riaschissl

Canon + Scanning: stoneage stupidity

2012-01-26T14:33:00.001+01:00

After my good approx. 6 years old Samsung CLP-550 printer refused to cooperate with me (mechanical troubles), I decided that it was time to buy a new printer.
Now that semi-professional multifunction printers become more and more affordable, I decided to go hunting for such a device and eventually got myself a Canon i-SENSYS MF8330cdn multi-function color laser printer for the decent amount of ca € 400,-

Its features looked promising:

~20ppm in B/W and in color
duplexer unit
ADF
copier function
Ethernet connection
"network scanning" feature.
Linux support

So far so good. Printing is excellent indeed (both in quality and speed terms), the copier is fine as well.

Only scanning seems to be a very weird thing when it comes to interconnectivity with non-Windows systems. Just imagine, the device is a "networking" device yet lacks any possibility to scan neither to a network share nor an FTP or email account.

Even under Windows you have to use an obscure "Computer registration" tool that "registers" this computer with the MF8330cdn, then allowing to choose this computer as a scanning target.

I mean, hey Canon: we have 2012 and the device even has a web interface - what drives you to cripple such a nice device with such a crappy scanning functionality??

Even if only scanning to a network share was possible, that would allow operating the scanner with any "reasonable" operating system at zero cost for Canon because all the required code for accessing network shares (or an FTP or an Email account) is open source these days.

This way, the scanner is just completely useless (and no, I don't want to use "scan to USB stick" on a networking printer, just imagine).

why fedora rules: they provide the best explanations for updates

2011-12-02T11:35:00.001+01:00

Well, I occasionally read the details of updates for packages installed on my fedora 16 box and from time to time they can be quite entertaining.

Yet, the update information given to the users for the latest ql2500-firmware package is just too unique to remain hidden within the depths of fedoras update manager.

So, here comes the best explanation I have ever heard why I should update the ql2500-firmware package:

It is a truth universally acknowledged, that a single man in possession of a good fortune, must be in want of a wife.

However little known the feelings or views of such a man may be on his first entering a neighbourhood, this truth is so well fixed in the minds of the surrounding families, that he is considered the rightful property of some one or other of their daughters.

"My dear Mr. ql2500-firmware," said his lady to him one day, "have you heard that Beefy Miracle is chosen at last?"

Mr. ql2500-firmware replied that he had not.

"But it is," returned she; "for Mrs. Bergeron has just been here, and she told me all about it."

Mr. ql2500-firmware made no answer.

"Do you not want to know which release has taken it?" cried his wife impatiently.

"You want to tell me, and I have no objection to hearing it."

This was invitation enough.

"Why, my dear, you must know, Mrs. Bergeron says that ql2500-firmware is taken by a young distribution of large fortune from the north of England; that he came down on Monday in a chaise and four to see the name, and was so much delighted with it, that he agreed with Mr. Smith immediately; that he is to take possession before Michaelmas, and some of his servants are to be branded with the logo by the end of next week."

"What is his name?"

"[CENSORED]."

"Is he married or single?"

"Oh! Single, my dear, to be sure! A single component of large fortune; four or five thousand changes a year. What a fine thing for our users!"

"How so? How can it affect them?"

"My dear Mr. ql2500-firmware," replied his wife, "how can you be so tiresome! You must know that I am thinking of his marrying one of them."

"Is that his design in making the update?"

"Design! Nonsense, how can you talk so! But it is very likely that he may fall in love with one of them, and therefore you must visit him as soon as he comes."

"I see no occasion for that. You and the girls may go, or you may send them by themselves, which perhaps will be still better, for as you are as handsome as any of them, Mr. Pangolin may like you the best of the party."

"My dear, you flatter me. I certainly have had my share of beauty, but I do not pretend to be anything extraordinary now. When a woman has five grown-up daughters, she ought to give over thinking of her own beauty."

"In such cases, a woman has not often much beauty to think of."

"But, my dear, you must indeed go and see Mr. Pangolin when he comes into the neighbourhood."

"It is more than I engage for, I assure you."

A little hint for the interested reader: it happens to be an adoption of the first chapter of Jane Austen's "Pride & Prejudice" :)

"BSD vs. Linux" or "what to do when your favourite Linux distro falls appart"

2010-10-01T14:47:00.006+02:00

I am quite frustrated about the things that have been going on around Mandriva in those last weeks and days.

After Mandriva fired most of its' active and vital developers, a major part of the Mandriva community has decided to fork the distribution and restart under the new name "Mageia" [1].

Originally coming from a SuSE friendly company, I've been quite happy using Mandriva for the past 10 years, for many reasons. Now, apparently, Mandriva simply falls apart - for whatever reasons.

For us this means a huge workload on the horizon, because we have deployed quite a lot of Mandriva based servers and desktops, and unfortunately I am not quite sure about the eventual outcome of the new "Mageia" project. Well, I just don't want to base our companies' IT strategy on it.

So, what alternatives are there?

SuSE is simply a no-go, just remembering the devastating effects that "suseconfig" has had so many times on our productions systems makes me shiver even ten years later.

RedHat/Fedora ... yes, we will give it a try, certainly. From my POV its only and major drawback simply is that it is so very US centric.

And then of course there is Debian. I think about half the servers we have deployed are Debian based and indeed I like it very much. Desktop however is another story, many of our test runs have miserably failed due to unsupported graphic cards, malfunctioning wireless support and so on.

Ubuntu tries to make Debian more desktop friendly, but manually changing configuration files broke the desktop tools far too often to give us a supportable desktop system (yes, we like to edit config files manually).

Of course, there are a lot of other linux distributions around, but all of them require quite a lot of changes in our infrastructure and commercial support is limited quite often.

So, I think it's a perfect time to look a bit over one's nose and give something new a try.

My first experience with "UNIX" type operating systems has been i386BSD, delivered on a huge number of 5,25" floppy discs and so I think evaluating the existing *BSD variants will be a funny thing to do.

I will start with FreeBSD [2], continue with the very interesting PC-BSD [3] and finish with OpenBSD [4].

A very good primer covering the academical differences between BSD vs. Linux in general can be found here [5], so be prepared for some brainwashing to come :-)

[1] http://www.mageia.org
[2] http://www.freebsd.org
[3] http://www.pcbsd.org/
[4] http://www.openbsd.org/
[5] http://www.over-yonder.net/~fullermd/rants/bsd4linux/bsd4linux1.php

oracle: unexpire and unlock accounts

2010-07-05T12:17:00.004+02:00

Some of our customers' applications are built around Oracle, so we have to fight the beast from time to time. Unfortunately, some of the surprizes the beast has to offer are quite random and rare, and due to this we tend to simply forget how we fixed and/or circumvented the issues previously.

As usual, google is your friend and one of the most valuable resources on the net we've found is www.orafaq.com and most notably its security FAQs [1]

So this is just an attempt of a small cheat sheat to help our overloaded brains :-)

expired and locked accounts - the basics
Now, as of version 11g, Oracle has enabled account expiration per default for many vital accounts (such as SYSMAN, SYS, ...). Quite a weird idea in my view, but who knows what hyper security things some wise engineer had in mind when doing so.

Beware that we run Oracle under various Linux flavours, so things might be different for you.
- become database admin
  First log into your host running oracle and become the oracle user.
  % sqlplus /nolog SQL> connect / as SYSDBA Connected SQL>
- find out which accounts are expired
  select username, account_status from dba_users where ACCOUNT_STATUS LIKE '%EXPIRED%';
- unexpire an account
  once an account has been expired, it can only be revived by assigning it a new password:
  ALTER USER scott IDENTIFIED BY password;
- unlock an account
  ALTER USER scott ACCOUNT UNLOCK;
- disable default password expiry [2]
  this all depends on the profile a user belongs to, to disable password expiry for all users assigned the default user profile do this:
  ALTER PROFILE DEFAULT LIMIT PASSWORD_LIFE_TIME UNLIMITED;
Enterprise Manager: unable to connect to instance
One of the worst things that can happen in that course is if Enterprise Manager reports "Failed to connect to database instance: ORA-28001: the password has expired (DBD ERROR: OCISessionBegin)" and then simply rejects to work with the database.

So far, we've found two accounts to be potential culprits for the problem: SYSMAN and DBSNMP
- unexpire SYSMAN [3]
  Quite tricky, because you have to change things on two sides: First unexpire the account as explained above. And now tweak oracle configuration.
  As oracle user:
  1. unexpire and unlock the account as explained above
  2. % emctl stop dbconsole
  3. change into
    ORACLE_HOME/<HostName_SID>/sysman/config, for us this would be for example:
    % cd /opt/oracle/111/klotho_ABSDEV/sysman/config
  4. edit the emoms.properties file
    and change the oracle.sysman.eml.mntr.emdRepPwd property to the new password you gave the SYSMAN user.
    Then change the oracle.sysman.eml.mntr.emdRepPwdEncrypted property from TRUE to FALSE (sidenote: Oracle will revert to TRUE automagically once it is restarted).
  5. change into
    ORACLE_HOME/<HostName_SID>/sysman/emd, for us this would be for example:
    % cd /opt/oracle/111/klotho_ABSDEV/sysman/emd
  6. edit the target.xml file
    and edit those two properties:
    <Property NAME="UserName" VALUE="SYSMAN" ENCRYPTED="FALSE"/> <Property NAME="password" VALUE="TheNewPassword" ENCRYPTED="FALSE"/>
  7. % emctl start dbconsole
  8. under "normal" circumstances, everything should be fine now :-)

So, as said above this is just a "small" cheat sheet for some annoyances we have met with the great oracle, of course there is much much more to know about the beast ;-)

[1] http://www.orafaq.com/wiki/Oracle_database_Security_FAQ
[2] http://www.odi.ch/weblog/posting.php?posting=520
[3] http://www.articles.freemegazone.com/oracle-sysman-account-locked.php?ref=2

google-chrome or chromium and SSL client certificates

2010-06-24T12:17:00.002+02:00

Many of our restricted services rely on client authentication based on X.509 SSL certificates. And some of the better (say user friendly :-) ones' are accessible using a web interface.

So, with Firefox certificate based authentication is relatively easy to implement, yet when using google-chrome or chromium I was quite lost on how to manage my certificates.

Apparently, both google-chrom and chromium lack a GUI feature allowing to manage one's certificates (at least under linux) because "rather than reinvent the wheel and create another certificate configuration tool, we are going to wait for a system certificate configuration utility to be created and launch that", see [1].

However, it is not too difficult to manage the certificates on the commandline. The process is also described on the same page, some pitfalls exist, however.

Under Mandriva, the required tools are "normally" installed already, you don't need an extra nss-tools or nss-util package, the nss package already provides the required essential certutil binary.

Some examples:

Listing one's certificates:
% certutil -d sql:$HOME/.pki/nssdb -L

adding a trusted root CA:
% certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n certificate nickname -i certificate filename

the -t "C,," actually determines which kind of certificate one wants to import, "C" means a CA certificate good for issuing SSL server certificates. See [2] for a listing of potential other flags.

add a client certificate for authentication:
pk12util -d sql:$HOME/.pki/nssdb -i yourClientCertFile.p12

Further usage examples can be found in [1] and [3]

And finally, before google-chrome or chromium actually uses the client certificates in the store, you have to manually tell it using a command line switch:

% google-chrome --auto-ssl-client-auth

or

% chromium --auto-ssl-client-auth

I did all this using Mandriva 2010.1, so things may be different for other distros.

[1] http://code.google.com/p/chromium/wiki/LinuxCertManagement
[2] http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html#1034193
[3] http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html#Examples

an unwanted honeypot for hackers: "y2kupdate"

2010-05-16T23:16:00.005+02:00

Lazyness combined with too much work often causes very bad sideeffects ... The following story happened due to my very own lazyness (or maybe even call it crazyness ...):

After setting up a Debian Lenny KVM guest on one of our servers, I had to do some tests on it before making it available to the very public (or in other words: before I assigned it a public IP address).

So I added a dedicated user named "test" with again a very dedicated password named "test" ... and from now on you know how the story continues: After provisioning the server, I simply forgot to remove the "test" user. And without surprize it didn't take long until some funny people found out about my error and tried to hijack the server by installing some interesting pieces of software.

Obviously they were almost as lazy as I was because they left many traces on the server and in the end they did not come very far in hijaking the server.

Soon after I provisioned the server, I found weird log entries like these:

May 13 06:40:01 ahost /USR/SBIN/CRON[13837]: (test) CMD (/tmp/lib/y2kupdate >/dev/null 2>&1)

Now as a matter of fact I do read log entries and these entries soon got my attention.

Investigating the files in the /tmp/lib folder I quickly found out that the server had become a member of an IRC based bot net (or in fact, a number of IRC based bot nets), probably designated to flood remote victims with useless traffic.

It has been a long time since a hacker successfully broke our security barriers and so I find it quite amusing to dissect the applications found in /tmp/lib and also quite interesting reading the (now deleted) test user's .bash_history file ...

Luckily for me the hackers either did not come too far with hijacking the server or simply were not overly interested in the box, so reverting the changes they made seems doable, but let's see how the story continues :-)

thunderbird's "lightning" plugin and 64bit = ignorance

2010-03-12T15:01:00.002+01:00

For some months now I became quite use to using the "lightning" calendaring plugin for Mozilla Thunderbird in conjunction with our eGroupWare installation. Not all things were perfect, but in general things worked quite well.

Now, at least for the public the lightning project had been quite silent for several months and so I was positively surpized to find a new version available in January.

Disappointment followed shortly after because obviously the lightning developers appear to be quite ignorant when it comes to 64bit versions of their plugin.

The .xpi file offered from the official Mozilla addons page [1] just doesn't work for 64bit Thunderbirds: "Lightning could not be installed because it is not compatible with your Thunderbird build type (Linux_x86_64-gcc3)." Very funny, indeed.

Except very old installations, I don't know any recent Linux installation that is not 64bit these days. 64bit versions of the major distributions have been around for many many years now ...

Even after searching the web I am still not able to find a working 64bit version of the plugin.

Considering that sunbird, lightning's "big sister" is available for 64bit, this is extremely weird and to some extend also very annoying ...

[Update] well, I finally found a working 64bit version of the plugin here [2]

[1] https://addons.mozilla.org/en-US/thunderbird/addon/2313
[2] http://releases.mozilla.org/pub/mozilla.org/calendar/lightning/releases/1.0b1/contrib/linux-x86_64/

Mandriva 2010.0 + KVM + Centos 5.x guest = troubles with the clock

2010-02-22T11:15:00.003+01:00

We are just in the process of completely reinventing our data center and thus are rolling out a number of Mandriva 2010.0 based servers for various tasks. One of those tasks is virtualization, of course.

Now, basically, there is nothing special about virtualization and Mandriva 2010.0 (maybe except this bug [1] that prevents it from giving more than 2G of RAM to KVM guests).

The only trouble I really ran into was with Centos 5.4 and its veryvery old 2.6.18 kernel (despite the fact that many things have been backported). With Centos 5.x getting a stable clocksource is very difficult.

To be honest, perviously I've never thought much about the clocksource, because things have just always worked right out of the box. Now I understand that a stable clocksource is really vital for many applications.

Yet with Centos 5.x the clock became so unstable, that some applications simply crashed, most notably dovecot, dying with a weird "Time has moved backwards by 4398 seconds" message. There is even a dedicated page on the dovecot wiki for this problem [2].

In order to circumvent the problem, the following is essential on the Centos guest:

do not use ntp
running ntp on virtual hosts is a very bad idea, see [3]
do not use kvm-clock as a clock source
use acpi_pm instead

For the latter, using acpi_pm, check the following:


% cat /sys/devices/system/clocksource/clocksource0/available_clocksource
kvm-clock
acpi_pm
kvm-clock

This lists you the available clocksources.

Setting the clocksoure is done by adding a kernel boot parameter. Typically, this can be done either in /boot/grub/menu.lst or in /etc/lilo.conf, depending on which bootloader you have.

There, add clocksource=acpi_pm to the existing kernel parameters and reboot the box. That should be it.

As a reference, I found the following sites on the internet quite useful for debugging the problem:

http://forums.fedoraforum.org/showthread.php?t=211100
http://kb.vmware.com/kb/1006427

[1] https://qa.mandriva.com/show_bug.cgi?id=55909
[2] http://wiki.dovecot.org/TimeMovedBackwards
[3] http://support.ntp.org/bin/view/Support/KnownOsIssues#Section_9.2.2

shell stuff: highlight matches within files

2010-02-05T15:58:00.002+01:00

Sometimes one has to deal with a number of log files where you want to see all the logging lines as they occur, but also highlight certain arbitrary strings within those files.

Say for example, you want to (almost) realtime monitor the following log files:

/var/log/daemon.log
/var/log/auth.log
/var/log/secure.log

The easiest way to monitor those files is to use tail:

% tail -f /var/log/daemon.log /var/log/auth.log /var/log/fooapp.log

Now imagine that you want to highlight certain important keyword as they occur in one of those files. grep will not work in that case because it only displays the lines containing found matches and omits the rest.

So, if you want to see all lines as they appear in the logs and highlight the matches for arbitrary patterns, you can use the small ack tool. Depending on your distribution the tool may have various names, for the distributions used here (Mandriva, debian) installation is simple:

for Mandriva: % urpmi ack
for debian: % apt-get install ack-grep

To highlight something, you can use the --passthru parameter:
% tail -f /var/log/daemon.log /var/log/auth.log /var/log/fooapp.log | ack --passthru attack

==> /var/log/daemon.log <==
Feb 5 15:08:14 artio fooapp: starting up
Feb 5 15:08:27 artio dhclient: DHCPREQUEST on eth0 to 255.255.255.255 port 67
Feb 5 15:10:14 artio fooapp: attack in progress, blocking access

==> /var/log/auth.log <==
Feb 5 15:08:14 artio sshd: pam_tcp: login successfull
Feb 5 15:09:36 artio su: pam_tcb(su:auth): Authentication passed for root from fred(uid=500)
Feb 5 15:10:14 artio fooapp: pam_iris: attack detected

==> /var/log/fooapp.log <==
Feb 5 15:08:14 artio fooapp: FooApp Version 1.27b initializing
Feb 5 15:08:14 artio fooapp: starting up
Feb 5 15:08:14 artio fooapp: loaded the following modules:
Feb 5 15:08:14 artio fooapp: * mod_attack
Feb 5 15:08:14 artio fooapp: * mod_strike
Feb 5 15:08:14 artio fooapp: * mod_block
Feb 5 15:08:14 artio fooapp: up and running
Feb 5 15:10:14 artio fooapp: attack in progress, blocking access

Other than that, ack is quite similar to "ordinary" grep.

IBM ServRAID tools and Mandriva Linux 2010.0

2009-10-14T14:59:00.008+02:00

We recently purchased a couple of Lenovo RD120 servers (exellent quality!) coming with an IBM ServRAID-8k SAS/SATA controller.

This RAID controller is well known from the IBM x35xx series and features RAID levels 0,1,5,6,10 and 1e (whateever level '1e' may be :-), 256MB of RAM and a backup battery to finish write operations once power goes down. So in general, a truly excellent controller.

The only thing that proves to be somewhat tricky is to get the fitting tools up and running that allow you for example to hotswap drives (that is, take one drive offline, take another one online and synchronize it).

So, the first thing to do is to download the latest "IBM ServRAID Application CD" from here [1]. What you get from here is a +400Mb ISO, containing the tools for various operating systems, among them is linux and linux-x86_64.

Once you have downloaded it, copy linux_x86_64/cmdline/arcconf and linux_x86_64/manager/RaidMan-9.00.x86_64.rpm to the server.

The arcconf tool first needs to be made executable (chmod +x arcconf), then you can invoke it without parameters and it will list you all possible options. For example, this gives you more information about the raid controller:

% arcconf GETCONFIG 1 AD
Controllers found: 1
---------------------------------------------------------------
Controller information
---------------------------------------------------------------
   Controller                   : Okay
   Channel                      : SAS/SATA
   Controller                   : IBM ServeRAID 8k
[..]

In general, if you prefer command line tools like myself, arcconf allows you to do anything with the raid controller, that you like (decommission defect drives/commissison new ones, ...).

But of course, sometimes GUI applications are not so bad, after all :-)

Installing the manager application proves to be somewhat more tricky, because Mandriva is not officially supported by IBM. However, it is not too difficult:

% urpmi RaidMan-9.00.x86_64.rpm libxp6 libxt6 libxtst6 libstdc++5 libx11-common

The extra packages are required for java to operate correctly and to allow startup of the manager GUI.

Now, finally, you can invoke

% /usr/RaidMan/RaidMan.sh

You will get a couple of errors about "/usr/lib/libstdc++.so.5" not being preloadable, but as far as I found out, you can safely ignore them.

The only thing yet missing is to allow remote access to the raid agent. So far I was not able to connect to the raid agents on the servers for reasons unknown.

[1] http://www-304.ibm.com/jct01004c/systems/support/supportsite.wss/docdisplay?lndocid=MIGR-61707&brandind=5000020

accessing the CLI of Cisco "Small Business" Switches

2009-09-25T19:00:00.005+02:00

Preface: Cisco's "Small Business" network equipment is based on hardware formerly manufactured by Linksys. When Cisco bought Linksys, they incorporated the Linksys hardware as "Cisco Small Business" equipment.

Now, at first glance that doesn't sound too bad. Cisco, being the major player when it comes to network equipment, is well known for its very well designed and quite well supported devices.

However, when the story comes to the formerly Linksys products, Cisco looses everything it has to loose, both in terms of support and also in terms of design.

One example for that failure is documented here [1] for example.

Another story is the completely unuseable web interface of the former managed Linksys switches, like the SRW224G4 [2] for example.

We are unfortunate enough to purchase a couple of those devices, in the hope that the web based management facilities would be useful to some degree.

The truth however is, that the web UI is completely unuseable if you use any other browser than IE6. Neither IE7, IE8, FF2, FF3 or Opera can be used to access the Web UI ...

There are many people complaining about this situation (for example here [3], but obviously - once more - Cisco's support is completely ignorant.

The only thing you can do is to use the command line interface of those switches. In order to do so, you must access the switch like this (taken from here):

- Telnet to the switch & login
- Once you get to the menu, hit ctrl+z, you should now see a ">" (type ? to all available commands from this point on)
- Type lcli, hit enter, and put the user name in again (admin usually)
- now you should see "console#"

How you can configure your script in a similar way known from Cisco's IOS.

A good starting point of how the CLI works can be found here [5].

And what remains for the bottom line is that: just don't buy Cisco's "Small Business" products until they are ready to give real support for them. After all: even those products are business products!

[1] http://www.dslreports.com/forum/r22733060-RVS-4000-Support-email-to-Cisco
[2] http://www.cisco.com/en/US/products/ps9987/index.html
[3] http://davehall.com.au/blog/dave/2007/12/04/linksys-srw224g4-webgui-broken
[4] http://davehall.com.au/blog/dave/2007/12/04/linksys-srw224g4-webgui-broken#comment-393
[5] http://lcli.wikidot.com/

SVN authentication with client SSL X.509 certificates and apache 2.2

2009-09-01T15:27:00.007+02:00

We recently moved our subversion repository to a new, now dedicated server. In that course I found it reasonable to streamline our old configuration how authentication and authorization against the repository is done.

Previously, our users were primarily authorized to access the repository using their X.509 certificates. After authorization took place, they were authenticated and thus being asked for their usernames and passwords.

The goal now was to get rid of the second step, allowing authentication and authorization based purely on the certificates.

To be true, the solution was not so easy to find, because apache's mod_ssl module is not really designed for authentication purposes. It has a pretty useless "FakeBasicAuth" option requiring to manually store each user in a htpasswd style file, containing the hardcoded 'password' string as each users password. Pretty ugly, IMHO.

However, I finally managed to get to a resonable result.

Before doing anything else, ensure that you have mod_ssl and mod_dav_svn up and running. I won't go deeper into those basics.

After the modules are ready, put the following in your apache's config for the relevant (virtual)host:


<Location /theLocationOfYourRepository>
  SSLVerifyClient require
  SSLRequireSSL

  SSLOptions +StdEnvVars
  SSLUserName SSL_CLIENT_S_DN_Email

  DAV svn
  SVNPath /the/absolute/filesystem/path/of/your/repository
  SVNListParentPath on
  AuthzSVNAccessFile /etc/subversion/apache-acl-file
</Location>

In my case, the emailAdress attribute of the certificate's subject DN is used to make up the username ("SSLUserName SSL_CLIENT_S_DN_Email"), useable in the AuthzSVNAccessFile, for example:


[/project1]
fred.flintstone@example.com = rw
wilma.flintstone@example.com = r

[/project2]
wilma.flintstone@example.com = rw

# locking out everybody else
[/]
* =

Instead of the emailAddress attribute, you can choose from a number of alternatives, see here [1] and here [2].

For now, I am quite satisfied how it works.

The only thing to be done in the future will be to map those email addresses against LDAP entries and have the usernames retrieved from the DIT based on the matches. And eventually I want the AuthzSVNAccessFile also being served from our LDAP server, of course. But that will probably be a hard fight.

[1] http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#envvars
[2] http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslrequire

capturing videos from your linux desktop

2009-08-26T11:58:00.003+02:00

I recently had to produce some screencasts from my linux desktop and wasn't able to find a "quick" solution for this "problem". Of course, google is your friend, so here are two reasonable possibilities I found:

recordMyDesktop [1]
The most powerful utility I found, coming as a commandline tool and with qt and gtk frontends as well. Furthermore you can also record audio. Its only limitation (if you call this a limitation) is that it can only produce ogg theora for video and ogg vorbis for audio, so no direct mpeg support (but converting theora to whatever is trivial).

XvidCap [2]
An "older" utility (last update is from 2006). Besides capturing as a video including audio, it can also produce a series of jpegs instead. It produces mpeg videos.

So for now I am quite happy with recordDesktop :-)

[1] http://recordmydesktop.sourceforge.net/
[2] http://xvidcap.sourceforge.net/

rescanning the connected SATA/SCSI devices

2009-08-24T17:03:00.005+02:00

Once in a while I stumble upon the problem where I have to attach a SATA or SCSI device to a running Linux box and for some reasons (ie. the device or the interface is not hot plugging capable) it doesn't get recognoized by the system.

Now the solution is very simple, just tell the kernel to rescan the SATA/SCSI bus:

first find out how many SATA/SCSI busses you have:


% ls -l /sys/class/scsi_host/
drwxr-xr-x 2 root root 0 2009-08-24 15:05 host0
drwxr-xr-x 2 root root 0 2009-08-24 15:05 host1
drwxr-xr-x 2 root root 0 2009-08-24 16:26 host2
drwxr-xr-x 2 root root 0 2009-08-24 16:26 host3

So that means 4 host interfaces to query for. Querying or rescanning is very easy:

Find out which hard disks are currently recognoized by the kernel:


% cat /sys/class/scsi_disk/*/device/model
WDC WD1600YS-01S

In other words, a Western Digital WD1600YS hard drive is connected and recognoized by the computer.

Now, if you want the SATA/SCSI bus to rescan all host interfaces for new devices, do this:


% echo "- - -" > /sys/class/scsi_host/*/scan

To theck if any previously unrecognized hard disks have been detected, refetch the list of hard disks:


% cat /sys/class/scsi_disk/*/device/model
WDC WD1600YS-01S
Seagate FreeAgen

So as you see, a new "Seagate FreeAgen" hard disk has been detected.

The procedure is essentially the same for all other types of SATA/SCSI devices such as scanners, tape drives, ...

Linksys/Cisco RVS4000: support madness

2009-08-17T12:36:00.002+02:00

Trying to find further information about some problems we are facing with our Linksys/Cisco RVS4000 router, I stumbled upon this blog entry:

http://www.dslreports.com/forum/r22733060-RVS-4000-Support-email-to-Cisco

The poor guy tells his nightmare with Cisco/Linksys support regarding some problems with his RVS4000 router. Among other things, we are seeing exactly the same problems here as well, but obviously contacting Cisco's support seems to be a waste of time.

I can hardly remember a company with such a support reputation to loose fail so miserably ...

Debian+KVM: proxy_arp for individual ip adresses

2009-08-10T16:47:00.008+02:00

In one of my older posts [1] I described how you can hide the MAC addresses of KVM virtualized guests living in a dedicated, externally reachable subnet.

If however you don't have a dedicated subnet from your hosting provider but only got only a small number of maybe segmented IP addresses instead of an entire subnet, the solution is much simpler.

So, let's say this is what you want:

a host
living under 192.168.10.10 with a netmask of 255.255.255.0

a KVM guest
designated to live under 192.168.10.20

another KVM guest
designated to live under 192.168.10.30

Due to port security, each of the guests must not reveal their (virtual) MAC addresses to any external communication partner.

For a Debian lenny host, the following prerequisites are required

install iproute
install uml-utilities

Using uml-utilities (uml = user mode linux), you can setup virtual network interfaces useable by the KVM guests.

In order to get things going, add the following lines to /etc/network/interfaces

[...]
auto tap0
iface tap0 inet manual
  tunctl_user root
  uml_proxy_arp 192.168.10.20
  uml_proxy_ether eth0
  up ip link set tap0 up
  post-up sysctl -w net.ipv4.ip_forward=1
  post-up sysctl -w net.ipv4.conf.tap0.proxy_arp=1
  pre-down sysctl -w net.ipv4.ip_forward=0
  down ip link set tap0 down

auto tap1
iface tap1 inet manual
  tunctl_user root
  uml_proxy_arp 192.168.10.30
  uml_proxy_ether eth0
  up ip link set tap1 up
  post-up sysctl -w net.ipv4.conf.tap1.proxy_arp=1
  down ip link set tap1 down

The lines above create two to called "tap" devices tap0 and tap1, using the utilites provided by user mode linux (somewhat like an alternative to KVM, vmware, ...). Due to severe Debian magic, the lines also enable proxy_arp for the new devices and tell the kernel to use the MAC address of eth0 instead:

% ifup tap0
[...]
% arp -an
[...]
? (192.168.10.20) at  PERM PUB on eth0
% cat /proc/sys/net/ipv4/conf/tap0/proxy_arp
1

And still better, even a specific device route is created:

% route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.10.20   0.0.0.0         255.255.255.255 UH    0      0        0 tap0
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.10.254  0.0.0.0         UG    0      0        0 eth0

If you ifup tap1 as well, you will see further entries like the ones above.

[sidenote]: User mode linux is quite a funny thing to play with, a good starting point for further reading is this link [2].

The only thing remaining for you is to instruct your KVM guests to use their new, dedicated devices. You can do so manually by ensuring that the guests are started with the following options set:

% kvm \
[...] \
-net nic \
-net tap,ifname=tap0,script=no \
[...]

and for the other guest

% kvm \
[...] \
-net nic \
-net tap,ifname=tap1,script=no\
[...]

If you use the libvirt daemon, you can alternatively update the guest's xml definition like this:


[...]
<interface type='ethernet'>
  <target dev='tap0'/>
</interface>
[...]

and for the other guest of course:


[...]
<interface type='ethernet'>
  <target dev='tap1'/>
</interface>
[...]

If you now configure your guests to use once 192.168.10.20 and once 192.168.10.30, you should be able to ping other hosts without revealing the guest's virtual mac addresses. That can be tested using arp again on the targeted hosts, eg.

In the first guest with an ip address of 192.168.10.20, start a ping against 192.168.10.254:

% ping 192.168.10.254
PING 192.168.10.254 (192.168.10.254) 56(84) bytes of data.
64 bytes from 192.168.10.254: icmp_seq=1 ttl=64 time=1.76 ms
[...]

Then log into 192.168.10.254 and use arp to verify the mac address used:

% arp -an
[...]
? (192.168.10.20) at ac:00:00:00:01 [ether] on eth0
[...]

The mac address found (AC:00:00:00:01) should be the same as the KVM hosts physical network card.

Beware once more, that any "proxy_arp" style solution one major drawback: you cannot use DHCP to configure your virtual guests, because a DHCP server has no way to determine their (virtual) mac address.

Happy hacking again :-)

[1] http://riaschissl.blogspot.com/2009/06/port-security-proxying-kvm-mac.html
[2] http://user-mode-linux.sourceforge.net/old/UserModeLinux-HOWTO.html

getting even more information about installed RAM

2009-07-16T23:50:00.005+02:00

In a previous post [1] I wrote that the linux tool to find out details about RAM is dmideocde.

I have, however, just learned that that is not always correct because it effectively relies on BIOS information that may be incorrect (buggy BIOSes are not too uncommon).

So, as a plan B, if you don't get all the information you need (especially information about speed settings), there is the "lm-sensors" package [2]. Every distro I am aware of has it, for Mandriva it is probably already preinstalled, if not, just install it like this:
% urpmi lm_sensors

In Debian >= Lenny you need to install the i2c-tools package instead.

The lm-sensors package usually also contains a nice script called "decode-dimms.pl" (or similar, depending on your distro again).

If you invoke it as root, it may carp like this:

% decode-dimms.pl
[...]
No EEPROM found, are you sure the eeprom module is loaded?

You can circumvent this problem by loading the eeprom module into memory:
% modprobe eeprom

After that, you should get really everything you ever wanted to know about the memory being used, for example on a ASRock G31M-S mainboard with a 2GB Kingston DDR2/800 memory:

Decoding EEPROM: /sys/bus/i2c/drivers/eeprom/1-0050
Guessing DIMM is in                             bank 1

---=== SPD EEPROM Information ===---
EEPROM Checksum of bytes 0-62                   OK (0x7D)
# of bytes written to SDRAM EEPROM              128
Total number of bytes in EEPROM                 256
Fundamental Memory type                         DDR2 SDRAM
SPD Revision                                    1.2

---=== Memory Characteristics ===---
Maximum module speed                            800MHz (PC2-6400)
Size                                            2048 MB
tCL-tRCD-tRP-tRAS                               6-6-6-18
Supported CAS Latencies                         6, 5, 4
Minimum Cycle Time (CAS 6)                      2.5 ns
Maximum Access Time (CAS 6)                     0.4 ns
Minimum Cycle Time (CAS 5)                      3 ns
Maximum Access Time (CAS 5)                     0.45 ns
Minimum Cycle Time (CAS 4)                      3.75 ns
Maximum Access Time (CAS 4)                     0.5 ns

---=== Manufacturing Information ===---
mManufacturer                                    Kingston
Manufacturing Location Code                     0x03
Part Number                                                      
Manufacturing Date                              2009-W09
Assembly Serial Number                          0x9DCCAD2D

[1] http://riaschissl.blogspot.com/2009/06/finding-out-details-about-installed-ram.html
[2] http://www.lm-sensors.org

getting refund for your preinstalled Windows

2009-07-10T12:14:00.004+02:00

As we all know, it can be quite difficult to purchase a computer without a preinstalled version of Microsoft Windows.

However, if for whatever reason you don't want to use the preinstalled software (Windows, Office, Works, ...), you are eligible for a refund as defined in the end users licence agreement that comes with products from Microsoft.

The first thing to do is to check the contents of the actual license. You can do so on this website from microsoft [1].

So for example, the first page of the English Windows Vista Business EULA contains this paragraph in bold:

By using the software, you accept these terms. If you do not accept them, do not use the software. Instead, contact the manufacturer or installer to determine their return policy for a refund or credit.

In other words, you have to contact the manufacturer of your computer and query them about how to get a refund or credit for the unused license.

Typically this should be done as soon as possible after your purchase. How good or how well this works mostly depends on the manufacturer, use google to read some experiences ("windows refund") or read this article on wikipedia [2]. But in general you can expect to get something around EUR 100,- for a preinstalled Windows, so this is certainly worth some effort.

[1] http://www.microsoft.com/about/legal/useterms/default.aspx
[2] http://en.wikipedia.org/wiki/Windows_refund

the not so easy migration from VMWare server to KVM for Windows guests

2009-06-18T12:45:00.008+02:00

As previously written [1], we are currently migrating our existing VMWare Server 2.0 guests to KVM, running on Debian sid [2] installations (yes, sid indeed, for the sake of a KVM installation as up2date as possible).

While things have been really extremely flawless for linux guests, the migration of our Windows guests has more been the cause of an headache:

BEFORE anything else, prepare your any of your Windows guests:
remove VMWare Tools

BEFORE anything else, prepare your Windows >= XP guests:
fix your registry as documented here: http://support.microsoft.com/kb/314082/en-us (load the mergeide.reg found on the page into the registry).

migration of split virtual harddisks:
If you find your virtual hard disks to be split into chunks of files (typically 2GB big), you need to merge the pieces into one big file as written here [3]. It boils down to this AFTER shutting down your guests:
% vmware-vdiskmanager -r "Windows XP Professional.vmdk" -t 0 $THE_NAME_OF_THE_BIG_FAT_FILE.vmdk

further troubles you might see:

Windows 2000 does not start but displays a message about ntoskrnl.exe
see my previous post [1]

Windows XP, Part 1: it starts to boot but reboots during the boot process:
First ensure that you have acpi enabled for the guest (the kvm process must not have the -no-acpi parameter). If it has and you are using libvirtd to control your guests, open the guest XML file and ensure that the <features> element contains acpi and apic subelements:
<features> <acpi/> <apic/> </features>

Windows XP, Part 2: it starts to boot but reboots during the boot process:
If it still doesn't boot, ensure that you have performed step#2 from above

Windows XP, Part 3: it starts to boot but reboots during the boot process:
And if it still doesn't boot, try to boot into safe mode and find out the last driver windows tries to load. If that happens to be agp440.sys, then you are not alone, see this microsoft kb article [4]. You may go with the solution described in here or even delete/rename it like suggested in this FAQ for VirtualBox [5]

Follwing these steps allowed us to migrate most of our installations, some WXP migrations failed however.

[1] http://riaschissl.blogspot.com/2009/06/kvm-windows-2000-does-not-boot-because.html
[2] http://www.debian.org/releases/unstable/
[3] http://blog.bodhizazen.net/linux/convert-vmware-vmdk-to-kvm-qcow2-or-virtualbox-vdi/
[4] http://support.microsoft.com/kb/324764
[5] http://www.virtualbox.org/wiki/Migrate_Windows

kvm: windows 2000 does not boot because ntoskrnl.exe is missing or corrupt

2009-06-17T16:20:00.006+02:00

We are currently in the process of migrating all our VMWare virtual hosts to KVM [1]. Sometimes this can be quite difficult because KVM apparently has some issues with older guest OS such was Windows 2000.

So, if you try to boot Windows 2000, you might fail like this:

Disk I/o error: Status = 00000001
Disk I/o error: Status = 00000001
Disk I/o error: Status = 00000001

Windows 2000 could not start because the following file is missing or corrupt:

<windows 2000 root>\system32\ntoskrnl.exe.

The workaround [2] for that problem is not to mark the primary harddisk as the boot device but the CD-ROM device instead.

Update:
The workaround does not work as expected, unfortunately. It only works until you leave a bootable CD in the CD-ROM drive but don't actually boot from it. However, Windows installation CDs have the feature to tell you "press any key to boot from CD" before the actually boot from the CD, otherwise they continue with the other potential boot devices.

So for the time being, I have created an ISO image of the installation disk, attached it to the guest as a CD-ROM drive and boot from it :-)

[1] http://www.linux-kvm.org/
[2] http://www.mail-archive.com/kvm@vger.kernel.org/msg04157.html

finding out details about installed RAM on a Linux box

2009-06-16T16:15:00.004+02:00

The tool of choice for getting detailled technical hardware information in Linux these days is dmidecode [1].

If you have a compatible BIOS that follows theSMBIOS/DMI [2] and [3] standard (very likely for any modern computer), you can use it to retrieve information about memory, processor, connectors on the mainboard and much more.

Usage is simple:

display information about the available memory slots:
dmidecode -t memory
display information about the processor and its features:
dmidecode -t processor
list the possible types of information:
dmidecode -t
extract specific information (useful for automated processing in shell scripts):
dmidecode -s

but as usual: man dmidecode is your friend :-)

[UPDATE]: there is a follow up article here

[1] http://www.nongnu.org/dmidecode/
[2] http://www.dmtf.org/standards/smbios/
[3] http://www.dmtf.org/standards/dmi/

port security: proxying KVM MAC addresses with Debian Lenny

2009-06-08T14:00:00.015+02:00

Following the desaster that occurred when we tried to install a virtual server on a dedicated Hetzner.com root server [1], we had to find a workaround for the problem.

The problem itself was that the KVM instance would use it's own MAC address and thus port security [2] struck us hard, leaving the physical server offline for (too) many hours.

Essentially there are two types of workarounds to get things working in such a scenario:

use the physical server as a NAT gateway for the virtual server(s)
the main disadvantage here is that NAT has certain problems with certain protocols (FTP or SIP for example)
have the physical server act as a proxy for the MAC addresses of the virtual server(s)
the only drawback I am aware of is that you cannot use DHCP for configuring the network interfaces of the guest systems

So here comes a walkthrough for boxes running at least kernel >= 2.4 (I actually tried with a 2.6.26):

The scenario to build up will be a physical server with one network interface, containing two virtual KVM instances. Each of the KVM instances shall get an externally reachable IP address coming from a dedicated subnet and without revealing their "new" MAC addresses to anyone else but the KVM host system.

If you don't have an entire subnet but only a couple of possibly even segmented individual IP addresses instead, skip this article and proceed to this followup article, dealing with individual IP addresses.

Prerequisites:

install iproute
install bridge-utils
install iputils-arping
not actually a requirement, but very useful when testing if everything is ok

Beware that going on now might cause terrible sideeffects, (ie. rendering your KVM host being unreachable over the network), but if you do everything as explained, you should be safe :-)

so, if you like, action time:

reconfigure your host system's network:
open /etc/network/interfaces and add a br0 section like this:

[...]
auto br0
iface br0 inet static
  address 192.168.80.254
  network 192.168.80.0
  netmask 255.255.255.0
  bridge_ports none
  post-up sysctl -w net.ipv4.conf.br0.proxy_arp=1
  post-up sysctl -w net.ipv4.ip_forward=1
  pre-down sysctl -w net.ipv4.conf.br0.proxy_arp=0
  pre-down sysctl -w net.ipv4.ip_forward=0

apply settings
ifup br0

check your settings:

% ifconfig
br0       Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          inet addr:192.168.80.254  Bcast:192.168.80.255  Mask:255.255.255.0
          inet6 addr: fe80::21c:c4ff:fedb:f3eb/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
[...]

eth0      Link encap:Ethernet  HWaddr ac:00:00:00:01
          inet addr:192.168.70.1  Bcast:192.168.70.255  Mask:255.255.255.0
          inet6 addr: fe80::21c:c4ff:fedb:f3eb/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
[...]

Yes, scary, a "network card" with a 00:00:00:00:00 MAC address, but don't be afraid, more is to come ;-)

add the virtual devices that the two virtual guests will use, add them to the bridge and make them available:
tunctl -b -u root -t vnet0 tunctl -b -u root -t vnet1 brctl addif br0 vnet0 brctl addif br0 vnet1 ifconfig vnet0 up ifconfig vnet1 up
These are manual steps, in case you have created your virtual machines using libvirtd, modify the guest configuration file in /etc/libvirt/qemu/$NAME_OF_THE_GUEST.xml and ensure that there the "bridge" interface references our br0 bridge:
```
[...]
<interface type='bridge'>
  <source bridge='br0'/>
</interface>
[...]
```
start up your virtual guests:
% kvm \ -boot c \ -drive file=/location/of/virtual/hdu/vhost0.qcow2,if=virtio,index=0,boot=on \ -net nic \ -net tap,ifname=vnet0,script=no
and for the second one:
% kvm \ -boot c \ -drive file=/location/of/virtual/hdu/vhost1.qcow2,if=virtio,index=0,boot=on \ -net nic \ -net tap,ifname=vnet1,script=no
and once more, if you use libvirtd, you might also use virsh or virt-manager to start up the two virtual guests.

configure the network of your guests:
If your guests are Debian based again, open /etc/network/interfaces for each guest and configure it, for the first one:

auto eth0
iface eth0 inet static
  address 192.168.80.1
  network 192.168.80.0
  netmask 255.255.255.0
  # the gateway is the IP of the br0 bridge on the KVM host
  gateway 192.168.80.254

and for the second one:

auto eth0
iface eth0 inet static
  address 192.168.80.2
  network 192.168.80.0
  netmask 255.255.255.0
  # the gateway is the IP of the br0 bridge on the KVM host
  gateway 192.168.80.254

That should be it. Not exactly "extremely simple", but still not too complicated either :-)

You can test your configuration by pinging around on the guest systems. You should be able to ping 192.168.80.254 (the br0), 192.168.70.1 (eth0 on the host). If however you ping other machines, say 192.168.1.123, you would need a route back from it to the 192.168.80.0 subnet. The "router" for that subnet is 192.168.80.254 then. But typically this is handled by your "real" routers (and is beyond the scope of this already far too long posting :-)

Happy hacking!

[1] http://riaschissl.blogspot.com/2009/06/scary-and-incompetent-support-at.html
[3] http://lartc.org/howto/lartc.bridging.proxy-arp.html
[4] http://www.sjdjweis.com/linux/proxyarp/

scary and incompetent support at hetzner.com

2009-06-05T14:12:00.004+02:00

Yesterday we had to install a KVM [1] instance on one of our customers' server hosted at hetzner.com

What seemed to be easy and trivial prooved to be extremely annoying because after activating the KVM instance, the support people at hetzner.com "deactivated the server due to illegal activities".

The entire story goes like this:

A couple of days ago we ordered an additional subnet allowing VPS usage for the server in question and eventually received two emails:

One in the morning, containing one additional IP address within the same subnet that the server was already in and then, on midday, a second email containing information about an entire additional subnet.

Now after receiving the first email in the morning, we started configuring the KVM instance to use it. For that purpose we followed the guide [2] (in German) available on hetzner's wiki.

Then, after starting the KVM instance, it worked for a couple of minutes without problems - until we received an Email from the support at hetzner telling us that we had used an illegal IP address and therefore the entire server had been deactivated.

Bummer! The entire server had been taken offline, leaving our customers very commercial platform completely unaccessible ...

After a first moment of panic we contacted the hetzner support. After sending emails back and forth between their support and us for five hours and finally even sending a FAX to them, the server went online again after being offline for more than five hours.

Now the weird thing is that it seems to be impossible to get reasonable information on what exactly went wrong and how to circumvent it.

So, be warned to perform a KVM installation on hetzner root servers, you will be locked out without reasonable explanations ...

[1] http://www.linux-kvm.org/
[2] http://wiki.hetzner.de/index.php/KVM

unsubscribing from majordomo mailinglists

2009-05-27T19:01:00.009+02:00

If you are like me subscribed to a variety of mailing lists, it can be quite an annoyance when unsubscription information is neither contained in the mail headers nor can be found on the web page you originally subscribed on (or exactly this page is broken).

Fortunately this does not happen too often, but if it happens, I always have forgotten how it worked last time, so here's a little cheat sheet about how to unsubscribe from majordomo mailing lists w/o using a webpage:

Say you have subscribed to very.important.list@example.com and know that it is controlled by a majordomo [1] installation, you have a few "hidden" features that a typically configured majordomo server supports.

In the example above, it is very likely that the majordomo server is reachable by the majordomo@example.com or majordomo-owner@example.com email adresses.

Reachable means that you can send commands to it using an ordinary plain text email. So if you send an email containing the lines below without any (digital) signatures in plain text to the majordomo server, you can do the following:

show information about the list you subscribed:
INFO very.important.list

list all accessible mailing lists:
LISTS
subscribe to one of those mailing lists:
SUBSCRIBE very.important.list your.email.adress@example.com

unsubscribe from a mailing list:
UNSUBSCRIBE very.important.list
some majordomo installations might also require you to add your email address:
UNSUBSCRIBE very.important.list your.email.adress@example.com

unsubscribe from all mailing lists hosted on the same majordomo server:
UNSUBSCRIBE *
some majordomo installations might also require you to add your email address:
UNSUBSCRIBE * your.email.adress@example.com

get some help:
HELP

Depending on the majordomo version and settings, plain text is mandatory.

And finally, it is important of course that you use exactly the same email address for unsubscription that you used for subscription :-)

[1] http://www.greatcircle.com/majordomo/

real time encrypted directories in Mandriva 2009.1

2009-05-07T23:57:00.008+02:00

Data encryption is no obscure thing only secret agents and computer experts should know about but instead be a fundamental precausion against theft of the storage medium or even the entire computer you have stored your personal data upon.

The choices are many in Linux, ranging from creating dedicated partions to encrypted directories and finally single files.

I won't go too deep into the technical alternatives you have (ranging from special file systems to "simple" commandline encrypting/decrypting tools), instead I will focus on LUKS ("Linux Unified Key Storage") [1] and [2], that is the current state of the art in Linux these days.

So what I want to do is to create a new encrypted /encrypted directory that can either mounted manually and optionally also automagically during boot:

As root, ...

create a huge file, as big as you want your directory ever to become:
dd if=/dev/urandom of=/secure bs=1M count=4096
That gives you a 4GB large file named /secure. Beware that the creation of the file will take a couple of minutes (fast SATA disks come in handy here :-)
setup an ordinary loop device pointing to the new file:
losetup /dev/loop0 /secure
load some kernel modules
modprobe dm-mod modprobe dm-crypt
create an encrypted filesystem on the device:
cryptsetup luksFormat /dev/loop0
The password you enter here is crucial for you to continue, so use a resonably "save" one and be sure not to forget it :-)
test if everything is fine
cryptsetup luksOpen /dev/loop0 secure
If the command succeeds, you should have a newly created block device named /dev/mapper/secure
format the new device
mkfs.ext3 /dev/mapper/secure
mount the new device
mount /dev/mapper/secure /encrypted
closing the encrypted directory
If you are finished working with your encrypted data, you need to umount the directory and close the crypto channel for it:
umount /encrypted cryptsetup luksClose /dev/mapper/secure losetup -d /dev/loop0

Now that wasn't too difficult. Optionally, you might also want to have the directory mounted automagically at boot time, but that will have to wait a bit :-)

Caveat:

performance
without surprize, encryption comes with a prize: both read and write access to your encrypted directory are slower of course (you can expect about half the performance compared to an unencrypted directory). But the performance hit is heavly influenced by the CPU & OS architecture you have (64bit noticibly beats 32bit).

disk/file corruption
If your hard disk fails or - for whatever reason - your image file becomes corrupt (bad RAM modules, buggy I/O controllers, ...), then the chances you end up with a complete data loss increase if the problem occurs in the "sensitive" parts of your image file (or let it even be a seperate partition). So encrypting your data increases the need to backup your data!

[1] http://luks.endorphin.org/, seems to be dead right now
[2] http://www.saout.de/tikiwiki/tiki-index.php?page=LUKS

"net anonymity" vs. "fight against child pornography"

2009-05-01T11:08:00.007+02:00

IT security is my daily business and so, amongst other things, I am very interested in state of the art technologies applicable also for the "greater" public.

The torproject [1] provides not only "security for the masses" but also "anonymity for the masses". Anybody using the tor network infrastructure is "safe against eavesdropping", given todays state of technology.

Now as much as I support everybody's right of anonymity and really see it as a very basic human right, as much imporant to me is the protection of children against being sexually abused.

As it seems, the tor network has become a "save heaven" for really the lowest of lowest of lowest kinds of crappy pedophiles.

I mean, I really believe that "the authorities" should not have the general right to interfere with privacy, but it must be possible for them to interfere in case of major criminal actions, when an independent judge or similar has approved it.

The conflict between protecting internet users from countries that have no independent jurisdiction (dictatorships ...) on the one hand and between tracking down people raping children on the other hand should always be resolved in favour of the weaker party, in that case the really innocent, badly hurt children.

I know that the fight against child pornography as well as the fight against terrorism can be a "killer argument" against any kind of anonymity and that it has indeed been misused more than once in the past by many countries around the world, but what is the alternative? Letting pedophiles continue to destroy children and call this "the price of our free societies". No no no, just no.

One might argue that the actual abuse is not done by those sites but by the people physically hurting the children and closing down those sites won't save the children from being hurt. That may be true at first glance, yet it is a known fact that the child pornography industry is huge (see [2] or [3]). And on the other hand, removing the audience for "private" molesters will make it less attractive for them and reduce the stimulus for other potential molesters.

So eventually, I believe that anonymity is no absolute, untouchable right. Every technology not allowing lawfull interception should be banned, with the keyword being lawfull.

[1] http://www.torproject.org/
[2] http://www.crime-research.org/news/22.03.2004/146/
[3] New York Times article on child pornography

ThePirateBay convicted

2009-04-17T12:41:00.004+02:00

what a weird decision ...

So indeed a court in Sweden found the guys from The Pirate Bay guilty for "support for copyright-infringement" and other absurd things.

Besides the court's obvious ignorance of how search engines work and what they do, this is a slap into the face for a whole generation of young people.

How many people of the - I don't know - "below 30 generation" haven't used The Pirate bay at least once? Even I myself, soon hitting the 40 barrier, use it regularly, like I use google.

This entire trial is about the criminalization of an entire generation, about how "bad" todays young people are compared to previous generations. The good thing though is that dinosaurs have died off as well, so there is still hope.

Previous "young generations" had their revolutions about free love and against the stark and stiff societies they lived in, so this revolution is about digital freedom.

databinding in ExtJS sucks

2009-04-14T15:37:00.003+02:00

For some of our Web2.0 projects we are using ExtJS [1] as the client side "framework".

ExtJS applications look very nice, but if you check what's going on below the surface, one is has some doubts about its "enterprise grade".

One of ExtJS's major problems is that most of the time data binding is only one way (from server to the browser) but not the way back.

Usually data binding consists of a number of steps:

both server and client have to agree on a common "language" that describes the data they want to exchange (typically XML along with XSD or just plain JSON)
the client (=ExtJS) calls some service on the server
the server sends the data in the predefined format
the client typically puts the received data into so called "Stores". Such a store contains records, each of them representing something like a "row" as found in "traditional" relational databases
the client displays certain UI elements (a textfield, dropdowns, ...) that are linked to the data received previously
if the user now changes some of the data displayed, it would seem logical that the data in the store is updated according to the users changes - but that is not so. There is no (easy) way back into the store, where the original data is located.

That is one of the reasons, why we are not developing new applications using ExtJS anymore but smartclient [2] instead, but that's another story :-)

However, for existing applications we still need to find new and "fascinating" workarounds to achieve what we need ...

[1] http://www.extjs.com/
[2] http://www.smartclient.com/

minimizing Javascript code

2009-04-08T21:12:00.006+02:00

When using Web 2.0 technologies for creating those wonderful, allmighty browser applications that every customer can be made happy with, the Javascript code on the browser side can easily become thousands of lines.

Newer browers (FF>=3, IE=>7) deal quite nicely with huge Javascript files, but older ones have a hard time dealing with it. Load times ten times longer compared to newer browsers are not seldom.

One way to improve initialization time on those browsers is to crunch the Javascript code to be as small as possible. One easy way for example would be to remove all unnecessary line breaks and white spaces.

However, this is by no means the optimum and removed line breaks and white spaces would render the code almost unreadable for yourself.

The solution is to use one of the many Javascript crunchers, minifiers, packers or whatever they are called.

So here come of the open source crunchers I've tried so far:

JSMin - the JavaScript Minifier [1]
The major drawback I found here is that it is not unlikely to break your code (it broke mine :-) and that the optimization is quite simplistic. Furthermore it is "quite" old (2003).

On the other hand, there is even an apache module making the crunshing process completely transparent [2]
pack:tag [3]
Used as a JSP-Taglib, one can easily have it dynamically crunch JavaScript and CSS files on the fly. It can even configured to combine many files into one and deliver that one to the clients.

Major drawback here is that it is limited to JSP and that it has no commandline interface at all (but one could argue if it requires one of course :-)
jawr [4]
A Servlet oriented approach with many interfaces for the "default" frameworks such as Spring or Struts. One nice feature is that you can split your JS files into human digestable parts and have jawr combine (and crunch and optimize) them for deployment.

The major drawback here is that it is limited to the Java world and once more that it lacks a commandline interface.
Yahoo YUI Compressor [5]
This is one of the first crunchers I've played with - and it is still the one I like most.

It works with both JS and CSS files, can be easily configured on what to optimize using commandline switches (yes, I admit: I like commandline tools :-)

Due to its commandline nature, it can easily be integrated into any deployment process, making it available for any type of project at least I have to deal with.

If you want to compare both resulting size and crunching time of some prominent compression tools, there is a nice comparison service at http://compressorrater.thruhere.net/

[1] http://crockford.com/javascript/jsmin
[2] http://code.google.com/p/modjsmin/
[3] http://www.galan.de/projects/packtag
[4] https://jawr.dev.java.net/
[5] http://developer.yahoo.com/yui/compressor/

removing a passphrase from a X.509 certificate

2009-04-06T17:08:00.003+02:00

If you are running services relying on certificates (mostly encryted onces, like TLS or SSL based ones), you normally don't want to enter any kind of password each time the service starts (like with an externally reachable HTTPS server that is supposed to come up without any user interaction).

Instead what you need after getting a fitting X.509 certificate is to remove the passphrase from the private key.

So in order to do so, you can remove the key using the following simple openssl commands on your certificate file:

openssl rsa -in mycert.pem -out newcert.pem
openssl x509 -in mycert.pem >>newcert.pem

Found on http://madboa.com/geek/openssl/#key-removepass

Linksys RVS4000 telnet madness

2009-03-17T16:46:00.006+01:00

Our company's network access is implemented by an ordinary DMZ style configuration, with one firewall being directly at the outside and one internal firewall shielding the internal net from the DMZ.

For various reasons we had to replace our internal firewall and decided to go with the (affordable) Linksys RVS4000 [1], mostly because it runs Linux and equally imporant it offers QoS and gigabit ethernet.

Due to some problems with getting QoS doing what I wanted, I decided to look for options to directly access the box using telnet or even better ssh.

Telnet access can be easily activated by browsing to
http://$ROUTER_IP/Hidden_telnet.htm but guess what happens after activating it ...

It allows you to log into the box as root without any password and the worst part of all, it even opens the telnet port to the WAN side, leaving the box completely open for any kind of attack - if could be even regarded as an attack then ...

Using some kind of firewall trick you can at least reroute WAN access to nirvana, but having a passwordless telnet running even on the internal side is unacceptable. Absolutely weird for a "business" device.

[1] http://www-at.linksys.com/servlet/Satellite?c=L_Product_C2&childpagename=AT%2FLayout&cid=1174609010863&pagename=Linksys%2FCommon%2FVisitorWrapper&lid=1086318843B01

mail notification in Thunderbird only for some accounts

2009-03-12T20:50:00.004+01:00

Thunderbird already comes with a reasonable mail notification popup that tells you when new mail has arrived.

However, if you happen to have more than one email account like me, the default mail notifier by Thunderbird quickly becomes annoying, because I don't want the mail notifier popup each time a mail arrives in any of the accounts but only one particular one.

A good alternative to Thunderbirds notifier is the "Mail Alert" addon [1]. It allows you to trigger changes on any arbitrary mailbox folders and thus is exactly or even better than what I was looking for.

One final hint: you can craft the contents of the popup message by using variables such as sender, subject, ... You can get a listing of those variables by opening the Mail Alert help.

[1] https://addons.mozilla.org/en-US/thunderbird/addon/2610

improving synaptics touchpad tapping behaviour

2009-03-11T22:06:00.009+01:00

[UPDATE]: this post is not entirely correct, because under some cirumstances the synaptics configuration in xorg.conf is completely ignored and thus syndaemon will simply not do what it should. A followup article will come soon.

Occasionally I have to work without having a real mouse and thus am relying on my laptops very ordinary Synaptics touchpad. Now one of the most anoying sideffects of working with the touchpad only is that I permanently seem to unintentionally move around the mouse pointer with some parts of my hands while typing ...

But - there is hope and countermeasures :-) What I want to have is the touchpad being deactivated while I type something and reactivated in a "resonable" time.

Preface: the steps below are valid for Mandriva 2009.1, but are probably not much different for other distributions.

First ensure that SHMConfig has been activated in xorg.conf, eg like this:

Section "InputDevice"
  Identifier "SynapticsMouse1"
  Driver "synaptics"
  Option "SHMConfig" "on"
EndSection

The synaptics man page says that you should be aware that enabling SHMConfig poses some kind of security risk, because enabling it gives any user on your box access to your touchpad's configuration ... well, that seems to be a risk worth taking :-)

Having turned on SHMConfig, you are now able to control your touchpads behaviour using synclient and syndaemon. Both have reasonable man pages, if you want further information.

The next step is to tell syndaemon to deactivate the touchpad while typing and reactivate it afterwards. And, because this is such a nice feature, it should also be available to any user on the system.

As root, create /etc/X11/xinit.d/99syndaemon with any editor of your choice (very likely it does not exist already) and insert the lines below:


#!/bin/bash

syndaemon_is_running=`pidof -c syndaemon`
if [ $? -eq 0 ] ; then
   if [ -f "/usr/bin/syndaemon" ] ; then
       /usr/bin/syndaemon -d -t -i 2 > /dev/null 2>&1
   fi
fi

And finally make the new file executeable:
% chmod 755 /etc/X11/xinit.d/99syndaemon

Log out and in again and that should be it.

Of course there are many ways to have an application autostart upon X11 login, but I personally perfer the xinit style.

All the settings of your touchpad can be queried using the synclient command:
% synclient -l

Installing Torbutton on Mandriva 2009.1

2009-03-11T13:06:00.008+01:00

As it seems we are all about 2 be surveillanced to an extend where it really starts to hurt even me as an "ordinary" user. So one of the possibilities one has is to use Tor [1]. Tor essentially allows you to browse the internet without others eavesdropping you and tracking, what sites you accessed (or at least, it makes it extremely difficult, if not impossible).

The steps to have it up and running on my Mandriva 2009.1 installation are straight forward:

install Tor [1]
% urpmi tor
and then start it
%/etc/init.d/tor start
install Privoxy [2]:
Privoxy is a transparent SOCKS proxy that eventually connects your Firefox with the Tor infrastructure. Basic installation is easy again with urpmi:
% urpmi privoxy
configure Privoxy:
That is a bit "more" tricky, because the default configuration coming with Mandriva's Privoxy is - without suprize - not really suitable for Tor usage. So the easiest way to get things going replacte the contents in /etc/privoxy/config with the following lines of magic, coming mostly from [3]
# Tor listens as a SOCKS4a proxy here: forward-socks4a / 127.0.0.1:9050 . confdir /etc/privoxy logdir /var/log/privoxy actionsfile standard.action actionsfile default.action actionsfile user.action filterfile default.filter # Don't log interesting things, only startup messages, warnings and errors #logfile logfile #jarfile jarfile #debug 0 # show each GET/POST/CONNECT request #debug 4096 # Startup banner and warnings debug 8192 # Errors - *we highly recommended enabling this* user-manual /usr/share/doc/privoxy/user-manual listen-address 127.0.0.1:8118 toggle 1 enable-remote-toggle 0 enable-edit-actions 0 enable-remote-http-toggle 0 buffer-limit 4096
Then start privoxy:
% /etc/init.d/privoxy start

grab Torbutton [4]:
What I ideally wanted was a simple tool integrating nicely and easily with my Firefox 3.x, and Torbutton is exactly that. Installation directly from [4] is hasslefree.
test drive:
Right-Click on the red "Tor Disabled" message in the right bottom of the FF statusbar, choose "Preferences" and in the "Proxy Settings" panel left click "Test Settings". The test may take a while, for me it was 1 minute or so, so be patient.
engage:
If the test from above was successfull, you may turn on Tor by left clicking on the red "Tor Disabled" message in the right bottom of the statusbar and try to access some sites.

If you feel happy enough to use Tor permantently, you should of course not forget to permantently enable the Tor and privoxy services (eg. using chkconfig).

Not too complicated to do, but a huge security improvement.

The major drawback however is that the connection speed is ... "slow" to say at least, but maybe there are still problems on my side.

Next step will be further optimizations and maybe even setting up a Tor relay, but let's see first how things are going.

[1] https://www.torproject.org/
[2] http://www.privoxy.org/
[3] https://wiki.torproject.org/noreply/TheOnionRouter/PrivoxyConfig
[4] https://addons.mozilla.org/en-US/firefox/addon/2275

Debugging JS problems in IE6 and IE7

2009-03-04T19:47:00.008+01:00

There are again a lot of sites dealing with this crappy piece of browser lacking any reasonable way to debug JavaScript errors on it's own.

The options you have are quite a lot:

use the "Microsoft Script Debugger" [1]
the oldest and worst possibility, causing instability for Windows as a whole, making your IE crash and many many more bad sideffects. IMHO - just don't use it, it is absolutely not worth it.
use the "Microsoft Script Editor"
This piece of software comes only with Office 2003, no other office version has it. From what I've read, it is supposed to be quite nice, but ... who has Office 2k3 around - I don't have it.
use "Firebug lite" [2]
At first glance, it looks completely like its big brother, but only at first glance. If you try to debug JavaScript error messages, firebug lite is not able to give you more information that IE itself sparks out. So it is quite useless in that regard, unfortunately :-(
use "Visual Web Developer 2008 Express Edition" [3]
The free version of Visual Studio comes with everything you need to debug JS errors like one is used to in FireFox. The only and main disadvantage here is that you have to install a fully bloated IDE including useful components like MS SQL Server Express ... well, I just wanted to debug JavaScript errors in IE and have to install MS SQL Server, quite weird, IMHO ...

But once you have completed the installation procedure, you can indeed debug JS errors.

The easiest way to do so is by creating a new website, clicking on the "start debugging" icon in the icon bar that opens the default browser (that must be set to IE in that special case). Entering any URL then let's you debug problems on that URL.
use "Companion.JS" [4] - my favourite :-)
At first and second glance this looks quite promising. Prequisite for that piece of software is to install the (crappy) "Microsoft Script Debugger" from above, but the rest seems to be quite OK. JS errors are displayed with the correct filename, the line numbers however are not 100% correct (ie. showing me errors at line 1 where the file comment header starts ...). But certainly the easiest way to get JS debugging.
The only thing I don't seem to find is licensing information for that software.

So quite a long story for such a trivial task as debugging JS in IE ...

Btw, IE8 is "supposed" to improve this situation, coming with a JavaScript console sparking out reasonable error messages, but I haven't tried so far.

[1] http://www.microsoft.com/downloads/details.aspx?FamilyID=2f465be0-94fd-4569-b3c4-dffdf19ccd99&displaylang=en
[2] http://getfirebug.com/lite.html
[3] http://www.microsoft.com/express/download/#webInstall
[4] http://www.my-debugbar.com/wiki/CompanionJS/HomePage

VirtualBox: booting from an existing "raw" partition

2009-03-03T19:55:00.006+01:00

The problem when trying to run a guest OS inside VirtualBox that can also be booted physically using grub is that grub will refuse to cooperate if you try to invoke it from within VirtualBox.

There are quite a lot of HOWTOs on the net dealing with this issue, but none made me really happy. So here's my setup:

one HDU /dev/sda
Mandriva 2009.1 on /dev/sda2
Windows XP on /dev/sda1
grub as a boot loader

So what I wanted to do was to have VirtualBox boot my existing Windows installation.

BEFORE you start, boot natively into your Windows installation and create a hardware profile reflecting the native hardware components (Control panel->System->Hardware profiles). That allows you always have a working hardware configuration, not matter if you boot natively or using VirtualBox.

The steps to achieve this are simple:

install syslinux

create a dedicated boot loader (as root):
% dd if=/dev/zero of=dummy.img bs=1M count=50 % losetup /dev/loop0 dummy.img % dd if=/usr/lib/syslinux/mbr.bin of=/dev/loop0

extract the boot loader (as root):
% dd if=/dev/loop0 of=wxp.mbr bs=512 count=1

create a virtual disk pointing to the existing partition (as ordinary user):
% VBoxManage internalcommands createrawvmdk -filename ./wxp.vmdk -rawdisk /dev/sda -partitions 1 -mbr ./wxp.mbr -register

create a new VM using the VirtualBox GUI

choose "existing" in the "virtual hard disk" page

and add the wxp.vmdk file to the list of known hard disks

Complete the creation process and finally boot your WXP installation - that should be it :-)

BES activation with BIS active

2009-03-03T12:13:00.003+01:00

This is driving me almost insane. I am trying to activate a Bold 9000 with the newly installed BES installation, but no matter what I try, the device always quits the activation process with a "server not responding" message.

Whereas BES installation was relatively trivial, BES activation seems to be absolutely weird ...

I've read about the many possibilities why this can fail, starting from the order that the BES components are started [1] to a bug entry for zimbra [2]

All in all this seems to be the point where once more the disadvantages of closed source, proprietary protocols come to light, because the documentation is "limited" so say at most ...

[1] http://thebackroomtech.com/2008/03/05/the-correct-order-to-stop-and-start-bes-services/
[2] http://bugzilla.zimbra.com/show_bug.cgi?id=20668

installing Blackberry Professional Software on Windows XP

2009-02-28T01:13:00.004+01:00

One of our customers wanted to have BPS installed and due to the fact that our company is very OpenSource & linux centric, we did not want to have a full fledged W2Kx server deployed for that purpose but rather utilize an ordinary (old) WXP installation, fitting better into the existing Samba based infrastructure.

Various posts out in the wild indicate that it "should" be possible, but nothing that really shows the winding path needed to get it up and running.

For some time the installer drove me mad because it refused to install with a "enter a valid password" popup. Yet in the end, there isn't much about it except a couple of things to keep in mind:

create a seperate login user for the BPS/BES services
that user must be in the local Administrators group
that user must have the right to run services (check local security policies)
file sharing must be enabled on the WXP box so that BES/BPS can authenticate the user during install (and later on)

The rest ist quite exactly as laid out in the excellent installation manuals provided by RIM [1]

[1] http://www.blackberry.com/knowledgecenterpublic/livelink.exe?func=ll&objId=1382176&objAction=browse&sort=name

what this will be

2009-02-28T01:06:00.004+01:00

so once more a tiny fragment for the world's information waste. In reality I actually don't have the insatible desire to add do this waste, so may the force be with me that it won't all be waste only :-)