ewx: (geek)

Notes from upgrading a couple of machines to Debian wheezy:

  • Dovecot made quite a mess of upgrading itself and needed a lot of configuration file surgery. Fortunately not much had changed in a non-obvious way; things had just moved around and the upgrade hadn't carried the prior configuration across.
  • mediawiki needed some manual database surgery and running a script.
  • mysql seems to have silently terminated at some point in the last 12 hours. I’ll see if it happens again.
  • rpc.nfsd hung during the upgrade of nfs-kernel-server. I killed it, which unwedged the upgrade, and removed the package so I could proceed. Reinstalling after a reboot worked fine.
  • Large chunks of /dev seem to have acquired a sticky bit, which causes swapon to complain (but not to fail). This seems to be a way for udev to record a single bit of information per device.
  • PHP started emitting cron junk mail twice an hour until a removed package was purged.
  • logrotate has got a bit pickier about permissions on /var/log.
  • synaptic now seems to be confining its terminal output to a 31x3 character subwindow. I've not yet found an option to change this.
  • snmpd's reporting of temperature sensors has randomly mutated, leading to even odder temperature graphs than usual until I spotted it.
ewx: (geek)

Before Upgrading

I tried a live CD (well, SD card) of 12.04 to check it worked. It needed help finding firmware for my wireless but with that copied from the existing install it worked fine. It supported my trackpad better than 10.04 did.

Upgrade instructions always tell you to back up first. They have a point but really, it’s the wrong approach: what you should be doing is backing up anything you care about routinely, so that when you come to perform a risky operation you don’t have to make a special backup. So rather than make a backup I just checked that the latest backup of the target machine was recent enough.

Upgrading From 10.04

To get Update Manager to show 12.04 as available you need to have it set to check for only LTS releases and to start it as update-manager -d. The latter at least is deliberate; apparently LTS users are not being automatically offered an upgrade until the first point release.

The upgrade disabled third party sources. (It was easy to restore them after the upgrade, via Update Manager’s settings.) I reviewed the packages to be removed (only two) and “no longer needed” (sixty). It wasn’t clear from this whether the latter would be removed or not, but nothing in the list looked irrecoverably essential, so I went ahead anyway.

It took about four hours to download all the packages, with the download rate going all over the place. I think they were having a busy day.

After this the upgrade only required interaction once that I recall, when Glibc asked which services to restart. (Services ought to be able to advertise their restart-on-upgrade requirements so that there’s no need to get user confirmation.)

During the upgrade a dialog box with unreadable text popped up. Copy + paste revealed that the text said “An error occurred while loading or saving configuration information for evolution-alarm-notify. Some of your configuration settings may not work properly.” I don’t use Evolution so I stopped caring and clicked what I think was “OK”. This happened twice, and it didn’t block the progress of the upgrade; this is obviously some other program complaining about some rug having been pulled from under its feet.

Having finished it announced that it had 14 packages to remove and another 423 that were no longer needed. Since it was mentioning things like gdm I hit “Keep”. (As it turns out, 12.04 uses a different display manager, so I needn’t have worried.) After reboot it took a little longer than I expected to come back up but it did let me log in.

After Upgrading

The guest session was enabled by default. I don’t approve. More worryingly after a wander through the system settings I didn’t encounter a way to disable it! This page describes how. Upstart didn’t seem to be able to restart lightdm so I rebooted instead.

Using the “print screen” key to take a screenshot is unreliable. For instance, it doesn’t work when a drop-down menu is being displayed.

Unity

It’s certainly not as bad as people say it is. Menus seem to be attached to windows again, which IIRC wasn’t the case in earlier iterations. This has its advantages, but is a shame in some ways: putting menus at the edge of the screen makes them easier to aim for.

The “folding up” effect to fit the whole Launcher on screen when not in use is a bit distracting. Rearranging its contents is impeded by the problem that dragging an icon to the top or bottom of the screen doesn’t scroll the launcher - so to move icons a great distance can mean multiple operations. Reducing the icon size helps with this but of course this also reduces the target area. Removing applications you don’t need also helps - this requires dragging them to the Rubbish Bin at the bottom. Canonical have a bit more to learn from Apple on this point; the Dock has a right-click menu offering a variety of operations, including removal.

The bias towards occupying all of the available screen is pretty welcome on my netbook’s small display.

The icons at the bottom of the Dash could really do with some tooltips. The Home, Music and Films icons are clear enough but I couldn’t have told you what the Applications icon meant before clicking on it and ditto the Files and Folders icon.

Dragging items from the Dash to the Launcher sort of works - when I tried doing it for the Screenshot program, I ended up with a gap in the Launcher that can be clicked on to start the program but not dragged into the Rubbish bin.

After a restart the problem went away.

The narrowness of the settings/power icon at the top right of the screen causes an ergonomic problem: the menu that drops down from it is wide and the text a long way to the left, and it’s natural to move the pointer down and left to reach the menu items. But it’s too easy to cross the menu to the left of it first, resulting in a switch to that menu instead. If you aim for “System Settings” you risk ending up with “Switch user account”.

System Settings

On going into the Appearance settings, I was informed that “Ubuntu 10.04 has experienced an internal error”. The matter seems to be in hand. The timing may well have been coincidental.

Sliders having a marker at the default position, to make it easy to restore default behavior, is a great idea, and one I don’t think I’ve seen elsewhere.

Language Support takes several seconds to start up even on second and subsequent times, and was ridiculously slow the first time. This is evidently a known problem since you get to spend a while watching a progress bar. Once it’s got its act together, it offers a choice of none, ibus, lo-gtk or hi-gtk for the keyboard input method. There is a help button but it only tells you that the recommended choice is ibus (why isn’t it the default then?), and doesn’t offer any hints on how to make good use of it.

The Privacy window doesn’t make it particularly clear what kind of activity is being recorded and what is done with the records. Some kind of documentation is needed here.

The keyboard shortcuts list shows a couple of the shortcuts twice, which is a bit weird.

The trackpad supports two-finger scrolling but unfortunately doesn’t support reversing the direction.

Default applications and autorun settings are somewhat oddly under an opaque “Details” settings item, which otherwise tells you about your hardware (and which couldn’t identify my video card, although this didn’t seem to be causing anything else any trouble).

KDE and XFCE

You can install these using the kubuntu-desktop and xubuntu-desktop packages - no need to reinstall the whole system just to switch desktop environment. Both install their own branding which takes precedence over the native Ubuntu branding during startup; you can remove the relevant plymouth-… packages without disturbing anything else.

I bounced off the current iteration of KDE pretty hard but XFCE looked much more tolerable. Unity refugees should take a look.

ewx: (geek)

What do the Vm… entries in /proc/${pid}/status mean?

ewx: (geek)
richard@sfere:/usr/doc/debian-0.93$ cat README 
When the "real" release is made, this directory will contain
documentation specific to Debian GNU/Linux: the Installation
and Reference Manual (in text, DVI, and PostScript format), as well
as information about Debian Association, Inc., the Debian GNU/Linux
0.93 release notes, etc.  Due to the fact that the above is currently
in the process of being written, however, it cannot be included yet.

In the meantime, you can find the documentation that will be included
here at
 ftp.cps.cmich.edu:/pub/debian/doc
in whatever form it happens to be in.

I think I’ll leave that file in place.

IPv6

Feb. 6th, 2011 01:06 pm
ewx: (geek)

This weekend I set up an IPv6 tunnel for my home network (using tunnelbroker.net). The only real difficulties were (i) automatic configuration does not happen on hosts with IP forwarding enabled, and this applies to IPv4 forwarding as well as IPv6 forwarding; (ii) automatic configuration and Linux's ethernet bridging don't seem to play together very reliably.

Having IPv6 of course means that programs might actually use it, and sometimes this can be inconvenient. /etc/gai.conf lets you re-order hostname lookup results but this doesn't seem to be enough to actually stop the IPv6 address being used. Therefore I wrote a little LD_PRELOAD-based utility to completely suppress IPv6 addresses in getaddrinfo() results:

$ telnet ftp.uk.debian.org 80
Trying 2001:470:1f08:80b::2...
Connected to debian.hands.com.
Escape character is '^]'.
^]q

telnet> q
Connection closed.
$ noipv6 telnet ftp.uk.debian.org 80
Trying 83.142.228.128...
Connected to ftp.uk.debian.org.
Escape character is '^]'.
^]q

telnet> q
Connection closed.
$ 

Programs that use other APIs to look up hostnames won't be affected.

It includes a noipv4 program as well.

Get it here. Currently only works on Linux but shouldn't be hard to adapt to other Unix platforms.
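As an added example (not the author's noipv6 code), here is a minimal LD_PRELOAD shim of the kind described: it calls the real getaddrinfo() and unlinks the AF_INET6 entries from the result list. drop_family() takes the family as a parameter, so the noipv4 variant is the same shim with AF_INET; the build and run commands in the header comment are assumptions.

```c
/* Minimal LD_PRELOAD shim that hides IPv6 addresses from getaddrinfo().
 * Build (assumed):  gcc -shared -fPIC -o noipv6.so noipv6.c -ldl
 * Use (assumed):    LD_PRELOAD=$PWD/noipv6.so telnet ftp.uk.debian.org 80
 * Programs that resolve names some other way are, as the post says, unaffected. */
#define _GNU_SOURCE
#include <dlfcn.h>
#include <netdb.h>
#include <stddef.h>
#include <sys/socket.h>

/* Unlink every node with ai_family == family from the list at *head.
 * The removed nodes are re-linked into their own chain and returned so the
 * caller can hand that chain to freeaddrinfo().  Freeing a partial chain
 * this way relies on how glibc allocates the nodes, hence Linux-only. */
struct addrinfo *drop_family(struct addrinfo **head, int family) {
  struct addrinfo *removed = NULL;
  struct addrinfo **rtail = &removed;
  struct addrinfo **pp = head;
  while (*pp) {
    struct addrinfo *node = *pp;
    if (node->ai_family == family) {
      *pp = node->ai_next;      /* splice node out of the result list */
      node->ai_next = NULL;
      *rtail = node;            /* ...and onto the end of the removed chain */
      rtail = &node->ai_next;
    } else {
      pp = &node->ai_next;
    }
  }
  return removed;
}

/* Interposed getaddrinfo(): the dynamic loader resolves this definition
 * ahead of libc's, and RTLD_NEXT finds the real one for us to call. */
int getaddrinfo(const char *node, const char *service,
                const struct addrinfo *hints, struct addrinfo **res) {
  static int (*real)(const char *, const char *,
                     const struct addrinfo *, struct addrinfo **);
  if (!real)
    *(void **)&real = dlsym(RTLD_NEXT, "getaddrinfo");
  int rc = real(node, service, hints, res);
  if (rc != 0)
    return rc;
  struct addrinfo *removed = drop_family(res, AF_INET6);
  if (removed)
    freeaddrinfo(removed);
  if (*res == NULL)             /* the name only had IPv6 addresses */
    return EAI_NONAME;
  return 0;
}
```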

ewx: (geek)

Debian Squeeze has been released, so have a picture of Squeeze:

ewx: (geek)

For several years, my house router was an old PC with several PCI ethernet cards, running Debian lenny. It took up space, consumed much more power than the job really demanded, and was very noisy. So I wanted to clone the system onto some more appropriate platform.

My first candidate was a second hand Soekris net4501. I got a long way into setting this up before deciding to abandon it (see below for the reasons why), and switched instead to a Fabiatech FX5624. I completed the job using this system and it’s now in service.


ewx: (geek)

I upgraded a Debian lenny system to unstable. I ran into various issues:

ewx: (geek)

A while back I bought an HP Mini 210. This comes with Windows 7[1] but I fairly quickly installed Ubuntu 10.04 on it.

This worked pretty well except for two issues. Firstly the wireless networking was very flaky, and secondly the trackpad seemed to be miscalibrated - clicking clearly within the marked button areas produced a cursor move as well as a click.

As of this evening both problems appear to have fixed themselves.

I think that the wireless problem was actually a problem with my WAP. So that’s not especially mysterious (although it might mean getting a new WAP, if it recurs.)

The trackpad is more mysterious on the other hand. I’d got as far as fishing plausible-looking patches to the synaptics driver out of the upstream kernel and rebuilding the kernel with them applied but not as far as actually installed them, only to discover that the trackpad is behaving fine and that the kernel is using the psmouse driver.

My current theory is that venta’s goblins have a sideline in computer maintenance.


[1] Actually it also comes with a Linux install in the firmware, into which it boots by default and lets you run Firefox and some other stuff, not as far as I’ve yet found including a shell.

ewx: (geek)

I want access from my laptop to various services (web proxy and email) on my home network, even when I’m away. A convenient way to do this is to use SSH port forwarding. This is a nuisance to repeatedly initiate manually though; I would rather have my laptop run the SSH command automatically, and restart it after network outages.


ewx: (geek)

I got tired of the version of Xen in Debian stable being full of bugs, so decided to try KVM instead.

ewx: (geek)

I noticed, on my 64-bit Linux system, that gnome-panel was apparently using an awful lot of virtual memory.

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 3734 rjk       20   0  290m  16m 6668 S    0  0.8   3:22.05 gnome-panel

Virtual memory’s pretty cheap, so that’s not hugely problematic, but it seemed a huge amount for a glorified toolbar. I looked in /proc/3734/maps and found that about 260MB of that space belonged to shared libraries. Now, gnome-panel does use a lot of libraries, 82 to be precise, but 3MB per library sounded a lot, and the biggest of them is only 4MB. Looking closer I noticed that an awful lot of the libraries had 2MB (0x200000) non-executable mappings associated with them. As an example here are the mappings for GTK+ (with the size in hex added at the start for convenience):

3c7000 7f967efd6000-7f967f39d000 r-xp 00000000 fe:00 3111259  /usr/lib/libgtk-x11-2.0.so.0.1200.12
200000 7f967f39d000-7f967f59d000 ---p 003c7000 fe:00 3111259  /usr/lib/libgtk-x11-2.0.so.0.1200.12
  a000 7f967f59d000-7f967f5a7000 rw-p 003c7000 fe:00 3111259  /usr/lib/libgtk-x11-2.0.so.0.1200.12

The first line is the code segment and the last the data segment. But what’s the strange 0x200000 (2MB) mapping in the middle?

The answer took me a while to figure out.
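As an added example (not from the original post), the following tallies a /proc/PID/maps listing by permission class, which makes the share of VIRT taken by those inaccessible ---p mappings visible at a glance. The sample listing is the three GTK+ lines above in raw maps format; the struct and function names are mine.

```c
/* Tally a /proc/PID/maps listing by permission class.  The sample is the
 * three GTK+ mappings quoted above, in the raw maps format (without the hex
 * size the post prepended); main() reads this process's own maps instead
 * when /proc is available. */
#include <stdio.h>
#include <string.h>

struct maps_totals {
  unsigned long exec, writable, inaccessible, other; /* bytes per class */
  unsigned inaccessible_count;                         /* number of ---p maps */
};

/* Parse one line of "start-end perms offset dev inode [path]".  On success
 * stores the mapping size, permission string and path (empty for anonymous
 * mappings) and returns 1; returns 0 for a malformed line. */
int parse_maps_line(const char *line, unsigned long *size,
                    char perms[5], char path[256]) {
  unsigned long start, end, offset, inode;
  char dev[16];
  path[0] = '\0';
  int n = sscanf(line, "%lx-%lx %4s %lx %15s %lu %255s",
                 &start, &end, perms, &offset, dev, &inode, path);
  if (n < 6 || end < start)
    return 0;
  *size = end - start;
  return 1;
}

/* Walk a newline-separated maps listing and add each mapping to t. */
void tally_maps(const char *text, struct maps_totals *t) {
  memset(t, 0, sizeof *t);
  for (const char *p = text; *p; ) {
    const char *nl = strchr(p, '\n');
    size_t len = nl ? (size_t)(nl - p) : strlen(p);
    char line[512];
    if (len >= sizeof line)
      len = sizeof line - 1;
    memcpy(line, p, len);
    line[len] = '\0';
    unsigned long size;
    char perms[5], path[256];
    if (parse_maps_line(line, &size, perms, path)) {
      if (strcmp(perms, "---p") == 0) { t->inaccessible += size; t->inaccessible_count++; }
      else if (perms[2] == 'x')       t->exec += size;      /* r-xp: code */
      else if (perms[1] == 'w')       t->writable += size;  /* rw-p: data, heap, stack */
      else                            t->other += size;     /* r--p etc. */
    }
    p = nl ? nl + 1 : p + len;
  }
}

/* Constructed sample: the GTK+ mappings from the post, raw maps format. */
const char *sample_maps =
  "7f967efd6000-7f967f39d000 r-xp 00000000 fe:00 3111259  /usr/lib/libgtk-x11-2.0.so.0.1200.12\n"
  "7f967f39d000-7f967f59d000 ---p 003c7000 fe:00 3111259  /usr/lib/libgtk-x11-2.0.so.0.1200.12\n"
  "7f967f59d000-7f967f5a7000 rw-p 003c7000 fe:00 3111259  /usr/lib/libgtk-x11-2.0.so.0.1200.12\n";

int main(void) {
  static char buf[1 << 16] = "";
  FILE *f = fopen("/proc/self/maps", "r");
  if (f) { size_t got = fread(buf, 1, sizeof buf - 1, f); buf[got] = '\0'; fclose(f); }
  struct maps_totals t;
  tally_maps(f ? buf : sample_maps, &t);
  printf("exec %lu KiB, writable %lu KiB, inaccessible %lu KiB in %u ---p mappings\n",
         t.exec >> 10, t.writable >> 10, t.inaccessible >> 10, t.inaccessible_count);
  return 0;
}
```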

ewx: (geek)
richard@araminta:~$ cat t.c
#include <stdio.h>
#include <time.h>
#include <sys/time.h>
#include <assert.h>
int main(void) {
  for(;;) {
    time_t t;
    struct timeval tv;

    assert(gettimeofday(&tv, NULL) == 0);
    assert(time(&t) != (time_t)-1);
    if(t < tv.tv_sec)
      return printf("%ld %ld.%06ld\n", t, tv.tv_sec, tv.tv_usec);
  }
}

richard@araminta:~$ gcc -o t t.c
richard@araminta:~$ ./t
1255784018 1255784019.000000
ewx: (geek)

Steve gave me a Soekris net4501. I've been gradually getting this into shape for use as the house router. This page covers the details in case anyone else attempts something similar; some aspects were not entirely trivial.

Testing reveals that it can route data at (at least) 24Mbit/second, which is comfortably faster than the nominal speed of our Internet connection. It's much slower than the nominal speed of the house wireless but actually marginally faster than the measured speed, so I'm not worried about that either.

(“At least” 24Mbit/s because that could be a limit somewhere other than the Soekris.)

Usefully for the testing it turns out that crossover cables are no longer necessary, at least when connecting the Soekris to a modern Mac (and for all I know any other modern hardware).

Small PCs

Aug. 24th, 2009 05:42 pm
ewx: (geek)

I'm planning to get a Soekris net5501 to be the house router (so: IP routing, NAT, DHCP client/server, secnet VPN, DNS). Before I do, are there any similar devices I should consider as possible alternatives?

What I need is:

  • Silent or at least very quiet
  • At least three ethernet ports (house LAN, house wireless, upstream)
  • Must be able to run Linux without undue hassle

Nice to have but not necessarily essential:

  • Serial console (but I can faff around with a keyboard and monitor if it comes to it)
  • Compact flash storage (I have a spare 2GB card, which is unrealistically small for my camera)
  • x86 architecture (my plan is to transplant an existing lenny install onto it)
ewx: (geek)

I recently installed Debian lenny on a second-hand PC bought from fivemack. I think it went very well; I ran into a couple of minor installer wrinkles (described in detail in my installation report: in summary, poor feedback about a non-working network, and the partitioner hangs if you confuse it hard enough) but the onboard network, sound and video were correctly detected without any assistance from me, producing a reasonably functional Gnome desktop in a reasonable time.

lenny isn't quite released yet; however it is ‘frozen’, which I decided was good enough for me to get going with an install rather than put etch on the same machine.

Annoyingly my USB keyboard won't talk to the BIOS (other USB keyboards do though and I have a non-USB keyboard around for emergencies still) and therefore to Grub. It gets on fine with Linux however.

ewx: (geek)

I wrote this a while ago but never got round to posting it. The dust has since settled but it might be interesting to some nonetheless.

1) I try to use valgrind on something that involved OpenSSL. I can't even remember what. The exercise is significantly hampered by numerous false positives.

2) I identify OpenSSL's practice of passing uninitialized data to its RNG as part of the problem. This happens in two places.

(i) When RAND_poll (in crypto/rand/rand_unix.c) collects entropy from /dev/urandom (or an EGD), it reads data into a buffer called tmp_buf. It might not fill this buffer, but it nonetheless passes the whole buffer into the RNG. The balance of the buffer is uninitialized and valgrind warnings result.

I spotted this one, and my fix was to zero out the buffer before filling it. This may not be entirely obvious from the patch in the bug report but if you read it in context then it is plainly harmless.

(ii) When you ask for a random number, ssleay_rand_bytes adds the output buffer you're going to use for the answer into its calculation of new random data. I didn't spot this one. This is where the PURIFY ifdef can be found.

My fix for (i) was perfectly safe. Also, it does not cost you anything: if you were analyzing the security of OpenSSL you would have to ignore any contribution to entropy from the uninitialized part of the buffer; its uninitialized state means the compiler and language standard don't make any promises, it does not mean it's unpredictable on a given implementation. (Early in a program it is relatively likely to be all 0s for instance). So this change would not have removed any security guarantee worth the name.

Since I apparently didn't spot (ii) I didn't make any changes there, though if I had that would have been safe too for the same reason.
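As an added illustration of (i) (not OpenSSL's code, nor the patch from the bug report), the following miniature shows the three shapes the poll-and-mix step can take: the original, which feeds a partly filled buffer; the fix, which zeroes the buffer before the read; and the Debian change as the post describes it, which drops the mixing altogether. The entropy source is a constructed byte string that may return fewer bytes than asked for, and the pool is a toy 64-bit fold standing in for the real SHA-1 based state.

```c
/* Miniature of the RAND_poll / rand_add pattern from (i).  The source is a
 * constructed short-reading device; the pool is a 64-bit FNV-1a fold that
 * stands in for OpenSSL's SHA-1 based state (it is not the real algorithm). */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define POLL_BUF 32

struct source {            /* simulated device that may return short reads */
  const unsigned char *data;
  size_t len, pos, max_chunk;
};

/* Read up to want bytes, but never more than max_chunk per call. */
size_t source_read(struct source *s, unsigned char *out, size_t want) {
  size_t avail = s->len - s->pos;
  size_t n = want < avail ? want : avail;
  if (n > s->max_chunk)
    n = s->max_chunk;
  memcpy(out, s->data + s->pos, n);
  s->pos += n;
  return n;
}

/* Stand-in for ssleay_rand_add(): fold every byte into the pool state. */
uint64_t rand_add(uint64_t pool, const unsigned char *buf, size_t n) {
  for (size_t i = 0; i < n; i++)
    pool = (pool ^ buf[i]) * 0x100000001b3ULL;
  return pool;
}

/* Original shape: tmp_buf is passed whole even when only partly filled, so
 * rand_add() reads uninitialized bytes and valgrind reports it. */
uint64_t rand_poll_original(uint64_t pool, struct source *s) {
  unsigned char tmp_buf[POLL_BUF];
  source_read(s, tmp_buf, sizeof tmp_buf);
  return rand_add(pool, tmp_buf, sizeof tmp_buf);
}

/* Fix (i): zero tmp_buf before the read.  The bytes actually read still go
 * in, the tail is a known constant, and nothing uninitialized is touched. */
uint64_t rand_poll_fixed(uint64_t pool, struct source *s) {
  unsigned char tmp_buf[POLL_BUF];
  memset(tmp_buf, 0, sizeof tmp_buf);
  source_read(s, tmp_buf, sizeof tmp_buf);
  return rand_add(pool, tmp_buf, sizeof tmp_buf);
}

/* The Debian change as described in the post: the read that mixes the data
 * in is removed, so the pool never learns anything from the device. */
uint64_t rand_poll_no_add(uint64_t pool, struct source *s) {
  unsigned char tmp_buf[POLL_BUF];
  source_read(s, tmp_buf, sizeof tmp_buf);
  return pool;
}

/* Constructed sample entropy and a fixed starting pool state. */
const unsigned char sample_entropy[8] = {0x3a, 0x91, 0xf2, 0x07, 0x6c, 0xd8, 0x45, 0xbe};
const uint64_t POOL_INIT = 0xcbf29ce484222325ULL;
```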

3) I send my patch for (i) to Debian. I am after all using a Debian system.

4) Debian's OpenSSL maintainer spots (ii) as well but misunderstands (i), apparently concluding that the problem is not RAND_poll passing (partially) uninitialized data but in ssleay_rand_add reading that data at all. In other words, they've assigned the blame for the valgrind warning to the code that performs the read, rather than the code that fails to do a write.

5) Kurt then mails openssl-dev about it, and gets a positive reaction from a member of the development team. openssl-dev is the address the README told you to use:

Development is coordinated on the openssl-dev mailing list (see
http://www.openssl.org for information on subscribing). If you
would like to submit a patch, send it to openssl-dev@openssl.org with
the string "[PATCH]" in the subject. Please be sure to include a
textual explanation of what your patch does.

6) Kurt makes his proposed changes and uploads the new package.

Henceforth anyone who installs this tainted OpenSSL suffers two problems. Firstly there is no longer adequate diversity of keys generated with it. Secondly if they make any DSA signatures, they risk exposing the value of the private key.

(You might want to rethink how much you rely on DSA in the light of this; requiring a source of cryptographic-strength random numbers for key generation is fair enough but additionally requiring it for every signature if you don't want to expose your private key seems a little on the risky side!)

7) Luciano Bello spots the problem. The bug gets fixed and a DSA (Debian Security Advisory) is issued. There's a great deal of informed and uninformed comment online. A number of people blame me, assuming that the only patch that appears in the bug report is the faulty one, and not bothering to check either what it does or what the actual change was. Obviously this does not make me happy.

(There's a lot of great work done by various people to clean up the mess, too.)

8) Ben Laurie complains that vendors are bad for security.

There's some truth in there: people should indeed not try to change code they don't understand, and coordinating with the people who maintain it is an obvious way to avoid pitfalls. However, Kurt did mail the advertized address, and did get a response from a member of the OpenSSL development team, so even though he screwed up, this safety net failed dismally too.


Some people have criticized the original motivation for any change as putting debugging ahead of security. Not only is this not true - the original change had no impact on security - but it is completely wrong-headed: in general software that is harder to debug is software that is harder to secure, and in particular the kind of bugs valgrind is good at spotting are just the kind that may turn out to be security holes.
