Systems administration archived articles


Military and Security and Systems administration – 15 Jun 2013 at 9:28 by Jean-Marc Liotier

In a message I got through Glyn Moody, Mikko Hypponen noticed this claim from German intelligence agencies :

„Ist die eingesetzte Technik auch in der Lage, verschlüsselte Kommunikation (etwa per SSH oder PGP) zumindest teilweise zu entschlüsseln und/oder auszuwerten?“

„Ja, die eingesetzte Technik ist grundsätzlich hierzu in der Lage, je nach Art und Qualität der Verschlüsselung“

My rough translation of these sentences of the article he linked :

„Are the current techniques capable of at least partially deciphering encrypted communications such as SSH or PGP ?“

„Yes, the current techniques are basically capable of that, depending on the type and quality of the encryption“

Of course, the weakness of weak keys is not exactly news… But it is always interesting when major threats brag about it openly – so this is nevertheless a pretty good refresher to remind users to choose the most current algorithms at decent key length and expire old keys in due time.

It is also a reminder that today’s cyphers will be broken tomorrow: encryption is ephemeral protection… Secret communications require forward secrecy & anonymity – for example, XMPP chat may use a server available as a Tor hidden service, with the clients using Off The Record messaging.

Meta and Systems administration – 28 May 2013 at 15:25 by Jean-Marc Liotier

I fixed the comments form today – it had been inoperative for two months. Thanks to Loïc for reporting the malfunction – fixing a problem is usually not difficult as long as someone reports it… If you like the software you use, reporting problems is an easy and doubly self-gratifying way to give back : good bug reports are not only valuable contributions for altruistic reasons, they are also rewarded by improvements !

Anyway, this is yet another lesson in keeping WordPress plugins up to date – or maybe a hint that more WordPress plugins really should be packaged in my favorite distribution

Systems administration – 02 Mar 2013 at 11:27 by Jean-Marc Liotier

Chrome isolates the content of each domain’s tabs in a separate process – which lets the user manage each of them with the operating system’s native process management tools. Firefox does not – so when it starts hogging 100% CPU, users are clueless.

Among the usual suspects is Flash, but Flash is innocent on my workstation’s Iceweasel : I entirely removed any Flash interpreter from it and I am now clean from this filth.

Next in the suspect row is misbehaving Javascript, unless you are my friend Lerouge and surf with NoScript buttoned-up. But how to identify it ?

As I expected, the answer was awaiting me among debugging tools – but it took longer than I estimated because it lay in the misleadingly named Javascript Deobfuscator extension… It does deobfuscate somewhat but as a commenter suggested it should really be named Javascript Execution Monitor because its major value addition is actually telling you what runs and when.

In the Javascript Deobfuscator dialog’s second tab, watch the “Number of calls” field – that is all you need. It is not a direct measure of CPU usage, but a close enough proxy : find the function with a runaway number of calls and you will likely have caught the culprit.

And that’s it – Iceweasel’s CPU usage is back to near zero, where it belongs. In my case, among the ocean of open tabs in my virtual desktop’s many open windows, the culprit was this page to whose incompetence I grant some Pagerank as a token of appreciation for having led me to discover a solution to this problem !

Now, what I would love the Javascript Deobfuscator to acquire is a list of the top call rates, by page and by script – updated every second. Make that a separate extension and call it the Javascript Execution Monitor !

Networking & telecommunications and Systems administration and Unix – 06 Jun 2012 at 11:48 by Jean-Marc Liotier

Today is IPv6 party time so let’s celebrate with a blog post !

Reliable IPv6 connectivity is no longer just nice to have – it is a necessity. If your Internet access provider still does not offer proper native IPv6 connectivity, your next best choice is to use an IPv4 tunnel to an IPv6 point of presence. It works and on the client side it only requires this sort of declaration in /etc/network/interfaces :

auto ipv6-tunnel-he
iface ipv6-tunnel-he inet6 v4tunnel
  address 2001:170:1f12:425::2
  netmask 64
  endpoint 216.66.84.42
  gateway 2001:170:1f12:425::1

Of course, the same sort of configuration is required at the other endpoint – which means that, among other parameters, you must inform the IPv6 tunnel server of the IPv4 address of the client endpoint. Hurricane Electric, my tunnel broker, lets me do that manually through its web interface – which is fine for a static configuration done once, but inadequate if your Internet access provider won’t supply you with a static IPv4 address. By the way, even if, after a few weeks of use, you believe you have a static address, you might just have a dynamic address with a rather long DHCP lease…

But Hurricane Electric also provides a primitive HTTP API that lets you inform the tunnel broker of IPv4 address changes – that is all we need to do it automatically every time our Internet access goes up. Adding this wget command to the uplink configuration stanza in /etc/network/interfaces does the trick :

auto eth3
iface eth3 inet dhcp
  up wget -O /dev/null https://USERNAME:PASSWORD@ipv4.tunnelbroker.net/ipv4_end.php?tid=34764

That’s it – you now can count on IPv6 connectivity, even after a dynamic IPv4 address change.

And after you are done, go test your IPv6 configuration and your IPv6 throughput !
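
An added example, not part of the original post: the same tunnel broker update, with USERNAME and PASSWORD kept out of /etc/network/interfaces and off the wget command line, where they are exposed to anyone who can read that file or the process list. The wgetrc path, the install path and the function names are assumptions; the URL is the one from the stanza above.

```sh
#!/bin/sh
# Added example (not the author's configuration).
# Assumed credentials file, owned by root and chmod 600, containing:
#   user = USERNAME
#   password = PASSWORD

TB_URL='https://ipv4.tunnelbroker.net/ipv4_end.php?tid=34764'   # from the post
TB_WGETRC=${TB_WGETRC:-/etc/tunnelbroker.wgetrc}                # assumed path

# Succeeds only if FILE is a regular file (not a symlink) that grants no
# permission bits to group or other.
creds_file_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    perms=$(ls -ld -- "$1" | cut -c5-10)    # group and other bits of the mode
    [ "$perms" = "------" ]
}

# Notify the tunnel broker of the current IPv4 endpoint. wget reads the
# user and password settings from the file named by WGETRC, so they appear
# neither in argv nor in /etc/network/interfaces.
tb_update() {
    if ! creds_file_private "$TB_WGETRC"; then
        echo "refusing: $TB_WGETRC is missing or readable by group/other" >&2
        return 1
    fi
    WGETRC=$TB_WGETRC wget -q -O /dev/null "$TB_URL"
}

# The uplink stanza then only needs (assumed install path):
#   iface eth3 inet dhcp
#     up /usr/local/sbin/tb-update run
case ${1:-} in
    run) tb_update ;;
esac
```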

Debian and Networking & telecommunications and Systems administration and Unix – 17 Oct 2011 at 11:03 by Jean-Marc Liotier

I just wanted to create an Apache virtual host responding to queries only over IPv6. That should have been most trivial considering that I had already been running a dual-stacked server, with all services accessible over both IPv4 and IPv6.

Following the established IPv4 practice, I set upon configuring the virtual host to respond only to queries directed to a specific IPv6 address. That is done by inserting the address in the opening of the VirtualHost stanza : <VirtualHost [2001:470:1f13:a4a::1]:80> – same as an IPv4 configuration, but with brackets around the address. It is simple and after adding an AAAA record for the name of the virtual host, it works as expected.

I should rather say it works even better than expected : all sub-domains of the second-level domain I’m using for this virtual host are now serving the same content that the new IPv6-only virtual host is supposed to serve… Ungood – cue SMS and mail from pissed-off users and a speedy rollback of the changes; the joys of cowboy administration in a tiny community-run host with no testing environment. As usual, I am not the first user to fall into the trap. Why Apache behaves that way with an IPv6-only virtual host is beyond my comprehension for now.

Leaving aside the horrible name-based hack proposed by a participant in the Sixxs thread, the solution is to give each IPv6-only virtual host its own IPv6 address. Since this server has been allocated a /64 subnet yielding it 18,446,744,073,709,551,616 addresses, that’s quite doable, especially since I can trivially get a /48 in case I need 1,208,925,819,614,629,174,706,176 more addresses. Remember when you had to fill triplicate forms and fight a host of mounted trolls to justify the use of just one extra IPv4 address ? Yes – another good reason to love IPv6 !

So let’s add an extra IPv6 address to this host – another trivial task : just create an aliased interface, like :

auto eth0:0
iface eth0:0 inet6 static
    address 2001:470:1f13:a4a::1
    netmask 64
    gateway 2001:470:1f12:a4a::2

The result :

SIOCSIFFLAGS: Cannot assign requested address
Failed to bring up eth0:0.

This is not what we wanted… You may have done it dozens of times in IPv4, but in IPv6 your luck has run out.

Stop the hair pulling right now : this unexpected behavior is a bug – this one is documented in Ubuntu, but I confirm it is also valid on my mongrel Debian system. Thanks to Ronny Roethof for pointing me in the right direction !

The solution : declare the additional address in a post-up command of the main IPv6 interface (and don’t forget to add the post-down command to keep things clean) :

auto he-ipv6
iface he-ipv6 inet6 v4tunnel
    address 2001:470:1f12:a4a::2
    netmask 64
    endpoint 216.66.84.42
    local 212.85.152.17
    gateway 2001:470:1f12:a4a::1
    ttl 64
    post-up ip -f inet6 addr add 2001:470:1f13:a4a::1 dev he-ipv6
    pre-down ip -f inet6 addr del 2001:470:1f13:a4a::1 dev he-ipv6

And now the IPv6-only virtual host serves as designed and the other virtual hosts are not disturbed. The world is peaceful and harmonious again – except maybe for that ugly post-up declaration in lieu of declaring an aliased interface the way the Unix gods intended.

All that just for creating an IPv6 virtual host… Systems administration or sleep ? Systems administration is more fun !

Free software and Mobile computing and Systems administration and Technology and Unix – 09 Aug 2011 at 11:17 by Jean-Marc Liotier

Oh noes – I’m writing about a Google product, again. The omnipresence of the big G in my daily environment is becoming a bit excessive, so I’m stepping up my vigilance about not getting dependent on their services – though I don’t mind them knowing everything about me. In that light, acquiring another Android communicator may not seem logical, but I’m afraid that it is currently the choice of reason : I would have paid pretty much any price for a halfway decent Meego device, but Nokia’s open rejection of its own offspring is just too disgusting to collude with. The Openmoko GTA04 is tempting, but it is not yet available and I need a device right now.

Android does not quite mean I have to remain attached to the Google tit : thanks to CyanogenMod there is now an Android distribution free of Google applications – and it also offers a variety of features and enhancements… Free software is so sweet !

As a bonus, CyanogenMod is also free of the hardware manufacturer’s pseudo-improvements or the carrier’s dubious customizations – those people just can’t keep themselves from mucking with software… Please keep to manufacturing hardware and providing connectivity – it is hard enough to do right that you don’t have to meddle and push software that no one wants !

So when I went shopping for a new Android device after my one year old daughter disappeared my three year-old HTC Magic, I made sure that the one I bought was compatible with CyanogenMod. I chose the Motorola Defy because it is water-resistant, somewhat rugged and quite cheap too. By the way, I bought it free from access provider SIM lock – more expensive upfront, but the era of subsidized devices is drawing to an end and I’m going to enjoy the cheaper subscriptions.

On powering-on the Defy, the first hurdle is to get past the mandatory Motoblur account creation – not only does Motorola insist on foisting its fat supplements on you, but it won’t let you access your device until you give it an email address… In case I was not already convinced that I wanted to get rid of this piece of trash, that was a nice reminder.

This Defy was saddled with some Android 2.2.2 firmware – I don’t remember the exact version. I first attempted to root it using Z4root, but found no success with that method. Then I tried with SuperOneClick and it worked, after some fooling around to find that USB debugging must not be enabled until after the Android device is connected to the PC – RTFM ! There are many Android rooting methods – try them until you find the one that works for you : there is much variety in the Android ecosystem, so your mileage may vary.

Now that I have gained control over a piece of hardware that I bought and whose usage should therefore never have been restricted by its manufacturer in the first place, the next step is to put CyanogenMod on it. Long story short : I fumbled with transfers and Android boot loader functionalities that I don’t yet fully understand, so I failed and bricked my device. In the next installment of this adventure, I’m sure I’ll have a nice tale of success to tell you about – meanwhile this one will be a tale of recovery.

This brick situation is a Motorola Defy with blank screen and a lit white diode on its front. The normal combination of the power and volume keys won’t bring up the boot loader’s menu on start. But thanks to Motorola’s hardware restrictions designed to keep the user from modifying the software, the user is also kept from shooting himself in the foot and the Defy is only semi-bricked and therefore recoverable. Saved by Motorola’s hardware restrictions… Every cloud has a silver lining. But had the device been completely open and friendly to alien software, I would not have had to hack at it in the first place, I would not have bricked it and there would have been no need for saving the day – so down with user-hostile hardware anyway !

With the Motorola Defy USB drivers installed since the SuperOneClick rooting, I launched RSD lite 4.9 which is the Motorola utility for flashing Motorola Android devices. Here is the method for using RSD lite correctly. RSD lite immediately recognized the device connected across the USB cord. The trick was finding a suitable firmware in .sbf format. After a few unsuccessful attempts with French Android versions, I found that JRDNEM_U3_3.4.2_117-002_BLUR_SIGN_SIGNED_USAJRDNEMARAB1B8RTGB035.0R_USAJRDNFRYORTGB_P003_A002_HWp3_Service1FF worked fine and promptly booted me back to some factory default – seeing the dreaded Motoblur signup screen was actually a relief, who would have thought ?

After re-flashing with RSD Lite, I found that there is a Linux utility for flashing Motorola Android devices : sbf_flash – that would have saved me from borrowing my girlfriend’s Windows laptop… But I would have needed it for SuperOneClick though – isn’t it strange that support tools for Android are Windows-dependent ?

With CyanogenMod in place, my goal will be to make my personal information management system as autonomous as possible – for example I’ll replace Google Contacts synchronization with Funambol. CyanogenMod is just the starting point of trying to make the Android system somewhat bearable – it is still the strange and very un-Unixy world of Android, but is a pragmatic candidate for mobile software freedom with opportunities wide open.

But first I have to successfully transfer it to my Android device’s flash memory… And that will be for another day.

If you need further information about hacking Android devices, great places are Droid Forums and the XDA-Developers forum – if you don’t go directly, the results of your searches will send you there anyway.

Systems administration – 02 Mar 2011 at 22:13 by Jean-Marc Liotier

Today I landed my mandatory corporate Windows laptop at a desk supporting a nice 24″ monitor. Willing to take advantage of the available extra display real estate, I plug the DE-15F cable into the laptop’s D-subminiature video port and proceed to set the extra monitor’s resolution in the “Settings” tab of the “Display Properties” dialog. Alas 1280×800 pixels is the most I can set – it is the laptop’s main display’s resolution and it is far below the 1920×1200 pixels the secondary display is capable of. Shutting off and on the monitor, disconnecting and reconnecting the cable on the laptop’s port, putting the laptop to sleep and even rebooting… Nothing worked : it seemed that the system was not detecting the monitor properly and chose to handle it with some sort of default resolution. I even uninstalled the operating system’s monitor drivers – with no visible result.

Suspecting a hardware problem I decided to check all the connections. A quarter of a century of experience has taught me that connections are the most frequent cause of incidents. I reseated and properly screwed the cable to the monitor… And I was mildly surprised to see the display properties settings tab let me choose the monitor’s nominal resolution at last. My instincts had been vindicated.

What happened was a loose VGA cable. All the pins necessary for display were making contact, but some of the ones necessary for plug’n’pray detection were not. Mere visual inspection could not have found that – only reseating the connector makes the problem evident by solving it. I’m not sure I would be able to misconnect the cable just right to reproduce this situation if I wanted to…

And that’s how I learned about Display Data Channel, a collection of digital communication protocols between a computer display and a graphics adapter that enables the display to communicate its supported display modes to the adapter. I’m sure you won’t resist following this link to learn about DDC1, DDC2, DDC/CI and E-DDC to understand some basic technology working in the shadows, taken for granted until it stops functioning…

Code and Free software and Networking & telecommunications and Systems administration and Unix – 01 Mar 2011 at 20:06 by Jean-Marc Liotier

I loathe Facebook and its repressive user-hostile policy that provides no value to the rest of the Web. But like that old IRC channel known by some of you, I keep an account there because some people I like & love are only there. I seldom go to Facebook unless some event, such as a comment on one of the posts that I post there through Pixelpipe, triggers a notification by mail. I would like to treat IRC that way: keeping an IRC application open and connected is difficult when mobile or when using the stupid locked-down mandatory corporate Windows workstation, and I’m keen to eliminate that attention-hogging stream from my environment – especially when an average of two people post a dozen lines a day, most of which are greetings and mealtime notifications. But when a discussion flares up there, it is excellent discussion… And you never know when that will happen – so you need to keep an eye on the channel. Let’s delegate the watching to some automation !

So let me introduce you to my latest short script : bipIRCnickmailnotify.sh – it sends IRC log lines by mail when a specific string is mentioned by other users. Of course in the present use case I set it up to watch for occurrences of my nickname, but I could have set it to watch any other string. The IRC logging is done by the bip IRC proxy that among other things keeps me permanently present on my IRC channels of choice and provides me with the full backlog whenever I join with a regular IRC client.

This Unix shell script also uses ‘since’ – a Unix utility similar to ‘tail’ that unlike ‘tail’ only shows the lines appended since the last execution. I’m sure that ‘since’ will come in handy in the future !

So there… I no longer have to monitor IRC – bipIRCnickmailnotify.sh does it for me.

With trivial modification and the right library it could soon do XMPP notifications too – send me an instant message if my presence is ‘available’ and mail otherwise. See you next version !
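
The technique described in this post, as an added sketch that is not the author's bipIRCnickmailnotify.sh: one function reports only what was appended to a log since the last run, another keeps the lines where someone else mentions the nickname. The log line format (sender written as `< nick!user@host:`), the nickname `mynick` and the sample lines are assumptions constructed for the example.

```sh
#!/bin/sh
# Added example; function names and log format are assumptions.

# Print what was appended to LOG since the previous call (the job since(1)
# does for the script in the post). STATE holds the byte offset already seen;
# if LOG shrank (rotation, truncation) reading restarts from the beginning.
new_since() {
    log=$1; state=$2
    size=$(wc -c < "$log" | tr -d ' ')
    last=0
    if [ -f "$state" ]; then last=$(cat "$state"); fi
    case $last in ''|*[!0-9]*) last=0 ;; esac      # unusable state file
    if [ "$last" -gt "$size" ]; then last=0; fi
    # head bounds the read at the size just measured, so lines arriving
    # during this call are reported by the next one instead of twice.
    tail -c "+$((last + 1))" "$log" | head -c "$((size - last))"
    printf '%s\n' "$size" > "$state"
}

# Keep lines whose message text mentions NICK and whose sender is not NICK.
# A plain grep for the nick would also match the user's own lines.
mentions_by_others() {
    awk -v nick="$1" '
        BEGIN { want = tolower(nick) }
        {
            s = index($0, " < ");  if (!s) next      # not an incoming message
            rest = substr($0, s + 3)
            b = index(rest, "!");  c = index(rest, ": ")
            if (!b || !c || b > c) next               # no sender field found
            sender = tolower(substr(rest, 1, b - 1))
            msg    = tolower(substr(rest, c + 2))
            if (sender != want && index(msg, want)) print
        }'
}

# Constructed sample log; a cron job would pipe the result to mail(1)
# whenever it is non-empty.
dir=$(mktemp -d)
cat > "$dir/chan.log" <<'EOF'
01-03-2011 20:00:01 < alice!a@example.net: lunch anyone ?
01-03-2011 20:00:05 < bob!b@example.net: mynick, did you see the IPv6 thread ?
01-03-2011 20:00:09 < mynick!me@example.net: mynick is my own nick
EOF
new_since "$dir/chan.log" "$dir/state" | mentions_by_others mynick
rm -rf "$dir"
```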

Networking & telecommunications and Security and Systems administration – 07 Feb 2011 at 13:04 by Jean-Marc Liotier

I work for a very large corporation. That sort of company is not inherently evil, but it is both powerful and soulless – a dangerous combination. Thus when dealing with it, better err on the side of caution. For that reason, all of my browsing from the obligatory corporate Microsoft Windows workstation is done through an SSH tunnel established using PuTTY to a trusted host and used by Mozilla Firefox as a SOCKS proxy. If you do that, don’t forget to set network.proxy.socks_remote_dns to true so that you don’t leak queries to the local DNS server.

In addition to the privacy benefits, a tunnel also gets you around the immensely annoying arbitrary filtering or throttling of perfectly reasonable sites which mysterious bureaucracies add to opaquely managed exclusion lists used by censorship systems. The site hosting the article you are currently reading is filtered by the brain-damaged Websense filtering gateway as part of the “violence” category – go figure !

Anyway, back on topic – this morning my browsing took me to Internode’s IPv6 site and to my great surprise I read “Congratulations! You’re viewing this page using IPv6 ( 2001:470:1f12:425::2 ) !!!!!”. A quick visit to the KAME turtle confirmed : the turtle was dancing. The surprising part is that our office LAN is IPv4 only and the obligatory corporate Microsoft Windows workstation has no clue about IPv6 – how could those sites believe I was connecting through IPv6 ? A quick ‘dig -x 2001:470:1f12:425::2’ cleared the mystery : the reverse DNS record reminded me that this address is the one my trusted host gets from Hurricane Electric’s IPv6 tunnel server.

So browsing through a SOCKS proxy backed by an SSH tunnel to a host with both IPv4 and IPv6 connectivity will use IPv6 by default and IPv4 if no AAAA record is available for the requested address. This behaviour has many implications – good or bad depending on how you look at it, and fun in any case. As we are all getting used to IPv6, we are going to encounter many more surprises such as this one. From a security point of view, surprises are of course not a good thing.

All that reminds me that I have not yet made this host available through IPv6… I’ll get that done before the World IPv6 Day which will come on 8th June 2011 – a good motivating milestone !

Brain dump and Debian and Free software and Systems administration and Unix – 17 Nov 2010 at 19:54 by Jean-Marc Liotier

On Identi.ca I stumbled upon this dent by @fabsh quoting @nybill : “Linux was always by us, for us. Ubuntu is turning it into by THEM, for us”.

It definitely relates to my current feelings.

When I set up an Ubuntu host, I can’t help feeling like I’m installing some piece of proprietary software. Of course that is not the case : Ubuntu is (mostly) free software and as controversial as Canonical’s ambitions, inclusion of non-free software or commercial services may be, no one can deny its significant contributions to the advancement of free software – making it palatable to the desktop mass market not being the least… I’m thankful for all the free software converts that saw the light thanks to Ubuntu. But nevertheless, in spite of all the Ubuntu community outreach propaganda and the involvement of many volunteers, I’m not feeling the love.

It may just be that I have not myself taken the steps to contribute to Ubuntu – my own fault in a way. But as I have not contributed anything to Debian either, aside from supporting my fellow users, religiously reporting bugs and spreading the gospel, I still feel like I’m part of it. When I install Debian, I have a sense of using a system that I really own and control. It is not a matter of tools – Ubuntu is still essentially Debian and it features most of the tools I’m familiar with… So what is it ? Is it an entirely subjective feeling with no basis in consensual reality ?

It may have something to do with the democratic culture that infuses Debian whereas in spite of Mark Shuttleworth’s denials and actual collaborative moves, he sometimes echoes the Steve Jobs ukase style – the “this is not a democracy” comment certainly split the audience. But maybe it is an unavoidable feature of his organization: as Linus Torvalds unapologetically declares, being a mean bastard is an important part of the benevolent dictator job description.

Again, I’m pretty sure that Mark Shuttleworth means well and there is no denying his personal commitment, but the way the whole Canonical/Ubuntu apparatus communicates is arguably top-down enough to make some of us feel uneasy and prefer going elsewhere. This may be a side effect of trying hard to show the polished face of a heavily marketed product – and thus alienating a market segment from whose point of view the feel of a reassuringly corporate packaging is a turn-off rather than a selling point.

Surely there is more about it than the few feelings I’m attempting to express… But anyway – when I use Debian I feel like I’m going home.

And before you mention I’m overly critical of Ubuntu, just wait until you hear my feelings about Android… Community – what community ?

Systems administration – 23 Sep 2010 at 11:27 by Jean-Marc Liotier

This just cost me twenty minutes of hair pulling and from the number of unanswered forum and mailing lists mentions of this “Lost connection to MySQL server during query” error in the context of remote access through an SSH tunnel, posting the solution seems useful.

Letting mysqld listen to the outside is a security risk – and an unnecessary one for the common LAMP setup on which the applications are executed on the same server as the database server. As a result, many MySQL servers are configured with the “skip-networking” option which prevents them from listening for TCP/IP connections at all. Local communication is still possible through the mysql.sock socket.

Nowadays, communicating through local sockets is rather rare – connecting locally is usually done through the TCP/IP stack which is less efficient but more flexible. So the naive user who expects TCP/IP everywhere sets up a tunnel to the MySQL server he usually accesses locally, he provides the right connection parameters to his MySQL client – and on his connection attempt he gets the “Lost connection to MySQL server during query” error.

So – when connecting through an SSH tunnel to a MySQL daemon, you need to make sure that the “skip-networking” option has been removed from /etc/my.cnf.

When the “skip-networking” option is active, network parameters are redundant. But once you remove it, for security’s sake you must make sure that mysqld does not listen to the outside – so check /etc/my.cnf so that the “bind-address” parameter is set as “bind-address = 127.0.0.1”.
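
The check described above, as an added example (not code from the original post): a shell function that reads one my.cnf-style file and reports whether mysqld ends up socket-only, bound to loopback, or reachable from outside, which is the state you land in when “skip-networking” is removed and no “bind-address” is set. It assumes every relevant setting sits in the [mysqld] section of that single file; the function name and sample content are constructed for illustration.

```sh
#!/bin/sh
# Added example: classify how mysqld will accept connections, from the
# [mysqld] section of one my.cnf-style file.
# Prints one of: socket-only | loopback | exposed
mycnf_exposure() {
    awk '
        /^[ \t]*\[mysqld\][ \t]*$/ { in_mysqld = 1; next }
        /^[ \t]*\[/                { in_mysqld = 0; next }   # any other section
        !in_mysqld                 { next }
        /^[ \t]*[#;]/              { next }                  # comment line
        /^[ \t]*$/                 { next }                  # blank line
        {
            line = $0
            sub(/[ \t]*#.*$/, "", line)                # strip a trailing comment
            eq  = index(line, "=")
            key = eq ? substr(line, 1, eq - 1) : line
            val = eq ? substr(line, eq + 1) : ""
            gsub(/[ \t]/, "", key); gsub(/[ \t"]/, "", val)
            gsub(/_/, "-", key)                        # skip_networking is accepted too
            key = tolower(key); val = tolower(val)
            if (key == "skip-networking" &&
                val != "0" && val != "off" && val != "false") skip = 1
            if (key == "bind-address") bind = val
        }
        END {
            if (skip)
                print "socket-only"    # no TCP listener: an SSH tunnel cannot reach it
            else if (bind == "127.0.0.1" || bind == "::1" || bind == "localhost")
                print "loopback"       # reachable through the tunnel only
            else
                print "exposed"        # no loopback bind: listens to the outside
        }
    ' "$1"
}

# Constructed sample: skip-networking has been removed, bind-address not yet added.
sample=$(mktemp)
printf '[mysqld]\nsocket = /var/run/mysqld/mysqld.sock\n' > "$sample"
echo "skip-networking removed only: $(mycnf_exposure "$sample")"
printf 'bind-address = 127.0.0.1\n' >> "$sample"
echo "bind-address added:           $(mycnf_exposure "$sample")"
rm -f "$sample"
```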

Consumption and Security and Systems administration – 09 Apr 2010 at 1:33 by Jean-Marc Liotier

Lexmark stubbornly refuses to make any effort toward providing, or at least letting other people provide, printer drivers for their devices – don’t buy from them if you need support for anything other than their operating system of choice.

After repeatedly acquiring throwaway inkjet printers from Lexmark and repeatedly wondering why my mother’s Ubuntu laptop can’t use them, my father finally accepted my suggestion of studying compatibility beforehand instead of buying on impulse – years of pedagogy finally paid off !

My parents required a compact wireless device supporting printing and scanning from their operating systems – preferably fast and silent, if possible robust and not too unsightly. No need for color, black and white was fine – though I would have pushed them toward color if multifunction laser printing devices capable of putting out colors were not so bulky. Those requirements led us toward the Samsung SCX-4500W.

I connected the Samsung SCX-4500W on one of the Ethernet ports of my parents’ router and went through the HTTP administration interface. The printing controls are extremely basic – but the networking configuration surprised me with a wealth of supported protocols : raw TCP/IP printing, LPR/LPD, IPP, SLP, UPnP, SNMP including SNMP v3, Telnet, email alert on any event you want – including levels of consumables… Anything about printing that I can think of off the top of my head is there. The funniest thing is that neither the product presentation, nor the specification sheet or the various reviews advertise that this device boasts such a rich set of networking features… Demure advertising – now that’s a novel concept !

I set up the printer’s 802.11 wireless networking features, unplugged the Ethernet cable, rebooted the device… And nothing happened. No wireless networking, no error and, when I reconnected the Ethernet cable and got back to the administration interface, the radio networking menu was not even available anymore. After careful verification I could reliably reproduce that behaviour. At that stage, my parents were already lamenting the sorry state of the ever-unreliable modern technology – and most users would have been equally lost.

I pressed on and found that I was not alone in my predicament. User experiences soon led me to the solution : I had configured my parents’ radio network to use WPA with TKIP+AES encryption (the best option available on their access point) but the Samsung SCX-4500W was unable to support that properly. The administration interface’s radio networking menu proposed TKIP+AES but silently failed to establish a connection and seemed to screw the whole radio networking stack. Only setting my parents’ Freebox, and all other devices on the network, to use TKIP only instead of TKIP+AES yielded a working setup with a reachable printer, at the cost of using trivially circumventable security to protect the network’s traffic from intrusion.

Now that is seriously bad engineering : not supporting a desirable protocol is entirely forgivable – but advertising it in a menu, then failing to connect without generating the slightest hint of an error message, and as a bonus wedging the user into an irrecoverable configuration is a grievous sin. I managed to overcome the obstacle, but this is a device aimed at the mass market and I can perfectly understand its target audience’s desire to throw it out of the window.

Once that problem was solved, configuring the clients over the network was a breeze and pages of nice print were soon flying out quickly and silently. In summary, the Samsung SCX-4500W is a stylish printing and scanning device that lives up to its promises – apart from that nasty bug that makes me doubt Samsung’s quality control over its networking features.

Scanning with the Samsung SCX-4500W is another story entirely – it should work with the xerox_mfp SANE backend, but only through USB. For now I have found no hope of having it scan for a Linux host across the network.

Systems administration and Unix – 09 Mar 2010 at 17:18 by Jean-Marc Liotier

Solid state drives provide incredible IOPS compared to hard disks. But the consideration of cost rules them out as primary mass storage. But for most applications you would not consider storing everything in RAM either – yet RAM cache is part of any storage system. Why wouldn’t we take advantage of solid state drives as an intermediary tier between RAM and hard disks ? This reasoning is what hierarchical storage management is about, but Sun took it one step further by integrating it into the file system as ZFS’s Hybrid Storage Pools.

You can read a quick overview of Hybrid Storage Pools in marketing terms, but you will surely find Sun’s Adam Leventhal’s presentation more substantial as a technical introduction. And most impressive are Sun’s Brendan Gregg’s benchmarks showing 5x to 40x IOPS improvement !

Adding SSD to a ZFS storage pool is done at two locations : the ZFS intent-log (ZIL) device and the Second Level Adaptive Replacement Cache (L2ARC). Usually they are set on two separate devices, but Arnaud from Sun showed that they can share a single device just fine.

The ZIL, also known as Logzilla, accelerates small, synchronous writes. It does not require a large capacity. The L2ARC, also known as Readzilla, accelerates reads. For the gory details of how Logzilla and Readzilla work, Sun’s Claudia Hildebrandt’s presentation is a great source.

Creating a ZFS storage pool with one or more separate ZIL devices is dead easy, but you then may want to tune your system for performance. It costs some DRAM to reference the L2ARC, at a rate proportional to record size – between 1/40th and 1/80th of the L2ARC depending on the tuning (I have seen several different estimates) – so don’t set a L2ARC larger than your DRAM affords you.

I hope that this sort of goodness will some day come to Linux through Btrfs, but ZFS provides it right now – and it is Free software too… So I guess that in spite of my religious fervor toward the GPL, my storage server’s next operating system will be a BSD licensed one… Who would have thought ?

Email and Knowledge management and RSS and Social networking and Systems administration and The Web and Unix27 Nov 2008 at 13:17 by Jean-Marc Liotier

Have you tried one more time to convince your parents to switch to web feeds to get updates from the family ? Do you cringe when you see your colleague clumsily wade through a collection of sites’ main pages instead of having them aggregated in a single feed ? Or did your technophobe girlfriend miss the latest photo album you posted ? With a wide variety of sources acknowledging that web feeds and web feed readers are perceived as too technical, many of us have scaled back this particular evangelization effort to focus it on users ripe for transitioning from basic to advanced tools.

Breaking through that resistance outright is beyond our power, but we can get around it. Electronic mail is a mature tool with well understood use cases, with which even the least competent users feel comfortable thanks to how easily it maps to the deeply assimilated physical mail model. This is why Louis Gray has started mailing Google Reader items to promote the use of that web feed reader. But we can do better than that by building a fully automated bridge from web feed to email.

Our hope for plugging the late adopters into the information feeds is named rss2email. As its name suggests, Aaron Swartz’s GPL-licensed rss2email utility converts RSS subscriptions into email messages and sends them to whatever address you specify. Despite the name, it handles Atom feeds as well, so you should be able to use it with just about any feed you like. And of course rss2email is available from Debian.

The nice introduction to rss2email by Joe ‘Zonker’ Brockmeier is all the documentation you need – and rss2email is so simple that you probably don’t even need that. I now have some of my favorite late adopters each plugged into his custom subset of my regular information distribution feeds. The relevant news stories get mailed to them without me having to even think about it. And the best part is that they now read them !
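The feed-to-email conversion that rss2email automates, sketched as an added example (not rss2email’s own code and not from the original post) : it accepts both RSS 2.0 and Atom, remembers which entries were already mailed, and flattens feed-supplied titles before they reach the Subject header, since feed content is untrusted input. The sample feeds, addresses and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from email.message import EmailMessage

ATOM = "{http://www.w3.org/2005/Atom}"

# Constructed sample feeds (not real data). The second RSS title hides a line break.
RSS_SAMPLE = """<rss version="2.0"><channel><title>Family news</title>
<item><title>Holiday photos</title><link>https://example.org/photos</link>
<guid>urn:example:1</guid><description>New album posted.</description></item>
<item><title>Hello
Bcc: someone@example.net</title><link>https://example.org/x</link>
<guid>urn:example:2</guid><description>Odd title.</description></item></channel></rss>"""
ATOM_SAMPLE = """<feed xmlns="http://www.w3.org/2005/Atom"><title>Work blog</title>
<entry><title>Release notes</title><id>urn:example:3</id><summary>Shipped.</summary>
<link href="https://example.org/release"/></entry></feed>"""

def one_line(text):
    """Collapse whitespace so feed text cannot carry CR/LF into a mail header."""
    return " ".join((text or "").split())

def parse_feed(xml_text):
    """Return (feed_title, entries) for an RSS 2.0 or an Atom document."""
    root = ET.fromstring(xml_text)
    if root.tag == ATOM + "feed":
        entries = []
        for e in root.iter(ATOM + "entry"):
            link = e.find(ATOM + "link")
            entries.append({"id": e.findtext(ATOM + "id"),
                            "title": e.findtext(ATOM + "title"),
                            "link": link.get("href", "") if link is not None else "",
                            "body": e.findtext(ATOM + "summary") or ""})
        return root.findtext(ATOM + "title"), entries
    channel = root.find("channel")
    entries = [{"id": i.findtext("guid") or i.findtext("link"),
                "title": i.findtext("title"),
                "link": i.findtext("link") or "",
                "body": i.findtext("description") or ""}
               for i in channel.iter("item")]
    return channel.findtext("title"), entries

def feed_to_messages(xml_text, sender, recipient, seen):
    """Build one EmailMessage per entry whose id is not already in `seen`."""
    feed_title, entries = parse_feed(xml_text)
    messages = []
    for entry in entries:
        if entry["id"] in seen:
            continue
        msg = EmailMessage()
        msg["From"], msg["To"] = sender, recipient
        msg["Subject"] = one_line(f"[{feed_title}] {entry['title']}")
        msg.set_content(f"{entry['body']}\n\n{entry['link']}\n")
        seen.add(entry["id"])
        messages.append(msg)
    return messages
```

Without `one_line`, `EmailMessage` refuses the second title outright because header values may not contain line breaks; flattening it keeps the entry deliverable. Each returned message can be handed to `smtplib.SMTP.send_message` for delivery.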

Social networking and Systems administration and The Web15 Oct 2008 at 13:03 by Jean-Marc Liotier

While FriendFeed is the efficient geek hangout, it is Facebook that provides the social middle ground that bridges the gap between early adopters and the mainstream. What makes Facebook useful is that it attracts mainstream users and entices them to publish content – something most of them would never do anywhere else. As Regular Geek puts it : “These are people who thought AOL was the internet”. They only visit a few mainstream sites and to them the Web is almost as read-only as dead tree media. That Facebook manages to turn them painlessly into content producers makes it useful for keeping in touch with everyone who does not know what web feeds are. Be aware that even though Facebook is not a dedicated photo sharing site, it beats them at their own game : with ten billion pictures posted, it is now the site with the most pictures shared.

But with mainstream users comes much cluelessness. Those are the people who mindlessly click the default option on every pop-up dialog in sight and then bring you malware-ridden computers for healing while wondering why they are so slow and whether they should buy a new one – all they get from me nowadays is a kind word, an Ubuntu CD and an offer to install it. Those users have shown time and time again how the path of least social resistance leads to a torrent of application spam.

Some applications are a useful addition to the social framework – among them I particularly like Friend Wheel. Many others are just games or even purely decorative trinkets, but they should not be dismissed offhand : they have an important role in evangelizing social tools and in promoting use, and they have the social role of fostering playful interaction that reinforces social links. But if you look below, you’ll probably conclude that the quantity of shiny fluff is a tad overwhelming – this is the list of applications that my Facebook account blocks… And it was gathered in less than two years of activity !

  • Absolut Vodka
  • Addicted to NCIS
  • Addicted to Two and a Half Men
  • A la Antillean
  • Alice Blind Test
  • Amazing Wishlist
  • Animated GIFTS
  • A quel(le) star ressembles-tu le plus physiquement?
  • A quel X-Men ressembles tu ?
  • AREPAS and Venezuelan Food
  • Are you a great lover ?
  • Are You Lucky?
  • Are you Moroccan?
  • Are you romantic?
  • Art
  • ATTACK!
  • aWizard
  • Bathroom Wall
  • Be a Billionaire!
  • Because You’re Special
  • Become Rambo
  • Best Friend Contest
  • Best Match!
  • Best Wishes
  • Birthday Alert
  • Birthday Calendar
  • Birthday Cards
  • Blackjack
  • Bless You
  • Blow A Kiss
  • Books iRead
  • Booze Mail
  • Borat / Ali G Photos, Quotes and Trivia
  • Bowling Buddies
  • BrainFall.com Quiz Results
  • BrewSocial
  • Bubble Town
  • Bumper Sticker
  • Bumper Stickers [Photo Gifts]
  • Call Me on Skype
  • Card for Africa
  • Car IQ
  • Cat Breed Collection
  • Causes
  • Chanel Gifts ?
  • Characteristics
  • Check Your Dudeness
  • Chinese Horoscope
  • Circle of Friends
  • COMINGSOON
  • Comment finirez vous ?
  • Comment s’appellera l’homme de ta vie ?
  • Comparaison
  • Compare People
  • Coolest Friends
  • Coolest Person Contest
  • Crushes
  • Cute vs Sexy
  • Define Me
  • Delux Christmas Tree
  • Denzel Washington
  • De quel arrondissement parisien ètes-vous ?
  • Do people secretly hate you?
  • Drunk Survey
  • ePresident
  • Es-tu fort en histoire ?
  • Etes vous un minimum cultivé ?
  • Etre Marseillais
  • Eurosport – Liste des 23 pour l’Euro 2008
  • Family Guy – Blue Harvest
  • Family Tree
  • Famous Christian Quotes
  • FB Addict – are you hooked on FB?
  • FFR Supporters
  • Fine Wines
  • Flirtable
  • Fortune Cookie
  • Free Gifts
  • Fresh Prince
  • Friend Hug
  • Friends For Sale!
  • Fun Cards!
  • Funnest Person Contest
  • Funny Cards
  • Fun Toys
  • Genius Test
  • Gifts Gallery
  • Good Morning
  • (Green) What fruit are you?
  • Growing Gifts
  • Guerre des gangs
  • Hatching Eggs
  • hello kitty
  • High School Trivia Test
  • Holiday Shoppe (Christmas Tree)
  • Hotness
  • Hot Potato
  • Hottest Person Contest
  • How gangsta are you?
  • How Indian Are You?
  • how smart are u?
  • How stupid are you?
  • How will you die?
  • Hug Me
  • Hug Me
  • Hugs
  • Hug Time
  • Iframer
  • iLike
  • Instant IQ Test
  • IQ Test
  • IQ Test (Advanced Level)
  • is cool
  • iSmile
  • Japanese Foods
  • Japanese Sweets
  • Jedi vs Sith
  • Jetman
  • Jeu de Séduction
  • JungleBook
  • Kisses
  • Kisses!
  • Kiss Me
  • Knighthood
  • Language Exchange
  • Likeness
  • Likeness UNRATED
  • (Lil) Green Patch
  • Local Picks
  • Love Friend
  • LX Champions League
  • LX College Football
  • LX World Cup Football
  • Mario Kart RPG
  • Meet New People
  • Mesmo TV
  • MeteoSun
  • MindJolt Games
  • Mood Ring
  • Most Creative People
  • Most Eligible Singles
  • Most Gorgeous Person Contest
  • Most Wanted Valentine!
  • Mountain Climber
  • Movies
  • My Angels
  • My Aquarium
  • My Boxofun
  • My Drunk Friends
  • MyFlirt
  • My Hebrew Name
  • My Heroes Ability
  • My Music
  • My Personality
  • My Questions
  • MY SEXY FRIENDS
  • MySpace
  • MySpace Link
  • NAB Smart Cookies
  • Name Analyzer
  • NBA Challenge
  • Nicknames
  • Nova Music
  • OneTrack
  • Optical Illusions Challenge
  • OUIFM
  • Owned!
  • Passe Ton BAC !
  • Personality
  • Photo Quizzes
  • Pieces of Flair
  • Pillow Fight
  • Pillow Fight!
  • Pink Ribbon
  • Portrait Chinois
  • Pour quelle boîte Corse es-tu fait(e) ?
  • Pour quelle époque êtiez-vous fait(e)?
  • Pour quelle ville êtes-vous fait(e) ?
  • Pour quelle voiture es-tu fait(e)?
  • PrayLive
  • Premier Football
  • Pro League Rugby
  • PuzzleBee Jigsaw Puzzles
  • Q??l Pa?f?? E? T? ?
  • Que fuyez-vous le plus ?
  • Quel alcoolique êtes vous?
  • Quel chroniqueur du grand journal êtes-vous?
  • Quel écrivain êtes-vous?
  • Quel est ce défaut chez toi qui fait craquer les hommes?
  • Quel est ton degré de connerie??
  • QuEl EsT tOn MeC IdEaL???
  • Quel est ton niveau d’anglais?
  • Quel est ton niveau sexuel ?
  • Quel Festival es-tu?
  • Quel genre de pute es-tu ?
  • Quel joueur de rugby etes vous?
  • Quel joueur du PSG 2007-2008 es-tu ?
  • Quelle citation êtes-vous?
  • Quelle couleur es-tu?
  • Quelle desperate housewife êtes-vous ?
  • Quelle icone glamour es-tu?
  • Quelle ligne de métro êtes vous?
  • Quelle mec te correspond ?
  • Quelle paire de chaussures de créateur êtes-vous ? (pour filles)
  • Quelle princesse de Walt Disney êtes vous?
  • Quelles Vacances VIP es tu?
  • Quel Maman est tu ?
  • Quel mannequin es-tu?
  • Quel méchant de Disney es-tu ?
  • Quel nageur connus es tu ?
  • Quel personnage de desperate housewives es-tu?
  • Quel personnage de FRIENDS es-tu?
  • Quel personnage de KAAMELOTT es-tu ?
  • Quel personnage de la Révolution êtes-vous ?
  • Quel personnage des BRONZES êtes-vous ?
  • quel qualité êtes-vous?
  • Quel séducteur (trice) etes-vous ?
  • Quel sorte d’enfant étais-tu?
  • Quel sous-vêtement êtes-vous?
  • quel star es tu ?
  • Que pensent les autres de toi en secret?
  • Que vas tu faire de ta vie ?
  • Quizzes
  • RAYMOND DEMISSION !!!
  • Rock Paper & Scissors
  • R U CUTE!
  • Save An Alien
  • Say Happy New Year!
  • Say-it-with-Flowers
  • SceneCaster
  • ScoreMe
  • Secret Admirer – CRUSH on ME (PERFECT MATCH)
  • Send Beer
  • Send Chocolate
  • Send Diamonds
  • Send Good Karma
  • Send HOTNESS
  • Send Love Hearts
  • Send Luck
  • Send Sunshine
  • Send Teddy Bears
  • Send Tiaras
  • Send Tux
  • Send Veggie Tales
  • Sexiest Person Contest
  • Sexy Friends
  • Sexy Pillow Fight
  • Sexy Poke!
  • Shots!
  • similaire
  • Six Degrees
  • Sketch Me
  • Skiers vs. Snowboarders
  • Slayers
  • Slide FunSpace
  • Smiles
  • Snowball Fight
  • Snowball Fight!
  • Social Profile
  • Sparkey
  • SpeedDate
  • SpeedDate
  • SpeedDate
  • SpeedDate
  • SpeedDate
  • SpeedDate
  • Sports Fan
  • Status Competition
  • Stickerz
  • Sticky!
  • StyleFeeder
  • Sudoku
  • Suomi-ilmiö
  • Superlatives
  • SuperPoke!
  • Super Slot Machines
  • Super Wall
  • Sweetest Person Contest
  • Tarot
  • Test ton niveau de culture
  • Texas HoldEm Poker
  • The Brain Game
  • The Legend of Zelda Fan
  • The Official 100 Question Geek Test
  • The Sex Compatibility Test
  • The Unofficial Desperate Housewife Quiz
  • The World’s Smallest Political Quiz
  • Top Friends
  • T.O.T. Effect
  • Tower Bloxx
  • Travel Brain
  • Traveler IQ Challenge
  • Trend Setter
  • True Match
  • Truth Box
  • TuneSocial
  • Twirl
  • Twist me!
  • U.S. Citizen Test
  • Vampires
  • Wanna Dance?
  • Water Globe Gifts
  • WC 2010 Euro Predictor
  • We’re Related
  • WereWolves
  • What Beer Are You?
  • What Color Is Your Heart?
  • What Does My Birthday Mean?
  • What Drink Are You?
  • What flower are you?
  • What football player are you?
  • What Is Your Ideal Job?
  • What is Your Secret Sexual Fantasy?
  • What is Your Supermodel Personality?
  • What kind of candy are you?
  • What Kind of Cat Would You Be?
  • What kind of hair best suits you? (for girls)
  • What Kind of Mom Will You Be?
  • What Lost Character Are You?
  • What Mythological Creature Are You?
  • What serial killer are you?
  • What song are you?
  • What’s Your Stripper Name?
  • Whats you true name? (Girls only)
  • What type of person do you attract?
  • What type of warrior are you?
  • When will you get married?
  • Which Disney Princess Are You?
  • Which Disney Song Describes Your Life Right Now?
  • Which Fashion Designer Would You Be?
  • Which Festival best suits you??
  • which F.R.I.E.N.D.S character are you???
  • Which Friends Character Are You?
  • Which Grey’s Anatomy Character Are You?
  • Which Hot Celeb Are You?
  • Which Rockstar Are You?
  • Which Sex and the City Character Are You?
  • Which Simpsons Character Are You?
  • Which WaterAid Country Are You?
  • Who Has The Biggest Brain?
  • Who is Watching You ?
  • Who’s Online
  • Who’s the Coolest Cat?
  • Will you KISS me?
  • Winnie the Pooh
  • Word Challenge
  • Word Twist
  • YES or NO?
  • Your Birthday
  • You’re a Hottie
  • You’re Cute
  • Your Sexyness
  • YouTube Video Box
  • Zombies

You too can escape this minor pantheon of horror – and you can do it without the tedium of blocking each application as it spams your Facebook newsfeed. As you may know, Greasemonkey enables the customization through JavaScript of the way a webpage displays. Auto-Block Facebook Apps is a Greasemonkey script that will block application invitations sent to you by Facebook contacts. After the Facebook profile page is loaded, it finds all the applications that your friends have invited you to and blocks them. Whenever you need to, you can go to the Facebook applications privacy controller and unblock the ones that you find somewhat valuable. With application spam out of the way, Facebook will remain the neat social watering hole that makes it valuable for interaction with non-geeks.

Jabber and Systems administration and VOIP05 Jun 2008 at 23:59 by Jean-Marc Liotier

Since version 1.4, a Jabber module is available in Asterisk. If you know me, then you probably wonder why it took me that long to discover it. I began playing with it tonight and the short story is that it works, it is simple to configure and it makes telephony aware of presence.

Of course this is still far from the holy grail of a presence-centered converged synchronous communications platform, but it is a start and anything is better than today’s stupid mass-market telephony.

Here is my /etc/asterisk/jabber.conf :

[general]
;Auto register users from buddy list
autoregister=yes
;Jabber service label
[asterisk]
type=client
serverhost=jabber.grabeuh.com
username=asterisk@jabber.grabeuh.com/kisangani
secret=my_password
port=5222
usetls=yes
statusmessage="Watching the telephone"

Yes, that’s it : Asterisk is now registered as a Jabber client. There are other ways to do it using external modules, but this one is the simplest – and since it is now part of the main trunk it is probably the most stable. In particular you should be careful with class.jabber.php which is not maintained anymore and in the process of being replaced with the much more modern XMPPHP.

Now let’s declare a macro for taking full advantage of that. This one takes a look at the user’s presence and routes the call accordingly : if he is online or chatty the call goes to his desk phone – otherwise it goes to his mobile phone.

[macro-reach_user]
; ${ARG3} is a destination such as SIP/whatever
exten => s,1,jabberstatus(asterisk,${ARG2},STATUS)
; Presence in ${STATUS} will be 1-6.
; In order : Online, Chatty, Away, XAway, DND, Offline
; If the address is not in the roster, the variable will be 7
exten => s,2,gotoif($[$[${STATUS}]<3]?available:unavailable)
; GotoIf(condition?label_if_true:label_if_false)
; The whole jabbersend application call is kept on a single line
exten => s,3(available),jabbersend(asterisk,${ARG2},"Call from ${CALLERID(name)} at number ${CALLERID(num)} on ${STRFTIME(,GMT-1,%A %B %d %G at %l:%M:%S %p)}")
exten => s,4,Dial(${ARG1})
exten => s,5(unavailable),Dial(${ARG3})

Since we have declared a macro, we have to call it in the context of our choice and assign the relevant values to the macro’s variables :

[whatever_context]
; ${ARG1} is the destination when at desk
; ${ARG2} is a jabber address used at desk
; ${ARG3} is the destination when not at desk
exten => 05600047590,1,Macro(reach_user,SIP/jml-desk,jim@jabber.grabeuh.com,SIP/freephonie-out/0666758747)
; repeat last line for each user

That’s all folks ! That is all it takes to have your calls routed to the right phone according to your presence status. It is really that easy.

Why no service provider is offering that is beyond me. The big ones are all waiting for the IMS systems they are going to deploy with a five-year roadmap. But if you want the future right now there is no need to wait : all the technology is here today waiting for you to play with it ! And of course it is 100% Free software.
