Tuesday, 7 March 2017

Compiling xdrfile library by using PGI C compiler (fast and dirty way)

Content:

1. Introduction.

2. Downloading the code of xdrfile library.

3. Compiling and installing the code.

4. Testing the compilation.


The xdrfile library is a side-project of GROMACS and provides an easy to use universal interface for reading XTC and TRR trajectories from within Python, C/C++, and Fortran applications.

The library code can easily be compiled with the GNU C and Intel C compilers, but an attempt to use the PGI compiler collection through the configure script will fail. One of the reasons for that failure is that the PGI compilers do not support invocation with GNU-style parameters. Of course, that might be solved by changing the configure script to match the PGI C compiler's set of input parameters, but unless you want to pack the compilation as an RPM, DEB, or other package, it is not worth doing. The code can be compiled directly from the command line, without any automation, in seconds, and the goal of this document is to show how.

 

The source code tarball of the xdrfile library can be downloaded from the download page of the GROMACS project (scroll down the page - the xdrfile links are at the bottom of the page):

http://www.gromacs.org/Downloads

The current version is 1.1.4. Create a separate folder, download and unzip the tarball into it, and enter the folder:

$ mkdir ~/tmp/xdrfile
$ cd ~/tmp/xdrfile
$ wget ftp://ftp.gromacs.org/contrib/xdrfile-1.1.4.tar.gz
$ tar zxvf xdrfile-1.1.4.tar.gz
$ cd xdrfile-1.1.4/src

 

Before compiling the code, note that both the shared and the static library may need to be built, because the applications that will use the library might follow different compilation models: some of them need the shared version of the library, others the static version. The example below shows how to compile both of them:

Compiling the shared library (using the position-independent code (PIC) model):

$ cd ~/tmp/xdrfile/xdrfile-1.1.4/src
$ pgcc -fastsse -fPIC -c xdrfile_xtc.c xdrfile_trr.c xdrfile.c -I../include
$ pgcc -fastsse -fPIC -shared -o libxdrfile.so xdrfile.o xdrfile_trr.o xdrfile_xtc.o
$ sudo cp ~/tmp/xdrfile/xdrfile-1.1.4/src/libxdrfile.so /usr/local/lib

To compile the static version of the library, first create the object files (as shown above) and then use the GNU ar tool to pack them:

$ cd ~/tmp/xdrfile/xdrfile-1.1.4/src
$ pgcc -fastsse -fPIC -c xdrfile_xtc.c xdrfile_trr.c xdrfile.c -I../include
$ ar rcs libxdrfile.a xdrfile_xtc.o xdrfile_trr.o xdrfile.o
$ sudo cp ~/tmp/xdrfile/xdrfile-1.1.4/src/libxdrfile.a /usr/local/lib

Note that using the static version of the library is not recommended, unless you are very certain about what you want to achieve by compiling your code statically.

 

The xdrfile library is supplied with two test tools: one written in C and another one in Python. Because the Python test requires some TRR and XTC trajectories to exist, the C tool should be run first; it generates them when it executes successfully.

To execute xdrfile_c_test, it must first be compiled from its C source. Compiling it against the shared library libxdrfile.so (in this example it is installed locally in /usr/local/lib) follows the recipe:

$ cd ~/tmp/xdrfile/xdrfile-1.1.4/src
$ pgcc -fastsse -o xdrfile_c_test xdrfile_c_test.c -L/usr/local/lib -lxdrfile -I../include

To check whether the shared library compiled before works as expected, and to generate sample TRR and XTC trajectories to test the tools on, execute xdrfile_c_test (assuming libxdrfile.so is in /usr/local/lib):

$ cd ~/tmp/xdrfile/xdrfile-1.1.4/src
$ export LD_LIBRARY_PATH=/usr/local/lib:$LD_LIBRARY_PATH
$ ./xdrfile_c_test

If the library libxdrfile.so has been compiled successfully, loads, and works as expected, the following output will appear on the display:

Testing basic xdrfile library: PASSED
Testing xtc functionality: PASSED
Testing trr functionality: PASSED

and these new trajectory files will be created:

~/tmp/xdrfile/xdrfile-1.1.4/src/test.trr
~/tmp/xdrfile/xdrfile-1.1.4/src/test.xtc

Execute the tool xdrfile_test.py (this requires Python 2.7 and assumes libxdrfile.so is in /usr/local/lib):

$ cd ~/tmp/xdrfile/xdrfile-1.1.4/src/python
$ export LD_LIBRARY_PATH=/usr/local/lib:$LD_LIBRARY_PATH
$ ./xdrfile_test.py

If the execution is successful the displayed result will look like:

../test.trr OK
../test.xtc OK

Compile trr2xtc from its C source (in this example the shared library libxdrfile.so is installed locally in /usr/local/lib):

$ cd ~/tmp/xdrfile/xdrfile-1.1.4/src
$ pgcc -fastsse -o trr2xtc trr2xtc.c -L/usr/local/lib -lxdrfile -I../include

Execute it to convert the sample TRR trajectory into an XTC one (assuming libxdrfile.so is in /usr/local/lib):

$ cd ~/tmp/xdrfile/xdrfile-1.1.4/src
$ export LD_LIBRARY_PATH=/usr/local/lib:$LD_LIBRARY_PATH
$ ./trr2xtc -i test.trr -o converted.xtc

To be sure that the conversion is successful, compare the SHA256 checksums of the produced converted.xtc and the sample test.xtc (this works only if test.xtc has not been modified since its creation):

$ cd ~/tmp/xdrfile/xdrfile-1.1.4/src
$ sha256sum converted.xtc
$ sha256sum test.xtc

They must match!

Friday, 3 February 2017

Using LDAPS (LDAP+TLS) from within the Sendmail configuration file

 

Content:

1. Introduction.

2. Installing and configuring OpenLDAP certificate database

3. SELinux configuration.

4. LDAP+TLS in sendmail.mc/sendmail.cf.

 

1. Introduction.

If one needs to implement LDAP+TLS to securely connect the sendmail daemon to an LDAP directory server, one needs to enable and use the existing OpenLDAP integration of Sendmail. Most modern Linux distributions provide, as part of their package collections, Sendmail compiled with OpenLDAP integration. But when it comes to configuring Sendmail to connect to the LDAP server over a TCP session secured with TLS, it is very hard to find a useful example online. Almost all available examples explain how to configure Sendmail to use the LDAP server through a plain TCP session. The goal of this document is to explain how to do the TLS-secured configuration. The explanations below are 100% compatible with a Sendmail setup based on CentOS 7 or Red Hat Enterprise Linux 7, but they might be applied to any other modern Linux distribution as well.

 

2. Installing and configuring OpenLDAP certificate database.

In CentOS 7 and Red Hat Enterprise Linux 7, the OpenLDAP client configuration by default uses the configuration and certificate database located in the directory /etc/openldap. That folder is supplied to the system by the package named openldap. In most cases, depending on the type of installation, the package openldap is present in the system by default. Nevertheless, one must check that the package exists and is up to date (not keeping your system up to date is risky). If the package openldap is not present, install it by using yum:

# yum install openldap

If the installation is successful, the package will create the folders /etc/openldap and /etc/openldap/certs. The latter folder contains the NSS database:

/etc/openldap/certs/cert8.db
/etc/openldap/certs/key3.db
/etc/openldap/certs/password
/etc/openldap/certs/secmod.db

There, the file named "password" contains the password for unlocking the NSS database when accessing the stored private keys and passwords. The NSS database is created empty by default, which means that one must add at least the CA certificate needed to verify the X.509 certificate of the LDAP server (the LDAP server Sendmail will connect to). For example, if the CA X.509 certificate "COMODO RSA Certification Authority", stored in PEM format in the file /tmp/COMODO_RSA_Certification_Authority.crt, should be added to the NSS database and trusted, that can be done in the following way:

# cd /etc/openldap/certs
# certutil -A -d . -n "COMODO RSA Certification Authority" -a -i /tmp/COMODO_RSA_Certification_Authority.crt -t "CT,c,"

Please note that the use of NSS libraries with OpenLDAP is specific to CentOS and Red Hat Enterprise Linux 7. Other Linux distributions might use OpenSSL libraries instead of NSS ones.

 

3. SELinux configuration.

By default, the Sendmail OpenLDAP client process cannot access the NSS certificate database of OpenLDAP. To make the access possible, one needs to set the SELinux boolean authlogin_nsswitch_use_ldap to true:

# setsebool -P authlogin_nsswitch_use_ldap 1

 

4. LDAP+TLS in sendmail.mc/sendmail.cf.

LDAP+TLS can be configured by using the specific URI format "-H ldaps://hostname:port", where the port number is optional. Below is a detailed example in m4 format, which needs to become part of the m4 Sendmail configuration file sendmail.mc:

define(`confLDAP_DEFAULT_SPEC', `-H ldaps://directory.example.com -b "o=example.com" -d "cn=sendmail,ou=Special Users,o=example.com" -M simple -P /etc/mail/password-sendmail.ldap')dnl

If one needs to specify the LDAP client settings directly in sendmail.cf, the following configuration line should be added there:

O LDAPDefaultSpec=-H ldaps://directory.example.com -b "o=example.com" -d "cn=sendmail,ou=Special Users,o=example.com" -M simple -P /etc/mail/password-sendmail.ldap
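
The following check is an added example, not part of the original post or of Sendmail itself: it reads the LDAPDefaultSpec line shown above, confirms that the -H URI uses the ldaps:// scheme, and confirms that the file given to -P (which holds the bind password in clear text) is not accessible to group or others. The function names spec_arg, audit_ldap_spec and audit_sendmail_cf are hypothetical, the "mode 600 or stricter" policy is an assumption, and GNU stat is required.

```shell
#!/bin/sh
# Added example: audit the LDAPDefaultSpec value of a sendmail.cf file.
# Assumed policy (not from the original post): the map must use an ldaps://
# URI, and the -P bind password file must carry no group/other permission bits.

# Print the word that follows flag $1 in spec string $2. Whitespace splitting
# is enough here because -H and -P values contain no spaces.
spec_arg() {
    printf '%s\n' "$2" | awk -v flag="$1" '{
        for (i = 1; i < NF; i++) if ($i == flag) { print $(i + 1); exit }
    }'
}

# audit_ldap_spec SPEC: print findings; return 0 if clean, 1 otherwise.
audit_ldap_spec() {
    rc=0
    uri=$(spec_arg -H "$1")
    secret=$(spec_arg -P "$1")
    case $uri in
        ldaps://*) ;;
        "") echo "FAIL: no -H URI in spec"; rc=1 ;;
        *)  echo "FAIL: $uri is not an ldaps:// URI"; rc=1 ;;
    esac
    if [ -n "$secret" ]; then
        if [ ! -f "$secret" ]; then
            echo "FAIL: $secret not found"; rc=1
        else
            mode=$(stat -c %a "$secret")      # GNU stat, octal mode such as 600
            if [ $(( 0$mode & 077 )) -ne 0 ]; then
                echo "FAIL: $secret has mode $mode, expected 600 or stricter"; rc=1
            fi
        fi
    fi
    return $rc
}

# audit_sendmail_cf FILE: audit the first "O LDAPDefaultSpec=" line in FILE.
audit_sendmail_cf() {
    spec=$(sed -n 's/^O LDAPDefaultSpec=//p' "$1" | head -n 1)
    [ -n "$spec" ] || { echo "FAIL: no LDAPDefaultSpec in $1"; return 1; }
    audit_ldap_spec "$spec"
}

# Run as: sh audit.sh /etc/mail/sendmail.cf
[ $# -eq 0 ] || audit_sendmail_cf "$1"
```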