Friday, May 20, 2011

Implementing an embedded system under Microwindows

Foreword: With the rapid development of handheld, wireless, and other embedded devices, the corresponding hardware and software design has changed greatly.

Many devices use 32-bit microprocessors from Intel, MIPS, or Motorola and large-screen LCD graphics displays. Because the desktop operating model has been very successful over the past 10 years, many developers have started using desktop-like operating systems in embedded designs. One of the better solutions is the Linux operating system. Linux gives embedded systems all the functions and features of a desktop computer, and because its source code is open, it allows a wide range of modifications according to the user's specific requirements.

Microwindows overview

Microwindows is a well-known open-source embedded GUI package that aims to bring a modern graphical windowing environment to small devices and platforms running Linux. As an alternative to X Window, Microwindows provides similar functionality while using less RAM and file storage space (100K-600K). Its architecture lets designers easily add a variety of display devices, mice, touch screens, keyboards, and so on. Linux kernels from version 2.2 onward allow user code to access graphics card memory as a frame buffer, so a program writes to the display device by operating on a memory-mapped region, and graphics programs can be developed without understanding the underlying graphics hardware and without using X Window. This is why Microwindows is now in widespread use in embedded systems.

Microwindows is very portable: it is implemented basically in C, with only some critical code written in assembly for speed. Microwindows supports Intel 16-bit and 32-bit CPUs, as well as MIPS R4000 and ARM chips, and it has been ported to some handhelds. Its graphics engine is designed to run on any system that supports readpixel, writepixel, drawhorzline, drawvertline, and setpalette. On top of these underlying functions, the upper layers implement bitmap, cursor, font, and color support.
Microwindows supports the new Linux kernel frame buffer structure, which provides 1, 2, 4, 8, 16, 24, and 32 bits per pixel, and supports both color and grayscale displays. Color display includes two modes: true color (15, 16, and 32 bits per pixel) and palette (1, 2, 4, and 8 bits per pixel). In color display mode, all colors are given in RGB format; the system converts each one to the most similar color that can be displayed, and in monochrome mode converts it to a shade of gray.

Microwindows supports overlapping windows and child windows, complete window and client area clipping, proportional and fixed fonts, and tools for processing font and bitmap files. The system uses optimized drawing functions, so it responds well when the user moves a window. Drawing into memory and then moving the result to the screen makes screen drawing very smooth, which is especially useful for animation, polygon rendering, arbitrary area fills, and clipping.

Although Microwindows fully supports Linux, its portable internal structure is based on a relatively simple screen device interface and can be used on many different RTOSes and on bare metal. The prominent advantage of this is that user-written graphics programs can be shared between projects without being rewritten, and can even run on different targets under different RTOSes.

Microwindows supports graphically simulating the target platform on the host platform. Microwindows applications for Linux can therefore be written and developed on the desktop, tested and run there without cross-compiling, and run directly on the target platform. When the target application runs on the desktop host, its display inside X Window is provided by the Microwindows X Window screen driver rather than by a frame buffer driver.
This driver can accurately simulate the pixel bit depth and colors of the target platform's display, so even if the desktop system uses 24-bit color, it can preview the target application in 2bpp shades.

Microwindows uses a layered design. At the bottom, the screen, mouse/touch screen, and keyboard drivers provide access to the physical devices. In the middle layer, a portable graphics engine supports line drawing, area fills, clipping, and color models. At the top layer are the various APIs that accommodate different application environments.

Two APIs: Win32 and Nano-X

Microwindows offers two popular graphical programming interfaces: a Microsoft Windows Win32/WinCE graphics display interface (GDI) and an Xlib-like interface. The former is the one used by all Windows CE and Win32 applications; the latter, called Nano-X, is the one used at the lowest level by all Linux X widget sets. This lets the large number of Windows programmers develop graphics applications, and likewise lets Linux graphics programmers familiar with the X interface develop them.

Nano-X programming

This article uses the Nano-X API to design an application and discusses the underlying Nano-X program design issues. Nano-X allows applications to connect using a client/server network protocol or a local UNIX domain interface. This allows several applications, on the embedded device or running on a remote host, to connect to the server that displays on Microwindows, which makes Nano-X operate much like the X Window system. At the low level, for most window creation, deletion, and basic drawing functions, the Nano-X API is very similar to X's Xlib library. In addition, because Microwindows is designed to be very small, the package's configuration file offers many options for configuring resources. The following steps create a Nano-X server.

(1) Initialization. The Microwindows package can be downloaded from http://microwindows.org.
First, build a Nano-X server for the host and for the embedded target platform. Most settings are options in the configuration file: extract the package into the microwin/src directory and edit the configuration file. The most important option is ARCH:

    ARCH = LINUX-NATIVE
    ARCH = LINUX-ARM
    ARCH = LINUX-MIPS
    ARCH = LINUX-POWERPC

Setting ARCH to LINUX-NATIVE tells the build to generate programs for the Linux system currently running on the host; the other ARCH values cross-compile for a RISC target platform. Microwindows uses the Arch.rules file to determine the specific settings for each option.

The following settings give the Nano-X server image support:

    HAVE_BMP_SUPPORT = Y
    HAVE_GIF_SUPPORT = Y
    HAVE_JPEG_SUPPORT = Y

The JPEG option requires the location of the external JPEG decompression library, such as LIBJPEG = /usr/lib/libjpeg.a. Most systems provide this decompression library; it can also be downloaded from the Microwindows Web site.

Another important choice is whether to support variable font sizes. By default, drivers/genfont.c provides fixed-size bitmap fonts. To display larger fonts, for example when running an embedded browser, you can add TrueType or Adobe Type 1 fonts. Once the option is set, you specify the font file and pixel size to display, and Microwindows generates the appropriate font size from the external font file. The latest version also supports external Chinese fonts. All fonts can be used with 8-bit ASCII, Unicode-16, or UTF-8; UTF-8 is a byte-stream encoding scheme for Unicode. The font options are as follows:

    HAVE_FREETYPE_SUPPORT = Y
    HAVE_T1LIB_SUPPORT = Y
    HAVE_HZK_SUPPORT = Y

The external FreeType and T1lib libraries provide the TrueType and Adobe Type 1 support. These libraries must be compiled in advance, and their locations must be specified in the configuration file.
All of these libraries are available for download from the Microwindows Web site.

(2) Configuring the output display device. Because Microwindows can run both on a frame buffer system and under X Window, each display driver needs its own settings. If you are already running a Linux desktop, it is best to build the system with the X screen driver first and then generate a frame buffer build for the embedded device. The following options configure the X screen driver:

    X11 = Y
    SCREEN_WIDTH = 640
    SCREEN_HEIGHT = 480
    SCREEN_PIXTYPE = MWPF_TRUECOLOR0888

With these options Microwindows creates a 640 x 480 virtual window on the X desktop, with output in 8-bit color mode (red, green, and blue each use 8 bits). By changing the settings you can simulate the target embedded device on your own desktop. For example, to simulate a 16 bits per pixel display, set SCREEN_PIXTYPE = MWPF_TRUECOLOR565. The MWPF constants are explained in detail in the src/include/mwtypes.h header file.

Setting up the frame buffer display is more complex, because you must make sure the Linux kernel supports the frame buffer. The settings are as follows:

    X11 = N
    FRAMEBUFFER = Y
    FBVGA = Y
    VTSWITCH = Y
    PORTRAIT_MODE = N

The FBVGA option adds screen driver support for 16-color VGA graphics mode, but this option is not usable on embedded systems. The VTSWITCH option lets you, while Microwindows is running on the frame buffer console, hold down the ALT key to open another virtual console. Some embedded systems require this option turned off. The PORTRAIT_MODE option uses L or R to specify that the system runs rotated to the left or right, much like Compaq's iPAQ PDA.

(3) Linux kernel frame buffer support. If running the Nano-X server shows "Can't open /dev/fb0", either the frame buffer has not been opened or the frame buffer driver has not been built into the kernel.
The simplest check is whether you see a penguin icon when the system starts. If there is no icon, confirm that the following options are in the /usr/src/linux/.config file:

    CONFIG_FB=y
    CONFIG_FB_VGA16=y
    CONFIG_FBCON_VGA=y
    CONFIG_FBCON_CFB4=y
    CONFIG_FBCON_CFB8=y

If the system supports graphics card instead of the standard old VGA, can be CONFIG_FB_VGA16 options. Before rebuilding the kernel, back up the old kernel and give the backup location in the lilo.conf file. Enabling the frame buffer is a standard setting on most embedded systems.

The last important configuration step is specifying the mouse or touch screen input driver for Microwindows. Currently Microwindows gets mouse input through the GPM tool or directly from the serial port. GPMMOUSE = Y selects GPM support, after which you run the gpm tool, for example 'gpm -R -t ps2' (PS/2 mouse support). SERMOUSE = Y selects the serial port; also set MOUSE_PORT and MOUSE_TYPE, the two environment variables in src/drivers/mou_ser.c.

(4) Creating a complete demo system. Once the options are set in the configuration file, they stay unchanged unless the user changes them again. The src directory also contains many sample configuration files for different platforms. To build the Nano-X server and run the demo, first enter the microwin/src directory, then type "make". All programs are generated in the microwin/src/bin directory, and the client link libraries are placed in the microwin/src/lib directory. To run the demo, first run the Nano-X server (bin/nano-X), and then run the application:

    bin/nano-X & sleep 1; bin/world

running programs before running the Hugh demonstrationworldplotting

Tips: setting up a local update source for Fedora 8 Linux

After installing Fedora Core 8, the first thing to do is update with yum.

Add a yum update source: the update sources that come with the system are extremely slow and the update never finished. The method used here starts by installing the httpd package:

    # yum install httpd
    # chkconfig httpd on
    # service httpd start
    or
    # /etc/init.d/httpd start

Then install the createrepo kit:

    # yum install createrepo

Then create the Fedora 8 package directory and the update packages directory:

    # mkdir -p /var/www/html/yum/base/8/i386
    # mkdir -p /var/www/html/yum/updates/8/i386

If you have the CD, copy all the RPM packages to the /var/www/html/yum/base/8/i386 directory:

    # cd /misc/cd/Packages; cp -v * /var/www/html/yum/base/8/i386
    # cd

Or find a mirror at http://mirrors.fedoraproject.org/mirrorlists/publiclist/fedora/8 and download with rsync, for example:

    rsync -avrt rsync://ftp-stud.hs-esslingen.de/fedora/linux/releases/8/everything/i386/os/packages/ /var/www/html/yum/base/8/i386

Note that the part marked in red must keep its '/' symbol. Next, run the createrepo command:

    # createrepo /var/www/html/yum/base/8/i386

This command creates a repodata folder in the /var/www/html/yum/base/8/i386 directory, containing the following files:

    # ls -l /var/www/html/yum/base/8/i386/repodata/
    total 9268
    -rw-r--r-- 1 root root 2227275 2008-01-12 21:11 filelists.xml.gz
    -rw-r--r-- 1 root root 6487453 2008-01-12 21:11 other.xml.gz
    -rw-r--r-- 1 root root  747714 2008-01-12 21:11 primary.xml.gz
    -rw-r--r-- 1 root root     951 2008-01-12 21:11 repomd.xml

Then enter the /var/www/html/yum/updates/8/i386 directory and use rsync there to download the latest rpm packages:

    rsync -avrt rsync://ftp-stud.hs-esslingen.de/fedora/linux/updates/8/i386/ --exclude=debug/ /var/www/html/yum/updates/8/i386

Then set up a crontab entry to download the latest packages automatically:

    23 4 */2 * * /usr/bin/rsync -avrt rsync://ftp-stud.hs-esslingen.de/fedora/linux/updates/8/i386/ --exclude=debug/ /var/www/html/yum/updates/8/i386

Finally, go to the /etc/yum.repos.d/ directory and create a file whose name ends in repo, as follows:

    [base-local]
    name=Fedora $releasever - $basearch
    failovermethod=priority
    baseurl=http://192.168.0.100/yum/base/$releasever/$basearch
    #mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-$releasever&arch=$basearch
    enabled=1
    gpgcheck=0

    [updates-local]
    name=Fedora $releasever - $basearch - Updates
    failovermethod=priority
    baseurl=http://192.168.0.100/yum/updates/$releasever/$basearch/
    #mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f$releasever&arch=$basearch
    enabled=1
    gpgcheck=0
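A check for repo files like the one above, as an added example that is not part of the original post: with gpgcheck=0 and a plain http baseurl, yum installs whatever the mirror host serves without verifying package signatures, so it is worth listing which sections run that way. The helper names, the third sample section, and its gpgkey path are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. audit_repo and
# write_sample_repo are hypothetical helper names.

# audit_repo FILE
# Prints "<section> <verdict> <transport>" for every enabled section.
#   verdict:   unsigned = gpgcheck=0, signed = gpgcheck=1,
#              inherit  = not set here, the [main] value in yum.conf applies
#   transport: URL scheme of baseurl (http, https, ftp, file) or "unknown"
audit_repo() {
    awk '
    function emit() {
        if (section == "" || enabled == "0") return
        verdict = "inherit"
        if (gpgcheck == "0") verdict = "unsigned"
        if (gpgcheck == "1") verdict = "signed"
        print section, verdict, transport
    }
    # Trim the line so indented or CRLF files parse the same way.
    { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
    /^#/ || /^$/ { next }
    /^\[.*\]$/ {
        emit()
        section = substr($0, 2, length($0) - 2)
        enabled = "1"; gpgcheck = ""; transport = "unknown"
        next
    }
    {
        # Split on the first "=" only; URLs may contain more of them.
        eq = index($0, "=")
        if (eq == 0) next
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/[ \t]/, "", key); sub(/^[ \t]+/, "", val)
        if (key == "enabled")  enabled = val
        if (key == "gpgcheck") gpgcheck = val
        if (key == "baseurl")  { transport = val; sub(/:.*/, "", transport) }
    }
    END { emit() }
    ' "$1"
}

# write_sample_repo FILE -- constructed sample: the two sections from the
# article plus one signed section whose gpgkey path is a placeholder.
write_sample_repo() {
    cat > "$1" <<'EOF'
[base-local]
name=Fedora $releasever - $basearch
failovermethod=priority
baseurl=http://192.168.0.100/yum/base/$releasever/$basearch
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-$releasever&arch=$basearch
enabled=1
gpgcheck=0

[updates-local]
name=Fedora $releasever - $basearch - Updates
baseurl = http://192.168.0.100/yum/updates/$releasever/$basearch/
enabled = 1
gpgcheck = 0

[updates-signed-example]
name=Constructed example with signature checking on
baseurl=http://192.168.0.100/yum/updates/$releasever/$basearch/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/PLACEHOLDER-KEY
EOF
}

sample=$(mktemp)
write_sample_repo "$sample"
audit_repo "$sample"
rm -f "$sample"
```

Run over /etc/yum.repos.d/*.repo one file at a time, any line ending in "unsigned http" marks a repository where neither the transport nor the packages are authenticated.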

ADSL dial-up and dynamic domain names on Debian Linux

ADSL dial-up and the use of dynamic domain names under Debian.

I. ADSL dial-up

ADSL generally uses the PPPoE protocol. The software used on Debian is rp-pppoe; just install the software:

    apt-get install pppoe pppoeconf

Then run pppoeconf. It automatically detects the network adapter connected to the ADSL line; after you enter the corresponding parameters, such as user name and password, you can use pon to connect to the Internet. The generated profile is /etc/ppp/peers/dsl-provider.

II. Dynamic domain name

First apply for a dynamic domain name at http://www.3322.org/. After applying, get its client from http://www.3322.org/dyndnspage/client.html. Then unzip it; I extracted it to /usr/local/bin/ez-ipupdate. Shell scripts in the /etc/ppp/ip-up.d directory are executed automatically when ppp comes up, so placing the dynamic domain name update there makes the update automatic. You can also put firewall rules and NAT rules in this file. For example, I created a file named 02nat in this directory (note that you must change its attributes to make it executable: chmod 755 02nat):

    #!/bin/bash
    #
    IPTABLES="/sbin/iptables"
    # load the appropriate module
    modprobe iptable_nat
    # clear all rules
    ${IPTABLES} -t filter -F INPUT
    ${IPTABLES} -t filter -F OUTPUT
    ${IPTABLES} -t filter -F FORWARD
    ${IPTABLES} -t filter -X
    ${IPTABLES} -t nat -F PREROUTING
    ${IPTABLES} -t nat -F OUTPUT
    ${IPTABLES} -t nat -F POSTROUTING
    ${IPTABLES} -t nat -X
    ${IPTABLES} -t mangle -F PREROUTING
    ${IPTABLES} -t mangle -F OUTPUT
    ${IPTABLES} -t mangle -X
    # NAT rule
    ${IPTABLES} -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
    # enable packet forwarding
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # dynamic domain name update
    /usr/local/bin/ez-ipupdate -h xxx.3322.org -i ppp0 -S qdns -u username:password

Here xxx.3322.org is the domain name you applied for, username is the user name, and password is the password.

Tricks for hardening a Linux server

We all know that network security is a very important issue, and that the server is the key to network security.

Linux is considered a relatively secure Internet server. Because it is an open-source operating system, once a security vulnerability is found in Linux, volunteers from all over the Internet are eager to fix it. However, administrators often fail to get the fix information and apply it in time, which gives hackers an opening. Compared with vulnerabilities in the system itself, though, more security problems are caused by incorrect configuration and can be prevented by appropriate configuration. The more services a server runs, the more opportunities there are for improper configuration and the greater the chance of a security problem. For this reason, this article explains some ways to strengthen the security of Linux/Unix server systems.

System security log files

The operating system's internal log files are important clues for detecting whether a network intrusion has occurred. If your system is directly connected to the Internet and you find many people making Telnet/FTP login attempts against it, you can run "# more /var/log/secure | grep refused" to check the attacks on the system and take appropriate countermeasures, such as replacing Telnet/rlogin with SSH.

Startup and login security

1. BIOS security
Set a BIOS password and change the boot order so that the system cannot be booted from a floppy disk.

2. User passwords
User passwords are a basic starting point for Linux security. Many people use passwords that are too simple, which is the same as opening the door to intruders. In theory, given enough time and resources, there is no user password that cannot be cracked, but a well-chosen password is hard to break. The better passwords are strings of characters that only the user can easily remember and understand, and that are never written down anywhere.

3. Default accounts
You should disable all accounts that the operating system starts by default and that are not needed. Do this when you first install the system. Linux provides many default accounts, and the more accounts there are, the more vulnerable the system is to attack. You can delete an account with the following command:

    # userdel username

Or delete a group account with the following command:

    # groupdel username

4. Password files
Use the chattr command to add the immutable attribute to the following files, thereby preventing unauthorized users from gaining privileges:

    # chattr +i /etc/passwd
    # chattr +i /etc/shadow
    # chattr +i /etc/group
    # chattr +i /etc/gshadow

5. Disabling the Ctrl+Alt+Delete reboot command
Edit the /etc/inittab file and comment out the "ca::ctrlaltdel:/sbin/shutdown -t3 -r now" line. Then reset the permissions of all files in the /etc/rc.d/init.d/ directory by running the following command, so that only root can read, write, or execute these script files:

    # chmod -R 700 /etc/rc.d/init.d/*

6. Restricting the su command
If you do not want just anyone to be able to su to root, edit the /etc/pam.d/su file and add the following two lines:

    auth sufficient /lib/security/pam_rootok.so debug
    auth required /lib/security/pam_wheel.so group=isd

After this, only users in the isd group can su to root. Subsequently, if you want the user admin to be able to su to root, run the following command:

    # usermod -G10 admin

7. Removing login information
By default, the login prompt includes the name of the Linux distribution, the kernel version, and the server host name. For a machine with high security requirements, this reveals too much information. You can edit /etc/rc.d/rc.local and comment out the following lines that output system information:

    # This will overwrite /etc/issue at every boot. So, make any changes you
    # want to make to /etc/issue here or you will lose them when you reboot.
    # echo "" > /etc/issue
    # echo "" >> /etc/issue
    # echo "Kernel $(uname -r) on $(uname -m)" >> /etc/issue
    # cp -f /etc/issue /etc/issue.net
    # echo >> /etc/issue

Then, do the following:

    # rm -f /etc/issue
    # rm -f /etc/issue.net
    # touch /etc/issue
    # touch /etc/issue.net
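A read-only check that steps 5 to 7 above are actually in effect, as an added example that is not part of the original article. The function names, the check labels, and the sample trees are constructed here; the immutable-attribute step is left out because lsattr needs a file system that supports it.

```shell
#!/bin/sh
# Added example, not from the original article. audit_hardening and
# build_sample_root are hypothetical helper names.

# audit_hardening ROOT
# ROOT is a directory prefix ("" for the live system), so the same checks
# run against a mounted image or a constructed test tree.
# Prints "PASS <check>" or "FAIL <check>" per item; returns 1 on any FAIL.
audit_hardening() {
    root=${1%/}
    fails=0

    # Step 5: an uncommented ctrlaltdel entry still reboots on Ctrl+Alt+Delete.
    if grep -Eq '^[^#]*:ctrlaltdel:' "$root/etc/inittab" 2>/dev/null; then
        echo "FAIL ctrlaltdel-disabled"; fails=$((fails + 1))
    else
        echo "PASS ctrlaltdel-disabled"
    fi

    # Step 5: init scripts must carry no group/other permission bits (mode 700).
    loose=$(find "$root/etc/rc.d/init.d" -type f \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) 2>/dev/null)
    if [ -n "$loose" ]; then
        echo "FAIL initd-mode-700"; fails=$((fails + 1))
    else
        echo "PASS initd-mode-700"
    fi

    # Step 6: su must require pam_wheel on an active "auth required" line.
    if grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+[^#]*pam_wheel\.so' \
        "$root/etc/pam.d/su" 2>/dev/null; then
        echo "PASS su-wheel-only"
    else
        echo "FAIL su-wheel-only"; fails=$((fails + 1))
    fi

    # Step 7: rc.local must not regenerate the banner at boot ...
    if grep -Eq '^[^#]*>+[[:space:]]*/etc/issue' "$root/etc/rc.d/rc.local" 2>/dev/null; then
        echo "FAIL banner-not-regenerated"; fails=$((fails + 1))
    else
        echo "PASS banner-not-regenerated"
    fi
    # ... and both banner files must exist and be empty.
    for f in issue issue.net; do
        if [ -f "$root/etc/$f" ] && [ ! -s "$root/etc/$f" ]; then
            echo "PASS empty-$f"
        else
            echo "FAIL empty-$f"; fails=$((fails + 1))
        fi
    done

    [ "$fails" -eq 0 ]
}

# build_sample_root DIR default|hardened -- constructed test tree, not real data.
build_sample_root() {
    mkdir -p "$1/etc/rc.d/init.d" "$1/etc/pam.d"
    echo '#!/bin/sh' > "$1/etc/rc.d/init.d/network"
    if [ "$2" = hardened ]; then
        echo '#ca::ctrlaltdel:/sbin/shutdown -t3 -r now' > "$1/etc/inittab"
        chmod 700 "$1/etc/rc.d/init.d/network"
        printf '%s\n' 'auth sufficient /lib/security/pam_rootok.so debug' \
            'auth required /lib/security/pam_wheel.so group=isd' > "$1/etc/pam.d/su"
        echo '# echo "" > /etc/issue' > "$1/etc/rc.d/rc.local"
        : > "$1/etc/issue"; : > "$1/etc/issue.net"
    else
        echo 'ca::ctrlaltdel:/sbin/shutdown -t3 -r now' > "$1/etc/inittab"
        chmod 755 "$1/etc/rc.d/init.d/network"
        echo 'auth sufficient /lib/security/pam_rootok.so' > "$1/etc/pam.d/su"
        echo 'echo "" > /etc/issue' > "$1/etc/rc.d/rc.local"
        echo 'Fedora release 8' > "$1/etc/issue"    # issue.net left missing
    fi
}

demo=$(mktemp -d)
build_sample_root "$demo/default" default
build_sample_root "$demo/hardened" hardened
audit_hardening "$demo/default" || echo "default tree: findings listed above"
audit_hardening "$demo/hardened" && echo "hardened tree: clean"
rm -rf "$demo"
```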

Using Linux firewall masquerading to resist hacker attacks

A firewall can be divided into several different security levels.

On Linux, because there are many different firewall packages to choose from, security can range from low to high, and the most sophisticated software provides almost impenetrable protection. However, the Linux kernel itself has a simple built-in mechanism called "masquerading" that can withstand most attacks, except those from the most dedicated hackers.

When we dial up to the Internet, our computer is assigned an IP address, which lets others on the network send information back to our computer. A hacker uses your IP to access the information on your computer. The "IP masquerading" method that Linux uses hides your IP so that others on the network cannot see it. Several groups of IP addresses are reserved specifically for local networks, and Internet backbone routers do not recognize them. The author's computer, for example, has the IP 192.168.1.127, but if you enter this address into your browser, I believe you will receive nothing, because the Internet backbone does not recognize the 192.168.X.X group of IPs. Countless computers on other intranets use the same IP; since you cannot reach them, you of course cannot break into or crack them.

So solving security problems on the Internet would seem simple: just pick an IP address for your computer that nobody else can reach, and everything is solved. Wrong! When you browse the Internet, a server also has to send data back to you, otherwise you see nothing on your screen, and the server can only send information to legitimate IP addresses on the Internet backbone. "IP masquerading" resolves this dilemma. When you set up a Linux computer to use "IP masquerading", it acts as a bridge between the internal and external networks and automatically translates IP addresses from inside to outside and from outside to inside. This is usually called network address translation. In fact, "IP masquerading" is more complicated than that.
Basically, an "IP masquerading" server sits between two networks. If you use an analog dial-up modem to access data on the Internet, that is one network; your internal network usually corresponds to an Ethernet card, and that is the second network. If you use a DSL modem or cable modem, the system will have a second Ethernet card in place of the analog modem. Linux can manage every IP address on each of these networks. So if you have a Windows computer (IP 192.168.1.25) on the second network (Ethernet eth1) that wants to reach the Internet through the cable modem (207.176.253.15) on Ethernet eth0, Linux "IP masquerading" intercepts all TCP/IP packets sent from your browser, removes the original local address (192.168.1.25), and substitutes the real address (207.176.253.15). Then, when the server returns information to 207.176.253.15, Linux automatically intercepts the returning packets and fills the correct local address (192.168.1.25) back in.

Linux can manage several local computers and handle every packet without confusion. The author has an old 486 computer with Slackware Linux installed that simultaneously handles packets sent from four computers to the cable modem without any loss of speed. In the second version of the kernel, "IP masquerading" is handed to the IP management module (IPFWADM, IPfwadm) to manage. The second version of the kernel, while providing the faster and more sophisticated IPCHAINS, continues to provide an IPFWADM wrapper to maintain backward compatibility.
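The address rewriting described above, as an added example that is not part of the original article: a toy model of a masquerading table that shows two internal hosts sharing one public address and shows why a packet that does not belong to a flow opened from inside never reaches the internal network. The function names, the packet format, the starting port 61000, and every address except 192.168.1.25 and 207.176.253.15 are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article: a toy model of the
# masquerading table. Names and the starting port 61000 are assumptions.

# masq_sim PUBLIC_IP  (reads packets on stdin, one per line)
#   out SRC SPORT DST DPORT   packet leaving the internal network
#   in  SRC SPORT DST DPORT   packet arriving on the public interface
# Prints the packet as it looks after translation, or "nomatch" when an
# inbound packet belongs to no flow and is therefore not passed inward.
masq_sim() {
    awk -v pub="$1" '
    BEGIN { next_port = 61000 }
    $1 == "out" {
        flow = $2 ":" $3 " " $4 ":" $5
        if (!(flow in masq_port)) {
            # New flow: allocate a public port and remember the way back.
            masq_port[flow] = next_port
            back[next_port " " $4 ":" $5] = $2 ":" $3
            next_port++
        }
        # The internal source address is replaced by the public one.
        print "out", pub ":" masq_port[flow], "->", $4 ":" $5
        next
    }
    $1 == "in" {
        # A reply is accepted only from the remote endpoint the flow was
        # opened to, on the public port allocated for that flow.
        k = $5 " " $2 ":" $3
        if ($4 == pub && (k in back))
            print "in", $2 ":" $3, "->", back[k]
        else
            print "nomatch", $2 ":" $3, "->", $4 ":" $5
    }'
}

# Constructed packets: two internal hosts use the same source port toward
# the same server, the server answers both, then an unrelated host probes.
sample_packets() {
    cat <<'EOF'
out 192.168.1.25 1025 198.51.100.7 80
out 192.168.1.26 1025 198.51.100.7 80
in 198.51.100.7 80 207.176.253.15 61000
in 198.51.100.7 80 207.176.253.15 61001
in 203.0.113.9 4444 207.176.253.15 61000
in 203.0.113.9 4444 207.176.253.15 23
EOF
}

sample_packets | masq_sim 207.176.253.15
```

In the model, as on a real gateway, a "nomatch" packet is addressed to the gateway itself, so what the gateway listens on and filters still matters.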

Saturday, May 7, 2011

Embedded systems and system-level programmable data sheet

6 Programmable chips for embedded systems

Embedded system hardware has requirements of varying degrees for size, weight, power consumption, cost, and reliability, and some of these indicators carry special requirements.

For example, mobile devices such as mobile phones are particularly sensitive to power consumption, information appliances are sensitive to cost, and military equipment demands extremely high reliability. Because different application areas emphasize different needs, the right hardware platform must be chosen with serious consideration. IC technology has entered the submicron, very-large-scale-integration, and even nanometer era, and building embedded system hardware from system-level programmable chips is the best option, since it can achieve the desired result in size, weight, power consumption, cost, and reliability alike. Dedicated chip design is therefore one of the core technologies of embedded system design. Chips suitable for embedded systems fall into two categories, general-purpose and dedicated, discussed as follows.

6.1 General-purpose chips

General-purpose chips are mainly standard cell ICs, FPGAs, gate arrays, and so on. They compare as follows.

6.1.1 Standard cell IC (that is, a semi-custom ASIC chip)

Advantages:
· Optimal area utilization.
· The best performance can be obtained.

Disadvantages:
· The need to establish a solid design foundation, and the investment of development resources.
· Design is difficult: it requires powerful design tools, and design has to keep up with continually advancing technology. In deep sub-micron (DSM) designs with a design rule length below 0.25 μm, designers typically spend a lot of effort resolving DSM effects such as migration and the antenna effect. These problems are mainly caused by the very small physical structures. This is the reason tools have been developed in the back-end design flow to address these effects.
· It places higher demands on the designers' professional knowledge, and also requires tools supplied by specialist design companies. The more expertise developers have with the tools, the more likely they are to obtain an optimal design (smallest, with the best performance).
· Given the two challenges of the design itself and of applying the tools, shortening design time naturally becomes a determining factor in project scheduling.
· Standard cell ICs carry non-recurring engineering (NRE, Non-recurring Engineering) costs. The fee is mainly for the etching masks; mask design rule length in MCU μ m following the NRE cost typically up to thousands of dollars, in which case breaking even requires that the chip has enough sales.

6.1.2 FPGA (field-programmable gate array)

·: · PGA-costly.
· Compared with standard cell ICs and gate arrays, the FPGA has the advantage of being programmable, mask costs; the finished chip can be modified through programming, hardware risks.

·: (as technology advances, some shortcomings are gradually being overcome)
· In mass production, the FPGA's cost advantage weakens.
· FPGA programmability of silicon area, and thus require larger higher power consumption. To accommodate the increased number of external pins, packages are more expensive. Even in small batch production, the cost of a mask-programmable ASIC solution can sometimes be lower.

6.1.3 Gate array

Advantages:
· For a chip whose gate structure is already complete, such as a "sea of gates" structure, all the design engineer needs to do is implement the ASIC's gate-level routing through the metal layers.
· Gate array technology can achieve system frequencies exceeding what current FPGA technology can provide.
· Gate array development is relatively easy, since most of it can be completed automatically. Gate array development costs much less than a standard cell IC, because the circuit only needs the metal layers added, which greatly reduces the design steps.

Disadvantages:
· Compared with the standard cell IC, the gate array's main drawback is that its area utilization and performance are relatively low.

Standard cell IC (i.e. semi-custom ASIC chip)
· Advantages: optimal area utilization. Get the best performance.
· Disadvantages: to establish a solid basis for the design, development and resource investment.

Anatomy of Linux flash file systems

Flash memory challenges

In addition to the restrictions mentioned previously, managing flash devices also poses many challenges.

The three most important challenges are garbage collection, bad block management, and wear leveling.

Garbage collection

Garbage collection is the process of reclaiming invalid blocks (blocks that contain invalid data). Reclamation involves moving the valid data to a new block and then erasing the invalid block so that it becomes available. If the file system is low on available space, this process is commonly run in the background (or as needed).

Bad block management

After long use, flash devices develop bad blocks, and they can even leave the factory with blocks that cannot be used. A failed flash operation (such as an Erase) or an invalid Write operation (discovered through an invalid Error Correction Code, ECC) indicates that there is a bad block. Once bad blocks have been identified, they are marked inside the flash itself in a bad block table. How this is done depends on the device, but it can be implemented with a separate set of reserved blocks (managed differently from ordinary blocks). The process of handling bad blocks, whether they come from the factory or appear during use, is called bad block management. In some cases it is implemented in hardware by an internal microcontroller and is therefore transparent to the upper-level file system.

Wear leveling

As mentioned previously, flash devices are consumable parts: only a limited number of Erase operations can be performed on a block before it becomes a bad block (and must therefore be marked by bad block management). Wear-leveling algorithms maximize the life of the flash. Wear leveling comes in two forms: dynamic wear leveling and static wear leveling.

Dynamic wear leveling addresses the limit on the number of Erase cycles of a block. Rather than using whatever blocks happen to be available, a dynamic wear-leveling algorithm spreads use evenly across blocks so that each block gets the same amount of use.

Static wear-leveling algorithms solve a more interesting problem. In addition to a maximum number of Erase cycles, some flash devices are affected by a maximum number of Read cycles between two Erase cycles. This means that if data sits in a block for too long and is read many times, the data gradually dissipates until it is lost. Static wear-leveling algorithms solve this problem by periodically moving data to a new block.

The new deb source package formats

This article is reader tumashu's reading notes on man dpkg-source, covering some of the new deb source formats; maybe some friends will be interested.

I. Benefits of the new formats

- Support for the bzip2, lzma (presumably the 7z format) and gzip compression formats.
- Support for multiple upstream tarballs.
- Binary files can be included. The old format stores the changes to the packaged source in a diff file (diff.gz), but a diff is a text file, so to add a binary file (for example a png icon) you need to convert it to text with uuencode, which is more trouble.
- There is no longer any need to repack the upstream tarball in order to strip its debian directory (when the source package is unpacked, the debian directory in the source is automatically replaced by the contents of .debian.tar.{gz,bz2,lzma}).
- Debian-specific changes are no longer saved in a single .diff.gz file but as multiple patch files under debian/patches/. This approach is compatible with quilt, but quilt itself is not needed, because dpkg-source handles everything: it applies the patch files during extraction and updates the patch series in the course of building binary packages.
- The NMU workflow is now really: unpack, hack, rebuild (for all 3.0 (quilt) packages).

II. The new format types

Format: 1.0
Format: 2.0
Format: 3.0 (native)
Format: 3.0 (quilt)
Format: 3.0 (git)
Format: 3.0 (bzr)

III. Format: 1.0

This is the original format: a .dsc file, a .orig.tar.gz file and a .diff.gz file.

IV. Format: 2.0

This format is not recommended for wide use; it is a transitional format.

V. Format: 3.0 (native)

This format is an extension of Format: 1.0 and supports several compression methods {gz,bz2,lzma}.

VI. Format: 3.0 (quilt)

This may be the format of the next Debian release. It is an extension of Format: 2.0, and it is named this way because its patch handling is compatible with quilt.

The source package consists of:

- one .orig.tar.{gz,bz2,lzma} archive, which is the upstream source code, unmodified;
- one .debian.tar.{gz,bz2,lzma} archive, which contains all of the Debian changes;
- zero or more .orig-.tar.{gz,bz2,lzma} archives, for example .orig-hello.tar.{gz,bz2,lzma} or .orig-world.tar.{gz,bz2,lzma}; this is what supports multiple upstream tarballs;
- one .dsc file.

Unpacking the source package:

- First the orig archive is extracted, creating a directory. For example, helloworld_0.1.1.orig.tar.gz creates helloworld-0.1.1, which contains all of the upstream source code.
- Extracting an orig- archive produces a directory. For example, helloworld_0.1.1.orig-toy.tar.gz creates helloworld-0.1.1/toy/, which contains everything inside helloworld_0.1.1.orig-toy.tar.gz; a helloworld-0.1.1/toy/ that already exists is replaced. (I did not read this paragraph of man dpkg-source closely and have probably misunderstood it.)
- Extracting the debian archive generates the debian directory. For example, helloworld_0.1.1.debian.tar.gz creates helloworld-0.1.1/debian/; a debian directory that already exists is deleted in this process …. Note: debian.tar.{gz,bz2,lzma} must contain a debian directory, and it can also contain binary files.
- The patches are applied. The file debian/patches/debian.series or debian/patches/series lists them. Patches must apply with patch -p1. Patches can also delete files. If some patches are applied during extraction, the file debian/patches/.dpkg-source-applied records them. As with quilt's default behaviour, the patches used here can also delete files.

Building the source package:

- Updating the debian-changes- patch: all source archives in the current directory (the orig archive and the component archives) are extracted to a temporary directory, the debian directory is copied into that temporary directory, and finally all patches other than debian-changes- are applied. The resulting temporary directory is compared with the source directory and the differences (if any) are saved as the debian/patches/N > patch file. Changes to binary files cannot appear in the diff and will cause the build to fail, unless the maintainer decides to include the binary file in the debian archive (by listing the name of the added or changed binary file, relative to the source directory, in debian/source/include-binaries). If a binary file is found in a debian subdirectory, the build fails unless its file name is already listed in debian/source/include-binaries.
- Updating debian.tar.{gz,bz2,lzma}: the debian archive is rebuilt from the updated debian directory and the changed binary files (those that are listed).

Note: the automatically generated diff does not include VCS description files or many kinds of temporary files (see the -I option). For example, the .pc directory used by quilt is ignored when the patch is generated automatically during the build.

VII. Format: 3.0 (git)

This source format is experimental; it may be used in the next Debian release or the one after, or maybe never ... It combines the source package with a version control system (git). For the specific details see man dpkg-source.

VIII. Format: 3.0 (bzr)

This source format is experimental; it may be used in the next Debian release or the one after, or maybe never ... It combines the source package with a version control system (bzr). For the specific details see man dpkg-source.

Original link: http://linuxtoy.org/archives/deb-format.tml
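The include-binaries rule described above can be checked by hand before a build. The script below is an added example, not code from dpkg or from the original notes; it treats a file as binary when it contains a NUL byte, which is an assumption made for this sketch, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example (not from dpkg): list binary files under debian/ that are
# not named in debian/source/include-binaries.
# Assumption: "binary" means the file contains a NUL byte. That is a
# heuristic chosen for this sketch, not dpkg-source's own test.

is_binary() {
    # True when removing NUL bytes changes the byte count.
    total=$(($(wc -c < "$1")))
    kept=$(($(tr -d '\000' < "$1" | wc -c)))
    [ "$total" -ne "$kept" ]
}

unlisted_binaries() {
    # $1 = unpacked source directory, e.g. helloworld-0.1.1
    src=$1
    list="$src/debian/source/include-binaries"
    find "$src/debian" -type f | sort | while IFS= read -r f; do
        rel=${f#"$src"/}
        is_binary "$f" || continue
        if [ -f "$list" ] && grep -Fxq -- "$rel" "$list"; then
            continue            # the maintainer listed this one
        fi
        printf '%s\n' "$rel"
    done
}

make_sample_tree() {
    # Constructed sample: two binaries in debian/, only icon.png is listed.
    d=$(mktemp -d)/helloworld-0.1.1
    mkdir -p "$d/debian/source"
    printf '3.0 (quilt)\n' > "$d/debian/source/format"
    printf 'PNG\000\001\002' > "$d/debian/icon.png"
    printf 'BLOB\000\001' > "$d/debian/extra.bin"
    printf 'debian/icon.png\n' > "$d/debian/source/include-binaries"
    printf '%s\n' "$d"
}

# Demo on the constructed tree; prints: debian/extra.bin
unlisted_binaries "$(make_sample_tree)"
```

Any path it prints is a binary that would ride along in the debian archive without the maintainer having listed it.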

FreeBsd5.4 + pf + squid reverse proxy: hands-on notes

(The last two are not dependable in a real deployment; we should first block everything and then gradually open our own services.) That basically completes the pf settings. Now for the squid part.

1. Installing squid

    ./configure --enable-useragent-log --enable-referer-log --enable-default-err-language=Simplify_Chinese --enable-err-languages="Simplify_Chinese English" --disable-internal-dns --enable-pf-transparent
    # make
    # make install
    # mkdir /home/cache    (create the cache directory)

2. Add the user and group that squid runs as (I set both to squid):

    chownsquid: caceee squid/home/usr/local/squid/etc/

Add the internal DNS resolution for squid.conf to /etc/hosts, for example mine:

    192.168.2.2 www.aaa.com
    192.168.2.3 mail.aaa.com

3. Next, configure the squid.conf file (here is my configuration file):

    visible_hostname cache.example.com
    cache_dir ufs /home/cache 1024 16 256
    cache_mem 100 MB
    cache_effective_user squid
    cache_effective_group squid
    http_port 80
    httpd_accel_host virtual
    httpd_accel_single_host off
    httpd_accel_port 80
    httpd_accel_uses_host_header on
    httpd_accel_with_proxy on
    # accelerater my domain only
    acl acceleratedHostA dstdomain .example1.com
    # acl acceleratedHostB dstdomain .example2.com
    # acl acceleratedHostC dstdomain .example3.com
    # accelerater http protocol on port 80
    acl acceleratedProtocol proto HTTP
    acl acceleratedPort port 80
    # access arc
    acl all src 0.0.0.0/0.0.0.0
    # Allow requests when they are to the accelerated machine AND to the
    # right port with right protocol
    http_access allow acceleratedProtocol acceleratedPort acceleratedHostA
    # http_access allow acceleratedProtocol acceleratedPort acceleratedHostB
    # http_access allow acceleratedProtocol acceleratedPort acceleratedHostC
    # logging
    emulate_httpd_log on
    cache_store_log none
    # manager
    acl manager proto cache_object
    http_access allow manager all
    cachemgr_passwd pass all

The squid.conf configuration is now complete.

4. Directory permissions

    chown -R squid:squid /home/cache

A log file is created, by default at /usr/local/squid/var/access.log.

5. Create the cache directories:

    /usr/local/squid/sbin/squid -z

Start squid:

    /usr/local/squid/sbin/squid

My intention in these notes is for the Web service to be handled through the squid reverse proxy and for the other services (at the moment I only have ftp) to be handled through pf. To accomplish this, the following statement has to be added to the pf rules:

    rdr on $lan_if proto tcp from $lan_if to any port 80 -> $lan_if port 80

($lan_if is my gateway's network card.) With this rule, any access to port 80 is forwarded to Squid, which listens on port 80 of the gateway. The pf rules only allow the ftp service. (Question: for access from the external network, does a similar statement need to be added as well?) With that, the FreeBsd5.4 + pf + squid reverse proxy is basically complete.
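The http_access rules in step 3 only do what is intended if every ACL name they use matches an acl line. The check below is an added example, not part of squid or of the original notes; the sample file is constructed from this section's ACL names with one reference deliberately misspelled.

```shell
#!/bin/sh
# Added example (not part of squid): report http_access rules that name an
# ACL which no earlier "acl" line has defined.

undefined_acls() {
    # $1 = path to a squid.conf; prints "LINE: NAME" for each bad reference
    awk '
        /^[ \t]*#/ { next }                    # commented-out directive
        $1 == "acl" { defined[$2] = 1; next }
        $1 == "http_access" {
            for (i = 3; i <= NF; i++) {        # $2 is allow or deny
                name = $i
                sub(/^!/, "", name)            # "!name" negates an ACL
                if (!(name in defined)) print NR ": " name
            }
        }
    ' "$1"
}

make_sample_conf() {
    # Constructed sample: this section's ACLs with one misspelled reference.
    f=$(mktemp)
    cat > "$f" <<'EOF'
acl acceleratedHostA dstdomain .example1.com
# acl acceleratedHostB dstdomain .example2.com
acl acceleratedProtocol proto HTTP
acl acceleratedPort port 80
acl all src 0.0.0.0/0.0.0.0
http_access allow acceleratedProtocol acceleratedPort acceleratedostA
# http_access allow acceleratedProtocol acceleratedPort acceleratedHostB
acl manager proto cache_object
http_access allow manager all
EOF
    printf '%s\n' "$f"
}

# Demo on the constructed file; prints: 6: acceleratedostA
undefined_acls "$(make_sample_conf)"
```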

In-depth security hardening of Linux systems (1)

Because Linux is stable and its source code is publicly available, it is used more and more on the Internet for Web servers and database servers. Along with that, Linux security is receiving more and more attention, and for many people hardening their Linux systems is an urgent task.

So, to harden a Linux system so that it can deal with all kinds of emergencies and hacker attacks, where do we need to start?

1. Install and upgrade

Use the latest Linux distribution. Unplug the network cable before installing so that the physical connection is broken, and during installation use the custom method to choose the packages, installing as few as possible. Generally speaking, a server has no need for X-windows. Add a password restriction to the lilo/grub boot loader to keep out malicious users who have physical access. Because the rescue mode of the Linux install CD can bypass this restriction, the BIOS should also be given a password or the server chassis locked. Put /var, /home, /usr, /root and similar directories on independent physical partitions, so that junk data and logs cannot fill up the hard drive and cause a D.o.S attack. Give the root account a strong password. As soon as installation is finished, upgrade the system software with up2date or apt; sometimes upgrading the kernel is also necessary, because kernel problems likewise give attackers an opportunity. Apt is a powerful Debian GNU Linux package management tool that can also be used on other versions of Linux.

2. Accounts

For the system's users, you can edit /etc/login.defs to change the password policy. Delete unnecessary system accounts and groups; if anonymous FTP is not open, you can also delete the ftp account. The command for deleting an account is as follows:

    [root@ayazero /]# userdel -r username

Local maintenance is the most secure way, but it is not very practical. Root's remote access still needs to be limited: administrators can log on remotely with an ordinary account and then su to root, and we can add the users who use su to the wheel group to improve security. Add the following two lines at the head of the /etc/pam.d/su file:

Edit /etc/securetty and comment out all the consoles that allow root to log in remotely, then prohibit the use of all the console programs; the command is as follows:

Log in using encrypted ssh. If the administrator only logs in from fixed terminals, the range of legitimate ssh clients should also be restricted, to prevent sniffing and man-in-the-middle attacks. At the same time, set the command history to zero, to hide as far as possible the things you did; the command is:

3. Services

Apply the principle of least service: any service that is not needed is commented out. In /etc/inetd.conf, put a "#" in front of unneeded services; newer versions no longer have inetd, which has been replaced by Xinetd. Disable services that run automatically at boot: under /etc/rc.d/rc3.d, change the first letter "S" of the services that do not need to run to "K", leaving the rest unchanged. If you want something simple, you can use the two files /etc/hosts.allow and /etc/hosts.deny, but the iptables firewall is recommended, so I do not go into the details here.

(To be continued)
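The files named in sections 2 and 3 can be reviewed without changing anything. The script below is an added example, not from the original article; it assumes that su is limited to the wheel group with pam_wheel.so (the article's own two lines are not shown), and the sample files are constructed.

```shell
#!/bin/sh
# Added example: read-only audit of the files this section edits.
# $1 is a root prefix so it can run on a copy of /etc ("" = live system).

active_lines() {
    # Print the lines of $1 that are neither blank nor commented out with '#'.
    [ -f "$1" ] || return 0
    grep -Ev '^[[:space:]]*(#|$)' "$1" || true
}

audit_hardening() {
    root=$1
    # Assumption: su is limited to wheel with pam_wheel.so.
    if active_lines "$root/etc/pam.d/su" |
        grep -Eq '^[[:space:]]*auth[[:space:]].*pam_wheel\.so'; then
        echo "OK   su restricted by pam_wheel"
    else
        echo "WARN su not restricted to wheel"
    fi
    # Every active securetty line is a terminal root may log in on.
    n=$(active_lines "$root/etc/securetty" | wc -l)
    echo "INFO securetty active entries: $((n))"
    # inetd.conf: the first field of an active line is the service name.
    active_lines "$root/etc/inetd.conf" | while read -r svc rest; do
        echo "WARN inetd service enabled: $svc"
    done
    # rc3.d entries that still begin with S are started in runlevel 3.
    for link in "$root"/etc/rc.d/rc3.d/S*; do
        [ -e "$link" ] && echo "INFO starts at runlevel 3: ${link##*/}"
    done
    return 0
}

make_sample_etc() {
    # Constructed sample files, not taken from a real host.
    r=$(mktemp -d)
    mkdir -p "$r/etc/pam.d" "$r/etc/rc.d/rc3.d"
    printf '#auth required pam_wheel.so\nauth include system-auth\n' > "$r/etc/pam.d/su"
    printf 'tty1\n#ttyS0\n' > "$r/etc/securetty"
    printf '#ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd\n' > "$r/etc/inetd.conf"
    printf 'telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd\n' >> "$r/etc/inetd.conf"
    : > "$r/etc/rc.d/rc3.d/S80sendmail"
    : > "$r/etc/rc.d/rc3.d/K50xinetd"
    printf '%s\n' "$r"
}

audit_hardening "$(make_sample_etc)"
```

On the constructed files it reports that su is not restricted, one active securetty entry, telnet still enabled in inetd.conf, and S80sendmail starting at runlevel 3.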