™ SPONSORED BY

Since 1994: The Original Magazine of the Linux Community FEBRUARY 2014 | ISSUE 238 | www.linuxjournal.com WEB DEVELOPMENT Develop and Deploy Quickly with PaaS Cloud Services Build a Blog with Django and MongoDB Keep Your DNS Search History Private + GUEST EOF: GIRLS AND SOFTWARE V

WATCH: ISSUE ADD SPLIT INTRO TO SECURITY OVERVIEW TESTING RACK GUIDELINES TO YOUR HOSTING AND FOR WEB WEB APP DEPLOYMENT DEVELOPMENT

LJ238-Feb2014.indd 1 1/21/14 7:52 PM It's Easier to Savor Your Mornings When You Actually Get to Sleep

Code breaks. Apps get buggy. Users complain. New Relic helps you relax by showing you the root cause of your application issues, pointing out bottlenecks, and giving you code-level alerts when something goes wrong. Enjoy your co!ee, you've earned it.

NewRelic.com/sitback

LJ238-Feb2014.indd 2 1/22/14 11:04 AM It's Easier to Savor Your Mornings When You Actually Get to Sleep

Code breaks. Apps get buggy. Users complain. New Relic helps you relax by showing you the root cause of your application issues, pointing out bottlenecks, and giving you code-level alerts when something goes wrong. Enjoy your co!ee, you've earned it.

NewRelic.com/sitback

LJ238-Feb2014.indd 3 1/22/14 11:04 AM FEBRUARY 2014 CONTENTS ISSUE 238 WEB DEVELOPMENT FEATURES 64 A Shining Ruby 76 Simple Ways to 84 Using Django and in Production Add Security to MongoDB to Build Environments Web Development a Blog An introduction Defensive techniques for Why use MongoDB to Rack hosting and the most common Web instead of a Rack-based application attacks, as recommended relational database? deployments. by the OWASP. Mihalis Tsoukalos Fabrizio Soppelsa Nitish Tiwari Cover Cover Image © Can Photo Stock Inc. / maxkabakov

ON THE COVER ‹+L]LSVWHUK+LWSV`8\PJRS`^P[O7HH:*SV\K:LY]PJLZW ‹)\PSKH)SVN^P[O+QHUNVHUK4VUNV+)W  ‹2LLW@V\Y+5::LHYJO/PZ[VY`7YP]H[LW ‹.\LZ[,6-!.PYSZHUK:VM[^HYLW ‹(KK:WSP[;LZ[PUN[V@V\Y>LI(WWW ‹0U[YV[V9HJR/VZ[PUNHUK+LWSV`TLU[W ‹:LJ\YP[`.\PKLSPULZMVY>LI+L]LSVWTLU[W

4 / FEBRUARY 2014 / WWW.LINUXJOURNAL.COM

LJ238-Feb2014.indd 4 1/21/14 7:52 PM INDEPTH 100 Cloud Computing Basics— Platform as a Service (PaaS) PaaS providers offer end-to-end services to develop, design and run business applications in an agile and scalable environment. Mitesh Soni COLUMNS

30 Reuven M. Lerner’s 28 WARZONE 2100 At the Forge Split Testing 38 Dave Taylor’s Work the Shell Framing Images with ImageMagick 44 Kyle Rankin’s Hack and / Own Your DNS Data 48 Shawn Powers’ The Open-Source Classroom BirdCam, Round Two

112 Guest EOF 38 IMAGEMAGICK Girls and Software Susan Sons KNOWLEDGE HUB 98 Webcasts and Whitepapers IN EVERY ISSUE 8 Current_Issue.tar.gz 10 Letters 16 UPFRONT 28 Editors’ Choice 60 New Products 117 Advertisers Index 48 BIRDCAM, ROUND TWO

LINUX JOURNAL (ISSN 1075-3583) is published monthly by Belltown Media, Inc., 2121 Sage Road, Ste. 395, Houston, TX 77056 USA. Subscription rate is $29.50/year. Subscriptions start with the next issue.

WWW.LINUXJOURNAL.COM / FEBRUARY 2014 / 5

LJ238-Feb2014.indd 5 1/21/14 7:52 PM Executive Editor Jill Franklin [email protected] Senior Editor Doc Searls [email protected] Associate Editor Shawn Powers [email protected] Art Director Garrick Antikajian [email protected] Products Editor James Gray [email protected] Editor Emeritus Don Marti [email protected] Technical Editor Michael Baxter [email protected] Senior Columnist Reuven Lerner [email protected] Security Editor Mick Bauer [email protected] Hack Editor Kyle Rankin lj@greenfly.net Virtual Editor Bill Childers [email protected]

Contributing Editors )BRAHIM (ADDAD s 2OBERT ,OVE s :ACK "ROWN s $AVE 0HILLIPS s -ARCO &IORETTI s ,UDOVIC -ARCOTTE 0AUL "ARRY s 0AUL -C+ENNEY s $AVE 4AYLOR s $IRK %LMENDORF s *USTIN 2YAN s !DAM -ONSEN

Publisher Carlie Fairchild [email protected]

Director of Sales John Grogan [email protected]

Associate Publisher Mark Irgang [email protected]

Webmistress Katherine Druckman [email protected]

Accountant Candy Beauchamp [email protected]

Linux Journal is published by, and is a registered trade name of, Belltown Media, Inc. PO Box 980985, Houston, TX 77098 USA

Editorial Advisory Panel "RAD !BRAM "AILLIO s .ICK "ARONIAN s (ARI "OUKIS s 3TEVE #ASE +ALYANA +RISHNA #HADALAVADA s "RIAN #ONNER s #ALEB 3 #ULLEN s +EIR $AVIS -ICHAEL %AGER s .ICK &ALTYS s $ENNIS &RANKLIN &REY s !LICIA 'IBB 6ICTOR 'REGORIO s 0HILIP *ACOB s *AY +RUIZENGA s $AVID ! ,ANE 3TEVE -ARQUEZ s $AVE -C!LLISTER s #ARSON -C$ONALD s #RAIG /DA *EFFREY $ 0ARENT s #HARNELL 0UGSLEY s 4HOMAS 1UINLAN s -IKE 2OBERTS +RISTIN 3HOEMAKER s #HRIS $ 3TARK s 0ATRICK 3WARTZ s *AMES 7ALKER

Advertising % -!),: [email protected] URL: www.linuxjournal.com/advertising 0(/.%     EXT 

Subscriptions % -!),: [email protected] URL: www.linuxjournal.com/subscribe MAIL: PO Box 980985, Houston, TX 77098 USA

LINUX is a registered trademark of Linus Torvalds.

LJ238-Feb2014.indd 6 1/21/14 7:52 PM $UH\RXFRQVLGHULQJVRIWZDUHGHÀQHGVWRUDJH"

zStax StorCore =)68QLÀHG6WRUDJH IURP6LOLFRQ ZFS Unified Storage 0HFKDQLFVLVWUXO\VRIWZDUHGHÀQHGVWRUDJH

)URPPRGHVWGDWDVWRUDJHQHHGVWRDPXOWLWLHUHGSURGXFWLRQVWRUDJHHQYLURQPHQWWKHzStax StorCore =)6XQLÀHGVWRUDJHDSSOLDQFHVKDYHWKHULJKWPL[RISHUIRUPDQFHFDSDFLW\DQGUHOLDELOLW\WRÀW\RXUQHHGV

zStax StorCore 64

February Case Study Feature

zStax StorCore 104

1HZ6WRUDJH6ROXWLRQLV0XVLFWRWKH(DUV 7DONZLWKDQH[SHUWWRGD\ RI)DVW*URZLQJ'LJLWDO0XVLF&RPSDQ\ www.siliconmechanics.com/zstax

LJ238-Feb2014.indd 7 1/21/14 7:52 PM Current_Issue.tar.gz

Developing SHAWN POWERS Webs

piders are really cool. Granted, about split testing. When it comes they’re terrifying, but they’re to commercial Web sites, a high S still really cool. They keep the “conversion rate” is the ultimate pest population down, they create goal for a company, and it’s the job super heroes, and they socialize with of the Web developer to create a little girls eating curds and whey, site that accomplishes that goal. but most impressively, they make Reuven shows how to do just that webs. Their ability to develop such with Ruby, but the principles extend intricate and useful constructions to any platform. Next, Dave Taylor with nothing more than spinnerets finishes his series on scripting with and a little ingenuity is impressive. ImageMagick with a description of Also impressive is the ability for how to put frames around images, programmers to develop applications again from inside a script without the for our Web, the World Wide Web, need for user interaction. and make them accessible instantly Kyle Rankin gives a great lesson on to anyone on the planet. Applications hosting DNS on your own network. usually take more than one evening With Kyle’s article, you’ll learn not to build, but with this issue of Linux only how to host your own DNS to Journal, we hope to make your Web- help with uptime, but also how to weaving a little more efficient, and protect your privacy. My column goes your Web a little more awesome. in the opposite direction, as I expose We start the Web Development my entire backyard to the Internet. issue with Reuven M. Lerner’s column Specifically, I revisit BirdCam. I’ve gotten lots of feedback and questions about

V VIDEO: my backyard setup, so in this article, I Shawn Powers runs discuss some of the changes I’ve made, through the latest issue. including adding motion detection.

8 / FEBRUARY 2014 / WWW.LINUXJOURNAL.COM

LJ238-Feb2014.indd 8 1/21/14 7:52 PM CURRENT_ISSUE.TAR.GZ

For the past few years, Ruby has MongoDB to create a blog. been one of the most popular Web “The Cloud” is quite clearly here development platforms available. to stay. It’s also evolving in such a I’m not a developer myself, but it’s way that the concept of “servers” apparently very straightforward for is becoming less and less important. developers. As a sysadmin, I can tell We’re all familiar with Software as a you it’s not as easy to manage the Service (SaaS), but going even further underlying hosting system. Fabrizio down that rabbit hole is Platform as Soppelsa provides some DevOps a Service (PaaS). Mitesh Soni explores insight and describes managing the benefits of using PaaS and a Ruby system to host those describes how to leverage the concept applications. If you need to host Ruby into your Web development needs. applications, but have struggled to Gone are the days when companies manage the environment, you’ll love need to manage their own Java Fabrizio’s article. platforms. With PaaS in the cloud, Nitish Tiwari follows with a Web development platforms are just great article on security in Web one more commodity you can buy. applications. With the fast-paced We end this issue with a guest post world of Web development, it’s easy from Susan Sons, who responded to overlook a security hole. With TO $OC 3EARLS $ECEMBER  %/& Nitish’s recommendations, you can column on women and Linux. I urge avoid some of the more common you to read her article, and hopefully it exploits. Rather than plugging holes furthers the conversation even more. after the fact, it’s better for everyone We’ve put together a great issue for if the development is done with you this month, and whether or not security in mind from the beginning. you’re a Web developer, you should If you’re developing a Web site find plenty of helpful information that likely will get lots of traffic, you between the digital covers.Q MIGHT BE INTERESTED IN USING A .O31, database instead of the traditional Shawn Powers is the Associate Editor for Linux Journal. relational-style system. Unfortunately, He’s also the Gadget Guy for LinuxJournal.com, and he has such a system isn’t as common, and an interesting collection of vintage Garfield coffee mugs. many folks aren’t sure where to Don’t let his silly hairdo fool you, he’s a pretty ordinary guy begin. This month, Mihalis Tsoukalos and can be reached via e-mail at [email protected]. explains how to use Django and Or, swing by the #linuxjournal IRC channel on Freenode.net.

WWW.LINUXJOURNAL.COM / FEBRUARY 2014 / 9

LJ238-Feb2014.indd 9 1/21/14 7:52 PM letters

Receive your subscription as an enhanced digital edition or PDF for your PC or Mac, on your Nook, Kindle or other eReader (.epub and .mobi formats), or via native Android or iPhone/iPad apps.

Just sayin’.

PS. Please, don’t say that PCs include Linux. In computer slang, PC refers to Windows, and Mac refers to OS X. —Eli

Linux Journal Audience You make a fair point, but the funny First, this is not a hate note, nor part is that if the blurb had specified, any kind of boycott. It’s just about “Windows PC, Mac OS X, and Linux”, something that does not feel right. we’d have gotten messages pointing out that Windows doesn’t have claim Today, I received an e-mail from to the word “PC”. you guys with a renewal offer. And, I was shocked to see that the I think “PCs running Windows or promotion appeals to practically all Linux” would be most correct, but platforms’ users, except...well... then we’d get letters from FreeBSD Linux users! readers. Thank you for the good nature of your letter though, it’s We complain all the time about how greatly appreciated.—Shawn Powers vendors lock out Linux users. For example, there’s a lot of hardware Electronic LJ Is Very Hard for Me out there that is Linux compatible, I subscribed to Linux Journal but you won’t see it mentioned sometime in the first half of the on the box. And, then a Linux 1990s, so that makes my subscription magazine promo reads like this: about 20 years or longer. I read

10 / FEBRUARY 2014 / WWW.LINUXJOURNAL.COM

LJ238-Feb2014.indd 10 1/21/14 7:52 PM [ LETTERS ]

almost all issues, almost entirely, have no problem staring into lamps scanning the difficult articles, FOR HOURS BUT ) DO % PAPER ISNT REALLY zapping through “news items” and a simple alternative. And printing the learning from comments in letters whole issue on normal printing paper, from other readers. Yes, I wanted even with a modern “colour laser” to go on following Linux. As a side BUT ON ! PAPER IS heavy. note (I married since), I changed my subscription to a cheaper ACM offers a print subscription, and I delivery: through ACM membership. read it—not everything (some articles !PPARENTLY THEY HAD BETTER %5 in ACM are too difficult), but I read postage conditions? But, the big parts of it. Linux Journal, which magazine disappeared from the real, tangible world. There was nothing left to hold while traveling, although I could have risked being “the guy who opens a laptop in the Brussels metro”. How long before it falls? I LINUX JOURNAL don’t see laptops getting stolen, but I ARCHIVE DVD don’t see laptops on public transport, except on long-distance travel.

I wouldn’t mind paying extra to have a paper version again. It can be done: localized digitalized printing, with local postage. Isn’t there something like “lulu” and other, often small print-and-ship companies?

A second, but important reason not TO READ A  PAGE MAGAZINE ON anything backlit is eye strain. I am NOW AVAILABLE surely not the only Linux Journal www.linuxjournal.com/dvd reader with aging eyes. Teenagers

WWW.LINUXJOURNAL.COM / FEBRUARY 2014 / 11

LJ238-Feb2014.indd 11 1/21/14 7:52 PM [ LETTERS ]

IS  THE SAME SIZE BUT ON hPRINTER super-female manager. paper” is a heavy book. From what I have seen elsewhere and Is there really no way to find a heard from most of my smart female local printer (in Germany, Belgium, friends, women are not the “be all Netherlands, France, Denmark and and end all” in the workplace. One so on) who can ship the magazine at major problem women have in the reasonable over-land rates? workplace is that they commonly do —HansRens not work well together.

I wish I had a better answer for A good and bad characteristic of you, but we don’t have any near- women is that they tend to be more future plans for offering paper relationship-oriented. Typically, issues. Honestly, I miss the paper pretty women who are not so version as well. I’m not sure of the smart are particularly threatened legality of having a personal copy by smarter women and then display professionally printed, but using all the characteristics that are the something like Lulu or HP MagCloud antithesis of those excellent female probably would work, and can be managerial tributes not attributed done for single print runs. It’s not to men. From many men’s point of perfect, but hopefully, it will suffice view, women in the workplace is a until full-size, color e-ink becomes good thing except when there are a reality.—Shawn Powers women competing with each other. Then you have all sorts of sniping, Women in the Workplace back-stabbing, mental-health days With respect to Doc’s article in Linux off, a very unhappy workplace and Journal, “Mars Needs Women” in the the resulting significant reduction in December 2013 issue, I have a few production. This is not to say that related (at least to me) comments. men aren’t the root cause of similar problems, but that is certainly not as A few years ago, I worked for a common as for women. woman who used to work for me, and she was an excellent manager for both An example: one female bar owner men and women. She is an anomaly in I talked to a few years ago said she that she is very much like the mythical would much rather hire male waiters

12 / FEBRUARY 2014 / WWW.LINUXJOURNAL.COM

LJ238-Feb2014.indd 12 1/21/14 7:52 PM [ LETTERS ]

because when she “told them off” Considering Women in Linux or otherwise constructively criticized Regarding Doc Searls’ article “Mars them, they much less frequently Needs Women” in the December 2013 took the criticism personally and got issue: I enjoy reading articles about on with the job. The male waiters women and Linux. I would like to share quickly would forget the incident with you my observations of a local but still take the criticism to heart. Linux club meeting. Although there are three or four female members (out of Don’t get me wrong. I like having 300), I am often the only woman. There women in the workplace. I liked are 20 or so men, of varying ages, working for some women, and I very everyone with some sort of laptop. I am much disliked working for some introverted and find it difficult to talk very incompetent male managers, to people in general. Most of the men and I enjoyed supervising a group also seem rather shy, but I never sense of women in a pool. It is interesting that I do not belong. I have talked with that I don’t remember experiencing two members actively, and they were the problems I have noted above, friendly and supportive. My feelings of but I did hear, indirectly, that awkwardness are caused by my inability the women very much preferred to interact with them. I go to the working for me rather than a female meetings in order to have some sort of manager. But then I didn’t really contact with others who use Linux. care about relationships other than I made extra effort to be transparent, I have been using Linux since a friend and I made sure that I was, as well installed it on my first computer in 1993 as was perceived to be, fair and just. using something like 20 floppy disks. I never have mastered it, and I usually fix We need more articles, not in Linux problems by re-installing. I’ve gone to a Journal, that are more honest about FEW ,INUX CONFERENCES HERE IN %UROPE ) women in the workplace and how to get am American living in the Netherlands). I women working better with each other. can code in C but have hesitated to get It must be possible, as there are many more involved. I tend to work on one examples where there are very successful project at a time, and if I start a Linux female businesses and organizations. project, all my other projects get ignored. Note, nursing is not one of them. —Roger I am writing this because I feel that

WWW.LINUXJOURNAL.COM / FEBRUARY 2014 / 13

LJ238-Feb2014.indd 13 1/21/14 7:52 PM [ LETTERS ]

framing the discussion in terms of men and women is not helpful, especially when using Western At Your Service stereotypes. I rarely read that some women also are introverted and shy. Therefore, I do not fit in SUBSCRIPTIONS: Linux Journal is available in a variety of digital formats, including PDF, either group Doc discussed in his article. It looks .epub, .mobi and an on-line digital edition, as well as apps for iOS and Android devices. like some progress is being made for younger Renewing your subscription, changing your e-mail address for issue delivery, paying your women (I am 53). But one should not forget that invoice, viewing your account details or other not all women match the “Venus” stereotype. subscription inquiries can be done instantly on-line: http://www.linuxjournal.com/subs. —Rose Dlhopolsky E-mail us at [email protected] or reach us via postal mail at Linux Journal, PO Box 980985, Houston, TX 77098 USA. Please remember to include your complete name Doc Searls replies: Thanks to Rose and others and address when contacting us.

who have reached out in response to my “Mars ACCESSING THE DIGITAL ARCHIVE: Needs Women” EOF column in December 2013. Your monthly download notifications will have links to the various formats I wrote it to stimulate thought and conversation, and to the digital archive. To access the digital archive at any time, log in at and I think succeeded at that. http://www.linuxjournal.com/digital.

LETTERS TO THE EDITOR: We welcome your letters and encourage you to submit them One more thought: it is an error in statistics to at http://www.linuxjournal.com/contact or mail them to Linux Journal, PO Box 980985, impute cause to correlation. So, is the high ratio of Houston, TX 77098 USA. Letters may be men to women in Linux one that correlates to factors edited for space and clarity. other than gender? If so, should we be talking about WRITING FOR US: We always are looking for contributed articles, tutorials and those other factors instead? And what are they? real-world stories for the magazine. An author’s guide, a list of topics and due dates can be found on-line: I don’t yet know, but I do invite readers to check out http://www.linuxjournal.com/author. our guest EOF this month by Susan Sons, who does FREE e-NEWSLETTERS: Linux Journal editors publish newsletters on both a great job of moving this conversation forward. a weekly and monthly basis. Receive late-breaking news, technical tips and tricks, an inside look at upcoming issues and links to in-depth stories featured on http://www.linuxjournal.com. Subscribe WRITE LJ A LETTER for free today: http://www.linuxjournal.com/ enewsletters. We love hearing from our readers. Please ADVERTISING: Linux Journal is a great send us your comments and feedback via resource for readers and advertisers alike. http://www.linuxjournal.com/contact. Request a media kit, view our current editorial calendar and advertising due dates, or learn more about other advertising and marketing opportunities by visiting PHOTO OF THE MONTH us on-line: http://ww.linuxjournal.com/ advertising. Contact us directly for further Remember, send your Linux-related photos to information: [email protected] or [email protected]! +1 713-344-1956 ext. 2.

14 / FEBRUARY 2014 / WWW.LINUXJOURNAL.COM

LJ238-Feb2014.indd 14 1/21/14 7:52 PM LinuxFest Northwest 15th Anniversary

Bellingham, WA April 26th & 27th

)PTUFE
#Z

linuxfestnorthwest.org

LJ238-Feb2014.indd 15 1/21/14 7:52 PM UPFRONT NEWS + FUN diff -u WHAT’S NEW IN KERNEL DEVELOPMENT

Recently, Aldo Iljazi suggested opposition to ditching menuconfig. removing the venerable It’s interesting that certain parts menuconfig build target, on the of the kernel—for example, config grounds that nconfig was an targets that don’t themselves improvement, and there didn’t need bloat the compiled binary (though to be two menu-based configuration they may help select features that systems in the kernel tree. do)—are much easier to get into nconfig is actually based on the the kernel source tree than actual menuconfig code, and they both kernel features. And once in, rely on ncurses to present menus. they are harder to remove. There But nconfig tries to look more was no particular need for nconfig, modern and gives the user a bit given that it performs a similar more control using the keyboard. function to menuconfig, but there The idea went nowhere—perhaps it is in the kernel source tree. These it was just too soon, because helper projects come and go fairly nconfig has a tiny user base easily, probably because there’s not relative to that of menuconfig. much cost to having them, and by But, it was surprising to see how including them in the tree, they get much resistance there was. At the chance to show whether they one point, Alexander Holler really actually may be better than raised the objection that nconfig the alternatives. relied on the Fn keys for its Recently, Jim Lieb tried to operation, which were not simplify the interface that allowed available on software keyboards file servers to impersonate their on smartphones, for example. client user for write operations. But, even after Randy Dunlap This is standard procedure, without pointed out that the regular which files would have the wrong number keys worked just as well, owners, and things like quotas and there still was overwhelming access controls would not be able

16 / FEBRUARY 2014 / WWW.LINUXJOURNAL.COM

LJ238-Feb2014.indd 16 1/21/14 7:52 PM [ UPFRONT ]

to tell whether a user violated a as the primary maintainer of the given constraint. But the existing TPM (Trusted Platform Module) implementation used a combination device driver. TPM is a hardware of various system calls, including authentication system that allows setfsuid(), setfsgid(), setgroups() third-party services to confirm and others to accomplish this. Jim that only a trusted operating wanted to replace the mess with a system and set of software is single switch_creds() system call. running on the device. As it turned out, there was Many other maintainers were support for the general idea listed, several of whom had not of cleaning up the existing been responsive for a while and interface, but no agreement on there was general agreement exactly how it should be done. that the list should be pruned Al Viro, for example, offered and kept accurate. his own implementation that A number of folks tried to avoided some of the complexities contact the various maintainers of Jim’s approach. But both to ask if they were still interested approaches turned out to have in working on the project. significant security gaps, as Eric Ultimately, several folks, such as W. Biederman and Tetsuo Handa Rajiv Andrade and Ashley Lai, pointed out at various times during said they still were interested in the conversation. helping out, but they recognized %VERYONE SEEMS AGREED ON Peter as the project leader. A the fact that the current number of other folks asked to be implementation is a bit messy removed from the maintainers list, and could use a cleaning. But as they had moved on to other apparently the security issues projects or other companies. are devious and need to be Jason Gunthorpe inaugurated gotten right. The current messy the new maintainer hierarchy by implementation also may turn out submitting a set of TPM patches to be the best way to deal with that had been waiting for inclusion those issues—in which case, it and remarking, “there are still really couldn’t be considered lots of patches to go before the messy in the first place. subsystem meets the current kernel Recently, Peter Huewe took over standard.”—ZACK BROWN

WWW.LINUXJOURNAL.COM / FEBRUARY 2014 / 17

LJ238-Feb2014.indd 17 1/21/14 7:52 PM [ UPFRONT ]

Okay, Google

My favorite scene in Star Trek IV is when Scotty tries to use the computer in the 1980s. When he’s told he must use the mouse, he responds, “how quaint”, and then proceeds to try speaking into the mouse for the computer to respond. With the advent of Siri on iOS and voice recognition on Android, it’s beginning to feel like the voice interface portrayed in Star Trek isn’t too far away. But it’s not here just yet. I set up my Nexus 7 tablet with the most recent tools from Google (technically, they’re not yet available for the Nexus 7, but I’m a nerd, so I was able to find a way). I set my now always-responsive tablet on the window ledge in my office, just out of reach but in easy earshot. I went through the entire day, trying to use the tablet as often as possible without touching it. I discovered a few things: Q Outside that small list of things Google is really good at answering, Q Google is really good at giving it doesn’t do anything more than certain types of feedback. If I asked give search results on the tablet. about the time in London, the I was hoping for something like, current weather or the stock price “would you like me to read you the of a popular stock, I’d get a visual most popular search result?” But response along with a voice telling alas, it didn’t even audibly tell me it me the answer. heard my question.

18 / FEBRUARY 2014 / WWW.LINUXJOURNAL.COM

LJ238-Feb2014.indd 18 1/21/14 7:52 PM [ UPFRONT ]

Q Sending texts and e-mail messages is possible, but frustrating and scary. If you’ve ever They Said It tried to use voice calling with a Bluetooth headset, you’ve probably had the awkward However beautiful experience of your phone accidentally trying the strategy, you to call an ex-boyfriend or girlfriend instead should occasionally of calling the plumber. If you’re lucky, you look at the results. can stop it before it rings on their end, but —Winston Churchill thanks to caller ID, you’re likely in for a very uncomfortable followup call. I found Google’s Don’t bother just voice-based messaging more cautious than to be better than my Bluetooth headset, but still potentially your contemporaries bad. This is especially true because the tablet or predecessors. was across the room, making it hard to dive Try to be better and press cancel. than yourself. —William Faulkner So, although we may not be to the point where If women are we can ask Jarvis to order us a pizza while we’re expected to do the flying around in an Ironman suit, we’re definitely same work as men, taking a step in the right direction. The advent of we must teach them Google Glass will make verbal commands more the same things. AND MORE COMMON %VEN IF YOU HATE 'OOGLE —Plato Glass, you can rejoice in the voice interface improvements it doubtlessly will cause. Never read a book Is voice interface more than a novelty for you? through merely Do you successfully send messages to people on because you have a regular basis by dictating only to your smart begun it. device? Did you think Star Trek IV was awesome —John Witherspoon too? I’d love to get feedback on your thoughts concerning voice interfaces, Google Glass and Avoid the crowd. Do the future of interfaces in general. Send me an your own thinking e-mail at [email protected]. I, for one, independently. Be look forward to my first cranial implant. (I’d like the chess player, to wait for version 1.1 though—nobody wants a not the chess piece. buggy brain implant!)—SHAWN POWERS —Ralph Charell

WWW.LINUXJOURNAL.COM / FEBRUARY 2014 / 19

LJ238-Feb2014.indd 19 1/21/14 7:52 PM [ UPFRONT ]

Anubis, the God of Dead Bitcoin Miners

with high-end graphics cards, chances are you’re using the cgminer program to do your mining. Although cgminer provides a nice console- based screen for monitoring your miner, there’s no easy way to see how all Figure 1. Anubis gives a nice overview of all the problems with your miners are my mining farm. doing at once. %NTER !NUBIS With the recent resurgence of Anubis is a Web-based program that Bitcoin and the subsequent vitality interacts over the network to all your of other cryptocurrencies (Litecoin, miners. It then combines the data it for instance), I’ve been receiving lots collected into a simple monitoring of e-mail messages asking how to screen so you can check temperature, mine. I’ve discussed cryptocurrencies errors, efficiencies and even change in LJ quite a bit during the past few configurations on the fly. If you’re years. Recently, a friend introduced running more than one instance of me to Anubis, so I want to mention cgminer in your mining farm, you it briefly here. likely will benefit from Anubis. Check Whether you’re mining for Bitcoins it out at https://github.com/pshep/ with ASIC hardware or Litecoins ANUBIS.—SHAWN POWERS

20 / FEBRUARY 2014 / WWW.LINUXJOURNAL.COM

LJ238-Feb2014.indd 20 1/21/14 7:52 PM [ UPFRONT ]

Full SteamOS Ahead!

Although its timetable may not always be ideal, Valve has come through for Linux users lately. Not only has it released a native Linux version of Steam (with many native games!), it also has expanded (Image from http://www.steampowered.com) its Linux support as the basis for its standalone gaming consoles too. SteamBox. The first step toward If you haven’t tried SteamOS yet, a Steam-powered console is the and if you have an NVIDIA graphics operating system. Thankfully for nerds card, I urge you to go try it out like me, Valve released its operating (store.steampowered.com/steamos/ system (SteamOS) to the public. buildyourown). Will the SteamBox SteamOS is in beta testing right finally bridge the gap between PC now, and unfortunately at the time of gaming and console gaming? Will this writing, it supports only NVIDIA its open-source roots help SteamOS graphics cards. That limits who become the dominant living room can test the OS, but releasing the device? It’s been a number of years, operating system at all is extremely but Valve definitely has invested into exciting! Geeks have been creating the Linux community. Now if you’ll their own XBMC boxes for years, and excuse me, I need to go shoot some now we’ll be able to create our own zombies.—SHAWN POWERS

WWW.LINUXJOURNAL.COM / FEBRUARY 2014 / 21

LJ238-Feb2014.indd 21 1/21/14 7:52 PM [ UPFRONT ]

Linux Help for Neuroscientists

In past articles, I have looked at classical sense. The people behind distributions that were built with NeuroDebian began by working on some scientific discipline in mind. PyMVPA (http://www.pymvpa.org), In this article, I take a look at yet a Python package to do multivariate another one. In this case, I cover pattern analysis of neural data. To what is provided by NeuroDebian make this package easy to deploy, (http://neuro.debian.net). NeuroDebian was created. Over time, I probably should start by more and more packages were added clarifying that NeuroDebian is not to NeuroDebian to try to create the strictly a Linux distribution in the ultimate integrated environment

Figure 1. The Main Page for NeuroDebian

22 / FEBRUARY 2014 / WWW.LINUXJOURNAL.COM

LJ238-Feb2014.indd 22 1/21/14 7:52 PM [ UPFRONT ]

Figure 2. You can get NeuroDebian further down on the main page.

for neuroscience. All of this work is use as your desktop and the mirror described in a scientific paper, “Open from which you want to download. is not enough. Let’s take the next You then get a couple commands that step: an integrated, community-driven you need to run on your system. The computing platform for neuroscience” first one is a wget command meant to (http://www.frontiersin.org/ download an entry for APT and store it Neuroinformatics/10.3389/ in a source file in the directory /etc/apt/ fninf.2012.00022/full). This paper sources.list.d/. The second command is available at the “frontiers in uses apt-key to go out to the MIT PGP .%52/).&/2-!4)#3v 7EB SITE key server to download and install the Installing NeuroDebian is a bit key used to verify the NeuroDebian different from other distributions. packages. Once these two commands On the main home page, there is a have been run, you then can do: section called Get NeuroDebian. Here you can select which distribution you sudo apt-get update

WWW.LINUXJOURNAL.COM / FEBRUARY 2014 / 23

LJ238-Feb2014.indd 23 1/21/14 7:52 PM [ UPFRONT ]

to download the package definitions for If you select either Windows or Mac everything provided by NeuroDebian. OS X as the operating system in This works well if you already are the download section, you will be running some version of Debian, provided with a link to download an or a derivative like Ubuntu, as OVA file. This type of file is a standard your desktop operating system. file format for virtual machines. For But, what can you do if you are example, you can import this file into running Windows or Mac OS X? The Virtual Box (Figure 3). This virtual NeuroDebian project provides a virtual machine uses Debian 7, or Wheezy, as machine option for those situations. the core operating system. The main

Figure 3. The OVA file can be imported in Virtual Box to get a complete environment.

24 / FEBRUARY 2014 / WWW.LINUXJOURNAL.COM

LJ238-Feb2014.indd 24 1/21/14 7:52 PM [ UPFRONT ]

7EB SITE SAYS THAT './-% IS USED AS right-hand corner and go down to the desktop environment. the NeuroDebian menu entry. Here However, when I actually installed you will find all of the particular the latest version of the virtual applications specifically selected for machine, the desktop environment neuroscience. They are broken down THAT IS USED IS 8&#% 9OU EVEN COULD into categories for electrophysiology, use this on your Linux desktop in a medical imaging, psychophysics and a virtual machine. This way, you always section of support links to access the have a stable, complete computing relevant mailing lists. There is also an environment for neuroscience that you entry to re-run the setup wizard for know will not change or be broken. the virtual machine. When you first start up this virtual Now that you have NeuroDebian machine, you will be presented with installed and set up, let’s take a quick some configuration steps. The first look at some of the provided tools. step is to do an update of the installed packages. After this, you will be asked whether you want to take part in an application survey. If you are LINUX JOURNAL using NeuroDebian regularly, you may on your want to take part in order to provide feedback to the team. Several tools Android device require environment variables to be Download set. The next step asks you whether app now in you want these to be set automatically the Android in the default profile settings. The Marketplace next step allows you to select several EXTRA PACKAGES LIKE %MACS A 0Y-60! tutorial and R. Be prepared for a bit of a wait, as there are several packages to be downloaded. In my case, I ended up with a download of 625MB of extra packages. After all of the configuration steps are completed, you can click on the Applications Menu button in the top www.linuxjournal.com/android

WWW.LINUXJOURNAL.COM / FEBRUARY 2014 / 25

LJ238-Feb2014.indd 25 1/21/14 7:52 PM [ UPFRONT ]

The core reason for the creation of Software is not the only thing NeuroDebian was to deploy PyMVPA, provided by the NeuroDebian so let’s start there. PyMVPA provides a distribution. There is also a rather set of tools to do multivariate pattern large set of data packages available, analysis on large data sets. This is all in one location. These include very useful in neuroimaging. Several items like brain atlases, fMRI data processing steps are usually involved from face and object processing in in this type of work flow, such as the ventral temporal cortex, and an data preparation, classification, MRI-based brain atlas of the anatomy feature selection and generalization of a normal human brain. testing. PyMVPA provides high-level There are tutorials for PyMVPA abstraction of these processes. and MRI analysis that require sample A tutorial is available at the data sets. These also are available PyMVPA project Web site that walks from NeuroDebian. Additionally, you through the core concepts and there is a blog on the NeuroDebian processes involved in using it. A full Web site where you can find articles description of what you can do would on specific tools and help with require a whole article on its own. particular techniques. PyMVPA isn’t the only software If you do work in computational included, however. Going to the neuroscience, you could do worse package list at the NeuroDebian than starting with NeuroDebian. home page gives a full listing, This distribution gives you a full broken down into the following set of tools to get you started. categories: distributed computing, There even are further derivatives electrophysiology, magnetic of NeuroDebian, built to support resonance imaging, modeling of classwork or to have a specific subset neural systems, neuroscience datasets of the tools available for well-defined and psychophysics. work flows. Maybe other research An interesting piece of software is communities might be tempted to under the educational category: do a similar project? If you have the virtual-mri-nonfree. This package ability, you should consider offering provides a virtual MRI scanner to some of your skills back to the project simulate running an MRI. This way, you in order to help it grow. Of course, can learn about how scanner parameters this is true of all-open source projects. affect your images—a very cool tool. —JOEY BERNARD

26 / FEBRUARY 2014 / WWW.LINUXJOURNAL.COM

LJ238-Feb2014.indd 26 1/21/14 7:52 PM Linux Journal_Layout 1 1/6/14 10:58 AM Page 1

The Best SharePoint Training in the World! Choose from more than 80 classes and tutorials!

April 22-25, 2014 “This is the place to be if you want to know about SharePoint. Not just technical, but business-related San Francisco Hilton information as well.” —David Pileggi, Lead Consultant, Portal Solutions Bolster your career by “SPTechCon has lots of excellent real-world knowledge, becoming a SharePoint Master! bonding opportunities and the ability to interface with leaders in the space.” • Learn from SharePoint experts, including dozens of —David Miller, Director, IT, Cubic Transportation Systems SharePoint MVPs and Certified SharePoint Professionals • Master document management • Study SharePoint governance • Find out about SharePoint 2013 • Learn how to create applications for SharePoint that solve real business problems

• Exchange SharePoint tips and tricks with colleagues • Test-drive SharePoint solutions in the Exhibit Hall If you or your team needs Microsoft SharePoint training, come to SPTechCon San Francisco!

Register Early and SAVE! www.sptechcon.com

SPTechCon™ is a trademark of BZ Media LLC. SharePoint® is a registered trademark of Microsoft. A BZ Media Event @SPTechCon

LJ238-Feb2014.indd 27 1/21/14 7:52 PM

[ EDITORS' CHOICE ]

™

EDITORS’ A Look at CHOICE Warzone 2100 ★

I’m not really much of a computer gamer. That said, I’m both ashamed and oddly proud of the hours (probably thousands!) I spent playing Dune 2000 back when it was cutting- edge gaming technology. There’s just something about real-time strategy games that appeals to those of us old RTS game I spent so much time lacking the reflexes for the more playing. Warzone 2100 is far better action-packed first-person shooters. than Dune 2000 ever was, however, If you also enjoy games like Dune thanks to its amazing set of features: 2000, Starcraft, Warcraft, Civilization or other RTS classics, Warzone 2100 Q Cross-platform, supporting will be right up your alley. Windows, Mac and Linux. Warzone 2100 reminds me very much of my beloved Dune 2000. The Q Single-player missions. landscapes, the missions and even the look of the game pieces resemble that Q Multiplayer gameplay.

28 / FEBRUARY 2014 / WWW.LINUXJOURNAL.COM

LJ238-Feb2014.indd 28 1/21/14 7:52 PM Q Network and Internet were released. Now the game is hosting/playing. under active development, and it has a healthy community releasing Warzone 2100 truly excels at maps and mods. being a fun, easy-to-learn game. The game is available for direct The coolest part, at least in my download either at SourceForge or its opinion, is its history. Warzone Web site: http://www.wz2100.net. 2100 started as a commercial game. It’s also available using Desura, the Much like the Quake engine was Linux-native game manager (similar open-sourced, Warzone 2100 to Steam) that we’ve covered before was released to the public as an in Linux Journal. Due to its fun and OPEN SOURCE PROJECT BACK IN  relevant gameplay, cross-platform Then, in 2008, the rights of that availability and awesome history, license were clarified, and the Warzone 2100 is this month’s in-game videos and soundtrack also %DITORS #HOICE—SHAWN POWERS

Powerful: Rhino Tablet: Raven

Rhino M4700/M6700 Raven X230/X230 Tablet r Dell Precision M4700/M6700 r ThinkPad X230/X230 tablet by Lenovo w/ Core i7 Quad (8 core) r 12.5" HD LED w/ X@1366x768 r 15.6"-17.3" FHD LED r 2.6-2.9 GHz Core i7 w/ X@1920x1080 r Up to 16 GB RAM r NVidia Quadro K5000M r 750 GB hard drive / 180 GB SSD r 750 GB - 1 TB hard drive r Pen/finger input to screen, rotation r Up to 32 GB RAM (1866 MHz) r Starts at $1920 r DVD±RW or Blu-ray r W530, T430, T530, X1 also available r 802.11a/b/g/n r Starts at $1375 r E6230, E6330, E6430, E6530 also available Rugged: Tarantula

r High performance NVidia 3-D on an FHD RGB/LED Tarantula CF-31 r High performance Core i7 Quad CPUs, 32 GB RAM r Panasonic Toughbook CF-31 r Ultimate configurability — choose your laptop's features r Fully rugged MIL-SPEC-810G tested: r One year Linux tech support — phone and email drops, dust, moisture & more r Three year manufacturer's on-site warranty r 13.1" XGA TouchScreen r Choice of pre-installed Linux distribution: r 2.4-2.8 GHz Core i5 r Up to 16 GB RAM r 320-750 GB hard drive / 512 GB SSD r CF-19, CF-52, CF-H2 also available

EmperorLinux www.EmperorLinux.com ...where Linux & laptops converge 1-888-651-6686

Model specifications and availability may vary.

LJ238-Feb2014.indd 29 1/21/14 7:53 PM COLUMNS AT THE FORGE

Split Testing REUVEN M. LERNER Adding split testing to your Web application is easy, fun and potentially quite profitable.

It’s nice to have many people visit effectiveness of your copy is to do your Web site. It’s even better when “split testing”, sometimes known as people don’t just come to your site, “A/B testing”. Although I heard about but also enjoy your content. But, best A/B testing years ago, I have only of all is when visitors to your site do recently actually started to apply it. what you would like them to do—sign In this article, I describe a simple up for your newsletter, register for way to run split tests on your Web your SaaS application or buy one of pages. The examples I show here are your products. written in Ruby, but there are A/B The rate at which visitors become testing libraries for many different customers is called the “conversion languages. There also are third-party rate”, and it’s probably the top businesses that can help you with A/B priority for Web-based businesses. If testing, either on your own Web site you can convert 10% of your visitors or on your mailing lists, lead pages into customers, you’re doing twice as and other products. well as the person who can convert 5% of visitors into customers. It’s All about Conversion What leads people to convert more The most important thing to keep in often? That’s a question to which I’m mind when you’re doing split testing still learning the answer, as is an entire is that you’re trying to get users to industry of Internet marketers and do something. What that something “conversion optimization” experts. is depends on your site. The goal at The thing is, it’s often difficult to know Amazon is to get you to buy things. what will work. Should you use a green The goal at Google is to get you button or a red one? Should your to click on ads. And the goal for a headline be a question or a statement? mailing-list subscription form is to get One of the most popular, and people to sign up. effective, ways to check the Once visitors have achieved your

30 / FEBRUARY 2014 / WWW.LINUXJOURNAL.COM

LJ238-Feb2014.indd 30 1/21/14 7:53 PM COLUMNS AT THE FORGE

goal, they have been “converted” into Q Wait for enough users to see both. customers. The goal is to increase the number of such conversions—giving Q Analyze the numbers. you more customers, subscribers or users of your system. The key insight Introducing Split with split testing is that by changing the Regular readers of this column know text, graphics and even layout of your that I tend to use Ruby on Rails for most page, the number of conversions will of my Web development work. Rails isn’t change as well. The question is, which the only Web framework written in Ruby, of your various ideas will work best? although it certainly is the most widely Split testing uses the scientific used. All modern Ruby-based Web method, backed by simple statistics, to frameworks use “Rack” to communicate try to answer that question. In science, with the HTTP server software that you can test a hypothesis by using invokes them. This is analogous to the a control and an experiment. Split Python world’s WSGI. The idea in both testing works the same way. You take of these cases is that the HTTP server your existing text and an alternate text, doesn’t need to know much about and display them to your users. One of the Ruby or Python application (or them probably will work better than framework) and vice versa. This means the other. You analyze the numbers libraries that know how to work with to understand which worked better, Rack can operate with any framework, and then you use the best one. Then not just with Rails. In the specific case of you start all over again, trying to find Ruby, Rack-sensitive gems thus can work another improvement via split testing. with Rails, Sinatra or anything else that In order for split testing to work, you follows the Rack API. need to do several things: The Split gem, written by Andrew Nesbitt (with a number of contributors), Q Define what counts as a is one such package of code, able conversion. This often is described to provide split-testing execution in terms of the user arriving at a and analysis to any Rack-compatible particular page on the site, such as application server. It is based on a a “thank you” for shopping that number of earlier split-testing gems, appears after a successful sale. including the well-known A/Bingo gem by Patrick Mackenzie. The idea behind Q Define the control and alternate texts. Split is you identify your conversion

WWW.LINUXJOURNAL.COM / FEBRUARY 2014 / 31

LJ238-Feb2014.indd 31 1/21/14 7:53 PM COLUMNS AT THE FORGE

target, automatically try two or more need to do so. variations on users, collect statistics After installing the gem, you also on which of them actually managed will need to install and start Redis, to achieve more conversions, and then an extremely fast and popular start to test things again. key-value store. I have used Redis in a Split takes care of much of this work number of projects through the years, for you, allowing you to concentrate and I never cease to be amazed by its on the portion of your site you want to utility for caching. In the case of Split, change, rather than the mechanics of Redis is used to keep track of the setting up experiments and reporting experiments you are running. You can their results. Split also implements a start Redis by executing: number of features that ensure the statistical power of your results. For redis-server example, it will involve each participant in only a single experiment at a time, Running a Split Test and it will compare results only after Now that you have installed the gem at least 30 people have seen it. These and Redis, you’re ready to perform options can be changed, of course, but the defaults are more than good enough for most basic tests that you’ll Listing 1. linksplit.rb, the Main Sinatra Application want to run. You install split as you would any #!/usr/bin/env ruby other Ruby gem: class LinkSplit < Sinatra::Base enable :sessions gem install split -V helpers Split::Helper

Note that I use rvm, the Ruby version get '/foo' do manager, which allows me to work with erb :foo multiple versions of Ruby at any given end

time. One side effect of using rvm is get '/bar' do that gems are installed in my own home finished('click_text') directory, rather than on the system. As erb :bar a result, I don’t need to preface the gem end command with sudo; depending on end your system configuration, you might

32 / FEBRUARY 2014 / WWW.LINUXJOURNAL.COM

LJ238-Feb2014.indd 32 1/21/14 7:53 PM COLUMNS AT THE FORGE

some experiments. Let’s create a external HTTP server, you can use the simple Web site using Sinatra, in rackup command: which the page displays a link. While Sinatra has a reputation for rackup config.ru being simple and for allowing you to create a single-page application, I’ve Rack then will run an HTTP server generally gone for a configuration DEFAULTING TO THE BUILT IN 7%"RICK that uses several files: the application server that comes with Ruby), acting itself, a Rack configuration file as the glue between the server (setup.ru) and a Gemfile to list all and your application. The config.ru the Ruby gems I want to use (via the basically bootstraps your application, “Bundler” management gem). These loading the gems listed in the Gemfile are shown in Listings 1, 2 and 3. (thanks to Bundler), then loading Let’s review them briefly. The your application and the special code setup.ru file is the way that Rack needed to run the Split dashboard. runs your application. If you want Then you do something interesting. to run the application without any Rather than simply running your

Listing 2. config.ru, the Rack Configuration File for LinkSplit

Bundler.require

require './linksplit.rb' require 'split/dashboard'

run Rack::URLMap.new("/" => LinkSplit.new, "/split" => Split::Dashboard.new)

Listing 3. Gemfile, Used by Bundler

source 'https://rubygems.org'

gem "sinatra" gem 'split', github: 'andrew/split'

WWW.LINUXJOURNAL.COM / FEBRUARY 2014 / 33

LJ238-Feb2014.indd 33 1/21/14 7:53 PM COLUMNS AT THE FORGE

application, you tell Rack that it should that you’re testing whether “Click route requests to different places. on me!” (the control) converts more Anything starting with a / should go to frequently than “Click here!” (the LinkSplit.new, meaning a new instance experiment). You then pass a block of the Sinatra application. But, to the ab_test method. The block can anything starting with /split will be contain any text you want, and it can routed to a completely separate Sinatra be as long or short as you want. The application, Split::Dashboard.new, part key thing to realize is that the block of the Split gem. parameter (click_text in this case) The Sinatra application defines will contain one of the two text strings. two different URLs, both of which The above split test, thus, will ARE AVAILABLE VIA (440 '%4 REQUESTS compare the efficacy of two different The first, /foo, displays the contents links. But, you easily could switch of the foo.erb file (located in the class of an HTML tag (thus giving VIEWSFOOERB AS SHOWN IN ,ISTING  different styles, including colors While this file seems, on the surface, and fonts), a different location, the to be no different from any other addition of a picture or anything else. %2B EMBEDDED 2UBY DOCUMENT IT Once this is in place, the Split gem contains the telltale sign of a split test: will produce an experiment, displaying one of these text strings to each of <% ab_test("click_text", "Click on me!", your users. Typically, you’ll want to ´"Click here!") do |click_text| %> show them equally. There are ways <%= click_text %> to change the ratios, so that you’re <% end %> showing your experimental text to only a small proportion of your users. The ab_test method, loaded by However, showing these different the line: texts isn’t quite enough. You also need to be able to tell Split when helpers Split::Helper visitors have “converted”—that is, when they have achieved the goal in linksplit.rb does several things at that you set out. In this particular once: it defines a split test (the first case, you want to know which text parameter), and it provides the two is more effective at getting users to alternatives that you are interested in click on the link. So, you should report testing. In this example, you can see a conversion back to Split when the

34 / FEBRUARY 2014 / WWW.LINUXJOURNAL.COM

LJ238-Feb2014.indd 34 1/21/14 7:53 PM COLUMNS AT THE FORGE

Listing 4. views/foo.erb

Foo

<% ab_test("click_text", "Click on me!", ´"Click here!") do |click_text| %> <%= click_text %> <% end %>

user has clicked on the link. In other Rack. It will show the percentage of words, in the Sinatra application’s users who responded to each of your handler for the “/bar” method, you experimental texts, so you can see invoke the “finished” method, passing which was more effective. Split also will it the name of the experiment you tell you the confidence that it has in the want to indicate was finished: results of this test. As a general rule, the more people you test, the more finished('click_text') confident you can be in the results. But, statistics also show that even a Once you have put a split test in (surprisingly) small sample size can give place, you can sit back and wait for you interesting and meaningful results. users to come to your site. Some will The dashboard is useful in several get the first test, and some will get ways. First, it allows you to look at the second. How do you know which your various experiments, seeing how was more effective? By using the Split many people are viewing each of your dashboard, which you connected to experimental texts, and how many /split when you set up routing for did and didn’t complete the test.

WWW.LINUXJOURNAL.COM / FEBRUARY 2014 / 35

LJ238-Feb2014.indd 35 1/21/14 7:53 PM COLUMNS AT THE FORGE

It also allows you, after examining it extremely easy to implement the data, to use one of the two and then act on your optimization experimental texts permanently. This experiments. I encourage you to is useful in several ways. It means that try some experiments on your a nonprogrammer can control and own Web applications and see decide on each text. But, it also means if you can find ways to get your that you don’t have to go back into users to convert into customers. the code and remove your experiment If so, congratulations! You’ve when it is over. You can take some discovered that modern, on-line time, letting the Split system handle marketing requires an understanding it for you. You also can reset the of programming as much as an statistics, allowing you to try new understanding of the customer.Q ideas or throw out old ones. Reuven M. Lerner, a longtime Web developer, consultant and Conclusion trainer, is completing his PhD in learning sciences at Northwestern Split testing is a powerful tool for University. You can learn about his on-line programming courses, helping ensure that your goals are subscribe to his newsletter or contact him at http://lerner.co.il. met—whether those goals are selling something on-line or just getting people to sign up for your mailing Send comments or feedback via list. The Split gem works with any http://www.linuxjournal.com/contact Rack-powered Web site, and it makes or to [email protected].

Resources

The Split gem described here is at https://github.com/andrew/split. As indicated in this article, Split works with any Rack-based Web application, which basically means Ruby on Rails and Sinatra.

You can read more about Sinatra at http://sinatrarb.com.

Patrick Mackenzie, the author of the A/Bingo gem, has written extensively on the subject of conversion optimization. You can read his articles on the subject at http://www.kalzumeus.com. In particular, look for the “conversion optimization” heading on his “greatest hits” page.

36 / FEBRUARY 2014 / WWW.LINUXJOURNAL.COM

LJ238-Feb2014.indd 36 1/21/14 7:53 PM LJ238-Feb2014.indd 37 1/21/14 7:53 PM COLUMNS WORK THE SHELL Framing DAVE TAYLOR Images with ImageMagick For the final article in his series on ImageMagick, Dave shows how to add a fancy 3-D frame to images, resize them to fit a certain size and add a very attractive caption, all in a quick, succinct script.

I’ve come to the end of my journey existing images in bulk. All are with ImageMagick, and in this article, useful tasks, particularly when you I show some really slick techniques can apply the transformation to for creating attractive frames around a set of images or even a folder images, and then I’m done. I’m not (oops, sorry, “directory”) full of done with the column—don’t get too images too. excited—but with this topic. Which This time, I’m first going to look means, yes, you need to communicate at simply pushing the edges of the with me on ideas and suggestions image with empty space, then I for future columns (send e-mail via explore some of the slick capabilities http://www.linuxjournal.com/contact). of ImageMagick’s convert Right. Now let’s proceed. command. The basic image file I’m For the past few months, I’ve dug using is shown in Figure 1. into the many amazing capabilities of The image you’re seeing, by the the ImageMagick command-line image way, is the “Submarine” Spitfire MK manipulation suite, open-source XVI fighter plane from WWII. This software you can download from particular image was taken in 2006 http://www.imagemagick.org. and is of a carefully restored replica, I’ve described analyzing, resizing featured on Wikipedia UK. and even adding watermarks to The most basic form of adding a

38 / FEBRUARY 2014 / WWW.LINUXJOURNAL.COM

LJ238-Feb2014.indd 38 1/21/14 7:53 PM COLUMNS WORK THE SHELL

Figure 1. The Base Image for Manipulation

border is to specify the size of the image, and it would overpower border in horizontal and vertical a tiny thumbnail. ImageMagick’s pixels and the border color. This is got that covered though, because done like so: in addition to specifying pixel size for a border with -border 10x10, $ convert spitfire.jpg -bordercolor black -border 10x10 you also can specify -border ´spitfire-with-border.jpg 10%x10%. Neat! But really, that is one boring frame, This creates a new version of the so let’s do something more interesting spitfire.jpg file with a black 10-pixel and switch from the -border wide and 10-pixel high frame, as parameter to the -frame parameter. shown in Figure 2. For example, here’s a nice The only problem with what I’ve framing effect: done here is that the 10px frame would be barely visible in a huge $ convert spitfire.jpg -frame 25x25+5+5 spitfire-3d.jpg

WWW.LINUXJOURNAL.COM / FEBRUARY 2014 / 39

LJ238-Feb2014.indd 39 1/21/14 7:53 PM COLUMNS WORK THE SHELL

Figure 2. A black 10px frame has been added.

Figure 3. A 3-D frame greatly improves the image presentation.

40 / FEBRUARY 2014 / WWW.LINUXJOURNAL.COM

LJ238-Feb2014.indd 40 1/21/14 7:53 PM COLUMNS WORK THE SHELL

The results are shown in Figure 3— $ convert spitfire.jpg -mattecolor grey -background grey

very nice. ´-frame 20x20+0+3 -gravity South -splice 0x15 -pointsize

Want to change the color of the ´33 -annotate 0x0 "Spitfire MK XVI" -frame 6x6+3+0

frame from the default gray? Use ´spitfire-frame-caption.jpg -mattecolor followed by a color name. Try using -mattecolor You’ve seen much of this already, DarkBlue as a parameter. but here’s what’s new: -gravity, One more interesting which indicates where on the image combination lets you add a frame the subsequent elements should be and a text caption. Name the file positioned; -splice, which adds the smartly, and you can use its name current background color into the as the caption automatically too. image, making space for the label; Here’s a considerably more -pointsize, which specifies using complicated example: 33pt type, not the default (18pt, I believe); and -annotate, which as

Figure 4. Image with 3-D Frame and Label Too

WWW.LINUXJOURNAL.COM / FEBRUARY 2014 / 41

LJ238-Feb2014.indd 41 1/21/14 7:53 PM COLUMNS WORK THE SHELL

you can see takes the legend desired. “Spitfire-MK-XVI.jpg”? And, how Then, there’s a second frame to ensure about removing the filename suffix that there’s a beveled edge on the top and any dashes or underscores in the of the area with the text and, finally, the filename as well? That’s easily done: OUTPUT 4HE RESULT IS SHOWN IN &IGURE  Confusing? Yeah, this stuff confuses label=$(echo $name | sed 's/.jpg//;s/-/ /g;s/_/ /g') me too, truth be told, but the good thing about ImageMagick is that tons So, given a filename like of examples are available on-line “Spitfire-Mk-XVI.jpg”, the resulting that show all sorts of complicated image label will be the far more transformations, and you can tap into visually pleasing “Spitfire Mk XVI”. those to get the formula you need for Now, what else could you do with this your own work. sort of script? Well, for one thing, you With that last example in mind, can combine a few months’ worth let’s write a script that creates a new of ideas and have a script that first version of every .jpg file it finds in a normalizes the size of the image if it’s given directory that includes the name bigger than, say, 800 pixels in width, of the file too: then applies these transforms. That code snippet would be:

#!/bin/sh

for name in *jpg width=$(identify $name | cut -d\ -f3 | cut -dx -f2)

do if [ $width -gt 800 ] ; then

newname=$(echo $name | sed 's/.jpg/-new.jpg/') smaller=$(echo $name | sed 's/.jpg/-800.jpg/')

convert $name -mattecolor grey -background grey -frame convert $name -resize 800 $smaller

´20x20+0+3 -gravity South -splice 0x15 -pointsize 33 name=$smaller

´-annotate 0x0 "$name" -frame 6x6+3+0 $newname fi

done

exit 0 Let’s use the ImageMagick identify command to ascertain That’s pretty easy, but the resulting the width of the current image (with label isn’t very attractive. What if some fiddling to extract just the the filenames were created with datum needed), then test to see if it’s the intention of making useful greater than 800. If it is, then you use and informative labels? So instead convert to resize it to exactly 800 of “spitfire.jpg”, it could be pixels wide, knowing that the program

42 / FEBRUARY 2014 / WWW.LINUXJOURNAL.COM

LJ238-Feb2014.indd 42 1/21/14 7:53 PM COLUMNS WORK THE SHELL

automatically will reduce the height convert $name -resize 800 $smaller

proportionally at the same time. The name=$smaller # caption smaller image, not larger

challenge here is source integrity. As echo "(reduced original image $name to 800px wide)"

with most scripts, you never want to fi

touch the original file. It’s not only echo "Adding caption to $name, saved as $newname"

a smart policy, it’s also a life-saver, convert $name -mattecolor grey -background grey

because it’s quite easy to mess up ´-frame 20x20+0+3 -gravity South -splice 0x15

a script when you’re developing it, ´-pointsize 33 -annotate 0x0 "$name" -frame 6x6+3+0 $newname

and this way, you’re sure that it’s not ´rm $smaller # we don't need it anymore

completely destructive. done

In the previous code block, notice that exit 0 yet another temp version of the file is created in the $smaller variable, a See how that all fits together? version that has the “.jpg” replaced It’s neat and succinct, thanks to the by “-800.jpg” to differentiate itself. amazing powers of the ImageMagick Then, that’s the one to which the suite. And in this case, I’m using only caption is added, producing yet identify to ascertain width and another file called “-new.jpg”. At that convert to reduce, as needed, and point, you really won’t want three add the annotated frame. versions of your file, so the last step That’s it for the journey into is to remove the $smaller interim ImageMagick. Next month, I’ll version at the tail end. delve into some other interesting All told, here’s the resize-to-800px scripting project. Have an idea for and add-filename-based-caption script: something cool? Drop me a note here at the magazine!Q

#!/bin/sh

# Caption images, reducing to max 800px wide as needed Dave Taylor has been hacking shell scripts for more than 30 years.

Really. He’s the author of the popular Wicked Cool Shell Scripts

for name in *.jpg and can be found on Twitter as @DaveTaylor and more generally

do at http://www.DaveTaylorOnline.com.

newname=$(echo $name | sed 's/.jpg/-new.jpg/')

# first, let's shrink it if it's more than 800px wide

width=$(identify $name | cut -d\ -f3 | cut -dx -f2) Send comments or feedback via

if [ $width -gt 800 ] ; then http://www.linuxjournal.com/contact

smaller=$(echo $name | sed 's/.jpg/-800.jpg/') or to [email protected].

WWW.LINUXJOURNAL.COM / FEBRUARY 2014 / 43

LJ238-Feb2014.indd 43 1/21/14 7:53 PM COLUMNS HACK AND /

Own Your KYLE RANKIN DNS Data Why make it easy for people to capture your complete Internet browsing history?

I honestly think most people simply doesn’t capture all of the sites you visit are unaware of how much personal outside Google searches either directly, data they leak on a daily basis as they via RSS readers or via links your friends USE THEIR COMPUTERS %VEN IF THEY HAVE send you. That’s why the implementation some inkling along those lines, I still of Google’s free DNS service on 8.8.8.8 imagine many think of the data they AND  IS SO GENIUSˆSEARCH QUERIES leak only in terms of individual facts, are revealing, but when you capture all such as their name or where they ate of someone’s DNS traffic, you get the lunch. What many people don’t realize complete picture of every site they visit is how revealing all of those individual, on the Internet and beyond that, even innocent facts are when they are every non-Web service (e-mail, FTP, P2P combined, filtered and analyzed. traffic and VoIP), provided that the service Cell-phone metadata (who you uses hostnames instead of IP addresses. called, who called you, the length Let me back up a bit. DNS is one of the call and what time the call of the core services that runs on the happened) falls under this category, Internet, and its job is to convert a as do all of the search queries you hostname, like www.linuxjournal.com, enter on the Internet (more on how to into an IP address, such as secure that in a future column).  7ITHOUT $.3 THE For this column, I discuss a common Internet as we know it today would but often overlooked source of data that cease to function, because basically is far too revealing: your DNS data. You every site we visit in a Web browser, see, although you may give an awful lot and indeed, just about every service of personal marketing data to Google we use on the Internet, we get to via with every search query you type, that still its hostname and not its IP. That said,

44 / FEBRUARY 2014 / WWW.LINUXJOURNAL.COM

LJ238-Feb2014.indd 44 1/21/14 7:53 PM COLUMNS HACK AND /

the only way we actually can reach a you are sending it through a VPN, or host on the Internet is via its IP address, maybe that kind of line tapping simply so when you decide to visit a site, its requires more legal standing), if they hostname is converted into an IP address can get access to your DNS logs (I could to which your browser then opens up a see some arguing that this qualifies connection. Note that via DNS caching as metadata), they would have a fairly and TTL (Time To Live) settings, you complete view of all the sites you visit may not have to send out a DNS query without your ever knowing. every time you visit a site. All the same, This is not just valuable data from these days TTLs are short enough (often a surveillance standpoint, or a privacy ranging between one minute to an hour standpoint, but also from a marketing or two—www.linuxjournal.com’s TTL is STANDPOINT %VEN IF YOU MAY BE FINE 30 minutes) that if I captured all your with the government knowing what DNS traffic for a day, I’d be able to tell porn sites you browse, where you shop, you every Web site you visited along where you get your news and what with the first time that day you visited e-mail provider you use, you may not it. If the TTL is short enough, I probably want a marketing firm to have that data. could tell you every time you went there. Most people tend to use whatever DNS Recursive DNS vs. DNS Caching servers they have been provided. On a The key to owning your DNS data and corporate network, you are likely to get a keeping it private is to run your own set of DNS servers over DHCP when you DNS server and use it for all of your connect to the network. This is important outbound DNS queries. Although many because many corporate networks have people already run some sort of DNS internal resources and internal hostnames caching programs, such as dnsmasq to that you would be able to resolve only if speed up DNS queries, what you want you talked to an internal name server. isn’t simply a DNS cache, but something Although many people assume that can function as a recursive DNS very little privacy at work, home is a resolver. In the case of dnsmasq, it is different matter. At home, you are most configured to use upstream recursive likely to use the DNS servers your ISP DNS servers to do all of the DNS heavy provided you, while others use Google’s lifting (the documentation recommends DNS servers because the IPs are easy to you use whatever DNS servers you remember. This means even if others currently have in /etc/resolv.conf). can’t intercept your traffic (maybe Thus, all of your DNS queries for

WWW.LINUXJOURNAL.COM / FEBRUARY 2014 / 45

LJ238-Feb2014.indd 45 1/21/14 7:53 PM COLUMNS HACK AND /

www.linuxjournal.com go to your DNS so that’s what I prefer, but any of those caching software and then are directed would do the job. The nice thing about to, for instance, your ISP’s DNS servers BIND, particularly in the case of the before they do the traditional recursive Debian and Ubuntu packages, is that all DNS procedure of starting at root name you need to do is run: servers, then going to com, then finally to the name servers for linuxjournal.com. $ sudo apt-get install bind9 So, all of your queries still get logged at the external recursive DNS server. and after the software installs, BIND What you want is a local DNS service automatically is configured to act as that can do the complete recursive a local recursive DNS server for your DNS query for you. In the case of a internal network. The procedure also request for www.linuxjournal.com, would be the same if you were to it would communicate with the root, set this up on a spare Raspberry Pi com and linuxjournal.com name servers running the Raspbian distribution. On directly without an intermediary and other Linux distributions, the package ultimately cache the results like any may just be called bind. other DNS caching server. For outside If BIND isn’t automatically parties to capture all of your DNS logs, configured as a local recursive DNS they either would have to compromise server on your particular Linux your local, personal DNS server on your distribution and doesn’t appear to home network, set up a tap to collect work out of the box, just locate the all of your Internet traffic or set up a options section of your BIND config tap at all the root name servers. All (often in /etc/bind/named.conf, three of these options are either illegal /etc/bind/named.conf.options or or require substantial court oversight. /etc/named/named.conf, depending on the distribution), and if you can’t Install and Configure Your seem to perform recursive queries, DNS Server add the following line under the So, even when you rule out pure DNS options{} section: caching software, there still are a

number of different DNS servers you can options {

choose from, including BIND, djbdns and allow-recursion { 10/8; 172.16/12; 192.168/16; 127.0.0.1; };

unbound, among others. I personally . . .

have the most experience with BIND, }

46 / FEBRUARY 2014 / WWW.LINUXJOURNAL.COM

LJ238-Feb2014.indd 46 1/21/14 7:53 PM COLUMNS HACK AND /

This change allows any hosts on the IP address of your Raspberry Pi those networks (internal RFC1918 or whatever machine on which you IP addresses) to perform recursive installed BIND. To use this name queries on your name server without server for all of your requests, update allowing the world to do so. your /etc/resolv.conf file so that Once you have BIND installed, it contains: you’ll want to test it. If you installed BIND on your local nameserver 127.0.0.1 machine, you could test this out with the dig command: as its only nameserver line. Replace 127.0.0.1 with the IP address of

$ dig @localhost www.linuxjournal.com the machine you installed BIND

; <<>> DiG 9.8.1-P1 <<>> @localhost www.linuxjournal.com on if it isn’t on the same machine.

; (1 server found) On some modern distributions,

;; global options: +cmd there are external tools that tweak

;; Got answer: /etc/resolv.conf for you, so in those

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17485 cases, you may have to edit your

;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0 dhclient.conf or other network

configuration files so that you can

;; QUESTION SECTION: override the provided list of name

;www.linuxjournal.com. IN A servers. Once you do that though,

really that’s all there is to it. Now you

;; ANSWER SECTION: can use DNS knowing that all of your

www.linuxjournal.com. 1800 IN A 76.74.252.198 DNS search data sits on a machine

under your control.Q

;; AUTHORITY SECTION:

linuxjournal.com. 30479 IN NS ns66.domaincontrol.com. Kyle Rankin is a Sr. Systems Administrator in the San Francisco

linuxjournal.com. 30479 IN NS ns65.domaincontrol.com. Bay Area and the author of a number of books, including The

Official Ubuntu Server Book, Knoppix Hacks and Ubuntu Hacks.

;; Query time: 31 msec He is currently the president of the North Bay Linux Users’ Group.

;; SERVER: 127.0.0.1#53(127.0.0.1)

;; WHEN: Wed Dec 18 09:37:13 2013

;; MSG SIZE rcvd: 106 Send comments or feedback via http://www.linuxjournal.com/contact Otherwise, replace localhost with or to [email protected].

WWW.LINUXJOURNAL.COM / FEBRUARY 2014 / 47

LJ238-Feb2014.indd 47 1/21/14 7:53 PM COLUMNS THE OPEN-SOURCE CLASSROOM

BirdCam, SHAWN POWERS Round Two BirdCam is back—now with HD video and archives.

In the October 2013 issue, I number of folks have been doing, described the hardware and software you’ll notice quite a few changes I used to create my “BirdTopia (Figure 1). In this article, I describe the Monitoring Station”, more commonly upgrades, the changes and some of called BirdCam. If you’ve been visiting the challenges along the way. If you BirdCam recently, which a surprising like fun projects like these involving

Figure 1. BirdCam has changed a lot. Here, the biggest changes are highlighted. Also, look at all those birds!

48 / FEBRUARY 2014 / WWW.LINUXJOURNAL.COM

LJ238-Feb2014.indd 48 1/21/14 7:53 PM COLUMNS THE OPEN-SOURCE CLASSROOM

Linux, please read on and join in my later), a 1920x1080-size snapshot birdy obsession! is really ideal. Unfortunately, when I crop the photo, it leaves out the Slicing and Dicing birdbath. Because I spent the money One of the first changes I wanted to on a heated birdbath this winter, I make to BirdCam was to zoom in a didn’t want to miss out on any candid bit on the feeders. Yes, the enormous water shots. You can see in Figure photo provided by the Galaxy S2 2 how I planned to zoom in on the phone mounted in the window is bird feeders and then relocate the nice, but for displaying on a computer birdbath onto what was left of the screen (or HDTV, as I’ll talk about photo. Although it took a bit of trial

Figure 2. My old cell phone takes really high-resolution photos. I was able to clip out the birdbath and overlay it nicely to get a closeup of the feeders.

WWW.LINUXJOURNAL.COM / FEBRUARY 2014 / 49

LJ238-Feb2014.indd 49 1/21/14 7:53 PM COLUMNS THE OPEN-SOURCE CLASSROOM

and error, the code for doing this was added sunrise and sunset information remarkably easy. I used the convert to the annotation, and made it a little program from the ImageMagick more readable. (Figure 1 shows the suite. It might be possible to include annotation in the upper-left corner.) the crop and relocate into a single Although the method for overlaying command, but I just created a temp the information isn’t much different file and then overlayed that temp (you can check it out in the final file later on: script—see Resources for the link), getting the temperature and convert /dev/shm/original.jpg -crop 640x360+1800+1425 \ sunrise/sunset information was /dev/shm/birdbath.jpg challenging. To get the current convert /dev/shm/original.jpg -crop 1920x1080+220+130 \ temperature, I use a little command- /dev/shm/birdbath.jpg -gravity southeast line program called weather-util, -composite \ available in most distro repositories. /dev/shm/final.jpg The program actually gives much more information than is required, so to In the code snippet above, I crop extract just the temperature, you need out the small birdbath photo from to do a little grep-fu: the original camera photo and save it

as birdbath.jpg. Then, with another weather-util -i KPLN | grep Temperature | awk '{print $2}' convert command, I crop the original photo to that 1080p size I mentioned This requires a bit of explanation. earlier and overlay the birdbath onto You need to figure out what the photo with the -composite your four-letter weather ID is. flag. In this little example, I use the The best place to find that is at -gravity flag to put the birdbath in http://weather.noaa.gov. Find the the corner. You can be more precise closest location to you, and then look with the -geometry flag, which you’ll in the URL at the top for the four-letter see in my final script (see Resources). code (usually an airport). For example, the Pellston Regional Airport is my Time and Temp closest, so my ID is KPLN. If you’re The original BirdCam article showed thinking it would be better to get the how to add a timestamp to the top actual temperature from my backyard, I of the photo, but I didn’t mention agree. In fact, I’ll be working on setting how I got the temperature. I’ve since up my own weather station in the

50 / FEBRUARY 2014 / WWW.LINUXJOURNAL.COM

LJ238-Feb2014.indd 50 1/21/14 7:53 PM COLUMNS THE OPEN-SOURCE CLASSROOM

months to come for that very reason. values into a text file that gets used The rest of the code does two during the annotation of the final things. Grepping for “Temperature” BirdCam graphic. Once I get a local returns the line of the weather-util weather station from which I can pull results containing the temperature, information, I might add wind speed and then the awk command extracts and such. For now, I think it’s a useful just the Fahrenheit temperature from bit of information. that line. I set up a cron job to save the temperature into a text file every The WindowCam few minutes, and I use that file to If you’ve been following my blog annotate the BirdCam photo. The or my Twitter feed, you may have sunrise/sunset information is similar, seen a few different iterations of but for that, I use the Yahoo weather WindowCam. I tried weatherproofing INFORMATION 9OULL NEED YOUR 7/%)$ a USB Webcam (Figure 3), which information, which again is available worked until the wind packed snow in the URL when you go to into the “hood” I created with a Dixie http://weather.yahoo.com and cup. For a long time, I leaned an old enter your location information. iPhone against the window and just For example, my weather URL is extracted a photo to embed into the http://weather.yahoo.com/united- final BirdCam photo. The iPhone’s states/michigan/indian-river-2426936, RESOLUTION WAS ONLY X SO IT SO MY 7/%)$ IS  4HE REST IS was fairly simple to embed that image fairly easy using more grep-fu. Here’s (downloaded directly from the iPhone) the code for sunrise: using convert. But of course, I wanted more. My

echo `l=2426936;curl -s http://weather.yahooapis.com/ current window camera is a Logitech

´forecastrss?w=$l|grep astronomy| awk -F\" '{print $2}'` C-920 USB Webcam connected to a computer running Linux. At first I And the code for sunset: connected it to a Raspberry Pi, but the RPi couldn’t do more than five frames

echo `l=2426936;curl -s http://weather.yahooapis.com/ per second. I wanted 15 frames per

´forecastrss?w=$l|grep astronomy| awk -F\" '{print $4}'` second, full HD, so I’m using a full- blown computer. See, not only do I Much like the temperature, I want to embed the window camera have a cron job that stores these into BirdCam, but I also want to have

WWW.LINUXJOURNAL.COM / FEBRUARY 2014 / 51

LJ238-Feb2014.indd 51 1/21/14 7:53 PM COLUMNS THE OPEN-SOURCE CLASSROOM

Figure 3. My Dixie-cup weatherproofing did an okay job, until the snow flew. Now it’s inside looking through the window.

an archive video of the birds that visit pick whatever makes sense for you. my feeder every day. Motion is a frustratingly powerful program. By that, I mean it will do The Magic of Motion so many things, it’s often difficult Much of the feedback I got about to know where to begin. Thankfully, my original BirdCam article included the default configuration file is hWHY DIDNT YOU USE MOTION v 1UITE commented really well, and very few simply, I didn’t have a computer tweaks are required to get things nearby I could attach to a camera. going. For my WindowCam, I have Now I do. Like I mentioned earlier, motion do three things: I started with a Raspberry Pi. If you have simple needs, or a low- 1. Save a snapshot every second. resolution camera, the RPi might This is for BirdCam, so that be plenty of horsepower. Since the it can embed a thumbnail of procedures are the same regardless WindowCam in the corner. (See of what computer you’re using, just Figure 1, with the huge Mourning

52 / FEBRUARY 2014 / WWW.LINUXJOURNAL.COM

LJ238-Feb2014.indd 52 1/21/14 7:53 PM COLUMNS THE OPEN-SOURCE CLASSROOM

Dove in the corner.) model to see if other folks have used it, or you can check an 2. When motion is detected, save on-line database before buying. See full-resolution images, 15 frames http://www.ideasonboard.org/uvc every second. Note, this is a lot for a list of devices known to work, of photos, especially with a busy but if you’re getting an off-brand WindowCam. I easily get 100,000 model, you might just have to try it photos or more a day. to find out. Interesting to note, if you see a “Certified for Windows Vista” 3. Record videos of motion detected. sticker, the camera is UVC-compliant, I actually don’t do this anymore, as that’s a requirement for Windows because it’s hard to deal with Vista certification. hundreds of short videos. I just take I chose the Logitech C920 USB the photos saved in step two and camera, which supports 1920x1080 create a daily archival video (more (1080p) video at 30fps. By default, on that later). the camera autofocuses, which sounds like a great idea. Unfortunately, Motion will do much, much more. I found the camera almost never It will support multiple cameras. focuses on what I want, especially if It can handle IP cameras. It can it’s very close to the camera, which fire off commands when motion is the birds tend to be. If you have issues detected (turn on lights, or alarms, with autofocusing, you might want or text you and so on). But I’ll leave to try tweaking the camera on the those things for BirdCam 3.0! Let’s command-line. I have the following configure motion. added to my startup scripts to turn off autofocus, and I set the manual Motion: Choosing a USB Camera focus to just outside my window: You want a camera that is UVC (USB Video-Compatible). It would be nice uvcdynctrl -s "Focus, Auto" 0 if cameras had a nice “USB Video- uvcdynctrl -s "Focus (absolute)" 25 Compatible!” sticker on the box, but sadly, they never do. The good news You’ll need to play around with is that many cameras are compatible, the focus value to get it just right, even if they don’t brag about it. You but if your camera supports manual can google for a specific camera focus, you should be able to tweak it

WWW.LINUXJOURNAL.COM / FEBRUARY 2014 / 53

LJ238-Feb2014.indd 53 1/21/14 7:53 PM COLUMNS THE OPEN-SOURCE CLASSROOM

for sharp images that don’t need to Next, open the config file (as autofocus every time a bird lands. root), and make some changes. I’ll name the directive to search Motion: Configuring the Config for below, then talk a bit about Installing motion is usually nothing the settings. These configuration more than finding it in your directives should all be in your repositories and installing. You’ll /etc/motion/motion.conf file. You’ll probably have to edit a file in order just need to modify these values: to get it to start at boot (like the /etc/default/motion file in Ubuntu), Q width: I use width 1280 for but it’s not too painful. It’s important MY CAMERA %VEN THOUGH IT to understand a few things about the supports 1080p, I actually only default config: record at 720p (1280x720). It saves space and still produces 1. Usually the “root” folder motion HD quality content. uses by default is in the /tmp folder. This could cause issues on Q height: in order to get the your system if you just leave it proper aspect ratio, I set this to alone and let it run—it could fill height 720. Note, my camera your /tmp partition and make your will take photos only with the system break. 16x9 aspect ratio, even if I set it to something else. 2. Motion uses /dev/video0 by default. This is good, as it most likely is the Q framerate: this is how many device name of your USB camera. If frames are captured per second. I you have a funky camera though, use framerate 15, which provides you might need to change the fairly smooth motion while saving device setting. the most disk space. With the Raspberry Pi, I could get around 3. When you make a change to the FPS WITH A X CAMERA BEFORE configuration file, you need to the CPU load maxed out. restart motion for it to take effect. That generally means running Q threshold: this is how many sudo service motion restart pixels must change before the or something similar. program triggers a motion event.

54 / FEBRUARY 2014 / WWW.LINUXJOURNAL.COM

LJ238-Feb2014.indd 54 1/21/14 7:53 PM COLUMNS THE OPEN-SOURCE CLASSROOM

I left the default, then tweaked Q target_dir: this setting is very it later. My setting currently is important. This directory will be the threshold 2500. “root” directory of all files created by motion. Both photo and video Q minimum_motion_frames: by files are kept in this directory, so default, this is set to 1. I found although using the ramdisk might that occasional camera glitches sound like a good idea, it probably would fire off a motion event, will fill up quickly. even if nothing moved. Setting this to 2 or 3 will make sure Q snapshot_filename: this will be there’s actual motion and not the periodic snapshot filename. a camera glitch. Mine is I set it to a single filename so minimum_motion_frames 2. that it is overwritten constantly, but you can leave it with the Q quality: the default quality of datestring stuff so it will keep all 75 is probably fine, but I really the files. This filename is relative wanted a sharp image, especially to target_dir, so if you try to since I spent almost $100 on a set an absolute path, it still will camera. I set this to quality 95. be relative to target_dir. You can, however, add a directory Q ffmpeg_cap_new: this is the name. On my system, target_dir setting that will tell motion to is /home/birds, and I have a record videos. I had this “on” at symbolic link inside /home/birds first (it defaults to “off”), but named ram, which points to a I ended up with hundreds of folder inside the /dev/shm ramdisk. short little videos. If you turn it I then set snapshot_filename on, fiddle with the other ffmpeg ram/windowcam, and it overwrites options as well. the windowcam.jpg file in my ramdisk every second. This saves Q snapshot_interval: this will wear and tear on my hard drive. capture a single image every N seconds. I have it set to Q jpeg_filename: this directive is snapshot_interval 1 and similar to snapshot_filename, use the image for embedding but instead, it’s where the 15 into BirdCam. images per second are stored. This

WWW.LINUXJOURNAL.COM / FEBRUARY 2014 / 55

LJ238-Feb2014.indd 55 1/21/14 7:53 PM COLUMNS THE OPEN-SOURCE CLASSROOM

is one you don’t want to redirect to see motion, but it doesn’t tax to a ramdisk, unless you have the server. an enormous ramdisk. I kept the default string for naming the Q webcam_localhost: by default, files. My setting puts the photos this is set to “on”, which means in a separate folder, so it looks only the localhost can view the like this: jpeg_filename Webcam stream. If you want to photos/%Y-%m-%d_%H.%M.%S-%q. view it remotely, even from other computers on your LAN, you’ll need Q movie_filename: this is what to change this to “off”. determines the name and location of the ffmpeg videos. I’m not Although that seems like a huge saving ffmpeg videos anymore, number of options to fiddle with, so my setting is moot, but this many of the defaults will be fine for is where you assign folder and you. Once you’re happy with the NAME LOCATION %VEN THOUGH settings, type sudo service motion mine isn’t used anymore, my restart, and the server should setting from when I did record re-read your config file and start video is movie_filename doing what you configured it to do. movies/%Y-%m-%d_%H.%M.%S. 100,000 Photos? Q webcam_port: by default, this is I probably could talk about the fun set to 0, which means the Webcam things I do with my BirdCam server is disabled. On a Raspberry Pi, I for two or three more articles. Who don’t recommend turning this on, knows, maybe I’ll visit the topic but on my Intel i5-based system, I again. Before I close this chapter have it set to port 8081. It creates though, I want to share a cool thing A LIVE -*0%' STREAM THAT CAN I do to archive the bird visits for a be viewed from a browser or IP given day. I mentioned that I end camera-viewing software (like from up with more than 100,000 photos an Android tablet). a day from detected motion, and quite honestly, looking through that Q webcam_maxrate: this determines many photos is no fun. So at the end frames per second. I have this OF EVERY DAY ) CREATE AN -0 VIDEO set to 10, which is fast enough using the images captured. I’ve tried

56 / FEBRUARY 2014 / WWW.LINUXJOURNAL.COM

LJ238-Feb2014.indd 56 1/21/14 7:53 PM COLUMNS THE OPEN-SOURCE CLASSROOM

a few different tools, but the easiest accounts, it means I can upload a to configure is mencoder. If you get three-hour archive video of birds at mencoder installed (it should be in my window to YouTube, and have your repositories), you can turn those them store and display my video in the photos into a movie like this: cloud—and for free! Because this is Linux, I wanted to

mencoder "mf:///home/birds/photos/*.jpg" \ find a way to script the uploading

-o /home/birds/archive/`date +"%Y-%m-%d"`-WindowCam.avi -fps 15 \ and naming of my daily video.

-ovc lavc -lavcopts vcodec=mpeg4:mbd=2:trell:vbitrate=7000 Thankfully, there’s a really cool program called ytu, which stands I run that command from cron every for YouTube Uploader. It’s simple, evening after sundown. Then I delete but very powerful. Download the images, and I’m ready for the next it at http://tasvideos.org/ day. What I end up with is a 2–3 hour YoutubeUploader.html. video every day showing all the bird The most difficult part of running visits at my window. It might seem ytu is that you need a developer like a lame video, but I usually scrub key. You can become a developer through it the next morning to see and get a developer key at if there are any new or exotic birds https://code.google.com/apis/ VISITING 4HE VIDEOS ARE n'" EACH youtube/dashboard/gwt/index. so if storage space is an issue for you, html. It’s not difficult, but the URLs it’s something to keep in mind—which keep changing, so I can’t give you a brings me to the next, and final, cool more specific link. Once you have your addition to BirdCam. developer key (a long string of letters and numbers), you can fill out the The Most Boring YouTube credentials.txt file with: Channel Ever I want to be able to watch my Q Google e-mail address. archived video from anywhere. It’s possible to stream my local media via Q Google password in plain text. Plex or something direct like that, but it would mean I had to connect to Q Developer key. my home network in order to see the birds. Now that YouTube has removed Make sure only the account the 10 or 15 minute limit on YouTube executing the ytu binary has access to

WWW.LINUXJOURNAL.COM / FEBRUARY 2014 / 57

LJ238-Feb2014.indd 57 1/21/14 7:53 PM COLUMNS THE OPEN-SOURCE CLASSROOM

the file, as your password is stored in quirks. With this article, and my plain text. If this security problem isn’t last BirdCam article, hopefully you acceptable, you can, of course, upload can figure out a way to adapt the videos to YouTube manually. I actually power of Linux to scratch that video- have a separate Google account for capturing itch you have. If you do uploading BirdCam videos, so I’m not end up with something similar, or as concerned with the security. even something drastically different Once the credentials file is set, (dogcam on the local fire hydrant?), you invoke ytu from the command I’d love to hear about it! Well, maybe line, or in my case, from the same not the fire-hydrant cam...that’s a cron job that creates the video. After little too strange, even for me.Q the video is created, I immediately start ytu to upload it to YouTube. Shawn Powers is the Associate Editor for Linux Journal. After several hours of uploading He’s also the Gadget Guy for LinuxJournal.com, and he has and processing, the video is ready an interesting collection of vintage Garfield coffee mugs. to watch. If you’d like to see my Don’t let his silly hairdo fool you, he’s a pretty ordinary guy archived videos, just surf over to and can be reached via e-mail at [email protected]. http://snar.co/windowcam and Or, swing by the #linuxjournal IRC channel on Freenode.net. see all the past videos.

It Doesn’t Have to Be Birds! Send comments or feedback via Obviously, I have a mild obsession http://www.linuxjournal.com/contact with birdwatching. We all have our or to [email protected].

Resources

BirdCam: http://birds.brainofshawn.com

BirdCam Script: http://snar.co/birdcamscript

WindowCam Archive Channel: http://snar.co/windowcam

YTU Program: http://tasvideos.org/YoutubeUploader.html

YouTube Developer Dashboard: https://code.google.com/apis/youtube/dashboard/ gwt/index.html

58 / FEBRUARY 2014 / WWW.LINUXJOURNAL.COM

LJ238-Feb2014.indd 58 1/21/14 7:53 PM The Web Platform San Francisco, CA | March 11!13, 2014

"Fluent is one of the best informational and networking events in technology. From the keynote presentations to the after-hours meet and greets, every event was well thought out and executed. I will be back next year." !Aaron Biggs, University of Oklahoma

Does Your Future Depend on the Web Platform?

You bet it does. If you’re building web applications, Q Front End Frameworks and Libraries

designing for mobile devices, or working with the web’s Q HTML5, CSS3, and Browser Technologies evolving infrastructure, you need to keep up with the Q Node.js enormous proliferation of web technologies. At Fluent, Q you’ll ! nd workshops, tutorials, and sessions on all aspects Pure Code and JavaScript of the Web Platform, including JavaScript, HTML5, WebGL, Q The Leading Edge

CSS3, mobile APIs, Node.js, AngularJS, ECMAScript 6, and Q The Server Side more. We’re even partnering with WebPlatform.org and Q Tools, Platforms, and APIs hosting a Document Sprint. It’s everything you need to Q User Interface / User Experience stay competitive. Q HTML5 Gaming Don’t miss your chance to be a part of the web’s evolution. Build your custom Fluent schedule around Fluent is closer than you think. exciting talks on topics like: Save 20% with code LINUX20

©2014 O’Reilly logo is a registered trademark of O’Reilly Media, Inc. #14136 ! uentconf.com

LJ238-Feb2014.indd 59 1/21/14 7:53 PM NEW PRODUCTS

PiixL’s Jetpack The Jetpack, says its maker PiixL, is an open gaming hardware platform designed for gamers who value both performance and interior design. With Jetpack, raw, unprecedented—and hackable—gaming power meets living-room ENTERTAINMENT WITH A BEAUTIFUL DESIGN !FTER RELEASING ITS %DGE#ENTER PRODUCT 0IIX, HAS become an expert at designing TV-centric PC hardware and is now set to break new ground with this latest release. With more than 500 watts of thermal capacity available to house the fastest components, Jetpack promises to be the most powerful machine offered in such a compact package, asserts PiixL. Designed around PiixL’s leading-edge cooling architecture, Jetpack uses a new generation of centrifugal fans to stay ultra-quiet at all times while being able to host factory overclocked Core i7 processors, up to one Terabyte of SSD storage, and the latest graphics cards from NVIDIA, including Titan and GTX780s. Jetpack is optimized to complement Linux and Windows, with a special focus on SteamOS, which combines the rock-solid architecture of Linux with a gaming experience built for the big screen. http://www.piixl.com

Linutop PC Packing additional punch into a more petite package is the new Intel Atom-based Linutop 5 miniature, energy- efficient PC. Linutop 5 is a ready-to-use small PC, designed to reduce maintenance costs. Compact and powerful with a 1.6GHz fanless Intel ATOM processor, Linutop 5 is designed for applications, such as no-maintenance professional use, public Internet access, office applications and digital signage. 4HE '" OF INTERNAL &LASH MEMORY REPLACES THE HARD DRIVE AND ENERGY CONSUMPTION HAS DROPPED TO A MERE  7ATTS THE SAME AS A COMPACT mUORESCENT LIGHT BULB ! NEW SECURITY feature can lock the Linutop Operating System and protect the Flash memory from wearing out by limiting write cycles. Once set up, the Linutop software is protected. In lock mode, Linutop can recover its state at each startup, minimizing maintenance costs. Linutop 5 is powered by the NEW ,INUTOP /3 BASED ON THE LATEST LONG TERM SERVICE 5BUNTU VERSION  http://www.linutop.com

60 / FEBRUARY 2014 / WWW.LINUXJOURNAL.COM

LJ238-Feb2014.indd 60 1/21/14 7:53 PM NEW PRODUCTS

The Hello World Program Learning about computer science and programming tends to be dry and not all that accessible to kids. In an effort to make Linux and computer programming more accessible for young people—not to mention really fun—a pair of LA-based brothers have developed The Hello World Program, a kid-friendly educational video puppet show that covers tech topics as diverse as Python, Linux, Web design, video editing, 3-D modeling and animation, graphic design and, of course, puppet making! Hello World is the creative effort of brothers Jared and JR Nielsen who grew up in a rural area and made their own fun by staging puppet shows, making their own toys and shooting short stop-motion videos. “We don’t want a boring future, and we think the best way to avoid that is by encouraging and educating the young and old to actively produce their own media”, says Jared Nielsen. At the time of this writing, the Nielsen bothers are pitching Hello World on Kickstarter in order to leapfrog it to the next level. “We will definitely be continuing with the project whether or not we reach our funding goal”, commented JR Nielsen. “Our time line and distribution may change as a result”, he added, “but we are still set to produce the same content regardless of the Kickstarter outcome.” A boring future has indeed been preempted. http://www.thehelloworldprogram.com

Undo Software’s UndoDB As devices and systems become more capable, the software becomes ever more important and complex. As such, software developers bear an ever-growing burden in terms of both quality and time to market. An updated—and groovy— SOLUTION TO THESE ISSUES IS VERSION  OF 5NDO 3OFTWARES 5NDO$" A REVERSIBLE DEBUGGER FOR Linux. UndoDB allows Linux software developers to record their program’s execution and then “wind the tape” back and forth in real time to get a clear picture of their program’s execution, significantly reducing the cost of bugs to software vendors. The most notable new features in THE NEW VERSION  ARE SUPPORT FOR !2- PROCESSORS AND !NDROID .ATIVE 5NDO ALSO NOTES THAT Linux developers have an alternative way to utilize its solution: ARM recently integrated UndoDB INTO ITS mAGSHIP SOFTWARE DEVELOPMENT STUDIO !2- $3  0ROFESSIONAL %DITION http://undo-software.com

WWW.LINUXJOURNAL.COM / FEBRUARY 2014 / 61

LJ238-Feb2014.indd 61 1/21/14 7:53 PM NEW PRODUCTS

Axios Systems’ assyst

Because this latest update of the assyst IT Service Management (ITSM) solution makes it more akin to social media, the folks at Axios Systems believe that it is now destined to revolutionize the ITSM industry. assyst is a purpose-built solution, designed to transform IT departments from technology-focused cost centers into profitable business-focused customer service teams. Axios says that assyst enables faster, less costly delivery and support of IT services, allowing its clients to offer unparalleled multichannel support. This latest release of assyst now offers guided help, ENHANCED REPORTING ENHANCEMENTS TO THE ASSYST.%4 SELF SERVICE PORTAL AND MOST NOTABLY )4 Resource Performance Management (IT RPM). IT RPM promotes collaboration and innovation within IT, helping to establish IT as a business driver while reducing incoming calls to the service desk. It also allows a business to leverage staff as a valuable asset through rapid capture and transfer of knowledge as an integrated part of the service management processes through the aforementioned social-media tools, namely crowdsourcing, leaderboards and social profiles. http://www.axiossystems.com

University of Applied Science Rapperswil’s Muen Separation Kernel

As initiatives like the new Muen Separation Kernel mature, open source is destined to play an ever greater role in the development of safe and secure systems. To this end, the Institute for Internet Technologies & Applications at the University of Applied Science Rapperswil (Switzerland), together with corporate partner AdaCore, announced a preview release of the Muen Kernel, which enforces a strict and robust isolation of components. The isolation shields security-critical functions from vulnerable software running on the same physical system. To achieve the necessary level of trustworthiness, the Muen team used the SPARK language and toolset to prove the absence of runtime errors formally. The Muen developers used SPARK with a zero-footprint runtime, a mode where no runtime environment, and only a minimum of supporting code, is required. The name “Muen” is a Japanese term that means “unrelated” or “without relation”, reflecting the main objective for a separation kernel: ensuring the isolation between components. http://muen.codelabs.ch, http://www.adacore.com

62 / FEBRUARY 2014 / WWW.LINUXJOURNAL.COM

LJ238-Feb2014.indd 62 1/21/14 7:53 PM NEW PRODUCTS

Rami Rosen’s Linux Kernel Networking (Apress)

Because Linux-kernel networking is a complex topic, you don’t want to be bothered with extraneous miscellanea. This is the approach you’ll find in Rami Rosen’s Linux Kernel Networking: Implementation and Theory. Publisher Apress says that readers will not be overloaded with cumbersome line-by-line code walk-throughs not directly related to the topic at hand. Readers will find exactly what they need, with in-depth explanations in each chapter and a quick reference at the end of each chapter. Apress also claims that the title is the only up-to-date reference guide to understanding how networking is implemented in the latest version of the Linux kernel. In years to come, the book is sure to be indispensable, because so many devices now use Linux or operating systems based on Linux, and because Linux is so prevalent in the data center, for example, due to Xen. http://www.apress.com

Eric Redmond’s Programming Google Glass (Pragmatic Bookshelf) If the government frantically regulates a widget before it’s even out, you know you gotta’ get your hands on one. Today’s widget in question is Google Glass, a programmable, wearable Android- powered computer with an optical head-mounted display. The new book Programming Google Glass: The Mirror API BY %RIC 2EDMOND exists to kick-start users’ Glassware development. Core topics include exploring interfacing with Glass, developing a Glass application via the Mirror API, tracking a Glass’s geolocation, creating rich interactions by responding to user inputs and capturing or serving up user images and videos. This is the book to read for a shortcut to this brave new world. Now, says publisher Pragmatic Bookshelf, is the best time to be an early adopter of a technology that quickly will become more advanced, nuanced and ubiquitous. http://www.pragprog.com

Please send information about releases of Linux-related products to [email protected] or New Products c/o Linux Journal, PO Box 980985, Houston, TX 77098. Submissions are edited for length and content.

WWW.LINUXJOURNAL.COM / FEBRUARY 2014 / 63

LJ238-Feb2014.indd 63 1/21/14 7:53 PM FEATURE A Shining Ruby in Production Environments

A Shining Ruby in Production Environments Rails, the popular Ruby framework, is straightforward in development but hard to manage. Read on to learn how to set up Ruby hosting and automatically deploy a Rails application.

FABRIZIO SOPPELSA

64 / FEBRUARY 2014 / WWW.LINUXJOURNAL.COM

LJ238-Feb2014.indd 64 1/21/14 7:53 PM ven the most beautiful Rails platform is, as a rule, easy, fast and application can lose its everything tends to work (almost) E elegance if not deployed immediately. But there are at least two correctly. Like other Ruby frameworks cases when PaaS won’t fit your needs: or languages, such as Sinatra, Rails when applications must be kept in is based on the Rack interface. This the customer’s private infrastructure article provides a basic introduction or when applications have superior to Rack hosting and Rack-based hardware or software requirements— application deployments. for instance, when you need a specific When Rails first was released in software service not supported by 2005, developers exulted. Finally, your PaaS provider. a comprehensive open-source In such situations, you must framework for Web applications implement custom virtual server was available, packed with a set of configurations and custom tools making Web development fast, deployment procedures. You productive and fun. Rails has the can deploy Rails applications on reputation of being a “heaven for servers or on virtual machines. The developers”, but despite the many availability of entire cloud services facilities it provides for avoiding like Amazon Web Services (AWS), typical and repetitive tasks, there which allow you to create complex is still a weak spot: deployment. infrastructures made of several Deploying a Rails application is not Web servers, database servers and A SMOOTH MATTER %VERYONE KNOWS front-end balancing machines, is that Rails applications will be hugely growing in popularity. This published on-line one day, but not approach is very flexible, although precisely how. you must access, install and manage the operating system and the Platform as a Service (PaaS) distribution packages, configure the Developers often choose to purchase network, activate the services, and hosting space as Platform as a Service so on and so forth. In this article, (for example, Heroku, OpenShift or I describe the Rack-based hosting %NGINE9ARD  0AA3 IS MARVELOUS AS IT software requirements and some provides a ready-to-use environment basic example configurations to containing a full stack of software implement automated Ruby hosting dependencies. Publishing on a PaaS on a GNU/Linux server.

WWW.LINUXJOURNAL.COM / FEBRUARY 2014 / 65

LJ238-Feb2014.indd 65 1/21/14 7:53 PM FEATURE A Shining Ruby in Production Environments

RVM comes packed with a set of scripts that helps you install and update the Ruby ecosystem.

RVM that helps you install and update the First, if you want to host Ruby Ruby ecosystem. software, you must install the Ruby Download RVM by issuing the platform. You can install Ruby and following command as root: gems with apt-get or yum. It’s easy, but when your application # \curl -L https://get.rvm.io | bash -s stable requires specific gem versions or specific interpreter versions, you Despite the fact that it’s will face a common problem. How recommended that you work with can you satisfy these requests if RVM using security facilities as sudo, your GNU/Linux distribution doesn’t the rvm executable must be available package those specific versions? in your root $PATH environment, so Furthermore, how can you maintain install it as root. For a multiuser RVM multiple Ruby versions in a clean installation, typical for servers, the and repeatable manner? software is kept by default in the /usr/ You may think you can just local/rvm directory, so you can remove download the Ruby platform and the whole distribution safely with an compile it manually. It’s guaranteed rm -fr /usr/local/rvm command. that you can install the interpreter Before proceeding with the Ruby versions and the gem versions installation, make sure your system you need. Unfortunately, this is is ready to compile Ruby. Check totally inconvenient. This kind of that you have the rvm command software management makes your available in your PATH (if not, log configuration hard to update. out and log in again or reload your There are several solutions for shell with bash -s), and execute overcoming these common issues. the following command: The one I find more reliable for server environments is named Ruby $ sudo rvm requirements enVironment Manager (RVM). RVM comes packed with a set of scripts RVM will install, through yum or

66 / FEBRUARY 2014 / WWW.LINUXJOURNAL.COM

LJ238-Feb2014.indd 66 1/21/14 7:53 PM apt-get, the required packages to the system users. If not, it’s commonly compile the Ruby distribution. In this a $PATH problem, so adjust it in article, I use the stable official Ruby the /etc/profile.d, and also to avoid distribution called MRI, Matz Ruby deployment pitfalls, verify that the Interpreter (derived from the name of '%-?(/-% VARIABLE IS EXPORTED TO Ruby’s creator, Yukihiro Matsumoto). the correct gem path. In practice, if Now, you’ll likely need to add something is not working properly, set to your future Rubies some basic the following variables like this: libraries typically needed by some

complex gems or software. Setting if [ -d "/usr/local/rvm/bin" ] ; then

up such libraries immediately will PATH="/usr/local/rvm/gems/ruby-2.0.0-p353@global/bin:

guarantee that the Ruby software ´/usr/local/rvm/bin:$PATH"

will never complain that the system GEM_HOME="/usr/local/rvm/gems/ruby-2.0.0-p353@global"

libraries are old or incompatible, fi generating annoying errors. Previously, you would have installed You can list the available Ruby these extra packages via the rvm pkg versions with this command: install command, but now RVM deprecates this. Instead, simply $ rvm list known enable autolibs to delegate to RVM the responsibility to build coherent On a system running multiple and not-buggy distributions: Rubies, users and system processes may load other environment versions $ sudo rvm autolibs enable with a command like this:

You finally are ready to provide your $ rvm use jruby-1.7.1 environment a full Ruby distribution. For example, let’s install the latest And set the default system stable version of the official MRI distribution in this way: interpreter, the 2.0.0 version: $ rvm --default use 2.0 $ sudo rvm install 2.0.0 The Web Server If everything goes well, the Ruby on Rails, like Sinatra and many distribution is available for root and other popular Ruby frameworks

WWW.LINUXJOURNAL.COM / FEBRUARY 2014 / 67

LJ238-Feb2014.indd 67 1/21/14 7:53 PM FEATURE A Shining Ruby in Production Environments

or Domain Specific Languages, which includes commercial support is based on an interface named and advanced features. Rack. Rack provides the minimal If you chose to install Ruby through abstraction possible between Web packages, Passenger is conveniently servers supporting Ruby and Ruby AVAILABLE THROUGH 20- OR $%" frameworks. Rack is responsible repositories, and yum or apt-get will for invoking the main instance of install all the required software. your application as specified in the On an RVM-customized system, to startup file, config.ru. install the free version of Passenger, So, a Web server hosting Ruby Web you need to add the gem through applications will have to understand Ruby gems: how Rack talks. With a stable and clean Ruby environment, you’re ready $ sudo gem install passenger to build your Web server that is capable of speaking Rack. Now you can install the server With Ruby, you can choose module (the latest version at the time between many Web servers. You OF THIS WRITING IS  BY EXECUTING may have heard of Mongrel, a script provided by the gem: Unicorn, Thin, Reel or Goliath. For typical Rails deployments, # passenger-install-apache2-module Passenger is one of the most popular choices. It integrates well Let’s select Ruby only, and let’s with Apache and Nginx, so in this skip Python, Node.js and Meteor EXAMPLE LETS SET UP AN !PACHE support. If your system misses Passenger configuration. software requirements, the script will give you a tip to the exact Passenger Installation command line for yum or apt-get to Passenger, developed by Phusion, meet those dependencies. also formerly known as mod_rails or After some compile time, you mod_rack, is a module that allows will be introduced to Passenger you to publish Ruby applications in configuration with useful and self- the popular Web server containers explanatory output. Specifically, copy Apache or Nginx. Passenger is to the directives that load Passenger available as a “community” free into Apache in your main Apache edition and as an enterprise release, configuration file (apache2.conf

68 / FEBRUARY 2014 / WWW.LINUXJOURNAL.COM

LJ238-Feb2014.indd 68 1/21/14 7:53 PM If your goal is to host one or more Ruby applications on the same server, you should activate each instance as a virtual host.

or httpd.conf): ServerName kolobok.example.com

LoadModule passenger_module DocumentRoot /srv/www/kolobok/public

/usr/local/rvm/gems/ruby-2.0.0-p353/gems/passenger-4.0.33/

´buildout/apache2/mod_passenger.so # This relaxes Apache security settings.

PassengerRoot /usr/local/rvm/gems/ruby-2.0.0-p353/gems/ AllowOverride all

´passenger-4.0.33 # MultiViews must be turned off.

PassengerDefaultRuby /usr/local/rvm/wrappers/ruby-2.0.0-p353/ruby Options -MultiViews

Finally, restart Apache. Et voilà, now you can host Ruby Web applications. Now, if you have put your Virtual Hosts application in /srv/www/kolobok, and If your goal is to host one or more it’s well configured (configured and Ruby applications on the same server, binded to the database and so on), you should activate each instance as enable the virtual host, reload Apache, a virtual host. The most significant and your application is published. directive with Ruby hosting is the DocumentRoot. It’s mandatory that it Automating Software Deployments points to the public/ directory in the Ages ago, it was common to deploy application’s root project directory. Web applications by doing a bulk copy The public/ directory is the default of files via FTP, from the developer’s public path of a Rails application. desktop to the server hosting So let’s say you have a Kolobok space, or by downloading through application made in Rails, and Subversion or Git. Although this you have to deploy it to the DNS approach still works for simpler PHP zone kolobok.example.com on the applications, it won’t fit more complex kolobok.example.com server. Here projects made using more complex is an example VirtualHost: frameworks, such as Rails.

WWW.LINUXJOURNAL.COM / FEBRUARY 2014 / 69

LJ238-Feb2014.indd 69 1/21/14 7:53 PM FEATURE A Shining Ruby in Production Environments

In fact, a Rails application is not required and, if yes, running them; made only of the source code files. 5) checking if assets precompile is To make a Rails application ready, required and, if yes, precompiling; and you have to download and compile 6) checking other Rake tasks you have its dependencies as gems (by running defined and running them in order. bundle), safely manage database If the whole recipe fails, Capistrano access and other configurations, will keep the current software release migrate the database (create in production; otherwise, it will the database and the schema by substitute the latest release with the EXECUTING A LIST OF FILES CONTAINING 31, one you’ve just deployed. Capistrano instructions in the Ruby language), is a largely tested and very reliable adjust paths for shared content (like tool. You definitely can trust it. images, videos and so on), precompile the assets (that is, optimizing static Configuring Capistrano content, such as JavaScript and CSS), To use Capistrano, you just need to and perform many other steps in a install it through Ruby gems on the large and complex work flow. You can system where the deploy will be done execute these steps by writing your (not on the server): own scripts, maybe in Ruby or bash, but this task is tedious and wastes $ gem install capistrano your time. You should instead invest your time by writing good tests. When Capistrano is available, you’ll The Ruby community provides have two new binaries in your PATH: several ways to accomplish the whole capify and cap. With capify, you build deploy task, and one very popular your deploy skeleton. So, cd to the method uses Capistrano. Capistrano project directory and type: lets you write a set of “recipes” that will “cook” your application in the $ capify . production environment. Common tasks executed by Capistrano are: This command creates a file named 1) pulling the source code from a git Capfile and a config/deploy.rb file. or svn repository; 2) putting it in the Capfile tells Capistrano where the right location; 3) checking if a bundle right deploy.rb configuration file is needed and, if yes, bundling your is. This is the file that includes your GEMS  CHECKING IF MIGRATIONS ARE recipes, and typically it’s kept in the

70 / FEBRUARY 2014 / WWW.LINUXJOURNAL.COM

LJ238-Feb2014.indd 70 1/21/14 7:53 PM project’s config/ directory. The user that will deploy the Next, verify that Capistrano is application will need valid SSH access installed correctly, and see the many to the server (in order to perform useful tasks it comes with: remote commands with Capistrano) and write permissions to the directory

$ cap -T where the project will be deployed.

cap deploy # Deploys your project. The directory structure created on

cap deploy:check # Tests deployment dependencies. the server in this directory allows

cap deploy:cleanup # Cleans up old releases. you to maintain software releases.

cap deploy:cold # Deploys and starts a 'cold' application. In the project’s document root,

cap deploy:create_symlink # Updates the symlink to the most recently Capistrano keeps two directories, one

# deployed... that contains the released software

cap deploy:migrations # Deploys and runs pending migrations. (releases/, by default it keeps the

cap deploy:pending # Displays the commits since your last latest ten releases), and another

# deploy. that contains shared or static data

cap deploy:pending:diff # Displays the 'diff' since your last (shared/). Moreover, Capistrano

# deploy. manages a symbolic link named

cap deploy:rollback # Rolls back to a previous version and current that always points to the most

# restarts. recent successfully deployed release.

cap deploy:rollback:code # Rolls back to the previously deployed In practice, each time Capistrano is

# version. invoked to deploy an application, it

cap deploy:setup # Prepares one or more servers for connects via SSH, creates a temporary

# deployment. release directory named with the

cap deploy:symlink # Deprecated API. current timestamp (for example,

cap deploy:update # Copies your project and updates the RELEASES AND RUNS

# symlink. the process (pull, bundle, migrate

cap deploy:update_code # Copies your project to the remote and so on). If it finishes with no

# servers. errors, as final step, Capistrano

cap deploy:upload # Copies files to the currently deployed links the symlink “current” to

# version. RELEASES

cap invoke # Invokes a single command on the remote Otherwise, it keeps “current”

# servers. symlinked with the latest directory

cap link_shared # Link cake, configuration, themes, upload, where the deploy was successful.

# tool So with Capistrano, the system

cap shell # Begins an interactive Capistrano session. administrator will set the virtual

WWW.LINUXJOURNAL.COM / FEBRUARY 2014 / 71

LJ238-Feb2014.indd 71 1/21/14 7:53 PM FEATURE A Shining Ruby in Production Environments

server DocumentRoot directive to gem 'factory_girl_rails' the current directory of the released end application version:

DocumentRoot /srv/www/kolobok/current/public group :production do gem 'execjs' The Anatomy of a deploy.rb File gem 'therubyracer' A deploy.rb file is virtually made of two gem 'coffee-rails', '~> 3.1.1' parts: one that defines the standard end configurations, like the repository server or the path to deploy files physically, Only the gems common to all and another that includes custom tasks environments and included in the defined by the developer responsible for :production group are bundled. Gems deploying the application. belonging to :development and :test Let’s deploy the Kolobok environments are not. And the first application. Open the time you deploy your application, a kolobok/config/deploy.rb file with bundle install is executed to bundle all your favourite editor, delete the the requirements as specified. The next example configuration and begin to time you deploy the software, gems code it from scratch. A deploy.rb file is are downloaded, compiled or removed programmed in Ruby, so you can use only if the Gemfile and the Gemfile.lock Ruby constructs in your tasks, beyond have changed. The complete bundle is the Capistrano “keywords”. installed in shared/ and soft-linked into Let’s start by requiring a library: the current instance. By following this approach, less disk space is required. require "bundler/capistrano" Then, from Rails 3.1, it’s common to release applications with the assets This statement orders Capistrano pipeline. The pipeline is active if in to do the gem bundle each time it’s config/environments/production.rb the necessary. Good gem files separate following variable is set to true: required dependency gems in this way: config.assets.compile = true group :test do gem 'rspec-rails' If your application will use the gem 'capybara' pipeline, you need to precompile

72 / FEBRUARY 2014 / WWW.LINUXJOURNAL.COM

LJ238-Feb2014.indd 72 1/21/14 7:53 PM it. The Rake task to precompile Finally, set the server names: assets is bundle exec rake assets:precompile. To insert this role :web, "kolobok.example.com" task into your work flow and keep the role :app, "kolobok.example.com" generated assets pipeline in shared/ role :db, "mydb.example.com", :primary => true and linked into the current release, load the standard assets functionality: web is the address of the responding Web server, and app is where the load "deploy/assets" application will be deployed. These roles are the same if the application runs on After loading the main requirements, only one host rather than on a cluster. specify the application name, the db is the address of the database, path on the server where it will be and primary => true means that deployed, and the user allowed to SSH: migrations will be run there. Now you have a well-defined set :application, "kolobok" deploy.rb and the right server set :deploy_to, "/srv/www/kolobok" configurations. Begin by creating the et :user, "myuser" structure tree (releases/ and static/) on the server, from the desktop host: With Rails > 3, it’s recommended to invoke Rake (it’s used to do the $ cap deploy:setup database migrations and to precompile the assets pipeline) with the correct Releasing Software bundled Rake version in the bundle. After having set up the project directory So, specify the exact rake command: on the server, run the first deploy:

set :rake, 'bundle exec rake' $ cap deploy:cold

Now it’s time to configure the The actions performed by Capistrano repository from which to pull the follow the standard pattern: git project source code: checkout, bundle, execute migrations, assets precompile. If everything is fine,

set :scm, :git your application is finally published

set :branch, "master" as a reliable versioned release, with a

set :repository, "git://github.com/myusername/kolobok.git" current symlink.

WWW.LINUXJOURNAL.COM / FEBRUARY 2014 / 73

LJ238-Feb2014.indd 73 1/21/14 7:53 PM FEATURE A Shining Ruby in Production Environments

The actions performed by Capistrano follow the standard pattern: git checkout, bundle, execute migrations, assets precompile.

Normal deploys (skipping the first fly before modifying the database or Rails app configuration, such as performing your tasks. creating the database) will be done in In Capistrano, you can define the future by invoking: hooks to actions to force the tool to execute required actions before or $ cap deploy after other actions. It might be useful, for instance, to link a directory where If you notice that some errors users of kolobok have uploaded files. occurred with the current application If you move the current directory in production, you immediately can to another release path, you might roll back to the previous release by discover that those files are no longer calling Capistrano like this: available to users. So, you can define a final task that, after having deployed $ cap deploy:rollback code, links the shared/uploads into your current release in public/uploads %ASY RELIABLE AND SMART ISNT IT directory. Notice how this can be managed with ease by exploiting Custom Tasks the presence of the shared_path and When you deploy a more complex release_path paths variables: application, you’ll normally be handling more complex recipes than the standard desc "Link uploaded directory" Capistrano procedure. For example, task :link_uploads do if you want to publish an application run "ln -nfs #{shared_path}/uploads on GitHub and release it open source, ´#{release_path}/public/uploads" you won’t put configurations there end (like credentials to access databases or session secret tokens). Rather, it’s Finally, another common task to preferable to copy them in shared/ perform is to restart the application on the server and link them on the instance into the server container.

74 / FEBRUARY 2014 / WWW.LINUXJOURNAL.COM

LJ238-Feb2014.indd 74 1/21/14 7:53 PM In case of Passenger, it’s enough to your application faster, you should touch the tmp/restart.txt file. So, involve several technologies and you can write: engineering patterns, like setting intermediate caching services, desc "Restart Passenger" serving static and dynamic content task :restart do with different server containers and run "cd #{current_path} && touch tmp/restart.txt" monitoring the application with tools end like New Relic to find bottlenecks. After having set up the right You execute these two tasks environment to host the application, automatically by hooking them this is the next challenge— at the end of the deploy flow. So optimizing. Happy deploys!Q add this extra line just before the tasks definitions: Fabrizio Soppelsa works as a sysadmin for an Italian provider. His areas of interest include Ruby hosting, automated Ruby

after "deploy:update_code", :link_uploads, :restart deployments, Ruby application performance in production environments, Platform as a Service, and scalable and Performance Issues? event-driven Web patterns. He is passionate about espresso People often complain of Rails’ coffee and lives in Italy with his cat. He is a Red Hat-certified performance in production engineer, and you can follow him on Twitter: @f_soppelsa. environments. This is a tricky topic. Tuning servers and application responsiveness are rather hard tasks Send comments or feedback via that cannot be discussed briefly, so http://www.linuxjournal.com/contact I don’t cover them here. To make or to [email protected].

Resources

Rack: http://rack.github.com

RVM: https://rvm.io

Phusion Passenger: https://www.phusionpassenger.com

Capistrano: https://github.com/capistrano/capistrano

WWW.LINUXJOURNAL.COM / FEBRUARY 2014 / 75

LJ238-Feb2014.indd 75 1/21/14 7:53 PM FEATURE Simple Ways to Add Security to Web Development

SIMPLE WAYS TO ADD SECURITY TO WEB DEVELOPMENT

Can’t afford to lose time in code refactoring for security? Why not make everything secure in the first place? Read on!

NITISH TIWARI

76 / FEBRUARY 2014 / WWW.LINUXJOURNAL.COM

LJ238-Feb2014.indd 76 1/21/14 7:53 PM s a software developer developers’ coding styles and make myself, I have seen developers them write code that is inherently A rushing to finish the feature secure. Also, following simple they are assigned to, with little or policies related to application no consideration for security in the security can make a lot of difference. code—no security guidelines, no This is sometimes not a very easy coding standards, just a mad dash thing to do, but if the practices to to finish the feature. Next comes the follow are simple and easy to adopt, security review, in which the software it is not very difficult. obviously fails, and then comes the Let’s look at some security security-hardening phase. concerns/flaws typically found in Although trying to improve code’s software and the corresponding security obviously is a nice thing security mechanisms and policies to do, the time when it commonly that can be applied to counter them. is done is often in the final code These mechanisms generally can be development phase, and as with implemented in all programming the basic nature of software languages and follow the OWASP development, changing the code code development guidelines. But, almost always leads the software for the sake of open-source culture, away from maturity. So, the I use PHP as the language for the software that has almost ended examples in this article. its development phase is again pushed to instability during the SQL Injection security-hardening phase. Is this Let’s start with the most famous really necessary? of the lot. It is also one of the most Why can’t developers make the widely used and one of the most code secure in the first place? simple for unleashing attacks on the What can be done to make Web. What many people don’t know, developers more aware of however, is that it’s easy to prevent application security policies, so they as well. Let’s first consider what an are more informed and alert when 31, INJECTION ATTACK IS they develop their next application? Suppose you have a text box in your In this article, I discuss how application for a user name field. As developers can do so effectively. the user fills it in, you take the data to One simple way is to change the back end and fire a query to the

WWW.LINUXJOURNAL.COM / FEBRUARY 2014 / 77

LJ238-Feb2014.indd 77 1/21/14 7:53 PM FEATURE Simple Ways to Add Security to Web Development

database—something like this: queries result in exactly the same WAY AS NORMAL 31, QUERIES BUT THE

difference is that here you need to

DEFINE THE 31, CODE FIRST AND THEN

pass the parameters to the query later. So, even if someone tries to 4HEN THE 31, QUERY attack by passing malicious data to the query, the query searches for the SELECT * FROM table WHERE name = '" + $username + '" exact match of whatever is sent as input. For example, if someone tries A simple way to attack this system to pass ’ or ’1=1 as the data, the would be to type “’” or “’1’=’1” in query will look up the DB for a literal the text box. The resulting database match of the data. query now will be: Here is an example of how to write parameterized queries SELECT * FROM table WHERE name = ' ' or '1'='1' in PHP (see your programming language manual for more about As you can see, this condition parameterized queries): always is true and when executed,

the query will just split out all the /* Prepared statement, stage 1: prepare */

rows in the table. This was a simple if (!($stmt = $mysqli->prepare("INSERT INTO test(id) VALUES (?)"))) {

example, but in real-life scenarios, echo "Prepare failed: (" . $mysqli->errno . ") " . $mysqli->error;

such attacks are very severe and }

can take down a whole application

in a few seconds, because they are /* Prepared statement, stage 2: bind and execute */

targeted directly at the database. $id = 1;

So, how can you prevent this?

Simple logic is that instead of if (!$stmt->bind_param("i", $id)) {

passing the input taken from the echo "Binding parameters failed: (" . $stmt->errno . ") " .

front end directly, it should be $stmt->error;

checked thoroughly and only then }

sent to the database as a part of the

query. Here are the most common if (!$stmt->execute()) {

and effective ways to do that: echo "Execute failed: (" . $stmt->errno . ") " . $stmt->error;

Parameterized Queries: such }

78 / FEBRUARY 2014 / WWW.LINUXJOURNAL.COM

LJ238-Feb2014.indd 78 1/21/14 7:53 PM So, the next time you need This approach is equally effective to look up the database, use a IN PREVENTING 31, INJECTION AS THE parameterized query for it. But parameterized queries method I beware, this approach has a mentioned earlier, so you can decide downside as well. In some cases, which is better for your situation. doing this can harm performance, Escaping user supplied input: in because parameterized queries need this approach, user input is manually server resources. In situations where (or sometimes with the help of DBMS an application is performance- escaping mechanisms) escaped for critical, there are other ways to valid strings, thus minimizing any COUNTER 31, INJECTION ATTACKS CHANCE OF 31, INJECTION ATTACKS Stored procedures: this is Although it is bit weaker than other another commonly used method for approaches, it can be useful in cases COUNTERING 31, INJECTION ATTACKS )T where you want better performance works the same as parameterized or are rewriting legacy code and want queries, the only difference being that to finish with lesser effort. the procedure or the method is itself PHP provides an automatic stored in the database and called by input escape mechanism called the application when required. Here’s magic_quotes_gpc that you can use how to write a stored procedure in before sending the input to the back 0(0 FOR -Y31, end. But, it would be better to use the escaping mechanism provided by your

/* Create the stored procedure */ database, because in the end, the

if (!$mysqli->query("DROP PROCEDURE IF EXISTS p") || query comes to the database, and the

!$mysqli->query("CREATE PROCEDURE p(IN id_val INT) database will know better about what

´BEGIN INSERT INTO IS A VALID QUERY -Y31, PROVIDES THE

test VALUES(id_val); END;")) { mysql_real_escape_string() method to

echo "Stored procedure creation failed: (" . $mysqli->errno . ") " . escape the input. Check your database

$mysqli->error; documentation to find which escape

} function is supported.

/* Call the stored procedure */ Session Handling

if (!$mysqli->query("CALL p(1)")) { As soon as legitimate users log in to

echo "CALL failed: (" . $mysqli->errno . ") " . $mysqli->error; a site with their credentials, a session

} is started and maintained until they

WWW.LINUXJOURNAL.COM / FEBRUARY 2014 / 79

LJ238-Feb2014.indd 79 1/21/14 7:53 PM FEATURE Simple Ways to Add Security to Web Development

log out. The problem begins when HttpOnly, because this ensures that someone impersonating a genuine the cookie always is sent only via an user tries to sneak in. Obviously, the HTTPS connection and doesn’t allow results can be very severe—users’ scripts to access the cookie. These two money or even their identities can attributes will reduce the chances of be stolen. Let’s explore how you can cookies being intercepted. change your coding style so that the Other attributes like domain and session is handled safely. path always should be set to indicate Session management to the browser where exactly the implementation: you always should cookie should be sent, so that it use the built-in session management reaches only the exact destination and feature that comes out of the not anywhere else. box with your Web development Last but definitely not least, the framework. Not only does this save expire and max age attributes should critical development time and cost, be set in order to make the cookie it generally is safer as well, because nonpersistent, so it is wiped off once many people are using and testing it. the browser instance is closed. Another thing to take care Session expiry management: of while implementing session a timeout should be enforced over management is keeping track of and above the idle time out, so that what method the application uses to if users intend to stay longer, they send/receive the session ID. It may should authenticate themselves be a cookie or URL rewriting or a again. This generates a new session mixture of both, but you generally ID, so attackers have less time to should limit it and accept the session crack the session ID. ID only via the mechanism you chose Also, when the session is being in the first place. invalidated, special care should be Cookie management: whenever taken to clear the browser data and you plan to use cookies, be aware cookie, if used. To invalidate a cookie, that you are sending out data about set the session ID to empty and the the user/session, which potentially expires date to a past date. Similarly, can be intercepted and misused. the server side also should close and So, you need to be extra careful invalidate the session by calling proper while handling cookies. Always add session handling methods, for example the cookie attributes securely with session_destroy()/unset() in PHP.

80 / FEBRUARY 2014 / WWW.LINUXJOURNAL.COM

LJ238-Feb2014.indd 80 1/21/14 7:53 PM Web Service Security because such payloads generally can In layman’s terms, a Web service be malicious. can be defined as a software system designed to support communication Safe URL Redirects between two electronic devices over Many times you will need to redirect the Internet. In real-life scenarios, to a new page based on user however, things are not that simple. input. But, the redirects can take a As the Internet grows, the threat dangerous turn if not done properly. of misuse of these services grows. For example, if attackers get to Let’s look at some important tips you redirect the application to a URL of should keep in mind while developing their choice, they then can launch a Web services. phishing attack and compromise user Schema validation: whatever data. A safe URL redirect is one where SOAP payloads you expect your Web you have hard-coded the URL in the service to handle, they should be code like this: validated against the associated XML schema definition. The XSD should at least define the maximum length and character set of every parameter Cases like the following where you allowed in the Web service. Also, if have to go to a URL passed by the you expect a fixed-format parameter, user should be avoided: such as e-mail ID, phone numbers and so on, define the validation XML denial of service prevention: denial of service attacks try flooding If you can’t avoid this, keep reading. the Web server with a large number Don’t use the URL as the input: of requests so that it eventually even if you want to redirect to crashes. To protect your Web a URL based on user input, it is service from such attacks, be sure better not to allow the user to to optimize the configuration for enter the URL. Instead, you can maximum message throughput use other input mechanisms like and limit SOAP message size. a button or a direct link. This Also, validate the requests against way you can prevent users from recursive or oversized payloads, entering any random link.

WWW.LINUXJOURNAL.COM / FEBRUARY 2014 / 81

LJ238-Feb2014.indd 81 1/21/14 7:53 PM FEATURE Simple Ways to Add Security to Web Development

Validate the input before the several components—for example, redirect: in cases where you simply JavaScript, HTML or CSS. For each can’t avoid user input, make sure component, there are preventive you validate the input against measures that help make sure exactly the same site or a list of others can’t inject their code. Let’s hosts or a regex. Also notify users look at all the rules. with an indication of the site they First, you need to define the are being redirected to. slots that should be present in the Web page. Then, make sure Cross-Site Scripting you don’t allow any untrusted Such attacks are targeted to the end data into the document, unless user’s browser. A common way to it is within one of the slots you attack is to inject a malicious script, already defined. in the form of JavaScript, Flash or Untrusted data in HTML tags even HTML to a genuine Web site. and attributes: when you need to When the user accesses that site, insert untrusted data in HTML tags the browser has no clue whether like div, p, b, td and so on, make script is genuine and just executes sure it is escaped before being used. it. Such scripts, once executed, can This way, even if attackers somehow access the cookies, session data or manage to send in their code, other sensitive information stored in escaping the untrusted data will the browser, because they are sent ensure that the code doesn’t cause via a genuine Web site that the user much harm. For example, characters tried to access. like <, >, & and so on should be To counter such attacks/injections changed to <, > and &, in your Web site, OWASP suggests respectively. Also attribute fields in treating the Web pages as templates HTML tags like name, id, width and with certain slots for the untrusted so on sometimes can be required data. For example, say you are to take variable values, so you may creating a home page, and on the need to pass untrusted data to top left, you have a slot for the such fields. In this case, make sure user name, which is retrieved by to escape the data before using it the application and displayed to the AS WELL 4AKE A LOOK AT THE %3!0) user while the Web page renders. reference implementation of HTML These slots can be for one of entity escaping and un-escaping.

82 / FEBRUARY 2014 / WWW.LINUXJOURNAL.COM

LJ238-Feb2014.indd 82 1/21/14 7:53 PM Here is a sample usage of the API: Untrusted data in JavaScript data values: if you want to place String safe = ESAPI.encoder().encodeForHTMLAttribute( untrusted data in JavaScript, the only ´request.getParameter("input" ) ); safe place is inside the quoted data value. Because otherwise it is very easy Untrusted data in CSS: in to change the execution context and situations where you need to execute the statement, which actually is put untrusted data in CSS, it is meant to be data. Again, the escaping important to take care that it is mechanism to follow is the same as in done only in a property value and previous cases—that is, escape all the NOWHERE ELSE %SPECIALLY WHEN YOU characters with an ASCII value less than need to pass a URL, check if it  4HE %3!0) FOR THIS IS starts with “http”. Then, except for alphanumeric characters, escape String safe = ESAPI.encoder().encodeForJavaScript( all the other characters with an ´request.getParameter("input" ) ); !3#)) VALUE LESS THAN  THE %3!0) also supports CSS escaping and Conclusion un-escaping): Finally, it is best to acquaint yourself with the OWASP security guidelines if you String safe = ESAPI.encoder().encodeForCSS( are a Web developer or plan to become ´request.getParameter( "input" ) ); one. This not only will save you a lot of work in design changes and security Untrusted data in an HTTP GET hardening, but it also makes sure your parameter: URLs like “http:www. end users’ data and identity are safe.Q mysite.com/value=data” can be POSSIBLE TARGETS OF ATTACK IF THE '%4 Nitish Tiwari is based out of Bangalore, India. He currently is parameter is not being escaped before working as a developer in a FOSS-based startup. He also helps execution. In such cases, make sure enterprises implement open-source tools based on their needs. to escape all characters with an ASCII In his free time, he likes to try out and test open-source tools. You value less than 256 with the %HH can reach him at [email protected]. ESCAPING FORMAT 4HE %3!0) FOR 52, validation looks like this: Send comments or feedback via String safe = ESAPI.encoder().encodeForURL( http://www.linuxjournal.com/contact ´request.getParameter( "input" ) ); or to [email protected].

WWW.LINUXJOURNAL.COM / FEBRUARY 2014 / 83

LJ238-Feb2014.indd 83 1/21/14 7:53 PM FEATURE Using Django and MongoDB to Build a Blog Using Django and MongoDB to Build a Blog

MongoEngine is an ORM for working with MongoDB from Python.

MIHALIS TSOUKALOS

84 / FEBRUARY 2014 / WWW.LINUXJOURNAL.COM

LJ238-Feb2014.indd 84 1/21/14 7:53 PM This article shows how to create a simple Similarly, you can stop the running blog site using the MongoDB Document MongoDB server with: Database and the Django Web framework. # service mongodb stop Mongo Basics MongoDB is an open-source After installation, type mongo document-oriented database, not a --version in your UNIX shell to traditional relational database, written find the MongoDB version you are IN # BY $WIGHT -ERRIMAN AND %LIOT using, and type mongo to enter the Horowitz. Being a document database MongoDB shell and check whether the does not mean storing Microsoft Word MongoDB server process is running. documents, but rather it means storing By default, the MongoDB server semi-structured data. You can input process listens to localhost using the arbitrary binary JSON objects (BSON) 27017 port. You can change it if you into a MongoDB database. It runs on want, but if both the MongoDB server UNIX machines as well as Windows and the Django installation are on the and supports replication and sharding. same machine, it is more secure to Your Linux distribution probably leave it as it is. includes a MongoDB package, so go The configuration file for MongoDB ahead an install it if you have not is /etc/mongodb.conf. Nevertheless, done so already. Alternatively, you if you want to run multiple MongoDB can download a precompiled binary servers on the same UNIX machine, or get the MongoDB source code you can bypass the /etc/mongodb.conf from http://www.mongodb.org file and utilize command-line options and compile it yourself. that allow you to use a different On a Debian 7 system, you port number, a different IP or even a can install MongoDB with the following command:

# apt-get install mongodb

After installing MongoDB, start the MongoDB server process with:

# service mongodb start Figure 1. MongoDB Terminology

WWW.LINUXJOURNAL.COM / FEBRUARY 2014 / 85

LJ238-Feb2014.indd 85 1/21/14 7:53 PM FEATURE Using Django and MongoDB to Build a Blog

Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.

different MongoDB configuration file. ´close sockets...

Figure 1 shows the most useful Fri Sep 27 23:21:33 [initandlisten] shutdown: waiting

MongoDB terms in relation to their ´for fs preallocator...

RESPECTIVE 31, TERMS Fri Sep 27 23:21:33 [initandlisten] shutdown: lock for

Starting the MongoDB server ´final commit...

process (mongod) on a Linux machine Fri Sep 27 23:21:33 [initandlisten] shutdown: final commit...

without any parameters and without Fri Sep 27 23:21:33 [initandlisten] shutdown: closing all files...

root privileges should generate output Fri Sep 27 23:21:33 [initandlisten] closeAllFiles() finished

similar to the following: Fri Sep 27 23:21:33 dbexit: really exiting now

$ mongod Django Basics

mongod --help for help and startup options Django is a high-level Python

Fri Sep 27 23:21:33 [initandlisten] MongoDB starting : Web framework that encourages

´pid=7991 port=27017 dbpath=/data/db/ 64-bit host=mail rapid development and clean,

Fri Sep 27 23:21:33 [initandlisten] db version v2.0.6, pragmatic design. It allows you

´pdfile version 4.5 to build Web applications quickly.

Fri Sep 27 23:21:33 [initandlisten] git version: nogitversion Instagram, Mozilla and Pinterest

Fri Sep 27 23:21:33 [initandlisten] build info: Linux z6 use Django.

´3.8-trunk-amd64 #1 SMP Debian 3.8.3-1~experimental.1 Simply put, Django is a collection

´x86_64 BOOST_LIB_VERSION=1_49 of libraries written in Python. In

Fri Sep 27 23:21:33 [initandlisten] options: {} order to create a site using Django,

Fri Sep 27 23:21:33 [initandlisten] exception in initAndListen: you basically write Python code

´10296 dbpath (/data/db/) does not exist, terminating that uses the Django libraries. If

Fri Sep 27 23:21:33 dbexit: you already have a good working

Fri Sep 27 23:21:33 [initandlisten] shutdown: going to close knowledge of Python, you have to

´listening sockets... understand only how the Django

Fri Sep 27 23:21:33 [initandlisten] shutdown: going to libraries work.

´flush diaglog... Django follows a slightly changed

Fri Sep 27 23:21:33 [initandlisten] shutdown: going to version of the MVC (Model View

86 / FEBRUARY 2014 / WWW.LINUXJOURNAL.COM

LJ238-Feb2014.indd 86 1/21/14 7:53 PM Controller) design pattern called The following NEW packages will be installed:

Model Template View (MTV). The python-bson python-bson-ext python-gridfs python-pymongo

MTV handles the Controller work ´python-pymongo-ext

by the core, and all the other 0 upgraded, 5 newly installed, 0 to remove and 0 not upgraded.

work is done in Models, Templates Need to get 212 kB of archives.

and Views. According to Django’s After this operation, 928 kB of additional disk space will be used.

philosophy, what is truly important Do you want to continue [Y/n]? is not terminology but getting things done. The following instructional On a Debian 7 system, you can install Python code (saved as connect.py) Django with the following command: connects to a MongoDB database, prints the available databases of the # apt-get install python-django mongodb://localhost:27017 server and closes the MongoDB connection: To make sure that everything works

as expected, type the following import pymongo

Django command, which prints the # Open the MongoDB connection

version of Django: connMongo = pymongo.Connection('mongodb://localhost:27017')

# Print the available MongoDB databases

# django-admin version print connMongo.database_names()

1.5.1 # Close the MongoDB connection

connMongo.close() How Python and Django Communicate with MongoDB You can run the small Python script You will need a Python module called as follows: PyMongo to talk to MongoDB from Python. On a Debian 7 system, you $ python connect.py can install it as follows: [u'LJ', u'local', u'test']

# apt-get install python-pymongo The output shows that at the time

Reading package lists... Done of running the script, three databases

Building dependency tree exist called LJ, local and test.

Reading state information... Done Although PyMongo will not be used

The following extra packages will be installed: directly in the rest of the article, it is

python-bson python-bson-ext python-gridfs python-pymongo-ext useful to know about it for testing

WWW.LINUXJOURNAL.COM / FEBRUARY 2014 / 87

LJ238-Feb2014.indd 87 1/21/14 7:53 PM FEATURE Using Django and MongoDB to Build a Blog

Generally speaking, Django has a wrapper for every relational database it supports, but Mongo is a non-relational database, so you need some external help.

and troubleshooting purposes. syncdb command. Losing the Django Generally speaking, Django has Admin panel is a major drawback, a wrapper for every relational but MongoDB offers features that database it supports, but Mongo is relational databases cannot provide. a non-relational database, so you need some external help. You need The Problem THE -ONGO%NGINE 0YTHON PACKAGE Imagine you registered a new domain in order to utilize MongoDB. Other to host your personal site. The site options are Ming, MongoKit, also will have a blog. Instead of using django-mongodb and django-nonrel. a CMS, such as Joomla! or WordPress, )N MY OPINION -ONGO%NGINE IS for creating the blog, you want more the best option. control over the site, so you decide to -ONGO%NGINE IS AN OBJECT use Django for creating the blog and document mapper made for MongoDB for storing the blog data. MongoDB, following Django’s The nice thing about this solution ORM style. You can install it by is that if you already are familiar with executing this command: Django, it will not take more than two hours to develop, test and deliver a # apt-get install python-mongoengine complete version of the blog site. Note: the solution presented here -ONGO%NGINE IS BASED ON 0Y-ONGO tries to be as Django-“native” as and that’s why you need to know possible. The only thing different some basic things about PyMongo. from the usual Django way is the For those of you who are familiar use of MongoDB. with Django, you should know that WHEN YOU ARE USING -ONGO%NGINE The Solution you lose both the Django Admin If you try to access a MongoDB that panel and the python manage.py does not already exist, MongoDB

88 / FEBRUARY 2014 / WWW.LINUXJOURNAL.COM

LJ238-Feb2014.indd 88 1/21/14 7:53 PM will create it. The same happens The test development server restarts if you try to write to a MongoDB automatically every time you make collection (table) that does not exist. changes to the Django project. So, you do not need to execute any 3) Create the app for the blog commands on MongoDB, but you called LJblog: should be very careful not to have any typos in your code. $ python manage.py startapp LJblog Do the following steps on Django. 1) Create a new project called LJ:  !DD THE NAME OF THE ,*BLOG APP TO THE LIST OF THE ).34!,,%$?!003 IN THE $ django-admin.py startproject LJ LJ/settings.py file. If you do not “install” $ cd LJ the app, you will not be able to use it. So, the INSTALLED_APPS variable The manage.py script is created for should have the following values: every Django project and is a wrapper around django-admin.py. You do not INSTALLED_APPS = ( need to make any changes to it. 'django.contrib.auth', 2) Run the test development Web 'django.contrib.contenttypes', server to see if everything is okay: 'django.contrib.sessions', 'django.contrib.sites', $ python manage.py runserver 'django.contrib.messages', 'django.contrib.staticfiles', By going to http://localhost:8000/ 'LJblog', (or http://127.0.0.1:8000/), you will 'django_extensions', see Figure 2. )

Figure 2. The Test Development Web Server

WWW.LINUXJOURNAL.COM / FEBRUARY 2014 / 89

LJ238-Feb2014.indd 89 1/21/14 7:53 PM FEATURE Using Django and MongoDB to Build a Blog

As you can see here, it also ---

is required to install a package > MEDIA_ROOT = ''

called django-extensions. If 49c58

your Linux distribution does not < MEDIA_URL = '/media/'

provide a ready-to-install package, ---

VISIT THE $JANGO %XTENSIONS SITE FOR > MEDIA_URL = ''

instructions about installing it. 55c64

 -ANY OTHER CHANGES HAD TO < STATIC_ROOT = os.path.join(PROJECT_ROOT, '..', 'static')

be made in the LJ/settings.py file. ---

The following diff output shows > STATIC_ROOT = ''

the changes: 63d71

< os.path.join(PROJECT_ROOT, 'static'),

$ diff settings.py{,.orig} 103d110

3,5d2 < os.path.join(PROJECT_ROOT, 'templates'),

< import os 148,159d154

< PROJECT_ROOT = os.path.abspath(os.path.dirname(_ _file_ _)) <

< < AUTHENTICATION_BACKENDS = (

14a12,23 < 'mongoengine.django.auth.MongoEngineBackend',

> DATABASES = { < )

> 'default': { <

> 'ENGINE': 'django.db.backends.', # Add 'postgresql_psycopg2', < SESSION_ENGINE = 'mongoengine.django.sessions'

# 'mysql', 'sqlite3' or <

# 'oracle'. < MONGO_DATABASE_NAME = 'LJ_blog'

> 'NAME': '', # Or path to database file if using sqlite3. <

> # The following settings are not used with sqlite3: < from mongoengine import connect

> 'USER': '', < connect(MONGO_DATABASE_NAME)

> 'PASSWORD': '', <

> 'HOST': '', # Empty for localhost through domain sockets

# or '127.0.0.1' for localhost through TCP. Note: the name of the MongoDB

> 'PORT': '', # Set to empty string for default. database is defined and stored in the

> } MONGO_DATABASE_NAME variable.

> } 5) The contents of the LJ/urls.py file

> should be the following:

44c53

< MEDIA_ROOT = os.path.join(PROJECT_ROOT, '..', 'media') from django.conf.urls import patterns, include, url

90 / FEBRUARY 2014 / WWW.LINUXJOURNAL.COM

LJ238-Feb2014.indd 90 1/21/14 7:53 PM from django.conf import settings ´bootstrap.css

from LJblog.views import PostListView -rwxr-xr-x@ 1 mtsouk staff 103314 Jan 5 2013

´bootstrap.min.css

urlpatterns = patterns('',

url(r'^$', PostListView.as_view(), name='list'), static//bootstrap/img:

url(r'^post/', include('LJblog.urls')) total 56

) -rwxr-xr-x@ 1 mtsouk staff 8777 Jan 5 2013

´glyphicons-halflings-white.png

6) Inside the LJ/LJ directory, you -rwxr-xr-x@ 1 mtsouk staff 12799 Jan 5 2013 need to create two directories, called ´glyphicons-halflings.png static and templates, and copy some files and directories inside them. The static//bootstrap/js: project uses the Twitter Bootstrap total 184 set of tools for creating Web sites -rwxr-xr-x@ 1 mtsouk staff 58516 Jan 5 2013 and Web applications. ´bootstrap.js The following output shows the -rwxr-xr-x@ 1 mtsouk staff 31596 Jan 5 2013 full contents of the static directory: ´bootstrap.min.js

$ ls -lR static/ The templates directory contains total 0 two files, as the output of the ls -lR drwxr-xr-x@ 6 mtsouk staff 204 Sep 21 14:13 bootstrap command shows:

static//bootstrap: $ ls -lR templates/

total 0 total 16

drwxr-xr-x@ 6 mtsouk staff 204 Jan 5 2013 css -rwxr-xr-x@ 1 mtsouk staff 1389 Sep 25 21:25 base.html

drwxr-xr-x@ 4 mtsouk staff 136 Jan 5 2013 img -rwxr-xr-x@ 1 mtsouk staff 148 Jan 5 2013 messages.html

drwxr-xr-x@ 4 mtsouk staff 136 Jan 5 2013 js

The base.html file contains static//bootstrap/css: project-specific information that total 544 you can change. -rwxr-xr-x@ 1 mtsouk staff 21751 Jan 5 2013 7) The connection to the ´bootstrap-responsive.css MongoDB database happens -rwxr-xr-x@ 1 mtsouk staff 16553 Jan 5 2013 inside the LJ/settings.py file. ´bootstrap-responsive.min.css Django needs the following -rwxr-xr-x@ 1 mtsouk staff 124223 Jan 5 2013 two commands to connect to a

WWW.LINUXJOURNAL.COM / FEBRUARY 2014 / 91

LJ238-Feb2014.indd 91 1/21/14 7:53 PM FEATURE Using Django and MongoDB to Build a Blog

MongoDB database: url(r'^(?P[\w\d]+)/delete/$', PostDeleteView.as_view(),

´name='delete'),

from mongoengine import connect ) connect(MONGO_DATABASE_NAME) 10) Next, you need to edit the 8) Next, you should create four models.py file. This file is where data HTML files inside the templates/LJblog models are defined. directory. They are the displayed Web Using Django’s ORM (Object- pages for the Create, Read, Update Relational Mapper) is one of the and Delete operations: project’s goals. ORM allows the Python classes that were defined inside Q create.html models.py to access the selected database without requiring you to Q detail.html deal with the database directly. ORM is a major advantage of Django. Q list.html The Post Python class is defined as follows: Q update.html

class Post(Document):

The selected filenames must user = ReferenceField(User, reverse_delete_rule=CASCADE)

match the parameters found inside title = StringField(max_length=200, required=True)

the LJblog/urls.py file. text = StringField(required=True)

9) The contents of the LJblog/urls.py text_length = IntField()

file are the following: date_modified = DateTimeField(default=datetime.now)

is_published = BooleanField()

from django.conf.urls import patterns, url

from views import PostCreateView, PostDetailView, As you will see later in this article,

´PostUpdateView, PostDeleteView the Post MongoDB table has a direct

connection to the Post Python class.

urlpatterns = patterns('', 11) Then, you need to edit the forms.py

url(r'^add/$', PostCreateView.as_view(), name='create'), file. The forms.py file allows Django to

url(r'^(?P[\w\d]+)/$', PostDetailView.as_view(), access user-submitted form data.

´name='detail'), 12) Last but not least, you should

url(r'^(?P[\w\d]+)/edit/$', PostUpdateView.as_view(), edit the views.py file. This file includes

´name='update'), the functions that handle data as well

92 / FEBRUARY 2014 / WWW.LINUXJOURNAL.COM

LJ238-Feb2014.indd 92 1/21/14 7:53 PM as various other things. The directory structure of the project as well as the included files are shown in Figure 3. You also will notice files ending with .pyc. These are byte-code files created by the Python interpreter that are executed by the Python virtual machine. You can examine the contents of the LJ_blog collection using MongoDB commands:

> use LJ_blog;

switched to db LJ_blog

> show collections;

post

system.indexes

> db.post.find();

{ "_id" : ObjectId("523d83de8491973b242e2772"), "title" :

´"First blog entry!", "text" : "This is my first

´blog entry.\r\Mihalis Tsoukalos", "text_length" : 47,

´"date_modified" : ISODate("2013-09-21T06:32:46.289Z"),

´"is_published" : true }

{ "_id" : ObjectId("523d83f88491973b242e2773"), "title" :

´"Another post", "text" : "Just another blog post!",

´"text_length" : 23, "date_modified" :

´ISODate("2013-09-21T06:33:12.321Z"), "is_published" : true }

{ "_id" : ObjectId("523d86f58491973b9e3c8c78"), "title" :

´"Just another test!", "text" : "Just another test!\r\nLJ",

´"text_length" : 22, "date_modified" :

´ISODate("2013-09-21T06:45:57.092Z"), "is_published" : true }

>

Note: every time you insert a Figure 3. The Directory Structure of the BSON document in MongoDB, Django Project

WWW.LINUXJOURNAL.COM / FEBRUARY 2014 / 93

LJ238-Feb2014.indd 93 1/21/14 7:53 PM FEATURE Using Django and MongoDB to Build a Blog

MongoDB automatically generates Development server is running at http://127.0.0.1:8000/ a new field called _id. The _id Quit the server with CONTROL-C. field acts as the primary key and is always 12 bytes long. If everything is okay, you will see Now, you should check that SOMETHING SIMILAR TO &IGURE  AFTER everything is fine by running the test visiting http://127.0.0.1:8000/ or development server and trying to http://localhost:8000/. connect to http://localhost:8000/: While using the application, the output from the test development $ python manage.py runserver server is updated and will look similar Validating models... to the following:

0 errors found [25/Sep/2013 12:18:28] "GET / HTTP/1.1" 200 1320

September 21, 2013 - 07:25:07 [25/Sep/2013 12:18:28] "GET /static/bootstrap/css/bootstrap.min.css

Django version 1.5.1, using settings 'LJ.settings' ´HTTP/1.1" 200 103314

Figure 4. The LJblog application is up and running.

94 / FEBRUARY 2014 / WWW.LINUXJOURNAL.COM

LJ238-Feb2014.indd 94 1/21/14 7:53 PM [25/Sep/2013 12:18:28] "GET /static/bootstrap/js/bootstrap.min.js 1) Turn off Debug mode inside

´HTTP/1.1" 200 31596 LJ/settings.py:

[25/Sep/2013 12:18:28] "GET /static/bootstrap/css/

´bootstrap-responsive.css HTTP/1.1" 200 21751 DEBUG = False

[25/Sep/2013 12:18:32] "GET / HTTP/1.1" 200 1320 TEMPLATE_DEBUG = DEBUG

[25/Sep/2013 12:18:33] "GET /post/add/ HTTP/1.1" 200 1823

[25/Sep/2013 12:18:34] "GET /?all_posts HTTP/1.1" 200 1320 2) Change the ADMINS setting inside

[25/Sep/2013 16:01:10] "GET /post/5243295f8491976bd8f016d0/edit/ LJ/settings.py to something useful:

´HTTP/1.1" 200 1841

[25/Sep/2013 16:01:18] "GET /post/5243295f8491976bd8f016d0/delete/ ADMINS = (

´HTTP/1.1" 302 0 ('Mihalis', '[email protected]'), ) The output is useful for debugging purposes, especially when you don’t 3) Install and activate the get the expected results on your mod_python Apache module. Web browser.  9OU CAN USE MOD?WSGI INSTEAD If you want to delete the LJ_blog of mod_python. collection in order to start your blog from scratch, use the following Why Use MongoDB Instead of a command with care: Relational Database? You may wonder why you should use > db.post.drop() A .O31, DATABASE SUCH AS -ONGO$" true instead of a traditional DBMS like > db.post.find(); -Y31, OR 0OSTGRE31, !LTHOUGH IT > show collections; would be possible to use a relational system.indexes database, here are the reasons for preferring MongoDB: Deploying the Django Web Site to a Production Server Q MongoDB is generally faster. %XPLAINING THE FULL DEPLOYMENT PROCESS is outside the scope of this article, but Q MongoDB is better for high-volume I want to give some useful tips. When traffic sites. you try to run your Django project on a production server, keep the Q MongoDB supports sharding. following things in mind: Sharding (aka horizontal

WWW.LINUXJOURNAL.COM / FEBRUARY 2014 / 95

LJ238-Feb2014.indd 95 1/21/14 7:53 PM FEATURE Using Django and MongoDB to Build a Blog

partitioning) is the process of be 100% Django-native: support for separating a single database the Django Admin Panel and support across a cluster of machines. for the syncdb command. A link to the full code for this Q MongoDB supports replication. project is listed in the Resources section of this article. Q Your data schema may change without downtime when using MongoDB. Acknowledgement I would like to thank Josh Ourisman Q Depending on the application, it for answering some questions that I may feel more natural to develop in had while writing this article.Q a document-oriented database. Mihalis Tsoukalos is a UNIX administrator who also focuses on Q MongoDB has an easy-to-use programming, databases and mathematics. You can reach him protocol for storing large files and at [email protected] and @mactsouk (Twitter). Contact him if file metadata called GridFS. you are looking for a UNIX system administrator.

Summary As I’ve explained here, MongoDB and Send comments or feedback via Django can indeed work together. http://www.linuxjournal.com/contact However, two things are missing to or to [email protected].

Resources Code for This Article: http://www.mtsoukalos.eu/FILES/MongoDjango.zip MongoDB: http://www.mongodb.org Pymongo: http://api.mongodb.org/python/current BSON: http://bsonspec.org Django Web Page: https://www.djangoproject.com MongoEngine: http://mongoengine.org Django Extensions: https://django-extensions.readthedocs.org/en/latest The Django Book: http://www.djangobook.com/en/2.0/index.html Twitter Bootstrap: http://en.wikipedia.org/wiki/Twitter_Bootstrap MongoKit: http://namlook.github.io/mongokit mod_wsgi: http://code.google.com/p/modwsgi

96 / FEBRUARY 2014 / WWW.LINUXJOURNAL.COM

LJ238-Feb2014.indd 96 1/21/14 7:53 PM LINUX JOURNAL ARCHIVE DVD

NOW AVAILABLE

Save $10.00 by using discount code DVD2013 at checkout. Coupon code expires 2/3/2013 www.linuxjournal.com/dvd

LJ238-Feb2014.indd 97 1/21/14 7:53 PM KNOWLEDGE HUB

WEBCASTS Learn the 5 Critical Success Factors to Accelerate IT Service Delivery in a Cloud-Enabled Data Center Today's organizations face an unparalleled rate of change. Cloud-enabled data centers are increasingly seen as a way to accelerate IT service delivery and increase utilization of resources while reducing operating expenses. Building a cloud starts with virtualizing your IT environment, but an end-to-end cloud orchestration solution is key to optimizing the cloud to drive real productivity gains.

> http://lnxjr.nl/IBM5factors

Modernizing SAP environments with minimum risk—a path to Big Data Sponsor: SAP | Topic: Big Data Is the data explosion in today’s world a liability or a competitive advantage for your business? Exploiting massive amounts of data to make sound business decisions is a business imperative for success and a high priority for many firms. With rapid advances in x86 processing power and storage, enterprise application and database workloads are increasingly being moved from UNIX to Linux as part of IT modernization efforts. Modernizing application environments has numerous TCO and ROI benefits but the transformation needs to be managed carefully and performed with minimal downtime. Join this webinar to hear from top IDC analyst, Richard Villars, about the path you can start taking now to enable your organization to get the benefits of turning data into actionable insights with exciting x86 technology.

> http://lnxjr.nl/modsap

WHITE PAPERS White Paper: JBoss Enterprise Application Platform for OpenShift Enterprise Sponsor: DLT Solutions Red Hat’s® JBoss Enterprise Application Platform for OpenShift Enterprise offering provides IT organizations with a simple and straightforward way to deploy and manage Java applications. This optional OpenShift Enterprise component further extends the developer and manageability benefits inherent in JBoss Enterprise Application Platform for on-premise cloud environments.

Unlike other multi-product offerings, this is not a bundling of two separate products. JBoss Enterprise Middleware has been hosted on the OpenShift public offering for more than 18 months. And many capabilities and features of JBoss Enterprise Application Platform 6 and JBoss Developer Studio 5 (which is also included in this offering) are based upon that experience.

This real-world understanding of how application servers operate and function in cloud environments is now available in this single on-premise offering, JBoss Enterprise Application Platform for OpenShift Enterprise, for enterprises looking for cloud benefits within their own datacenters.

> http://lnxjr.nl/jbossapp

98 / FEBRUARY 2014 / WWW.LINUXJOURNAL.COM

LJ238-Feb2014.indd 98 1/22/14 10:12 AM KNOWLEDGE HUB

WHITE PAPERS Linux Management with Red Hat Satellite: Measuring Business Impact and ROI Sponsor: Red Hat | Topic: Linux Management

Linux has become a key foundation for supporting today's rapidly growing IT environments. Linux is being used to de- ploy business applications and databases, trading on its reputation as a low-cost operating environment. For many IT organizations, Linux is a mainstay for deploying Web servers and has evolved from handling basic file, print, and utility workloads to running mission-critical applications and databases, physically, virtually, and in the cloud. As Linux grows in importance in terms of value to the business, managing Linux environments to high standards of service quality — availability, security, and performance — becomes an essential requirement for business success.

> http://lnxjr.nl/RHS-ROI

Standardized Operating Environments for IT Efficiency Sponsor: Red Hat

4HE 2ED (ATš 3TANDARD /PERATING %NVIRONMENT 3/% HELPS YOU DEFINE DEPLOY AND MAINTAIN 2ED (AT %NTERPRISE ,INUXš AND THIRD PARTY APPLICATIONS AS AN 3/% 4HE 3/% IS FULLY ALIGNED WITH YOUR REQUIREMENTS AS AN EFFECTIVE AND MANAGED process, and fully integrated with your IT environment and processes.

Benefits of an SOE:

3/% IS A SPECIFICATION FOR A TESTED STANDARD SELECTION OF COMPUTER HARDWARE SOFTWARE AND THEIR CONFIGURATION FOR USE ON COMPUTERS WITHIN AN ORGANIZATION 4HE MODULAR NATURE OF THE 2ED (AT 3/% LETS YOU SELECT THE MOST APPROPRIATE solutions to address your business' IT needs.

SOE leads to:

s $RAMATICALLY REDUCED DEPLOYMENT TIME

s 3OFTWARE DEPLOYED AND CONFIGURED IN A STANDARDIZED MANNER

s 3IMPLIFIED MAINTENANCE DUE TO STANDARDIZATION

s )NCREASED STABILITY AND REDUCED SUPPORT AND MANAGEMENT COSTS

s 4HERE ARE MANY BENEFITS TO HAVING AN 3/% WITHIN LARGER ENVIRONMENTS SUCH AS

s ,ESS TOTAL COST OF OWNERSHIP 4#/ FOR THE )4 ENVIRONMENT

s -ORE EFFECTIVE SUPPORT

s &ASTER DEPLOYMENT TIMES

s 3TANDARDIZATION

> http://lnxjr.nl/RH-SOE

WWW.LINUXJOURNAL.COM / FEBRUARY 2014 / 99

LJ238-Feb2014.indd 99 1/21/14 7:53 PM INDEPTH Cloud Computing Basics—Platform as a Service (PaaS) PaaS is a cloud service model that allows you to develop, deploy and run business applications swiftly. MITESH SONI

Generally, good programming environment, specific algorithms, is considered to be the measured programming languages and application of an art form, craft proper logic. or discipline, with the objective In addition, developing and of producing a competent and deploying applications is a complex, evolving business solution. In expensive and time-consuming traditional environments, computer task. Business applications require programming is a practice that has hardware resources, operating multiple phases, such as designing, systems, databases, middleware, developing, testing, debugging Web servers and other software. and maintaining application code. Once the technology stack and We programmers use programming hardware resources are available, LANGUAGES LIKE # # # *AVA a team of developers needs to Python and Smalltalk to create navigate frameworks, such as business applications. The process *%% AND .%4 FOR DEVELOPMENT of writing code often requires A dedicated team of network, proficiency in many diverse database and IT management subjects, including knowledge of experts keeps resources and the application domain, runtime applications available.

100 / FEBRUARY 2014 / WWW.LINUXJOURNAL.COM

LJ238-Feb2014.indd 100 1/21/14 7:53 PM INDEPTH

Figure 1. Programming

Inevitably, business requirements used to power the servers as well as will require changes in the to keep them cool. application, which results in a If you think the complexities end lengthy development, testing and here, then wait. A failover site holds re-deployment cycle. Furthermore, significant importance to mirror large organizations need specialized the data center so that information facilities to house their data centers and resources can be replicated in and a team to maintain them. A case of disaster. Applications built gigantic amount of electricity is with these complexities are difficult

WWW.LINUXJOURNAL.COM / FEBRUARY 2014 / 101

LJ238-Feb2014.indd 101 1/21/14 7:53 PM INDEPTH

to scale for usage spike demands, logic errors, such as division by fragile to update, and difficult to zero. Anticipating errors, such as make mobile and social as business incorrect or compromised data and needs change. unavailability of resources, increases robustness. How well application Modern Application Programming developers and IT teams manage and Its Challenges robustness holds more significance Modern programming has changed in achieving the application’s in a different manner due to the OBJECTIVES %FFICIENCY PERFORMANCE EXPLOSION OF DEVICES %XPANDING maintainability, portability and data and new business requirements availability of an application are need different approaches from the equally important in modern previous era. Considering either environments. Cloud computing the traditional approach or modern is a revolutionary approach approach, business applications must that provides a ray of hope for satisfy some fundamental properties, organizations dealing with these such as automation, reliability, modern challenges. robustness, performance and availability. Unfortunately, even in Introducing PaaS modern times, automated build and Cloud computing is still an evolving test environments don’t exist in many paradigm, but it is one of the organizations, and best practices most disruptive innovations in the are not applied everywhere in the past few years. According to the software development life cycle. definition from NIST, it is the model It is important to understand to enable convenient and on-demand that an application’s reliability network access to a shared pool of depends on the accuracy of configurable computing resources, algorithms, fewer programming such as compute, storage and mistakes, the implementation of network, that can be provisioned security best practices, and avoiding rapidly and released with minimal

PaaS providers manage underlying infrastructure resources, such as operating systems, virtual servers, networks, Web servers, application servers, databases, backup and disaster recovery.

102 / FEBRUARY 2014 / WWW.LINUXJOURNAL.COM

LJ238-Feb2014.indd 102 1/21/14 7:53 PM INDEPTH

Figure 2. NIST Definition of Cloud Computing

management effort. maintenance rather than having to Cloud computing is composed of worry about managing resources, three service models: Software as a platforms and software versions. Service (SaaS), Platform as a Service PaaS resides within the space (PaaS) and Infrastructure as a Service between SaaS and IaaS. IaaS provides (IaaS). This article focuses on PaaS. network, storage and compute With PaaS, you can deploy PROCESSING CAPABILITIES %XAMPLES applications into the cloud of IaaS offerings include Amazon infrastructure using supported %# 7INDOWS !ZURE 6- 2OLE AND programming languages (such as Java, RackSpace Cloud Servers. SaaS PHP, Ruby and .Net) and platforms/ delivers business software capabilities, tools (such as Web servers/application such as CRM. servers and databases). This enables PaaS includes not only the PaaS users or organizations to focus deployment environment, but it on their business and application also includes repositories, build

WWW.LINUXJOURNAL.COM / FEBRUARY 2014 / 103

LJ238-Feb2014.indd 103 1/21/14 7:53 PM INDEPTH

to develop applications that provide real business value. PaaS is driving a new era of innovation and business agility. Development and IT teams use PaaS to design, experiment, build, test and deliver customized applications. Hence, application developers and IT teams can focus on application and domain expertise for their business, rather than managing complex hardware and software resources.

Figure 3. PaaS Benefits of PaaS Two significant benefits of using environments, testing environments, PaaS are cost benefits and faster performance management, mail development and deployment services, log services, database cycles. PaaS provides agility, services, big data services, search flexibility and faster time to market services, enterprise messaging to the development, testing and services and application deployment cycles and, hence, focus performance management for remains on the application and not modern application architectures in managing resources. It ensures and code inspection services. access to resources from anywhere PaaS is becoming popular because it in the world. By using PaaS, user eliminates the cost and complexity of satisfaction increases, and at the same acquisition, installation, configuration, time, resource utilization improves. evaluation, experimentation and It provides underlying software and management of all the hardware hardware resources on a pay-as-you- and software resources needed to go billing model, so it reduces the run business applications. PaaS capital expenditure associated with provides the infrastructure and large amounts of server and storage platform needed to develop and space, power, cooling, management run applications. By using PaaS, and maintenance of software organizations can utilize budgets updates and changes, and skilled

104 / FEBRUARY 2014 / WWW.LINUXJOURNAL.COM

LJ238-Feb2014.indd 104 1/21/14 7:53 PM INDEPTH

Figure 4. PaaS Benefits

personnel. With almost zero capital improves collaboration between the expenditure, horizontal or vertical development and testing teams. scaling features can increase the PaaS offers surprising benefits application’s performance. It does not in deployment and management involve local installation, so adoption tasks considering the fact that speed is usually high. The PaaS most organizations opt for PaaS platform ensures that consumers solutions based on the environment don’t need to keep investing in OS that is already standardized in their upgrades and maintenance. It is internal environment. the PaaS provider’s responsibility to manage infrastructure and platform How to Deploy Applications resources so organizations don’t need in PaaS to worry about licenses, versions Here are the basic steps: of software, patch management and so on. Furthermore, flexibility Q Select the application type, and availability of resources programming language for

WWW.LINUXJOURNAL.COM / FEBRUARY 2014 / 105

LJ238-Feb2014.indd 105 1/21/14 7:53 PM INDEPTH

developing the application, brand building and strengths. To platform to run the application, prepare for the PaaS, cloud providers build environment and so on. are developing flexible cloud platforms to support a variety of Q Create business or Web functions for the cloud environment APPLICATIONS USING AN )$% SUCH AS AND PROCESSES %XAMPLES OF 0AA3 %CLIPSE .ET"EANS OR ANY OTHER )$% include, but are not limited to, &ORCECOM -ICROSOFT !ZURE %NGINE Q Create a database using available Yard, Heroku, CloudBees and Google database products. !PP %NGINE Red Hat OpenShift Red Hat Q Change the database configuration OpenShift is a PaaS with Apache accordingly in the application. License 2.0. It has built-in support for Java, Python, PHP, Perl, Node.js, Q Create an archive file—for example, Ruby and extensible functionality to A 7!2 OR %!2 FILE add languages. OpenShift supports -Y31, 0OSTGRE31, AND -ONGO$" )T Q Upload the archive file to the supports Web-application frameworks, PaaS Portal. such as Rack for Ruby, WSGI for Python and PSGI for Perl. For Java, Q Configure log, e-mail, backup and it covers end-to-end support for scaling services. *AVA %% #$)7ELD 3PRING ,IFERAY 3CALA0LAY
*"OSS !3 *"OSS %!0 Q Access your application. 4OMCAT  AND  *"OSS %73  AND 2.0), Glassfish as DIY, Jetty as DIY, Major PaaS Providers and %CLIPSE *"OSS 4OOLS *ENKINS #LOUD Offerings in Cloud Services )$% !PPCELERATOR 4ITANIUM 'IT PaaS services provide an opportunity SSH access, Maven 3 and Ant. Three to increase customers, boost revenue, versions are available: OpenShift add value to existing services and /NLINE /PEN3HIFT %NTERPRISE AND gain broader adoption of cloud OpenShift Origin. A free tier is services among business customers. available for OpenShift Online Application development is a core with 512MB of RAM and 1GB disk. capability, while additional capabilities /PEN3HIFT %NTERPRISE IS A PRIVATE CLOUD often play to the cloud provider’s version from Red Hat.

106 / FEBRUARY 2014 / WWW.LINUXJOURNAL.COM

LJ238-Feb2014.indd 106 1/21/14 7:53 PM INDEPTH

CloudBees CloudBees supports Python, Go or PHP applications on *AVA 3% AND *AVA %% )T ALSO INCLUDES THE 'OOGLE INFRASTRUCTURE )N '!% 4OMCAT -Y31, COMMERCIAL applications run within a secure relational databases, BIG data— environment with limited access to MongoDB and CouchDB in its the underlying operating system; stack. CloudBees brings quite a few thus, existing applications may unique features into the Java PaaS require significant changes—for landscape, especially continuous example, applications can’t write integration—an entire development/ to the filesystem. It provides native testing/deployment management in SUPPORT FOR 'OOGLE #LOUD 31, AND the cloud. Application deployment Google Cloud Storage. It supports requires no special framework, and automatic scaling and load balancing. it is easy to migrate applications in 4HE 'OOGLE !PP %NGINE 3$+ FOR *AVA or out and to or from CloudBees. Python, PHP and Go are available. Developers can use the Jenkins service Users can use the Google plugin to have CloudBees automatically and FOR %CLIPSE TO DEVELOP AND DEPLOY continuously build, test, check in APPLICATIONS !PP %NGINE $ATASTORE and check out code in the repository. PROVIDES A .O31, DATASTORE WITH A CloudBees supports command-line query engine and atomic transactions. TOOLS )$% TOOLS SUCH AS %CLIPSE A 'OOGLE #LOUD 31, PROVIDES A Web-based console, Web access to relational database service based on logs, third-party developer/testing THE -Y31, 2$"-3 WHILE 'OOGLE services and API access. New Relic Cloud Storage provides a storage monitoring is a part of the CloudBees service for objects and files. For free ecosystem. Users can turn monitoring usage, applications can use up to on for any of the applications with 1GB of storage and adequate CPU a few clicks. In CloudBees, the New and bandwidth to support a capable Relic monitoring agent is deployed application, which can serve around automatically into your application at 5 million requests a month. It also the time of deployment. CloudBees provides simulation of Google App also supports sending mail from %NGINE ON YOUR COMPUTER applications with the SendGrid Service Cloud Foundry Cloud Foundry for RUN@cloud. is an open-source PaaS developed Google App Engine Google App by VMware and released under the %NGINE '!% IS DESIGNED TO RUN *AVA Apache License 2.0. It is written

WWW.LINUXJOURNAL.COM / FEBRUARY 2014 / 107

LJ238-Feb2014.indd 107 1/21/14 7:53 PM INDEPTH

in Ruby. Cloud Foundry supports Windows Azure Windows Azure the Java, Ruby, Node.js and Scala is a PaaS offering from Microsoft. languages with runtime environments Microsoft released it in February 2010. Java 6, Java 7, Ruby 1.8, Ruby 1.9, Application developers can write Node.js, Spring Framework 3.1, code for it in different programming Rails and Sinatra. Cloud Foundry languages; there are definite SDKs SUPPORTS THE -Y31, AND V&ABRIC started by Microsoft for Java, Python, Postgres relational databases and the .ODEJS AND .%4 -ICROSOFT PUBLISHES MongoDB document-based database. the source code for the client libraries 5SERS CAN USE 2ABBIT-1 A RELIABLE ON 'IT(UB &OR DATA STORAGE 31, scalable and portable messaging Azure is a cloud-based scalable and system for applications. Micro Cloud highly available database service built Foundry is a downloadable version ON 31, SERVER 7INDOWS !ZURE "LOBS of Cloud Foundry that can run on a provide storage for unstructured developer’s machine. binary data. AppFabric simplifies Heroku Heroku is a polyglot cloud connecting to cloud services and application platform that supports on-premise applications. For queued Clojure, Facebook, Java, Spring, Play, messaging, queues and service bus Node.js, Python, Django, Ruby on features are available. With the use 2AILS AND 3CALA )T SUPPORTS 0OSTGRE31, of the caching and content delivery AND -ONGO$" AS 31, AND .O31, network, application performance can databases, respectively. Heroku be enhanced. Broadcasters successfully aggregates three categories of logs: used Windows Azure Media Services app logs, system logs and API logs. It to stream the London 2012 Olympics. IS AVAILABLE IN THE 53 AND %5 5SERS Windows Azure Active Directory can use the maintenance mode to manages user information similar to disable access to their applications Windows Server Active Directory. for some duration of time, where it Amazon Elastic Beanstalk %LASTIC will serve a static page to all users. Beanstalk is a PaaS offering from AWS Users can enable SSL to ensure that to deploy and manage applications all information is transmitted securely. QUICKLY IN THE !73 CLOUD %LASTIC Its production check feature is useful Beanstalk manages auto-scaling, load to verify application configuration balancing and application monitoring. against recommended criteria to !73 %LASTIC "EANSTALK SUPPORTS *AVA ensure maximum uptime. 0(0 0YTHON .ODEJS 2UBY AND .%4

108 / FEBRUARY 2014 / WWW.LINUXJOURNAL.COM

LJ238-Feb2014.indd 108 1/21/14 7:53 PM INDEPTH

Web applications with the Apache as well as in secure design principles. Tomcat, Apache HTTP Server, Nginx, Unlike traditional application Passenger and Microsoft IIS 7.5 development, PaaS offers a shared development stacks, respectively. development environment, so It runs on the Amazon Linux AMI, authentication, authorization and Windows Server 2008 R2 AMI and the access control can be combined Windows Server 2012 AMI. Consumers to ensure consumers’ data and can create 25 applications and 500 application security. It is also important application versions. The application to scan Web applications for common size can be up to 512MB. Users can security issues, such as cross-site USE %CLIPSE AND 6ISUAL 3TUDIO TO DEPLOY SCRIPTING 833 AND 31, INJECTION 4O APPLICATIONS TO !73 %LASTIC "EANSTALK refine development efforts to produce Users can leverage the AWS Toolkit for secure and robust applications, %CLIPSE AND THE !73 4OOLKIT FOR 6ISUAL application threat modeling is critical. 3TUDIO FOR *AVA APPLICATIONS AND .%4 OWASP threat modeling can be used applications, respectively. Application to create secure applications. files and optionally server log files are stored in Amazon S3. Amazon Future of PaaS RDS, DynamoDB and SimpleDB can Many IaaS providers are moving up in be used as a datastore, or users can the stack of service models. AWS is one USE /RACLE -ICROSOFT 31, 3ERVER of the examples. Today, the market for or any other relational databases PaaS may be the smallest proportion RUNNING ON !MAZON %# of the overall public cloud. But, it will have huge implications in application Security in PaaS developers’ roles and responsibilities. It is essential that application .EARLY HALF OF RESPONDENTS  developers are thoroughly experienced to the 2013 TechTarget Cloud Pulse in application security best practices. Survey said they chose the PaaS they This can include secure coding did because it was part of a cloud practices in the proffered language ecosystem they already were using.

According to 451 Research, PaaS is the fastest growing area of cloud computing and is projected to attain a 41% compound annual growth rate (CAGR) through 2016—24% of total cloud revenues.

WWW.LINUXJOURNAL.COM / FEBRUARY 2014 / 109

LJ238-Feb2014.indd 109 1/21/14 7:53 PM INDEPTH

3IMILARLY  OF RESPONDENTS SAID Mitesh Soni has been associated with the Cloud Services Team they based their decision on how well for the past three years, which is a part of the Research and the PaaS would integrate with existing Innovation Group of iGATE. Currently, he is working there in the architecture. Now, PaaS providers have capacity as Technical Lead. He loves to write on technical and realized that it will be more beneficial social subjects, and he also enjoys photography. His technical from a market and competition point blog is at https://abcdofcloud.wordpress.com, and his of view to run services across several photography blog is at http://myvividvisions.com. IaaS providers’ architectures. Some providers are providing private versions of their PaaS offering, so organizations can use the same services in their Send comments or feedback via existing facilities to utilize existing http://www.linuxjournal.com/contact resources in a better manner.Q or to [email protected].

Resources

The NIST Definition of Cloud Computing, version 15: http://www.nist.gov/itl/cloud/upload/cloud-def-v15.pdf

Peeling Back the Layers of the Platform as a Service Market: http://searchcloudcomputing.techtarget.com/tip/ Peeling-back-the-layers-of-the-Platform-as-a-Service-market

451 Research: Platform-as-a-Service Fastest Growing Area of Cloud Computing: http://www.cloudcomputing-news.net/blog-hub/2013/aug/23/451-research- platform-as-a-service-paas-fastest-growing-area-of-cloud-computing/ ?utm_medium=referral&utm_source=t.co

OpenShift: https://www.openshift.com

AppEngine: https://developers.google.com/appengine/docs

Heroku: https://www.heroku.com

Windows Azure: http://www.windowsazure.com

Amazon Elastic Beanstalk: http://aws.amazon.com/elasticbeanstalk

Cloud Foundry: http://www.cloudfoundry.com

CloudBees: http://www.cloudbees.com

110 / FEBRUARY 2014 / WWW.LINUXJOURNAL.COM

LJ238-Feb2014.indd 110 1/21/14 7:53 PM Instant Access to Premium Online Drupal Training

Instant access to hundreds of hours of Drupal training with new videos added every week!

Learn from industry experts with real world H[SHULHQFHEXLOGLQJKLJKSURȴOHVLWHV

Learn on the go wherever you are with apps for iOS, Android & Roku

We also offer group accounts. Give your whole team access at a discounted rate!

Learn about our latest video releases and RIIHUVȴUVWE\IROORZLQJXVRQ)DFHERRNDQG 7ZLWWHU #GUXSDOL]HPH 

Go to http://drupalize.me and get Drupalized today!

LJ238-Feb2014.indd 111 1/21/14 7:53 PM EOF

Girls and SUSAN SONS Software December 2013’s EOF, titled “Mars Needs Women”, visited an interesting fact: that the male/female ratio among Linux Journal readers, and Linux kernel developers, is so lopsided (male high, female low) that graphing it would produce a near-vertical line. I was hoping the piece would invite a Linux hacker on the female side of that graph to step up and move the conversation forward. And sure enough, here we have Susan Sons aka @HedgeMage. Read on.—Doc Searls

ep, I said “girls”. Since men radios. Some of them built pumpkin were once boys, but women LAUNCHERS OR ,%'/ TRAINS ) STARTED Y sprang from the head of coding when I was six years old, :EUS FULL GROWN AND FIGHTING LIKE sitting in my father’s basement office, modern-day Athenas, you can start on the machine he used to track flaming me now for using that nasty inventory for his repair service. After a word...unless you’d like to see the summer of determined trial and error, industry through the eyes of a girl I’d managed to make some gorillas who grew up to be a woman in throw things other than exploding the midst of a loose collection of bananas. It felt like victory! open-source communities. When I was 12, I got my hands on Looking around at the hackers a Slackware disk and installed it on I know, the great ones started my computer—a Christmas gift from BEFORE PUBERTY %VEN IF THEY LACKED my parents in an especially good year computers, they were taking apart for my dad’s company—and I found a alarm clocks, repairing pencil bug in a program. The program was in sharpeners or tinkering with ham C, a language I’d never seen. I found

112 / FEBRUARY 2014 / WWW.LINUXJOURNAL.COM

LJ238-Feb2014.indd 112 1/21/14 7:53 PM EOF

my way onto IRC and explained the conversation, I was sold on open predicament: what was happening, source. As a little girl from farm how to reproduce it and where I country who’d repeatedly been thought I’d found the problem. excluded from intellectual activities I was pretty clueless then—I because she wasn’t wealthy or urban hadn’t even realized that the reason or old enough to be wanted, I could I couldn’t read the code well was not believe how readily I’d been that there was more than one accepted and treated like anybody programming language in the world— else in the channel, even though I’d but the channel denizens pointed been outed. I was doubly floored me to the project’s issue tracker, when I found out that coder0 was explained its purpose and helped me NONE OTHER THAN %RIC 3 2AYMOND file my first bug report. whose writings I’d devoured shortly What I didn’t find out about until after discovering Linux. later was the following private Open source was my refuge message exchange between one of because it was a place were nobody the veterans who’d been helping cared what my pedigree was or me and a channel denizen who what I looked like—they cared only recognized my nickname from a about what I did. I ingratiated myself mailing list: to people who could help me learn by doing dull scutwork: triaging coder0: That was a really well- issues to keep the issue queues neat asked question...but why do I get and orderly, writing documentation the feeling he’s a 16yo boy? and fixing code comments. I was the helpful kid, so when I needed coder1: Because she’s a 12yo girl. help, the community was there. I’d never met another programmer in coder0: Well...wow. What do real life at this point, but I knew her parents do that she thinks more about programming than some like that? college students.

coder1: I think she’s on a farm It Really Is about Girls (and Boys) somewhere, actually. Twelve-year-old girls today don’t generally get to have the experiences When coder1 told me about the that I did. Parents are warned to

WWW.LINUXJOURNAL.COM / FEBRUARY 2014 / 113

LJ238-Feb2014.indd 113 1/21/14 7:53 PM EOF

keep kids off the computer lest they Unfortunately, our society get lured away by child molesters or has set girls up to be anything worse—become fat! That goes doubly but technologists. My son is in for girls, who then grow up to be elementary school. Last year, his liberal arts majors. Then, in their late school offered a robotics class for teens or early twenties, someone who girls only. When my son asked why feels the gender skew in technology he couldn’t join, it was explained communities is a problem drags them to him that girls need special help to a LUG meeting or an IRC channel. to become interested in technology, Shockingly, this doesn’t turn the and that if there are boys around, young women into hackers. the girls will be too scared to try. Why does anyone, anywhere, think My son came home very confused. this will work? Start with a young You see, he grew up with a mom woman who’s already formed her who coded while she breastfed and identity. Dump her in a situation that brought him to his first LUG meeting operates on different social scripts at age seven weeks. The first time than she’s accustomed to, full of he saw a home-built robot, it was people talking about a subject she shown to him by a local hackerspace doesn’t yet understand. Then tell member, a woman who happens her the community is hostile toward to administer one of the country’s women and therefore doesn’t have biggest supercomputers. Why was his enough of them, all while showing her school acting like girls were dumb? off like a prize poodle so you can feel Thanks so much, modern-day good about recruiting a female. This is “feminism”, for putting very a recipe for failure. unfeminist ideas in my son’s head. Young women don’t magically There’s another place in my life, become technologists at 22. Neither besides my home, where the idea of do young men. Hackers are born technology being a “guy thing” is in childhood, because that’s when totally absent: my hometown. I still the addiction to solving the puzzle visit Sandridge School from time to or building something kicks in to time, most recently when my old those who’ve experienced that math teacher invited me in to talk “victory!” moment like I had when TO STUDENTS ABOUT 34%- CAREERS )M I imposed my will on a couple fairly sure I’m the only programmer electronic primates. anyone in that town has met in

114 / FEBRUARY 2014 / WWW.LINUXJOURNAL.COM

LJ238-Feb2014.indd 114 1/21/14 7:53 PM EOF

person...so I’m something of the we mean he’s a programmer, system archetypal computer geek as far as administrator, electrical engineer they are concerned. If anything, some or something like that. The same folks assume that it’s a “girl thing”. used to be true when we called a Still, I don’t see the area producing woman a “technologist”. However, a bunch of female hackers. The according to the new breed, a poverty, urbanization and rising crime female technologist might also be aside, girls aren’t being raised to hack a graphic designer or someone who any more in my hometown than they tweets for a living. Now, I’m glad are anywhere else. When I talked to that there are social media people those fifth-grade math classes, the out there—it means I can ignore that boys told me about fixing broken end of things—but putting them video game systems or rooting their next to programmers makes being a phones. The girls didn’t do projects— “woman in tech” feel a lot like the they talked about fashion or seeking Programmer Special Olympics. popularity—not building things. It used to be that I was comfortable standing side by side with men, What’s Changed? and no one cared how I looked. I’ve never had a problem with old- Now I find myself having to waste school hackers. These guys treat me time talking about my gender rather like one of them, rather than “the than my technology...otherwise, woman in the group”, and many are there are lectures: old enough to remember when they worked on teams that were about one Q The “you didn’t have a woman third women, and no one thought on the panel” lecture. I’m on the that strange. Of course, the key word panel, but I’m told I don’t count here is “old” (sorry guys). Most of the because of the way I dress: t-shirt, programmers I like are closer to my jeans, boots, no make-up. father’s age than mine. The new breed of open-source Q The “you desexualize yourself to fit programmer isn’t like the old. They’ve in; you’re oppressed!” lecture. I’m changed the rules in ways that have told that deep in my female heart put a spotlight on my sex for the first I must really love make-up and time in my 18 years in this community. fashion. It’s not that I’m a geek who When we call a man a “technologist”, doesn’t much care how she looks.

WWW.LINUXJOURNAL.COM / FEBRUARY 2014 / 115

LJ238-Feb2014.indd 115 1/21/14 7:53 PM EOF

Q The “you aren’t representing told I should be loyal and spend my women; you’d be a better role time working on women’s groups model for girls if you looked the instead of technology. I’m not young part” lecture. Funny, the rest of or impressionable enough to listen the world seems very busy telling to the likes of the Ada Initiative girls to look fashionable (just (http://adainitiative.org) who’d pick up a magazine or walk down have me passive-aggressively the girls’ toy aisle). I don’t think redcarding (http://singlevoice.net/ someone as bad at fashion as I am redyellow-card-project) anyone should worry about it. who bothers me or feeling like every male is a threat, or that every social With one exception, I’ve heard conflict I have is because of my sex. these lectures only from women, Here’s a news flash for you: except and women who can’t code at that. for the polymaths in the group, Sometimes I want to shout “you’re hackers are generally kind of socially not a programmer, what are you inept. If someone of any gender does doing here?!” something that violates my boundaries, I’ve also come to realize that I have I assume it was a misunderstanding. an advantage that female newcomers I calmly and specifically explain don’t: I was here before the sexism what bothered me and how to avoid moral panic started. When a dozen crossing that boundary, making it a guys decide to drink and hack in point to let the person know that I am someone’s hotel room, I get invited. not upset with them, I just want to They’ve known me for years, so I’m make sure they’re aware so it doesn’t safe. New women, regardless of happen again. This is what adults do, competence, don’t get invited unless and it works. Adults don’t look for I’m along. That’s a sexual harassment ways to take offense, silently hand out accusation waiting to happen, and “creeper cards” or expect anyone to no one will risk having 12 men alone read their minds. I’m not a child, I’m with a single woman and booze. So an adult, and I act like one. the new ladies get left out. I’ve never been segregated into My Boobs Don’t Matter a “Women in X” group, away from I came to the Open Source world the real action in a project. I’ve got because I liked being part of a enough clout to say no when I’m community where my ideas, my skills

116 / FEBRUARY 2014 / WWW.LINUXJOURNAL.COM

LJ238-Feb2014.indd 116 1/21/14 7:53 PM and my experience mattered, not my boobs. That’s changed, and it’s Advertiser Index changed at the hands of the people Thank you as always for supporting our who say they want a community advertisers by buying their products! where ideas, skills and experience matter more than boobs. There aren’t very many girls who ADVERTISER URL PAGE # want to hack. I imagine this has a Drupalize.me http://www.drupalize.me 111 lot to do with the fact that girls are given fashion dolls and make-up EmperorLinux http://www.emperorlinux.com 29 and told to fantasize about dating Fluent Conference http://fluentconf.com 59 and popularity, while boys are given ,%'/S AND TOOL SETS AND TOLD TO DO LinuxFest Northwest http://linuxfestnorthwest.org 15

something. I imagine it has a lot to New Relic http://newrelic.com 2, 3 do with the sort of women who used SCALE https://www.socallinuxexpo.org/scale11x/ 37 to coo “but she could be so pretty if only she didn’t waste so much time Silicon Mechanics http://www.siliconmechanics.com 7

with computers”. I imagine it has a SPTechCon http://www.sptechcon.com 27 lot to do with how girls are sold on ephemera—popularity, beauty and fitting in—while boys are taught to revel in accomplishment. Give me a young person of any ATTENTION ADVERTISERS gender with a hacker mentality, and The Linux Journal brand’s following has I’ll make sure they get the support grown to a monthly readership nearly they need to become awesome. one million strong. Encompassing the magazine, Web site, newsletters and Meanwhile, buy your niece or much more, Linux Journal offers the daughter or neighbor girl some ideal content environment to help you ,%'/S AND TEACH HER TO SOLDER ) LOVE reach your marketing objectives. For more information, please visit seeing kids at LUG meetings and http://www.linuxjournal.com/advertising. hackerspaces—bring them! There can never be too many hackers. Do not punish the men simply for being here. “Male privilege” is a way to say “you are guilty because you

WWW.LINUXJOURNAL.COM / FEBRUARY 2014 / 117

LJ238-Feb2014.indd 117 1/21/14 7:53 PM EOF

don’t have boobs, feel ashamed, even me would pounce with a resounding if you did nothing wrong”, and I’ve “How dare you be mean to someone wasted too much of my time trying to we like!” Now, if a man behaves defend good guys from it. Yes, some badly, we’re bogged down with a people are jerks. Call them out as much more complex thought process: jerks, and don’t blame everyone with “Did this happen because she’s a the same anatomy for their behavior. woman?” “Am I white knighting if Lumping good guys in with bad I step in?” “Am I a misogynist if I doesn’t help anyone, it just makes don’t?” “What does this say about good guys afraid to interact with women in technology?” “Do I really women because they feel like they want to be part of another gender can’t win. I’m tired of expending politics mess?” It was so much simpler time and energy to protect good when we didn’t analyze so much, and men from this drama. just trounced on mean people for Do not punish hackers for non- being mean.Q hackers’ shortcomings. It is not my fault some people don’t read man pages, Susan Sons’ passion for education has driven her open-source nor is it my job to hold their hand step- efforts with Debian Edu, Edubuntu and her own initiative Frog by-step so they don’t have to. It is not and Owl, which helps technologists connect with educators to my place to drag grown women in build more useful educational tools. She co-authored the first chains to LUG meetings and attempt edition of The Edubuntu Handbook and The Definitive Guide to to brainwash them to make you more Drupal 7. Susan has served as a staff member for the Freenode comfortable with the gender ratio, and network and founding president of Drupal Group Indianapolis. doing so wouldn’t work anyway. She designed and implemented a program to help preteens and Most of all, I’m disappointed. I had teens from under-resourced rural communities learn computer a haven, a place where no one cared science through experimentation and open-source contribution. what I looked like, what my body was When not coding or writing, Susan can be found studying Shorei like or about any ephemera—they Goju-Ryu Karate, backpacking and geocaching with her son, cared about what I could do—and and volunteering with abuse victims and at-risk populations. this culture shift has robbed me of my She is also an amateur radio operator. haven. At least I had that haven. The girls who follow me missed out on it. I remember in those early days, in Send comments or feedback via my haven, if someone was rude or http://www.linuxjournal.com/contact tried to bully me, the people around or to [email protected].

118 / FEBRUARY 2014 / WWW.LINUXJOURNAL.COM

LJ238-Feb2014.indd 118 1/21/14 7:53 PM