Testing Oracle Solaris 11 Express

I've been testing Oracle Solaris 11 Express recently. For those who don't remember it, Oracle acquired Sun Microsystems :rip: and killed OpenSolaris :rip: with no official statement; the only information about the process was a leaked internal note (I leave it to you to decide whether that leakage was real, and whether it was intentional or not).

Solaris 11 Express is what remains of OpenSolaris after Oracle decided how they should move forward with it.

The immediate change you may notice if you want to download and test it is that the license has changed, and that you are not allowed to download it unless you explicitly accept the license. To my knowledge, the license allows you to use it for free for personal use; otherwise you need to buy some sort of support. I didn't investigate this further because, well, I am interested in it for personal use at the moment. Why? Well, many reasons. …

Building a Xen firewall with Firewall Builder

Original post date: March 30th, 2011
Updated: April 4th, 2011 (missing rule in prolog)

It's a kind of a problem to manage a firewall for a Xen dom0 with Firewall Builder. Xen itself adds forwarding rules when starting a virtual machine, and these rules are wiped away when the fwbuilder scripts install theirs, which is unfortunate.

Summing up everything, the final plan was to install a firewall on dom0, which should a) forward to the VM the packets originating outside and directed to them (and back), and b) protect the dom0 itself.

It took me some time, experiments and advice to get it right, and here's how. …

/proc/sys/net/ipv4/conf/all (and source routing in particular)

I was trying to find out if certain Linux machines allowed source routing or not. To do this, it should be enough to just take a peek into /proc/sys/net/ipv4/conf/*/accept_source_route. But, as it seems, the results are contradictory. Look at what I have on my workstation:

root@brabham:/proc/sys/net/ipv4/conf# for IF in * ; do echo -n "$IF: " ; cat $IF/accept_source_route ; done
all: 0
default: 1
eth0: 1
lo: 1
vboxnet0: 1

Now, if you look up how the settings in the "all" directory actually work, you'll see that few talk about that, and those who do don't give much detail. This always rings a bell in my head, as it is a symptom that nobody actually knows exactly how it works, and those who do just don't write enough 🙂 E.g., a source writes:

The /proc/sys/net/ipv4/conf/ directory allows each system interface to be configured in different ways, including the use of default settings for unconfigured devices (in the /proc/sys/net/ipv4/conf/default/ subdirectory) and settings that override all special configurations (in the /proc/sys/net/ipv4/conf/all/ subdirectory).

Now, the last sentence does not make sense if you read it carefully, because that would make the per-interface subdirectories useless. In fact, if this was really the case, you could not, e.g., accept source routing on one interface and disable it on all the others, because the value in "all" would have priority.

So after some research I tried asking the most Linux-informed person I know, one that I can safely mention without having to check the sources. And he told me that the "all" subdirectory was born as a shortcut to help change the configuration on all interfaces simultaneously, but then evolved in an incoherent fashion, to the point that different settings work in different ways (e.g.: one setting in "all" may override the per-interface setting, while others will do a boolean OR between "all" and the interface-specific value, while others again will do an AND). If you want to know how it goes in a specific case, you need to read the kernel code.

OK, now I have the confirmation that /proc/sys/net/ipv4/conf/*/accept_source_route is a minefield, but I did not make a step forward. In my specific case, that is the accept_source_route setting, how does it work?

Well, it turns out that it's a logical AND between "all" and the interface-specific value. Good to know.

Thanks Francesco 😉
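The AND rule described above can be applied mechanically to get the value that really counts on each interface. The following is an added example, not part of the original post: the function names and the root-directory parameter are hypothetical, and the sample tree is constructed to reproduce the values listed earlier.

```shell
#!/bin/sh
# Added example: resolve the effective accept_source_route value per
# interface as ("all" AND interface value), per the rule stated in the post.

# effective_source_route ROOT IFACE
# Prints 1 if source-routed packets would be accepted on IFACE, else 0.
# Returns 2 when either sysctl file is missing or unreadable.
effective_source_route() {
  root=$1 iface=$2
  all_file="$root/all/accept_source_route"
  if_file="$root/$iface/accept_source_route"
  [ -r "$all_file" ] && [ -r "$if_file" ] || return 2
  all_val=$(cat "$all_file")
  if_val=$(cat "$if_file")
  if [ "$all_val" -ne 0 ] && [ "$if_val" -ne 0 ]; then
    echo 1
  else
    echo 0
  fi
}

# audit_source_route [ROOT]
# Prints "iface raw=N effective=N" for every real interface. "all" and
# "default" are skipped: they are a switch and a template, not interfaces.
audit_source_route() {
  root=${1:-/proc/sys/net/ipv4/conf}
  for dir in "$root"/*/; do
    iface=$(basename "$dir")
    case $iface in all|default) continue ;; esac
    eff=$(effective_source_route "$root" "$iface") || continue
    raw=$(cat "$dir/accept_source_route")
    echo "$iface raw=$raw effective=$eff"
  done
}

# make_sample_tree: constructed copy of the values shown in the post
# (all=0, everything else=1); prints the temporary directory it created.
make_sample_tree() {
  tmp=$(mktemp -d)
  for pair in all:0 default:1 eth0:1 lo:1 vboxnet0:1; do
    mkdir -p "$tmp/${pair%%:*}"
    echo "${pair##*:}" > "$tmp/${pair%%:*}/accept_source_route"
  done
  echo "$tmp"
}
```

Calling `audit_source_route` with no argument reads the live /proc tree; on the values shown above every interface reports effective=0, because "all" is 0.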

locales and Ubuntu 10.10

Today, during an upgrade of my workstation's 10.10, I noticed that a lot of unneeded EN locales were being generated, and I wanted to get rid of them. Coming from a Debian background, I confidently ran dpkg-reconfigure locales, but instead of getting the usual interface I got:

root@brabham:~# dpkg-reconfigure --priority=low locales
Generating locales...
  en_AG.UTF-8... up-to-date
  en_AU.UTF-8... up-to-date
  en_BW.UTF-8... up-to-date
  en_CA.UTF-8... up-to-date
  en_DK.UTF-8... up-to-date
  en_GB.UTF-8... up-to-date
  en_HK.UTF-8... up-to-date
  en_IE.UTF-8... up-to-date
  en_IN.UTF-8... up-to-date
  en_NG.UTF-8... up-to-date
  en_NZ.UTF-8... up-to-date
  en_PH.UTF-8... up-to-date
  en_SG.UTF-8... up-to-date
  en_US.UTF-8... up-to-date
  en_ZA.UTF-8... up-to-date
  en_ZW.UTF-8... up-to-date
  it_CH.UTF-8... up-to-date
  it_IT.UTF-8... up-to-date
Generation complete.

Odd, isn't it? Well, it turns out that, in order to get rid of the locales you don't want, you have to manually change the files in /var/lib/locales/supported.d. Oh, dear…

OK, Canonical claims to create "Linux for the human beings". I partially agree with that. But I would like to know how removing the ncurses interface to locales could possibly make the system simpler. I mean: "common" users just won't care if they have 100 locales instead of 10, so it doesn't matter for them. We "advanced users" can edit plain text files, for sure, but is that a good reason to remove a convenient interface from the system?

Ubuntu really puzzles me sometimes…

Renaming digital photos, time-wise

It happens sometimes… or at least: it happened to me, and maybe it happened to you also 🙂 Well, anyway, it happens that you get a number of digital photos from different people, and of course their filenames don't match their chronological order. Is it possible to rename the files so that they can help sort this mess? Well, it is!

First, you need a small command line utility called exif. I assume you have an idea of what EXIF is.

With this command it is really easy to extract EXIF information from a digital photo, for example the date you took the photo:

$ exif -t 0x9003 LD2K10_005.JPG
EXIF entry 'Data e ora (dati originali)' (0x9003, 'DateTimeOriginal') exists in IFD 'EXIF':
Tag: 0x9003 ('DateTimeOriginal')
  Format: 2 ('Ascii')
  Components: 20
  Size: 20
  Value: 2010:10:23 08:29:01

We have all the information we need, and maybe more. Now we need to get the information in the Value field, mangle it to a more "filename-friendly" format, and rename the file. And it's not that hard:

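for FILE in *.JPG
do
  # DateTimeOriginal (tag 0x9003): "2010:10:23 08:29:01" becomes "20101023-082901"
  NEW=$(exif -t 0x9003 "$FILE" | awk '/Value/' | sed -e 's/^  Value: //' -e 's/://g' -e 's/ /-/')
  # Skip files without the tag instead of renaming them to "-$FILE"
  [ -n "$NEW" ] || continue
  NEW="$NEW-$FILE"
  mv -v -- "$FILE" "$NEW"
done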

The snippet above actually fits in a one-liner:

for FILE in *.JPG ; do NEW=$(exif -t 0x9003 "$FILE" | awk '/Value/' | sed -e 's/^  Value: //' -e 's/://g' -e 's/ /-/') ; [ -n "$NEW" ] || continue ; NEW="$NEW-$FILE" ; mv -v -- "$FILE" "$NEW" ; done

Good luck!

Activating XDMCP in Ubuntu (Karmic)

Once upon a time, there was a small program called gdmsetup that allowed you to fully set-up the graphical login manager. For reasons that it would be too long to explain here, I wanted to enable the XDMCP protocol in my workstation's gdm and… surprise: gdmsetup now is just a single, small, almost useless window…

So, Ubuntu being the "Linux for human beings", how are human beings supposed to enable XDMCP? Editing a configuration file, like we old people used to do. Perfect!!! Let's check: /etc/gdm contains a custom.conf that is the place where you are supposed to write your custom configurations. Ah, it references a sample file, good! What? It doesn't exist??? 😦 And no useful man page?

OK, I have no problem with configuring services by editing a configuration file, that's what I do for a living after all 😉 But what about leaving some documentation around to let us human beings learn what to do? Must we really trust Google for things that the Operating System itself should provide?

By the way, it turns out that the [xdmcp] section in custom.conf should look like this:

[xdmcp]
Enable=true
DisplaysPerHost=2

Thanks peppertop, thanks Google, and… $ubuntu-- 😦

Update: It turns out that I am very lucky that I was running Ubuntu Karmic, since the GDM that ships with Lucid doesn't support XDMCP at all…

I am starting to investigate my new Linux distro of choice…

Increasing filesystem quotas on Linux

WOW! It had been ages since I did any quota management on Linux!!! But I needed to today, so a short review was needed.

First, as root I had to check what my quotas looked like:

# quota -u bronto ; echo $?
Disk quotas for user bronto (uid 1158): 
     Filesystem  blocks   quota   limit   grace   files   quota   limit   grace
/dev/mapper/homes-home
                5089700* 5000000 7000000   6days     309       0       0        
1

Oh, man! Look at that "*" and that return code of "1"! I really was over quota (by chance, that was the soft limit only). I needed to increase it, so I checked the man page and did some dry runs with quotatool. After a few attempts, this line looked fine:

# quotatool -n -b -u bronto -q +2000000 -l +2000000 /home

Running it again without the "-n" showed no error, and running the quota command again confirmed everything was now fine:

# quotatool -b -u bronto -q +2000000 -l +2000000 /home
# quota -u bronto
Disk quotas for user bronto (uid 1158): 
     Filesystem  blocks   quota   limit   grace   files   quota   limit   grace
/dev/mapper/homes-home
                5089700  7000000 9000000             309       0       0        

Good, now I have some more space for my backups, and also a blog post to refer to when I have to increase it again in 10 years 😉