Posts for Wednesday, May 16, 2012

Dick of the week

https://lists.fedoraproject.org/pipermail/devel/2012-May/167057.html


different runlevels in gentoo

Having more than one default runlevel isn't very common, because usually one default runlevel is enough. Nonetheless it is sometimes quite useful.
Since I play around with Xen it's very handy to have two different default runlevels: one where the Xen services xenconsoled and xenstored get started, and one without these services.
The reason is that when Gentoo is booted without the Xen hypervisor these services fail to start, and thus slow down the boot process.

To create a new runlevel called "xen" you have to do the following:

# mkdir /etc/runlevels/xen
# cd /etc/runlevels/default
# for service in *; do rc-update add $service xen; done
# rc-update add xenstored xen
# rc-update add xenconsoled xen

This copies all services from the default runlevel into xen and adds both Xen init scripts as well. Next you need to configure the bootloader: add the softlevel parameter, which tells OpenRC which runlevel to boot instead of default, to /boot/grub/grub.conf. With Xen the dom0 kernel is loaded by the module line, so that is where the parameter goes:

title Gentoo Linux XEN
root (hd0,0)
kernel /boot/xen.gz dom0_mem=8192M,max:8192M iommu=1 xsave=1 dom0_max_vcpus=4 dom0_vcpus_pin 
module /boot/gentoo-3.4.0-rc6 root=/dev/md3 softlevel=xen

Finished, that's all. Quite easy and really useful for Xen. A more detailed howto about runlevels can be found in Gentoo's official documentation: Link
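As an added example (not code from the original post), here is the same runlevel cloning done in Python against a scratch tree, which makes the underlying mechanism visible: an OpenRC runlevel is just a directory under /etc/runlevels whose entries are symlinks to the init scripts in /etc/init.d, and rc-update add/del only creates and removes those links. The root parameter, the scratch tree builder and the service names (sshd, syslog-ng, xenstored, xenconsoled) are assumptions made for the demonstration; with root="/" the functions would act on the live system, which you don't need since rc-update exists. runlevel_diff is the check you want afterwards: it confirms that xen is default plus exactly the two Xen services.

```python
import os
import tempfile

INIT_D = ("etc", "init.d")
RUNLEVELS = ("etc", "runlevels")


def runlevel_services(root, level):
    """Services enabled in `level`: the names of the symlinks in its runlevel directory."""
    directory = os.path.join(root, *RUNLEVELS, level)
    if not os.path.isdir(directory):
        return set()
    return {name for name in os.listdir(directory)
            if os.path.islink(os.path.join(directory, name))}


def clone_runlevel(root, src, dst, extra=()):
    """Create runlevel `dst` with every service of `src` plus the services in `extra`.

    Mirrors what the rc-update loop in the post does: one symlink per service,
    pointing at its init script.  A service without an init script is refused,
    just as `rc-update add` refuses it.  Returns the sorted service list of dst.
    """
    dst_dir = os.path.join(root, *RUNLEVELS, dst)
    os.makedirs(dst_dir, exist_ok=True)
    for service in sorted(runlevel_services(root, src) | set(extra)):
        script = os.path.join(root, *INIT_D, service)
        if not os.path.isfile(script):
            raise FileNotFoundError(f"no init script for {service!r}: {script}")
        link = os.path.join(dst_dir, service)
        if not os.path.lexists(link):
            # With root="/" the target is the usual /etc/init.d/<service>.
            os.symlink(script, link)
    return sorted(runlevel_services(root, dst))


def runlevel_diff(root, a, b):
    """(services only in a, services only in b), e.g. what 'xen' adds on top of 'default'."""
    in_a, in_b = runlevel_services(root, a), runlevel_services(root, b)
    return sorted(in_a - in_b), sorted(in_b - in_a)


def build_scratch_tree(scripts, default):
    """Constructed sample tree (an assumption for the demo) so nothing touches /etc:
    empty init scripts for `scripts`, and a 'default' runlevel enabling `default`."""
    root = tempfile.mkdtemp(prefix="openrc-")
    os.makedirs(os.path.join(root, *INIT_D))
    os.makedirs(os.path.join(root, *RUNLEVELS, "default"))
    for service in scripts:
        open(os.path.join(root, *INIT_D, service), "w").close()
    for service in default:
        os.symlink(os.path.join(root, *INIT_D, service),
                   os.path.join(root, *RUNLEVELS, "default", service))
    return root


if __name__ == "__main__":
    root = build_scratch_tree(
        scripts=("sshd", "syslog-ng", "xenstored", "xenconsoled"),
        default=("sshd", "syslog-ng"))
    print(clone_runlevel(root, "default", "xen", extra=("xenstored", "xenconsoled")))
    print(runlevel_diff(root, "default", "xen"))
```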

Posts for Sunday, May 13, 2012

new pc, new toy

It's been 5 years since I bought my last desktop PC, and now I have bought a new one. A few months ago I started to think about the new system. Basically I didn't want anything special; there was just one thing I definitely wanted to try out: Xen with VGA passthrough. That restricted the choice, because VGA passthrough needs hardware support (an IOMMU) and not every vendor supports it.

Anyway, last month i finally had everything i needed and thus bought my new system.

A big change with the new system was choosing AMD over Intel. For years I went with Intel, but this time I decided on AMD. The main reason was that AMD/ATI started releasing documentation about their graphics cards years ago. That's something I wanted to support.

Well, this is now my new system:

AMD FX 8150 8-core processor 3,6Ghz
Gigabyte 990FXA-UD5
2x OCZ Vertex 3 120GB
Lian Li PC-6 Aluminium Case
NEC PA301W 30" Display
Scythe Grand Kama Gross CPU Cooler
Seasonic Xseries 760W Power Supply
PowerColor Radeon HD6850 (passive)
XFX R7970 Radeon HD7970 Black Edition
Corsair DDR3 1600MHZ 16GB DIMM

The system runs Gentoo amd64 testing (of course). Since I have two GPUs and Xen, there is also a virtualized Windows 7 64-bit for gaming.
The HD7970 is for Windows, while the HD6850 is for Gentoo. I additionally plugged in 2x 22" Lenovo L220x displays (from the old PC), running on the HD6850 under Linux. Mouse, keyboard and the audio system are also still from the old PC.

This is my desktop right now:

The motherboard supports an IOMMU, which is needed for VGA passthrough in Xen. Nonetheless I updated the BIOS to the latest version first. On AMD the IOMMU is called AMD-Vi; it is a separate feature from the CPU's virtualization extensions AMD-V (the cpu flag is called svm), which the AMD 8-core also has, and both are needed for an HVM guest with a passed-through card. On the GPU side there is no special hardware feature to look for; passthrough has been shown to work with most discrete GPUs, so I didn't have to look for a particular model.

Setting up the system wasn't a big deal. Below are the most important changes I made while setting it up.

* I had to change the primary output in the BIOS so that the system shows its output on the HD6850.

* I also had to enable the IOMMU in the BIOS (for Xen).

* To get Eyefinity working I had to install x11-drivers/radeon-ucode and enable the firmware blobs in the kernel under Device Drivers --> Generic Driver Options (howto)

The two SSDs are used both for a RAID1 (for the boot partition) and a RAID0 (for system and home). Since all the important files are on my server, losing the RAID0 wouldn't hurt much. Windows is virtualized and thus just a file on the disk.

So far the system is pretty stable. I have a few minor problems with Xen but nothing serious. I'll blog about my Xen setup anyway.

Posts for Monday, May 7, 2012

ssh with different private keys


SSH is probably one of the most used command line tools on Linux. If you want to connect to another Linux host it's the way to go. It is also very secure, and since security matters a lot nowadays many hosts on the Internet use public key authentication. With this method a client is only let in if it holds the private key matching a public key listed in the "authorized_keys" file on the host; the private key is normally protected with a passphrase, so you need the key file AND its passphrase, and the account password is not used at all.

For some time now I have been running a gitolite service at home. It's just for my own use and thus not reachable from the Internet. Every script I write is stored on the gitolite server.
This is quite handy because I can easily switch back to an older version of a script in case I made a mistake. Besides that I'm also forced to learn git, which I really want to learn.

Gitolite also uses public key authentication (it runs on top of ssh), but since the service only runs on the local network and I didn't want to enter my passphrase every time, I created a second key without a passphrase. (A passphrase-less key is only as safe as the file it lives in: anyone who can read ~/.ssh/gitolite_rsa can push to the repositories. Loading a passphrase-protected key into ssh-agent once per session gives the same convenience without an unencrypted key on disk.)

Well, now my problem was that ssh doesn't pick the right key for the git service, so I searched the web for a solution. A few hours later I found what I needed. It's easy: you just need a client configuration file for ssh, which looks something like this:

Host tunafix-git
        Hostname tunafix
        User git
        IdentityFile ~/.ssh/gitolite_rsa
        IdentitiesOnly yes

Host tunafix
        Hostname tunafix
        User michael
        IdentityFile ~/.ssh/id_dsa
        IdentitiesOnly yes

The configuration is stored in ~/.ssh/config. Each Host line is an alias: ssh tunafix (or plain ssh michael@tunafix) logs in as michael with the normal key, and ssh tunafix-git or git clone tunafix-git:myrepo connects as git with the gitolite key. The two stanzas need different aliases because ssh takes the first value it finds for each option: two stanzas both named tunafix would both match on every connection, the first User would always win, and since IdentityFile entries accumulate ssh would offer both keys every time. IdentitiesOnly yes additionally stops ssh from offering every key the agent holds before the configured one.
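To see why the two stanzas need different aliases, here is a small resolver that applies the ssh_config matching rules to a configuration text. This is an added example, not code from the original post; the two sample configurations and the host names in it are constructed for the demonstration, and it only handles the whitespace "Keyword value" syntax and simple *, ? and ! Host patterns (no Match blocks, no %h token expansion). AMBIGUOUS is the two-stanzas-same-alias shape; FIXED gives each account its own alias and moves the shared default into a trailing Host * block, which shows the other consequence of first-value-wins: defaults belong at the end of the file, not the beginning.

```python
import fnmatch
import shlex

# Keywords whose values accumulate across matching stanzas; everything else
# is first-value-wins (ssh_config(5): "the first obtained value will be used").
MULTI_VALUE = {"identityfile", "certificatefile", "localforward",
               "remoteforward", "sendenv"}


def parse_ssh_config(text):
    """Split ssh_config text into (host_patterns, {keyword: [values]}) stanzas in file order.

    Options before the first Host line form an implicit 'Host *' stanza.
    Only the whitespace-separated "Keyword value" form is handled, not "Keyword=value".
    """
    stanzas, patterns, options = [], ["*"], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()  # keywords are case-insensitive
        values = shlex.split(parts[1]) if len(parts) == 2 else []
        if not values:
            continue  # malformed line without a value; ssh would reject it
        if keyword == "host":
            stanzas.append((patterns, options))
            patterns, options = values, {}
        else:
            options.setdefault(keyword, []).extend(values)
    stanzas.append((patterns, options))
    return stanzas


def host_matches(patterns, host):
    """Host-line matching: any positive pattern may match, but a matching
    '!' pattern excludes the stanza regardless of the others."""
    matched = False
    for pattern in patterns:
        if pattern.startswith("!"):
            if fnmatch.fnmatchcase(host, pattern[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pattern):
            matched = True
    return matched


def resolve(text, host):
    """Effective options ssh ends up with for `host` as typed on the command line.

    Walks the stanzas in file order; a keyword keeps the first value it got,
    except MULTI_VALUE keywords, which collect a value from every matching stanza.
    """
    effective = {}
    for patterns, options in parse_ssh_config(text):
        if not host_matches(patterns, host):
            continue
        for keyword, values in options.items():
            if keyword in MULTI_VALUE:
                effective.setdefault(keyword, []).extend(values)
            elif keyword not in effective:
                effective[keyword] = values[0]
    return effective


# Constructed sample configs (assumptions for the demo, not a real ~/.ssh/config).
AMBIGUOUS = """\
Host tunafix
        Hostname tunafix
        User git
        IdentityFile ~/.ssh/gitolite_rsa

Host tunafix
        Hostname tunafix
        User michael
        IdentityFile ~/.ssh/id_dsa
"""

FIXED = """\
Host tunafix-git
        Hostname tunafix
        User git
        IdentityFile ~/.ssh/gitolite_rsa

Host tunafix
        Hostname tunafix
        User michael
        IdentityFile ~/.ssh/id_dsa

# Defaults go last: a 'Host *' block only fills in what is still unset.
Host *
        IdentitiesOnly yes
"""


if __name__ == "__main__":
    for name, config, host in (("ambiguous", AMBIGUOUS, "tunafix"),
                               ("fixed", FIXED, "tunafix-git"),
                               ("fixed", FIXED, "tunafix")):
        print(name, host, resolve(config, host))
```

With AMBIGUOUS, resolving tunafix yields User git and both identity files, so the michael stanza never takes effect except for its key being tried second; with FIXED each alias resolves to exactly one user and one key. Real ssh can be asked for the same information on newer releases with `ssh -G host`, which prints the resolved configuration.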

Posts for Sunday, May 6, 2012

Dark Side of Action

On Thursday May 3rd at re:publica Stephan Urbach, Anwen Roberts and I presented a session about depression/burnout in hacker and activist groups titled “Dark Side of Action”.

Looking back we want to thank everyone who attended the talk and the open space discussion afterwards for an intense event. We are glad we could bring a few people together talking and we hope that we could motivate a few people to talk about their own problems as a first step to getting better. This talk can only be a start, one of the first sparks trying to trigger a wide-spread discussion of what we as communities do to prepare the ground for those sorts of problems and obviously which strategies and methods we can implement to keep each other safe.

Our summary slides are available under http://the-gay-bar.com/wp-content/uploads/2012/05/RePublicaTeil3.pdf for those of you who were not able to attend the session or who might want to re-use them for any intents and purposes (do so, we do not put any sort of restriction on your usage!).

The talk was recorded and I’ll update this post with the Link to the recording as soon as it’s available, the German TAZ wrote about the talk on their website. On this year’s SIGINT conference (where I’ll be speaking about something else) Stephan will talk with Jens Ohlig about the same topic but from a different angle, we’d be happy to see more of you there.

Thanks again for all the positive feedback that we got for the talk, now it’s upon all of us to get the word out and try to fix our different environments. Just as a reminder our last slide:

[slide image: gethelp]

AthCon 2012 Review

Alternate title: “Being a lamb around a pack of wolves” … A venue full of hackers that are eager to attack your systems…

On 3-4/05/2012 the third AthCon conference was held in Athens. AthCon is an international security conference whose motto is “The First HIGHLY TECHNICAL Security Conference in Greece”.

Even though I am not a security professional (my daily job title is “Systems and Services Engineer”, which of course includes various aspects of security, but I am certainly not a security researcher), I had decided months ago that I would be attending this year’s AthCon. Since I have been messing a lot with IPv6 for the past 2-3 years, I decided to try and submit an introductory talk about IPv6 security issues. My talk was accepted, so I was not only attending AthCon this year but also giving a presentation.

My presentation – Are you ready for IPv6 insecurities ? was during the first day of the conference. I am always worried when I give presentations on IPv6 that the people attending have probably no clue about this ‘not-so-new’ protocol. Most people think that IPv6 is like IPv4 with bigger addresses and ‘:’ instead of ‘.’ to separate the address groups, which is of course a HUGE mistake/misunderstanding. I was hopeful that this wouldn’t be the case in AthCon, so when I started my presentation and I asked the crowd ‘how many of you know what SLAAC is ?’ and I only saw 3-4 hands raised I kinda froze, I was expecting at least a double digit…I was going to give a presentation on IPv6 security concepts to people that have absolutely no idea what I’m talking about. Being prepared for the fact that some people would need some ‘refreshing’ on their IPv6 knowledge, I had prepared around 20 introductory slides explaining some IPv6 concepts before I entered the security details, but I doubt these were enough for most people there. I am hopeful though that some of the attendees might be motivated to read more about the protocol since I think my security slides contained enough details, references and links to get people started. If someone needs more details feel free to contact me.

Enough with my presentation, what about other presentations ?
My personal view is that this year’s AthCon had some great talks, some that were ok and some that I didn’t like. I won’t mention which ones I didn’t like, but I noticed that a LOT of people were gossiping about these in the hallways. I will only mention here the ones that I really liked.

Day 1:
“Packing Heat!” by Dimitrios Glynos
A presentation that every pentester should download/watch somehow. Techniques about packing your executables to avoid detection by anti-virus programs, need I say more ? Great content and very well presented. Congrats Dimitris!

“PostScript: Danger Ahead” by Andrei Costin
How to use PostScript programming language to take advantage of Printers, OS, etc. Very interesting concepts were presented and also the examples/demos shown were pretty cool and easy to understand.

Day 2:
“Apple vs. Google Client Platforms” by Felix ‘FX’ Lindner
I guess mostly everyone reading this blog knows FX and what a great speaker he is. If you don’t then start watching his previous presentations and start reading about his work. His presentation at AthCon, apart from being the best one in terms of “presenting it”, was also extremely interesting. He connected the security concepts behind Apple’s iOS and Google’s Chromebook with their business tactics and policies. Just wait for AthCon to publish the videos and watch it. Probably the best talk at AthCon 2012.

“Advances in BeEF: RESTful API, WebSockets, XssRays enhancements” by Michele Orru
Jaw-dropping. That’s all I have to say about BeEF. Scary. Watch it to see what browsers and IDS have to face and defend against…not in the future but right now.

“Exploitation and state machines” by Halvar Flake
This presentation was about exploitation techniques and why automated exploitation engines don’t work that well. Even though reversing and exploitation is far from my interest topics I enjoyed the talk a lot. Very well structured and very clear points. Too bad this talk did not appear on the schedule and was there as “tbc”, I am sure many more people would come just to listen to this talk and speak to Halvar.

If I were to suggest a couple of things for next year…
a) Please put the CTF in separate slots within the day, not at the same time with the presentations. In a conference of 150-200 people (just guessing here) having 30+ people leaving the presentation room and just attending the CTF all day long leaves the main room a bit empty. I am pretty sure there were people that wanted to attend both the presentations and the CTF, unfortunately they had to make a choice.
b) Send some details/info to the speakers about the conference a few days earlier. Maybe the non-Greek presenters were given some, but we weren’t, or at least I wasn’t.
c) The venue is really nice, but maybe it would help if the next AthCon was organized somewhere downtown. Yeah I can understand that the cost would be higher but number of people attending would also raise (I think).
d) Give us even more highly technical presentations/speakers! People starve for these kind of talks!

My congratulations fly to AthCon people for organizing the conference. See you next year!

You can find some of the pics I took from the speakers at: AthCon 2012 speaker pics (if any of the speakers wants his pic removed please contact me ASAP)

Posts for Friday, May 4, 2012


Keeping /selinux

Just a very quick paragraph on a just-reported issue: if you upgrade your SELinux utilities to the latest version and switch from /selinux to /sys/fs/selinux as the mountpoint for the SELinux file system, you might run into problems. Apparently init (which is responsible for mounting the SELinux file system through a call to libselinux) tries to mount it on, well yes, /sys/fs/selinux, but at that time /sys is not mounted yet.

I haven’t been able to reproduce it just yet, because I recently had to move all my systems to an initramfs (thank you, you-need-an-initramfs-when-you-have-a-separate-usr-partition), which pre-mounts /sys. But the current workaround is to keep /selinux for now. The utilities still support it, and that gives me some time to look into and investigate the issue.

Happy Day Against DRM

Books are 50% off at O'Reilly today, using code DRMFREE. (This includes my book, Clojure Programming, by the way...) I'm a bit late with this, given the offer expires in 9 hours, but there's still time.

Whether you want to buy books today or not, it's worth pointing out that today is International Day Against DRM!

Day Against DRM

Brand Loyalty. Step 1: Make good stuff.

My anti-DRM article is quickly going to turn into a pro-O'Reilly Media infomercial, so you've been warned.

I am not the kind of person to feel any kind of brand loyalty. I'm the kind of person who deliberately buys a different brand of peanut butter every time I go to the grocery store, to try to screw with the store's customer-tracking database.

O'Reilly is probably an exception. I like O'Reilly. Why is that?

First, O'Reilly books tend to be pretty good. At least, I have yet to buy one that wasn't pretty good.

Allow me to digress. My college's CS curriculum was based around C++. Now, I'm the kind of person who thinks that programming is vaguely enjoyable no matter what I'm doing. Computers are fun. But for a new programmer, coding in C++ is like an hours-long shouting match with the compiler where your goal is to try to get the compiler errors to shut up. Producing a working program is an occasional side-effect. C++ doesn't exactly promote explorative, imaginative programming.

The first class I had in college where I actually enjoyed programming was a class that taught Perl. My textbook was Learning Perl, aka the Llama Book [1]. What a good book. I still have it. I remember feeling like I learned more reading that book than I had in two years of slogging through C++ data structures. And what fun Perl was. <insert some nerdy analogy between programming and wizardry here>

I remember immediately spending a bunch of money I should've saved for food, and getting Programming Perl, aka the Camel Book [1]. So good! Who knew a book could be witty and fun, and teach you things at the same time. You can tell when a book is written by someone who knows their stuff, and who enjoys talking about their craft.

Not sure if it was Perl itself, or the great Perl books, or probably some combination. But I've been cemented in dynamic, vaguely-Perly, powerful and fun languages since then. First Ruby, then Clojure.

I'm also likely to buy an O'Reilly book, given a choice between alternatives.

Step 2: Be Humans and give a crap.

A second thing that creates brand loyalty is when a company seems to be made of human beings that you can relate to.

When I heard O'Reilly was writing a Lisp book, and what's more, it was a Clojure book, and what's more, I could be involved in writing it... I was pretty excited.

Our book was written in ASCIIDOC, and lived in an SVN repo hosted at O'Reilly. [2] We could upload code with a certain string in the SVN commit log, and that'd trigger a rebuild of the ASCIIDOC on O'Reilly's server, which was compiled into PDF, and then we could download the PDF from SVN to see how the final product would look. Turnaround time was about 10 minutes. It was a nice, programmer-friendly setup, to be sure.

Whenever I dealt with people at O'Reilly, I generally got the feeling that I was working with programmers, or people who cared about programming. There aren't a lot of Clojure gurus there, but there were people who knew why wrapping long lines of code needed to be handled just right.

It's a great feeling to work with people whose goal is advancing the craft, as opposed to some kind of Death-Star-like entity whose goal is wringing extra pennies out of customers' bones.

DRM sucks

So does O'Reilly actually give a crap? Well, fiiiiiiiiinally getting to the point: O'Reilly's stance on DRM is pretty much spot-on. O'Reilly books are sold without DRM. DRM is not the way to make good stuff. DRM is a good sign that you don't give a crap. DRM doesn't advance the craft, but rather does the opposite.

I lent a guy my copy of K&R a while back. Now there's one more person in the world with a bit more knowledge of C. This is a really good thing. If my copy of K&R was a DRMed ebook that I couldn't lend out, the world would be a tangibly worse place.

I highly recommend this article by Mike Hendrickson at O'Reilly where he talks about piracy, DRM, and making books. Also this one by Tim O'Reilly where he talks about the same.

Now that my name is on a book, have my opinions about DRM changed? Not really. I'd obviously prefer that people pay for my book. I pay for books. It's only fair.

At the same time, I would be really disappointed if my book was sold with DRM all over it, and I'm glad it isn't.

Treating your customers like thieves a priori is not the way to build brand loyalty. Thinking that DRM is going to stop anyone from pirating a book is pretty much delusional. Using DRM to maintain some kind of iron-fisted control over stuff you're selling to other people is morally sketchy.

DRM is not the way to advance the craft. Advancing the craft is the important thing.

When you make smart decisions like not selling DRMed books, the result could be dorks like me spending an hour or two unprovoked, writing an article about how good your company is. And yeah, this is surely a bit self-serving because I want to sell my book, but I'd have written this same article two years ago too.

  1. One way to tell a good book is if it's widely known by an affectionate nickname or acronym. K&R? TAOCP? SICP? The Camel Book? You probably know what I mean right away.

  2. Obviously I'd have preferred Git, but I'll take what I can get.

newspages, quotability and wikis


for quite some time i use a wiki at lastlog.de, a mediawiki to be precise, and i wonder why there is no wide adaptation towards the wiki principle. with that i don’t mean collaborative editing but, somehow in contrast, the principle to be quotable.

lately, out of curiosity, i scrolled through my diploma thesis and checked the overall link stability. some were broken. however, all wikipedia links worked. as stated in the document itself, i explicitly link to wikipedia because of its link stability. if i had wanted to i could even have linked to a specific revision, but i decided not to, as the reader always has the option to look at an older revision based on date and time.

the more interesting aspect, that is why i linked to wikipedia articles, is that i don’t want to waste time describing something when there is a different place doing so already. if someone is smart enough to follow my ideas in my diploma thesis i assume the same when it comes to judging about the quality of wikipedia articles. and before linking a keyword (like ‘package manager’) to a certain wikipedia article, which should describe it, i always read the article. the idea is twofold: first i like to see if my conception or understanding matches with what is in the article. second, if that is the case, i would simply link it and forget about the whole thing. but if my understanding does not match with the article i can evaluate my or their version as being better and pick what fits best.

for some online articles i had to link, i wasn’t even able to provide a direct link and therefore added a google search link into the document.

wiki editing has so many benefits, like being able to rollback to a previous version. do collaborative work. why is there no wiki like support, say when editing libre office/word documents? maybe because back in time that was considered a waste of bits&bytes but using compression that can’t be an argument today.

here is a use-case where that would be great: say you write a document and you pass it to someone else for review and corrections. often i would like the other person doing whatever change he wants to do and later be able to rollback this or that change. with a wiki like document structure this would be very easy.

if you don’t follow, just have a look at this link:

http://en.wikipedia.org/w/index.php?title=Linux&diff=490431450&oldid=489027763

and about link stability: this link might even work when this blog is long gone. 

i see so many benefits by using wikis and wiki like concepts but despite of the wiki-web principle and decentralized VCSs there seems to be no wide use of it.

IMHO i think a webpage, even this wordpress blog, which does not implement a wiki principle, is kind of stupid as one can never be certain what is going on. one could say such a page is schizophrenic to some degree.

hopefully this will change in the future.

update: 11.5.2012 – it would be desirable if the mentioned link stability would be independent of a strict TLD (top level domain). for example: if i move this blog to a different location, say to invalidmagic.de then all the articles here stop working and the links from other pages into this article will fail.


Posts for Thursday, May 3, 2012


AthCon 2012 – Are you ready for IPv6 insecurities ?

My presentation for AthCon 2012 is now available online: Are you ready for IPv6 insecurities ?

Posts for Wednesday, May 2, 2012

notify script for cmus

Recently I bought a new PC and therefore wanted to switch to a new audio player. Usually I use Amarok, which is still one of the best audio players out there. But it has a big disadvantage: it uses MySQL for its database, and I simply didn't want MySQL.
Choosing MySQL as the database backend is still a good decision if you have a really big collection.
And that's Amarok's audience: users with a huge audio collection.
Well, actually I have a huge audio collection too, but since I only ever play around 40 tracks besides mostly listening to streams, I really didn't want an audio player that depends on MySQL.
While looking for a new player I found cmus, a very simple console player. It's perfect. It has all the things I need (playlists, mp3/flac support, stream support) and also a really tiny memory footprint.
To make the player more comfortable under KDE I wrote a small script which shows some basic information about the track I'm currently listening to.

And that's the script:
#!/bin/bash
# Show the current cmus track in a KDE passive popup.
# cmus-remote -Q prints one "key value" line per field, for example
#   duration 213
#   position 42
#   tag artist Foo
#   tag title Bar
# Query cmus once instead of once per field.
status=$(/usr/bin/cmus-remote -Q) || exit 1

duration=$(awk '$1 == "duration" { print $2 }' <<< "$status")
position=$(awk '$1 == "position" { print $2 }' <<< "$status")
artist=$(sed -n 's/^tag artist //p' <<< "$status")
title=$(sed -n 's/^tag title //p' <<< "$status")

# Streams report no usable duration; avoid a division by zero.
if [ "${duration:-0}" -gt 0 ]; then
    percent=$((100 * position / duration))
else
    percent=0
fi

/usr/bin/kdialog --title "CMUS is playing... ($percent%)" \
    --passivepopup "$artist - $title" 3
It looks like this:


To make it even more comfortable I put some code into my .bashrc and inittab.
.bashrc:
# Start cmus once, and only on the console that inittab dedicates to it (tty8),
# so that X terminals and ssh logins don't each start a player of their own.
if [ "$(tty)" = /dev/tty8 ] && ! pidof cmus >/dev/null; then
    /usr/bin/cmus
fi


inittab:
c8:2345:respawn:/sbin/agetty -a michael 38400 tty8 linux


With these settings cmus always gets started on tty8. And with the alias p="cmus-remote -u" I just have to press "p" after login to play music (just a note: I don't use a login manager, that's why I always log in at the console and start KDE/X with startx). Be aware that agetty -a michael logs that user in without asking for a password, so anyone with physical access to the keyboard gets a shell as michael on tty8; that is only acceptable on a machine nobody else can reach.



il faut bien falloir de plus

It's odd that “faut/faute” means either needing something or committing an unjust act.

- Il me faut un stylo. (I need a pen.)
- C’est ma faute. (It's my fault.)

Here again:
- Falta de Morientes. (Morientes committed a foul.)
- No me falta eso. (I don't need that.)

What do you think?


Dell crowbar openstack swift

Learned about Dell Crowbar the other day. It seems to be (becoming) a tool I've wanted for quite a while, because it takes automating physical infrastructure to a new level, and is also convenient on virtual.

Posts for Monday, April 30, 2012

cursorcolumn / cursorline slowdown

The cursorcolumn and cursorline options in Vim are great. Enabling them, and setting up your syntax highlighting correctly, will highlight the line and column that contain the cursor, drawing a sort of "crosshairs" to let you find the cursor easily.

This is especially useful when editing non-sourcecode files, like giant fixed-width data files. Or when you need to keep switching your attention back and forth between Vim and something else; the visual cue to draw your eyes back to the cursor can prevent a mental page fault.

[image: cursor crosshairs]

Great. However, the help info for cursorcolumn says this, in part:

    Highlight the screen column of the cursor with CursorColumn
    |hl-CursorColumn|.  Useful to align text.  Will make screen redrawing
    slower.

"Will make screen redrawing slower" is an understatement, unfortunately. Over the past who-knows-how-long, I've noticed Vim slowing to a crawl when editing certain files, mostly big Ruby files. Moving the cursor around or scrolling the window became pretty painful. I could never quite figure out why, but today I got sick of it, and eventually found an old message on the Vim mailing list explaining the problem.

Apparently when you have cursorcolumn or cursorline enabled, the whole screen is redrawn every time you move the cursor. That explains a lot. When I disabled these options, editing complex Ruby files once again achieved notepad.exe-level speed.

I guess there's this:

function! CursorPing()
    set cursorline cursorcolumn
    redraw
    sleep 50m
    set nocursorline nocursorcolumn
endfunction

nnoremap <C-Space> :call CursorPing()<CR>

This will flash the cursor crosshairs for 50 milliseconds when I hit CTRL+Space in normal mode. Better than nothing. Two notes: use nnoremap rather than nmap so the mapping can't be altered by other mappings of ":" or "<CR>", and many terminals deliver CTRL+Space to Vim as <Nul>, so in terminal Vim you may need to map <Nul> instead of <C-Space>.

Posts for Sunday, April 29, 2012


20120215 policies now stable

Today I’ve stabilized the sec-policy/selinux-* packages that provide the 20120215 “series” of SELinux policies. Together with the stabilization, the more recent userspace tools (like the policycoreutils as well as libraries like libsemanage and libselinux) have been pushed out as well. I will be dropping the older policies and userspace tools soon (as they are now deprecated). The documentation has been updated to reflect this too.

Some of the enhancements include:

  • support for permissive domains (allowing users to mark one specific SELinux domain, such as mplayer_t, as permissive even though the rest of the system runs in enforcing mode)
  • support for file context translations, so we can now say “/usr/lib64 (and below) should have the same contexts as /usr/lib”
  • support for role attributes, which gives policy developers similar freedom as with type attributes
  • support for named file transitions, so a policy rule can say that if domain A creates a file with a given name in a directory labeled B, that specific file should get label C. Same for directories, btw.

Although some of these enhancements were available as features individually, the policies we had were not aligned with it – and now, that has changed ;-)

Posts for Saturday, April 28, 2012

booting nixos from lvm on top of mdadm using GPT

what is this?

i recently upgraded my hetzner root server and therefore had a system with 2x 3tb disks. as fdisk (MBR partition tables) can’t be used to partition disks > 2tb i had to use gpt instead, which was quite tricky until it was working. so here is my installation guide. parts of it also apply to other distributions.

this guide uses concepts from the hetzner wiki OpenBSD installation guide [1].

note:

  • gpt is used for both disks
  • there is no extra /boot partition (the system will directly boot from the lvm which is on top of the mdadm); this works since grub2
  • this setup is pretty similar to using fdisk (MBR) partitions
  • this guide still uses BIOS to boot (no EFI/UEFI)
  • /dev/sda1 and /dev/sdb1 are very small partitions (2 MiB); they are used to store the grub2 boot stages (the core image grub2 needs to boot from gpt without EFI, hence the bios_grub flag below), see [5]

disk layout

 

the installation

first remove old partitions/mdadm setups

uninstall:

lvremove /dev/myvolgrp/home
lvremove /dev/myvolgrp/system
lvremove /dev/myvolgrp/swap
vgremove myvolgrp
pvremove /dev/md0
mdadm --stop /dev/md0
# to remove the md0 permanently
mdadm --zero-superblock /dev/sda1
mdadm --zero-superblock /dev/sdb1

creating the partitions

parted /dev/sda
mklabel gpt
mkpart non-fs 0 2
mkpart primary 2 3001G
p
Number Start End Size File system Name Flags
1 17.4kB 2000kB 1983kB non-fs
2 2097kB 3001GB 3001GB primary

set 1 bios_grub on
p
Number Start End Size File system Name Flags
1 17.4kB 2000kB 1983kB non-fs bios_grub
2 2097kB 3001GB 3001GB primary

creating the new mdadm softraid device

mdadm --create /dev/md0 --level=1 --raid-devices=2 /dev/sda2 /dev/sdb2
mdadm: Note: this array has metadata at the start and
may not be suitable as a boot device. If you plan to
store '/boot' on this device please ensure that
your boot-loader understands md/v1.x metadata, or use
--metadata=0.90
Continue creating array? y
mdadm: Defaulting to version 1.2 metadata
mdadm: array /dev/md0 started.

LVM+filesystems

pvcreate /dev/md0
Physical volume "/dev/md0" successfully created

vgcreate myVolGrp /dev/md0
Volume group "myVolGrp" successfully created

lvcreate -n system -L50G myVolGrp
lvcreate -n swap -L8G myVolGrp

mkfs.ext4 -O dir_index -j -L system /dev/myVolGrp/system
mkswap -L swap /dev/myVolGrp/swap

note: the disk layout diagram mentions a tmp partition which happened to be added later ;-)

using a virtual machine + vnc to boot the iso image

preparing the host system:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

on the hostsystem

#download latest console only 64bit nixos installer
nixos-minimal-0.1pre33860-33874-x86_64-linux.iso

make sure /dev/myVolGrp/system and /dev/myVolGrp/swap are not in use:

apt-get install sudo
qemu-system-x86_64 -enable-kvm -m 1024 -hda /dev/md0 -net nic -net tap -cdrom nixos-minimal-0.1pre33860-33874-x86_64-linux.iso -boot d -vnc localhost:0

note: in contrast to original article [1] i use ‘-enable-kvm’ which speeds things up!

from your homecomputer

execute this two commands (in two different shells):

ssh -L 5900:localhost:5900 root@176.9.99.117
vncviewer localhost

inside the qemu/kvm system via vncviewer

now we have to install the system on the devices we prepared in the steps before:

inside do:
login as root
mount -L system /mnt

cd /mnt
nixos-option --install
vi /etc/nixos/configuration.nix

stop dhcpcd
ip a add 172.2.0.2/16 dev eth0
ip r add default via 172.2.0.1
echo "nameserver 8.8.8.8" > /etc/resolv.conf
# use ping www.google.de to verify that the routing is working

# example url, configuration.nix is appended to this article
curl -O http://lastlog.de/configuration.nix
mv configuration.nix /mnt/etc/nixos/configuration.nix
# now the installation, make sure you read the nixos installation guide as well, but in short:
nixos-install
# only the grub2 installation should have failed (as there is no /dev/sda1 in the virtual machine!)
#finally we halt the system
halt

in the host system we need to install grub2:

apt-get install grub2
grub-install --no-floppy --root-directory=/mnt --recheck /dev/sda
Installation finished. No error reported.

grub-install --no-floppy --root-directory=/mnt --recheck /dev/sdb
Installation finished. No error reported.

# now we add a ssh key so we can login into this system later on
cd /mnt
mkdir root
cd root
mkdir .ssh
chmod 0700 .ssh/
cd .ssh
echo "ssh-rsa AAAAB3Nz.....aU79sGVhyOPRz joachim@ebooK" > authorized_keys

from your home computer log into the installed system (reboot the host first) and then issue this command:

ssh root@176.9.99.117 -i ~/.ssh/myprivatekey

after the first login, nixos-rebuild switch might fail with this error message:

nixos-rebuild switch --fast
building the system configuration...
updating GRUB 2 menu...
installing the GRUB bootloader on /dev/sda...
/nix/store/iaypdz5mm1qk8izs9412cb28v9vwwcn4-grub-1.99/sbin/grub-probe: error: no such disk.
Auto-detection of a filesystem of /dev/mapper/myVolGrp-system failed.
Try with --recheck.
If the problem persists please report this together with the output of "/nix/store/iaypdz5mm1qk8izs9412cb28v9vwwcn4-grub-1.99/sbin/grub-probe --device-map="/boot/grub/device.map" --target=fs -v /boot/grub" to
grub-probe --device-map="/boot/grub/device.map" --target=fs -v /boot/grub
grub-probe: info: Cannot stat `/dev/disk/by-id/scsi-35000c5003f556643', skipping.
grub-probe: info: Cannot stat `/dev/disk/by-id/scsi-35000c5003f5363a6', skipping.
grub-probe: info: changing current directory to /dev.
grub-probe: info: changing current directory to pts.
grub-probe: info: changing current directory to shm.
grub-probe: info: changing current directory to myVolGrp.
grub-probe: info: changing current directory to md.
grub-probe: info: changing current directory to disk.
grub-probe: info: changing current directory to by-label.
grub-probe: info: changing current directory to by-uuid.
grub-probe: info: changing current directory to by-partlabel.
grub-probe: info: changing current directory to by-partuuid.
grub-probe: info: changing current directory to by-path.
grub-probe: info: changing current directory to by-id.
grub-probe: info: changing current directory to snd.
grub-probe: info: changing current directory to mapper.
grub-probe: info: opening myVolGrp-system.
grub-probe: error: no such disk.

so what is inside this device.map anyway?

cd /boot/grub
cat device.map
(hd0) /dev/disk/by-id/scsi-35000c5003f556643
(hd1) /dev/disk/by-id/scsi-35000c5003f5363a6

Jordan_U in #grub on irc.freenode.net recommended removing the device.map; that made it work:

rm /boot/grub/device.map

summary

it took quite some time to figure all this out, so i guess someone else might be interested in this guide as well. i also tried to install using EFI, but soon discovered that this might be a very complicated road to go and therefore skipped that.
it is cool to see that there is a very helpful community surrounding the key projects required to get this installation done. i would have had to spend much more time if i hadn’t had someone to ask from time to time.

links

[1] http://wiki.hetzner.de/index.php/OpenBSD
[2] https://wiki.archlinux.de/title/Gpt
[3] https://wiki.archlinux.org/index.php/GRUB2#GPT_specific_instructions
[4] http://www.wensley.org.uk/gpt
[5] http://en.wikipedia.org/wiki/GNU_GRUB#GRUB_version_2

configuration.nix

# Edit this configuration file which defines what would be installed on the
# system. To Help while choosing option value, you can watch at the manual
# page of configuration.nix or at the last chapter of the manual available
# on the virtual console 8 (Alt+F8).

{config, pkgs, ...}:

{
  require = [
    # Include the configuration for part of your system which have been
    # detected automatically.
    ./hardware-configuration.nix
  ];

  boot.initrd.kernelModules = [
    # Specify all kernel modules that are necessary for mounting the root
    # file system.
    #
    # "ext4" "ata_piix"
    "af_packet" "snd_pcm_oss" "snd_mixer_oss" "rtc_cmos" "rtc_core" "rtc_lib" "snd_hda_codec_via" "i915" "joydev" "drm_kms_helper" "snd_hda_intel" "rng_core" "drm" "snd_hda_codec" "thermal" "i2c_algo_bit" "button" "snd_hwdep" "intel_agp" "psmouse" "i2c_i801" "evdev" "snd_pcm" "video" "agpgart" "pcspkr" "serio_raw" "iTCO_wdt" "i2c_core" "snd_timer" "output" "e1000e" "snd" "soundcore" "snd_page_alloc" "sg" "loop" "ipv6" "kvm" "freq_table" "processor" "thermal_sys" "hwmon" "ext4" "mbcache" "jbd2" "crc16" "raid456" "async_pq" "async_xor" "xor" "async_memcpy" "async_raid6_recov" "raid6_pq" "async_tx" "md_mod" "sd_mod" "crc_t10dif" "sata_sil" "ata_piix" "dm_mod" "usb_storage" "usb_libusual" "usbhid" "hid" "ohci1394" "ieee1394" "ahci" "libata" "scsi_mod" "ehci_hcd" "uhci_hcd" "usbcore" "nls_base" "scsi_wait_scan" "unix"
  ];

  boot.loader.grub = {
    # Use grub 2 as boot loader.
    enable = true;
    version = 2;

    # Define on which hard drive you want to install Grub.
    devices = [ "/dev/sda" "/dev/sdb" ];
  };
  boot.extraKernelParams = [ "vga=normal" "nomodeset" ];

  networking = {
    hostName = "nix9000"; # Define your hostname.
    # wireless.enable = true; # Enables Wireless.
  };

  # Add file system entries for each partition that you want to see mounted
  # at boot time. You can add filesystems which are not mounted at boot by
  # adding the noauto option.
  fileSystems = [
    # Mount the root file system
    #
    { mountPoint = "/";
      #device = "/dev/sda2";
      label = "system";
    }
    #{ mountPoint = "/boot";
    #  label = "boot";
    #}

    # Copy & Paste & Uncomment & Modify to add any other file system.
    #
    # { mountPoint = "/data"; # where you want to mount the device
    #   device = "/dev/sdb"; # the device or the label of the device
    #   # label = "data";
    #   fsType = "ext3"; # the type of the partition.
    #   options = "data=journal";
    # }
  ];

  swapDevices = [
    # List swap partitions that are mounted at boot time.
    #
    { label = "swap"; }
  ];

  # Select internationalisation properties.
  # i18n = {
  #   consoleFont = "lat9w-16";
  #   consoleKeyMap = "us";
  #   defaultLocale = "en_US.UTF-8";
  # };

  # List services that you want to enable:

  # Add an OpenSSH daemon.
  services.openssh.enable = true;

  # Add CUPS to print documents.
  # services.printing.enable = true;

  # Add XServer (default if you have used a graphical iso)
  # services.xserver = {
  #   enable = true;
  #   layout = "us";
  #   xkbOptions = "eurosign:e";
  # };

  environment.systemPackages = with pkgs; [
    zsh wget wgetpaste vimprobable2
  ];

  # Add the NixOS Manual on virtual console 8
  #services.nixosManual.showManual = true;
}


Posts for Friday, April 27, 2012

New KVM Ohai Plugin

I wrote a new KVM plugin for Ohai which gives a ton of important information about KVM guests, which is stored in the node attributes for the host.  This makes it easy to find out which guests are currently on a host and other information about the guest, such as: cpu allocation, memory usage, persistence, autostart, etc.

One of the things you can do once you have this plugin installed and running on the host is have the guest perform a search to find its host and then save that information somewhere on the guest.  This is very convenient if you’re on a kvm guest and you want to know right away what its host is.

In your Chef code, just use something like this to find the current guest’s host:

parent_host = search(:node, "virtualization_kvm_guests:#{node[:hostname]}").first

This plugin uses the same naming scheme for listing guests as my Linux VServer Ohai plugin, so it’s easy to search for the host of a guest, regardless of virtualization type. I often find myself using knife to search for the host of a guest using this:

knife search node "virtualization_*_guests:<myguestname>"

I think of this as a poor man’s KVM management system. ;)

Posts for Thursday, April 26, 2012

quantum cracking

i just finished listening to “Episode 176: Quantum Computing” [1] and this is really a great podcast. like the whole SE-Radio btw!

this podcast really inspired me and on the way back from work, i was thinking about the possibility to exploit software using quantum computing.

quantum cracking that is. it would work like this: assume you have a program or function which gets input. the ultimate goal is to find some input which will crash the program. using a quantum computer this is probably not that hard to compute.
i could imagine that quantum computing could also be used for software verification, which is actually quite the opposite of what quantum cracking would be.

so when quantum computers arrive we not only lose AES/RSA, but our computers will be open to everyone with such a system. hopefully such systems spread soon, which might compensate the negative effect, maybe with quantum cryptography.

but as martin laforest says: at the end of the day i still don’t know when this technique will arrive. but when it arrives it will turn security upside down.

the most promising aspect of quantum computing, which is mentioned in the podcast, is that it will enable detailed quantum research which i consider a very cool thing as it will help to understand what goes down there.

links

http://www.se-radio.net/2011/06/episode-176-quantum-computing-with-martin-laforest/



Greek AdblockPlus Filter on github

For the past months Greek AdblockPlus Filter has steadily been growing in subscribers. I recently did a change in the metadata so that clients fetch/check the list every 2 days instead of the default 7, and the daily subscriber count has surpassed 10.000 unique IPs.

The following graph shows this increase over time:

In order to help people contribute to the project I’ve created a repo on github: greek-adblockplus-filter. So now, if you want to help filter out ads from the greek web, just fork the project via git, make your changes and send me a pull request on github :)

reSource event 001

On May 12th I’m gonna be at the reSource event 001 in Berlin talking about Postprivacy with Gregor Sedlag (@gregorsedlag) and Michael Seemann (@mspro). Session will be in English and I think it’s gonna be fun, smart (well I’ll try not to drag the level down too much ;-)) and inspiring. Looking forward to seeing you there!


Posts for Wednesday, April 25, 2012

Paludis 0.74.1 Released

Paludis 0.74.1 has been released:

  • Compilation fix for certain compilers.
  • Fixed a segfault when encountering blockers inside || ( ) dependencies.


Posts for Tuesday, April 24, 2012

Split page vertically in CSS (minus pixels)

I was designing an online database application recently. The layout I wanted was, I thought, fairly simple:

  • N pixel header at the top
  • The rest of the page split vertically into two panes
  • Each pane should scroll independently

Super easy to do in CSS, right? Of course not! You can't do this:

#header {  height: 50px; }

#panels {  height: 100% - 50px; }

#top, #bottom { overflow: auto; }

This is because (of course) you can't do simple arithmetic in CSS.

I can't think of a reason why it's not supported. My browser knows the height of the window at any given point in time. The browser can surely subtract two numbers. If someone knows of a solid reason why we can't do this in CSS, please clue me in.

I can think of many reasons why I would want to do it though. The above use case is just one of them.

I really dislike resorting to this (which does work, as seen here):

#header {  height: 50px; }

#panels {
    position: absolute;
    top: 50px;
    left: 0px;
    right: 0px;
    bottom: 0px;
}

#top, #bottom { overflow: auto; }

Whenever I start using absolute positioning, I know something went off the rails somewhere.

The worst part isn't that CSS doesn't support this, it's that even if CSS did suddenly support it, I couldn't use it until sometime in 2023 when all the major browsers implemented it and everyone using the old browsers switched or died of old age.

Posts for Friday, April 20, 2012

Why do I publish so much of myself?

As some of you may know I am a somewhat outspoken critic of privacy in the way we handle it today and do even call myself somewhat of a post-privacy advocate (when I do call myself anything; self-descriptions are the hardest!).

If you look to the right of this text you can see where I checked in last, my Foursquare profile is public, looking at my twitter feed you know when I am awake and usually even what I do. On this site you can see my legal name and address as well as my phone number. If you invest a few minutes with your search engine of choice you can find out a lot about me, my family, my upbringing: I live in the open.

Looking at how I advocate a very open lifestyle and try to lure people away from the false promises privacy offers, you could consider me being very open just “eating one’s own dogfood”. On the other hand I have gotten quite some criticism about how dangerous my position is and what a bad sort of advice it might be to people living under oppressive governments, people who are being discriminated against or people with little political or economical power. And that criticism is true. And also misses the point.

I live an extremely privileged life. I am a white, healthy, heterosexual male in Europe. I have a good education and a well-paid and interesting job. It’s actually hard to find any aspects in my life that open me up for the sort of sexist, racist or otherwise-ist attacks and discrimination so many other people face every day even in the so-called “first world”. And if I compare my situation to people living in poorer parts of the world the difference becomes even more grotesque.

But in my perspective, my privileged life commits me to this open lifestyle. Not because I know that it will never have negative consequences but because I see it as an experiment.

Who if not me, a super privileged individual, can test these ideas in the real world? The dangers for me are marginal compared to most people on this planet, hell even in this rich country! I run my life as a test case for my theories, try to reflect upon why a certain aspect works for me and what the preconditions for that success were, try to explicitly trace dangers down to their causes.

Post-privacy is not a utopia you just slap on our world today for everyone and it would work. Like every big social change it takes a lot of time (or probably a catastrophe, which is nothing I want to see happen to anyone, anywhere, for whatever good it may do) for a society to change in that fundamental way. But in order to even properly discuss it, we need to determine the terms and conditions for a post-private society. What economical or political environment is necessary? What new or changed rights does the individual need?

I live my life in this extremely open way to determine said conditions. It’s not a way of living I can recommend for every individual today. But with a lot of work maybe in a few (probably many, probably many more than I have left on this planet ;-)) years there will be a world, a society where everybody can live this open and this freely. And if I can just nudge mankind a little bit in that direction, the few risks I take are really nothing I can invest more than a shrug into. And move on.



Linux Sea now in ePub

On request of Matthew Marchese, I now automatically build an ePub version of Linux Sea for those that like to read such resources on a digital reader. Thanks to the use of DocBook, this was simply a matter of using its xsl-stylesheets/epub/docbook.xsl stylesheet against the DocBook sources and zip the created directory structures (OEBPS and META-INF) to get to the ePub file.

Posts for Sunday, April 15, 2012

Paludis 0.74.0 Released

Paludis 0.74.0 has been released:

  • The way || dependencies are handled has changed to allow upgrades in certain situations that would previously be blocked.
  • Previously file descriptors would be leaked when adding certain types of files to a tar being created for a pbin. This is now fixed.
  • We now strip certain kinds of trailing garbage from tar files, to deal with upstreams who insist upon distributing corrupted tarballs.
  • We now define ${T} to something usable in pkg_pretend.
  • The order of arguments passed to econf has been tweaked, to make it easier to override defaults.
  • cave print-ids etc now have a ‘%u’ format, for a uniquely identifying spec.
  • Added cave print-checksum, for convenience.
  • We now use metadata/md5-cache if it exists.
  • We now ignore self-blockers for Gentoo EAPIs, to avoid problems with developers screwing up package moves.
  • Compilation with GCC 4.7 should now work.


Why both chroot and SELinux?

In my previous post, a very valid question was raised by Alexander E. Patrakov: why still use chroot if you have SELinux?

Both chroot (especially with the additional restrictions that grSecurity enables on chroots, which make it more difficult to break out of a chroot) and SELinux try to isolate an application so it only has access to those resources it needs. Chroot does this on a file-level basis (and a bit more with grSecurity), SELinux on more general resources. However, the things that make SELinux strong (flexible and detailed policy language, fine-grained authorizations) are also its weakness (consolidating files into groups having the same file label), and chroot does have an advantage here.

Suppose that a flaw exists in BIND through which an attacker can read files on the host (through BIND). With SELinux, the domain in which BIND runs is prohibited from accessing and reading files whose label is not one of the labels that the policy thinks BIND should be able to read. More specifically, the BIND policy in the reference policy (which is what both Gentoo and RedHat base their policies on, and generally policies are only enlarged, never really shrunk) allows:

  • etc_runtime_t (read) means access to the files in /etc that are modified at runtime (like mtab, profile.env, gentoo’s /etc/env.d)
  • named_var_run_t (read) is access to /var/run/bind and /var/run/named (and a few other related locations)
  • named_checkconf_exec_t (read/execute) is access to read and execute /usr/sbin/named-checkconf
  • named_conf_t (read) to read the BIND-related configuration files
  • dnssec_t (read) to read the DNSSEC keyfiles
  • locale_t (read) to access /etc/localtime, /usr/share/locale/*, /usr/share/zoneinfo/*
  • etc_t (read) to read the general configuration files in /etc (including passwd, fstab, …)
  • proc_t (read), proc_net_t (read) and sysfs_t (read) to access those pseudo filesystems
  • udev_tbl_t (read) to access /dev/.udev and /var/run/udev (but I have no idea yet why this is in)
  • named_log_t (read/write) for the log files of BIND
  • net_conf_t (read) to access /etc/hosts (including deny/allow), resolv.conf, …
  • named_exec_t (read/execute) the BIND executables
  • named_zone_t (read) to access the zone files, also write access in case of slave system
  • cert_t (read) to read certificate information
  • named_cache_t (read/write) to access its cache
  • named_tmp_t (read/write) to work with temporary files

Isolation provided by SELinux is as powerful as the width of its labeling. For instance, by giving the named daemon read access to /etc files like passwd, fstab, group, hosts, resolv.conf and more, a malicious user who can exploit this hypothetical vulnerability can obtain information that might help him in his further attempts. By chrooting BIND, the files placed in the chroot itself should not offer the information he might be looking for (for instance, the passwd file, if needed at all, is limited to just the named and root accounts, etc.)

Chrooting, but not enabling SELinux, could lead to escalation. A chroot cannot restrict what a process is allowed to do beyond the regular access privileges that are given to the user. If a user can upload an exploit through BIND and have BIND execute it, he can use this as an attack vector for further activities. SELinux here prohibits BIND from writing anything it can also execute (no type in the list above carries both write and execute privileges). It also ensures that the BIND daemon never leaves its security domain (transitioning towards another domain with perhaps other privileges), as there are no transition rules from named_t to any other domain.

Another MAC system that would be better suited to fit both is grSecurity’s RBAC model. Iirc, it uses path definitions to say which files may be accessed and which may not. The weakness SELinux has here (aggregation into sets of files with the same label) doesn’t exist for grSecurity. This debate on path-based versus label-based access control has been going on for a very long time now – just google it ;-)

So, Alexander, in short: chroot further limits the SELinux-allowed privileges to a more fine-grained set of file system resources (files/directories).
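
Added example (not from the post, and not reference-policy code): a small Python checker that parses a constructed allow-rule set modelled on the named_t permissions listed above and reports the two properties the argument relies on, types the domain can both write and execute, and domains it can transition into. The rule syntax follows the reference policy’s allow/type_transition statements; the permission sets are an approximation, not the real policy.

```python
"""Audit a domain's SELinux allow rules for write+execute overlap and domain exits.

Constructed example modelled on the named_t permissions listed in the post;
the permission sets approximate the reference policy, they are not copied from it.
"""
import re
from collections import defaultdict

# Constructed rule set (approximation of the post's bullet list, file class only).
RULES = """
allow named_t etc_t:file { read getattr open };
allow named_t etc_runtime_t:file { read getattr open };
allow named_t named_conf_t:file { read getattr open };
allow named_t named_exec_t:file { read execute execute_no_trans };
allow named_t named_checkconf_exec_t:file { read execute };
allow named_t named_log_t:file { read write append create };
allow named_t named_cache_t:file { read write create unlink };
allow named_t named_tmp_t:file { read write create unlink };
allow named_t named_zone_t:file { read getattr };
allow named_t dnssec_t:file read;
# init starts named: this transition is INTO named_t, not out of it
type_transition initrc_t named_exec_t:process named_t;
"""

ALLOW_RE = re.compile(
    r"^allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{\s*([^}]*)\}|(\w+))\s*;")
TRANS_RE = re.compile(
    r"^type_transition\s+(\w+)\s+(\w+):process\s+(\w+)\s*;")


def parse_rules(text):
    """Return (allows, transitions).

    allows maps (source, target, class) -> set of permissions, merging duplicate
    rules the way the policy compiler does; transitions is a list of
    (source_domain, entrypoint_type, new_domain) tuples.
    """
    allows = defaultdict(set)
    transitions = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ALLOW_RE.match(line)
        if m:
            src, tgt, cls, multi, single = m.groups()
            perms = multi.split() if multi is not None else [single]
            allows[(src, tgt, cls)].update(perms)
            continue
        m = TRANS_RE.match(line)
        if m:
            transitions.append(m.groups())
    return allows, transitions


def write_exec_overlap(allows, domain):
    """File types the domain may both modify (write/append/create) and execute."""
    writable, executable = set(), set()
    for (src, tgt, cls), perms in allows.items():
        if src != domain or cls != "file":
            continue
        if perms & {"write", "append", "create"}:
            writable.add(tgt)
        if "execute" in perms:
            executable.add(tgt)
    return sorted(writable & executable)


def domain_exits(transitions, domain):
    """Domains the given domain can transition into (expected empty for named_t)."""
    return sorted({new for src, _entry, new in transitions if src == domain})


if __name__ == "__main__":
    allows, transitions = parse_rules(RULES)
    print("write+execute types for named_t:", write_exec_overlap(allows, "named_t"))
    print("domains named_t can enter:", domain_exits(transitions, "named_t"))
```

Appending a rule such as `allow named_t named_tmp_t:file execute;` to the constructed set makes the first check report `named_tmp_t`, which is the situation the post says the policy avoids.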

Posts for Saturday, April 14, 2012


Chrooted BIND for IPv6 with SELinux

BIND, or Berkeley Internet Name Domain, is one of the Internet’s most popular domain name service software (DNS). It has seen its set of security flaws in the past, which is not that strange as it is such a frequently used service on the Internet. In this post, I’ll give a quick intro on how to use it in Gentoo Hardened (with PaX)… chrooted… for IPv6… with SELinux ;-)

Installing is of course, as usual, dead easy on Gentoo (Hardened/SELinux). Make sure you have USE="ipv6" set, and then emerge bind. Also install bind-tools as they contain some great tools to help with DNS troubleshooting. Then we’re editing /etc/conf.d/named to set the CHROOT variable. I also set CHROOT_NOMOUNT so that Gentoo doesn’t bind-mount the information in the chroot but instead uses the files in the chroot.

CHROOT="/var/named/chroot"
CHROOT_NOMOUNT="1"

Now we need to either temporarily add some privileges in SELinux, or run the portage_t domain in permissive mode. If you go for privileges, then add the following:

allow portage_t var_t:chr_file { create getattr setattr };

If you however want to temporarily run the portage_t domain in permissive mode, do that as follows:

~# semanage permissive -a portage_t

We are doing this because we are now going to ask the BIND ebuild to prepare the chroot for us. Doing so however requires portage to work on our live file system (and not in the regular “sandbox” mode). SELinux however forces portage in the portage_t domain and only gives it the privileges it needs for building and installing software.

~# emerge --config bind

When done, remove the previous SELinux allow rules again (or set the portage_t domain back in enforcing mode, through semanage permissive -d portage_t). Next we need to relabel the files in the chroot. By default, all files are labeled by SELinux as var_t in that location because it isn’t aware that it needs to see /var/named/chroot as a “root” location.

~# setfiles -r /var/named/chroot /etc/selinux/strict/contexts/files/file_contexts /var/named/chroot

So far so good. Now let’s create a simple named.conf file (in /var/named/chroot/etc/bind):

options {
  directory "/var/bind";
  pid-file "/var/run/named/named.pid";
  statistics-file "/var/run/named/named.stats";
  listen-on { 127.0.0.1; };
  listen-on-v6 { 2001:db8:81:21::ac:98ad:5fe1; };
  allow-query { any; };
  zone-statistics yes;
  allow-transfer { 2001:db8:81:22::ae:6b01:e3d8; };
  notify yes;
  recursion no;
  version "[nope]";
};

# Access to DNS for local addresses (i.e. genfic-owned)
view "local" {
  match-clients { 2001:db8:81::/48; };
  recursion yes;
  zone "genfic.com" { type master; file "pri/com.genfic"; };
  zone "1.8.0.0.8.b.d.0.1.0.0.2.ip6.arpa" { type master; file "pri/inv.com.genfic"; };
};

The zone files referenced in the configuration file are located in /var/named/chroot/var/bind (in a subdirectory called pri – which I use for “primary”). The regular one would look similar to this:

$TTL 1h ;
$ORIGIN genfic.com.
@       IN      SOA     ns.genfic.com. ns.genfic.com. (
                        2012041101
                        1d
                        2h
                        4w
                        1h )

        IN      NS      ns.genfic.com.
        IN      NS      ns2.genfic.com.
        IN      MX      10      mail.genfic.com.
        IN      MX      20      mail2.genfic.com.

genfic.com.     IN      AAAA    2001:db8:81:80::dd:13ed:c49e;
ns              IN      AAAA    2001:db8:81:21::ac:98ad:5fe1;
ns2             IN      AAAA    2001:db8:81:22::ae:6b01:e3d8;
www             IN      CNAME   genfic.com.;
mail            IN      AAAA    2001:db8:81:21::b0:0738:8ad5;
mail2           IN      AAAA    2001:db8:81:22::50:5e9f:e569;
; (...)

while the one for reverse lookups looks like so:

$TTL 1h ;
@       IN      SOA     1.8.0.0.8.b.d.0.1.0.0.2.ip6.arpa. ns.genfic.com. (
                        2012041101
                        1d
                        2h
                        4w
                        1h )

        IN      NS      ns.genfic.com.
        IN      NS      ns2.genfic.com.

$ORIGIN 1.8.0.0.8.b.d.0.1.0.0.2.ip6.arpa.

1.e.f.5.d.a.8.9.c.a.0.0.0.0.0.0.1.2.0.0         IN      PTR     ns.genfic.com.
8.d.3.e.1.0.b.6.e.a.0.0.0.0.0.0.2.2.0.0         IN      PTR     ns2.genfic.com.
; (...)
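
Added example (not from the post): a Python helper that derives the $ORIGIN of the reverse zone and the PTR owner names relative to it from the /48 prefix and host addresses used above, and refuses addresses outside the zone, the usual cause of PTR records that never resolve.

```python
"""Derive ip6.arpa $ORIGIN and relative PTR owner names for a reverse zone.

Added example; the prefix and host addresses are taken from the zone files
in the post and the output can be checked against them.
"""
import ipaddress

# Constructed input (values from the post's zone files).
ZONE_PREFIX = "2001:db8:81::/48"
HOSTS = {
    "ns.genfic.com.": "2001:db8:81:21::ac:98ad:5fe1",
    "ns2.genfic.com.": "2001:db8:81:22::ae:6b01:e3d8",
}


def nibbles(addr):
    """All 32 hex digits of the address, most significant first."""
    return ipaddress.IPv6Address(addr).exploded.replace(":", "")


def zone_origin(prefix):
    """ip6.arpa name of the reverse zone for a nibble-aligned prefix."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen % 4:
        raise ValueError("reverse zone prefix must be a multiple of 4 bits")
    n = net.prefixlen // 4
    labels = nibbles(net.network_address)[:n]
    return ".".join(reversed(labels)) + ".ip6.arpa."


def ptr_owner(addr, prefix):
    """Owner name of addr relative to the zone's $ORIGIN (the remaining nibbles, reversed)."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    ip = ipaddress.IPv6Address(addr)
    if ip not in net:
        raise ValueError(f"{addr} is not inside {prefix}")
    n = net.prefixlen // 4
    host_part = nibbles(ip)[n:]
    return ".".join(reversed(host_part))


def reverse_zone_records(hosts, prefix):
    """$ORIGIN line plus one PTR record per host, ready to paste into the zone file."""
    lines = [f"$ORIGIN {zone_origin(prefix)}", ""]
    for name, addr in hosts.items():
        lines.append(f"{ptr_owner(addr, prefix):<48}IN      PTR     {name}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(reverse_zone_records(HOSTS, ZONE_PREFIX))
```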

We can now start the init script:

~# rc-service named start

On the slave, don’t set the allow-transfer directive and set its type to “slave”. In each zone, you will need to tell where the master is:

zone "genfic.com" {
  type slave;
  masters { 2001:db8:81:21::ac:98ad:5fe1; };
  file "sec/com.genfic";
};

By default, the SELinux policy for BIND does not allow BIND to write stuff in its directories. On the slave system, you will need to change this. A SELinux boolean here does the trick:

~# setsebool -P named_write_master_zones on;

There ya go ;-) Okay, all very condensely written, but it should give some feedback on how to proceed. I’m adding this information to the new online resource I’m writing – A Gentoo Linux Advanced Reference Architecture. Nothing really ready yet, just writing as I go forward with exploring these technologies…

Posts for Thursday, April 12, 2012


Documentation updates for initramfs needed?

A quick help request from the community: if you know of any Gentoo documents that need updates in order for end users to know when and how to use initramfs, please file bug reports and have them block bug #407959. Currently, we have updated the Gentoo Handbook, Gentoo Quickinstall guides and added an Initial ramfs Guide.

The tracker bug is also used to check if and when the eventual roll-out of software can happen, and we want to make sure that we do not forget documentation (something we learned from the openrc migration). Not that the change is as large as was the case with openrc, but it is still nice to have updated documentation in time ;-)

Posts for Wednesday, April 11, 2012

VBA oddities

Riddle me this.

If I create two strings in VBA (Visual Basic for Applications) like so

Dim string1 As String
Dim string2 As String

When I turn a watch on for them, both variables are listed as type “String.” If I were to use the following code though, which I understand to be the exact same thing just with different syntax,

Dim string1, string2 As String

string1 will be listed as type “Variant/Empty” but string2 will still be listed as type “String.”

I’m using Excel 2007 if that makes a difference. Can anyone please explain to me what on earth is going on here?




Posts for Tuesday, April 10, 2012

Thoughts on HTML5′s <time> element and other semantic info on the web

I just read about the <time> HTML5 element, and how it was introduced, then removed, and then re-introduced. While I think proper syntax, consistency, etc. are important, I am more concerned with what such new “semantic” elements will actually mean for the web and its users. This is not limited to <time>, but here it should be easy to explain my general concern, using an example:

It’s March 2012
Joe from the U.S. writes on his blog: “I’ll be on vacation in Europe starting 5/4/12, looking forward to meeting you there!”
Pierre from France reads the blog, and, knowing Joe is from the U.S., he will have the following thoughts: “Cool, Joe will be around… what’s that date… ah, Americans with their month/day/year format… ok, I interpret this as 4th of May, i.e. 4/5/12 in proper French format”

It’s March 2015, HTML5 and <time> are starting to get used
Joe from the U.S. writes on his blog: “I’ll be on vacation in Europe starting <time>2015-05-04</time>, looking forward to meeting you there!”
Pierre from France reads the blog, and having set his browser language to French, it shows “I’ll be on vacation in Europe starting 4/5/15, looking forward to meeting you there!”. Not knowing about his browser being clever and showing him the date in the format he is used to, he thinks: “Cool, Joe will be around… what’s that date… ah, Americans with their month/day/year format… ok, I interpret this as 5th of April, i.e. 5/4/15 in proper French format”

Of course, with proper highlighting of automatically localised dates this could be mitigated to some extent, but I can imagine lots of cases where our current assumptions, coupled with technology that is trying to help, will cause even more confusion than we have now. When communicating, lots of information is “out of band” or just assumed known context. Therefore we need to be very careful when programming our machines to help us communicate, otherwise we achieve the opposite.


CellProfiler and Gentoo

CellProfiler is free open-source software designed to enable biologists without training in computer vision or programming to quantitatively measure phenotypes from thousands of images automatically. See our papers on analyzing cell images and non-cell images.

First we need to install the dependencies (as root):
echo "dev-python/matplotlib wxwidgets" >> /etc/portage/package.use
echo "dev-python/h5py" >> /etc/portage/package.keywords

echo "dev-python/numpy lapack" >> /etc/portage/package.use
emerge -1 lapack-atlas scipy

atlas will take long to merge but will not take up much space, so there is nothing to worry about if the portage dir is on tmpfs

emerge -av cython numpy setuptools matplotlib decorator mysql-python nose h5py

now we have to select the atlas libraries and re-emerge some packages

for x in blas cblas lapack; do eselect $x set atlas; done
emerge -1 numpy scipy

Next, as user, we can create a directory (in my case /opt/CellProfiler) and clone the CellProfiler git repository into it

git clone https://github.com/CellProfiler/CellProfiler.git /opt/CellProfiler/

Now we need sun jdk, which is a restricted package; just check the log at “/var/tmp/portage/dev-java/sun-jdk-version/temp/build.log” and follow the instructions.

emerge sun-jdk
eselect java-vm list
eselect java-vm set user 3

Substitute “3″ with the actual number corresponding to sun-jdk

We can now run Cellprofiler

cd /opt/CellProfiler/
python CellProfiler.py

Posts for Monday, April 9, 2012

booting nixos from lvm on top of mdadm

what is this

since i might require such a setup more often i post it here, so i don’t forget it (see [1]).

this guide works great for fdisk+mdadm+LVM but it did not work for parted lately using ubuntu server. i don’t know why, maybe because of the raid controller?

in case someone removes the commands from the nixos wiki, here are the commands again:

  mdadm --create /dev/md0 --level=1 --raid-devices=2 /dev/sda1 /dev/sdb1

  pvcreate /dev/md0
  vgcreate myvolgrp /dev/md0
  lvcreate -L 1G -n boot myvolgrp
  lvcreate -L 5G -n system myvolgrp

  mkfs.ext4 -L boot /dev/myvolgrp/boot
  mkfs.ext4 -L system /dev/myvolgrp/system

  mount -L system /mnt
  nixos-option --install

  cat /etc/nixos/configuration.nix
  ...
    { mountPoint = "/";
      label="system";
    }
    { mountPoint = "/boot";
      label="boot";
    }
  nixos-install

advantages of this setup

  • no separate /boot partition (such as /dev/sda1 or /dev/sdb1) is required
  • LVM can be used for anything
  • mdadm is still below it, which is a good thing
reminds me though that i should check if /etc/nixos/configuration.nix is capable of installing grub on several disks already. usually it is only installed on /dev/sda, as in this example:

   boot.loader.grub = {
    # Use grub 2 as boot loader.
    enable = true;
    version = 2;

    # Define on which hard drive you want to install Grub.
     device = "/dev/sda"; # only one disk is given here
  };
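As an added example (not from the post or the NixOS wiki), here is the same layout as one configuration fragment, in the list-style fileSystems syntax the post uses, with GRUB installed on both members of the mirror. boot.loader.grub.devices is the plural option that later NixOS releases provide; whether the release used in the post already accepted it is exactly the question left open above, so treat the option name as an assumption and confirm it with `nixos-option boot.loader.grub.devices` on your version.

```nix
{ config, pkgs, ... }:

{
  # Both filesystems are LVM volumes on /dev/md0, found by the labels that
  # mkfs.ext4 -L set (list-style fileSystems syntax, as in the post).
  fileSystems = [
    { mountPoint = "/";     label = "system"; }
    { mountPoint = "/boot"; label = "boot";   }
  ];

  boot.loader.grub = {
    enable = true;
    version = 2;
    # Install the boot loader on every member of the RAID1 mirror, so the
    # machine still boots when /dev/sda is the disk that dies. Assumed option
    # name (plural); the post shows the singular device = "/dev/sda" form.
    devices = [ "/dev/sda" "/dev/sdb" ];
  };
}
```

A mirror only protects the data; a boot loader that lives on a single member is still a single point of failure, which is why the plural form matters here.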

links

[1] https://nixos.org/wiki/Soft-RAID_mdadm_(/dev/md0),_LVM_(PVs,VGs,LVs)

[2] https://nixos.org/wiki/Encrypted_Root_on_NixOS


Posts for Sunday, April 8, 2012

Using Vala and GLib.Math

This took me a while to figure out, but for some annoying reason if you want to use GLib.Math with Vala you'll have to pass -lm to the linker (the generated C calls libm functions, and GCC does not link libm by default). If you happen to be using the Waf build system you can add it to your wscript file like so:

def build(bld):
	bld.add_post_fun(post_build)
	
	bld.env.append_value('CFLAGS', ['-O2', '-g'])
	bld.env.append_value('LINKFLAGS', ['-O2', '-g', '-lm'])
	bld.env.append_value('VALAFLAGS', ['-g', '--enable-checking', '--fatal-warnings'])


Posts for Saturday, April 7, 2012

Get your devtmpfs ready

If you are using stable profiles, you might want to verify whether you are already running a kernel with devtmpfs support enabled. Why? Well, currently you might not need it, but the upcoming openrc/udev packages require it, and they currently do not fail at install time whether you have it enabled or not. As a result, upgrading these packages might give you a system that fails to boot (if you have no initramfs but a separate /usr partition) or that gives many errors (if you have an initramfs).

To verify if it is enabled, check your kernel configuration:


# zgrep DEVTMPFS /proc/config.gz
# CONFIG_DEVTMPFS is not set

If you get the output as described above, best update your kernel configuration to include it. The second devtmpfs-related option (to automatically mount it on /dev) is not needed afaik.
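The zgrep above also matches CONFIG_DEVTMPFS_MOUNT and silently does nothing when /proc/config.gz is absent (CONFIG_IKCONFIG_PROC not set). Here is an added Python 3 example, not from the original post, that parses a kernel config, distinguishes the two options, and falls back to /boot/config-<release>; the config text in its self-test is constructed, not taken from a real kernel.

```python
#!/usr/bin/env python3
"""Added example, not code from the original post: check whether the running
kernel (or a given config file) has devtmpfs built in.

/proc/config.gz only exists when CONFIG_IKCONFIG_PROC is set, so the lookup
falls back to /boot/config-<release>. The config text used in the self-test is
constructed here, not taken from a real kernel.
"""
import gzip
import os
import platform
import re

# "CONFIG_FOO=y", "CONFIG_FOO=m", "CONFIG_FOO=\"str\"" ...
OPTION_RE = re.compile(r'^CONFIG_([A-Za-z0-9_]+)=(.*)$')
# "# CONFIG_FOO is not set" is how an unset boolean appears
UNSET_RE = re.compile(r'^# CONFIG_([A-Za-z0-9_]+) is not set$')


def parse_kconfig(text):
    """Map option names (without the CONFIG_ prefix) to 'y', 'm', 'n' or a value."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        m = OPTION_RE.match(line)
        if m:
            opts[m.group(1)] = m.group(2).strip('"')
            continue
        m = UNSET_RE.match(line)
        if m:
            opts[m.group(1)] = "n"
    return opts


def read_kconfig(path):
    """Read a plain or gzip-compressed kernel config as text."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt") as fh:
        return fh.read()


def candidate_paths(release=None):
    """Where a config for the running kernel is usually found, in order."""
    release = release or platform.release()
    return ["/proc/config.gz", "/boot/config-%s" % release, "/usr/src/linux/.config"]


def devtmpfs_status(opts):
    """Return (ok, message). devtmpfs cannot be built as a module, so only =y
    counts; DEVTMPFS_MOUNT is reported but, as the post says, not required."""
    state = opts.get("DEVTMPFS", "n")
    if state != "y":
        return False, "CONFIG_DEVTMPFS is %s: enable it before upgrading udev/openrc" % state
    return True, "CONFIG_DEVTMPFS=y (DEVTMPFS_MOUNT=%s, optional)" % opts.get("DEVTMPFS_MOUNT", "n")


def check_running_kernel():
    """Locate a config for the running kernel and evaluate it."""
    for path in candidate_paths():
        if os.path.isfile(path):
            return path, devtmpfs_status(parse_kconfig(read_kconfig(path)))
    return None, (False, "no kernel config found; build with CONFIG_IKCONFIG_PROC to expose one")


if __name__ == "__main__":
    path, (ok, msg) = check_running_kernel()
    print("%s: %s" % (path or "(none)", msg))
    raise SystemExit(0 if ok else 1)
```

Run it before the udev upgrade; a non-zero exit means the running kernel is not ready and a reboot into the new kernel is needed first.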

And for those that have been with Gentoo for a while – devtmpfs is not devfs. Well, it is. But it isn’t. Somewhat. Oh well, there’s discussion on that which I’m not going to elaborate on. Safe to say that we’re getting older if we start feeling “Been there, done that, got the t-shirt” ;-)

Edit: as Robin mentioned in the comments, the udev ebuild does check at it. However, it doesn’t fail an installation so you could miss the message. Apologies for the lies, Robin ;-) Post updated.

GetKDE.org – the workspace, and what’s going on.

Some updates. Both for newcomers to GetKDE.org and those who have seen this project before, see the homepage, the explore page, and then finally, the page I’m writing about.

Homepage has been updated too:

And explore page updated too.

Hope you like it.

I have to apologise for only having the time to work on this very sporadically. Next in the to-do list is the apps page.

Related posts:

  1. GetKDE.org progress – Discover KDE!
  2. What’s up with KDE.org & Hello GetKDE.org
  3. The kde-www war: part 4

exit yes, but not too quickly

It’s a weekday. It’s morning. The train arrives at the destination full of commuters. The platform is mingling with commuters waiting to get on the train to go where we just came from. We disembark. A sea of people as these two streams conflate and confuse. As we head to the exits and they board the train we slowly disentangle. There are so many of us that a long line forms before the escalator down from the platform. Not even a line, more of a V-shaped traffic jam that extends to nearly the whole width of the platform. Slowly we converge on the escalator that shall deliver us from this overcrowded place. We could only wish the line were moving faster. Then, at last, we’ve made it, we step onto the escalator and… just stand there. All this waiting just to be able to stand in line some more? Yes, the escalator is moving, but why not walk down it? Especially since there are so many people, we’d be able to exit the platform quicker that way. But that isn’t the custom. Apparently, if something moves us we must not move ourselves, we must appreciate and make it last as long as possible.

I love whiteboards.

Although it might seem like an awkward title (perhaps even shit-worthy), I have felt the need to profess how amazing they are.

A long time back when I was still in Malaysia, I owned a little corkboard panel which I used to pin up those important forms I would always lose, and occasionally to map out ideas for projects. After moving to Australia, where customs weren't too happy about bringing over wood, it was a while until I used such a board again. When I did, however, it had taken on a newer purpose: as a pin-up of my half-finished, terrible works that were going to be binned. I called it the "motivation board", something I would look at to realise which projects had potential and which didn't, and drive myself towards completing the ones that did. I added stuff quite frequently to that board, which shows a little bit about the easy come, easy go nature of some of my micro projects.

After an academic year was over, I spent the winter in Shanghai where I again lost access to such a board. As I slowly found time to slip into my “work on my projects” groove, I picked up a slightly distorted square A4 book which served as a journal to jot down ideas and work out design problems. It was better than nothing, but lacked the “overview” quality that boards have.

However after moving again early this year back in Australia, I decided to get my board back. I walked over to an Officeworks, right past the chipboards and into the whiteboards section. I bought a decently large one and took it home.

That was when I realised the differences between these boards.

  • The pin-up board is good as a consumption device – a long-term overview of your work.
  • The journal is an on-the-go device, but divides your ideas into very linear and isolated chunks.
  • The whiteboard, at least when I use it, is an absolute gold device for short-term brain-dribble visualisation, which makes it a dedicated creation device. There is no consuming on a whiteboard. It's a develop-and-iterate tool. It's what I really needed from the very beginning.

So much for noteslate and courier.

No related posts.

Posts for Thursday, April 5, 2012

programming with serial ports in linux

what is this?

i bought a UPS with two ports: serial and usb. and because i did not know much about the UPS (AEG Protect Home VA 600) i started to look at the communication protocol. turns out there are lots of good tools for serial line interception but nearly none for the usb stuff. sadly the driver i wrote isn't needed at all, as an email to the nut mailing list revealed that this UPS uses the Q1 protocol, which is already supported pretty well by the blazer_usb and blazer_ser drivers.

anyway it was pretty interesting to hack on NUT using debian and later nixos. so here is a guide on how to log/analyze serial traffic and how to write a simulator for either side.

and not to forget: thanks to Arnaud Quette for his ups/nut support. there is also a brief nut setup introduction, see [1].

sniff serial port data between UPS and PC

  1. set the VirtualBox serial port settings of the VM to:
     - enable serial port
     - port number COM1, IRQ 4, I/O port 0x3f8
     - port mode: host device
     - port/file path: /tmp/interceptty
  2. maybe correct the permissions of /tmp/interceptty
  3. interceptty -s 'ispeed 2400 ospeed 2400' -l /dev/ttyS0 /tmp/interceptty | tee mylog | interceptty-nicedump
     (the frontend path /tmp/interceptty must match the path given to VirtualBox in step 1)
  4. on the linux host:
     tail -F mylog | grep "<"
  5. start the virtualbox vm with windows xp installed
     note: ignore this virtualbox warning: "Ioctl failed for serial device '/tmp/interceptty' (VERR_INVALID_PARAMETER). The device will not work properly." it works anyway, at least on my system (using ubuntu 10.10 with the standard virtualbox).

using the virtual python UPS

  1. on the server side, create /dev/remserialVM:
     remserial -d -p 23000 -s "2400 raw" -l /dev/remserialVM /dev/ptmx
  2. on the client side (same host), do:
     remserial -d -r 127.0.0.1 -p 23000 -s "2400 raw" -l /dev/remserialPY /dev/ptmx
  3. chmod 0777 /dev/remser*
     (world-writable is the quick lab fix; whoever can write to these ptys can feed the VM arbitrary UPS frames, so on a shared machine prefer 0660 plus a group the VirtualBox user belongs to)
  4. change the virtualbox serial settings:
     - port mode: host device
     - port/file path: /dev/remserialVM
  5. then compose a 'message' with a hex editor (for example the tool called "hexeditor")
  6. start the vm
  7. then send the formatted message:
     cat message > /dev/remserialPY
  8. check whether the message was received by the windows ups monitoring software (it will treat the message as coming from the UPS, not as something crafted by hand)
note: instead of sending messages manually, i also used the script ./simulate-ups.py which does that automatically.
note: simulate-ups-monitor.py can be used in an analogous way, but talks to the real ups over a real serial port. i should mention, btw, that i was using both a usb2serial adapter and an old computer which still has one of those ancient serial ports.

simulate-ups.py

#!/usr/bin/python
# Python 2. Simulates the UPS side of the Q1 protocol on the pty that
# remserial created, so the Windows monitoring software in the VM thinks
# it is talking to a real UPS.
import serial

ser = serial.Serial('/dev/remserialPY', 2400)

# Q1 status reply, exactly as a real UPS pads it:
# "(" input_v fault_v output_v load% freq batt_v temp status_bits CR
# (the original built this byte by byte from hex: 28 = "(", 20 = " ", 0d = CR)
Q1_REPLY = "(000.0 000.0 000.5 005 00.0 00.6 25.0 00000001\r"


def process_command(cmd):
        print " < incoming: " + cmd
        if cmd == "Q1":
                print "REQUEST FOR DATA FROM UPS"
                ser.write(Q1_REPLY)
        # other Q1 commands (e.g. "I" for identification) are ignored here


line = ''
while True:
        ch = ser.read(1)
        if ch == "\x0d":        # every command is terminated by CR
                process_command(line)
                line = ''
        else:
                line = line + ch

simulate-ups-monitor.py

#!/usr/bin/python
# Python 2. Polls a Q1-protocol UPS on a real serial port once a second and
# validates every reply before trusting its fields.
import serial
import re
import sys
import time

ser = serial.Serial('/dev/ttyS0', 2400)
# the defaults are already 8N1 (serial.EIGHTBITS, serial.PARITY_NONE, serial.STOPBITS_ONE)

Q1_QUERY = "Q1\r"      # the bytes 51 31 0d

# Layout of a valid reply. The dots are escaped so they only match the
# decimal point (a bare "." would accept any character there).
VALID = re.compile(r"\(\d{3}\.\d \d{3}\.\d \d{3}\.\d \d{3} \d{2}\.\d \d{2}\.\d \d{2}\.\d [01]{8}$")


def process_command(cmd):
        if not VALID.match(cmd):
                print "invalid reply detected: " + cmd
                sys.exit(1)
        # example reply: (239.5 239.5 235.6 000 49.9 13.6 25.0 00001001
        fields = cmd.lstrip('(').split(' ')
        input_voltage, fault_voltage, output_voltage = fields[0], fields[1], fields[2]
        load_percent, frequency, battery_voltage, temperature = fields[3], fields[4], fields[5], fields[6]
        bits = fields[7]
        # status bits, most significant first (Megatec/Q1 as documented for
        # NUT's blazer drivers): utility fail, battery low, bypass active,
        # UPS failed, standby type, test in progress, shutdown active, beeper on
        utility_fail = bits[0] == '1'
        battery_low = bits[1] == '1'
        print "VALID REPLY FROM UPS -> " + cmd


ser.write(Q1_QUERY)
line = ''
while True:
        ch = ser.read(1)
        if ch == "\x0d":
                process_command(line)
                time.sleep(1)
                ser.write(Q1_QUERY)
                line = ''
        else:
                line = line + ch

simulate the UPS monitor

# ./simulate-ups-monitor.py
VALID REPLY FROM UPS -> (241.5 241.4 237.5 000 49.9 13.5 25.0 00001001
VALID REPLY FROM UPS -> (241.5 241.4 237.5 000 49.9 13.5 25.0 00001001
VALID REPLY FROM UPS -> (241.4 241.4 237.5 000 49.9 13.5 25.0 00001001
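Both scripts above assemble and tear apart Q1 frames by hand. As an added Python 3 example, not code from the original post, here is the frame format done once properly: an encoder for the simulator side, a strict decoder for the monitor side, the CR-based framing the byte loops do implicitly, and the shutdown rule described in the summary below. Field names and status-bit meanings follow the Megatec/Q1 protocol as documented for NUT's blazer drivers; all frames in the self-test are constructed, the first being the reply the post shows in its output.

```python
#!/usr/bin/env python3
"""Added example, not code from the original post: encode, decode and act on
Megatec/Q1 status frames, the protocol the two scripts above exchange by hand.

Reply layout (field names and status-bit meanings as documented for NUT's
blazer drivers):

    (MMM.M NNN.N PPP.P QQQ RR.R SS.S TT.T b7b6b5b4b3b2b1b0<CR>

Every sample frame below is constructed for the self-test; the first one is
the reply the post shows in its output.
"""
import re

Q1_QUERY = b"Q1\r"      # the bytes 51 31 0d that the monitor sends
CR = b"\r"

# One status reply. The dots are escaped; the post's regex used bare "." which
# also matches any other character.
FRAME_RE = re.compile(
    rb"^\((\d{3}\.\d) (\d{3}\.\d) (\d{3}\.\d) (\d{3}) "
    rb"(\d{2}\.\d) (\d{2}\.\d) (\d{2}\.\d) ([01]{8})\r$"
)

# Status bits, most significant (leftmost) first.
STATUS_BITS = (
    "utility_fail", "battery_low", "bypass_active", "ups_failed",
    "standby_type", "test_in_progress", "shutdown_active", "beeper_on",
)


def parse_q1(frame):
    """Decode one CR-terminated reply; raise ValueError on anything malformed."""
    m = FRAME_RE.match(frame)
    if not m:
        raise ValueError("malformed Q1 frame: %r" % (frame,))
    f = [g.decode("ascii") for g in m.groups()]
    return {
        "input_voltage": float(f[0]),
        "input_fault_voltage": float(f[1]),
        "output_voltage": float(f[2]),
        "load_percent": int(f[3]),
        "input_frequency": float(f[4]),
        "battery_voltage": float(f[5]),
        "temperature": float(f[6]),
        "status": {name: f[7][i] == "1" for i, name in enumerate(STATUS_BITS)},
    }


def build_q1(input_v, fault_v, output_v, load, freq, batt_v, temp, flags=()):
    """Build the reply a simulated UPS should send; `flags` names the set bits."""
    bits = "".join("1" if name in flags else "0" for name in STATUS_BITS)
    text = "(%05.1f %05.1f %05.1f %03d %04.1f %04.1f %04.1f %s\r" % (
        input_v, fault_v, output_v, load, freq, batt_v, temp, bits)
    return text.encode("ascii")


def split_frames(data):
    """Split buffered serial input into complete frames plus the unfinished tail.
    This is what the byte-at-a-time loops in the post do implicitly."""
    parts = data.split(CR)
    return [p + CR for p in parts[:-1]], parts[-1]


def should_shutdown(status, seconds_on_battery, grace=25):
    """The policy from the post's summary: shut down on low battery, or once the
    UPS has been on battery (utility failed) for `grace` seconds."""
    if status["battery_low"]:
        return True
    return status["utility_fail"] and seconds_on_battery >= grace


if __name__ == "__main__":
    reply = b"(241.5 241.4 237.5 000 49.9 13.5 25.0 00001001\r"
    for frame in split_frames(reply + reply)[0]:
        d = parse_q1(frame)
        print(d["input_voltage"], d["battery_voltage"],
              [k for k, v in d["status"].items() if v])
```

The strict regex is the point: a monitor that acts on the status byte of anything that happens to arrive on the line, as the crafted-message experiment above shows is possible, will shut the machine down on garbage; rejecting frames that do not match the full layout is the cheapest defence.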

summary

so would i buy an AEG Protect Home VA 600 again? currently there is no 'time left' estimation and therefore i shut down the system either after 25 seconds or on LB (low battery), but after recharging the batteries the shutdown is usually triggered by the 25 seconds rule after a state change to OB (on battery). i think this is a decent setup and therefore i would probably buy that UPS again. but i don't really have a clue about UPS devices so there might be much better ones in the same price range; maybe someone on the NUT/UPS ML can make a better recommendation.

what i really dislike is that this product ships with linux support BUT not with NUT support. i later realized that they created their own linux software. what a waste of time, i would much rather get the specification and then use NUT instead; probably this is the case for nearly all the users who see that this device has linux support. but my request to get the specification was simply ignored, so i think there are better vendors out there.

another interesting aspect of nut is how complex the integration in the system is.

links

[1] https://nixos.org/wiki/How_to_setup_UPS/NUT


Posts for Wednesday, April 4, 2012

I don't have cancer

2011 was an interesting year. A year of firsts!

  • I worked on my first book, Clojure Programming (soon to be released, in fine bookstores near you).
  • I bought my first house.
  • The first of my maternal grandparents died.

Hmm, kind of took a turn for the worse there. Then, one fine sunny day in 2011, sitting at my favorite pub, enjoying my favorite beer, I started coughing up blood. Another first!

More firsts:

  • First Emergency Room visit.
  • First bronchoscopy.
  • First CT scan.

Coughing up blood [1] is caused by a huge number of things, from nose bleeds to lung cancer to food going down the wrong pipe to cocaine use. It turns out that 30-year-old non-smokers with no other symptoms tend not to have lung cancer. That didn't stop me from fearing the worst.

Canadian Health Care

This was my first chance to experience the Canadian health care system first-hand after immigrating here. "Free health care" is not entirely accurate, but is very close. I pay some small amount of money monthly ($30-40 I think) to be included in the government-provided Medical Services Plan (MSP). Many employers pay this fee for their employees, but mine doesn't. No big deal.

Once in this system, every "essential" form of health care is paid for completely by the government. Emergency room visit, bronchoscopy, blood test, x-ray, visit with my family doctor, visit with my pulmonologist, all of it was 100% paid for. Show them a government "Care Card" and you're set.

Prescriptions are not covered. Things like eyeglasses, non-emergency dentistry, and elective procedures are not covered. I can get private health insurance to pay for some of those things, but I never bothered, because the cost of that stuff is so low.

I'd hesitantly call this a step up from the US system of huge numbers of people being uninsured, and of insurance not actually covering all of your medical expenses even if you have it.

The one bad thing about Canadian health care is the wait times. It's often a month or longer to get an appointment to see my pulmonologist. I'm currently scheduled for another medical test... in June. This was scheduled about 4 weeks ago. Thank God I didn't have cancer, or I'd probably have been dead before I got to see a doctor.

I never went through a similar experience in the US, so I'm not sure what the wait times are like in comparison. I do remember my father waiting for over a month (in severe pain) to have a surgery performed because his insurance company dragged their feet in approving it, or something like that. So yeah. I probably can't complain much.

Now what?

After months of waiting and months of not knowing, and then having a few cameras shoved into my lungs, it turns out I probably don't have cancer. So that's pretty good news. I still don't know what's causing me to sporadically cough up blood, but as more and more "serious" things are ruled out by tests, I find myself in much better spirits.

2011 will go down in my biography [2] as the Year of Lost Productivity. I didn't handle the stress very well, to put it very mildly. It's unfortunate that the act of worrying about dying and not having time to do things I want to do ended up hindering me from doing many things I wanted to do.

I sometimes hear about people who actually have terminal illness showing bravery in the face of their illness. By contrast, it didn't even take terminal illness to essentially blow me out of the water. Just the real threat of it. I feel a lot of shame and regret at how poorly I handled myself. I'm trying to use that regret as motivation. I have a lot of things I need to accomplish, and who knows, maybe not as much time to accomplish them as I'd like to imagine.

So I have a lot of plans for this year. Old projects need to be dusted off and brought up to speed. Step one is probably kicking some life back into this old blog.

  1. Hemoptysis. From Greek hemo (blood) + ptýsis (spitting). A word I'm now intimately familiar with.

  2. I'm not actually writing a biography.

Posts for Tuesday, April 3, 2012

Limiting IRB output

Below is a snippet from my .irbrc file on our production servers, which we access over SSH. It has saved so much frustration by truncating IRB output to 3000 characters. It will, of course, potentially break any code using printf…

module Colours
  Reset = "\e[0m"
  Red = "\e[0;31m"
  Green = "\e[0;32m"
  Yellow = "\e[0;33m"
  Blue = "\e[0;34m"
  Magenta = "\e[0;35m"
  Cyan = "\e[0;36m"
  White = "\e[0;37m"
  BrightRed = "\e[1;31m"
  BrightGreen = "\e[1;32m"
  BrightYellow = "\e[1;33m"
  BrightBlue = "\e[1;34m"
  BrightMagenta = "\e[1;35m"
  BrightCyan = "\e[1;36m"
  BrightWhite = "\e[1;37m"
end

# Only print the first 3000 characters using printf().
#
# IRB echoes results through Kernel#printf with the inspected value as the
# last argument, so truncating args.last is what limits the echoed output.
#
# It would be nicer to only do this for instances of IRB::Irb, but I can't work
# out how to do that in .irbrc or files required there.
module Kernel
  alias_method :old_printf, :printf

  def printf(*args)
    last = args.last
    # Only strings can be truncated; leave numeric or IO arguments alone.
    if last.is_a?(String) && last.length > 3000
      last.slice! 3000...last.length
      last << "#{Colours::BrightCyan} ...\n  ... etc#{Colours::Reset}"
    end
    old_printf(*args)
  end
end

I don't understand why something like the snippet below isn't the default:

require "bigdecimal"

class BigDecimal
  def inspect
    "#{Colours::BrightMagenta}#{to_s}#{Colours::Reset} (BD)"
  end
end

Posts for Monday, April 2, 2012

FalconPL vim updates

The vim files for the Falcon programming language have been accepted into the official Vim repository. The next release of Vim should include the updates. 

By the way, if you’re using GetLatestVimScripts, while the falcon scripts do have the line there to make them compatible I have not updated the Vim site so that’s either not going to work for you or it’s going to update to an old version. Why is this? Because I forgot my password and I have not gone through the trouble to get it reset.

See the latest change to falcon here.


Posts for Sunday, April 1, 2012

los compañeros

- [French] Good morning, sir. What would you like to eat?

- [Portuguese] Good morning.

- [French] No no no, Roberto, don't do that! You always have to speak French with the locals when you're in France. Otherwise they go crazy.

- [Spanish] Why? Portuguese isn't a very complicated language. I easily understand the tourists in Madrid when they ask me the way somewhere.

- [Portuguese] I don't speak French, Michel. I only know how to speak English.

- [French] No, that's even worse!

- [Italian] Relax, Michel. What can they do to us if we don't speak French? We understand each other perfectly well. That's enough to get by.

- [Portuguese] I understand everything the French say. So they can understand me too.

- [Spanish] Yes, that seems very logical to me.

- [French] So, have you chosen?

- [Italian] Please, sir, don't stand there spying on us while pretending not to understand. Either join the discussion or go away. If we're not ordering, it's because we're not ready.

- [Portuguese] But I am ready, I just can't order in the right language!

- [Spanish] I'm ready to order too.

- Guys, what the hell are you talking about?? I don't understand a damn word of what you're saying.

- [French] Guys, we forgot that David is with us!

Posts for Tuesday, March 27, 2012

Joining Vimeo

Working on scalable information retrieval systems at the University of Ghent has been very fun: interesting and challenging work, a smart team, and an environment that fosters growth and innovation. I could definitely see myself continuing there...
However, Vimeo got in touch and told me about their plans... specifically what's going into the new version and what other stuff they have on their roadmap. I can honestly say vimeo is the most beautiful web property I've ever seen [*], not just that, they also provide a top product/service, and host a great community of passionate people who create some of the most beautiful online videos I've ever seen. (examples: Vietnam travel report, Sabian cymbals taking advertising to a whole new level in this video with my musician hero Mike Portnoy, a city time lapse video)
From what I can tell, they also do product management well: they know what their territory is, and how to cultivate it through stellar community management. They are not a general purpose video site and hence do not compete directly with YouTube or Facebook.

And now, I have the opportunity to be a part of that. After much pondering I decided to go for it. Resigning at the university was hard but smooth, I felt I had to take this chance and they were very supportive.
I'll be working on the infrastructure/backend side of things, I'm actually working on transcoding infrastructure right now. Working from my place in Ghent, a move to NYC at some point in the future might happen, but we'll see...

[*] When they told me the new version would be more appealing than the old, I couldn't believe that's possible. but to my own surprise they succeeded.


Posts for Sunday, March 25, 2012

WordPress Android app

So I figured that, instead of having this blog idle around so much lately, I could test the WordPress Android app to write quick posts every once in a while when I don't have time or a real computer with me for real posts.


The app even supports pictures so let’s see how that goes.


Lighttpd socket Arch Linux /var/run tmpfs tmpfiles.d

On Arch Linux, and probably many other distros, /run is a new tmpfs and /var/run symlinks to it. With Lighttpd you might have a fastcgi socket defined as something like "/var/run/lighttpd/sockets/mywebsite.sock". This won't work anymore: after each reboot /var/run is an empty directory and lighttpd won't start. /var/log/lighttpd/error.log will tell you:

2012-03-16 09:21:34: (log.c.166) server started
2012-03-16 09:21:34: (mod_fastcgi.c.977) bind failed for: unix:/var/run/lighttpd/sockets/mywebsite.sock-0 No such file or directory
2012-03-16 09:21:34: (mod_fastcgi.c.1397) [ERROR]: spawning fcgi failed.
2012-03-16 09:21:34: (server.c.945) Configuration of plugins failed. Going down.

That's where the new tool tmpfiles.d comes in. It creates files and directories as described in its config snippets and gets invoked on boot. Like so:

$ cat /etc/tmpfiles.d/lighttpd.conf
d /run/lighttpd/sockets 0700 http http

The mode and owner are deliberate: the directory belongs to the http user lighttpd runs as on Arch, and 0700 keeps the socket out of reach of other local users. If the FastCGI backend is spawned by something other than lighttpd and runs as a different user, it needs a mode and group that let both sides reach the directory. To create the directory right away without rebooting, run systemd-tmpfiles --create lighttpd.conf.

More on initramfs and SELinux

With the upcoming udev version not supporting separate /usr locations unless you boot with an initramfs, we are now starting to document how to create an initramfs to boot with. After all, systems with a separate /usr are not that uncommon.

As I’ve blogged about before, getting an initramfs to work well with SELinux has not been easy. In effect, I’m going to push out the FAQ (the Gentoo wiki already has it) that the user will need to boot in permissive mode and have an init script in the boot runlevel that resets the contexts of /dev and then switches to enforcing mode. Those that want to make sure SELinux stays on can then also enable the secure_mode_policyload SELinux boolean so that you cannot go back to permissive mode (without rebooting).

For those interested, this is the init script I use on my guest systems (which are for development purposes, so they do not toggle the SELinux boolean):


#!/sbin/runscript
# Copyright (c) 2007-2009 Roy Marples <roy>
# Released under the 2-clause BSD license.

description="Switch into SELinux enforcing mode"

depend()
{
	# /dev must be fully populated and local filesystems mounted before relabelling
	need localmount
}

start()
{
	# The initramfs created the device nodes without SELinux labels; fix them first
	ebegin "Restoring file contexts in /dev"
	restorecon -R /dev
	eend $?

	ebegin "Switching to enforcing mode"
	setenforce 1
	eend $?

	# Production systems can also lock the mode here (see above); development
	# guests leave this out so the mode can still be toggled:
	# setsebool secure_mode_policyload on
}

I call it selinux_enforce for a lack of imagination (and to make it more clear, because if I’d name it “wookie” I’ll be scratching my head in a few weeks trying to figure out why I did that in the first place).

With that enabled, I cannot provide a “denial-free” boot-up anymore (you’ll see many denials from the init_t domain, amongst others, which are best not hidden). That is to say, until I take some time to patch the initramfs to handle SELinux.

Oh, btw, this is for both dracut-generated as well as genkernel-generated initramfs’s. At least the technologies are consistent there.

Posts for Friday, March 23, 2012

documentaries revisited

documentaries

purple_podcasts from harenome razanajato

here is another bunch of documentaries which i forgot in the last posting…

space science related documentaries

energy related


developing software using nixos

i’ve just finished a wiki page on how to develop arbitrary software on nixos [1] (thanks to viric!). as this is fundamentally different from all other linux and non-linux operating systems, i think this subject is worth a posting on my blog.

the interesting aspect is that nix/nixos provides such a development environment per project, so one is not forced to pollute the system environment with ongoing changes, which always lead to horrible side effects such as regressions (you know, when old habits stop working because a tiny update of libX breaks tool Z).

the way it is used is covered by [1] already.

a slightly more complex example

config.nix

     1  {
     2    packageOverrides = pkgs : with pkgs; rec {
     3      # example environment from viric
     4      sdlEnv = pkgs.myEnvFun {
     5        name = "sdl";
     6        buildInputs = [ stdenv doxygen SDL SDL_image SDL_ttf SDL_gfx cmake SDL_net pkgconfig ];
     7      };
     8
     9      # a custom library NOT included in nixpkgs (maybe later it is but assume for this example it is not)
    10      libnoise = callPackage ./libnoise.nix {};
    11
    12      # this is the needed environment for development of my spring random map generator
    13      # type 'load-srmg-env' to load it after installing it using 'nix-env -i env-srmg'
    14      srmgEnv = pkgs.myEnvFun {
    15        name = "srmg";
    16        buildInputs = [ stdenv doxygen cmake libnoise qt4 ];
    17      };
    18    };
    19  }

in the ~/.nixpkgs/config.nix expression i added a custom library which is then available through nix-env; this way it can be installed using nix-env -i libnoise.

the interesting point is that line 2 contains the rec keyword, indicating that all 3 attributes in the attribute set (lines 2 to 18) may recursively reference each other. this is required because srmgEnv on line 14 lists libnoise in its buildInputs.

the libnoise expression is outsourced (line 10) into the file libnoise.nix (listed below).

libnoise.nix

     {stdenv, doxygen, fetchgit, cmake}:

     stdenv.mkDerivation rec {
       name = "libnoise-1.0.0";

       # i also change bits in the library and therefore i like to have it local
       # in case i change anything this needs to be done to reflect the change
       # 1. make the change
       # 2. use 'git add file_which_has_changed'
       # 3. use 'git commit'
       # 4. use 'git log' to find the most recent rev
       # 5. paste the copied rev in the rev field below
       # 6. reinstall the libnoise
       src = fetchgit {
         url = /home/joachim/Desktop/projects/libnoise;
         rev = "8b5b89b7241a112dfe0b387f7589ea9a2df00b02";
         # content hash of the fetched tree; rev alone only selects the commit,
         # the sha256 is what lets nix verify what was actually fetched.
         # left empty here; nix-prefetch-git on the checkout prints the value.
         sha256 = "";
       };

       buildInputs = [ cmake doxygen ];

       meta = {
         description = "libnoise";
         homepage = "http://www.github.com/qknight/libnoise";
         license = "LGPL2";
         maintainers = with stdenv.lib.maintainers; [qknight];
       };
     }

the libnoise.nix file is interesting as it references a local git repository. it also lists what to do in order to alter the package.
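the six manual steps in the comment above (commit, read the newest rev from git log, paste it into the rev field, reinstall) are easy to get slightly wrong, e.g. by pasting a truncated hash. the following script is an added example, not part of the original post and not a nix tool: it takes the text of a libnoise.nix-style expression plus the output of git log from the local checkout, rewrites the rev attribute to the newest full commit id, and reports whether the fetchgit block still has an empty sha256 (a fetch without a content hash pins which commit is requested but not what ends up in the store). the git log output and the nix snippet embedded below are constructed sample inputs; the new commit id is made up.

```python
"""Update the rev attribute of a fetchgit-based Nix expression from git log output.

Added example (not from the original post or from nixpkgs). Assumes the
expression contains exactly one `rev = "<sha1>";` attribute and at most one
`sha256 = "...";` attribute, as libnoise.nix does.
"""
import re

HEX40 = re.compile(r"[0-9a-f]{40}")
REV_ATTR = re.compile(r'(\brev\s*=\s*")([0-9a-f]{40})(";)')
SHA_ATTR = re.compile(r'\bsha256\s*=\s*"([^"]*)";')

# Constructed sample: what `git log` prints in the local libnoise checkout
# after one more commit on top of the one pinned in the post.
NEW_REV = "0123456789abcdef0123456789abcdef01234567"   # made-up commit id
OLD_REV = "8b5b89b7241a112dfe0b387f7589ea9a2df00b02"   # rev from the post
SAMPLE_GIT_LOG = (
    "commit " + NEW_REV + "\n"
    "Author: Joachim <constructed@example.invalid>\n"
    "Date:   Wed Mar 21 12:00:00 2012 +0100\n\n"
    "    tweak noise module\n\n"
    "commit " + OLD_REV + "\n"
    "Author: Joachim <constructed@example.invalid>\n"
    "Date:   Tue Mar 20 12:00:00 2012 +0100\n\n"
    "    initial import\n"
)

# Constructed sample: the fetchgit block of libnoise.nix, rev pinned, sha256 empty.
SAMPLE_NIX = (
    '  src = fetchgit {\n'
    '    url = /home/joachim/Desktop/projects/libnoise;\n'
    '    rev = "' + OLD_REV + '";\n'
    '    sha256 = "";\n'
    '  };\n'
)


def newest_rev_from_git_log(git_log_text):
    """Return the first full commit id in `git log` output (git lists HEAD first)."""
    for line in git_log_text.splitlines():
        if line.startswith("commit "):
            m = HEX40.search(line)
            if m:
                return m.group(0)
    raise ValueError("no commit id found in git log output")


def set_rev(nix_text, rev):
    """Replace the rev attribute with `rev`; refuse anything but a full sha1."""
    if not HEX40.fullmatch(rev):
        raise ValueError("rev must be a 40-character lowercase hex commit id")
    new_text, count = REV_ATTR.subn(lambda m: m.group(1) + rev + m.group(3), nix_text)
    if count != 1:
        raise ValueError("expected exactly one rev attribute, found %d" % count)
    return new_text


def missing_sha256(nix_text):
    """True when the expression has no sha256 or an empty one (not content-pinned)."""
    m = SHA_ATTR.search(nix_text)
    return m is None or m.group(1) == ""


def update_expression(nix_text, git_log_text):
    """Steps 4 and 5 of the comment: read newest rev, write it into the expression.

    Returns (updated_text, warnings); warnings is a list of strings a human
    should act on before step 6 (reinstalling).
    """
    rev = newest_rev_from_git_log(git_log_text)
    updated = set_rev(nix_text, rev)
    warnings = []
    if missing_sha256(updated):
        warnings.append("sha256 is empty: fetch is pinned to a commit but not to content")
    return updated, warnings


if __name__ == "__main__":
    text, warns = update_expression(SAMPLE_NIX, SAMPLE_GIT_LOG)
    print(text)
    for w in warns:
        print("warning:", w)
```

in real use the two inputs come from reading libnoise.nix and from running git log in the checkout; the script deliberately refuses truncated commit ids, since a short rev may stop being unique as the repository grows.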

once the srmg-env is installed (nix-env -i env-srmg) it can be loaded with load-srmg-env. as mentioned in [1], this environment will then behave as if one had used ubuntu linux and installed all the required libraries.

future

as i noted in [1], nix will soon get a toggle (nix-build --run-env '<nixpkgs>' -A xterm, see [2]) which will clone the environment of virtually any sourceScription on the system. this means one can hack on any software easily by injecting code into the build chain at an arbitrary position – still, these changes won’t be persistent, meaning:

  • after reinstallation of the sourceScription the former version will be installed
  • the environment will not last a reboot of the system (not 100% sure about this)

still it is one step towards the concept of the midstream platform (mentioned in my diploma thesis) and is a great way to test a quick hack.

another interesting potential property is that tools like kdevelop could be patched to automatically see all the include paths of a complete project and therefore are able to provide automatic code completion without having too much manual effort.

links

[1] https://nixos.org/wiki/Howto_develop_software_on_nixos

[2] https://github.com/NixOS/nix/commit/7f38087f35e6f74a73bfdb28da8acd8930565d51


Posts for Tuesday, March 20, 2012

On changing one’s opinion

A few weeks ago a person I am loosely associated with publicly changed their opinion: Where they had said A before (quite vocally) they now were going for B. You’d think that in our oh-so-civilized world this wouldn’t be a big deal, people would just take notice of it and move on.

But most people are not really wired that way. A change in positions is perceived as contradictory, as something compromising a person’s integrity and credibility. In the case I hinted at in the beginning, people started taking old quotes of that person and confronting them with these quotes: “How can it be that you said A when you now say B? What’s the truth?”

This is an interesting question, but luckily I don’t really have to do the hard work here all by myself. I’m just gonna do what any lazy pseudo-intellectual does when he or she wants to look smart and knowledgeable: I’ll just fall back on quoting other, smarter people than me.

The first quote is by one of my favorite British rap artists, Scroobius Pip, from his song “Broken Promise”:

“But is a lie really a lie if you mean it at the time?”

Here Mr. Pip outlines the basic principle that some people seem to have a hard time understanding: “Truth” and “Opinion” are not timeless, they always require a temporal context in order to exist. If I write about “my opinion” that implicitly means “my opinion right now“. And opinions do in fact change and they do so a lot with any thinking, reflecting and open person!

One of my favorite thinkers in history, Bertrand Russell, did change his opinion quite a few times. In fact he changed his view on a few rather fundamental philosophical principles during his lifetime. Does that make him a bad philosopher?

In the preface to his book The Bertrand Russell Dictionary of Mind, Matter and Morals (1952) he said it perfectly (highlights by me):

“I have been accused of a habit of changing my opinions … I am not myself in any degree ashamed of having changed my opinions. What physicist who was already active in 1900 would dream of boasting that his opinions had not changed during the last half century? In science men change their opinions when new knowledge becomes available; but philosophy in the minds of many is assimilated rather to theology than to science. … The kind of philosophy that I value and have endeavoured to pursue is scientific, in the sense that there is some definite knowledge to be obtained and that new discoveries can make the admission of former error inevitable to any candid mind. For what I have said, whether early or late, I do not claim the kind of truth which theologians claim for their creeds. I claim only, at best, that the opinion expressed was a sensible one to hold at the time when it was expressed. I should be much surprised if subsequent research did not show that it needed to be modified. I hope, therefore, that whoever uses this dictionary will not suppose the remarks which it quotes to be intended as pontifical pronouncements, but only as the best I could do at the time towards the promotion of clear and accurate thinking. Clarity, above all, has been my aim.”

To the rational, scientific mind, changing opinions happens a lot. Whenever new data or new arguments appear, opinions need to be reevaluated and potentially adapted or, sometimes, even abandoned completely.

A person publicly changing opinions does not show their weakness, they show their strength. Not always obviously. There are changes in opinion that have no reasonable cause, no new argument presented, no new data. Some opinions are changed to suit a new employer, to charm a person or create a different sort of perception of oneself for some other reason. Those changes do obviously show a lack of character and honesty – something we all would probably consider a personal flaw.

But especially when it comes to politicians or other people with any sort of power or influence I’d pick someone able to see through their own bullshit and to openly and rationally think about new ideas over someone just feeding me my own ideas as dogma any day.


Planet Larry is not officially affiliated with Gentoo Linux. Original artwork and logos copyright Gentoo Foundation. Yadda, yadda, yadda.