Red Hat Enterprise Linux 4 customization

and Scientific Linux 4 customization

Author: L.S.Lowe. File: rhel4custom. This update: 20091111. Part of Guide to the Local System.

This file is intended to be a list of customizations I applied to a Red Hat Enterprise Linux 4 system (RHEL4) and/or a Scientific Linux 4 system (SL4). They should also be appropriate for CentOS and White Box Enterprise Linux. This might have relevance for Fedora installations too. The new or revised customizations are marked +. This file started life based on my RedHat Linux 9 customization page, followed by my RedHat Enterprise Linux 3 customization page, and some left-overs from that may still be present. For my local Linux desktops, it's superseded by my Fedora 12 customization page.

These are the customisations that we apply to our systems after doing a kickstart install, and as needed after that. The files are distributed using rdist. Some files are system configurations which are installed in place: there may be an associated rdist action to restart a corresponding system service. Other files are simply action scripts in the sense that rdist runs them after transferring or updating them: these are mostly installed in /root/conf.

SL4x differences

See this document on Scientific Linux 4x differences.

+ comps package in SL4.8

In SL4.8, both architectures, if you install Everything, then a missing package prevents a successful install. This is because file SL/base/pkgorder lists package comps-48-0.20090709 whereas in directory SL/RPMS it is a later version: comps-48-0.20090728 (i386) or comps-48-0.20090729 (x86_64). Solution 1: use %packages --ignoremissing in the kickstart file. Solution 2: exclude package comps in the kickstart file, and also exclude the following which require it: apt apt-autoupdate apt-devel apt-firstboot apt-scripts apt-sourceslist. In either case, install them later (maybe in %post script) if you want them.

+ /bin/ksh

In SL4 there are two potential versions of the ksh shell: ksh93 and pdksh; in fact if you install Everything, then both RPMs will be on the system, though of course only one binary will be at /bin/ksh! (RHEL4 has just the familiar pdksh). With the ksh93 package then there was (in SL3, and maybe still is in SL4) a potential problem for users who have /bin/ksh as their login shell. That version doesn't appear to work properly, for me, when used in the X login sequence:
   /etc/X11/xdm/Xsession -> /etc/X11/xinit/Xclients -> exec -l $SHELL -c ssh-agent ....
It's at that point that the user's profile should be executed, but it doesn't happen. So instead, use pdksh, which does work, and suppress ksh93.

+ /etc/sysconfig/prelink

Prelinking appears to be on by default, in SL4 anyway, which causes problems with my change distribution system, because prelinking makes binary files different on the different machines. Also it affects binary verification for security purposes. So for me, I've turned it off for the moment, and maybe will re-introduce it in the future with a customised /etc/prelink.conf, to get some performance gain. Turn it off by setting PRELINKING to no in the /etc/sysconfig/prelink file. This is best done as part of installation %post processing, before the cron.daily prelink script gets to run for the first time! Alternatively, if that change is done later, then the prelinking is undone on the next prelink cron job, which takes about a minute real time. However, un-prelinking does not seem to be successful for all binaries (eg mozilla/firefox).

+ kernel module ipw3945

The kernel module version supplied with SL44 for this in the original distro didn't work when setting a WEP key and gave the following error message:
         eth1: could not initialize WEP: load module ieee80211_crypt_wep
         Error for wireless request "Set Encode" (8B2A) :
         SET failed on device eth1 ; Operation not supported.

There was a version which worked, tucked away in a non-default directory. However, since kernel-2.6.9-42.0.8, available 2007/02/01, the provided package with name starting kernel-module-ipw3945 works.

A further problem with ipw3945 networking in this distribution is the reliance on an install line in /etc/modprobe.conf to start the /sbin/ipw3945d daemon. Although this works if a modprobe ipw3945 is done after boot, it doesn't work at boot time: investigation shows that /sbin/ipw3945d issues the following message (quietly!) and exits with code 3:

         ERROR: Unable to create pid file '/var/run/' 
At the point in /etc/rc.d/rc.sysinit where networking modules are loaded, the root file system is read-only and other local file systems (if any) have not been mounted, so the pid file cannot be created. A solution to this is to move the starting of /sbin/ipw3945d to the end of /etc/rc.d/rc.sysinit (or later): the following addition at the end of that script works:
         echo $network | grep -q ipw3945 && /sbin/ipw3945d --quiet

Another problem for me when using WEP encryption, with the ESSID and KEY properly set up in the ifcfg-eth1 file, was that the driver usually failed to kick the ipw3945 wireless interface into action in the start-up sequence for network interfaces. I guess this is a bug in the ipw3945d code or the firmware. This problem was circumvented by arranging to restart the ipw3945d daemon soon after the iwconfig key and essid have been set, and before the dhclient tries to get the IP address. So the following line was added at the end of script /etc/sysconfig/network-scripts/ifup-wireless:

         ipw3945d --isrunning && ipw3945d --kill && nice -n -10 ipw3945d --quiet
With a sufficiently recent version of ipw3945d, in both cases a suitable --timeout option can be added. These changes are intended to be tolerant of other wireless cards (or no wireless card!).

* /etc/X11/Xresources

This update overcomes a problem with sub-pixel rendering of fonts on TFT flat-panel monitors (also known as subpixel font anti-aliasing) when using the KDE interface. In RedHat 9, fonts have nice anti-alias effects using grey pixels around font characters. In RHEL4 and SL4, by default, KDE gives fonts which are anti-aliased using sub-pixel colors. For me, this results in colour fringing round the font characters, which may well not be intended, and which is a bit unpleasant, in my view. This doesn't happen for Gnome. The KDE Control Center Font settings for sub-pixel hinting have no effect. Various ideas off the web of setting rgba:none in /etc/fonts/local.conf also didn't work for me. A comparison of xrdb -q output under KDE and under Gnome shows that Gnome sets a resource Xft.rgba: none if sub-pixel rendering is off, and KDE doesn't. A circumvention then is to add the line Xft.rgba: none to /etc/X11/Xresources, so that it is set for KDE as well as for Gnome.

* /usr/share/apps/kdesktop/DesktopLinks

This directory contains prototype desktop icons for a new KDE user. Add a file USBdisk in the desktop format, which will then appear (along with the other desktop files in this directory) in a new user's Desktop folder. Remove the file starthere.desktop which we don't use. Modify file CD by changing Name=CD/DVD-ROM to something without a slash, so that this file gets copied for a new user - otherwise it's omitted!

* /usr/share/fonts/MSfonts

This directory contains TrueType fonts originally from Microsoft, such as Arial, Comic Sans MS and Verdana. These are/were freely available from Microsoft, which is how I got mine, from their Typography site.

Having created the /usr/share/fonts/MSfonts directory and put the .ttf files there, I ran (in that current directory):

   ttmkfdir > fonts.scale; mkfontdir; fc-cache

Simply adding this directory was sufficient for some applications like Mozilla to find these fonts. For others, I needed to chkfontpath -a /usr/share/fonts/MSfonts which updates the /etc/X11/xfs/config file as well as telling the font server.

Microsoft TrueType fonts are also available as RPMs, which do all the postinstall actions required too, from this site. The ttf files in these RPMs contain more international encodings than mine (and so are quite a bit fatter).

* /etc/yum.conf

Updated to choose which mirrors we use for updating the system with yum. The yum update to the latest RPMs first takes place as a %post-install operation when our desktop PCs and worker nodes are initially loaded.


Customised to include local machines to reduce impact of DNS failure.


Customised to ALL: ALL.


Customised to restrict who can use the crontab command (empty file means nobody).


Provided as an effective alias for ls -l under any shell.


Configures /etc/pine.conf for local conventions. By providing this as a script, we avoid having to re-write every time pine is upgraded.


Loads the openafs RPM if necessary. Already present for SL3.


Configures AFS cell and cache.


Removes /usr/local directories from search PATH in /etc/anacrontab. Don't know why they're there; cron doesn't have them so why should anacron?


Deactivates cron actions in /etc/cron.d/ and /var/spool/cron/ for packages we don't use yet.


Configures local services on or off using /sbin/chkconfig.


Configures hostname in /etc/sysconfig/network to have a consistent case and format across machines.


Changes the order of preference in /etc/X11/fs/config to choose 100dpi fonts before 75dpi ones.

* /etc/sysconfig/desktop

Set the default desktop and display-manager to KDE.


Chooses correct iptables setup for the target host.


The normal configuration for /etc/sysconfig/iptables on our desktops.


Merges local groups into /etc/group.


Merges local users into /etc/passwd.


Static routes for our desktops (if any).


Merges local /etc/fstab.{nfs,usb}* files into /etc/fstab.


NFS entries to be merged into /etc/fstab


USB entries to be merged into /etc/fstab, like /mnt/usbdisk.


Local daily tasks.


Customised so I'm not inundated by emails from logwatch on every desktop PC each morning: just the important bits.


See above. A particular irritation is when logwatch sends information about the sendmail log entries corresponding to the email it sent me about the sendmail log entries yesterday! Removing this file or modifying what it looks for will fix this problem.


Local startup tasks.


Tweak this system script to add the fork option to the mount:
 mount -a -t nfs -F 
Without this, if more than one file-server is not working at boot time, then the mount(s) for each failed file-server cause a wait of 7 minutes 18 seconds (or thereabouts), so four would make about half-an-hour - irritatingly long! Note that it's for each file-server and not for each file-system. With the -F option, the mounts for different file-servers are done in parallel, so these long wait times do not accumulate.


See /sbin/dhclient-script.


Customized initial home directory files for new users.


Customized log rotation to keep logs by month and for longer.


Customised /etc/mailcap calls /usr/local/bin/pdfviewer rather than /usr/bin/xpdf for PDF files, allowing a user environment variable to choose between xpdf and acroread. Also customised for OpenOffice equivalents to ms-word, ms-excel and ms-powerpoint.

/etc/mailcap is used by the pine mail client by default. It's also used by mozilla and SeaMonkey, and by Firefox from 2.0 onwards (though not for example by Firefox 1.5, as noted below). For these browsers, the variable which defines this file's location can be found in an about:config listing.


A worthy addition to /etc/profile or /etc/profile.d/something is a check to see if the $HOME file system is full, or if a hard quota limit has been exceeded. A maxed-out $HOME can lead to several insidious errors without necessarily showing any relevant error message. For example, when logging on to a server with a full $HOME file system, ssh X11 forwarding can't be properly set up because $HOME/.Xauthority cannot be updated, and when you later start an X application, you get the message:
   X11 connection rejected because of wrong authentication.
   X connection to localhost:10.0 broken (explicit kill or server shutdown).

If you successfully logon, despite running out of $HOME disk space or quota, but then use an ssh command to somewhere else, you're likely to get the following message from the ssh client command:

  Warning: No xauth data; using fake authentication data for X11 forwarding.
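
One way to write such a check, as an added example (not the author's own script). The file name /etc/profile.d/homecheck.sh, the function names and the 98% warning threshold are assumptions. It writes real bytes to a probe file rather than just creating one, because on a full file system or at a hard block quota an empty file can often still be created.

```shell
# Added example: candidate /etc/profile.d/homecheck.sh (hypothetical name).

# home_write_check DIR
# Return 0 if a small file can be created and written in DIR, 1 otherwise.
home_write_check() {
    [ -d "$1" ] || return 1
    # mktemp gives an unpredictable name and fails if no file can be created
    _probe=$(mktemp "$1/.homecheck.XXXXXX" 2>/dev/null) || return 1
    # Write some bytes and confirm they landed: this is the step that
    # fails with "No space left" or "Disk quota exceeded"
    if { printf 'probe\n' > "$_probe"; } 2>/dev/null && [ -s "$_probe" ]; then
        rm -f "$_probe"
        return 0
    fi
    rm -f "$_probe"
    return 1
}

# home_pct_used DIR
# Print the percentage used (digits only) of the file system holding DIR,
# taken from the Capacity column of POSIX-format df output.
home_pct_used() {
    df -P "$1" 2>/dev/null | awk 'NR == 2 { sub(/%/, "", $5); print $5 }'
}

# home_check [DIR [LIMIT]]
# Return 0 if all is well, 1 if DIR cannot be written to, 2 if the file
# system is at or above LIMIT percent used. Warnings go to stderr.
home_check() {
    _home=${1:-$HOME}
    _limit=${2:-98}          # assumed warning threshold, in percent
    if ! home_write_check "$_home"; then
        echo "WARNING: cannot write to $_home (file system full or quota exceeded?)" >&2
        echo "WARNING: ssh X11 forwarding will fail until some space is freed." >&2
        return 1
    fi
    _pct=$(home_pct_used "$_home")
    case $_pct in
        '' | *[!0-9]*) return 0 ;;   # df gave nothing usable: stay quiet
    esac
    if [ "$_pct" -ge "$_limit" ]; then
        echo "WARNING: file system holding $_home is ${_pct}% full." >&2
        return 2
    fi
    return 0
}

# Only interactive shells get the warning, so scp and rsync sessions,
# which must not see unexpected output, are left alone.
case $- in
    *i*) home_check || : ;;
esac
```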


Customized system logging.

+ /etc/updatedb.conf

Updated to say DAILY_UPDATE=yes. Customise which files are included in the default locate/slocate database. For machines which are solely file-servers, add their mount point to PRUNEPATHS so that exported file areas are not included, as users can't see this database anyway. Note that even though this conf file is sourced by the /etc/cron.daily/slocate.cron script, updatedb appears to read it directly as well.

To give users similar info for those exported NFS disks, our file-servers do a twice-weekly updatedb scan of each exported disk, and write the resulting database to a special info directory on that exported disk. Then we have a mylocate script for users, which accesses that database to report on just that user's files. I guess if performance was an issue, one could create an individual slocate database for each user.


Change the font size and heading text on the kdm login panel.

Also comment-out the section headed [Desktop0], because changes in this section here do not work anyway, and the section name gives rise to the syslog error message:

   kdm_config[nnnn]: Unrecognized section name [Desktop0] at /usr/share/config/kdm/kdmrc:42
Instead, put any welcome-screen background changes in the file /etc/kde/kdm/backgroundrc. Note that kdm runs because I have configured DISPLAYMANAGER in /etc/sysconfig/desktop.


For hosts that I want to provide a local X-terminal XDMCP listener service, this configures file /etc/X11/xdm/kdmrc to set Enable=true. Note that kdm runs because I have configured DISPLAYMANAGER in /etc/sysconfig/desktop.


Configured to limit access to XDMCP service to local X-terminals (access also limited by iptables).


This script (amongst other things) creates a new /etc/resolv.conf file when new information is received from the DHCP client daemon. For me, I have customised it to add an extra line to /etc/resolv.conf:
         options timeout:1 rotate 
which sets a query time-out of 1 second (default RES_TIMEOUT is 5 seconds, which is longer than the attention span of some users) and rotates queries amongst the DNS nameservers.


The Postscript-to-PDF utilities (like ps2pdf) all use this ps2pdfwr script. The default in Ghostscript is US-letter size paper. By default, even with an A4 Postscript file, a PDF file created by those utilities crops the top of each A4 page. This can be corrected by the user by specifying the papersize in the environment variable GS_OPTIONS.

But locally I have added export GS_OPTIONS=${GS_OPTIONS:--sPAPERSIZE=a4} near the top of this script, to save the ordinary user some hassle. This way it's easy enough for the expert user to override, on the odd occasions that A4 is not required.

+ /usr/lib/sasl2/

If the libraries in the cyrus-sasl-sql package are present, then we get two warnings in the system log messages every time a mail is sent, saying:
         sendmail[nnnnn]: sql_select option missing
         sendmail[nnnnn]: auxpropfunc error no mechanism available
The first message is from /usr/lib/sasl2/ and the second from /usr/lib/. Both messages were suppressed by removing the cyrus-sasl-sql package, which contains the first of these libraries, and which we weren't using anyway.


Symbolic link to the macromedia flash plug-in, triggers installation of the flash package for mozilla (download links here).


Customised mozilla by adding a file of pref calls for local printers and a print.printer_list. Also see /opt/Mozilla and /opt/Firefox below.

* /usr/share/applications/redhat-web.desktop

This file defines the desktop action when the web browser front panel icon is clicked on. Even though it is part of the htmlview package (which provides the user with a configurable way of invoking their favourite browser), it is actually a symbolic link to an action that always invokes mozilla! My replacement for the above desktop file instead invokes htmlview. Then the user can configure which browser by setting up a file $HOME/.htmlviewrc: for example, to invoke firefox instead of mozilla, it could contain:

htmlview is also invoked (for example) by mail clients like pine on displaying an html file, because htmlview is defined in /etc/mailcap. So the user gets a consistent browser.

* /usr/share/applnk-local

Directory containing our local KDE applications directories, which are linked in to /var/lib/menu/kde/Applications.


Extra local icons.


Added to configure the artsd sound server: for example to turn off artsd completely by preventing it starting at KDE logon, or to have a shorter suspend idle time. The options can also be configured on a user-by-user basis by using KDE Control Center -> Sound & Multimedia -> Sound System -> ARTs, and the kcmartsrc file so created in $HOME/.kde/share/config could be used as the model for the system-wide file.


Customized to use energy saving DPMS modes on monitors by default. Customized so as not to exportKDEColors by default. The original default gives rise to X11 resources being set up, which appear in a xrdb -query, for applications like nedit and xwp/wordperfect which the user might never use, and sneakily also sets kprinter as the default printer setting for acroread and gv. The user can set the original default back if s/he wishes using KDE Control Centre -> Appearance & Themes -> Colors/Colours -> Apply colors to non-KDE applications. The resource files are in /usr/share/apps/kdisplay/app-defaults.

+ /usr/share/config/kdesktoprc

Customised so that the default Wallpaper during the login session start is as required.

By default, new users get automatic desktop icons for the CD-DVD device, which don't correspond to desktop files in $HOME/Desktop. This appears to be a change of default from previous RHEL versions. We don't for the moment need this automatic icon just for the DVD device, because this and other devices are already defined in our locally-provided desktop files, so it would be confusing. So in the [Devices] section of this file, set enabled=false. On a user-by-user basis, this facility can be controlled in KDE Control Center Desktop -> Behaviour -> Device Icons.

This file also controls whether user desktop icons get file-content icon previews: add section [Desktop Icon] and add Preview=true to override the default (no preview).

+ /usr/share/config/kdeglobals

Customized so that by default a single-click is required to start an application from an icon rather than a double-click. I'm not in favour of this retro double-click!
Also change default Widget style.

Change the shortcut key combination for ending a KDE session from Alt-Ctrl-Delete to Alt-Ctrl-End: Ctrl-Alt-Del is used by MS Windows client viewers to terminal servers, and users don't want to have to learn new shortcuts just for when they're viewing from Linux.

[Global Shortcuts]

The file manager konqueror does not generate preview icons by default now (unlike in RHEL3), but may still read files to see if they contain thumbnails. But many users might like to retain a meaningful last access time for files, instead of the last access time being the last time the user used konqueror! So turn konqueror previews and thumbnails off by default, by adding:


+ /usr/share/config/kdeprintrc

It is no longer necessary to change the default Printsystem to CUPS: it seems to be the default (unlike in earlier releases).


Customize our local kicker Panel: demote those OpenOffice applications back to the start menu where they belong. Also in section Buttons, set enableIconZoom=true so that buttons on the kicker panel zoom larger when the mouse hovers over them.

+ /usr/share/config/konsolerc

Remove the Menubar and Toolbar by default from konsole (too confusing for users).

+ /usr/share/config/klaunchrc

When you start an application from the panel, by default the mouse cursor changes to a blinking image associated with the application started. If the application is a screen grabber then sometimes in the past the grabbed image was somehow corrupted by this blinking cursor. More to the point, it can be irritating! To turn the facility off, in the [FeedbackStyle] section of the above file, add BusyCursor=false, and add a [BusyCursorSettings] section, with Blinking=false and Bouncing=false.

+ /usr/share/config/kpartsaverrc

Add customised files for this screensaver to show some pictures rather than "The screen saver is not configured yet", particularly when the screensaver was chosen randomly. It used to be necessary to supply a kslideshowrc as well, but this now has working default images.


Change the default PluginLib to kwin_keramik, and window MoveMode and ResizeMode to Transparent rather than Opaque, by default.

+ /usr/bin/startkde

Customised to add xmessage commands for errors like Not enough free disk space on /tmp, rather than just dropping the user back to the login screen without visible comment.


This renames files in /usr/share/apps/kscreensaver/ScreenSavers/ like KSolarWinds.desktop and KFountain.desktop to a non-desktop suffix, so that they aren't chosen by the random screensaver choice, and don't appear in the screensaver chooser panel. Some screensavers like SolarWinds are just too busy, particularly for multi-user hosts!

* /root/conf/xfreerc

This chooses between several /etc/X11/XF86Config.versions according to the target, depending on the graphics card and whether the PC has a wheel-mouse, to set up the X server, and sets the default runlevel in /etc/inittab to 5.

It may be necessary to configure /etc/X11/XF86Config a bit by hand if the particular keyboard is not our standard layout or language: our default is Option "XkbLayout" "gb", and also /etc/sysconfig/keyboard contains KEYTABLE="uk" for text-mode sessions.


* /etc/rc.d/init.d/sendmail

A tiny modification of the sendmail start/stop script, so that it doesn't start or kill the sendmail port 25 listener if DAEMON=no: there's no reason to run that daemon if nothing arrives in the /var/spool/mqueue queue, as in our configuration: see below.

* /etc/sysconfig/sendmail

Configuration file which sets DAEMON=no and SMQUEUE to 5 minutes (this is the queue retry time for the submit sendmail daemon): see below.

* /etc/mail/

A customized version of the sendmail local submit configuration, so that it has FEATURE(`msp', `[my.mail.relay]') instead of []. It is unnecessary to configure /etc/mail/ see below.

By default in RHEL, SL, and RedHat 9, outgoing email takes an unnecessary extra hop, and there are two sendmail daemons. A mail client (such as pine) invokes /usr/sbin/sendmail which runs under user:group smmsp:smmsp (using configuration to send email to localhost port 25. A sendmail daemon (running under smmsp:smmsp and using configuration runs to retry any mail sitting in the /var/spool/clientmqueue directory that failed to get through to this local port first time. Another sendmail daemon (which uses configuration is configured to listen on localhost port 25 and do the real work of mail relaying: forwarding email to the local mail hub or to the big wide world, first enqueuing it in /var/spool/mqueue. Only if this host is a mailhub would it be configured to listen on to receive email from the big wide world.

For our desktop clients, having a sendmail daemon listening to localhost port 25 and running in root mode is unnecessary and is potentially a security issue if a bug is found in sendmail. So the configuration file (see above) is set up so that the email is forwarded to the local mailhub in one hop. This has the side advantage that mailq -Ac will actually show if mail is for some reason still on the local desktop - not possible for the ordinary user if the mail has disappeared and gone into the port 25 listener. We just then have the one sendmail daemon (non-root, using the configuration to retry emails in /var/spool/clientmqueue which failed first time to the local mailhub.

+ /etc/cups/client.conf

This is customised to define ServerName as the name of our local CUPS server which handles the printer queues. This removes the requirement for us to define all our network printers on every desktop, or to run the cupsd daemon on every desktop either: cups can be left chkconfig'd off.

The cups client commands, like lpr, then communicate with just one server directly.

+ /etc/xinetd.d/cups-lpd

This file is customised on one server only, for our group. We are using the lpd protocol from our few Windows desktops and from laptop Windows systems because it behaves better than ipp. So we need to have xinetd and cups-lpd chkconfig'd on, and /etc/hosts.allow configured to allow cups-lpd for our local subnet, on one of our servers.

The default for cups-lpd is not to produce a banner-page. In order to turn a banner-page on, the /etc/xinetd.d/cups-lpd file needs the following addition:

         server_args = -o job-sheets=standard,none
We substitute our local banner page for standard. This feature now works in RHEL4/SL4: it didn't work in RHEL3/SL3.

* /usr/local

Distributed files for our local desktops.

* /usr/local/bin/acroread

This wrapper script was created to fix several problems with Adobe Acrobat Reader (acroread) at version 5. It is not really necessary for Adobe Acrobat Reader 7 (or later, hopefully). First it unsets the LANG variable to allow acroread 5 to work, avoiding Warning: charset UTF-8 not supported message and abort. Also, mozilla invokes acroread (or our pdfviewer script) without a current directory (this is still true at the time of writing), which causes the acroread version 5 binary to fail, so the acroread wrapper script does a cd "$PWD" which fixes the problem if invoked by mozilla, and is harmless otherwise. Also we have a feature to put debugging into effect (option -DEBUG acrodebug) if the file /tmp/acro.debug exists.

* /opt/Adobe/Acrobat7.0

Acrobat Reader 7 (acroread) installation, and version 5 in a similar directory. These are as downloaded from Adobe.

Version 7 at my current release (7.0.1) has a PostScript printing bug, whereby some PDF files, which display perfectly correctly on the screen, produce print output which is garbled and where characters are replaced by substitute garbage characters like "h" or "x". You would have thought that Adobe could get PostScript right!! This error occurs on any of my printers, and when printing to a disk file, and when using acroread in its -toPostScript non-GUI mode. Analysing the PostScript output with the gs command shows lots of undefined characters - "Substituting .notdef for A", for example - but this is not a ghostscript problem because the gibberish also occurs when printed on any genuine PostScript printer in a direct way which never goes near ghostscript or CUPS or any other such system.

Although some advice on the web is to re-set the LANG or other associated variables, as noted above for the display-time problem with Acrobat Reader 5, this did not work for me with Acrobat Reader 7 when printing.

The circumvention for this, I have found, is to tick the Save Printer Memory tick-box at the bottom of the Print dialogue window. Then the print-out is perfect. For non-GUI invocation with -toPostScript option, add the -saveVM option. Presumably this then causes acroread in its PostScript output to specify font characters in a different way which is not subject to the bug.

The other circumvention is of course to use xpdf.

A further bug with acroread 7 seems to occur when the -toPostScript option is used without further arguments, that is, when used as a filter with output to standard output. The last portion of the PostScript output (a few thousand bytes) was missing: the output size was an exact multiple of 8 kbytes, presumably because of a failure to flush. This does not happen when output is to a disk file.

With the older version Acrobat Reader 5, to avoid an error with some PDFs (message says An error has occurred that may be fixed by installing the latest version of the Korean Language Support package) I installed the Adobe Korean font package.

* /opt/Mozilla-1.x.x/defaults/pref/bham.js

This added file contains additional pref() calls to add more printer command definitions. It also sets the default paper size to A4:
         pref("print.postscript.paper_size", "A4");

* /opt/Mozilla-1.x.x/plugins

This directory has some added symbolic links to Mozilla-compatible plugins for Flash, Java, and RealPlayer. Depends on versions installed: as of March 2005 these links are/were:
  -> /usr/lib/flash-plugin/
  -> /usr/java/jre1.5.0_01/plugin/i386/ns7/
  -> /usr/lib/mozilla/plugins/
  -> /opt/RealPlayer-10/mozilla/
  nphelix.xpt -> /opt/RealPlayer-10/mozilla/nphelix.xpt

These all work well. It's said, though, that after a browser upgrade, it's possible that a Java page can crash the browser. This doesn't happen for a fresh user, so maybe it would be sufficient to remove the user's pluginreg.dat and/or plugins directory contents. It's also possible to crash the browser on a Java page if the user has set up a spoofed useragent string: this caught me out recently, but it's a known problem in Java initialisation.

+ /opt/Firefox-2.x.x.x

Firefox 2 was installed, initially at version, because Firefox 2 supports settings located in /etc/mailcap, the normal system location for relating mime-types to actual applications. This facility, present in mozilla and later Seamonkey, seemed to have disappeared in Firefox 1.5, as supplied in RHEL4, and FF ignored the file completely: it never seemed to get read, despite being listed in about:config under variable name helpers.global_mailcap_file as that name's default value.

+ /opt/Firefox-3.x

Firefox 3 was installed using the standard tar.bz2 file from Out of the box, this gives the following error message when started:
    error while loading shared libraries: 
    cannot open shared object file: No such file or directory
SL4/RHEL4 does have a pangocairo library, but it's not in the standard location. But it's there as part of the frysk package. So the following addition makes it work:
    export LD_LIBRARY_PATH=/usr/lib/frysk

* /opt/RealPlayer-10

The RealPlayer10 package was downloaded from the Real website. The older RealPlayer8 package, plus RV9 codecs, was previously downloaded via this Netscape/Mozilla plugins web page.

Note it is necessary with KDE to ensure the artsd daemon is disabled or suspended (artsshell suspend) while realplayer is running. Although artsd starts with autosuspend 60 by default, that doesn't mean that it's in the suspend state when you want it to be! (Arts can be configured or turned off in a kcmartsrc file or using Control Center: see above). Alternatively could use the artsdsp command to start realplay - haven't tried that yet myself.

* /usr/lib/ICAClient

Triggers installation of the ICAClient rpm, for our Citrix server.

A customisation I have had to apply in our script which invokes the ICA client is to disable the artsd daemon or suspend it (artsshell suspend) while the ICA client is running (see realplayer comments above). This appears to be necessary even if sound is disabled in the user's ICA client configuration. Otherwise a terminal server session can hang just after the point where the user has logged in but before any desktop icons appear: an strace shows that opening /dev/dsp was the last operation.

* /usr/bin/opera

* /usr/java

packages downloaded from Sun here.

* /usr/bin/gmplayer

packages downloaded starting from the mplayerhq home page.

Also mplayer plugin package (to help with streaming) obtained from this sourceforge site or earlier versions here.

* /usr/bin/X11/xv

* /usr/bin/qdel

The above files trigger installation of the corresponding package RPM(s).

Now some bugs

NFS file status not always updated

In my setup I use NFS version 3 over TCP to some file-servers from my user desktop clients and from general-servers. We've noticed that, if one of the NFS clients is creating a large file, and this file is observed from another NFS client, then the stat information on the observer is not updated: the file-size remains at zero or some reduced value. Also, if the original client changes the mode bits, then these don't get updated on the observing client.

This should all be controlled by the NFS caching parameters (for example, acregmax) but in SL4 these don't seem to be obeyed. The status can, however, be forced to update by accessing the file, eg cksum filename.

If the observing client is on SL3, then the status is updated regularly, obeying the NFS caching parameters, as it should.

This is a little mystery that remains to be explained.

locate/slocate/mlocate issues

I've set things up so that my file servers create their own locate databases, and then that information is made use of in my own mylocate command. But I now have some file servers which run RHEL5/SL5. I've hit the issue that in RHEL5/SL5 the utility used to create locate databases is now part of the mlocate rather than the slocate package, and the format of the database has changed.

This means that those databases cannot be used from my SL4 desktops.

RAID issues

See this separate document.

Sound issues and ALSA versions

The version of ALSA audio support in RHEL4 is quite old now, version 1.0.6 in RHEL4 compared with 1.0.16 at the time of writing on the ALSA web site. For me, there was an issue with support for the front microphone socket for recent PCs with chip RealTek ALC850 / card Nvidia CK804. So I got a near-latest version of the alsa-lib, alsa-utils, and alsa-kmdl packages from These worked without a hitch, integrating with the existing /etc/modprobe.conf without change. The front microphone socket could then be unmuted using amixer or alsamixer, without problems.

Time-zone GMT incorrect for epoch second conversions

(This issue is fixed in RHEL 5). The timezone GMT is configured incorrectly for dates 1968-10-27 to 1971-10-31. In this period, the date command handles GMT times as if they are UTC+1, which is incorrect: GMT is and always was UTC. Although the UK trialled all-year daylight-saving time UTC+1 in that period, that was called British Standard Time, not GMT. This still matters because when converting present-day epoch-offset seconds (such as in job manager log files) into comprehensible dates, for example:
epochsec=$(date +%s); date -d "1970-01-01 00:00:00 UTC $epochsec seconds" 
then you get the wrong result by an hour if you replace the UTC with GMT. This bug is fixed in RHEL 5.

Now some hardware issues that had to be sorted out:

BIOS settings: legacy USB support

The following applies to RHEL3/SL3 systems. We have not tested it on RHEL4/SL4 yet.

On our Intel blade servers we had occasional problems when rebooting: the boot stalls, and can be stuck forever, soon after the message Hugetlbfs mounted, or the repeated message: pc_keyb: controller jammed (0x1D). For us, this occasional problem can be prevented completely by disabling legacy USB support in the BIOS, though other people suggest an alternative of adding a kernel parameter of usb-handoff. Another (probably related) problem is that keyboard input is sometimes blocked after removing and then re-inserting a PS/2 keyboard lead, which for my blades is connected to a Belkin KVM switch, which then is unable to switch to another blade (even by selector button)! Disabling USB legacy support also seems to stop that problem.

Birmingham Particle Physics Group