The day of the mold-your-own OS has come, and Linux is the clay.
Linux provides free and open access to the source for the OS itself. Developers are free to tailor a custom Linux -- even down to the level of the kernel itself. You can trim away drivers, services, and other OS components unneeded by the task for which the custom distribution will be targeted.
[ Check out InfoWorld Test Center's previous roundup of specialized Linux distributions and killer open source monitoring tools. Read about the very best open source software products in InfoWorld's Best of Open Source Software Awards 2008. ]
In addition, because Linux thrives on a universe of free software, developers can be choosy about the pre-installed packages they supply with their custom system. One can easily construct a user environment tuned to a specific application.
The specialized Linuxes in this roundup showcase the advantages of customizing both OS components and user-level software. I look at a pair of firewall Linuxes, IPCop and m0n0wall; a Linux SAN/NAS appliance, OpenFiler; two Linuxes for musicians, Ubuntu Studio and Musix; and a final duo of distributions, Ubuntu Christian Edition and Ubuntu Muslim Edition, targeted at members of those corresponding religions.
The firewall system IPCop is a fork of SmoothWall Linux (now called SmoothWall Express), which, in turn, is based on Red Hat Linux. The most recent releases of IPCop, however, have been created via LFS (Linux From Scratch).
On a typical Linux system, your interaction with the OS is either through an X-Windows based graphical desktop or a text-based shell. Not so with IPCop. Once started, it launches a Web server, which IPCop uses to host a management GUI. The first time you boot IPCop and enter the management GUI, you must configure the topological details of the intranet that IPCop will protect.
IPCop partitions your network into three color-coded zones. The Green zone is the most secure: IPCop insulates devices on the Green zone from all other zones. Green zone devices must be connected to the IPCop server via hardwired network connections. The next outward ring of protection is the Blue zone, which consists of wireless network devices. Blue zone devices are also insulated by IPCop's firewall system, but because this zone admits wireless access, it is necessarily less secure than the direct-wired Green zone. The outermost security ring is the Orange zone, which is that part of the local network exposed to the wider internet. The "outside world" is actually its own zone: Red. Naturally, Red zone traffic is completely uncontrolled by IPCop. Each zone attaches to the IPCop server through a dedicated Ethernet card. (A minimal IPCop system will have a Red zone and a Green zone.)
Web traffic can pass only from less secure to more secure zones through tightly controlled channels referred to as "pinholes." Basically, a pinhole is a set of rules (configured in the management console) that determines which packets are permitted into zones of higher security. Typically, the rules allow packets to be delivered to specific ports on specific machines in the secure zone. The underlying packet-routing decision-making in IPCop is performed by the iptables Linux application.
IPCop has no specific hardware requirements other than that the host be i386 based. (An earlier release supported the Alpha processor.) Documentation even boasts that obsolete hardware is frequently used to host an IPCop system. The system comes with a number of services: intrusion detection via Snort, the IPSec VPN system, and Web caching via squid. Perhaps its strongest feature is its wide range of status and logging information. IPCop produces real-time scrolling graphs of CPU usage and memory usage, as well as traffic statistics on each of the colored networks. You can also view a table of all connections established on each network.
Setup time is less than a half hour (depending on the complexity of your network), and the online documentation is sufficient even for someone setting up a firewall for the first time.
With m0n0wall Linux, the hardware platform of choice is an embedded x86 PC, so it's no stranger to small memory spaces and modest processor power. The system officially supports embedded PCs from Soekris Engineering and PC Engines. Nevertheless, m0n0wall can run on a stock x86 PC. Documentation indicates that m0n0wall will live happily on a 486 with only 64MB of RAM.
When m0n0wall boots, the host system's screen displays a rudimentary text-based menu good only for setting fundamental parameters such as network cards' IP addresses, the administration GUI's password, and so on.
m0n0wall assumes two networks, WAN and LAN, each on its own NIC. The WAN is the unprotected, outside world; the LAN is the protected, private network. As with IPCop, interaction with m0n0wall is via the administration Web user interface, webGUI, available at a pre-defined IP address on the LAN side. The webGUI is well arranged in a two-frame format: The left frame holds the navigation pane, while editing takes place in the right frame.
From the webGUI, you have complete control over the system. This includes operations such as creating VPN and PPTP tunnels (m0n0wall comes with a PPTP server); configuring the DHCP server; and defining firewall and traffic shaping rules
The last item is the most interesting. You define firewall rules through a fill-in-the-blanks-style Web page form. Select the action (Pass, Block, Reject), the associated network interface, and the protocol to which the rule applies. You then enter filtering restrictions. For example, you can specify that a particular rule block packets coming from a range of source IP addresses or bound for a range of destination IP addresses.
Defining rules for packet shaping is a little more involved and requires an understanding of entities m0n0wall refers to as "pipes" and "queues." Basically, a pipe is a restriction on bandwidth. A queue lets you specify how "flows" -- packets with a common characteristic, such as the same source IP address -- share that bandwidth. The online documentation points to a short essay on the subject, which is worth reading before you try your hand at building shaping rules.
The creators of m0n0wall envisioned a straightforward firewall system and therefore deliberately kept the distribution small. Currently, m0n0wall can fit on a 16MB CompactFlash card. This means that some facilities have been omitted. For example, you won't find a proxy server, intrusion detection, an FTP server, a Web server, and so forth. On a m0n0wall-protected intranet, such services would run on separate hardware.
Nevertheless, m0n0wall's simplicity is its strength. It is easy to set up and maintain. Documentation boasts setup times of less than 15 minutes, which is about how long it took me.
OpenFiler is a SAN/NAS appliance based on rPath Linux. According to its creator, OpenFiler actually began life atop Fedora Linux, moved to CentOS, and final settled on rPath, attracted by that Linux's impressive package-management environment. OpenFiler can operate at either the SAN or NAS level -- or both simultaneously.
OpenFiler's feature set is impressive. It provides drivers for a wide array of peripheral busses: It can talk to disk drives on IDE, SAS, SATA, SCSI, or iSCSI interfaces. If you need RAID, OpenFiler is compatible with hardware from Adaptec, LSI Logic, Intel, and others. Further, it can handle file systems up to 60TB in size. Its supported Ethernet controllers include Fast, Gigabit, and 10 Gigabit controllers from Intel and Broadcom. In spite of these bounteous capabilities, its actual processor and memory requirements are modest. A standard x86 system with 256MB of RAM, 1GB of disk space for the OS image, and at least one Ethernet card is all you need to get going.
There's not much to see in the console when you boot an OpenFiler system. You can log in to the console or through SSH and execute Linux commands in case you need to modify boot scripts and configuration files. But as with m0n0wall and IPCop, management of OpenFiler is through the administration user GUI hosted on a built-in Web server. (If you need access to shell commands, the GUI provides a secure shell terminal via a Java applet.)
The tabbed administration GUI leads you to sections wherein you can configure several components. Among them are users and groups. This requires you to select either LDAP or Windows as the authentication system. If you don't have a Windows server available, OpenFiler comes with the open source OpenLDAP server.
You also have the ability to configure volumes. Here you identify the attached disk drives, select the file system type with which they will be formatted (XFS or ext3; future versions hope to provide ext4 and btrfs), define volume groups, and -- finally -- create actual volumes that users can access.
Additionally, you can configure quotas, which control user group consumption of disk resources; you can establish shares, which makes named file system locations accessible by SMB and NFS; and you can manage mirrors, backups, and snapshots.
There's much more; consequently, OpenFiler's administration and management system requires some learning time. (This is less a fault of OpenFiler and more the simple fact that OpenFiler can support so many different configurations.) The online installation instructions will get you started, but if you don't feel up to a bout of self-education and need additional guidance, you can purchase an OpenFiler support package from the product's Web site. In any case, if you need either a SAN or a NAS system, OpenFiler is well worth the time you'll spend getting it installed and tuned.
Ubuntu Studio targets three broad categories of media support: audio, graphics, and video. During the installation of the system, you choose one or more of those three categories. So, for example, you could have an installation of Ubuntu Studio geared solely to audio -- the configuration I chose -- or you could install a mixed audio/video workstation.
Installation of Ubuntu Studio is identical to the process for standard Ubuntu Linux. Online documentation provides some instructions, as well as information for upgrading from earlier versions of Ubuntu. You can, for example, install Ubuntu Studio over an existing Ubuntu instance by using the APT application to pull in packages over the Net. However, Ubuntu Studio's documentation is spotty and appears to be a work in progress. Several links led to "not yet written" pages.
There is no LiveCD installation option for Ubuntu Studio, so you cannot try it before you commit it to your system. (According to Ubuntu Studio's project lead, the system is far too memory-intensive to allow for a LiveCD version.) You can, however, install it on a virtual machine, as I did using Sun's freeware VirtualBox. This was sufficient for tire-kicking only, as high-throughput video and audio suffer noticeably on a virtualized system.
Though I created an audio-only instance of Ubuntu Studio, applications in the other two categories (graphics and video) are worth mentioning. A graphics installation gives you the celebrated GIMP image-editing application, the equally well-regarded Blender 3-D rendering system, the InkScape vector graphics editor, the Scribus desktop publishing application, and others. Choosing the video category gives you PiTiVi video editing system (which is actually a Python front end to the GStreamer collection of video processing modules), the Kino nonlinear video editor, the Stopmotion movie creator, and more.
Ubuntu Studio's selection of audio applications is impressive in both quantity and quality. There are at least three audio recording/editing applications: the solid and reliable Audacity; Time Machine, which has the unique capability of recording before you hit the record button (in case you make a really cool sound but are so involved that you forget to record what you're doing); and Ardour, which boasts features that rival those of commercial products.
MIDI processing and music-performance software includes the indispensable JACK system, a kind of Swiss Army Knife for routing audio and MIDI data. Software synthesizers include the Bristol analog synthesizer simulator and the multi-engine ZynAddSubFx. You'll also find several SoundFont-based systems, such as FluidSynth and Qsynth (the latter acts as a GUI front end to the former), as well as the GENPO (GENeral Purpose Organ) application. Ubuntu Studio also installs the robust Hydrogen drum machine, a percussion synthesizer and pattern-based sequencer.
Rounding out the musical performance software are BEAST (BEdevilled Audio SysTem) -- which is really a modular synthesizer engine and musical composition system in one package -- and the Pure Data (Pd) graphical programming environment, which can do everything from process MIDI and audio data to execute FM synthesis modules.
There's lots more, but available space cannot do justice to the full range of audio applications found in Ubuntu Studio. Even better, given that it is an Ubuntu distribution, you can use the Synaptic package manager to download all the standard Ubuntu applications you'll need when you're not using Ubuntu Studio to produce the next electro-trance hit.