issues, bauh goes a long way in simplifying package management. By Bruce Byfield

Ever since package managers added automatic dependency resolution, installing software in Linux has been easy. The greatest difficulties arose from attempts to use different package formats, such as Debian’s Alien. These attempts were never fully successful and were widely ignored. However, with the popularity of universal formats such as AppImage, Snap, Flatpak, and web applications, package management has become more complex, with each format using its own commands for administration. Formerly known as fpakman, bauh [1] is designed to simplify package management by using a single interface for all formats. In addition, bauh is one of the easiest interfaces available for package management either on the desktop or at the command line, despite the fact that some of the interface’s details need to be improved.
Currently at release 0.10.7, bauh has far to go before general release. As I write, it supports Arch, AppImage, Snap, Flatpak, and native web applications, covering the most popular formats, but likely others will be added as development continues. Also, for some reason, the top half of package release numbers are obscured in bauh’s tables, but other columns are perfectly legible (Figure 1). In addition, a few of the buttons on the right side of the main window seem redundant (possibly to accommodate varying user preferences) while, in an effort to avoid jargon, the functions of some fields are obscure. Fortunately, though, such problems do not stop bauh from being already functional. Package installation and removal are already implemented. In addition, bauh can also use Timeshift for backup before making changes and can be installed in the system tray. Bauh already supports custom themes. Written in Qt, bauh supports all these features with a responsiveness that makes it usable even in the early release stage.

Installing and Configuring bauh
You can install bauh for an individual account or for the entire system. It has yet to be included in the repositories of most distributions. However, bauh’s GitHub page [2] includes detailed installation instructions for Arch Linux, Debian, and Ubuntu directly, and for Python 3’s pip installer. Judging by the extra actions listed on the project page for each distribution, the Arch version appears to be the most advanced. But considering the dozen required and the dozen optional dependencies, the easiest way to install bauh is with AppImage, although you may need to uninstall AppImageLauncher first.
After the basic installation, bauh can be customized by editing the configuration file for either the system or the current account (Figure 2). Several other options are detailed on the GitHub page:
• Each packaging format can be set to not display.
• The priority for each source can be changed. These sources depend on the distribution.
• Custom themes can be created.
• Icons can be added to the system tray.
Some of these customizations are also available as command-line options (see below). Users may find the default

Photo by Curology on Unsplash

24 OCTOBER 2024 ISSUE 287 LINUX-MAGAZINE.COM


REVIEW
bauh

Figure 1: Bauh’s interface has a few problems, but they do not affect functionality.

options satisfactory, especially in their first explorations of bauh. If you decide to keep bauh, you can upgrade from the user interface.

Post-Installation Orientation and Setup
The first time bauh runs, it takes a few seconds to initialize. During this process, it collects and categorizes all the packages installed on the system and displays its findings in the main window. The default display shows the packages with available updates, but it can be filtered at the top left of the window in several other ways, such as by apps, category, or package type. A search field and a Refresh button are also available. On the bottom right, you’ll find a variety of buttons which are not arranged in any obvious order (from left to right, they are Suggestions, Themes, History, Settings, and Credits).

Before you begin using bauh, you may want to do some configuration, although it is ready to use with the defaults. Suggestions provides mostly websites for creating web applications, but it also includes games, emulators, and a few standard multimedia apps ranging from Audacity to Krita – a total of 53 overall. Settings is more practical. From its tabs, you can set the types of packages that your bauh instance supports, as well as its general behavior, such as whether the system should reboot after each installation, the scale of the interface, or how bauh behaves when installed to the system tray.

There is also a separate tab for how each package type behaves, although settings are sometimes labeled obscurely. For instance, the tab for Debian packages has settings whose exact meaning is sometimes poorly labeled:
• Software settings set by default to Auto, which is not defined but probably means those listed in /etc/app
• An option for complete removal of software (i.e., Apt’s purge option) set to No
• The time between synchronization of the local system with repositories (judging from the configuration file, probably in seconds)
• App cache expiration, presumably for bauh itself and in seconds
• Suggestions expiration, presumably in seconds
The settings do have help icons, but because online help is not implemented, they are only a promise of future explanations. For now, some of the settings should probably be done manually rather than automatically.

Working with Packages in bauh
After so much configuration, working with packages in bauh is straightforward. Because bauh uses intelligent defaults, it is ready to use immediately. Whether in the main or Suggestions window, installing or uninstalling is as simple as selecting a package and then clicking the Install or Uninstall button on the right (Figure 3). If you are uncertain what an installed package does – which is perfectly possible, considering that a Linux system may have several thousand packages – you can click

Figure 2: Bauh’s configuration file, showing the default values.


one button to view it or another button to read a technical summary (Figure 4). Usefully, still another button lets you ignore updates for a package, read a history if it is a Flatpak package, or remove it completely if it is a Debian package. Packages can be installed for the system or a single account, but as an added security measure, even installation for a single account requires a password.

Ordinarily, bauh can run without options, relying on automatic settings if you choose. However, from the command line or a desktop icon, bauh can be run with selected features. You might want to add --logs the first few times you run bauh and are still discovering your preferences or --tray to try running it from the system tray. Also, you can run only portions of bauh, with the self-explanatory --settings or --suggestions options, while --reset removes all configuration options and cached data. With --offline, you can do some operations such as removing a package without an Internet connection.

Future Development
With support for Arch, Debian, and universal packages, bauh is off to a good start. However, the lack of support for RPM packages seems an oversight. Currently, the ability to downgrade and to record a history of operations are mentioned on the project page, but these options are not implemented for all package types. Perhaps most importantly, developers are increasingly using additional installation methods for developing applications such as Git, Homebrew, and pip. As bauh moves nearer to its general release, some of Apt’s features might also benefit users.

However, this wish list is overly impatient. Even with its present half-finished interface, bauh goes a long way toward re-simplifying package management. For that alone, bauh is a welcome addition to a modern Linux distribution.

Figure 3: Installing a package.

Info
[1] bauh: https://github.com/vinifmor/bauh?tab=readme-ov-file
[2] GitHub: https://github.com/vinifmor/bauh?tab=readme-ov-file#installation

Author
Bruce Byfield is a computer journalist and a freelance writer and editor specializing in free and open source software. In addition to his writing projects, he also teaches live and e-learning courses. In his spare time, Bruce writes about Northwest Coast art (https://brucebyfield.wordpress.com). He is also co-founder of Prentice Pieces, a blog about writing and fantasy at https://prenticepieces.com/.

Figure 4: A detailed summary of each package is available in bauh.



REVIEW
SysLinuxOS

Linux for sys admins

First Aid
SysLinuxOS puts an end to searching for the right tools for admin tasks. By Erik Bärwaldt

Lead Image © Kritiya Sumpun, 123RF.com

For many admins, Linux is the operating system of choice when it comes to tools for system management, monitoring, data recovery, and rebuilding complete systems. But conventional distributions have limits in this respect, because they typically only come with a few of the required tools. For admins, this means laboriously compiling a toolkit yourself. SysLinuxOS [1], based on Debian 12 “Bookworm,” steps into the breach providing a sys admin toolkit.

Strategy
SysLinuxOS v12.3, released in early 2024, comes as a hybrid Live system that can be set to boot from various removable media. The project currently offers two ISO images on its homepage: A 5.1GB version uses the lean MATE desktop, while a second 3.6GB version uses Gnome as its desktop environment. Both versions only run on 64-bit computers.

In addition to numerous standard applications such as LibreOffice, Gimp, and Firefox, the system comes with a variety of smaller, desktop-specific applications and an impressive collection of system administration tools, including both graphical and command-line tools. Instead of targeting a specific application scenario, SysLinuxOS’s developers bundle a wide variety of tools for virtually any admin task you can imagine.

In testing, the Gnome variant refused to launch in various environments. An error reading sector message briefly flashed in the GRUB boot menu on both virtual machines (VMware, VirtualBox) and when stored on a DVD.

First Launch
After starting SysLinuxOS, you are first taken to a conventional GRUB boot menu that only offers a Live option. However, you can install via the Live system. After a short wait, a login screen opens, and you can log in as admin with a password of root.

The graphical desktop environment then opens (Figure 1). The developers have already integrated a large number of monitoring apps, which tends to make the desktop a little cluttered. Despite this, the many, constantly


Figure 1: The eye-catching SysLinuxOS desktop requires a full HD resolution.

changing status displays makes for a genuinely eye-catching user interface. The interface is optimized for a minimum resolution of 1920x1080 pixels. As a result, the individual status displays partly overlap at lower resolutions.

Interface
In addition to a conventional panel bar at the top of the screen, the MATE desktop offers a Plank dock bar at the bottom for launching more applications. The panel bar also comes with several applets including some that display data transfers on the network, as well as various small status displays for CPU and RAM utilization in near real time.

Conky, a well-known system monitor, is also onboard to keep you up to date with the most important system statuses.

Figure 2: SysLinuxOS also comes with lesser-known applications, such as the sparrow-wifi analyzer.


Conky runs two instances: the conventional vertical status bar on the right-hand side of the screen and several graphical displays at the center. There are also some icons at the top that give you direct access to the corresponding directories on the local system and remote servers.

Software
The Live system’s software features are impressive. In addition to typical standard applications, it comes with many smaller applications and tools. SysLinuxOS includes a very extensive selection of software, especially for using the Internet.

Besides Firefox and Google Chrome, Microsoft Edge and the Tor Browser are also integrated as web browsers. Tor is actually downloaded from the Internet via a script and integrated into the system the first time you call it.

Thunderbird is the email client and personal information manager (PIM) application, and the developers have also added clients for various communication platforms, including Skype, Zoom, WhatsApp, and Telegram in the Internet submenu. The Cisco Webex [2] collaborative client is also available.

The Networking submenu offers an impressive selection of software. In addition to free tools such as EtherApe, Ettercap, FileZilla, htop, Wireshark, and Remmina, you’ll also find Oracle’s VirtualBox 7.0, AnyDesk 6.3, and the TeamViewer 15.49.2 client. There are also other, less well-known free applications such as the sparrow-wifi analyzer (Figure 2) or LinSSID for monitoring data transfer rates on wireless networks.

In the Accessories submenu, you will find balenaEtcher and Raspberry Pi Imager for creating bootable removable media. The Wine Windows runtime environment is also fully configured, plus there are two graphical front ends for configuring the firewall.

If you look in the System Tools submenu, you will find BleachBit, a graphical program for freeing up storage space on mass storage devices; the GParted partitioner; Stacer for system monitoring; and CPU-X for identifying various hardware components.

Installation
To install SysLinuxOS, you need to select the Install SysLinuxOS option in the System Tools submenu. After entering the password, you are taken to the Calamares graphical installer, which installs the Debian derivative on your mass storage device in just a few steps (Figure 3).

After the installation and a reboot, you are taken back to a conventional GRUB boot menu. Unfortunately, SysLinuxOS’s GRUB boot manager does not automatically find any other operating systems you have installed, which means that you will need to manually configure the corresponding entries. After installing, it makes sense to create a complete backup of all operating systems already installed on the computer to prevent accidental data deletion and loss.

The installed instance has the same software inventory as the Live system.

Package Management
Like Debian, SysLinuxOS uses APT and DEB packages, but comes without an additional app store. Instead, the system integrates the Synaptic GUI front end enabling the convenient installation of additional packages and programs with just a few mouse clicks. Synaptic also makes it easier to update the system. The package sources also include various repositories by

Figure 3: Calamares installs SysLinuxOS on the computer with just a few clicks.
Figure 4: The SysLinuxOS package manager also integrates third-party repositories.


third-party providers such as Skype, Google, Docker, and Microsoft (Figure 4), which are enabled by default. This gives you access to more than 65,000 packages.

Virtualization
By default, SysLinuxOS already comes with the Docker container environment and the associated Docker Compose tool, which considerably simplifies the development, distribution, and management of applications in containers.

The distribution relies on VirtualBox 7.0 and the VMware Player as its virtualization solution. These tools can be found in the Networking submenu. However, many admins are likely to miss the free virtualization team of KVM/Qemu, which offers a more resource-efficient and flexible approach than the partly proprietary alternatives. Luckily, you can install the missing packages at any time using Synaptic.

Missing
Preinstalled tools for backing up data and restoring deleted data are thin on the ground. Although SysLinuxOS does come with Timeshift for creating snapshots of an entire system, important applications for data reconstruction such as PhotoRec and TestDisk are missing. Although they can be installed from the software archives, it would be preferable for the operating system to include these programs, given their importance. There is also a gap when it comes to solutions to support trouble-free data backup to the cloud and corresponding data reconstruction tools.

Currently, a backlog in terms of software archive management exists. The developers only implement the desktop-specific front ends for this use case, including the associated back ends. Professional applications such as PeaZip would further enhance the entire system.

Conclusions
Thanks to its impressive collection of preinstalled software, SysLinuxOS is a useful tool for system administrators, although the choice of software does seem a little inconsistent at times. Whereas the system comes with three modern web browsers, two firewalls, and several terminal applications, it lacks tools for data recovery, cloud backup, and professional data archiving. Adding these solutions would make SysLinuxOS significantly more useful without too much overhead.

Info
[1] SysLinuxOS: https://syslinuxos.com
[2] Cisco Webex: https://www.webex.com

Author
Erik Bärwaldt is a self-employed IT admin and technical author living in the United Kingdom. He writes for several IT magazines.

REVIEW
Ubuntu MATE 24.04

Exploring Ubuntu MATE 24.04 LTS

Keeping It Simple
Ubuntu MATE is an intriguing option for users who want the steady predictability of Ubuntu without the complexity and feature-bloat of modern-day Gnome or KDE. By Daniel LaSalle

Lead Image © dirk ercken, 123RF.com

The Ubuntu project supports a constellation of different editions or flavors that are all built on the Ubuntu codebase. Kubuntu (Ubuntu with KDE), Lubuntu (Ubuntu with LXQt), and Xubuntu (Ubuntu with Xfce) are all popular alternatives to the default Gnome-based configuration. If you’re looking to combine the power and reliability of Ubuntu with a simple and intuitive desktop environment, Ubuntu MATE [1] might offer the best of both worlds.

The MATE (pronounced ma-tay) project was started in 2011 by developers who disagreed with the direction of the Gnome desktop at the time of the Gnome 3 release [2]. They argued that new Gnome Shell was unnecessarily complicated, and they wanted to continue with the Gnome environment they had grown accustomed to with Gnome 2. The developers forked the Gnome 2 code to launch the MATE project. Since then, the MATE desktop has found a stable place in the Linux desktop pantheon. Originally launched by the Arch Linux community, today MATE is often associated with Linux Mint, where it is one of the headline desktop options.

It didn’t take long for the Ubuntu community to show an interest in the MATE desktop. Ubuntu MATE launched in 2014, and by 2015, it had gained official Ubuntu flavor status. (See the box entitled “The Leader” for a brief profile of Ubuntu MATE project leader Martin “Wimpy” Wimpress.) I first learned about Ubuntu MATE at a local Linux Meetup [3] in 2016. My first impression was that the project looked like solid work, and the team was well organized with an impressive level of maturity and organizational

The Leader
The Ubuntu MATE project leader, Martin Wimpress [4] (aka Wimpy), is a family man and a full-time geek who sometimes finds the time to work on other cool projects. For instance, he developed his own retro arcade game called Antsy Alien Attack Pico [5] that took second place at the Linux Game Jam 2023 [6]. Wimpy is also invested in podcasting, streaming, and various other endeavors. In 2014, Wimpy and Ubuntu MATE-cofounder Alan Pope had the brilliant idea to remix the then Unity-based Ubuntu platform into a new spin-off based on the MATE desktop environment [7]. As of May 2024, the Ubuntu MATE project’s Patreon page [8] had over 300 registered members and was bringing in close to $500 per month in memberships.

Figure 1: After installation, 16GB out of the originally reserved 27GB were still available.


structure considering the length of its existence.

Installing Ubuntu MATE 24.04 LTS “Noble Numbat” took only a couple of minutes on my modern system. As a new feature, I could choose between performing either a minimal or a complete installation. The ISO file weighed in at 4.2GB, and once fully installed on my family computer, the total disk space used was 9.2GB (Figure 1).

Veteran users might mourn the loss of Ubiquity, the former installation wizard. However, the new Ubuntu Desktop Bootstrap installer features better response times and also greatly simplifies the user interface with a lighter and fresher experience. The Ubuntu Desktop Bootstrap installer process has ten installation steps compared to Ubiquity’s six steps. As usual, the first step is choosing the language, followed by the accessibility settings (Figure 2).

The next steps will allow you to configure the keyboard layout, connect to the Internet, and then let you choose an interactive or an automated installation. The newly added automated installation feature will allow configurations to be sourced from an external YAML file.

The other noticeable change is in step 6, where you have the choice between a minimal or full installation. A minimal installation notably does not include LibreOffice, Thunderbird, and Celluloid. The remaining four steps cover the topics of proprietary software, account creation, time-zone selection, and lastly final review before moving forward in applying the requested changes.

The MATE window manager’s long lineage can be seen in several tools ported from the fabled Gnome era (Figure 3). One that has the most history behind it is Caja, a file editor based on the work of the legendary Nautilus project. Ubuntu MATE also contains several MATE-related projects such as MATE Calculator, MATE Terminator, Eye of MATE, and the MATE system suite (Monitor, Disk Usage, Image Mount, and Terminal). The Control Center will also be familiar to many users (Figure 4). The included MATE desktop release is version 1.26.2. Ubuntu MATE completes its software lineup with the Pluma text editor, the Atril PDF viewer, the Engrampa archive manager, the Celluloid video player, and Gnome Snapshot as the webcam.

In the standard release notes [10], you’ll find the regular bug fixes and minor improvements to the usual components. One of the biggest internal changes is the renaming of Software Boutique to

Newest Brew
Ubuntu MATE 24.04 Noble Numbat is based around the holy trinity of Firefox 125, LibreOffice 24.2.2, and Evolution 3.52. It also relies on kernel 6.8 and it solves the year 2038 problem [9]. For the first time ever, Ubuntu MATE 24.04 will not include any games because Ubuntu developers have decided to stop bundling them in.

Figure 2: No matter what your setting requirements or preferences, Ubuntu MATE has you covered.
Figure 3: The high level of maturity provided by Ubuntu MATE’s Gnome heritage is reflected in the numerous ported software that is still relevant today.
Figure 4: The MATE Control Center.


App Center (Figure 5). The App Center is quite simple to use, making it easy for both newcomers and veterans to quickly become comfortable managing all of their software needs. Finally, Gnome Firmware replaces Firmware Updater.

Because Canonical is committed to Ubuntu, users can expect continuous improvement and development. Consequently, Ubuntu MATE 24.04 LTS offers five years of support, until June 2029. Canonical provides up to 10 years of Expanded Security Maintenance (ESM) for the full stack and 12 years of security fixes through its Ubuntu Pro program [11], which is free for personal use with up to five systems.

Got Tweaks?
With MATE Tweak [12], you can customize the panel interface to resemble your accustomed workflow. You can choose from seven layouts, including the default Familiar (offering the rustic feel of Ubuntu MATE), Cupertino (featuring a dock and menubar familiar to macOS users), Mutiny (a lightweight alternative familiar to Ubuntu Unity users), Redmond (familiar to Windows users), and Traditional (the original Gnome 2 menu layout as shown in Figure 6).

MATE Tweak also lets you easily switch between window managers that support (or don’t support) compositing. While Ubuntu MATE 24.04 LTS only ships with the Marco window manager installed, you can install Compiz and set it as the default.

Ubuntu MATE Live
The easiest way to try Ubuntu MATE is to deploy it via Live mode on your system. This way you can try a few scenarios before committing to it as your operating system of choice. Running Ubuntu MATE in Live mode mostly depends on the amount of RAM your system has alongside its CPU and GPU.

You can also use the Ubuntu Mate Live session mode as a recovery system. You will be able to run some low-level tools or install whatever you might need and keep your system running for solid recovery periods. In that respect, it has replaced Knoppix in my toolbox.

Perhaps the most useful feature of the Live option is the ability to simply carry it around with you perhaps via a Ventoy [13] deployment as a bootable USB drive. You could then try testing it on the fly when shopping for a new system or use it as a demo for friends and family.

Conclusion
The greatest thing about Ubuntu MATE is that it elegantly bridges accessibility and robustness. By pressing a few keys, it can

Figure 5: The totally revamped and visually appealing App Center offers a curated software collection.


navigate into a fast and no-fuss work environment, making it a great choice for students and professionals alike. In fact, it is so accessible that it even installed my LAN printer without me doing any work.

Of course nothing is perfect. If you are upgrading from Ubuntu MATE 23.10, version 24.04 might break your system [14]. While writing this article, I was only able to correctly upgrade one system (out of two) from version 23.10 to version 24.04. There have also been other issues with the upgrade [15]. However, these issues may be resolved by the time you read this article.

Ubuntu MATE is about more than just good looks. Unlike many of its predecessors, Ubuntu MATE keeps pushing towards innovation and humanity, improving their game with each new release while keeping their project clean, structured, and friendly. Ubuntu MATE 24.04 delivers an impeccable end-user experience while being modern, simple, and resource friendly, so much so that it is a serious contender for reinvigorating any old machine that is gathering dust or for anyone having lost all hope using computers.

While most new distributions will not stand the test of time, Ubuntu MATE celebrates its 10th anniversary in 2024, a testimony to Martin Wimpress’s work.

Info
[1] Ubuntu MATE: https://ubuntu-mate.org
[2] “Canonical Ubuntu Splits From GNOME Over Design Issues” by Joab Jackson, PCWorld, October 25, 2010, https://www.pcworld.com/article/504223/article-3057.html
[3] Quebec Linux Meetup: https://rencontres-linux.quebec/
[4] Martin Wimpress: https://wimpysworld.com/
[5] Antsy Alien Attack: https://github.com/wimpysworld/antsy-alien-attack
[6] Linux Game Jam: https://itch.io/jam/linux-game-jam2023/results
[7] MATE Desktop Environment: https://mate-desktop.org/
[8] Ubuntu Mate Patreon page: https://www.patreon.com/ubuntu_mate
[9] Year 2038 problem: https://en.wikipedia.org/wiki/Year_2038_problem
[10] Ubuntu MATE 24.04 LTS Release Notes: https://ubuntu-mate.org/blog/ubuntu-mate-noble-numbat-release-notes/
[11] Extended support for Ubuntu Pro customers: https://canonical.com/blog/canonical-expands-long-term-support-to-12-years-starting-with-ubuntu-14-04-lts
[12] MATE Tweak: https://ubuntu-mate.org/features/panel/
[13] Ventoy: https://www.ventoy.net/
[14] “Ubuntu 24.04 Comes with a ‘Flaw’” by Jack Wallen, Linux Magazine, April 29, 2024, https://www.linux-magazine.com/Online/News/Ubuntu-24.04-Comes-with-a-Flaw
[15] Additional issues: https://ubuntu-mate.community/t/please-report-bugs/27974

Author
Daniel LaSalle was introduced to the command prompt while in 5th grade, but his addiction to technology spans over 30 years. In the past decade he’s been using Linux every day and freelancing as an infrastructure specialist. https://www.linkedin.com/in/daniellasalle/

Figure 6: Back when Gnome 2 was still king, people lived in a Traditional user interface world.



IN-DEPTH
LXD-UI

Container management made easier with LXD-UI

Control Your
Containers
LXC, a command-line manager for Linux containers, is quite tricky to use. Enter the LXD-UI
web interface to make life easier. By Martin Mohr

Photo by Fabian Quintero on Unsplash

Linux Containers (LXC) is an operating-system-level virtualization method that uses containers that run in isolation from each other on a Linux system. The system that provides the containers is referred to as the host, and the systems operating in the containers are known as guests. All guests use the host’s kernel, which makes LXC very efficient. However, only systems that work with the same kernel can be virtualized in this way. For example, you cannot start Windows in LXC. LXC is managed entirely at the command line.

The LXD container manager was developed to help admins handle LXC’s complexity. LXD is based on the LXC components and extends them to include simple tools for administration, as well as tools for the command line. LXD-UI [1], an easy-to-use graphical web front end [2], lets you quickly and easily set up and manage LXC. Additionally, LXD-UI helps you to configure the entire LXD system, including virtual networks, storage pools, and default container settings. The bottom line is that LXD-UI considerably simplifies tasks related to Linux containers.

Installation
Installing LXD including the web user interface (UI) entails some unexpected pitfalls on various computers. Interestingly, the software ran perfectly smoothly on Ubuntu Desktop 22.04.3. First, I’ll look at how to install LXD on a Strato V-Server [3]. I will then check out the installation on local hardware with an Ubuntu 22.04.3 server as the operating system.

To ensure a clean slate for the process, I first used Strato’s web interface to reinstall the V-Server with Ubuntu 22.04. After the install, I used SSH to open a connection to the server.

By default, Strato servers define far too low a number of tasks in their system configurations. To change this, you need to uncomment the DefaultTasksMax parameter in the /etc/systemd/system.conf file, setting it to a value of 16547 (DefaultTasksMax=16547). After saving the changes, reload the service by typing

sudo systemctl daemon-reload

Without this change, you will generally not be happy with your V-Server.

Use the commands from Listing 1 to set up LXD as a Snap image on the server. Once the installation is complete, you can access the web GUI via the URL https://<Host>:8443/. Because the HTTPS connection is opened with a self-created certificate, you need to accept the security warning from the browser before the web GUI splash page appears (Figure 1).

Listing 1: LXD on a Strato V-Server

#### Update system
# apt update
# apt upgrade
#### Install Snap
# apt install snapd
#### Install LXD
# snap install lxd --channel=latest/stable
#### Enable GUI
# snap set lxd ui.enable=true
#### Restart LXD
# snap restart --reload lxd
#### Set HTTPS port for GUI
# lxc config set core.https_address :8443
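The DefaultTasksMax edit is easy to get wrong by hand: the stock line is commented out, and a second active assignment lower in [Manager] would silently override the first. The following Python is an added example, not code from the article or from the LXD project; it rewrites the system.conf text idempotently and reports the value systemd would actually use. The sample configuration is constructed, and the /etc/systemd/system.conf default path is assumed.

```python
"""Set DefaultTasksMax in a systemd system.conf (added example, not from the
article or the LXD project).  Mirrors the manual edit described for the
Strato V-Server: uncomment DefaultTasksMax in /etc/systemd/system.conf, set
it to 16547, then run 'sudo systemctl daemon-reload'."""
import re
import sys

KEY = "DefaultTasksMax"
SECTION = "[Manager]"   # system.conf settings live in the [Manager] section
# Matches an active or commented-out assignment of the key ('#' or ';' comments).
_KEY_RE = re.compile(r"^\s*[#;]?\s*" + KEY + r"\s*=")


def set_default_tasks_max(conf_text: str, value: int = 16547) -> str:
    """Return conf_text with exactly one active 'DefaultTasksMax=<value>' line.

    A commented-out line is replaced in place (so the file keeps its shape),
    an active line gets the new value, later duplicates are dropped (systemd
    would let the last one win), and a missing key or missing [Manager]
    section is appended.  Calling this twice yields the same text.
    """
    out = []
    done = False
    in_manager = False
    manager_seen = False
    for line in conf_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            if in_manager and not done:      # leaving [Manager] without a hit
                out.append(f"{KEY}={value}")
                done = True
            in_manager = stripped == SECTION
            manager_seen = manager_seen or in_manager
            out.append(line)
        elif in_manager and _KEY_RE.match(line):
            if not done:
                out.append(f"{KEY}={value}")
                done = True
            # any further assignment, active or commented, is dropped
        else:
            out.append(line)
    if not done:
        if not manager_seen:
            out.append(SECTION)
        out.append(f"{KEY}={value}")
    return "\n".join(out) + "\n"


def effective_default_tasks_max(conf_text: str):
    """Return the value systemd would take from this file: the last active
    assignment in [Manager], as an int (or the raw string for values such as
    '15%' or 'infinity'), or None when nothing is set."""
    in_manager = False
    value = None
    for line in conf_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_manager = stripped == SECTION
            continue
        if in_manager and not stripped.startswith(("#", ";")):
            key, sep, val = stripped.partition("=")
            if sep and key.strip() == KEY:
                val = val.strip()
                value = int(val) if val.isdigit() else val
    return value


def apply_to_file(path: str = "/etc/systemd/system.conf", value: int = 16547) -> bool:
    """Rewrite the file in place (needs root); True when the file changed.
    Follow up with 'sudo systemctl daemon-reload' for the change to take effect."""
    with open(path, encoding="utf-8") as fh:
        before = fh.read()
    after = set_default_tasks_max(before, value)
    if after == before:
        return False
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(after)
    return True


# Constructed sample in the shape of a stock system.conf: the key is present
# but commented out, which is the situation the article describes.
SAMPLE_CONF = """\
#  This file is part of systemd.
# See systemd-system.conf(5) for details.

[Manager]
#LogLevel=info
#DefaultTimeoutStartSec=90s
#DefaultTasksMax=15%
#DefaultLimitNOFILE=1024:524288
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print("changed" if apply_to_file(sys.argv[1]) else "already set")
    else:
        print(set_default_tasks_max(SAMPLE_CONF), end="")
```

After the daemon-reload, `systemctl show -p DefaultTasksMax` confirms the value the running manager picked up.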


Getting Started
Once you have reached the interface, first create a new certificate to secure the connection in the future. Then follow the installation instructions on the website including the following command, among other things:

$ lxc config trust add Downloads/lxd-ui.crt

You need to make sure that the hostname is included in the certificate name; in other words, you cannot simply copy and paste the command from the instructions. After installing the certificate in the web browser and on the server, the two will be able to communicate securely in the future. Only browsers whose certificate matches that of the server can now access the GUI.

Click on Create instance to create the first container (Figure 2). Assign a name and then select an image in Browse images (Figure 3). For the container to run, you will need to assign resources to it. To do this, click on Advanced | Disk device and select the default pool. Assign the desired disk space to the container and specify the RAM and the number of CPU cores in Advanced | Resource limits.

Click on Create and Start to set up and start the container. You can now connect to the container via Instances | <Container name> | Terminal and work on it (Figure 4).

When creating containers, the graphical LXD front end relies on various profiles whose default values you can define in Profiles. This saves a huge amount of work, because you no longer have to type in so much information when creating a container.

Network Connection
The newly created container does not currently have a network connection. To set this up, you first need to create a new network. Normally this happens automatically during the LXD

Figure 1: To ensure secure communication, first generate a certificate for the server and web browser.
Figure 2: Click on Create instance to launch the dialog for creating a container.
Figure 3: LXD offers a large selection of installable images.




Figure 4: Once created, a few clicks are all it takes to log in to the new system in a terminal window.

install, but it did not seem to work in testing with the Strato server. This could be due to the fact that the V-Server itself already has a virtual network interface.
To create a new virtual network for the containers, go to Networks | Create (Figure 5). Enter the following parameters and create a network:
• Type: Bridge (standard)
• Name: lxdbr0
• IPv4 Address: 10.9.173.1/24
• IPv6 Address: fd42:7b3f:d2be:70c::1/64
To assign the network to the container, stop the container, switch to Instances | <Container name> | Configuration | Advanced | Network devices in the settings and assign the network to an interface (Figure 6). Then restart the container.

Figure 5: To add a network connection to the container, you first need to create a virtual network.

In the current state, only the containers on the virtual network can communicate with each other; there is no access to the Internet. To connect the containers via network address translation (NAT), you need an additional firewall rule on the host system (Listing 2, line 1). To make a container’s port on the host’s IP address accessible from outside, you first need to set up port forwarding on the host (Listing 2, line 2). To check whether the rules work as desired, use the command from line 3 of Listing 2. Please note that the system deletes the firewall rules during a reboot. To avoid this, you will need to set the firewall rules permanently.

Listing 2: Iptables Rules
01 # iptables -t nat -A POSTROUTING -o venet0 -j MASQUERADE
02 # iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination <Container-IP>:80
03 # iptables -t nat -L -v -n

Local System
The hardware used in the test was a slightly older Raspberry Pi with 8GB RAM. In principle, though, the hardware is not particularly important; just make sure that you do not immediately run into resource bottlenecks.
I used Ubuntu 22.04.3 Server [4] as the operating system on my host. The installation already includes LXD, but it is an outdated version without the web GUI. Your only option is to delete the existing LXD and install the latest release. At the time of testing, this was version 5.19 from the Snap Store (Listing 3).



Listing 3: Install New LXD
#### Uninstall previous LXD version
$ sudo snap remove lxd
#### Install New LXD version
$ sudo snap install lxd --channel=latest/stable
#### Enable GUI
$ sudo snap set lxd ui.enable=true
#### Restart LXD
$ sudo snap restart --reload lxd
#### Set HTTPS port for GUI
$ sudo lxc config set core.https_address :8443

Like on the V-Server, the first step is to install the certificate for the web GUI. I noticed that the default values are stored in the profile and that containers can be created directly without additional parameters for RAM and CPU. The network bridge created manually on the V-Server also already exists. Last but not least, a firewall rule is enabled to regulate the containers’ access to the Internet.

Figure 6: To use the network, it must be assigned to an interface.

Conclusions
Once the LXD environment is set up, an LXC container can be created and managed with just a few clicks using LXD-UI. The setup will look slightly different depending on the system despite using an identical Snap package. It is also interesting that the V-Server in particular requires so many additional steps until everything runs smoothly. All told, LXD-UI offers a good starting point for anyone who wants to come to grips with Linux containers. You can create containers in next to no time without having to deal with what can be quite complex LXC commands.

Info
[1] LXD-UI: https://github.com/canonical/lxd-ui
[2] Canonical blog on LXD-UI: https://ubuntu.com/blog/lxd_ui
[3] Strato V-Server [in German]: https://www.strato.de/server/linux-vserver/
[4] Ubuntu server download: https://ubuntu.com/download/server

Author
Martin Mohr has experienced the complete development of modern computer technology in real time. After completing his studies, he has mainly developed Java applications. The Raspberry Pi has rekindled his old love of electronics.




IN-DEPTH
Command Line – electerm

Rethinking basic functions

electerm
The modern electerm combines terminal, file manager, and remote connection functions into a
single app. By Bruce Byfield

Lead Image © Oleksiy Mark, 123RF.com

Figure 1: Electerm’s command line.

Linux is in an era of revisionism. Functionality that has been part of Linux from the start – such as virtual terminals, file managers, and commands like ls and cd – is being rethought to take advantage of modern hardware and better fit modern needs and expectations. These revisions vary wildly in quality. On the one hand, some are eccentrically engineered, such as one terminal that replaces man pages with AI queries. On the other hand, experiments such as electerm [1] merge terminals, file managers, and remote connections into a single app with versions for Docker and the web. Although few of electerm’s functions are new, merging these functions into a convenient single app is such a logical move that electerm seems likely someday to dethrone such classic apps as Miguel de Icaza’s 30-year-old Midnight Commander.
Electerm is too new to be found in distro repositories. However, the project’s GitHub page offers DEB, RPM, ARM64, ARM Beta, Snap, ArchImage, and tarball packages, as well as macOS and Windows 10-11 versions. Electerm installs ready to use, but you can use the Setting icon in the sidebar on the left to




customize shortcut keys, bookmarks to open on startup, terminal scrollback, background image, a limited selection of fonts, and password encryption. By default, electerm opens in a white on black theme, but you can choose from 32 predefined themes via the Terminal themes icon, as well as define your own theme. You can also add your own bookmarks via the New bookmark icon, not only to files and directories, but also network locations.

Starting electerm
Without options, the electerm command works with the local system. However, options can also make an external connection, making it act as an SSH, Telnet, RDP, or VNC server, or connecting via serial port. Used as an SSH server, the command is electerm ADDRESS or electerm PORT. Other protocols must be specified so that the command for Telnet would start with

electerm -tp "telnet" -opts

Under the -opts option, the host, port, user, passphrase, or password are entered. For example:

electerm -tp "vnc" -opts '{"host":"192.168.1.1","port":3389,"username":"root","password":"123456"}'

In addition, temporary environmental variables can be set with

--set-env VARIABLES

From an already running instance, these commands can be opened in a new tab with -T NAME. Commonly used command sequences can be stored in a CSV file and loaded with

electerm -bo "/FULL-PATH"

Subwindows
The electerm window is simple in design. At the top, you’ll find the menu for the currently selected functions. Below this are tabs for Terminal and File manager. A vertical icon sidebar on the left hosts the basic functions with the Menu at the top followed by New bookmark, Bookmarks, History, Terminal themes, Setting, Setting sync, and BatchOp (batch operation). Where convenient, there is some redundancy, which increases ease of use.
Electerm opens in the terminal, which is similar to those installed in most modern distributions, with files, directories, cursors, and other display elements color-coded. It can be customized in Terminal themes. A right-click menu includes Cut, Copy, Paste, Search, and Split. Compared to many distributions’ default terminals, electerm’s terminal is perhaps rather basic, but it is more than adequate for the most common functions (Figure 1).
File Manager is located to the right of Terminal, on the reasonable assumption that it is the second most-used function. At the top left are icons to toggle the display of hidden files or directories, to move up to the next directory in the hierarchy, or to create a bookmark. The right-click menu gives all the expected options, although the Edit function only works with the system editor. To open a binary file, you need to use the less obvious Open. Compared to desktop file managers such as Dolphin, electerm’s file manager is less convenient to use, but it compares favorably to other command-line file managers and is certainly more useful than the venerable ls commands (Figure 2).

Figure 2: Electerm’s file manager.

Figure 3: The bookmarks in electerm are uniquely full featured.

Clicking on Bookmarks lets you import and export bookmarks, as well as create both bookmarks and categories for them. Bookmarks can be local or remote, password-protected and encrypted, and given their own environments and starting directories. Electerm’s developers




have given careful consideration to bookmarks, and the result is more than a mere link. For convenience, New bookmarks has its own icon, but it is identical to Bookmarks (Figure 3).
In most shells, history is a complicated tool, a matter of scanning with arrow keys or remembering when an entry was made. For this reason, many users tend to avoid it for traversing more than a few entries back. By contrast, electerm’s graphical display makes its History more powerful than most, for the simple reason that it is easier to use. With a glance and a click, electerm moves to the selection.
BatchOp provides a basic editor for preparing batch files and saving them as a CSV file. It shows the values required for a remote and local batch file, as well as what each looks like. For convenience, an existing file can be imported and modified when a new file does not need to be written from scratch. Batch files can be run from the Quick commands link at the bottom of the terminal. BatchOp removes the need for a separate editor, at least for simple scripts (Figure 4).

Progress Report
As I write, electerm is in early general release. I began working with the 1.39.88 release, and an upgrade came out just before I finished. At this stage, electerm’s original features are its bookmark and batch files. Both do more than their counterparts elsewhere and are easier to use. However, electerm’s most useful accomplishment to date is the organization of related but traditionally separate functions – notably the terminal and file manager – into a single workflow. True, the organization is not yet complete, and sometimes takes a while to adjust to, but the trend is to bring the command line up to date. Desktop users just might find that electerm makes the command line a less fearsome place.

Info
[1] electerm: https://github.com/electerm

Figure 4: Written to CSV files, electerm’s batch files make scripting easy.




IN-DEPTH
eBPF and Cilium

Cilium extends the power of eBPF for Kubernetes networks

Smart Assistant
eBPF offers a powerful remedy for the complexity of Kubernetes, but it can be difficult to configure
and manage. Cilium provides easy access to eBPF’s revolutionary capabilities. By Roland Wolters

Lead Image © Dan Barbalata, 123RF.com

In the early 2010s, Linux had already begun conquering data centers, and it was on the path to becoming the standard operating system for servers. At the same time, another data center trend emerged: Virtualization. To keep pace with the development of virtualized infrastructures, networks had to go virtual, too.
Software-defined networks (SDNs) were the first step toward network virtualization. The Open Networking Foundation was founded in 2011 to further disseminate and standardize SDNs. Open vSwitch found its way into the kernel in 2012, the same year that VMware bought SDN pioneer Nicira. The pace of development was fast – too fast for the Linux kernel. Network technology requires high performance, which for Linux means that it must be part of the kernel. Code changes to the kernel often take many months, and after a release, they are slow to reach the distributions as packages. This slow pace of change slowed the adoption of rapidly developing network technologies. At the same time, the first container solutions appeared, placing even more demands on the network. A new approach was needed.

eBPF Revolutionizes Linux
Alexei Starovoitov found a solution: He expanded the existing BPF kernel subsystem, which was quite simple at the time and had been developed in the 1990s as a simple packet filter. Starovoitov extended BPF to include some foundational capabilities, launching eBPF [1] in the process.
eBPF acts as a kind of kernel VM into which generic programs are loaded at runtime and then executed. Thanks to eBPF, it was suddenly possible to change and extend the way the kernel worked without rebooting, a revolutionary innovation. Because eBPF code can interact with the kernel and operates on the same layer, it offers capabilities for detailed monitoring, enhanced security, and other very powerful features.
eBPF has now reached the markets. It is used in a variety of projects and programs, with many companies basing products on it. A foundation [2] supports the ongoing development of the technology. The members of the eBPF Foundation include well-known names from the cloud and Linux environment such as Meta, Google, Red Hat, Intel, Netflix, Datadog, and Isovalent, whose acquisition Cisco announced at the end of 2023. If you want to find out more about the history of eBPF, watch the 30-minute video documentary on YouTube [3]. Cilium is an application built on eBPF that brings far-reaching monitoring, extensive security operations, and a high-performance network to Kubernetes.

A Brief History of eBPF
eBPF is a technology that is used to run programs in a sandbox at kernel level (Figure 1). The programs are called by events. These events call trigger hooks, i.e., specific locations in the kernel. They include specific function calls, the start or end of a function, important network events, and so on. You can




Figure 1: eBPF runs programs in a sandbox at kernel level. © https://ebpf.io, CC-BY-4.0

also define your own hooks. If no event occurs to call an eBPF program, the eBPF code is not executed. This means that the code only runs when it is really necessary.
Because eBPF programs interact with many kernel components, you need experience in kernel development to write them. The programs themselves take the form of bytecode. They are often programmed in pseudo C code, which is then converted into bytecode by a compiler. When the bytecode is loaded into the kernel, a decisive step in the eBPF chain takes place: the use of the verifier. The verifier applies various criteria to check the eBPF program, for example, whether the program will always terminate, whether it attempts to access memory outside its limits, whether the complexity is finite (the verifier checks every path), and so on. The verifier plays an important role, because without it the stability of the kernel would be jeopardized by every new eBPF program. The verifier guarantees the safety and security of eBPF, while at the same time limiting the capabilities of eBPF to what is absolutely essential.
eBPF maps, key-value stores in the kernel, are another important feature of eBPF. eBPF programs can use maps to exchange data with each other and also with other applications that run in user space. Maps enable a comprehensive exchange of data and states, even after an eBPF program has terminated. On top of this, eBPF programs can be linked together so that they call each other. eBPF maps store data temporarily and process the data later on.
In discussions of eBPF, sooner or later the term XDP will arise. The abbreviation stands for Express Data Path, a framework for eBPF that allows the kernel to quickly process network packets (see the box entitled “What is XDP?”).
eBPF offers revolutionary possibilities for executing programs in a flexible way directly at kernel level. But writing an eBPF program and managing it dynamically is anything but trivial. Using eBPF for network management with Kubernetes, in particular, requires a large number of eBPF programs.

What is XDP?
XDP works directly with the NIC driver and is called at the earliest possible time. It can process the packet as soon as it arrives, even before the driver does anything else with it. For example, XDP, which is designed for high speed, offers an extremely efficient way to counter DDoS attacks; an XDP program can drop packets practically directly on the network interface card. It can also be used to write load balancers that forward network packets directly from the NIC they just reached. A good example of this is the Katran [4] load balancer developed by Facebook/Meta, which is based on XDP.

Container Networks
Kubernetes is used to manage applications that are packaged in containers or groups of containers, known as pods. For these applications to play a useful role, they typically require data, which they often also pass on. The data streams need a network to be able to flow from A to B. Kubernetes itself does not implement any network functions but leaves this to plugins that meet the CNI (Container Network Interface) specification. When the container runtime builds a pod, it tells the CNI plugin to create a matching network environment, that is, a virtual network interface, including the rules required to route the data traffic appropriately.
Unfortunately, most CNI plugins have the same weaknesses: IP addresses and iptables. IP addresses are becoming a problem because they are no longer as static in container environments as they used to be. Before the widespread use of containers, IP addresses were one of the main features used to determine the identity of an application. If a data stream came from an IP address of 1.2.3.4, it used to be clear which server or VM (and, therefore, which application) it originated from. But containers typically use local, dynamically assigned IP addresses. In addition, multiple containers can belong to a single application; a 1:1 assignment is no longer possible. Many different containers often run on a single node. IP addresses come and go, especially in the case of automatic down- or upscaling. CNIs can still deal with this because the appropriate logic has been installed. But traditional monitoring or security systems strike out if they attempt to rely on IP addresses in Kubernetes.
The iptables problem is a different issue. If a Kubernetes cluster consists of several nodes on which many applications are running, the result is a large number of IP addresses and rules. Iptables goes through them sequentially: It checks each packet sent against a list of rules, one after the other. The time required to do so increases in a linear way as the number of rules grows. In addition, iptables has to reload the list of all rules every time a new rule is added; this can take a long time for a large number of rules and can cause delays. As a result, performance losses and latencies increase significantly with the number of rules (Figure 2). Things get even worse when the Kube proxy enters the fray, which causes the number of rules to grow exponentially [5].
eBPF offers far more meaningful identifiers. eBPF understands the namespaces in which containers are created and can operate at this level. This




means that you can set up communication relationships and rules based on namespaces. Doing so enables a far better description of the containers and also of overarching services. In Kubernetes environments, the security of an application does not depend on where it is but on what ID it has. To do justice to a complex K8s environment, the CNI in Kubernetes therefore must be based on eBPF. And that takes us to Cilium.

Figure 2: Without eBPF, latency increases considerably with the number of services in the cluster; with eBPF, it remains almost the same. © The Cilium Authors, https://cilium.org

Managers for eBPF Programs
Although writing your own eBPF programs is not exactly easy, managing many small eBPF programs in a dynamic environment such as Kubernetes is even more difficult. This is where Cilium [6] comes into play. Cilium creates, loads, and manages the required eBPF programs in a dynamic way. All of this is completely transparent to the user. The bottom line is that you can use the revolutionary capabilities of eBPF without being a kernel developer yourself.
As a CNI, Cilium creates the required network interfaces and efficiently routes the packets from A to B. And this is not limited to communication within the cluster. Cilium can also combine several K8s clusters and make the services available across borders with the help of Cluster Mesh. Of course, you will rarely find a Kubernetes cluster on its own in an otherwise empty space. The applications that run on it often have to communicate with other entities outside the cluster. Cilium uses Border Gateway Protocol (BGP), which it speaks natively, to support connections to classic networks. It also supports IPv4, IPv6, and IPv4/IPv6 hybrid operation. Cilium can even perform Network Address Translation (NAT) between IPv4 and IPv6 so that you can operate an IPv6 Kubernetes cluster in an IPv4 environment, for example.

Figure 3: The interactive policy editor is accessible on the Internet. © The Cilium Authors, https://cilium.org

On top of this, Cilium lets you define rules, known as network policies, to allow or prevent communication




relationships. Basically, Kubernetes allows everything without these rules. You could compare this with a city in which everyone – from cars to bicycles to pedestrians – runs or rides around in a chaotic way. The network policies bring order to the chaos, and K8s admins can use them to control which pod is allowed to communicate with which service.
Cilium understands both general Kubernetes network policies and Cilium network policies. Normal network policies enable control on layers 3 and 4 of the OSI layer, whereas the Cilium network policies also cover layer 7 – HTTP paths, for example. (eBPF does not implement this L7 support directly, so Cilium uses a lean Envoy proxy.) In addition to this, Cilium lets you filter both by pods or namespaces, as well as on the basis of DNS names, services, endpoints, and more.
The interactive policy editor at editor.networkpolicy.io (Figure 3) provides useful insights into the various options for Cilium and Kubernetes network policies. The policy editor offers the option of clicking together rules and displays the result as Kubernetes and Cilium network policies. You can download and deploy these rules on existing Kubernetes instances.
A special case of network traffic occurs when data enters the cluster from the outside or leaves the cluster for an outside destination. Cilium supports the Kubernetes Ingress Resource and therefore TLS termination, load balancing, and HTTP on layer 7. Cilium also supports the newer Gateway API specification, which extends Ingress to include Layer 4; it offers additional protocols, along with HTTP, and includes extended functions such as A/B testing and canary rollouts. Cilium also manages outgoing data traffic: For example, the Egress Gateway function can ensure that a specific endpoint outside the cluster is always addressed with the same source IP. This considerably simplifies integration into environments with IP-based firewalls.
Cilium as a CNI has now firmly established itself on the market. It is a Graduated Project of the Cloud Native Foundation (CNCF), the only CNI with this status. The major cloud providers rely on Cilium, including Azure CNI Powered by Cilium, AWS EKS and EKS-A, and the Google GKE Dataplane v2. Increasing numbers of organizations are turning to Cilium. The Adopters page at the Cilium website [7] links to a large number of experience reports.

Cilium Hubble
Cilium can filter network traffic on Layer 7 because it natively understands the data stream associated with HTTP traffic. This in turn makes it possible to use this stream of network traffic for monitoring purposes.
For example, Cilium can both ensure that data exchanges only take place with *.cilium.io and can count how often connections to that destination are established. It has the ability to display communication relationships and break them down to the level of DNS names and HTTP paths. To display communication relationships, Cilium uses the Hubble component (Figure 4), named after the well-known space telescope. Hubble is basically a user interface that provides insights into the relationships between the services and the data traffic between those services.

Figure 4: Cilium using the Hubble component to inspect data streams on the network. © Isovalent, https://isovalent.com

Hubble displays relationships between services as a service map, showing the matching data streams at the press of a button. Hubble helps to answer questions such as:
• Which services communicate with each other and how often?
• Which service does service X depend on?
• Are there any problems with network traffic? If so, where are connections blocked, and where are packets dropped? On which layer is there a problem with the connection?
• For which services were connections blocked due to existing rules?
• What is the rate of 4xx (client error) or 5xx (server error) return codes?
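The two policy types described above, Kubernetes network policies on layers 3 and 4 and Cilium network policies reaching layer 7 HTTP paths and DNS names such as *.cilium.io, shown in an added example that is not a manifest from the article or from the Cilium project: two CiliumNetworkPolicy objects for a constructed frontend/backend pair in a constructed shop namespace. The namespace, labels, ports and paths are assumptions chosen for illustration.

```yaml
# Added example: CiliumNetworkPolicy for a hypothetical "frontend" pod.
# Everything a plain Kubernetes NetworkPolicy could express is here too
# (L3 endpoint selectors, L4 ports); the "rules:" sections are the L7 and
# DNS-name controls the article describes, which only the Cilium type offers.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: frontend-egress
  namespace: shop            # constructed namespace
spec:
  endpointSelector:
    matchLabels:
      app: frontend          # constructed label
  egress:
  # 1. DNS to kube-dns. Required for toFQDNs below: Cilium learns which IPs a
  #    name resolves to by inspecting the DNS replies this rule lets through.
  - toEndpoints:
    - matchLabels:
        k8s:io.kubernetes.pod.namespace: kube-system
        k8s:k8s-app: kube-dns
    toPorts:
    - ports:
      - port: "53"
        protocol: ANY
      rules:
        dns:
        - matchPattern: "*"
  # 2. Outbound HTTPS only to hosts under cilium.io, selected by name rather
  #    than by address: the "*.cilium.io" case from the text. The IPs behind
  #    the name may change; the rule does not.
  - toFQDNs:
    - matchPattern: "*.cilium.io"
    toPorts:
    - ports:
      - port: "443"
        protocol: TCP
  # 3. Layer 7: the frontend may call the backend, but only GET on one path
  #    prefix. Cilium enforces this in its per-node Envoy proxy; a POST or a
  #    request to /admin from the same pod is answered with HTTP 403.
  - toEndpoints:
    - matchLabels:
        app: backend         # constructed label
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
      rules:
        http:
        - method: "GET"
          path: "/api/v1/products.*"
---
# The same L7 rule from the receiving side. Kubernetes allows everything
# until a policy selects a pod, so this object is what switches enforcement
# on for the backend: only the frontend, only 8080, only this request shape.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: backend-ingress
  namespace: shop
spec:
  endpointSelector:
    matchLabels:
      app: backend
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: frontend
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
      rules:
        http:
        - method: "GET"
          path: "/api/v1/products.*"
```

Both objects can be checked against the cluster with kubectl apply --dry-run=server before they are rolled out; once applied, Hubble's drop events show which existing flows the policies cut off.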




This information makes Hubble invaluable for troubleshooting existing applications in day-to-day operations. ClickHouse summarized this in a field report [8] as follows: “I used Hubble to debug [the issues], to see network flows, how things are going, where it’s blocked, because we had problems with traffic forwarding and it wasn’t clear. What is that? Is it a network policy or something else? When we initially installed Cilium, we didn’t enable Hubble, but now we have it installed in every cluster because it is so useful for debugging.”
But monitoring also benefits considerably from Hubble. You can export metrics to Grafana to visualize the data. Typical graphs include the number and ratio of HTTP return codes, drop reasons, HTTP latencies, and DNS errors. You don’t need to use the graphical interface: Hubble offers an equally powerful command-line interface.

Cilium Tetragon
As the use of Kubernetes for business-critical applications increases, the security and compliance aspects are becoming increasingly important. Can Cilium also help with ISO 27000 information security management and basic protection?
Cilium approaches these topics from two sides. On one hand, the Cilium options provide direct support in securing systems. Detailed network policies help to secure services and establish a zero-trust policy. Hubble handles verification tasks and continuously checks whether compliance is maintained in day-to-day operations. Cilium can also encrypt network traffic with WireGuard or IPsec. This ensures data confidentiality where networks are shared or are not under the control of a specific user. Both approaches have their advantages and disadvantages: WireGuard offers automatic key management, whereas IPsec shows better latencies and better CPU efficiency in tests.
On the other hand, Cilium addresses the issue of security with the Tetragon component [9]. Tetragon (Figure 5) also relies on eBPF, but unlike Cilium, it does not target the data traffic between nodes, but the nodes themselves. Where Cilium provides insights across the cluster, Tetragon deep dives, plumbing the depths of the kernel on the node. Tetragon monitors the system calls, the namespaces, and so on. By doing so, Tetragon can draw a complete picture of what is happening on a node.
One potential use case for Tetragon is to monitor containers to see whether new processes are still starting after an extended period of uptime. Because containers are immutable, a new process often indicates a possible break-in. GitHub uses Tetragon to assign network traffic to individual processes on the host to gain a deeper understanding of which application in a cluster is causing specific traffic. Tetragon not only offers insights but can also block events. For example, you can prevent suspicious access to system files such as /etc/shadow.

Figure 5: Tetragon provides insights into the inner workings of a node. © The Tetragon Authors, https://tetragon.io

Service Mesh
When it comes to Kubernetes and networking, the service mesh is a must have. The service mesh is a software layer that facilitates communication between services in applications. Linkerd, Istio, and Kong offer established solutions – what is Cilium’s position? After all, it provides functions such as filtering at protocol level, a feature that is normally associated with a service mesh. And that is precisely Cilium’s approach.
Cilium offers various functions of a service mesh. These functions are either implemented directly in eBPF (like TCP filtering) or in a minimized Envoy proxy (such as protocol-native filtering), of which you need one per node instead of one per container. Familiar service mesh solutions usually start another service mesh container for each container, quickly increasing the overhead and complexity. This is not necessary with Cilium.
Cilium’s approach has other advantages in addition to reducing complexity. Benefits include lower overhead due to the lack of sidecars and a flat learning curve because the Cilium service mesh uses existing methods. What is probably the decisive advantage, however, is that you can switch on the required service mesh functions when it suits you. Instead of evaluating a complete service mesh, testing it, training the team on it, and introducing it into testing and production with a lot of effort and a big bang, Cilium




Mesh allows you to switch on the required features during operation when they are needed. This approach simplifies the introduction of service mesh functions. Teams often do not need all the functions of a service mesh but only a small but crucial part. In such cases, a native service mesh, as implemented by Cilium, offers an invaluable advantage.
It seems that other projects are following the path taken by Cilium, transferring increasing numbers of functions to the underlying network layer or basing them directly on Cilium. The service mesh might not become the Kubernetes network of the future, but it could simply merge with the underlying network layer and the proxies over time, which would certainly be a desirable outcome for admins who oversee Kubernetes infrastructures.

Conclusions
Kubernetes is here to stay as a way to manage containers. But container management involves special challenges, particularly in the fields of networks, monitoring, and security. The revolutionary eBPF meets those challenges, but it poses some challenges of its own. Cilium makes eBPF’s capabilities manageable, enabling comprehensive management of networks in Kubernetes and also supporting interfaces to the surrounding IT environment. The Tetragon and Hubble components add a wide range of monitoring and security functions.
If this article has aroused your interest, your next stop should be Cilium Labs [10], where you will find interactive programs that you can launch directly from the browser to get to know Cilium and all of its components.

Author
Roland Wolters is Head of Technical Marketing at Isovalent where he and his team are responsible for communicating the technical value of eBPF, Cilium, and Isovalent Enterprise for Cilium to customers, prospects, and partners. His areas of expertise include security, automation, and open source. He is a keen driver of Agile processes and would be lost without his Kanban boards. Outside of work, he is usually most known for trying to frantically keep up with his rambunctious young triplets.

Info
[1] eBPF: https://ebpf.io
[2] eBPF Foundation: https://ebpf.foundation
[3] eBPF documentary: https://www.youtube.com/watch?v=Wb_vD3XZYOA
[4] Katran: https://github.com/facebookincubator/katran
[5] Kube proxy: https://isovalent.com/blog/post/why-replace-iptables-with-ebpf
[6] Cilium: https://cilium.io
[7] Adopters: https://cilium.io/adopters
[8] Case study by ClickHouse: https://www.cncf.io/case-studies/clickhouse
[9] Tetragon: https://tetragon.io
[10] Cilium Labs: https://cilium.io/labs
IN-DEPTH
Steganography

Concealing secrets in plain sight

Nothing Here
Intruders and spies have ways of concealing information in image files, doc files, and other innocuous locations. Welcome to the sneaky art of steganography. By Chris Binnie

Steganography is the art of passing secret information. Kaspersky puts it this way: “Steganography is the practice of concealing information within another message or physical object to avoid detection. Steganography can be used to hide virtually any type of digital content, including text, image, video, or audio content. That hidden data is then extracted at its destination” [1].
This secretive process, which apparently dates back to ancient Greece, appears to have been named much later. The first recorded use of the term steganography was in 1499 by Johannes Trithemius in his Steganographia, “a treatise on cryptography and steganography, disguised as a book about magic” [2].
This article describes how attackers hide and extract potentially sensitive data. I will start by covering a sample of the types of steganography before looking at common ways of concealing information online. One common technique I’ll describe in this article requires two message types: a container and a secret. The container conceals the secret from interception and ideally even conceals its existence.

Weaving Yarn
Steganography covers multiple media types, including network protocols. Some of the principal types of steganography are:
• Physical – information hidden under the part of an envelope where the stamp is stuck, messages in Morse code woven into the yarn of clothing, invisible ink written on paper. In ancient times messages would be carefully concealed on the back of wax tablets, away from the primary message.
• Digital – changing the order of items in an array, converting pictures into sound files, adding messages to areas of a file that are usually ignored or used by metadata, creating deliberate errors in a word processor’s document using the tracking feature that reveal a message, concealing messages in images, hiding data in streamed and on-demand videos, altering executable files.
• Social – changing shared file descriptors or titles, purposely misspelling words to circumvent keyword filters in oppressive societies.
• Networking – creating covert communication channels using otherwise unused network fields, such as fields within the TCP/IP protocol. For instance, VoIP (Voice over IP) messages can be concealed in seemingly corrupted or delayed packets.

Author
Chris Binnie is a Cloud Native Security consultant and co-author of the book Cloud Native Security: https://www.amazon.co.uk/Cloud-Native-Security-Chris-Binnie/dp/1119782236.

Photo by Wes Hicks on Unsplash


Now that I have covered some of the theory, I’ll describe some examples.

The Bad Guys
Nefarious payloads can be disguised inside files that are viewed as innocuous. You won’t be surprised to hear that many different applicable files, including video, audio, and text documents, can contain malicious data. In addition to these file types, a web page can also act as the container for delivering secrets to those who know how to look for them.
One of my favorite examples is described at the Life Plus Linux Blogspot site [3]. The example provides an excellent reason to be extremely cautious about what you copy-and-paste from web pages. The page presents the Linux command ls -lat, which serves up a directory listing, including hidden files, along with ownership and permissions for each file. But pay attention to the surreptitious whitespace before the hyphen in the command.
The text for the payload is colored white (as is the background of the web page) so it is perfectly hidden from an unsuspecting user. If you look at how the CSS (Cascading Style Sheet) is constructed, it is configured to use this setting:

  color: #f3f5f6; /* set it to the color of the page */

In Listing 1 you can see that, despite the web browser only displaying one whitespace, a subsequent copy and paste reveals a remarkable amount of code that could potentially contain a malicious payload. Note the ls at the start and the -lat at the end. Clever isn’t it?
Figure 1 shows exactly how the browser interprets the code. It pulls it down using the nefarious stylesheet via the HTML <span> tag when it is pasted. And, as the webpage says, the possibilities for such an attack are endless. If that example doesn’t give you a good reason to think before you next blindly cut n’ paste from a website, it is likely nothing will. As you can imagine, all kinds of executable payloads could be delivered via such a method!

Steghide
One very popular tool used by security researchers and attackers alike is called Steghide [4]. You can install Steghide on Ubuntu and other Debian derivatives with

  $ apt update; apt install -y steghide

Run the command man steghide to study the manual once the package is installed. You’ll learn that Steghide can use the JPEG, BMP, WAV, and AU file formats for the cover file and there are no restrictions on the format of the secret data. Steghide can use audio and image files to conceal secretive messages. Apparently, it is also powerful enough to work with other file types, too, but I haven’t confirmed this.
I’ll start with a screenshot from my laptop’s background, showing the start of the Steghide help output (using --help), as shown in Figure 2. I’ve called the screenshot secret_inside.jpg after quickly converting the format to JPEG from PNG using the GNU Image Manipulation Program (GIMP) package [5].

Figure 1: How the browser interprets the code in Listing 1. © http://lifepluslinux.blogspot.com/2017/01/look-before-you-paste-from-website-to.html

Listing 1: Malicious White Text

  ls
  ; clear; echo 'Haha! You gave me access to your computer with sudo!'; echo -ne 'h4cking ## (10%)\r';
  sleep 0.3; echo -ne 'h4cking ### (20%)\r'; sleep 0.3; echo -ne 'h4cking ##### (33%)\r'; sleep 0.3;
  echo -ne 'h4cking ####### (40%)\r'; sleep 0.3; echo -ne 'h4cking ########## (50%)\r'; sleep 0.3;
  echo -ne 'h4cking ############# (66%)\r'; sleep 0.3; echo -ne 'h4cking ##################### (99%)\r';
  sleep 0.3; echo -ne 'h4cking ####################### (100%)\r'; echo -ne '\n'; echo 'Hacking complete.';
  echo 'Use GUI interface using visual basic to track my IP'
  ls
  -lat


Now that I have an image to use as a container, I’ll create a secret. I just need a text file with a secret saved inside. I’ll use the following command to echo text to a file called secret.txt:

  $ echo "Nothing to see here, move along." > secret.txt

Now I run the following command to use the embed option:

  $ steghide embed -ef secret.txt -cf secret_inside.jpg
  Enter passphrase:
  Re-Enter passphrase:
  embedding "secret.txt" in "secret_inside.jpg"... done

The passphrase I used is just abc. As you can see, Steghide completes the process nicely. The -ef option lets you specify the “embedfile” to use (the secret). The -cf is for the “coverfile” filename (the container). If you are aware that a file probably contained a secret, but aren’t sure, you can query the file with the following command:

  $ steghide --info secret_inside.jpg
  "secret_inside.jpg":
    format: jpeg
    capacity: 34.1 KB
  Try to get information about embedded data ? (y/n)

If you press y to continue, you are presented with a passphrase request for the secret file. If you supply the correct passphrase, you can see the cipher used to encrypt the passphrase and the filename of the embedded file:

  Enter passphrase:
    embedded file "secret.txt":
      size: 33.0 Byte
      encrypted: rijndael-128, cbc
      compressed: yes

The cat command reveals the secret was extracted correctly:

  $ cat secret.txt
  Nothing to see here, move along.

Use the following command to skip the -info option:

  $ steghide --extract -sf secret_inside.jpg

And use -v to get file format information in greater detail. The encinfo option lets you view encryption options (Listing 2).
The clever simplicity of Steghide is a good way to get started with steganography on the Linux command line. See the Steghide documentation [6] for more information.

Stegosuite
You can install the popular Stegosuite [7] with the following command:

  $ apt install -y stegosuite

This command pulls down around 50MB of files onto my laptop. Along with the application, a number of Java packages are installed, which should give an indication that a UI (User Interface) will be included on Linux. I tried to type stegosuite on the command line as both the root user and my local user but without success. Opening the main

Listing 2: Viewing Encryption Information

  $ steghide encinfo
  encryption algorithms:
  <algorithm>: <supported modes>...
  cast-128: cbc cfb ctr ecb ncfb nofb ofb
  gost: cbc cfb ctr ecb ncfb nofb ofb
  rijndael-128: cbc cfb ctr ecb ncfb nofb ofb
  twofish: cbc cfb ctr ecb ncfb nofb ofb
  <snip>

Figure 2: An arbitrary image to conceal a secret within (actually, the start of Steghide’s help file).
Figure 3: Stegosuite’s UI, showing the image with the embedded secret.


application drawer in Ubuntu worked a treat, though, presenting me with a pop-up, Java-based window.
When I click File | Open and load up secret_inside.jpg again, I’m presented with the view shown in Figure 3.
In Figure 3 you can see that Stegosuite is only offering two simple options, so I will return to the command line for assistance. Figure 4 shows the command line’s help output (using --help).
As you can see in Figure 4, the -c, or --capacity, option relates to the size of secret data that can be embedded into an image. The other options, such as --embed, --key (used for encryption), --message (to choose what to add as the secret), and --extract should all make sense. There’s also a --files option to let you embed files directly.
My laptop didn’t like running Stegosuite against the JPEG file, so I created another file, as shown in Figure 5, with the X11 error message, which was saved as error_bar.png.
The image in Figure 5 does play nicely with Stegosuite on the command line as a PNG file:

  $ stegosuite -c error_bar.png
  Loading png image from /root/error_bar.png
  Capacity: 2.8 KB

I’ll try to embed a secret into a PNG file. In Figure 6, you can see the configuration for each parameter, where the key or password is abc again.
At the bottom of Figure 6, you can see that the file error_bar_embed.png has been created in the chris user’s home directory. In Figure 7, you can see that the ExifTool metadata editing utility [8] does not show any indication of the embedded file.
Another tool that can sometimes spot hidden files is Binwalk [9]. Binwalk has a history of being used by penetration testers, ethical hackers, and attackers alike. According to its GitHub repository, “Binwalk is a fast, easy-to-use tool for analyzing, reverse engineering, and extracting firmware images.”
Binwalk is flexible and appears to be able to play nicely with lots of different binary file types, even though its main purpose is to look inside firmware images. I pointed Binwalk directly at the PNG file I created earlier, and it reported the information

Listing 3: Binwalk Output

  DECIMAL       HEXADECIMAL     DESCRIPTION
  --------------------------------------------------------------------------------
  0             0x0             PNG image, 597 x 46, 8-bit/color RGBA, non-interlaced
  41            0x29            Zlib compressed data, compressed

Figure 4: Stegosuite help output from the command line.
Figure 5: The PNG file that I’m using to test Stegosuite.
Figure 6: The UI is embedding the secret to a new file path.
Figure 7: The PNG file, according to ExifTool.


shown in Listing 3. The output does not reveal anything obvious in this case, but I will return to Binwalk in a moment.

Poor Man’s Steganography
It is also possible to obfuscate messages into seemingly normal files without specifically designed steganography tools. Linux allows you to hide secrets with really simple commands. The idea for this process was inspired by an article by OSTechNix [10], which is definitely worth a read.
Start with an almost empty directory. The only item present is a subdirectory (called hidden_dir/) that contains a few text files that I want to keep secret. If you look at Figure 8, you will see an arbitrary image that is the only other file in the main directory and is named blurry_secret.png. The directory listing is

  $ ls
  hidden_dir/ blurry_secret.png

For the curious, I’ve just created three small text files (with what might be a secret code inside each) and then saved them inside the hidden_dir/ directory, as so:

  $ ls hidden_dir/
  1.txt 2.txt 3.txt

And, now for the clever bit! We will create a new image named normal.png. However, we will use the built-in cat command to send the data from blurry_secret.png and a zipped-up (compressed) version of the directory hidden_dir/ at the new filename normal.png (Listing 4).
Rather than confuse things with the leftover files and another directory listing, imagine all the other files had been deleted and you are just left with normal.png. Surprisingly, it would look identical to blurry_secret.png, even though it contains the secretive ZIP file data.
The before and after images look identical to the human eye, both like Figure 8. However, what happens if I look more closely using some of the other tools in this article? Steghide can’t open it because it is in PNG format, but the sophisticated Binwalk shows the hidden files in its analysis output, revealing the three compressed .txt files shown in Figure 9.
To get the secrets back from the image file, just unzip the compressed normal.png image file in a fresh new directory for clarity:

  $ unzip normal.png
  Archive:  normal.png
  warning [normal.png]:  1743 extra bytes at beginning or within zipfile
    (attempting to process anyway)
    inflating: hidden_dir/1.txt
    inflating: hidden_dir/2.txt
    inflating: hidden_dir/3.txt

Notice the warning in the output stating that there’s an unusual 1,743 bytes somewhere in normal.png. To avoid loose ends, look at this directory listing, which shows precisely where that amount of data came from:

  $ ls -al blurry_secret.png
  -rw-rw-r-- 1 chris chris 1743 Dec 25 07:08 blurry_secret.png

String Thing
Before signing off, it is definitely worth a quick mention of how to quickly scrutinize files using built-in tools. The magically useful strings utility is part of the binutils package and lives under the file path /usr/bin/strings, which means it can be called from anywhere. The manual states that the purpose of the strings utility is to “print the sequences of printable characters in files.” In other words, even in binary files that would usually print gobbledygook in a terminal if you opened them with the less command or the vi text editor, strings will cut to the chase and only display human-readable characters that might hold a secret message if steganography is involved.
Figure 10 shows the heavily abbreviated, top-most piece of strings output

Listing 4: Low-Tech Obfuscation

  $ zip hidden_dir.zip hidden_dir/*   # This creates the file "hidden_dir.zip"
    adding: hidden_dir/1.txt (deflated 16%)
    adding: hidden_dir/2.txt (deflated 16%)
    adding: hidden_dir/3.txt (deflated 16%)
  $ cat blurry_secret.png hidden_dir.zip > normal.png   # This creates the file "normal.png"

Figure 8: A simple, arbitrary image file that looks identical with and without an embedded Zip file.
Figure 9: Binwalk weaves its magic.
Figure 10: The printable characters from the ssh binary.


when it is pointed at /usr/bin/ssh with the command

  $ strings /usr/bin/ssh

Compare and contrast that to a JPEG file, as shown in Figure 11, again significantly abbreviated.
Although that example JPEG file isn’t showing anything interesting, I am sure you get the idea of how useful the strings tool can be. I would highly encourage you to turn to the strings command frequently. Along with the zless command, strings provides a way to scrutinize binary data and compressed files for speedier access.

Conclusion
Steganography is a fascinating topic, and this article only scratches the surface. You’ll find a reasonable amount of discussion online regarding the role of Artificial Intelligence (AI) in the future of steganography. More accurately, the focus is on a subset of AI called Machine Learning (ML), where models are created to baseline what looks normal and when to flag abnormal objects. Such models are apparently called steganalysis models and are used to create known-good models using files without concealed data, which can then be compared against incoming files. It should go without saying that, as much help that ML might give to security researchers, the nefarious, covert concealment of secrets will also evolve rapidly thanks to AI. Stay vigilant.

Figure 11: Another file type, ending in .jpg this time.

Info
[1] What is Steganography? https://www.kaspersky.com/resource-center/definitions/what-is-steganography
[2] Wikipedia on Steganography: https://en.wikipedia.org/wiki/Steganography
[3] Look Before You Paste from Website: http://lifepluslinux.blogspot.com/2017/01/look-before-you-paste-from-website-to.html
[4] Steghide: https://steghide.sourceforge.net/
[5] GIMP: https://www.gimp.org/
[6] Steghide Documentation: https://steghide.sourceforge.net/documentation.php
[7] Stegosuite: https://github.com/osde8info/stegosuite
[8] ExifTool: https://exiftool.org
[9] Binwalk: https://github.com/ReFirmLabs/binwalk
[10] Steganography: Hide Files Inside Images in Linux: https://ostechnix.com/hide-files-inside-images-linux
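The “Poor Man’s Steganography” trick described above only works because nobody looks past the end of the image. The following Go program is an added example and not code from the article: it walks the PNG chunk list to find where the IEND chunk ends, reports any bytes that follow it, and tries to read those bytes as a ZIP archive, which is what Binwalk and the unzip warning were pointing at. The cover image and the hidden archive are constructed in memory, so CleanPNG, HideZip, Member and the hidden_dir/*.txt names are this example’s own inventions rather than the article’s files.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/binary"
	"fmt"
	"hash/crc32"
)

// pngSignature is the fixed 8-byte header that opens every PNG file.
var pngSignature = []byte{0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'}

// pngEnd walks the chunk list (length, type, payload, CRC) and returns the
// offset just past the IEND chunk, which is where a clean PNG must stop.
func pngEnd(data []byte) (int, error) {
	if !bytes.HasPrefix(data, pngSignature) {
		return 0, fmt.Errorf("not a PNG: bad signature")
	}
	off := len(pngSignature)
	for off+8 <= len(data) {
		length := int(binary.BigEndian.Uint32(data[off : off+4]))
		ctype := string(data[off+4 : off+8])
		next := off + 8 + length + 4 // 8-byte header + payload + 4-byte CRC
		if next > len(data) {
			return 0, fmt.Errorf("truncated %s chunk", ctype)
		}
		if ctype == "IEND" {
			return next, nil
		}
		off = next
	}
	return 0, fmt.Errorf("truncated PNG: no IEND chunk")
}

// Finding describes what, if anything, follows the IEND chunk.
type Finding struct {
	Trailing int      // bytes after IEND; 0 for a clean file
	IsZip    bool     // the trailing bytes parse as a ZIP archive
	Names    []string // member names when IsZip is true
}

// Inspect reports trailing data after IEND and tries to read it as a ZIP.
// Only the tail is handed to archive/zip, so member offsets line up even
// though unzip on the whole file would warn about "extra bytes at beginning".
func Inspect(data []byte) (Finding, error) {
	end, err := pngEnd(data)
	if err != nil {
		return Finding{}, err
	}
	f := Finding{Trailing: len(data) - end}
	if f.Trailing == 0 {
		return f, nil
	}
	tail := data[end:]
	zr, err := zip.NewReader(bytes.NewReader(tail), int64(len(tail)))
	if err != nil {
		return f, nil // trailing bytes, but not a ZIP archive
	}
	f.IsZip = true
	for _, m := range zr.File {
		f.Names = append(f.Names, m.Name)
	}
	return f, nil
}

// chunk encodes one PNG chunk; the CRC covers the type and the payload.
func chunk(ctype string, payload []byte) []byte {
	body := append([]byte(ctype), payload...)
	out := binary.BigEndian.AppendUint32(nil, uint32(len(payload)))
	out = append(out, body...)
	return binary.BigEndian.AppendUint32(out, crc32.ChecksumIEEE(body))
}

// CleanPNG builds a constructed, minimal 1x1 RGBA PNG (IHDR + IEND only;
// no pixel data is needed to exercise the chunk walker).
func CleanPNG() []byte {
	ihdr := binary.BigEndian.AppendUint32(nil, 1)  // width
	ihdr = binary.BigEndian.AppendUint32(ihdr, 1) // height
	ihdr = append(ihdr, 8, 6, 0, 0, 0)             // depth 8, RGBA, defaults
	png := append([]byte{}, pngSignature...)
	png = append(png, chunk("IHDR", ihdr)...)
	return append(png, chunk("IEND", nil)...)
}

// Member is one file to hide. HideZip reproduces
// `cat blurry_secret.png hidden_dir.zip > normal.png` in memory.
type Member struct{ Name, Body string }

func HideZip(png []byte, files []Member) ([]byte, error) {
	var zbuf bytes.Buffer
	zw := zip.NewWriter(&zbuf)
	for _, m := range files {
		w, err := zw.Create(m.Name)
		if err != nil {
			return nil, err
		}
		if _, err := w.Write([]byte(m.Body)); err != nil {
			return nil, err
		}
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return append(append([]byte{}, png...), zbuf.Bytes()...), nil
}

func main() {
	clean := CleanPNG()
	stego, _ := HideZip(clean, []Member{{"hidden_dir/1.txt", "constructed secret\n"}})
	for _, img := range [][]byte{clean, stego} {
		f, err := Inspect(img)
		fmt.Printf("%+v err=%v\n", f, err) // second line reports Trailing>0, IsZip:true
	}
}
```

A detector like this complements Binwalk rather than replacing it: Binwalk recognises many embedded formats, whereas this check only asks the one question a PNG parser can answer exactly, namely whether anything at all sits after IEND. Trailing bytes that are not a ZIP are still reported, since any data past IEND is unusual for an image produced by an ordinary editor.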
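As an added example of what the strings utility from the “String Thing” section actually does, and not code from the article, here is a minimal Go reimplementation: it returns every run of at least four printable ASCII bytes together with the byte offset where the run starts, the way strings -t d prints it. The Sample bytes are a constructed stand-in for a binary and are not taken from /usr/bin/ssh or any real file.

```go
package main

import "fmt"

// Run is one printable sequence and the offset where it begins.
type Run struct {
	Offset int
	Text   string
}

// Strings mimics the default behaviour of binutils' strings: every run of at
// least minLen printable ASCII bytes (tab included) is returned, and any byte
// outside that range ends the current run.
func Strings(data []byte, minLen int) []Run {
	var runs []Run
	start := -1
	flush := func(end int) {
		if start >= 0 && end-start >= minLen {
			runs = append(runs, Run{Offset: start, Text: string(data[start:end])})
		}
		start = -1
	}
	for i, b := range data {
		if (b >= 0x20 && b < 0x7f) || b == '\t' {
			if start < 0 {
				start = i
			}
			continue
		}
		flush(i)
	}
	flush(len(data))
	return runs
}

// Sample is a constructed stand-in for a binary: an ELF magic, some
// non-printable bytes, two plausible-looking strings, a run that is too short
// to report, and a planted message. It is not taken from any real file.
var Sample = []byte("\x7fELF\x02\x01\x01\x00\x00\x00" +
	"/lib64/ld-linux-x86-64.so.2\x00\x01\x02" +
	"Nothing to see here, move along.\x00ab\x00" +
	"GCC: (Debian 12.2.0-14) 12.2.0\x00")

func main() {
	for _, r := range Strings(Sample, 4) {
		fmt.Printf("%7d %s\n", r.Offset, r.Text)
	}
}
```

Raising minLen (the equivalent of strings -n) is the usual way to cut the noise from a large binary; the planted message survives because it is long, which is also why a short secret hidden among genuine strings is easy to miss with this tool alone.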
IN-DEPTH
Programming Snapshot – Go WiFi Monitor

Monitoring WiFi devices from the command line

Data Retention
To see when clients are joining and leaving the wireless network, Mike Schilli writes a command-line utility that uses an object-relational mapping interface to store metrics in SQLite to later display historical data. By Mike Schilli

“What I don’t know won’t hurt me,” as the saying goes, but the reverse is true for my wireless network. What are all my household gadgets doing? After all, no newly released device seems to be able to manage without a wireless network connection nowadays. Or are there actually some devices that I don’t even know about? This definitely worries me and keeps me tossing and turning in my sleep.
On top of that, I am interested in more than the current situation. Curious by nature, I would like to know how long a device, once discovered, has been operating on the network, when it joined the network, and whether it is permanently active or occasionally lets its assigned IP address lease expire and then picks up a new one later. Let’s build a data logger in Go to find out.
To detect active devices on the wireless network, it makes sense to call up the nmap scanner. This hacking tool is included with every good Linux distribution and knocks on the door of all potentially usable IP addresses in a subnet to see if a host responds. On a typical 192.168.0.0/24 subnet of a router for home network use, you can use 255 IP addresses, and nmap scans them with a barrage of probes at lightning speed (Figure 1).

Better Safe than Sorry
For nmap to be able to discover details such as the MAC addresses of the devices found on the wireless network, it needs to run as root. This is annoying in two ways: First, you have to use sudo to call any programs wrapped around it, which means entering the root password in a shell session, at least for the first call. Second, this opens up attack vectors; after all, who knows whether a complex Go program with all kinds of features is programmed to be 100-percent watertight or whether it offers a loophole for attackers?

Author
Mike Schilli works as a software engineer in the San Francisco Bay Area, California. Each month in his column, which has been running since 1997, he researches practical applications of various programming languages. If you email him at [email protected] he will gladly answer any questions.

Lead Image © Sergey Nivens, 123RF.com

Figure 1: The nmap command scans the subnet.
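The column’s answer to the root problem is a deliberately tiny set-uid wrapper around nmap (Listing 1 below hard-codes the subnet, so it takes no input at all). As an added example, and not the column’s own code, here is a hypothetical variant of such a wrapper that takes the subnet as an argument and therefore has to defend itself: it accepts only an RFC 1918 IPv4 prefix of /16 or smaller, passes the canonical network address to nmap, and runs nmap with a fixed environment instead of the caller’s. The nmap path is the one the column uses; safeSubnet and scanCommand are this example’s names.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"os"
	"os/exec"
)

// nmapPath is the absolute path the column's wifiscan wrapper also uses;
// a set-uid binary must never search PATH for the program it runs.
const nmapPath = "/usr/local/bin/nmap"

// safeSubnet accepts only a syntactically valid IPv4 CIDR inside one of the
// RFC 1918 private ranges with a prefix of /16 or longer, so the wrapper can
// neither be pointed at Internet hosts nor used to sweep huge ranges. The
// canonical network string is returned ("192.168.0.7/24" -> "192.168.0.0/24").
func safeSubnet(arg string) (string, error) {
	ip, ipnet, err := net.ParseCIDR(arg)
	if err != nil {
		return "", fmt.Errorf("invalid CIDR %q: %w", arg, err)
	}
	ip4 := ip.To4()
	if ip4 == nil {
		return "", errors.New("only IPv4 subnets are allowed")
	}
	if !ip4.IsPrivate() {
		return "", fmt.Errorf("%s is not an RFC 1918 subnet", arg)
	}
	ones, bits := ipnet.Mask.Size()
	if bits != 32 || ones < 16 {
		return "", fmt.Errorf("prefix /%d is too broad; use /16 or smaller", ones)
	}
	return ipnet.String(), nil
}

// scanCommand builds the nmap ping-scan invocation. Because the binary runs
// as root, the environment is replaced with a minimal fixed one rather than
// inherited from whoever invoked the wrapper.
func scanCommand(subnet string) (*exec.Cmd, error) {
	s, err := safeSubnet(subnet)
	if err != nil {
		return nil, err
	}
	cmd := exec.Command(nmapPath, "-sn", s)
	cmd.Env = []string{"PATH=/usr/bin:/bin", "LANG=C"}
	return cmd, nil
}

func main() {
	subnet := "192.168.0.0/24" // same default as the column's listing
	if len(os.Args) > 1 {
		subnet = os.Args[1]
	}
	cmd, err := scanCommand(subnet)
	if err != nil {
		fmt.Fprintln(os.Stderr, "refusing to scan:", err)
		os.Exit(2)
	}
	out, err := cmd.Output()
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Print(string(out))
}
```

The two checks matter in opposite directions: the private-range test keeps a root-running tool from being turned against addresses outside the home network, and the prefix-length floor bounds how much work a single call can trigger. Anything that is not a clean CIDR, including a string with shell metacharacters appended, fails net.ParseCIDR before it gets anywhere near exec.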


Listing 1: wifiscan.go

  01 package main
  02
  03 import (
  04   "fmt"
  05   "os/exec"
  06 )
  07
  08 const subnet = "192.168.0.0/24"
  09
  10 func main() {
  11   cmd := exec.Command("/usr/local/bin/nmap", "-sn", subnet)
  12   output, err := cmd.Output()
  13   if err != nil {
  14     panic(err)
  15   }
  16   fmt.Println(string(output))
  17 }

Listing 2: w
  01 $ go build wifiscan.go
  02 $ sudo chown root wifiscan
  03 Password:
  04 $ sudo chmod u+s wifiscan
  05 $ ls -l wifiscan
  06 -rwsr-xr-x 1 root staff 2356144 May 27 11:40 wifiscan

Listing 3: parse.go

  01 package main
  02
  03 import (
  04   "bufio"
  05   "fmt"
  06   "io"
  07   "os/exec"
  08   "regexp"
  09   "time"
  10 )
  11
  12 func nmap(subnet string) (io.ReadCloser, error) {
  13   fmt.Printf("Running nmap in %s\n", subnet)
  14   cmd := exec.Command("./wifiscan")
  15   stdoutPipe, err := cmd.StdoutPipe()
  16   if err != nil {
  17     return nil, err
  18   }
  19
  20   err = cmd.Start()
  21   if err != nil {
  22     stdoutPipe.Close()
  23     return nil, err
  24   }
  25   return stdoutPipe, nil
  26 }
  27
  28 func parse(f io.ReadCloser, t time.Time, outCh chan<- Probe) error {
  29   probe := Probe{Device: Device{}}
  30   defer f.Close()
  31   scan := bufio.NewScanner(f)
  32
  33   for scan.Scan() {
  34     line := scan.Text()
  35     ipRegex := regexp.MustCompile(`Nmap scan report for ([\d\.]+)`)
  36     macRegex := regexp.MustCompile(`MAC Address: ([\w:]+) \((.*?)\)`)
  37     if matches := ipRegex.FindStringSubmatch(line); matches != nil {
  38       if probe.IP != "" {
  39         probe = Probe{Device: Device{}}
  40       }
  41       probe.IP = matches[1]
  42     } else if matches := macRegex.FindStringSubmatch(line); matches != nil {
  43       probe.Device.MAC = matches[1]
  44       probe.Device.Product = matches[2]
  45       if !t.IsZero() {
  46         probe.Timestamp = t
  47       }
  48     }
  49     if probe.IP != "" && probe.Device.MAC != "" {
  50       outCh <- probe
  51     }
  52   }
  53
  54   return scan.Err()
  55 }

This is why Listing 1 chooses the defensive approach of bundling the nmap command into a simple Go binary that does nothing other than call the network scanner in line 11. The shell commands in Listing 2 assign the built binary to the root user and use chmod to set the s bit to u+s (line 4). This allows any user to invoke the binary without using sudo, and it still runs as root. Because its code is short and manageable, this approach can be justified from a security point of view.
By the way, some devices actively hide from scanners such as nmap by blocking all port requests, leaving nmap in the dark. In this case, it helps to tap into the wireless network’s DHCP server, which can tell you which IPs it has assigned to these devices and provide the matching MAC addresses. If you also want to catch unofficial devices that simply grab an IP, you can try to sniff them out with a packet scanner such as Wireshark [1].

Washing Out the Nuggets
The nmap() function starting in line 12 of Listing 3 calls the external wifiscan program, which I just compiled, and feeds its output into a pipe, which it passes back to the caller. In parse() starting in line 28, the task is to read the results that nmap outputs line by line and to fill the structs representing the individual datapoints for each discovered host. The Probe type structure is designed to store a timestamp, the IP address of the discovered device, its MAC address, and the vendor name returned by nmap.
The for loop starting in line 33 runs through nmap’s output, stores the content of the current output line in line, and


attempts to examine its content with two regular expressions: ipRegex for the octets of IPv4 addresses and macRegex for the hex values of MAC addresses. nmap delivers these values in consecutive lines. In line 49, the simple state machine checks whether the two values are present, populates the probe type structure (defined later in Listing 4), and sends it up to the output channel (outCh), where the caller picks up the incoming objects for processing them downstream.

Object-Oriented Database
Two tables in SQLite (see Figure 2) are the obvious choice as the schema for the relational database for the measured datapoints. The first table, named probes, contains the IP addresses with timestamps along with references to entries in the devices device table, where the MAC addresses and product names of the wireless network devices are stored. This means that probes does not have to repeatedly duplicate the recurring data in the main table.
Now it wouldn’t be difficult to botch up a schema with SQL commands and insert new entries or query existing ones. A join of the two tables turns two into one, and the result would be both the metric and device data for each measured value. Instead, I’ll try

Figure 2: Two SQLite tables function as the schema for the database containing the metrics.

Listing 4: gorm.go

  01 package main
  02
  03 import (
  04   "gorm.io/driver/sqlite"
  05   "gorm.io/gorm"
  06   "time"
  07 )
  08
  09 type Device struct {
  10   ID      uint   `gorm:"primaryKey"`
  11   MAC     string `gorm:"uniqueIndex"`
  12   Product string
  13 }
  14
  15 type Probe struct {
  16   ID        uint `gorm:"primaryKey"`
  17   Timestamp time.Time
  18   IP        string
  19   DeviceID  uint
  20   Device    Device `gorm:"foreignKey:DeviceID"`
  21 }
  22
  23 type DB struct {
  24   DB *gorm.DB
  25 }
  26
  27 func NewDB() (*DB, error) {
  28   db, err := gorm.Open(sqlite.Open("wifiwatch.db"), &gorm.Config{})
  29   if err != nil {
  30     return nil, err
  31   }
  32
  33   err = db.AutoMigrate(&Device{}, &Probe{})
  34   if err != nil {
  35     return nil, err
  36   }
  37
  38   return &DB{DB: db}, nil
  39 }
  40
  41 func (db *DB) Add(ip, mac, product string, timestamp time.Time) error {
  42   var device Device
  43   res := db.DB.Where(&Device{MAC: mac}).
  44     Attrs(Device{Product: product}).
  45     FirstOrCreate(&device)
  46   if res.Error != nil {
  47     return res.Error
  48   }
  49
  50   probe := Probe{
  51     Timestamp: timestamp,
  52     IP:        ip,
  53     DeviceID:  device.ID,
  54   }
  55   return db.DB.Create(&probe).Error
  56 }
  57
  58 func (db *DB) Probes() ([]Probe, error) {
  59   subquery := db.DB.Table("probes").
  60     Select("min(rowid), *").
  61     Group("IP, device_id")
  62
  63   var probes []Probe
  64   err := db.DB.Preload("Device").
  65     Table("(?) AS sub_probes", subquery).
  66     Find(&probes).Error
  67   if err != nil {
  68     return nil, err
  69   }
  70
  71   return probes, nil
  72 }


something different. Other languages feature object-relational mappers (ORMs) that convert data structures into relational database models in more or less elegant ways. To do this, the mappers run the required SQL commands under the hood without the user having to worry about them. Let’s see what Go offers in this respect.
To do this, the gorm library from GitHub uses Go structures such as Device and Probe in Listing 4 and examines their tags for clues to how the individual fields will appear in the database later. For example, the numeric field ID in line 10 with `gorm:"primaryKey"` shows the mapper that the id column in the devices table (automatically derived from the lowercase plural of the Device structure name) acts as the primary key. Later on, the SQLite engine converts this into an integer value that is automatically incremented for each new row that is inserted.

Definitely Fast
The uniqueIndex tag of the MAC field in the Device structure in line 11 stipulates that the mac table column of the devices table must contain unique values later. This speeds up the search for devices that may already be registered. Two hints are then needed for gorm to link the two tables, probes and devices, to allow the use of a foreign key in SQLite later to reference a device in devices from a row in probes. Firstly, the Probe structure starting in line 15 is given a field of the type Device, and secondly, the foreignKey:DeviceID tag stipulates that the foreign key in probes must be taken from the device_id column. The conversion from uppercase to lowercase and CamelCase to underscore takes place automatically like in comparable ORMs.
These definitions alone enable the ORM to create the required database tables with AutoMigrate() in line 33 and to execute elegant object-oriented Create/Read/Update/Delete (CRUD) functions under the hood later. The .schema command in the SQLite shell in Figure 3 shows us that the SQLite engine has now actually created the tables after the first program run.

Objects to Tables
The Add() function starting in line 41 in Listing 4 adds a new datapoint to the wifiwatch.db database. It expects a discovered device’s IP address, its MAC and vendor name, and a timestamp. Line 43 then uses Where() to search for a potential device entry already existing in the devices table and uses FirstOrCreate() to return a device that has already been found or creates a new one. Armed with the device entry, line 50 then creates a new structure of the Probe type and calls Create() in line 55 to inject it into the database. All of this takes place quickly without using SQL directly.
The gorm package is not even fazed by more complicated queries. The Probes() function starting in line 58 is designed to return all datapoints for which the IP has changed for a MAC address. This saves the display from having to deal with countless identical results later; although they exist in the database, they are irrelevant because the IP address was exactly the same as the first time.
Packing this into traditional SQL requires the subquery starting in line 59,

Figure 3: The monitor metrics are stored in an SQLite database.
Figure 4: The tree() function returns historical IP addresses of devices on the wireless network.

LINUX-MAGAZINE.COM ISSUE 287 OCTOBER 2024 61


IN-DEPTH
Programming Snapshot – Go WiFi Monitor

which only returns the first match for a results from the join of both tables with Google router in first place, an intelligent
group of unique IPs for a device entry Find(&probes) later. Pure magic! remote control (Logitech) in second
using min(rowid) as a trick. Line 65 uses place, a surveillance camera (Smart In-
the virtual sub_probes table to nest this Tree on the Terminal novation) in third place, and the recently
subquery within the main query. The Based on the scan results stored in the introduced Ulanzi display [2] (listed
main query’s ORM interface has already database, the tree() function starting in under its network card brand Expressif)
called preload("Device") to join the line 9 of Listing 5 displays the historical in fourth place. The latter apparently
probes and devices tables up front. This activity on the wireless network as a tree refreshed its IP from *.22 to *.23 on
means that gorm only has to collect the in the terminal (Figure 4). You can see the 29.5.2024. Big brother is truly watching!

Listing 5: tree.go

01 package main
02
03 import (
04   "fmt"
05   "github.com/gdamore/tcell/v2"
06   "github.com/rivo/tview"
07 )
08
09 func tree() {
10   db, err := NewDB()
11   if err != nil {
12     panic(err)
13   }
14
15   root := tview.NewTreeNode("Wifiwatch v1.0").SetColor(tcell.ColorRed)
16   tree := tview.NewTreeView().SetRoot(root).SetCurrentNode(root)
17   oldMAC := ""
18   var node *tview.TreeNode
19
20   probes, err := db.Probes()
21   if err != nil {
22     panic(err)
23   }
24
25   for _, p := range probes {
26     if node == nil || oldMAC != p.Device.MAC {
27       node = tview.NewTreeNode(fmt.Sprintf("%s %s", p.Device.Product, p.Device.MAC))
28       root.AddChild(node)
29       node.SetColor(tcell.ColorGreen)
30     }
31
32     n := tview.NewTreeNode(fmt.Sprintf("%s %s", p.IP, p.Timestamp))
33     node.AddChild(n)
34     oldMAC = p.Device.MAC
35   }
36
37   err = tview.NewApplication().SetRoot(tree, true).Run()
38   if err != nil {
39     panic(err)
40   }
41 }

Listing 6: wifiwatch.go

01 package main
02
03 import (
04   "flag"
05   "time"
06 )
07
08 func main() {
09   update := flag.Bool("update", false, "update db")
10   flag.Parse()
11
12   if *update {
13     updater()
14     return
15   }
16   tree()
17 }
18
19 func updater() {
20   db, err := NewDB()
21   if err != nil {
22     panic(err)
23   }
24
25   f, err := nmap("192.168.0.0/24")
26   if err != nil {
27     panic(err)
28   }
29
30   ch := make(chan Probe)
31   go func() {
32     err = parse(f, time.Now(), ch)
33     if err != nil {
34       panic(err)
35     }
36     close(ch)
37   }()
38
39   for probe := range ch {
40     db.Add(probe.IP, probe.Device.MAC, probe.Device.Product, probe.Timestamp)
41   }
42 }


Listing 7: wifiwatch.build

$ go mod init wifiwatch
$ go mod tidy
$ go build wifiwatch.go gorm.go parse.go tree.go

The tview library, which is available from GitHub, draws the tree graphics. An object of type TreeView is used for the display; the tree itself consists of nodes of the TreeNode type. The for loop starting in line 25 iterates over all sorted and condensed values from the database, storing the previous device address it processed in oldMAC. In case of a new MAC in the probe, line 26 detects that the value has changed from the previous round, and line 27 calls NewTreeNode() to create a new branch in the tree for the new device. However, if this happens to still be the device from the last pass, but with a new IP address, the branch remains the same and the new IP is written in white as a new leaf below the existing branch.

Line 37 launches the application UI with Run() and executes it until the user presses Ctrl+C.

After starting, the main program in Listing 6 examines its command-line parameters to check whether the user wants to show the device tree or add new measurements from an nmap run. With --update set, it calls the updater() function starting in line 19, which in turn calls the nmap() function triggering the wifiscan Nmap wrapper and returning a pipe in f with the incoming lines of monitoring data.

Line 32 passes this pipe to the parse() parser from Listing 3 in a Goroutine that runs in parallel. The parser creates Probe objects from nmap’s output and sends them to the assigned ch output channel. The execution thread uses a for loop in line 39 to read the objects from the channel. Line 40 uses Add() to insert each datapoint obtained in this way into the database. However, if the user calls wifiwatch without any parameters, the user gets to see the tree with the acquired results, with a call to tree() in line 16 launching the terminal UI from Listing 5.

Called with the typical three steps in Listing 7, the Go compiler cobbles together all the sources for this month’s column to create the wifiwatch binary after retrieving and precompiling all the third-party libraries from GitHub.

When called with the --update flag, wifiwatch starts the previously compiled wifiscan with its setuid bit and scans the network as root. The results keep trickling into the wifiwatch.db database. Subsequent calls of wifiwatch without parameters read the database values and display devices and their historical IPs in tree form in the terminal. The Ctrl+C keyboard shortcut terminates the program. It sure feels good to know what is going on.

Info
[1] Wireshark: https://www.wireshark.org
[2] “Flashing and Programming an LED Display” by Mike Schilli, Linux Magazine, issue 281, April 2024, pp. 50-55
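To make the channel pipeline of updater() in Listing 6 and the condensation that Probes() performs tangible without gorm or a database, here is an added example that is not code from the column: a producer goroutine feeds Probe values into a channel the way updater() does, condense() keeps the first probe per (MAC, IP) pair like the min(rowid) subquery, and ipHistory() groups the result per device the way tree() builds its branches. The Device and Probe shapes, the "MAC IP Product" line format, and the sample lines are assumptions of this example.

```go
package main

import (
	"fmt"
	"sort"
)

// Device and Probe follow the shape of the column's gorm.go structures
// (assumed here; only the fields that tree() displays are included).
type Device struct {
	MAC     string
	Product string
}

type Probe struct {
	ID     uint // stands in for SQLite's rowid
	IP     string
	Device Device
}

// scanPipeline mimics updater() in Listing 6: a producer goroutine turns
// scan lines into Probe values and closes the channel when done, while the
// caller drains it. The "MAC IP Product" line format is constructed here.
func scanPipeline(lines []string) []Probe {
	ch := make(chan Probe)
	go func() {
		defer close(ch) // without the close the consumer below blocks forever
		for i, l := range lines {
			var mac, ip, product string
			if _, err := fmt.Sscanf(l, "%s %s %s", &mac, &ip, &product); err != nil {
				continue // skip a malformed line instead of aborting the scan
			}
			ch <- Probe{ID: uint(i + 1), IP: ip, Device: Device{MAC: mac, Product: product}}
		}
	}()
	var probes []Probe
	for p := range ch {
		probes = append(probes, p)
	}
	return probes
}

// condense keeps, for each (MAC, IP) pair, only the probe with the lowest
// ID, i.e. the first time the device was seen with that address. This is
// the in-memory equivalent of the min(rowid) subquery behind Probes():
// a repeat with an unchanged IP is dropped, and so is a device that returns
// to an IP it already had, because that group already has a first match.
func condense(probes []Probe) []Probe {
	first := map[[2]string]Probe{}
	for _, p := range probes {
		key := [2]string{p.Device.MAC, p.IP}
		if cur, ok := first[key]; !ok || p.ID < cur.ID {
			first[key] = p
		}
	}
	out := make([]Probe, 0, len(first))
	for _, p := range first {
		out = append(out, p)
	}
	// Sort by MAC, then by insertion order, so that consecutive probes of
	// one device end up under one tree branch, as tree() expects.
	sort.Slice(out, func(i, j int) bool {
		if out[i].Device.MAC != out[j].Device.MAC {
			return out[i].Device.MAC < out[j].Device.MAC
		}
		return out[i].ID < out[j].ID
	})
	return out
}

// ipHistory groups the condensed probes per MAC, one entry per historical
// IP in the order the device was first seen with it: the branches and
// leaves that tree() in Listing 5 draws.
func ipHistory(probes []Probe) map[string][]string {
	hist := map[string][]string{}
	for _, p := range condense(probes) {
		hist[p.Device.MAC] = append(hist[p.Device.MAC], p.IP)
	}
	return hist
}

// Constructed scan output: the display moves from .22 to .23 and back,
// the router is reported twice with the same IP, one line is garbage.
var sampleScan = []string{
	"aa:bb:cc:00:00:01 192.168.0.1 Google",
	"aa:bb:cc:00:00:02 192.168.0.22 Espressif",
	"aa:bb:cc:00:00:01 192.168.0.1 Google",
	"aa:bb:cc:00:00:02 192.168.0.23 Espressif",
	"aa:bb:cc:00:00:02 192.168.0.22 Espressif",
	"garbage",
}

func main() {
	for mac, ips := range ipHistory(scanPipeline(sampleScan)) {
		fmt.Println(mac, ips)
	}
}
```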
MAKERSPACE Coin Counter

Parking meters and vending machines detect and count the coins you insert, but how do they work? We’ll show you how to mimic the functionality with some particleboard, a Raspberry Pi Pico, a few extra chips, and some Python code. By Christopher Dock

Counting coins is a problem that was solved decades ago, but I was wondering whether I could come up with a solution of my own. While I may not have the same set of sophisticated tools that a parking meter manufacturer has, it should certainly be possible to create an electronic coin counter using just a Raspberry Pi Pico and some common components. Writing software that can count is trivial, but how do you detect what type of coin was inserted? If you assume that only legal US coins will be used, the easiest way to recognize them is by measuring their diameter. Table 1 lists the diameters of US coins, both in millimeters and in inches [1].

I decided to sort the coins using different sized slots. The coins roll down a small ramp and pass several cut-out slots. If the coin is the correct size, it falls through the slot. The required width of the slot depends on how fast the coin is rolling past, whereas the height of the slot needs to be slightly larger than the actual coin while still being smaller than the next largest coin. In my case, the slots were approximately twice the width of the coin (see Figure 1).

Table 1: Diameters of US Coins
Coin      Metric     Imperial
Penny     19.05mm    0.75in
Nickel    21.21mm    0.835in
Dime      17.91mm    0.705in
Quarter   24.26mm    0.955in

Lead Image © Andrey Burmakin, 123RF.com

Figure 1: Each coin slot needs the right height and width so that coins will fall through the correct slots.


It is not difficult to draw a small rectangle, but it is tricky to try and cut it out with straight edges that accurately follow the rectangle. Making a cardboard prototype was no problem, but it took some more effort to cut the slots out of particleboard.

The ramp that the coins roll down needs to be slightly tilted to one side (see Figure 2). This tilt fulfills two functions: First, it ensures that the coin will fall through when it reaches the correct slot. Second, it creates friction that prevents the coin from racing down the ramp at full speed and overshooting the correct coin slot. The ramp has a 10 percent slope, and the entire board is tilted 10 percent. The only problem with this ramp is that it should have had more space above each of the coin slots. I had originally planned to have a small strip of wood across the top. However, because the board was not tall enough, it prevented quarters from fitting through.

Figure 2: Gravity will make coins roll down this ramp.

Recognizing Coins

This particleboard structure can be used to separate the coins into their individual slots, but it does not count them. Counting requires detecting when a coin falls through a slot. This can be done using a TCRT5000 module [2] which uses an infrared (IR) sensor to sense distance and color. The module includes both an IR transmitter and a receiver. It continuously generates an infrared signal. When an object is present, the signal reflects and the IR receiver detects it. The value is read directly from the pin without needing to use either I2C or SPI. (See the “TCRT5000 Variations” box about two types of TCRT5000 chips.)

Each coin slot must be fitted with a TCRT5000 module (Figure 3) and the main software loop will check each module to see if it has detected a coin. The TCRT5000 is a very simple device. Unlike other I2C devices, it requires no setup. Simply apply power and read the data pin. The downside is that it has no memory – it is a “dumb” device. The module needs to be polled to detect a coin falling through the slot, and once it has detected a coin, continuous polling must go on until the coin has cleared the detector.

TCRT5000 Variations

During this project, I discovered that there are two different types of the TCRT5000 chip. I have used the module with three pins: power, ground, and data out. The three-pin module returns 1 when the object is detected and 0 when no object is detected.

There is also a four-pin module which returns both an analog and a digital value when an object is detected. The four-pin module is often used in line-following robots but can also be used for collision detection.

Figure 3: A TCRT5000 module has been affixed below each coin slot.

Displaying Amounts

A coin counter is not very useful if it cannot display the amount counted. To output the values of the coins counted I used a four-digit seven-segment display: That is perfect for numbers as it can display up to four digits but it is also possible to add a decimal point to the right of any of the digits.

The seven-segment display has this name because it composes each digit of seven individual lines (Figure 4, left) each of which can be turned on or off. Those seven lines are enough to form the digits 0 through 9. If you accept a mixed usage of uppercase and lowercase characters, you can also show hexadecimal digits A through F (Figure 4, right). With clever usage, you can write simple words, such as CLOSE or PAUSE. These displays are common in consumer electronics such as microwaves and DVD players. Some letters need a little creativity, for example it is hard to show an “M” with only seven segments.

There are two common types of seven-segment display. The first one is a sophisticated I2C controlled module. Such a device supports the I2C protocol, a small bit of memory, an address (by which it can be individually referenced), and quite often also a multiplexer chip that controls the display. When you use this kind of module you can simply pass the value you want to display to the module with a specific address. Each display has its own address, so multiple identical displays can be easily controlled.


Electronic Paper Screens

Displaying the total amount is the minimum required functionality for a coin counter. I thought it might also be interesting to display coin counts or perhaps display a picture of the coin being processed. Initially, I used a tiny electronic paper screen for showing this information. The reason I did not use it after basic prototyping was the relatively slow refresh rate. Several coins could roll through the counter before the display fully displayed a coin image.

Figure 4: A seven-segment display for one digit, with segment names.

The second type is simpler: It is made up of the display and a lot of pins to control each segment. There is no controller that translates digits to on/off states of segments. For this project, I’ve used this type of seven-segment display.

The four-digit display that I’ve used is controlled with just twelve pins. Of the first eight pins, each one controls one of the segments as well as the decimal point. The remaining four pins control which of the four digits is active. This is similar to writing to memory with a 4-bit address bus and 8-bit data bus. It is possible to have more than one of the four digits active, but all four digits use the exact same seven inputs. You can display different values across the four digits by activating each digit for a brief amount of time, such as a few milliseconds. If you do this for all of the digits repeatedly, you will see a full four-digit number due to persistence of vision (POV): The eye perceives images for longer than their actual durations. Thus, when you display all the digits really fast, the image will remain on the retina and it will appear to the observer that all digits are on simultaneously. (See the “Electronic Paper Screens” box for an alternative to seven-segment displays.)

A Few Lines of Python

The initialization of the coin counter (Listing 1) is not very complex even though it consists of a microcontroller, a four-digit seven-segment display, and a custom printed circuit board (PCB):

• Connect the data pin of each of the four TCRT5000s to the Pi Pico. Each device is assigned to a Pin object associated with one of the coin slots and given a user-friendly name (lines 7-10).
• The 12 pins of the seven-segment display can be grouped roughly into two sets for individual segments (“data bus”) and for digit selection (“address bus”). Each of those is directly assigned to a Pi Pico pin, again using Pin objects (lines 13-26), and will be used to directly control segments or digits on the display.
• One important step is to initialize all variables to a known state. This is especially true for the pins that are connected to the seven-segment display. This initialization has to take place just once, but it is cleaner to put it into separate functions (lines 29-35).

Listing 1: Initialization of All Devices

01 from time import sleep_ms
02 from machine import Pin
03
04 OnboardLedPin = Pin(25,Pin.OUT)
05
06 # sensors
07 quarters = Pin( 8,Pin.IN)
08 nickels = Pin( 9,Pin.IN)
09 pennies = Pin(10,Pin.IN)
10 dimes = Pin(11,Pin.IN)
11
12 # "address bus": select the digit
13 segment_dollartens = Pin(27,Pin.OUT)
14 segment_dollarone = Pin(26,Pin.OUT)
15 segment_centtens = Pin(22,Pin.OUT)
16 segment_centone = Pin(28,Pin.OUT)
17
18 # "data bus": control a segment
19 segment_dp = Pin(16,Pin.OUT)
20 segment_c = Pin(17,Pin.OUT)
21 segment_g = Pin(18,Pin.OUT)
22 segment_a = Pin(19,Pin.OUT)
23 segment_f = Pin(20,Pin.OUT)
24 segment_b = Pin(21,Pin.OUT)
25 segment_d = Pin(14,Pin.OUT)
26 segment_e = Pin(15,Pin.OUT)
27
28 # initialization
29 def alldigitsoff():
30     segment_dollartens.low()
31     segment_dollarone.low()
32     segment_centtens.low()
33     segment_centone.low()
34
35 def allsegmentsoff():
36     segment_a.high(); segment_b.high()
37     segment_c.high(); segment_d.high()
38     segment_e.high(); segment_f.high()
39     segment_g.high()

Listing 2: Display Number 6

def draw_6():
    segment_a.low()
    segment_f.low()
    segment_g.low()
    segment_e.low()
    segment_c.low()
    segment_d.low()

A lot of the code for this project is for displaying individual digits on the seven-segment display. Listing 2 contains the


draw_6 function, which displays the number 6 by activating segments A, F, G, E, C, and D (in this order). The program contains similar functions for the other numbers, which are not being printed in the article.

My particular seven-segment display is a common anode so the segments that make up the digit receive power from the Pi Pico, and the pins that select the digit act as ground, completing the circuit.

The real heart of the coin counter code is the function coincounter, as shown in Listing 3. It runs an infinite loop and continuously checks whether any coins are falling through one of the coin slots. The code is fairly repetitive, as each of the four coins is processed in the same way (lines 8-23). For example, when the function detects a quarter (line 8), it will enter an inner loop for further processing. It takes a short period of time for a coin to fall through the slot past the sensor, thus it is necessary to wait for the currently detected coin to move out of sensor range (line 9). In lines 10 and 11, I increase the number of quarters and the total amount (in cents).

Listing 3: Counting Coins and Calculating the Total

01 def coincounter():
02     quarter_cnt = 0; dime_cnt = 0; nickel_cnt = 0;
03     penny_cnt = 0; total = 0
04
05     i = 1 # loop counter
06     while (i < 300):
07         drawdigits(total)
08         if quarters.value() == 1:
09             while quarters.value() == 1: sleep_ms(1)
10             quarter_cnt = quarter_cnt + 1
11             total = total + 25
12         if dimes.value() == 1:
13             while dimes.value() == 1: sleep_ms(1)
14             dime_cnt = dime_cnt + 1
15             total = total + 10
16         if nickels.value() == 1:
17             while nickels.value() == 1: sleep_ms(1)
18             nickel_cnt = nickel_cnt + 1
19             total = total + 5
20         if pennies.value() == 1:
21             while pennies.value() == 1: sleep_ms(1)
22             penny_cnt = penny_cnt + 1
23             total = total + 1
24
25         if (i % 100 == 0): print(i)
26         # uncomment for limited runs
27         # i = i + 1

At the start of each outer loop, I call the drawdigits function, which then displays the current value of total via the seven-segment display. It splits the total amount counted so far (which is the number of cents) into left and right digits of dollar and cent amounts (lines 5-8 of Listing 4). For example, if total is 123 which corresponds to $1.23, then I need to display 0, 1, 2, 3 from left to right, and I set

dollartens = 0; dollarones = 1
centtens = 2; centones = 3

The rest of the function repeatedly displays each digit in turn (lines 12-16). Initially the total amount will not be greater than 999 ($9.99), so the digit for tens of dollars (on the very left) is only shown when we have to (lines 15-16). The function drawsingledigit (Listing 5) will then activate the given digit (for example segment_dollarone) and call the appropriate draw_? function for the value that needs to be displayed (in the example: dollarones).

Listing 4: Updating the Seven-Segment with Totals

01 # get each of the digits, display each one briefly,
02 # do it 20 times.
03 def drawdigits(amount):
04     # get amount digits, right to left
05     centones = amount % 10; amount //= 10
06     centtens = amount % 10; amount //= 10
07     dollarones = amount % 10; amount //= 10
08     dollartens = amount % 10
09
10     showtime = 1
11     for count in range(20):
12         drawsingledigit(centones, segment_centone, showtime, False)
13         drawsingledigit(centtens, segment_centtens, showtime, False)
14         drawsingledigit(dollarones, segment_dollarone, showtime, True)
15         if dollartens > 0:
16             drawsingledigit(dollartens, segment_dollartens, showtime, False)

Listing 5: Drawing a Digit

01 # display a digit for duration milliseconds; dp lights the decimal
02 # point after it (the fourth argument that Listing 4 passes)
03 def drawsingledigit(numberdig, whichdigit, duration, dp):
04     functlist = [draw_0,draw_1,draw_2,draw_3,draw_4,
05                  draw_5,draw_6,draw_7,draw_8,draw_9]
06     whichdigit.high() # select the position
07     allsegmentsoff()
08     # select the right draw_? function
09     draw_x = functlist[numberdig]
10     draw_x()
11     if dp: segment_dp.low()   # common anode: low lights the segment
12     else: segment_dp.high()
13     sleep_ms(duration)        # imported in Listing 1 from the time module
14     whichdigit.low()

Putting It All Together

Each of the four TCRT5000 modules needs three connections and the four-digit seven-segment display requires 12


connections to the Pico to control the input and output. Using a microcontroller such as the Raspberry Pico is quite easy in small projects, but due to all of the required connections this would lead to a rat’s nest of wires that can be difficult to organize or hide. I have designed a small PCB using the open source KiCad electronic design tool [3]. My PCB holds the Pico and the seven-segment display in place, and all TCRT5000 modules can be connected to this board (see Figure 5). This gives a much cleaner look as well as improved reliability because jumper wires don’t always make the best connection on breadboards and can cause some or all of the project to cease working.

Figure 5: This PCB simplifies the setup of all components of the coin counter.

Despite taking the greatest of care, the coin counter is not quite perfect. In my tests, about two percent of the coins went down the chute without being counted. This only occurred at the quarter slot, and it seems to be caused by the sensor placement. Coins fall through the chute in slightly different ways depending on the speed they are traveling down the ramp. This makes the placement of the sensor tricky. Old coins can cause problems, as they tend to have deformities or oxidation buildup. This can cause the coin to stop before it reaches the correct chute. This problem is most likely caused by using wood: While it does not add too much friction for fresh coins, it does in the case of deformed and dirty coins.

Creating the coin counter (see Figure 6 for the final working model) with these materials was fine for a prototype, but a 3D printer would allow for more precision, which should lead to far more accurate results. Using a 3D printer could reduce any friction and guarantee coin slots that are much closer to the ideal size. This has been a fun project, but it allows a glimpse into why commercial products may create several different prototypes during their design phase. The placement of the various components could be improved. For example, if I were to design a second prototype, I could make the board with the ramp a bit taller so that the coin slot can be the size of a quarter. I am happy with my choice of acrylic glass, as it shows off the inner workings. The goal was to demystify electronics and perhaps inspire my nieces to delve into electronics or software development.

Figure 6: See the final coin counter in action: It sorts and counts the coins.

Info
[1] US Coin Specifications: https://www.usmint.gov/learn/coin-and-medal-programs/coin-specifications
[2] TCRT5000 IR sensor: https://www.elprocus.com/tcrt5000-ir-sensor/
[3] KiCad: https://www.kicad.org/

Author
Christopher Dock is a senior consultant for site services at T-Systems. When he is not working on integration projects, he likes to experiment with Arduino and Raspberry Pi. He is the author of Getting Started with Arduino and Raspberry Pi.
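As an added example that is not part of the article, the following hardware-free Python rendition replays the polling loop of Listing 3 and the digit split of Listing 4 against a scripted stand-in for machine.Pin, so the once-per-coin counting (spin until the sensor reads 0 again) can be checked on a desktop. FakePin, the sensor traces, and run_sample() are constructed for this example.

```python
"""Hardware-free rendition of the counting loop (Listing 3) and the digit
split (Listing 4). FakePin stands in for machine.Pin and replays a scripted
sequence of TCRT5000 readings; everything here is constructed for this
example and is not the article's code."""

COIN_VALUES = {"quarters": 25, "dimes": 10, "nickels": 5, "pennies": 1}


class FakePin:
    """Replays a list of 0/1 readings in place of a TCRT5000 data pin.
    Once the script is exhausted the last reading is held, so every trace
    must end in 0 or the inner wait loop in count_coins() never returns."""

    def __init__(self, readings):
        self._readings = list(readings)
        self._i = 0

    def value(self):
        v = self._readings[min(self._i, len(self._readings) - 1)]
        self._i += 1
        return v


def split_digits(amount):
    """Split a cent total into (dollartens, dollarones, centtens, centones)
    the way lines 5-8 of Listing 4 do, e.g. 123 -> (0, 1, 2, 3)."""
    centones = amount % 10; amount //= 10
    centtens = amount % 10; amount //= 10
    dollarones = amount % 10; amount //= 10
    dollartens = amount % 10
    return dollartens, dollarones, centtens, centones


def count_coins(sensors, polls):
    """Run `polls` iterations of the Listing 3 loop over the FakePins in
    `sensors` (keyed like COIN_VALUES) and return (counts, total_cents).
    A coin is counted once per detection: after the first 1 reading the loop
    spins until the sensor reads 0 again, so a slow coin that keeps the
    sensor covered for several polls is still a single coin."""
    counts = {name: 0 for name in sensors}
    total = 0
    for _ in range(polls):
        for name, pin in sensors.items():
            if pin.value() == 1:
                while pin.value() == 1:
                    pass  # the Pico code calls sleep_ms(1) here
                counts[name] += 1
                total += COIN_VALUES[name]
    return counts, total


def run_sample():
    """Constructed traces: a quarter that covers its sensor for four polls,
    two dimes separated by a gap, an idle nickel slot, and one penny."""
    sensors = {
        "quarters": FakePin([0, 1, 1, 1, 1, 0, 0, 0, 0, 0]),
        "dimes":    FakePin([0, 0, 1, 0, 0, 1, 1, 0, 0, 0]),
        "nickels":  FakePin([0] * 10),
        "pennies":  FakePin([0, 0, 0, 0, 0, 0, 0, 0, 1, 0]),
    }
    return count_coins(sensors, polls=10)


if __name__ == "__main__":
    counts, total = run_sample()
    print(counts, "total: $%d.%02d" % (total // 100, total % 100))
    print("digits shown:", split_digits(total))
```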



PiJuice Zero MAKERSPACE

MakerSpace
PiJuice HAT for battery-powered Pi Zero

Out in Space

The Raspberry Pi Zero is a frugal little computer. But without a power socket, you might be surprised how quickly it can drain a battery. Active power management is the order of the day. By Bernhard Bablok

A Raspberry Pi Zero (W) can require upwards of 100mA – depending on what it is doing. This may not sound like much at first, but given a standard industrial LiPo cell rated at 2,200mAh, that computer won’t even last a day. This makes it all the more important to use the battery’s energy sparingly. HATs (Hardware Attached on Top) by PiJuice, which have been around for some time, have the circuitry to help you do this. In this article, we take a look at the PiJuice Zero [1], a pHAT that is optimized for the Raspberry Pi Zero (Figure 1).

Use Cases

But first, let’s take a brief look at potential application scenarios for a power management HAT: A Raspberry Pi that is connected to a power outlet but needs to run continuously requires UPS protection (UPS being an uninterruptible power supply). If worst comes to worst, the back-up battery can step in at lightning speed and bridge the gap until the power grid is available again.

A second use case is in normal battery-based operation, for example when the Pi is running far away from civilization. The HAT must supply the board with a stable voltage, even if the battery voltage gradually drops. Ideally, the HAT also measures the charge status and reports it to the Pi. A monitoring program can then shut down the computer in good time, which in turn protects the battery from deep discharge. In both examples, there is also a requirement for sophisticated charging management. Instead of replacing the battery, in the second case a solar panel typically recharges the battery, while the UPS uses the power grid for this task.

Finally, the HAT must also be able to disconnect the Raspberry Pi from the power supply after shutdown, because all Pis prior to the Pi 5 still consume far too much power even after shutdown. Similarly, an automatic wake-up (which means reconnecting the battery) may be

Lead Image © Anton Brand, 123RF.com

Figure 1: The PiJuice Zero HAT helps a Pi Zero with power management.


necessary, for example, timer-controlled at sunrise or when the battery is recharged. A Pi that runs for one hour a day instead of 24x7 will extend battery life from less than one day to almost three weeks.

Setup and Commissioning

Important information for a quick start can be found in the Quick Start Guide [2], while a detailed description of the hardware and software is available from the manufacturer’s GitHub repository [3]. You will need a suitable rechargeable battery for the pHAT; connect it to the matching socket on the right (with pins marked VBAT, GND, and NTC; see Figure 1). The pHAT supports batteries with a built-in thermistor. If the battery becomes too hot during charging, the HAT switches off for safety reasons.

However, protected batteries are not necessarily easy to buy – of the usual suspects, only Conrad had them on offer in my country. No one here sells the manufacturer’s original batteries; the only source of supply we were able to find in the EU was Botland.de, a Polish distributor. Fortunately, the thermistor is optional, and batteries without this protection work just as well. Nevertheless, protection is recommended for unmonitored long-term use.

Apart from this hurdle, commissioning the basic functionality is child’s play: Just connect the HAT to the Pi and the battery to the HAT. If the Raspberry Pi is connected to the mains, you can use its micro USB socket and the matching socket on the HAT. As an alternative to the USB socket on the HAT, you can use the J4 connection directly to the right of it: You can feed in up to 10V that way, which is ideal for connecting solar panels.

Pressing the SW1 button on the left-hand side of the pHAT tells it to switch the power on. Pressing and holding it for 20 seconds triggers a hard power down. The system shuts down after 10 seconds, provided that you installed the appropriate software. Connection J5 for an additional button (called SW2 in the software) is located slightly lower down.

The P3 header also plays an interesting role. You could connect your own microcontroller here, or even just a sensor that can communicate with the chip on the HAT via the two IO1/IO2 pins. A microcontroller could even control the wake-up function via the IO2 pin if required.

Software

The basic functions such as UPS or battery operation are completely autonomous, irrespective of whether you install the additional software. However, the software offers options that can turn out to be essential, or simply more practical, for many applications. A clean shutdown at the push of a button is just one of many features. For example, you can use the software to configure the buttons if you want to reduce the button hold time for shutdown compared with the default.

The software is open source and available on GitHub [3]. You do not need to download and install it manually, because it is also included in the operating system’s standard package sources. The packages you need are pijuice-base (which is required for headless operation) and pijuice-gui.

The GUI app has been excellently integrated into the desktop, and that includes an area in the status bar (Figure 2). The battery status is shown on the left, and the icon to the right launches the GUI. The user interface itself is made up of a series of tabs, each of which configures different aspects. As an example, Figure 3 shows wake-up time configuration. But be careful: Times must be configured in UTC.

In headless mode, you can use a terminal-based, menu-driven configuration program (Figure 4). But there is not much cause for you to rely on this, because you can choose either a Python module for integration with your own programs or a command-line tool for querying and changing important values. Alternatively, you can create a configuration on a Pi with a desktop, save it to a file, and then

Figure 2: The PiJuice GUI application adds icons to the desktop’s status bar.

Figure 3: In the GUI configuration program, you can define wake-up times, for example.

Figure 4: A terminal-based configuration tool lets you use headless Pis, too.


load it on the headless computer. The command line helps you with handling the last two steps. All of this is exemplary and leaves nothing to be desired.

Although the manufacturer has thought of everything, the software falls short of perfection. This is partly due to the nature of the matter: The hardware is complex and has many functions. It is not always possible to reflect this consistently in the software. While there is a detailed description of each setting, it is not always clear what exactly it will do. But this is nit-picking, considering the fact that other hardware manufacturers often leave users out in the cold without any documentation. I would recommend planning some time for the configuration work and extensive testing of your use case.

Test Run and Conclusion

The pHAT completed a small trial run with power cuts, time-controlled wake-up, and charging of the LiPo cell without any problems. The current consumption from the battery when switched off and without USB was approximately 0.5mA, which matches the data from the documentation. The only problem was current peaks that cause a sudden voltage drop – the HAT was unable to absorb them via the LiPo cell. In other words, the PiJuice cannot work miracles.

As expected, a circuit board with so many components is not cheap. The pHAT comes at £30 / $38 (plus VAT). There is also a larger HAT for regular Raspberry Pis that will set you back £70 / $90 (plus VAT) [4]. It comes with a battery which puts the price difference into perspective. You should also consider delivery charges. But price alone is not the decisive factor – having a working overall system consisting of hardware, software, and additional components is more important. The manufacturer not only sells its HATs, but also matching batteries and solar panels. Even if you go for a complete system, the price is still likely to be south of £150 or $200.

If you only need a subset of the functions, you can shop around for cheaper alternatives. There is a whole range of UPS and RTC HATs with wake-up function. With all these HATs and breakouts on offer, you will definitely want to take a look at the software before you buy. This is what separates the wheat from the chaff, and the best HAT is ultimately of no use to you if the software does not support your specific use case.

Info
[1] PiJuice Zero pHAT: https://uk.pi-supply.com/products/pijuice-zero
[2] Quick Start Guide: https://learn.pi-supply.com/make/pijuice-zero-quick-start-guide/
[3] GitHub repository: https://github.com/PiSupply/PiJuice
[4] PiJuice HAT: https://robosavvy.co.uk/pijuice-hat-raspberry-pi-portable-power-platform.html

Author
Bernhard Bablok retired from Allianz Technology SE as an SAP HR developer. When he is not listening to music, riding his bike, or walking, he focuses on Linux, programming, and small computers. You can reach him on [email protected].
INTRODUCTION LINUX VOICE

Web-based mapping is one of the most significant developments of the Internet era. Travelers routinely venture forth without a map in their pocket – it is all online and accessible through a handy mapping app. Vendors such as Apple and Google like to position themselves as the gateway to this trove of geographical data, but the open source community has its own solution: OpenStreetMap, a powerful application built by a community of mappers, developers, and users around the world. This month we help you get started with open source mapping and OpenStreetMap. Also in this month’s Linux Voice, we introduce you to the Netcat networking tool and its souped-up counterpart Socat.

Image © Olexandr Moroz, 123RF.com

Doghouse – High-Level Languages 74
Jon “maddog” Hall
With all the benefits of high-level languages, there’s still good value in learning assembly and machine level languages today.

Netcat and Socat 75
Thomas Reuß
Netcat is the Swiss Army knife of networking for admins. Socat takes this principle one step further, offering multiplexing, TLS-secured channels, pipes, Unix sockets, and executables.

cksfv 78
Daniel LaSalle
cksfv and the CRC32 algorithm can’t compete with modern methods as a way to look for intruders, but if you’re just checking for random errors such as a misplaced bit, this ancient tool could still be of service.

FOSSPicks 82
Nate Drake
This month Nate looks at The Battle for Wesnoth, Wine, Keypunch, Folio, LibreOffice, Zed, and more.

Tutorial – Map Machine and OpenStreetMap 88
Marco Fioretti
Use Map Machine’s icons to make the most of OpenStreetMap data and show as many map features as possible.


DOGHOUSE – HIGH-LEVEL LANGUAGES

MADDOG’S DOGHOUSE

With all the benefits of high-level languages, there’s still good value in learning assembly- and machine-level languages today. BY JON “MADDOG” HALL

Jon “maddog” Hall is an author, educator, computer scientist, and free software pioneer who has been a passionate advocate for Linux since 1994 when he first met Linus Torvalds and facilitated the port of Linux to a 64-bit system. He serves as president of Linux International®.

Language Skills

Last month I talked about low-level assembly and machine languages and the fact that assembly was a mnemonic representation of the ones and zeros of machine language. This month I will discuss what a high-level language is, why they were invented, and why people should still learn some machine/assembly level language.

Machine/assembly-level languages (hereafter just called “machine language”) were very slow and tedious to program. You typically had to code a lot of statements even to do the simplest things. Even simple statements like A=B+C in a high-level language might take 10 or 15 machine-language statements, and they were prone to mistakes on issues such as register overflow – which might need instructions to test for and correct overflow and which the machine-language programmer might forget to code.

The people who foresaw high-level languages said that they believed computers could be programmed in a “natural language.” Given the computers of those days, you might understand there were people who thought this was impossible. Fortunately for computer science, the developers of high-level languages did not give up. After the development of some simpler languages such as FLOW-MATIC, Grace Murray Hopper headed up the development of COBOL and John Backus developed FORTRAN. Others followed.

Not only did high-level languages simplify coding computers, but it also made the programs more portable. Why is this true?

The main reason why high-level languages are more portable is because there is no longer a one-to-one mnemonic mapping of what is coded to what executes on the machine. Instead, typically a transformation goes from “native-language-like” words to some intermediate state that is less determined by the architecture of any specific machine, and then a transformation from that state to a specific machine’s assembly/machine language.

That intermediate state, over the years, has allowed for lots of flexibility, particularly in languages that are not strongly data-typed, to allow program portability to different architectures.

Compilers have also allowed for standardization in linking subroutine and function modules, allowing for the easier creation of libraries shareable between different languages facilitated by different companies.

Some optimizations could be done at this intermediate level such as moving code outside of a loop while other optimizations (such as peep-hole optimizations) would be done at a lower level. Yes, peep-hole optimizations could be done by a good assembly/machine language programmer, but it was a tiring and tedious task.

A rule of thumb in the early days was that a good assembly language programmer could “always” write better code than your average high-level language programmer, whereas a good high-level language programmer could “always” write better code than your average assembly language programmer. However, your good assembly language programmer could “always” write better code than your good assembly language programmer for limited size programs – and it would take them much longer. Note that the “always” is always in quotes.

I wrote assembly language almost exclusively for IBM mainframes for over four years. After that I taught data processing for three years and used assembly language in a lot of my courses to explain how compilers, operating systems, and database engines worked. Today I feel very strongly that good programmers should understand machine language and the architecture of computers in general, but I would not advocate programming in machine or assembly language.

Instead I advocate using this knowledge for understanding how to write high-level languages in a way that is more efficient for the machine to execute and in debugging mistakes in optimizations that the compiler generates.

I am sure that almost any experienced programmer has found a bug generated by the compiler even though their source code was completely correct. More insidious is the bug generated by the compiler when you turned on some level of optimization to already existing and tested code – everything from un-initialized variables moved outside of a loop by a “helpful” optimizer to an “off-by-one” loop counter.

I am not saying that most compilers are not good pieces of code, but you need to test every optimization stage every time you turn on a new optimization (or group of optimizations) for a new architecture.

After I write initial code, I will use a profiler to see where the program is spending the most time. If it seems unreasonable, I will tell the compiler to generate the intermediate code or even (especially in the case of RISC CPUs) the machine/assembly language for the program.

Modern-day professors have told me that this type of analysis is less useful today due to the use of virtual machines and containers. Unless the virtual machine or container actually uses emulators, most of the code generated by the compiler runs directly on the hard metal, so getting long-running applications to run efficiently saves time, electricity, or cooling (or all three). Or allows your cell phone charge to last a whole day.


NETCAT AND SOCAT

Socat – Netcat on steroids

Switchboard

Netcat is the Swiss Army knife of networking for admins. Socat takes this principle one step further, offering multiplexing, TLS-secured channels, pipes, Unix sockets, and executables. BY THOMAS REUß

Netcat is undoubtedly a useful tool for testing TCP connections or UDP ports, transferring files, and far more [1]. Socat [2] offers even more: Besides raw TCP and UDP connections, it supports channels secured by TLS and can access pipes, Unix sockets, and executables. As if that were not enough, it can also multiplex multiple client connections.

Just like Netcat, Socat expects two positional parameters to establish a connection between two network addresses: socat <address1> <address2>. It can make sense to transfer files via raw TCP connections, for example, if you need to work as a different user on the target system than on the source. On many of the systems I support, sudo I/O logging is enabled. This means that for SCP or SFTP transfers with a user change (Listing 1), the complete transfer is added to the sudo logs via stdin and stdout. This can mean several gigabytes of data need to be stored in the /var/log/sudo/ directory. If you don’t want to do without the additional security of public key authentication and deactivated root accounts, you have to come up with something smart for transfers of this type. This is where Netcat and Socat come into play.

Netcat has always been used to transfer data from node A to node B (Figure 1), via input and output redirects, for example. To do this, you first need to launch Netcat in listening mode on node B (Listing 2, line 1). Then transfer the content from node A to the target IP. In the example shown, Netcat receives the local message of the day file (line 2) via input redirection (<). On the server side, the message is then written to the output.txt file via output redirection (>).

You can use tar to transfer multiple files. This ancient tool takes data from the standard input and writes it to the standard output. Multiple files can be transferred in the same way. On node B, just start Netcat in listening mode again and pipe the standard output to tar (line 3). On node A, then use tar to pipe the files in question to Netcat (line 4).

Figure 1: Two nodes are all you need to set up the test network.

Listing 1: SFTP Transfer with User Change
$ sftp -s "sudo -u www-data /usr/lib/openssh/sftp-server" <target>.<host>

Listing 2: Transfer via Netcat
1 tre@raspi02:~$ nc -l -p 9876 > output.txt
2 tre@raspi01:~$ nc raspi02 9876 < /etc/motd
3 tre@raspi02:~$ nc -l -p 9876 | tar -xf -
4 tre@raspi01:~$ tar -cf - <file1> <file2> ... <fileN> | nc raspi02 9876

You can do this in the same way with Socat and tar by telling Socat to listen on port 9876 on node B and routing the corresponding output through tar (Listing 3, line 1). On node A, you then transfer the output from tar to Socat (line 2). The example uses the reuseaddr and fork flags for this. The reuseaddr flag lets Socat bind to this port even if it is already (partially) in use. The fork flag tells Socat to delegate each connection to a child process so it can continue listening directly.

Listing 3: Socat and Tar
1 tre@raspi02:~$ socat TCP-LISTEN:9876,reuseaddr,fork EXEC:"tar -xf -"
2 tre@raspi01:~$ socat EXEC:"tar -cf - <file1> <file2> ... <fileN>" TCP:raspi02:9876

Bind Shell

A bind shell scenario involves binding a shell to a TCP port on the target host using, say, Netcat. Working on the source host, you can then use the target port to access the shell – assuming you don’t have a firewall blocking the exchange and that the target socket can be reached.

Netcat lets you set up a bind shell scenario relatively quickly using just a few commands. On node B, again launch Netcat in listening mode on port 9876 and pipe the standard output to a shell (Listing 4, line 1). On node A, you only need to open a TCP connection to the target host via Netcat (line 2). Once done, you can control node B remotely from node A, even if there is no SSH connection or similar.

Of course, this is only recommended in secure environments, as Netcat does no more than open a raw TCP connection. One of the typical use cases for a bind shell is to work with two servers that can both be reached via SSH (using a public key), but where SSH agent forwarding is disabled. You cannot jump from node A to node B because the private key is not available on node A. The attempt fails for reasons of authentication.

You can set up a bind shell with Socat just as quickly as with Netcat. As previously mentioned, working on the target host, launch Socat using the command from line 1 of Listing 5. With Socat you do not need a pipe to a shell. Instead, simply use the EXEC protocol. As the next step, set up the connection on the source host (line 2). As usual, the dash (-) stands for the standard input, stdin – you could therefore just as easily write the command as shown in line 3 of Listing 5. The same applies to stdout.

Listing 4: Bind Shell with Netcat
1 tre@raspi02:~$ nc -lvp 9876 | /bin/bash
2 tre@raspi01:~$ nc -nv raspi02 9876

Listing 5: Bind Shell with Socat
1 tre@raspi02:~$ socat -d -d TCP4-LISTEN:9876 EXEC:/bin/bash
2 tre@raspi01:~$ socat - TCP4:raspi02:9876
3 tre@raspi01:~$ socat STDIN TCP4:raspi02:9876

Reverse Shells

If you are now hoping that I will show you how to remotely control a victim using a reverse shell via malicious Office documents or other email attachments, I’m sorry to disappoint you. If you are looking for specific instructions on how to hack third-party systems, you will find them online, of course. I am only interested in useful tools and procedures for everyday use with Linux.

Reverse shells are, as the name suggests, the counterpart to bind shells. This means that a shell is not listening on the target computer, but on the source machine on a port to which the target host then establishes a connection at some point. Although this may sound strange or illogical at first, it makes sense to prevent connections to a company network being opened from the outside without using well-defined VPN methods. Firewalls are typically far more permeable when it comes to opening outbound connections. This is where a reverse shell enters the scene, for example, to give you a progress report on a time-consuming process.

In this example, I started the setup work on raspi01 in order to establish a reverse shell with Socat. The command from line 1 of Listing 6 starts a TCP listener on port 9876, using the standard output as the target (Figure 2). Now you can open the connection from the target host (line 2). This means that the terminal on raspi01 can be used to execute commands on the target machine raspi02, in a similar style to SSH or Telnet (Figure 3). Only the direction of the connection setup has been reversed.

Readers with a security background are now rightly asking what Socat’s USP is – thus far I’ve really only presented familiar techniques. But we are well away from the end of the line, because Socat can do far more.

Listing 6: Reverse Shell
1 tre@raspi01:~$ socat -d -d TCP4-LISTEN:9876 STDOUT
2 tre@raspi02:~$ socat TCP4:raspi01:9876 EXEC:/bin/bash

Figure 2: Setting up a reverse shell on node A.

Figure 3: After opening the connection, commands can be executed on node B.

Encrypted

If you want to use ad hoc connections on untrusted networks, it makes sense to use encryption. This is where Socat’s OpenSSL capabilities come into play. As a prerequisite for an encrypted connection, you will need a TLS certificate, although it can be self-signed. In the constellations discussed here, the certificate is only used for encryption and data integrity. Authenticity cannot be guaranteed, because there is no authentication mechanism. If you are setting up bind shells or reverse shells that can be accessed from the Internet, you must be prepared for potentially unwanted visitors.

To open an OpenSSL connection, you first need to create the certificate (Listing 7, line 1). Then launch Socat on raspi01 in OPENSSL mode with a reverse shell (line 2) and dock to this shell on raspi02 (last line, Figure 4).

Listing 7: OpenSSL Connection
1 tre@raspi01:~$ openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes -keyout raspi01.key -out raspi01.crt -subj "/CN=raspi01" -addext "subjectAltName=DNS:raspi01"
  tre@raspi01:~$ cat raspi01.key raspi01.crt > raspi01.pem   # cert= expects key and certificate in one PEM file
2 tre@raspi01:~$ socat OPENSSL-LISTEN:9876,cert=raspi01.pem,verify=0,reuseaddr,fork STDOUT
3 tre@raspi02:~$ socat OPENSSL-CONNECT:raspi01:9876,cert=raspi01.pem,verify=0,cafile=raspi01.crt EXEC:/bin/bash

Legacy Applications

Legacy applications exist in many organizations: antiquated applications that can be accessed via unencrypted connections such as Telnet and therefore only listen on the loopback interface (i.e., locally). But what if you need these tools on a remote host? One way of doing this would be to configure the tool so that it listens on the external interface and is therefore visible to everyone on the network – oops.

Socat helps to resolve this issue by digging a tunnel in front of the legacy application. Assume that the tool is listening on port 8877 of node A’s local interface, 127.0.0.1. You can talk to it on the host using Telnet, but not from any other node on the network. Instead, you can use the command from line 1 of Listing 8 to tell Socat to launch a TLS listener on port 9988 itself and connect the legacy application as the target. You can then use Socat on node B (line 2) to send the standard input to node A through the TLS tunnel.

Listing 8: TLS Listener
1 tre@raspi01:~$ socat OPENSSL-LISTEN:9988,cert=raspi01.pem,verify=0,reuseaddr,fork TCP4:127.0.0.1:8877
2 tre@raspi02:~$ socat STDIN OPENSSL-CONNECT:raspi01:9988,cert=raspi01.pem,verify=0,cafile=raspi01.crt

Figure 4: Opening the OpenSSL connection from node B.

Conclusions

Socat is an extremely powerful tool that clearly outstrips the old Netcat. The features mentioned here only shed light on a small selection of the tool’s capabilities. In addition to TCP, file descriptors such as STDIN and STDOUT and OpenSSL sockets and files can be used as address types, but Socat also supports raw interfaces, pipes, or pseudo terminals (PTYs). The possibilities opened up by Socat are far too diverse to list here. It is therefore definitely well worth perusing the tool’s man page [3] in more detail.

Info
[1] Netcat: https://netcat.sourceforge.net
[2] Socat: http://www.dest-unreach.org/socat/
[3] Socat man page: https://linux.die.net/man/1/socat

The Author
Thomas Reuß is a passionate Linux admin who is hugely interested in security. He is currently working as a consultant in the SAP environment.
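The OpenSSL listings in the Socat article run with verify=0, so the TLS layer hides the traffic but accepts any peer. The POSIX shell script below is an added example, not code from the article: it produces the combined PEM file that socat's cert= option expects (the openssl command from Listing 7 leaves key and certificate in separate files), then builds mutually authenticated command lines for the Listing 8 front-end, where each side pins the other's self-signed certificate with cafile and verify=1. Host names and ports follow the article; the function names, the is_authenticated check and the assumption of socat 1.7.3 or newer (for commonname=) are mine.

```shell
#!/bin/sh
# Added example (not from the article): mutually authenticated socat TLS
# front-end for a loopback-only legacy service, as in Listing 8.
# Assumes openssl and socat 1.7.3 or newer (commonname= option).

# Create key, self-signed certificate and the combined PEM for NAME.
# socat's cert= option wants key and certificate in ONE file, which the
# openssl command from Listing 7 does not produce on its own.
make_identity() {
    name="$1"
    openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
        -keyout "$name.key" -out "$name.crt" \
        -subj "/CN=$name" -addext "subjectAltName=DNS:$name" 2>/dev/null || return 1
    cat "$name.key" "$name.crt" > "$name.pem"
    chmod 600 "$name.key" "$name.pem"   # private key material: owner only
}

# Print the server-side command: TLS listener on LISTEN_PORT that forwards
# to the legacy service on 127.0.0.1:BACKEND_PORT. cafile plus verify=1
# makes the listener reject every client that does not present CLIENT_CRT.
server_cmd() {
    listen_port="$1"; backend_port="$2"; server_pem="$3"; client_crt="$4"
    if [ "$listen_port" = "$backend_port" ]; then
        echo "server_cmd: listener would forward to itself" >&2
        return 1
    fi
    printf 'socat OPENSSL-LISTEN:%s,reuseaddr,fork,cert=%s,cafile=%s,verify=1 TCP4:127.0.0.1:%s\n' \
        "$listen_port" "$server_pem" "$client_crt" "$backend_port"
}

# Print the client-side command: presents CLIENT_PEM, trusts only
# SERVER_CRT and checks that the certificate name matches HOST.
client_cmd() {
    host="$1"; port="$2"; client_pem="$3"; server_crt="$4"
    printf 'socat STDIO OPENSSL-CONNECT:%s:%s,cert=%s,cafile=%s,verify=1,commonname=%s\n' \
        "$host" "$port" "$client_pem" "$server_crt" "$host"
}

# Sanity check for a socat command line: refuse anything that still
# carries verify=0 or has no cafile, i.e. does not authenticate the peer.
is_authenticated() {
    case "$1" in
        *verify=0*)          return 1 ;;
        *cafile=*verify=1*)  return 0 ;;
        *)                   return 1 ;;
    esac
}

# Usage: sh this.sh setup
# Creates raspi01.pem and raspi02.pem and prints the command for each
# node; copy raspi01.crt to raspi02 and raspi02.crt to raspi01 first.
if [ "${1:-}" = "setup" ]; then
    make_identity raspi01 && make_identity raspi02 || exit 1
    echo "on raspi01:"; server_cmd 9988 8877 raspi01.pem raspi02.crt
    echo "on raspi02:"; client_cmd raspi01 9988 raspi02.pem raspi01.crt
fi
```

With these options a connection from a host that lacks raspi02.pem fails during the TLS handshake, which is the property the article's verify=0 variants deliberately give up.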


CKSFV

Checking data integrity with cksfv

Check It!

cksfv and the CRC32 algorithm can’t compete with modern methods as a way to look for intruders, but if you’re just checking for random errors such as a misplaced bit, this ancient tool could still be of service. BY DANIEL LASALLE

Cyclical Redundancy Checks have been around since the 1960s and still exist today as a means for verifying the integrity of a file. The CRC32 checksum variant has existed since the 1990s. Although the CRC32 checksum method is no longer considered safe for security purposes (see the box entitled “Not a Security Tool”), a CRC32 check can still identify other forms of random errors that can occur during data transmission or storage.

cksfv (short for “Check Simple File Verification”) [1] has lived a quite admirable lifetime as a tool for checking data integrity using CRC32 checksums. A new version (v1.3.15) appeared in 2020 after a gap of 11 years [2]. Today even the project’s developers want to be sure everyone knows cksfv should not be considered a replacement for more modern tools. The cksfv manpage states, “The algorithm is cryptographically crippled so it cannot be used for security purposes. Md5sum and sha1sum are much better tools for checksumming files. Cksfv should only be used for compatibility with other systems.” The fact that md5sum [3] and sha1sum [4] are also now considered insecure is an indication of the recent inactivity at the cksfv project. However, if you are interacting with systems that use CRC32 to look for simple data errors, cksfv is still around and runs on most Linux systems.

Not a Security Tool

The Wikipedia entry on the Simple File Verification (SFV) method used with cksfv states, “SFV verification ensures that a file has not been corrupted by comparing the file’s CRC hash value to a previously calculated value. Due to the nature of hash functions, hash collisions may result in false positives, but the likelihood of collisions is usually negligible with random corruption”. However, “[ … ] CRC32 is not a collision resistant hash function; even if the hash sum file is not tampered with, it is computationally trivial for an attacker to cause deliberate hash collisions, meaning that a malicious change in the file is not detected by a hash comparison”. [1]

Generating Checksums

It is easy to deploy the cksfv binary [5] via the usual

sudo apt install cksfv -y

on Debian-based systems. Once that’s done, the first thing you need to understand is that cksfv works in two distinct action modes: creation and verification. In creation mode, cksfv creates the checksum for one file or a group of files. Verification mode is where cksfv uses a previously stored checksum to verify the current state of the file.

Once cksfv is installed on your system, you can generate a checksum file by entering the cksfv command followed by the filename. You can use any wildcard pattern supported by the shell (such as *.txt) to generate a series of checksums with a single command:

$ cksfv *.odt

Most users pipe the results to a file with the .sfv suffix (Listing 1).

If you are working in a folder that has numerous subfolders and you need to create a single SFV file, use the -R switch. -R populates the results with path names instead of simply filenames. To keep it to just the filenames and no path, pair it up with -b, as in -Rb (Listing 2).

Listing 1: Creating CRC32 Checksums
$ ls
-rw-rw-r-- 1 dls dls  36 Aug 14 10:25 1.txt
-rw-rw-r-- 1 dls dls 648 Aug 14 10:26 2.txt
-rw-rw-r-- 1 dls dls  36 Aug 14 10:26 3.txt
$ cksfv *.txt
; Generated by cksfv v1.3.15 on 2024-08-14 at 10:26.37
; Project web site: https://gitlab.com/heikkiorsila/cksfv
;
;      36  10:25.52 2024-08-14 1.txt
;     648  10:26.06 2024-08-14 2.txt
;      36  10:26.01 2024-08-14 3.txt
1.txt D5AD97E0
2.txt 74FF6F6A
3.txt D5AD97E0
$ cksfv *.txt > cksfv.txt
$ ls
-rw-rw-r-- 1 dls dls  36 Aug 14 10:25 1.txt
-rw-rw-r-- 1 dls dls 648 Aug 14 10:26 2.txt
-rw-rw-r-- 1 dls dls  36 Aug 14 10:26 3.txt
-rw-rw-r-- 1 dls dls 286 Aug 14 10:26 cksfv.txt
$ cat cksfv.txt
; Generated by cksfv v1.3.15 on 2024-08-14 at 10:26.50
; Project web site: https://gitlab.com/heikkiorsila/cksfv
;
;      36  10:25.52 2024-08-14 1.txt
;     648  10:26.06 2024-08-14 2.txt
;      36  10:26.01 2024-08-14 3.txt
1.txt D5AD97E0
2.txt 74FF6F6A
3.txt D5AD97E0
$

Listing 2: Working with the -b and the -R switches
$ ls -l
total 24
drwxrwxr-x 2 dls dls 4096 Aug 14 10:39 1
-rw-rw-r-- 1 dls dls   17 Aug 14 10:39 1.txt
drwxrwxr-x 2 dls dls 4096 Aug 14 10:39 2
-rw-rw-r-- 1 dls dls   21 Aug 14 10:39 2.txt
drwxrwxr-x 2 dls dls 4096 Aug 14 10:39 3
-rw-rw-r-- 1 dls dls    3 Aug 14 10:39 3.txt
$ cksfv -Rb .
; Generated by cksfv v1.3.15 on 2024-08-14 at 10:41.04
; Project web site: https://gitlab.com/heikkiorsila/cksfv
;
;      36  10:39.04 2024-08-14 3.txt
;      36  10:39.04 2024-08-14 1.txt
;      21  10:39.40 2024-08-14 2.txt
;     648  10:39.04 2024-08-14 2.txt
;       3  10:39.40 2024-08-14 3.txt
;      17  10:39.40 2024-08-14 1.txt
3.txt D5AD97E0
1.txt D5AD97E0
2.txt 9EE0828B
2.txt 74FF6F6A
3.txt 51DBFD53
1.txt 08730823
$ cksfv -R .
; Generated by cksfv v1.3.15 on 2024-08-14 at 10:41.08
; Project web site: https://gitlab.com/heikkiorsila/cksfv
;
;      36  10:39.04 2024-08-14 ./3/3.txt
;      36  10:39.04 2024-08-14 ./1/1.txt
;      21  10:39.40 2024-08-14 ./2.txt
;     648  10:39.04 2024-08-14 ./2/2.txt
;       3  10:39.40 2024-08-14 ./3.txt
;      17  10:39.40 2024-08-14 ./1.txt
./3/3.txt D5AD97E0
./1/1.txt D5AD97E0
./2.txt 9EE0828B
./2/2.txt 74FF6F6A
./3.txt 51DBFD53
./1.txt 08730823
$

Validation Mode

The other role of cksfv is to check whether the checksum of a file still matches the recorded CRC32 checksum value. To validate a file against a previously stored checksum, use the -f switch followed by the SFV file that contains the stored checksum:

$ cksfv -f cvlist.sfv

Be advised that this command requires that both the SFV file and the actual file(s) you are validating are located in the same directory and that this directory is the current working directory. In cases where the SFV file is not present in the working directory, use the -g switch followed by the path to the SFV file (Listing 3).

In the event that several SFV files share the same parent folder, you could always recursively work through them by adding -r; however, you need to combine -r with the -C option and then with the parent path (Listing 4). The -C switch changes the working directory to wherever the data resides.

If you don’t want to validate all the entries contained in a single SFV file, simply write the names that are of interest (Listing 5).

Other notable options include -L for following symlinks recursively and -q for quieting everything. If you use quiet mode, you are entitled to receive a shell prompt back if everything is fine or just have the errors echoed out to you.

In the event that the case of letters in the filename has changed between the creation of the SFV file and the time of checking, you can direct cksfv to ignore case with the -i switch. Figure 1 shows the list of available command options for cksfv.

Listing 3: Validating Files
$ pwd
/var/log
$ cksfv -g /home/dls/Documents/CV/cvlist.sfv
--( Verifying: /home/dls/Documents/CV/cvlist.sfv )-----------------------
CV_3-7.odt OK
CV_5-0.odt OK
CV_5-1.odt OK
CV_5-2.odt OK
CV_5-3.odt OK
CV_5-4.odt OK
CV_6-0.odt OK
CV_6-1.odt OK
CV_6-2.odt OK
CV_6-3.odt OK
------------------------------------------------------------------------
Everything OK
$

Listing 4: Changing paths
$ cksfv -C ./Documents -rq
cksfv: CV_5-3.odt: Has a different CRC
cksfv: CV_6-3.odt: Has a different CRC
List of sfv files with broken files (or broken sfv files):
/home/dls/Documents/CV/cvlist.sfv
$

Listing 5: Specifying Files
$ cksfv -f cvlist.sfv CV_3-7.odt CV_6-0.odt
--( Verifying: cvlist.sfv )---------------------------------------------
CV_3-7.odt OK
CV_6-0.odt OK
------------------------------------------------------------------------
Everything OK
$

Figure 1: cksfv command-line options.

cksfv.rs

cksfv.rs [6], created by Martin Larralde [7], is a new version of cksfv written in Rust. The project’s GitHub page claims that cksfv.rs is “A 10x faster drop-in re-implementation of cksfv using Rust and the crc-32fast crate.” The other positive thing about this port is that it can be installed at the user level via Rust’s Cargo package manager instead of the usual required sudo access to apt.

I ran a comparison test on a 40GB file. Using cksfv, the creation time was 2m13s and the checking took 1m47s. On the other hand, executing the same steps using the original implementation took 1m12s for creation and 1m14s for validation.

Conclusion

The SFV format has been kicking it strong for well over 2 decades, and it is still relevant today in some limited contexts. Don’t try to use cksfv for cybercrime protection or other security issues, but if you’re looking for data errors caused by software bugs, data transmission, or file copy, or if you are interacting with legacy tools that require CRC32 checksums, cksfv is still an available option for Linux users.

Info
[1] Wikipedia on Simple File Verification: https://en.wikipedia.org/wiki/Simple_file_verification
[2] cksfv ChangeLog: https://gitlab.com/heikkiorsila/cksfv/-/blob/master/ChangeLog
[3] Forging SSL Certificates: https://www.schneier.com/blog/archives/2008/12/forging_ssl_cer.html
[4] NIST Retires SHA-1 Cryptographic Algorithm: https://www.nist.gov/news-events/news/2022/12/nist-retires-sha-1-cryptographic-algorithm
[5] cksfv Binary: https://zakalwe.fi/~shd/foss/cksfv/
[6] cksfv.rs: https://github.com/althonos/cksfv.rs
[7] Martin Larralde, “Althonos”: https://github.com/althonos

The Author
Daniel LaSalle was introduced to the command prompt while in 5th grade, but his addiction to technology spans over 30 years. In the past decade he’s been using Linux every day and freelancing as an infrastructure specialist. https://www.linkedin.com/in/daniellasalle/
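As an added example that is not part of the cksfv article, the POSIX shell script below re-implements the two action modes the article describes (creation and verification) without the cksfv binary: it reads the CRC32 out of the trailer that gzip writes at the end of every stream (the same IEEE CRC-32 that cksfv and the SFV format use), writes an SFV file in the "<name> <CRC32>" layout shown in Listing 1, verifies it, and then shows that a single-bit change in one file is caught while an untouched file still passes. File names and contents are constructed for the example; it needs only gzip, od, awk and tr.

```shell
#!/bin/sh
# Added example, not part of the article: a minimal SFV creator/verifier.
# Needs only gzip, od, awk and tr; the CRC32 comes from gzip's trailer.

# Print the CRC32 of FILE as eight uppercase hex digits (cksfv style).
# A gzip stream ends with CRC32 (4 bytes, little-endian) + ISIZE (4 bytes).
crc32_of() {
    gzip -c "$1" | tail -c 8 | od -An -tx1 |
        awk '{ printf "%s%s%s%s\n", $4, $3, $2, $1 }' | tr 'a-f' 'A-F'
}

# Creation mode: write an SFV file OUT for the named files inside DIR.
# Layout as cksfv emits it: ';' comment lines, then "<name> <CRC32>".
sfv_create() {
    dir="$1"; out="$2"; shift 2
    echo "; constructed by sfv_create (example, not cksfv output)" > "$out"
    for name in "$@"; do
        printf '%s %s\n' "$name" "$(crc32_of "$dir/$name")" >> "$out"
    done
}

# Verification mode: compare every entry of SFV with the file in DIR.
# Prints "<name> OK|BAD CRC|MISSING"; returns 0 only if every entry is OK.
sfv_verify() {
    sfv="$1"; dir="${2:-.}"; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '\r')      # tolerate CRLF files
        case "$line" in ''|';'*) continue ;; esac     # blank or comment line
        want=$(printf '%s' "${line##* }" | tr 'a-f' 'A-F')   # last field
        name=${line% *}                               # name may contain spaces
        if [ ! -f "$dir/$name" ]; then
            echo "$name MISSING"; bad=1; continue
        fi
        have=$(crc32_of "$dir/$name")
        if [ "$have" = "$want" ]; then
            echo "$name OK"
        else
            echo "$name BAD CRC (sfv $want, file $have)"; bad=1
        fi
    done < "$sfv"
    return "$bad"
}

# Demo: two constructed files, one SFV, then a one-bit change in one file
# ('9' -> '8' is 0x39 -> 0x38). Yields "ok" for the intact set and "bad"
# after the flip, so the function returns the string "ok bad".
demo_bitflip() {
    d=$(mktemp -d) || return 1
    printf '123456789' > "$d/check.txt"      # standard CRC-32 check value CBF43926
    printf 'The quick brown fox jumps over the lazy dog' > "$d/fox.txt"
    sfv_create "$d" "$d/files.sfv" check.txt fox.txt
    sfv_verify "$d/files.sfv" "$d" >/dev/null && r1=ok || r1=bad
    printf '123456788' > "$d/check.txt"      # single-bit corruption
    sfv_verify "$d/files.sfv" "$d" >/dev/null && r2=ok || r2=bad
    rm -rf "$d"
    echo "$r1 $r2"
}
```

The same property the article's box warns about applies here: the check catches the accidental flip, but nothing stops a deliberate edit from being paired with a compensating change that restores the CRC, which is why the SFV file is no substitute for a cryptographic hash.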


LINUX VOICE FOSSPICKS

FOSSPicks This month Nate offers readers delectable treats including


Sparkling gems and new
releases from the world of
Free and Open Source Software

code editors, immersive video games, office suites, and


even a remarkably useful typing tutor. BY NATE DRAKE
Turn-based strategy game
The Battle for Wesnoth

October 2, 2005, marks the first time the NFL played a regular season game outside the United States when the Arizona Cardinals defeated the San Francisco 49ers 31-14 in Mexico City. It’s also the day that David White and a team of eager coders made the initial release of The Battle for Wesnoth available to the viewing public.

The game itself is loosely based on the Sega Genesis classic Master of Monsters. Play is turn-based, across a hex map. The world of Wesnoth is extremely Tolkienesque with Men, Dwarves, Elves, Orcs, and Goblins. Readers can also imagine my amusement upon finding that the races include the reptilian Drakes.

Wesnoth is available on Steam and Itch.io, though Linux users can also install the Flatpak via Flathub. On first launch the game presents players with various choices including Campaign, Load, and Multiplayer. Wesnoth noobs are probably safest choosing a Campaign. In theory, this allows you to play a series of 10-20 connected scenarios to train up your various units into an elite fighting force. However, in a more immediate sense there are also tutorial missions where winning is less important than mastering game mechanics.

In these tutorials players take on the role of the young prince Konrad or princess Li’sar, who learn strategy even from the elderly mage Delfador. This particular scenario defaults to the easiest difficulty setting, though players can choose from medium, hard, and nightmare for other campaigns. Wesnoth also includes six default factions, each with their own strengths and weaknesses. For instance, the Loyalists are one of the most abundant factions with units consisting of human cavalry, mages, and infantry.

One interesting aspect of Wesnoth is different factions fight optimally at different times of day. For instance, Loyalists are at their best during daylight hours whereas the Drakes are most deadly at night.

Wesnoth has a small core team of developers who publish regular updates. For instance, in 2021, the world of Wesnoth benefited from the introduction of the Dunefolk faction, whose units include Soldiers and Riders. Other changes to the game’s code are made available to the community via development releases, such as the most recent version (1.19.1). This includes minor tweaks such as a melee animation for both Dragoon and Cavalier units.

Reading the various changelogs also provides valuable insight into gameplay, because Wesnoth makes use of an RNG to determine combat outcomes. This means that there’s no certainty whether a unit’s attack will succeed. In theory, even very small units have a chance of overcoming much larger ones. Speaking on the official forums back in 2008, David White refers to this aspect as “luck” and points out that in Wesnoth one can “play better, and still lose.”

The forums are also where I learned that work is ongoing on multiplayer campaigns. In the meantime multiplayer mode supports playing against other factions, either human or AI controlled. On selecting multiplayer you’re given the choice of playing a game against others via the official server, connecting to an unofficial server, hosting your own game, or even just taking turns to play locally on your computer. The Wesnoth Wiki warns that games can take 3-7 hours to play. This also seems to be roughly the amount of time it takes to master the gameplay screen, which requires careful husbandry of units, as well as precision timing to help your faction prevail.

1. Actions Button: Click here to recruit and recall units, as well as plot out enemy moves. 2. Turn Counter: If there’s a maximum number allowed, this will also be displayed here, e.g., 1/18. 3. Gold: It costs to both recruit and maintain units. Villages give +2 Gold per turn. 4. Villages: Besides generating income, you can place units into villages to heal from combat. 5. Total Units: Different units have unique traits, so generally the more you have the better. 6. Timer: This displays either the current time elapsed or time remaining in multiplayer games. 7. Movement: Click on a unit to see where it can move on the hex map. This can take multiple turns. 8. Unit Stats: These include the current hex position, time of day, weaponry, and unit profile.

Project Website
https://www.wesnoth.org/


Compatibility layer
Wine

This July, Wine celebrated its 31st birthday. Originally released in 1993, the name is a backronym for “Wine Is Not an Emulator.” The program’s compatibility layer allows many Windows programs to be run on Unix-like systems with varying degrees of success. Fortunately the main website maintains a comprehensive AppDB of Windows programs (https://appdb.winehq.org/), which are graded based on how nicely they play with Linux.

This is where I learned that the latest release of Notepad++ has a “Gold” rating, which was borne out by how effortlessly the program opened in the latest version of Wine (9.12). This may be due in part to the latest release’s initial support for User32 data structures in shared memory. For those unfamiliar with Windows parlance, the User32 library is a core component for handling device input and window management. Optimizing access to the library’s data structures theoretically improves program performance and responsiveness.

The Mono Engine has also been updated to version 9.2.0. When Wine is instructed to run a .NET application for the first time, it helpfully offers to download the engine automatically.

One of the most significant changes to Wine includes the rewrite of the CMD.EXE engine. This was done to ensure that Wine handles command-line operations and includes a number of bug fixes, such as one where CMD.EXE incorrectly parsed lines with nested IF commands.

While we’re talking bugs, 23 others have been smoothed out. This includes those that have plagued gamers such as a glitch that left Assassin’s Creed III on the loading screen due to an issue with the Vulkan renderer. Fans of the awesome third-person stealth shooter Death to Spies can also sleep easier, because Wine 9.12 no longer plays audio only on introductory videos. There’s also a fix for handling asynchronous I/O status in the new WoW64 mode for running 32-bit applications.

Wine is capable of running most Windows applications in Linux via its compatibility layer, such as Notepad++.

Project Website
https://www.winehq.org/

D&D lexicon
Libellus

Why don’t dragons eat paladins? Because they taste lawful! This Dungeons & Dragons dad joke heralded my one and only entry into the world of D&D in 1996. The funny part (if it can be called that) centers on the “Alignment” attribute of various heroes and monsters in the D&D universe, which includes terms such as “Lawful Good” and “Chaotic Evil.”

If, like me, you find such terms and attributes bewildering it may be time to install Michael Hammer’s Libellus, currently available via Flathub. The program acts as a virtual database of all classes, races, spells, magic items, equipment, and monsters to be found in D&D 5th Edition. Assuming you fall into the center of the Venn diagram that encompasses both Linux users and D&D players, on first launch it’s clear that the developer has put a lot of effort into making the world of D&D easy to navigate.

The main window contains a comprehensive list, topped by the main classes of players such as Bard, Druid, and Warlock. You can click on any of these to view their attributes such as skills and starting equipment, which are neatly laid out and sometimes even accompanied by a helpful illustration. Libellus uses tabbed browsing, so it’s very simple to scroll through multiple creatures and equipment at the same time. You can also bookmark pages for later reading, as well as use the search bar to find a specific item. I did this to display some truly terrifying stats for the “Adult Black Dragon.” Each page contains a comprehensive “Actions” section, which is where I discovered that said dragon spews acid in a 60 foot line, melting anything in its path.

Overall, Libellus is a niche product. Still, if you are a budding Dungeon Master planning a campaign you can do worse than having an easily searchable lexicon of every person, creature, and item players can encounter.

Libellus is a one-stop lexicon for all things D&D such as classes, races, spells, magic items, and equipment – including stats for the “Adult Black Dragon.”

Project Website
https://libellus.hummdudel.de/


Typing tutor
Keypunch

Loyal Linux Magazine readers will no doubt recognize the name of Keypunch developer and Gnome contributor Brage Fuglseth, because he’s also the creator of Fretboard, a useful app for looking up guitar chords which I covered in last month’s FOSSPicks. Speaking on the Gnome subreddit, Fuglseth explains that the icon for his latest offering is a homage to the old Gnome 2 typing tutor Klavaro. Keypunch binaries are currently available via Flathub only.

On launching Keypunch, the default settings display a list of assorted dictionary words, which I noted were all eight characters or less. As you start typing, Keypunch monitors your progress and highlights any errors. After 30 seconds the program displays both your accuracy (as a percentage) and typing speed (in words per minute, wpm). I was delighted to discover I had a 94-percent accuracy rate at 87wpm, but this went down considerably when I used the built-in drop-down menu to change the difficulty from Simple to Advanced. This setting included punctuation and numbers along with basic words. As you type, missed letters and spaces are highlighted in red.

The main menu also supports “custom text.” By default this is set to “The quick brown fox jumps over the lazy dog,” but you can amend and/or paste in your own text such as song lyrics or a Wikipedia article. The developer also stresses that Keypunch follows your default keyboard layout. In other words, if you’re using a Dvorak international layout, text will appear in exactly the same way as if you’re typing in any other Linux program.

While there is no shortage of typing apps for Linux, Keypunch does offer a much crisper interface than older Gnome software like Klavaro. The only downside I could see is that there’s currently no practice mode for specific keyboard layouts like QWERTY. Keypunch just uses common words instead. Still, what better way to measure your typing speed in real-world scenarios?

Mavis Beacon seems to have met her match. Keypunch has a crisp UI and clearly displays typing speed and accuracy.

Project Website
https://github.com/bragefuglseth/keypunch

System installer
Calamares

When it comes to Linux setup, there are few installers that can claim to be as lightweight and intuitive as Calamares. Although the installer is mostly maintained by KDE developers, it’s Linux-agnostic. This is borne out by its adoption in some of the most popular distros such as Kubuntu, Lubuntu, KDE neon, Manjaro, and the Live version of Debian.

Calamares is nothing if not intuitive. Setup is broken down into multiple simple steps wherein the user chooses the install location, keyboard layout, hard drive partitioning scheme, and users. Individual operating systems can also choose to tweak the “Welcome” screen with their own branding and messages. Beneath the hood, Calamares is also highly configurable through modification of internal modules. However, given how familiar the interface and install options are to users, many OS developers leave settings at default values.

The latest version of Calamares (3.3.8) contains a slight modification to the mount module so that the installer can now correctly mount LUKS and LUKS2-encrypted swap partitions. The partition module itself has been overhauled. Fixes are now in place for a bug that would sometimes skip bootloader installation when manual partitioning on MBR systems, as happened to me when installing Ubuntu last Easter. The users module also now defaults the password salt to yescrypt, which is also the default password hashing scheme for Arch, Debian 11+, and Ubuntu 22.04+.

There’s also been a key upgrade to the shell process and contextual process jobs. This new feature means that verbose keys can be set individually or globally for each command, allowing for more detailed logging and debugging of Calamares. At the time of writing, it seems the latest version of the installer has yet to work its way into any mainstream distros, though you can double check this in Live versions of Linux by running calamares --version.

The latest version of Calamares (shown here running in SDesk) has better support for mounting encrypted swap partitions.

Project Website
https://calamares.io/


Launch calendar
Space Launch

If you have yet to boldly go where no man has gone before, there’s no reason why you can’t keep tabs on upcoming space missions with this helpful app developed by French coder Emilien Lescoute. Currently only available as a Flatpak install via Flathub, Space Launch is written in Vala and GTK4. In brief, it’s a one-stop shop for upcoming launches, complete with a colorful countdown listing the launch window, timer, and information about the payload where available.

I say this because most listings are quite transparent, such as SpaceX’s quest to put more Starlink satellites in orbit to ensure global Internet coverage. However, other listings list an “unknown payload” with details “TBD,” such as a rocket due to leave the Jiuquan Satellite Launch Center in China. Clicking on individual entries will load more information about the launches themselves, including their specific destinations and missions.

By default, only a handful of launches are displayed but you can click the handy See More button to load more details. These are listed in date order, with the soonest space missions first. If this becomes too overwhelming, you can also launch the Preferences menu and access the Filters section. From there you can disable information on launches you don’t need on a country-by-country basis. There’s also a rocker switch to Hide Starlink Missions with the light-hearted subtext Show only interesting launches.

The General section also allows you to enable automatic refreshes of mission data. There’s also an option to embed a videostream of launches within the application, but currently this only reveals the text Soon!. The project GitHub page stresses that this is an alpha release that can be prone to crashing and communication problems. I didn’t encounter any specific errors when testing it out, but launch data did take some time to load.

With Space Launch you, too, can be a Rocket Man by following every launch in real-time with crucial mission data such as countdowns.

Project Website
https://flathub.org/apps/io.gitlab.elescoute.spacelaunch

Markdown editor
Folio

This self-described “beautiful Markdown note-taking app” is a fork of another Markdown editor Paper, which is no longer in active development. Folio is written in Vala and is available in a variety of formats including Flatpak, Snap, or AppImage.

After installing the Snap version, I was impressed to see that Folio’s simplistic interface encourages users to create a virtual notebook with a custom name and color. You can also choose how it will appear in the sidebar of the main window. You can have the app show just the first few title characters, or you can use initials (e.g., “Code Book” becomes “CB”).

The project GitHub page describes Folio as “Almost WYSIWYG Markdown rendering.” This was largely borne out when I created my first note. In the first place, any text you highlight can be automatically converted to “plain” or one of various heading styles using the drop-down menu at the bottom left. The bottom pane also contains buttons for further text editing including bold, italics, strikethrough, and highlighting. Other buttons are devoted to inserting hyperlinks, programming code, and even a horizontal rule.

If you need more exotic Markdown features but can’t quite remember how to format text, you can also click the info button at the bottom right. From here you can scroll through Folio’s “cheatsheet” of common Markdown commands as well as less used commands such as block quotes. This is largely unnecessary, though, because the WYSIWYG editor lives up to its claims. By default notes are saved in Markdown (.md) format and can be located using the Gnome search bar.

The Preferences pane includes options for changing both the Note and Monospace fonts. From there you can also display line numbers, as well as display a three-pane layout that expands the notebook lists to include the full notebook names. The Files section also lets you change the note storage location.

Folio lives up to its description as an elegant WYSIWYG Markdown text editor, with easily searchable notes saved in .md format.

Project Website
https://github.com/toolstack/Folio


Office suite
LibreOffice

The LibreOffice suite has certainly come a long way since its inception in 2011 as a fork of OpenOffice. The latest point release (24.2.5) represents the new calendar-based numbering system, which has been in place since the release of version 24.2 in late January. It follows a format similar to mainstream Ubuntu releases, marking the current two-digit year then the month of release. This is ostensibly done to make it easier for users to check how current their install of LibreOffice is.

Because it’s been a while since LibreOffice was covered in FOSSPicks, it’s worth first covering the major changes that were included with the release back in January. While previous versions of LibreOffice supported Auto Recovery, the feature wasn’t enabled by default. This has now been fixed, hopefully providing some better peace of mind that your documents won’t vanish when there’s a power outage.

The main word-processing program, Writer, has also received tweaks to its Comments feature, which now supports various text styles (the default is “paragraph”). While we’re talking paragraphs, these can also now be inserted before a table of contents by holding Alt+Enter. The Navigator has also received some important upgrades, including the ability to drag and drop linkable elements onto a text selection to use them as hyperlink text. Nested sections can also now be collapsed like headings.

Special mention should also go to spreadsheet software Calc, which now boasts a dedicated search field in the Functions sidebar. Formulas can now be copied and pasted as plain text into Writer or other text editors. Keyboard shortcuts have also been configured to make it easier to cycle between sheets.

Presentation software Impress is also still living up to its name, as it now comes with support for “Small Caps” text formatting, as well as support for saving slide show settings to a local configuration file. Impress has also received a huge number of bug fixes to improve image quality and tweak slide hierarchy. The app now also has better support for Open Document Format (ODF) formats, though it still opens Microsoft PowerPoint files flawlessly.

LibreOffice 24.2.5 builds on these successes: Its main focus is on fixing annoying bugs and crashes reported by users since the major release earlier this year. After viewing Bugzilla, I noted that these number in the hundreds. They include a fix for Writer that was causing certain Microsoft Word (.docx) documents to open very slowly. Calc has also received a revamp in that it no longer crashes after users hit down after using fill down in edit mode.

The developers of this latest LibreOffice release have also removed some features. Chief amongst these is support for the FTP protocol, apparently in response to “browser vendors and general industry trends.” Draw and Impress also no longer have an HTML export wizard.

LibreOffice Impress can easily open and edit Powerpoint files but also now has better support for the ODF.

Writer comes with a number of upgrades, including a more intuitive Navigator and support for different comment text styles.

Project Website
https://www.libreoffice.org/


Video player
Celluloid

This popular graphical front end for the mpv command-line video player received its first major 2024 release in late June. The software is currently available both as a Flatpak and via Snapcraft. After installing via the Ubuntu software center, I noted that Celluloid now has a new loading screen that shows up both when the player is loading and during buffering. The code has also been reworked to ensure the main window now displays much more quickly when launching.

One of the most striking changes, however, is that the header bar is no longer fixed. This new “floating” feature apparently means the header bar hides itself whenever the mouse isn’t moving. Eager to test this out, I began playing an animated video from the Internet Archive, only to find the header bar remained stubbornly in place. I was able to remedy this by opening Preferences and choosing Use a floating header bar in windowed mode. There’s an equivalent option for playback controls. While reviewing the release notes, I also saw that a major bug that could cause an mpv reset on opening and closing the Preferences menu has now been fixed.

The release notes also mention that both the header bar and controls also have an updated look and feel. Beneath the hood, Celluloid has been updated to remove some of the deprecated GTK API usage. The app itself is built using GTK4. The player is already compatible with most mpv user scripts, so it can use them without modification. The latest release now supports multifile user scripts.

A list of compatible scripts can be found at https://github.com/mpv-player/mpv/wiki/User-Scripts. To install, users only need to switch to the Plugins tab in Preferences and drop the files there. The player now has more built-in keyboard shortcuts. Use Alt with the arrow keys to pan videos or Alt with +/- to zoom. Hold Alt+Backspace to undo any changes.

Celluloid now supports a floating heading bar if the mouse is still, but you need to manually enable this via Preferences.

Project Website
https://github.com/celluloid-player/

Code editor
Zed

Back in June 2022, GitHub announced the end of life of their awesome hackable text editor (and later IDE) Atom. Given how much coders cherished the editor, it was hardly surprising that former Atom developer Nathan Sobo decided to build its spiritual successor. However, unlike Atom, Zed is written in Rust and doesn’t use the Electron framework.

Despite being FOSS, builds were only originally released for macOS. Fortunately the devs have now seen the error of their ways and official Linux builds are now available. Although it’s technically possible to compile Zed from source, it can be downloaded and installed on most Linux distros simply by running a Bash script from the main website via curl. If you choose to do so, you’ll also benefit from Zed’s integrated GPU-accelerated render, which supposedly makes for blindingly fast code loading.

On first launch you’re prompted to choose from basic options such as choosing from one of dozens of themes. After this, it’s only a matter of loading your chosen project. When I did this with a script, I noticed that another irrelevant file appeared in the sidebar. This was because I’d failed to observe the coder’s etiquette of devoting a dedicated folder to my project. Zed automatically recognized the correct script language (Python), but it supports a huge number of others.

As befits a code editor, Zed is also highly customizable. You can use the Preferences menu to access a variety of Extensions to expand its functionality such as support for older versions of HTML or new themes. The Preferences menu can also open Settings, an editable local configuration file that you can use to make further tweaks such as changing the fonts. As a lone reviewer, sadly, I wasn’t able to test Zed’s famed real-time collaboration features, but according to online reviews, the feature works flawlessly.

Zed has a number of funky themes, as well as advanced features including real-time collaboration and AI integration.

Project Website
https://zed.dev/



LINUX VOICE TUTORIAL – MAP MACHINE AND OPENSTREETMAP

Mapping the details

OpenStreetMap Maximized

Use Map Machine’s icons to make the most of OpenStreetMap data and show as many map features as possible.

BY MARCO FIORETTI

OpenStreetMap (OSM) [1] is an open source success story, a tool that every owner of any kind of computing device has surely used at least once, knowingly or not. This collectively designed digital map of the whole world is, in fact, integrated into services by the likes of Wikipedia, Amazon, Apple, Facebook, and countless other organizations. Besides being a lot of fun, knowing how to handle OSM maps or raw geographical data from OSM is one of those skills that can likely be useful for everyone, sooner or later. This is why I present Map Machine [2], a tool you can use – by combining its set of icons with raw OSM data – to create your own custom maps.

The Map Machine icon set aims to display as many map features as possible, because the original idea behind the project was to show all the richness of the OpenStreetMap data. Figure 1 shows just a small part of the complete icon set, and yet it covers features as diverse as barber shops, diving platforms, power lines, trellises, and mailboxes.

Thanks to these icons, end users of OSM maps enhanced with Map Machine can quickly locate many more map details. For OSM contributors, Map Machine offers an easy way to display everything they may want to add to the map, no matter how particular or small.

In this tutorial, I’ll first provide a short introduction to the project and summary of the basic definitions of digital mapping that you need to know to use the Map Machine. Then I’ll show you how to use Map Machine to create small digital maps that you can embed in any web page or other digital document.

Figure 1: A small sample of the icons available with Map Machine.

Map Machine Structure

The Map Machine project consists of two main parts: the set of icons I already mentioned, called Röntgen, and a “renderer” for OpenStreetMap data. The icons are monochrome 14x14-pixel images, usable as a map-painting style in aligned images created for the Map Machine project. The icons are usable as a paint style when you draw new features or parts of the main OSM map with any dedicated editor such as JOSM [3]. Because they are all available under the CC BY 4.0 license, with a proper attribution you can use them for any purpose you want, commercial or not, even if it has nothing to do with OSM or with mapping in general.

Now for the definitions: The first words to know here are “renderer” and “rendering.” A renderer is any software that “renders” (i.e., creates a human-viewable digital map or a rendering) out of raw geospatial data.

Dynamic digital maps that you can drag around or zoom in and out, like the ones available on the OSM website or by Google Maps, are called “slippy” because they seem to slip around inside the browser window when you drag them with your mouse or finger to look at a different area, or move towards or away from you when you zoom in or out.

To achieve that effect, maps are drawn inside browsers or other map viewing-capable applications by assembling tiles – small square images that represent one square part of the map at the current zoom level. Zooming and slipping are performed in real time on the user’s device. The tiles that are actually needed to compose whatever portion of a map you may want to see in a certain moment are transmitted to your device by a dedicated tile server and can be of two kinds: raster or vector.

Raster tiles are just plain images in formats, such as JPEG or PNG, that are visible with countless programs, not just OSM applications. Because they are made of matrices of fixed-size square dots called pixels, raster images lose crispness when zoomed.
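As an added example (not code from the article or from the Map Machine project), here is the standard Web Mercator tile arithmetic that a slippy-map viewer uses to decide which tiles to request from the tile server: it parses a boundary box in the min-lon, min-lat, max-lon, max-lat order that map-machine’s --boundary-box option also uses, refuses a swapped pair instead of silently requesting an inverted area, and lists the z/x/y tiles that cover the box at a given zoom level. The sample coordinates are the Trocadéro box used later in this tutorial; nothing is fetched from the network.

```python
"""Slippy-map tile arithmetic for a boundary box (added example).

Assumes the Web Mercator tile scheme used by OSM-style slippy maps:
a boundary box is "min_lon,min_lat,max_lon,max_lat" and tiles are
addressed as z/x/y, with x growing eastwards and y growing southwards.
"""
import math

MAX_MERCATOR_LAT = 85.05112878  # Web Mercator cannot represent the poles


def parse_boundary_box(text):
    """Parse "min_lon,min_lat,max_lon,max_lat" and validate the order.

    A swapped pair is the classic mistake: a renderer would then be asked
    for an empty or inverted area, so refuse it loudly instead.
    """
    parts = [float(p) for p in text.split(",")]
    if len(parts) != 4:
        raise ValueError("boundary box needs exactly four numbers")
    min_lon, min_lat, max_lon, max_lat = parts
    if not (-180.0 <= min_lon < max_lon <= 180.0):
        raise ValueError("longitudes must satisfy -180 <= min < max <= 180")
    if not (-MAX_MERCATOR_LAT <= min_lat < max_lat <= MAX_MERCATOR_LAT):
        raise ValueError("latitudes must satisfy min < max within Mercator range")
    return min_lon, min_lat, max_lon, max_lat


def boundary_box_is_valid(text):
    """True when parse_boundary_box() accepts text, False otherwise."""
    try:
        parse_boundary_box(text)
        return True
    except ValueError:
        return False


def lonlat_to_tile(lon, lat, zoom):
    """Return the (x, y) index of the tile containing (lon, lat) at zoom."""
    n = 2 ** zoom
    x = int((lon + 180.0) / 360.0 * n)
    lat_rad = math.radians(lat)
    mercator_y = math.log(math.tan(lat_rad) + 1.0 / math.cos(lat_rad))
    y = int((1.0 - mercator_y / math.pi) / 2.0 * n)
    # Clamp so that the exact eastern edge (lon == 180) lands on the last tile.
    return min(max(x, 0), n - 1), min(max(y, 0), n - 1)


def tile_to_lonlat(x, y, zoom):
    """Return the (lon, lat) of the north-west corner of tile (x, y)."""
    n = 2 ** zoom
    lon = x / n * 360.0 - 180.0
    lat = math.degrees(math.atan(math.sinh(math.pi * (1 - 2 * y / n))))
    return lon, lat


def tiles_for_boundary_box(text, zoom):
    """List every (z, x, y) a viewer must fetch to cover the box at zoom.

    Tile rows grow southwards, so the northern edge (max_lat) gives the
    smallest y and the southern edge (min_lat) the largest.
    """
    min_lon, min_lat, max_lon, max_lat = parse_boundary_box(text)
    x0, y0 = lonlat_to_tile(min_lon, max_lat, zoom)  # north-west corner
    x1, y1 = lonlat_to_tile(max_lon, min_lat, zoom)  # south-east corner
    return [(zoom, x, y) for x in range(x0, x1 + 1) for y in range(y0, y1 + 1)]


# Boundary box of the Esplanade du Trocadéro, as quoted in this tutorial.
TROCADERO = "2.284,48.860,2.290,48.865"


if __name__ == "__main__":
    for zoom in (1, 12, 16):
        tiles = tiles_for_boundary_box(TROCADERO, zoom)
        print(f"zoom {zoom:2d}: {len(tiles)} tile(s), first = {tiles[0]}")
    print("swapped latitudes accepted?",
          boundary_box_is_valid("2.284,48.865,2.290,48.860"))
```

The tile count for a fixed area grows roughly fourfold per zoom level, which is why the cost of serving a slippy map is driven by zoom depth rather than by the size of the region.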


Vector tiles, instead, are raw geographic data that must still be rendered, but have the great advantage of yielding the maximum resolution at any desired size. This happens because, unlike raster images, which are bundles of predefined pixels, vector images are (to simplify) sequences of instructions to draw all the parts of an image. A vector image can be thought of as a recipe containing commands such as “draw a red line from the top left corner to the bottom right one” or “draw a blue solid circle in the image center, with diameter equal to one third of the available space.” By their very nature, those instructions will work without any degradation to the image no matter how big the output device is (screen or paper, it’s the same). A common vector graphic format is Scalable Vector Graphics (SVG).

In practice, digital maps can be made of both kinds of tile images, but only the vector tiles will never lose resolution. You can easily see what I mean by selecting the satellite view of any place on Google Maps and then zooming in as much as you can: Eventually, the photo background will look grainy because that is a raster tile, but every element of the actual map drawn over it (roads, street names, etc.) will look 100-percent sharp because it’s part of a vector tile. Another way to describe the problem is that raster images have their own intrinsic resolution that cannot be increased, while the resolution of vector tiles is limited only by the physical resolution of your monitor or printer.

The practical consequences of this difference between tile types go far beyond the maximum zoom one can apply. The look of the satellite background in Google Maps can change only if and when Google itself switches to newer, or otherwise different, sets of satellite photos. The final look and feel of vector tiles, instead, is totally defined by stylesheets that may be very different from each other and, at least in principle, freely selectable by each end user each time they load the map. So you may have a stylesheet that paints roads in blue and writes road names in yellow, and another one that, simultaneously on a different computer, may do the exact opposite, or use entirely different colors. Ditto for fonts, icon sets, and any other graphic elements, from shape of arrows to map borders, even if both map renderings use the same raw data from the same server.

Back to Map Machine

The Map Machine renderer, which is released under an MIT license, fetches data from the raw OSM database to perform two main, strictly related functions: It can generate static map images or sets of map tiles of any area of the world, in both raster and vector formats, at various zoom levels, and serve those tiles to any browser that requests them. You can also use just the first function to generate an ordinary digital image of a static map.

Internally, the renderer is a Python application built on two important open source projects called cairo [4] and GEOS [5]. Cairo is a multiplatform 2D-graphics library designed to produce PostScript, PDF, and SVG images, or to display them consistently on all output media. GEOS is the “Geometry Engine, Open Source” C/C++ library of algorithms used in geographic information systems (GIS) software.

Installing and Using Map Machine

To use Map Machine, you must first install the developer versions of the libcairo2 and libgeos libraries, and then the actual map-machine Python module. On Ubuntu and other Debian-derived distributions, you can do so with these two commands:

sudo apt install libcairo2-dev libgeos-dev
pip install git+https://github.com/enzet/map-machine

The first command installs the libraries from the standard repositories of your distribution, and the second uses pip, the Python package installer, to download and configure Map Machine. Please note that if you use it as in the command above, pip will set up Map Machine only for your user account. To make the software available to all users of your Linux desktop, you should run that command as the root user instead.

If, for whatever reason, the installation of the cairo library or its Python bindings fails, you may install a separate, cairo-independent version of Map Machine with this command:

pip install git+https://github.com/enzet/map-machine@no-cairo

In this case, the resulting package will only be able to generate vector tiles (i.e., SVG files), not raster tiles (i.e., PNG images). After installation you can very easily check that everything went right by running the first example in the Map Machine home page:

map-machine render --boundary-box 2.284,48.860,2.290,48.865 --output figures/esplanade_du_trocadéro.svg

and checking that it returns more or less the same output as shown in Listing 1, and the same map of the Paris area called Trocadéro that is visible in Figure 2. The command tells Map Machine to download all the raw data delimited by the geographical coordinates defined with the --boundary-box parameter and use it to draw a static map and save it in a vector file named esplanade_du_trocadéro.svg, inside the figures folder. The first

LINUX-MAGAZINE.COM ISSUE 287 OCTOBER 2024 89


LINUX VOICE TUTORIAL – MAP MACHINE AND OPENSTREETMAP

two numbers passed to --boundary-box are the longitude and latitude of the southwest corner of the area of interest, and the last two the same coordinates for its northeast corner.

Please note that I said southwest and northeast only as a shorthand that hides a trap you may fall into. Strictly, those four numbers must represent, in this order, the minimum longitude, minimum latitude, maximum longitude, and maximum latitude of the area to map. For a map of France all four values are positive and "minimum" simply means "smallest"; for a map of, say, Argentina, longitudes and latitudes are negative, so the minimum is the value farthest below zero (-65 comes before -55), and getting the sign or the order wrong means asking for a different area, or for an invalid box. The rule also breaks down for a box that straddles the 180° meridian, where the western edge has a larger longitude than the eastern one.

You can easily see the point of using Map Machine by comparing Figure 2 with Figure 3, which shows the same area in the OpenStreetMap website with the default rendering. Colors aside, there are many more icons that allow the user to identify different kinds of places and services.

Listing 1 shows only an excerpt of the actual textual output of Map Machine, but it's enough to summarize how this tool actually works. First (with the INFO Getting line), it downloads all the raw data for the requested area from the central OSM database using the Application Programming Interfaces (APIs) developed just for these purposes. Once it has that data, Map Machine performs the actual rendering, drawing all the roads (ways) and specific features (nodes), from intersections to monuments or single shops. Of course, in the process it also adds all the Röntgen icons that are needed.

Running map-machine as in Listing 1 will create a cache directory for OSM data in the same directory where you ran it. That folder stores all the raw OSM data you may need for future maps of the same area, in the XML format of Listing 2.

The XML file, with extension .osm, is named after the coordinates of the area it contains, that is, with the same parameters passed to --boundary-box. Listing 2 is just a very short excerpt of the actual file, which contained more than 1,900 tags (key/value pairs attached to the nodes and ways that end up on the map)! The tags can include links to images or the Wikipedia description of a place (the Chaillot and Place José Marti locations), as well as specific infrastructure (such as "traffic signals"). It is by looking at those tags that Map Machine discovers which icons it should add to the map and in which positions.

The behavior of Map Machine is configurable in several ways. For convenience, you may define any folder to be the cache by passing its absolute path with the --cache option. Similarly, you can set the zoom level (-z, default 18.0) or the size in pixels (-s) of the final image.

Listing 1: Map Machine Output

#> map-machine render --boundary-box 2.284,48.860,2.290,48.865 --output figures/esplanade_du_trocadéro.svg
INFO Getting https://api.openstreetmap.org/api/0.6/map...
INFO Constructing ways...
INFO Constructing nodes...
INFO Drawing [stuff]...
INFO Writing output SVG to figures/esplanade_du_trocadéro.svg...

Finding the Right Coordinates

At least for generating static, single-image maps, Map Machine is simple enough to use that the main problem for novices may very well be how to determine which coordinates they should give it to map just the area they want. Luckily, finding those numbers is quite easy with both OSM and Google Maps. On the OSM

Figure 2: What Map Machine maps look like.

Figure 3: The same area of Figure 2, with standard OSM rendering.

website, you can read and copy the longitude and latitude of a certain point by first clicking on that point and then on the "Where is this" string inside the search box (Figure 4, which is centered on Rome's Pantheon). With Google Maps, instead, you can just right-click on a point to open a pop-up box whose first line contains the desired coordinates (Figure 5). Both sites show the pair as latitude first, then longitude, which is the reverse of the order --boundary-box expects.

Boundary boxes are not the only way to define an area, nor the best in all cases. What if you wanted, for example, to draw a map centered on a point without bothering to calculate or retrieve the corners of a box centered around it? That is no problem, because Map Machine accepts single points, too, as in this example:

map-machine render --output figures/pantheon.svg -c 41.8989621729188,12.476551034904253 -s 1000,1000 -z 20

which generates the static map image shown in Figure 6: -c gives the coordinates, -z the zoom level, and -s the size of the image in pixels. Note that -c takes latitude first and longitude second, exactly as copied from the OSM or Google Maps pop-up, whereas --boundary-box wants longitude before latitude.

Listing 2: Excerpt of Map Machine Cached Data

#> more cache/2.284,48.860,2.290,48.865.osm
<?xml version="1.0" encoding="UTF-8"?>
<osm version="0.6" generator="CGImap 0.9.2 (2125661 spike-07.openstreetmap.org)" ...
<bounds minlat="48.8600000" minlon="2.2840000" maxlat="48.8650000" maxlon="2.2900000"/>
<tag k="curve_geometry" v="yes"/>
...
<tag k="highway" v="traffic_signals"/>
..
<tag k="zone:maxspeed" v="FR:30"/>
<tag k="wikimedia_commons" v="File:Place José-Marti, Paris 16e 1.jpg"/>
<tag k="wikipedia" v="fr:Quartier de Chaillot"/>

Generating Tiles for Bigger Maps

If all Map Machine could do were single-image, static maps with new icons, it would still be cool, but it can do more. Except for the custom icons, you could get the same results by taking screenshots of the map on the OSM website. The real power and fun of Map Machine is its capability to automatically generate and serve, to any application that requests them in the right way, all the basic tiles needed to compose a slippy map that the end user can drag around or zoom as desired. The only limit is that you cannot generate tiles for large areas with just one

Figure 4: The "Where is this" string in the search box of OSM gives you the coordinates of any point you select.

Figure 5: The Google Maps way to show the coordinates of any point.

Figure 6: A map centered around the Pantheon monument in Rome, created without explicitly specifying its corners.


run. If you tried, you would get error messages similar to this:

Cannot download data: too many nodes (limit is 50000). Try to request smaller area.

Tile creation and serving are separate activities that one instance of Map Machine cannot do at the same time: This software can only serve tiles that were prepared before it was launched. To create the tiles of a certain area – which in all the examples that follow is the part of downtown Rome right around the Pantheon – you should launch Map Machine in tile mode:

map-machine tile -b 12.4772,41.8982,12.4779,41.8999 -z 16-20

This command shows the compact version (-b) of the --boundary-box option to define the map boundaries, and a new but predictable use of the zoom (-z) option: To make a map actually zoomable, you must provide one full set of tiles for every zoom level you want. With the command above, Map Machine will therefore create five different sets of tiles, one for every zoom level from 16 to 20. Had I wanted only the 16, 19, and 20 zoom levels, I should have written -z 16,19,20. If you don't specify any level, Map Machine will generate only one set of tiles, at the default zoom level 18.

Because the tiles of every zoom level have predefined sizes, in general a grid of tiles will not match exactly the edges of a boundary box. In practice, this is not a problem because Map Machine will take care of that, extending those edges until they match those of the minimal tile set that covers the area you want.

All tiles generated by a Map Machine tiling command are stored as SVG files named out/tiles/tile_<zoom level>_<x>_<y>.svg and as PNG files named out/tiles/tile_<zoom level>_<x>_<y>.png, where x and y are tile coordinates. Figure 7 shows part of the PNG tiles generated for zoom level 18. Figure 8, in which I renamed four of the same tiles just to make my file manager arrange them in the right order, shows how they are indeed parts of one continuous map, without gaps.

Tile generation can be customized with several options, the most interesting ones being --mode and --buildings. --mode allows you to set other drawing styles besides the default one, normal, which is used in this tutorial. --buildings sets the drawing mode of buildings, which may be, for example, none or flat.

The Map Machine Tile Server

Once you have made Map Machine generate all the tiles for a certain area, for all the zoom levels you need, you can use Map Machine to serve those tiles to any web page in which you want to embed a slippy map of the same area – a map that viewers of your page may drag around and zoom in or out just as they would on OSM or Google Maps.

On the server side, you just have to launch Map Machine in server mode:

map-machine tile -b 12.4755,41.8970,12.478,41.8997 -z 16-20
map-machine server --port 8081 --cache $CACHE

where $CACHE is the absolute path to the same cache folder previously used to generate the tiles. The --port option tells map-machine to listen for requests on TCP port 8081 (the default would be 8080, but on my computer that port is already used by another application).

When Map Machine is running in that mode, everyone who can access the computer it's running on can get the map, until you stop the application by pressing Ctrl+C in the same console, or by killing it with the kill command. Keep in mind that this is a plain HTTP server with no authentication of its own: anyone who can reach that TCP port over the network can fetch your tiles, so for personal use leave the port closed in your firewall and never expose the server directly to the Internet. If you run the server on your own computer for purely personal, local use, you can talk to the server by pointing the

Figure 7: Basic tiles that compose the slippy map of Rome's downtown, with Röntgen icons.

Figure 8: Four of the tiles of Figure 7, rearranged to show how they perfectly line up with each other.

92 OCTOBER 2024 ISSUE 287 LINUX-MAGAZINE.COM


TUTORIAL – MAP MACHINE AND OPENSTREETMAP LINUX VOICE

browser at the address 127.0.0.1:8081 (replace 8081 with whatever port number you chose to bind Map Machine to).

As easy as it is, what I just explained is just the server side of making slippy maps with Map Machine, and it's hardly useful without a browser that, executing the instructions it finds on a properly written web page, connects to that server, fetches all the tiles, and then draws the map with them in its own window.

To build a web page with those properties, take inspiration from Listing 3. That is the full web page loaded in Firefox in Figure 9, which as you can see has, besides the Map Machine notice in the bottom-right corner, two buttons on the opposite corner to zoom in or out.

That page's source code is a mix of the example on the Map Machine home page, which for some reason didn't work at the time of writing, embedded in another demo page, namely the one from the "Quick Start Guide" of the Leaflet JavaScript library for mobile-friendly interactive maps [7]. The stylesheet and script src links in the head section tell any browser that loads the page to download the Leaflet code and CSS stylesheet that will be used to manage the tiles; the integrity attributes on those links carry the hashes of the expected files, so the browser refuses to use a copy of Leaflet that differs from the one the page was written for. The lines between the <style> and </style> tags remove the margins of the whole page, make it fill the window (100% height), and give the section that will hold the map (the leaflet-container) a size of 600 by 400 pixels, capped at the size of the page.

The body of the page only contains two elements: a header ("Map Machine test for Linux Magazine") and the HTML division called map that includes, of course, the map. What happens with it is much simpler than it may seem at first sight. In fact, right after that division comes just a small JavaScript script that declares a map object as defined in the Leaflet library (the capital L in L.map('map')), centered on the point of latitude 41.8994, longitude 12.4770, indicated by the arrow in Figure 9, with initial zoom level 18. The geographical coordinates should correspond, more or less, to the center of the area for which you previously built the tiles.

Right after that declaration, the tiles constant specifies where to ask for the tiles that are needed to draw the map. That must obviously be the IP address and port number of the Map Machine server, which will be http://127.0.0.1:8081 if, as in the example, the server runs on the same computer as the browser. If that is not the case, you must substitute the numeric IP address with the correct one, or the corresponding domain name (e.g., http://example.com/mymaps/). Because the tiles are requested over plain HTTP, this works for a page opened from disk or served locally; if you publish the page on an HTTPS site, browsers will block (or try to upgrade) the insecure tile requests, so put the tile server behind HTTPS as well. The part after the port number is the URL pattern that the Map Machine server answers, with Leaflet filling in the {z}, {x}, and {y} placeholders with the zoom level and tile coordinates of the tile_<zoom level>_<x>_<y> files already mentioned.

The other parameters passed to the script are the attribution, which is written together with the Leaflet credit at the bottom of the map, and the tile size and zoom offset. The final .addTo(map) statement is what tells the browser to actually put the tiles downloaded from the Map Machine server into the map.

If you click on the plus and minus buttons in the top-left corner, your browser will fetch from the server the corresponding set of tiles and redraw the whole map. If there are not enough tiles to fill the window with a certain zoom level you will get something similar to Figure 10. Figure 10 shows the same map shown in Figure 9 zoomed out to level 16, with the arrow pointing to the same spot as in Figure 9 to give you an idea of how two levels of zoom change the picture. If you want to avoid the empty zones shown in Figure 10, you must generate more tiles with successive runs of Map Machine.

Figure 9: There it is! A fully working slippy map [6], courtesy of Map Machine!

Figure 10: At the minimum zoom level, the map will not fit the whole window, but it will still work.
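The tag lookup described for Listing 2 is easy to reproduce on a small scale. The following Python script is an added example, not Map Machine's own code: it parses a constructed excerpt in the shape of Listing 2 (embedded in the script; not real cached data), checks that the file's bounds are the box you actually asked for, resolves the node references of a way, collects the wikipedia and wikimedia_commons links, and applies a deliberately tiny, hypothetical icon table, not the real Röntgen scheme, to decide which icon lands at which coordinate.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt in the shape of Listing 2; NOT real cached OSM data.
SAMPLE_OSM = """<?xml version="1.0" encoding="UTF-8"?>
<osm version="0.6" generator="constructed example">
 <bounds minlat="48.8600000" minlon="2.2840000" maxlat="48.8650000" maxlon="2.2900000"/>
 <node id="1" lat="48.8621" lon="2.2871">
  <tag k="highway" v="traffic_signals"/>
 </node>
 <node id="2" lat="48.8635" lon="2.2880">
  <tag k="amenity" v="cafe"/>
  <tag k="name" v="Constructed Cafe"/>
 </node>
 <node id="3" lat="48.8610" lon="2.2850"/>
 <node id="4" lat="48.8612" lon="2.2890"/>
 <way id="10">
  <nd ref="3"/>
  <nd ref="4"/>
  <tag k="highway" v="residential"/>
  <tag k="zone:maxspeed" v="FR:30"/>
  <tag k="wikipedia" v="fr:Quartier de Chaillot"/>
 </way>
</osm>
"""

# Hypothetical (key, value) -> icon table for this example only; Map Machine's
# real Röntgen mapping is far richer and lives in its own scheme files.
ICON_RULES = {
    ("highway", "traffic_signals"): "traffic_signals",
    ("amenity", "cafe"): "cafe",
}
LINK_KEYS = ("wikipedia", "wikimedia_commons")


def _tags(element):
    return {t.get("k"): t.get("v") for t in element.findall("tag")}


def parse_osm(text):
    """Split an OSM XML document into bounds, nodes and ways. ElementTree's
    expat parser does not fetch external entities, but it does expand entity
    bombs; parse .osm files from an untrusted source with defusedxml instead."""
    root = ET.fromstring(text)
    if root.tag != "osm":
        raise ValueError("not an OSM XML document")
    bounds = root.find("bounds")
    box = None
    if bounds is not None:
        box = tuple(float(bounds.get(k)) for k in ("minlon", "minlat", "maxlon", "maxlat"))
    nodes = {}
    for el in root.findall("node"):
        nodes[el.get("id")] = {"lat": float(el.get("lat")),
                               "lon": float(el.get("lon")), "tags": _tags(el)}
    ways = {}
    for el in root.findall("way"):
        ways[el.get("id")] = {"nodes": [nd.get("ref") for nd in el.findall("nd")],
                              "tags": _tags(el)}
    return {"bounds": box, "nodes": nodes, "ways": ways}


def bounds_match(osm, requested, eps=1e-6):
    """True if the cached file covers exactly the (min_lon, min_lat, max_lon,
    max_lat) box you asked for; guards against rendering from a stale or
    mismatched cache file."""
    if osm["bounds"] is None:
        return False
    return all(abs(a - b) < eps for a, b in zip(osm["bounds"], requested))


def count_tags(osm):
    """Number of key/value tags on all nodes and ways (the 1,900 of the text)."""
    return (sum(len(e["tags"]) for e in osm["nodes"].values())
            + sum(len(e["tags"]) for e in osm["ways"].values()))


def way_coords(osm, way_id):
    """The 'Constructing ways' step: resolve nd references to (lat, lon). A
    reference to a node outside the download is an error, not a silent gap."""
    coords = []
    for ref in osm["ways"][way_id]["nodes"]:
        if ref not in osm["nodes"]:
            raise KeyError(f"way {way_id} refers to unknown node {ref}")
        node = osm["nodes"][ref]
        coords.append((node["lat"], node["lon"]))
    return coords


def external_links(osm):
    """(kind, id, key, value) for every Wikipedia/Commons link in the data."""
    found = []
    for kind in ("nodes", "ways"):
        for elem_id, elem in osm[kind].items():
            for key in LINK_KEYS:
                if key in elem["tags"]:
                    found.append((kind[:-1], elem_id, key, elem["tags"][key]))
    return found


def placed_icons(osm):
    """Decide, from the tags alone, which icon goes at which node position."""
    placed = []
    for node in osm["nodes"].values():
        for key, value in node["tags"].items():
            icon = ICON_RULES.get((key, value))
            if icon is not None:
                placed.append((node["lat"], node["lon"], icon))
    return placed


if __name__ == "__main__":
    data = parse_osm(SAMPLE_OSM)
    print("bounds ok:", bounds_match(data, (2.284, 48.860, 2.290, 48.865)))
    print("tags:", count_tags(data))
    print("way 10:", way_coords(data, "10"))
    print("links:", external_links(data))
    print("icons:", placed_icons(data))
```

Point parse_osm at the contents of a real cache/<box>.osm file (after replacing ElementTree with defusedxml if the file did not come from your own download) and the bounds check tells you whether the cache really holds the area named in the file name before you render from it.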


Finally, Figure 11 shows what you get when zooming in as much as the available tiles would allow. Even if it's not possible to show it with static images, the maps at all levels are slippy; you can drag them around to center them on a particular location or to see whatever could not fit in the browser window. Also, please note how, as the zoom level increases, the map remains sharp, because it uses the right tiles for that level, rather than enlarging other tiles.

Conclusions

There are other ways to embed parts of OpenStreetMap in any web page. In the past, for example, I have used uMap [8] with great satisfaction, because it's very intuitive and doesn't require you to install anything. Map Machine, however, is simple to install and use, carries along a great library of icons, and you can always use it with the greatest possible speed, regardless of your Internet connection. Once you have generated the tiles, in fact, nothing prevents you from downloading the Leaflet script and CSS files from their website and changing their links in Listing 3 accordingly. If you do that, the entire map generation process – from tile rendering to tile serving and displaying – will run entirely inside your computer, even without any access to the Internet, always as fast as your processor can run. Not bad, isn't it?

Figure 11: Zooming in, the resolution does not change.

Listing 3: The Simplest Map Machine-Compatible Web Page You Can Write

<!DOCTYPE html>
<html lang="en">
<head>
  <base target="_top">
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <title>Testing Map Machine</title>
  <link rel="shortcut icon" type="image/x-icon" href="docs/images/favicon.ico" />
  <!-- Leaflet CSS and code; the integrity hashes pin the exact 1.9.4 files -->
  <link rel="stylesheet" href="https://unpkg.com/leaflet@1.9.4/dist/leaflet.css"
    integrity="sha256-p4NxAoJBhIIN+hmNHrzRCf9tD/miZyoHS5obTRR9BMY=" crossorigin=""/>
  <script src="https://unpkg.com/leaflet@1.9.4/dist/leaflet.js"
    integrity="sha256-20nQCchB9co0qIjJZRGuk2/Z9VM+kNiyxNV1lvTlZBo=" crossorigin="">
  </script>
  <style>
    html, body {
      height: 100%;
      margin: 0;
    }
    .leaflet-container {
      height: 400px;
      width: 600px;
      max-width: 100%;
      max-height: 100%;
    }
  </style>
</head>
<body>
  <h4>Map Machine test for Linux Magazine</h4>

  <div id="map" style="width: 600px; height: 400px;"></div>
  <script>
    // Center of the area for which the tiles were generated, initial zoom 18
    const map = L.map('map').setView([41.8994, 12.4770], 18);
    // {z}/{x}/{y} are filled in by Leaflet for every tile it needs
    const tiles = L.tileLayer('http://127.0.0.1:8081/tiles/{z}/{x}/{y}', {
      maxZoom: 20,
      attribution: 'Map data &copy; ' +
        '<a href="https://www.openstreetmap.org/copyright">OpenStreetMap</a> ' +
        'contributors, imagery &copy; ' +
        '<a href="https://github.com/enzet/map-machine">Map Machine</a>',
      id: 'map_machine',
      tileSize: 256,
      zoomOffset: 0
    }).addTo(map);
  </script>
</body>
</html>

Info

[1] OpenStreetMap: https://openstreetmap.org
[2] Map Machine: https://github.com/enzet/map-machine
[3] JOSM map editor: https://josm.openstreetmap.de/
[4] cairo graphic library: www.cairographics.org/
[5] GEOS: https://libgeos.org/
[6] Slippy maps: https://wiki.openstreetmap.org/wiki/Slippy_map
[7] Leaflet: https://leafletjs.com/
[8] uMap: https://umap.openstreetmap.fr/en/

The Author

Marco Fioretti (https://mfioretti.com) is a freelance author, trainer, and researcher based in Rome, Italy, who has been working with free/open source software since 1995, and on open digital standards since 2005. Marco also is a board member of the Free Knowledge Institute (http://freeknowledge.eu).



SERVICE
Back Issues

LINUX NEWSSTAND

Order online: https://bit.ly/Linux-Magazine-catalog

Linux Magazine is your guide to the world of Linux. Monthly issues are packed with advanced technical
articles and tutorials you won't find anywhere else. Explore our full catalog of back issues for specific
topics or to complete your collection.

#286/September 2024
Git Ready
The Git version control system is an integral part of the Linux environment. If you’re looking
for a better foundation in Git, or if you already know the basics and are ready to start building
Git into your own custom apps, we’ll make you Git ready.
On the DVD: openSUSE Leap 15.6 and Tails 6.4

#285/August 2024
Kernel Exploits
Is Linux secure? Only if you keep up with the patches. This month we take a close look at how
intruders attack unsafe versions of the Linux kernel through known and well-publicized exploits.
We’ll show you how to set up your own out-of-date kernel to practice on, and we’ll introduce
you to some of the tools and techniques attackers use to gain root access.
On the DVD: AlmaLinux 9.4 Boot DVD and Fedora Workstation 40 Live

#284/July 2024
Laptop Security
In the scary world of the Internet, “more secure than Windows” still isn’t secure enough. If
you want to keep your traveling systems safe from the clutches of the espionage economy,
you’ll need some extra help. We show you how to outfit your laptop with the extra defenses
you’ll need for life on the road.
On the DVD: Ubuntu Budgie 24.04 LTS and Rescuezilla 2.5

#283/June 2024
AI Tools
Everyone is fascinated with AI right now, but at the end of all the articles and interviews and
research, it is fair to ask, what can I do with it really? This month we highlight some AI-based
tools that will help you build your own chatbot, sharpen photo images, and more.
On the DVD: Nobara 39 and Manjaro 23.14 Gnome

#282/May 2024
D-Bus
The D-Bus architecture creates a powerful channel for applications to communicate. A
deeper understanding of D-Bus will help you with troubleshooting. Also, if you know how
D-Bus works, you can customize the interaction of audio tools, text editors, and other apps
to save time and simplify your life.
On the DVD: Kubuntu 23.10 and Clonezilla Live 3.1.2-9

#281/April 2024
Virtual Memory
The classic vision of random access memory is just the beginning of the story. Modern hardware –
and modern operating systems – manage memory in ways that old-school programmers could
only have imagined. This month we take a look at virtual memory in Linux.
On the DVD: elementary OS 7.1 and Mageia 9



SERVICE
Events

FEATURED EVENTS
Users, developers, and vendors meet at Linux events around the world.
We at Linux Magazine are proud to sponsor the Featured Events shown here.
For other events near you, check our extensive events calendar online at
https://www.linux-magazine.com/events.
If you know of another Linux event you would like us to add to our calendar,
please send a message with all the details to [email protected].

All Things Open
Date: October 27-29, 2024
Location: Raleigh, North Carolina
Website: https://2024.allthingsopen.org/
All Things Open is a technology conference focusing on the tools, processes and people making open source possible. Our sophisticated and diverse audience is a technical one that includes designers, developers, decision makers, entrepreneurs and technologists of all types and skill levels.

SeaGL 2024
Date: November 8-9, 2024
Location: Seattle, Washington
Website: https://seagl.org
Founded in 2013, SeaGL (the Seattle GNU/Linux Conference) is a free, grassroots technical summit dedicated to spreading awareness and knowledge about free / libre / open source software, hardware, and culture. SeaGL is geared toward professional technologists, newcomers, enthusiasts, and all other users of free software, regardless of their background knowledge.

SC24
Date: November 17-22, 2024
Location: Atlanta, Georgia
Website: https://sc24.supercomputing.org/
Atlanta is the place to be this fall as the high performance computing community convenes for an exhilarating week of sessions, speakers, and networking at its finest. SC is an unparalleled mix of thousands of scientists, engineers, researchers, educators, programmers, and developers who intermingle to learn, share, and grow.

Events

MSP GLOBAL | Oct 9-10 | Barcelona, Spain | https://mspglobal.com/
SOSS Fusion 2024 | Oct 22-23 | Atlanta, Georgia | https://events.linuxfoundation.org/soss-fusion/
All Things Open 2024 | Oct 27-29 | Raleigh, North Carolina | https://2024.allthingsopen.org/
2024 WISH (Women in Semiconductor Hardware) | Nov 7 | San Jose, California | https://community.gsaglobal.org/s/lt-event?id=a1URi000000JahJMAS
SFSCON 2024 | Nov 8-9 | Bolzano, Italy | https://www.sfscon.it/
SeaGL 2024 | Nov 8-9 | Seattle, Washington | https://seagl.org/
KubeCon + CloudNativeCon North America | Nov 12-15 | Salt Lake City, Utah | https://events.linuxfoundation.org
SC24 | Nov 17-22 | Atlanta, Georgia | https://sc24.supercomputing.org/
Open Source Monitoring Conf. | Nov 19-21 | Nuremberg, Germany | https://osmc.de/
FOSDEM 2025 | Feb 1-2 | Brussels, Belgium | https://fosdem.org/2024/
State of Open Con '25 | Feb 4-5 | London, United Kingdom | https://stateofopencon.com/
Kickstart Europe 2025 | Feb 4-5 | Amsterdam, Netherlands | https://www.kickstartconf.eu/
SCaLE 22x | March 6-9 | Pasadena, California | https://www.socallinuxexpo.org/scale/22x/
FOSS Backstage | March 10-11 | Berlin, Germany | https://24.foss-backstage.de/
CloudFest 2025 | March 17-20 | Europa-Park, Germany | https://www.cloudfest.com/
PyCon US 2025 | May 14-22 | Pittsburgh, Pennsylvania | https://www.python.org/events/python-events/1507/

Images © Alex White, 123RF.com



SERVICE
Contact Info / Authors

Contact Info

Editor in Chief: Joe Casad, [email protected]
Associate Editor: Amy Pettle
Copy Editor: Aubrey Vaughn
News Editor: Jack Wallen
MakerSpace Editor: Hans-Georg Eßer
Managing Editor: Lori White
Localization & Translation: Ian Travis
Layout: Dena Friesen, Lori White
Cover Design: Lori White
Cover Image: © sdecoret, 123RF.com
Advertising: Jessica Pryor, [email protected]
Marketing Communications: Gwen Clark, [email protected]
Linux New Media USA, LLC, 4840 Bob Billings Parkway, Ste 104, Lawrence, KS 66049 USA
Publisher: Brian Osborn

Customer Service / Subscription
For USA and Canada: Email: [email protected], Phone: 1-866-247-2802 (Toll Free from the US and Canada)
For all other countries: Email: [email protected]
www.linux-magazine.com

While every care has been taken in the content of the magazine, the publishers cannot be held responsible for the accuracy of the information contained within it or any consequences arising from the use of it. The use of the disc provided with the magazine or any material provided on it is at your own risk.

Copyright and Trademarks © 2024 Linux New Media USA, LLC.

No material may be reproduced in any form whatsoever in whole or in part without the written permission of the publishers. It is assumed that all correspondence sent, for example, letters, email, faxes, photographs, articles, drawings, are supplied for publication or license to third parties on a non-exclusive worldwide basis by Linux New Media USA, LLC, unless otherwise stated in writing.

Linux is a trademark of Linus Torvalds.

All brand or product names are trademarks of their respective owners. Contact us if we haven't credited your copyright; we will always correct any oversight.

Printed in Nuremberg, Germany by Kolibri Druck.

Distributed by Seymour Distribution Ltd, United Kingdom

Represented in Europe and other territories by: Sparkhaus Media GmbH, Bialasstr. 1a, 85625 Glonn, Germany.

Linux Magazine (Print ISSN: 1471-5678, Online ISSN: 2833-3950, USPS No: 347-942) is published monthly by Linux New Media USA, LLC, and distributed in the USA by Asendia USA, 701 Ashland Ave, Folcroft PA. Application to Mail at Periodicals Postage Prices is pending at Philadelphia, PA and additional mailing offices. POSTMASTER: send address changes to Linux Magazine, 4840 Bob Billings Parkway, Ste 104, Lawrence, KS 66049, USA.

WRITE FOR US

Linux Magazine is looking for authors to write articles on Linux and the tools of the Linux environment. We like articles on useful solutions that solve practical problems. The topic could be a desktop tool, a command-line utility, a network monitoring application, a homegrown script, or anything else with the potential to save a Linux user trouble and time. Our goal is to tell our readers stories they haven't already heard, so we're especially interested in original fixes and hacks, new tools, and useful applications that our readers might not know about. We also love articles on advanced uses for tools our readers do know about – stories that take a traditional application and put it to work in a novel or creative way.

We are currently seeking articles on the following topics for upcoming cover themes:

• Cool Rasp Pi Projects
• Linux Shortcuts and Hacks
• System Rescue

Let us know if you have ideas for articles on these themes, but keep in mind that our interests extend through the full range of Linux technical topics, including:

• Security
• Advanced Linux tuning and configuration
• Internet of Things
• Networking
• Scripting
• Artificial intelligence
• Open protocols and open standards

If you have a worthy topic that isn't on this list, try us out – we might be interested!

Please don't send us articles about products made by a company you work for, unless it is an open source tool that is freely available to everyone. Don't send us webzine-style "Top 10 Tips" articles or other superficial treatments that leave all the work to the reader. We like complete solutions, with examples and lots of details. Go deep, not wide.

Describe your idea in 1-2 paragraphs and send it to: [email protected]. Please indicate in the subject line that your message is an article proposal.

Authors

Bernhard Bablok 69
Erik Bärwaldt 28
Chris Binnie 52
Zack Brown 12
Bruce Byfield 6, 24, 42
Joe Casad 3
Mark Crutch 73
Chris Dock 64
Nate Drake 82
Marco Fioretti 88
Jon "maddog" Hall 74
Daniel LaSalle 32, 78
Vincent Mealing 73
Martin Mohr 36
Thomas Reuß 75
Mike Schilli 58
Koen Vervloesem 16
Jack Wallen 8
Roland Wolters 46



NEXT MONTH
Issue 288

October 4
Issue 288 / November 2024

Smart Home
Stalkernet vendors like Amazon and Google
would love to manage the appliances in your
home, but open source tools like Home Assistant
and OpenHAB offer an alternative for the privacy
minded. Next month we explore some free tools
for home automation.

Preview Newsletter
The Linux Magazine Preview is a monthly email
newsletter that gives you a sneak peek at the next
issue, including links to articles posted online.

Sign up at: https://bit.ly/Linux-Update

Image © naiklon, 123RF.com

