The day of the mold-your-own OS has come, and Linux is the clay. Linux provides free and open access to the source for the OS itself. Developers are free to tailor a custom Linux — even down to the level of the kernel itself. You can trim away drivers, services, and other OS components unneeded by the task for which the custom distribution will be targeted.
In addition, because Linux thrives on a universe of free software, developers can be choosy about the pre-installed packages they supply with their custom system. One can easily construct a user environment tuned to a specific application.
The specialized Linuxes in this roundup showcase the advantages of customizing both OS components and user-level software. I look at a pair of firewall Linuxes, IPCop and m0n0wall; a Linux SAN/NAS appliance, OpenFiler; two Linuxes for musicians, Ubuntu Studio and Musix; and a final duo of distributions, Ubuntu Christian Edition and Ubuntu Muslim Edition, targeted at members of those corresponding religions.
IPCop
The firewall system IPCop is a fork of SmoothWall Linux (now called SmoothWall Express), which, in turn, is based on Red Hat Linux. The most recent releases of IPCop, however, have been created via LFS (Linux From Scratch).
On a typical Linux system, your interaction with the OS is either through an X-Windows based graphical desktop or a text-based shell. Not so with IPCop. Once started, it launches a Web server, which IPCop uses to host a management GUI. The first time you boot IPCop and enter the management GUI, you must configure the topological details of the intranet that IPCop will protect.
IPCop partitions your network into three color-coded zones. The Green zone is the most secure: IPCop insulates devices on the Green zone from all other zones. Green zone devices must be connected to the IPCop server via hardwired network connections. The next outward ring of protection is the Blue zone, which consists of wireless network devices. Blue zone devices are also insulated by IPCop's firewall system, but because this zone admits wireless access, it is necessarily less secure than the direct-wired Green zone. The outermost security ring is the Orange zone, which is that part of the local network exposed to the wider internet. The “outside world” is actually its own zone: Red. Naturally, Red zone traffic is completely uncontrolled by IPCop. Each zone attaches to the IPCop server through a dedicated Ethernet card. (A minimal IPCop system will have a Red zone and a Green zone.)
Web traffic can pass only from less secure to more secure zones through tightly controlled channels referred to as “pinholes.” Basically, a pinhole is a set of rules (configured in the management console) that determines which packets are permitted into zones of higher security. Typically, the rules allow packets to be delivered to specific ports on specific machines in the secure zone. The underlying packet-routing decision-making in IPCop is performed by the iptables Linux application.
IPCop has no specific hardware requirements other than that the host be i386 based. (An earlier release supported the Alpha processor.) Documentation even boasts that obsolete hardware is frequently used to host an IPCop system. The system comes with a number of services: intrusion detection via Snort, the IPSec VPN system, and Web caching via squid. Perhaps its strongest feature is its wide range of status and logging information. IPCop produces real-time scrolling graphs of CPU usage and memory usage, as well as traffic statistics on each of the colored networks. You can also view a table of all connections established on each network.
Setup time is less than a half hour (depending on the complexity of your network), and the online documentation is sufficient even for someone setting up a firewall for the first time.
m0n0wall
With m0n0wall Linux, the hardware platform of choice is an embedded x86 PC, so it's no stranger to small memory spaces and modest processor power. The system officially supports embedded PCs from Soekris Engineering and PC Engines. Nevertheless, m0n0wall can run on a stock x86 PC. Documentation indicates that m0n0wall will live happily on a 486 with only 64MB of RAM.
When m0n0wall boots, the host system's screen displays a rudimentary text-based menu good only for setting fundamental parameters such as network cards' IP addresses, the administration GUI's password, and so on.
m0n0wall assumes two networks, WAN and LAN, each on its own NIC. The WAN is the unprotected, outside world; the LAN is the protected, private network. As with IPCop, interaction with m0n0wall is via the administration Web user interface, webGUI, available at a pre-defined IP address on the LAN side. The webGUI is well arranged in a two-frame format: The left frame holds the navigation pane, while editing takes place in the right frame.
From the webGUI, you have complete control over the system. This includes operations such as creating VPN and PPTP tunnels (m0n0wall comes with a PPTP server); configuring the DHCP server; and defining firewall and traffic shaping rules
The last item is the most interesting. You define firewall rules through a fill-in-the-blanks-style Web page form. Select the action (Pass, Block, Reject), the associated network interface, and the protocol to which the rule applies. You then enter filtering restrictions. For example, you can specify that a particular rule block packets coming from a range of source IP addresses or bound for a range of destination IP addresses.
Defining rules for packet shaping is a little more involved and requires an understanding of entities m0n0wall refers to as “pipes” and “queues.” Basically, a pipe is a restriction on bandwidth. A queue lets you specify how “flows” — packets with a common characteristic, such as the same source IP address — share that bandwidth. The online documentation points to a short essay on the subject, which is worth reading before you try your hand at building shaping rules.
The creators of m0n0wall envisioned a straightforward firewall system and therefore deliberately kept the distribution small. Currently, m0n0wall can fit on a 16MB CompactFlash card. This means that some facilities have been omitted. For example, you won't find a proxy server, intrusion detection, an FTP server, a Web server, and so forth. On a m0n0wall-protected intranet, such services would run on separate hardware.
Nevertheless, m0n0wall's simplicity is its strength. It is easy to set up and maintain. Documentation boasts setup times of less than 15 minutes, which is about how long it took me.
OpenFiler
OpenFiler is a SAN/NAS appliance based on rPath Linux. According to its creator, OpenFiler actually began life atop Fedora Linux, moved to CentOS, and final settled on rPath, attracted by that Linux's impressive package-management environment. OpenFiler can operate at either the SAN or NAS level — or both simultaneously.
OpenFiler's feature set is impressive. It provides drivers for a wide array of peripheral busses: It can talk to disk drives on IDE, SAS, SATA, SCSI, or iSCSI interfaces. If you need RAID, OpenFiler is compatible with hardware from Adaptec, LSI Logic, Intel, and others. Further, it can handle file systems up to 60TB in size. Its supported Ethernet controllers include Fast, Gigabit, and 10 Gigabit controllers from Intel and Broadcom. In spite of these bounteous capabilities, its actual processor and memory requirements are modest. A standard x86 system with 256MB of RAM, 1GB of disk space for the OS image, and at least one Ethernet card is all you need to get going.
There's not much to see in the console when you boot an OpenFiler system. You can log in to the console or through SSH and execute Linux commands in case you need to modify boot scripts and configuration files. But as with m0n0wall and IPCop, management of OpenFiler is through the administration user GUI hosted on a built-in Web server. (If you need access to shell commands, the GUI provides a secure shell terminal via a Java applet.)
The tabbed administration GUI leads you to sections wherein you can configure several components. Among them are users and groups. This requires you to select either LDAP or Windows as the authentication system. If you don't have a Windows server available, OpenFiler comes with the open source OpenLDAP server.
You also have the ability to configure volumes. Here you identify the attached disk drives, select the file system type with which they will be formatted (XFS or ext3; future versions hope to provide ext4 and btrfs), define volume groups, and — finally — create actual volumes that users can access.
Additionally, you can configure quotas, which control user group consumption of disk resources; you can establish shares, which makes named file system locations accessible by SMB and NFS; and you can manage mirrors, backups, and snapshots.
There's much more; consequently, OpenFiler's administration and management system requires some learning time. (This is less a fault of OpenFiler and more the simple fact that OpenFiler can support so many different configurations.) The online installation instructions will get you started, but if you don't feel up to a bout of self-education and need additional guidance, you can purchase an OpenFiler support package from the product's Web site. In any case, if you need either a SAN or a NAS system, OpenFiler is well worth the time you'll spend getting it installed and tuned.
Ubuntu Studio
Ubuntu Studio targets three broad categories of media support: audio, graphics, and video. During the installation of the system, you choose one or more of those three categories. So, for example, you could have an installation of Ubuntu Studio geared solely to audio — the configuration I chose — or you could install a mixed audio/video workstation.
Installation of Ubuntu Studio is identical to the process for standard Ubuntu Linux. Online documentation provides some instructions, as well as information for upgrading from earlier versions of Ubuntu. You can, for example, install Ubuntu Studio over an existing Ubuntu instance by using the APT application to pull in packages over the Net. However, Ubuntu Studio's documentation is spotty and appears to be a work in progress. Several links led to “not yet written” pages.
There is no LiveCD installation option for Ubuntu Studio, so you cannot try it before you commit it to your system. (According to Ubuntu Studio's project lead, the system is far too memory-intensive to allow for a LiveCD version.) You can, however, install it on a virtual machine, as I did using Sun's freeware VirtualBox. This was sufficient for tire-kicking only, as high-throughput video and audio suffer noticeably on a virtualized system.
Though I created an audio-only instance of Ubuntu Studio, applications in the other two categories (graphics and video) are worth mentioning. A graphics installation gives you the celebrated GIMP image-editing application, the equally well-regarded Blender 3-D rendering system, the InkScape vector graphics editor, the Scribus desktop publishing application, and others. Choosing the video category gives you PiTiVi video editing system (which is actually a Python front end to the GStreamer collection of video processing modules), the Kino nonlinear video editor, the Stopmotion movie creator, and more.
Ubuntu Studio's selection of audio applications is impressive in both quantity and quality. There are at least three audio recording/editing applications: the solid and reliable Audacity; Time Machine, which has the unique capability of recording before you hit the record button (in case you make a really cool sound but are so involved that you forget to record what you're doing); and Ardour, which boasts features that rival those of commercial products.
MIDI processing and music-performance software includes the indispensable JACK system, a kind of Swiss Army Knife for routing audio and MIDI data. Software synthesizers include the Bristol analog synthesizer simulator and the multi-engine ZynAddSubFx. You'll also find several SoundFont-based systems, such as FluidSynth and Qsynth (the latter acts as a GUI front end to the former), as well as the GENPO (GENeral Purpose Organ) application. Ubuntu Studio also installs the robust Hydrogen drum machine, a percussion synthesizer and pattern-based sequencer.
Rounding out the musical performance software are BEAST (BEdevilled Audio SysTem) — which is really a modular synthesizer engine and musical composition system in one package — and the Pure Data (Pd) graphical programming environment, which can do everything from process MIDI and audio data to execute FM synthesis modules.
There's lots more, but available space cannot do justice to the full range of audio applications found in Ubuntu Studio. Even better, given that it is an Ubuntu distribution, you can use the Synaptic package manager to download all the standard Ubuntu applications you'll need when you're not using Ubuntu Studio to produce the next electro-trance hit.
Musix
Musix Linux is a labor of love by Argentinean musician Marcos Guglielmetti. Musix's heritage is a mixture of Knoppix, Kanotix, and Debian. The Synaptic package manager is installed, which opens Musix to the same wealth of downloadable applications available to any Debian system. Installation is tricky, however; I was unable to successfully install Musix on my test system, though I could run the OS in LiveCD form. Being a Knoppix-based system, however, it does have a boot option that will copy system files to a directory on the hard disk. This provides better performance than a LiveCD system, without requiring a full install that would otherwise erase what's already on the disk.
Though the name Musix implies an operating system bent solely on musical applications, Musix is pre-installed with tools, utilities, and packages that make it as usable as a standard desktop Linux. That is, you won't lack for a browser, a word processor, chat applications, graphics packages, and so on.
The Musix user interface is organized as a set of eight “desktops” (also referred to as “pinboards”), each providing a view of a select subset of the full complement of available applications. You can choose a desktop by clicking on one of a set of colored buttons in the taskbar. The desktops include: General, comprising KDE's Konqueror file manager/Web browser, a link to XCHat, and an Xterm window; Help, consisting of manuals and tutorials in a variety of languages; as well as Office, which includes word processors Abiword, kwrite, and leafpad, a PDF reader, the gnumeric spreadsheet, and several calculators. Root is another desktop, presenting primarily configuration applications — everything from wireless configuration and sound-card configuration to the KDE control panel. It also offers directory links to boot scripts.
Additional desktops include MIDI, which, as the name suggests, comprises MIDI-related tools, including Timidity, Bristol, Qsynth, Rosegarden, and much more. The Internet desktop serves up Iceweasel, aMSN (MSN chat), BitTorrent, Konquerer, amule (peer-to-peer file sharing), KDE mail, and more. Finally, the Graphics desktop offers xine, gimp, xaos (fractal calculation and display), the kuickshow image viewer, and others.
MIDI is the most densely populated desktop. Musix's selection of audio production and music performance software seems to go on forever. Though an exact package count would be difficult, Musix appears to provide more musically related software than does Ubuntu Studio (though I imagine that an intrepid user could download and install whatever is needed to make the two equivalent).
The crown jewel of the Musix MIDI desktop appears to be the Rosegarden music composition environment. Rosegarden has its own submenu, loaded with links to about 20 different startup configurations. Each configuration loads a different set of plug-ins: one with the Hydrogen drum machine, another with Qsynth, another with the ZynaddsubFX synthesizer, and so on. Rosegarden is a massively capable composition package that can juggle a mixture of MIDI and audio and can even serve as a score-writing system. It's no wonder Musix devotes menu space to it.
Another important characteristic of Musix is that it employs a low-latency kernel referred to as the “–rt patch,” (It is called a patch because, until recently, it has been available as a patch for Linux kernels. However, its capabilities have been slowly working their way into the standard Linux kernel.) The –rt patch gives Musix's kernel deterministic behavior and a superior responsiveness to asynchronous events (as compared to a similar kernel without the –rt patch). In short, Musix's kernel is particularly suited to audio-processing applications, whose performance quality degrades with increased application and kernel thread latencies.
Musix is still rough around the edges. Although you can configure English as the system's primary language, various alert and informational screens will still pop up in Spanish. And as described above, installation is less than straightforward. Nevertheless, Musix is such a fine environment for musicians that we will be watching it with nothing but enthusiasm.
Ubuntu Christian Edition
Ubuntu Christian Edition is an Ubuntu foundation topped with applications geared toward the practice of the Christian religion. The primary focus of Ubuntu CE's applications is, of course, Bible study. Heading up the list is the GnomeSword 2 Bible Guide, an elaborate front end for modules from the Sword Project (the work of the CrossWire Bible Society) that creates what amounts to the Biblical study equivalent of an IDE.
You can load Bible texts, commentaries, and dictionaries into GnomeSword. It comes pre-loaded with three English-language Bibles, a Spanish-language Bible, three commentaries, and three dictionaries, including Strong's Greek and Hebrew dictionaries/lexicons. You can search by book, chapter, and verse, and GnomeSword provides windows synchronized to the selected location for each Bible or commentary. Select a word, and you can search for it in one of the dictionaries.
BibleTime is another Bible navigation application that uses the Sword Project library. Its three-paned user interface provides navigation in the upper left, Bible verses in the right, and a dictionary in the lower left. Hover over a word in the scripture pane, and Strong's reference appears in the dictionary. BibleTime is not as powerful as GnomeSword, and it seems to be a work in progress: Several of the toolbar icons were missing in the version I tested, but it was otherwise usable.
Another work in progress is BibleMemorizer, which is a tool for creating lists of Bible verses for memorization. You create and name categories, then populate each category with verses. When it's time for memorization, you click a category and are shown the book, chapter, and verse of the entries you've placed in that category. The actual text is hidden until you click the entry, at which point you can verify how good (or bad) your memory is.
Bible software is not all that Ubuntu CE's developers pre-installed. They added a parental control system as well. From the System | Administration menu, select Configure Parental Controls, and a window opens into a front-end GUI for the pre-installed DansGuardian content-filtering system. From this interface, you can set criteria whereby incoming Web content is rejected: file extensions, URLs, phrases, and more. You can also set the “naughtiness limit” applied to browser sessions. DansGuardian maintains a library of “bad” phrases (which can be edited), and applies a weight to each phrase. When a page is loaded, it is scanned for unfit phrases, and the weights are tallied. If the page exceeds the naughtiness limit, the page is rejected.
Ubuntu CE sits atop the rock-solid Ubuntu base, so there's little fear of misbehavior on the OS' part. And if you're not satisfied with the mixture of applications provided, you can always connect to the vast Ubuntu and Debian repositories.
Ubuntu Muslim Edition
Ubuntu Muslim Edition is the Islamic faith's counterpart to Ubuntu CE. Where Ubuntu CE provides Bible study software, Ubuntu ME offers applications that aid in reading the Quran, as well as assisting in the daily religious duties of a practicing Muslim.
Ubuntu ME's Quranic study package is Zekr, which presents a two-paned window: navigation on the left, and text on the right. Select a sura (chapter), and a drop-down list is populated with the aya (sections) in the sura. Select the aya and the right-hand pane navigates to the proper verses. Below the navigation pane, you're shown details of the sura. For example, the Muslim faith teaches that each sura was originally given to Mohamed at one of two locations, Mecca or Medina. The detail pane shows the “descent” (or location) of the sura. Zekr also provides audio recitation of the Quran. Select a phrase, choose from a list of over a dozen qari (reciters) — most well-known imams — and Zekr will play the associated audio of the recitation.
Ubuntu ME also includes a pair of prayer-time reminder programs. One is Minbar, a stand-alone application that lets you select from a long list of world cities (pick the one nearest to your location) and from your choice will determine your latitude and longitude, the direction to Mecca, and the time until the next prayer. A similar program — called simply Prayer Times — is also provided as a Firefox plug-in. Meanwhile, Monajat is a small application that sits on the taskbar and pops up a window a predetermined times to display Islamic azkar (supplications).
Like Ubuntu CE, Ubuntu Muslim Edition uses DansGuardian as its content control system. The creators of Ubuntu ME have built a Java-based user front end to DansGuardian. Called WebStrict, the front end provides easy access — in the form of pop-up editing windows — to DansGuardian's configuration files. You'll need to know a bit about the structure of those files before you wade into modifying them; they are more or less structured text files, and WebStrict's editors are basic text editors. Nothing stops you from entering mal-formatted data.
Unlike Ubuntu CE, Ubuntu Muslim Edition pre-installs numerous educational packages. These include a selection of KDE-based applications such as Kalzium (a periodic table), KBrunch (which teaches calculating with fractions), Kig (an interactive geometry application), and others.
As with any Ubuntu-based distribution, Ubuntu ME is easy to install and dependable, and it enjoys access to enough free software to overflow even the biggest hard drives.
As you like it
These distributions are outstanding examples of flexibility of the Linux OS; it sits at the heart of systems as small as a firewall running on an embedded PC, or as large as a multigigabyte musical performance workstation running virtual analog synthesizers and drum machines. No less important is the abundance of open source applications whose quality rivals most commercial counterparts.
Finally, hats off to the designers and developers who build these specialized distributions and make the fruits of their enthusiasm available to all.