Sun, 05 Oct 2008

qemu IP address patch

I sometimes use the qemu virtualization system, or its cousin kvm, for creating virtual computers to test software in. Conveniently, qemu makes networking those really easy.

Unfortunately, the IP addresses it assigns for virtualization happen to be in the same subnet as my desktop at work (at CC, 10.0.2.x). I had some fear of changing a piece of software as presumably complex as qemu.

I forged ahead and came up with a patch that I posted to the qemu-devel mailing list. I'm just writing this post in case someone wonders, "How can I change the IP address of the user net layer used by qemu to avoid a conflict?"

The answer is as easy as replacing the string "10.0.2" with "10.0.3" globally across the qemu codebase and recompiling. If that mailing list post ever goes away, I have a local copy of the patch.

(This work was sponsored by CC, but pending an okay from CC, you should be free to use it under the terms of the WTFPL.)

Sat, 04 Oct 2008

What are your most expensive websites to run? Patching Apache to find out

When running a busy webserver, one may want to know how much server time is spent preparing each request. That would be especially useful broken down per web site you host. Server processing time reflects things like how long MySQL queries took or how loaded the disks are; in general, it is the measure of how difficult it was to answer a request. It may also be interesting to compare the server time spent processing a request today to the same request's time in the past, as an indication of how system changes (upgraded disks, a more complex filesystem) have affected your ability to process web requests.

Apache's mod_log_config lets you log how long a request takes from start to end, which includes the amount of time taken to send the actual data. That can be imagined as server_processing_time + time_to_send_data_to_client. I wasn't interested in seeing how slow or fast clients' net connections were.

In a project I named vhost_effort, I wrote a patch to Apache that logs just the server time spent from the start of the request to when the response is ready to be sent. That work was done at Creative Commons, and the software results are available under the Apache 2.0 license. vhost_effort.py is a hack that generates a pie graph of how much server time is spent on each vhost (among other sorts of visualizable statistics). I began thinking of using a visualizer for disk usage to make the pie graph interactive, but by the time I was nearly done working that out we had already gathered all the data we needed.

My projects page has a link to the code in the Creative Commons Subversion repository. I did write about this at labs.creativecommons.org a year ago also.

Code in Creative Commons Subversion.
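As an added example (not the vhost_effort code from the Creative Commons repository), this shell function does the aggregation step behind such a pie graph: it sums the per-request server processing time by vhost and reports each vhost's share of all server time. The log layout is an assumption for the example: vhost first, the patched server-side processing time in microseconds last.

```shell
#!/bin/sh
# Constructed sample log lines (not real server data). Layout assumed for this
# example: vhost, request line, then the server-side processing time in
# microseconds that the vhost_effort patch logs (not Apache's %D, which also
# counts the time spent sending the response to the client).
SAMPLE_LOG='www.example.org "GET /index.html HTTP/1.1" 1200
wiki.example.org "GET /wiki/Main HTTP/1.1" 250000
www.example.org "GET /style.css HTTP/1.1" 800
wiki.example.org "GET /wiki/Special:Search HTTP/1.1" 748000
blog.example.org "GET / HTTP/1.1" 50000'

# vhost_effort: read log lines on stdin, sum processing time per vhost
# (field 1 = vhost, last field = microseconds) and print
# "vhost total_us percent_of_all_server_time", most expensive first.
vhost_effort() {
    LC_ALL=C awk '
    NF >= 2 && $NF ~ /^[0-9]+$/ {           # skip malformed lines
        vhost[$1] += $NF; total += $NF
    }
    END {
        if (total == 0) exit 1              # nothing usable was read
        for (v in vhost)
            printf "%s %d %.1f\n", v, vhost[v], 100 * vhost[v] / total
    }' | LC_ALL=C sort -k2,2nr
}

# most_expensive_vhost: just the name at the top of that list
most_expensive_vhost() {
    vhost_effort | head -n 1 | cut -d ' ' -f 1
}

printf '%s\n' "$SAMPLE_LOG" | vhost_effort
```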

Fri, 22 Aug 2008

dd, dd_rescue, and ddrescue

The short answer: "Use GNU ddrescue. GNU stands for Quality."

dd is a classic UNIX utility to read from and write to files (often devices). Typically, one uses it to copy a hard disk to a file, or to image a hard drive by copying a backup onto it.

One hits a problem when the hard disk has errors. In this case, dd abruptly stops working in the middle, reporting an "Input/output error." But when the hard disk has errors, usually what you want is to get an image of all the blocks on the hard disk that are readable - not just the first few before the first error!

(Note for the pedantic: Yes, I know about dd conv=notrunc,noerror. They're so easy to misuse (mostly by forgetting one of those two options) that they're worth avoiding.)

Two tools are available for this particular purpose. Confusingly, one is called ddrescue, and the other is called dd_rescue.

Around 2001, Kurt Garloff wrote dd_rescue. It does what dd does if you pass it some options, but it comes with instructions on how to use it to recover data from drives, like by running it multiple times or backwards. A wrapper script called dd_rhelp automates that process.

When you're running dd_rescue on an obscure OS like Mac OS X 10.3 because you dropped your laptop in Uganda and the Linux partition grew bad blocks and you still want your data, you will find that dd_rhelp is written as a complicated shell script that relies on GNU versions of core system utilities. OS X provides non-GNU versions, and you will waste hours fiddling with compiling those utilities just so you can run some dumb shell script.

In the summer of 2004, the same summer as I dropped my laptop, Antonio Diaz Diaz wrote "ddrescue," a stand-alone C++ tool that does the same things as dd_rhelp, but more sanely and therefore more efficiently. It became an official GNU project. GNU ddrescue, like dd_rhelp, can keep a log file to let itself gracefully pick up after interruptions.

When your hard disk fails, you should turn to your backups. But if you need a tool like these, just remember: "GNU ddrescue."

$ sudo apt-get install gddrescue

Sun, 03 Aug 2008

Real DOS on a virtual disk

Sometimes you need to run DOS programs, like to flash BIOSs on your laptop. Sometimes, if you're Kragen, that lets you fix ACPI on your BIOS, giving you a hope that X will boot up more often than 1 in 3, sound will skip less, and the first PC card you insert will be assigned a valid IRQ. (The last one is particularly interesting: to get a working PC card before the promised joy of the BIOS update, you have to plug in one card, watch it get assigned the mostly broken IRQ 3, plug in a second card, watch it get assigned the useful IRQ 4, and then you can remove the first one. This is a good way to get a wifi card working.)

Here's a simple HOWTO for getting that going on a Linux machine without repartitioning or booting off external media.

I'll refer to aptitude; I'm assuming you're using a Debian/Ubuntu machine so that makes sense.

Step 1: Install syslinux

$ sudo aptitude install syslinux

Now memdisk is in /usr/lib/syslinux/memdisk .

You should copy it to /boot/ in case your root filesystem is encrypted:

$ sudo cp /usr/lib/syslinux/memdisk /boot/

Step 2: Get your DOS floppy in /boot

Debian packages FreeDOS in dosemu-freedos. Unfortunately that doesn't include a floppy image. Instead:

$ cd /boot
$ sudo wget http://www.ibiblio.org/pub/micro/pc-stuff/freedos/files/distributions/1.0/fdboot.img

Step 3: Configure GRUB

Put this in your /boot/grub/menu.lst and smoke it:

title FreeDOS
kernel /memdisk
initrd /fdboot.img
boot

Step 4: Reboot, and choose FreeDOS!

Ta-da, you're done.

More options

For bonus points, you can customize the floppy disk image. The easiest way to modify is to mount it loopback:

$ sudo mount -o loop,mode=777 /boot/fdboot.img /mnt/

Then you can copy files into /mnt/, and then when you're done:

$ sudo umount /mnt/

Ta-da, the image has been changed! (Thanks to Kragen for confirming that this actually works.)

The lame old way to customize the image is to use "mtools."

P.S. Thanks to Albert Lee for explaining this trick to me in the first place!

Wed, 16 Jul 2008

IP over Avian Carrier: Security implications

BBC News has a story on Brazil's pigeon drug mules.

Quoth Bruce Schneier:

I think this is the first security vulnerability found in RFC 1149: "Standard for the transmission of IP datagrams on avian carriers." Deep packet inspection seems to be the only way to prevent this attack, although adequate fencing will prevent the protocol from running in the first place.


Mon, 26 May 2008

IPv6

Kartik pointed me to this post about "The Future without IPv6". IPv6 is the future addressing scheme that the Internet will hopefully be transitioning to in the next decade or so; IPv4 is the current setup. The reason we need a new addressing scheme is simple - we've run out of addresses. The dream of the Internet was "end to end connectivity," but you can't do that if you don't have enough addresses to give everyone on the network an address.

You've seen this every time you open up a laptop and it gets an IP address from a "wireless router" - the IP address created for you by that router actually can't be reached from the broader Internet. Network Address Translation (NAT) is a trick the router plays where it changes the headers on your messages destined for the Internet so everyone else on the network thinks the box sent the message. But this means if you want to do something not allowed by that box in the middle, or allowed but misunderstood, it is in an incontrovertible position to screw that up.

The article writes:

Ubiquitous multilevel NAT means the Internet becomes a system for making TCP connections.

Using the Internet only for TCP connections to me spells the end of decades of Internet innovations like Voice over IP that rely on the flexibility of the Internet. And the fact that these connections must always go to the few servers able to have their own dedicated IP addresses creates a separate class of connection in the Internet world: "consumer" vs. "distributor". That class distinction is what IP was designed to erase.

I don't agree with the author that we will never move to IPv6, but I also know we won't do it fast enough to satisfy me. Luckily, thanks to the "end to end" nature of the Internet, especially IPv6, I can do my own migration now and give my computers both IPv4 and IPv6 addresses. I'll be here in the future, waiting for the rest of you guys.

P.S. I'm already "multiplexing multiple transports over a single TCP connection" with my always-on SSH tunnel. I am aware of the drawbacks he lists.

Mon, 03 Mar 2008

Interactive ext3 performance

In 2001, drobbins published an article on IBM DeveloperWorks remarking that the data=journal mount option improved interactive performance on one test from ca. 70 seconds to 7 seconds.

Even today, the openSUSE wiki echoes this advice. I wonder if it still holds.

Tue, 08 Jan 2008

Passwordless alpine with Dovecot

Do you run a server that people SSH into for email?

Do you like to offer them (al)pine?

Do you use the Dovecot IMAP server?

Do you think your users would like to enjoy IMAP benefits from the comfort of alpine without entering their password?

I do! Here's how: Add this to /etc/pine.conf:

rsh-command=/usr/local/bin/alpine-rimapd %s %s %s %s
rsh-path=/bin/sh

And store this in /usr/local/bin/alpine-rimapd (the path the rsh-command above points at):

#!/bin/sh
exec /usr/sbin/dovecot --exec-mail imap

chmod +x that sucker and you're off to the races!


Tue, 25 Dec 2007

Sending mail from a laptop

I often find myself on what I would call "hostile" networks: they allow only very limited Internet access, like blocking port 25 so I can't connect to my mail server. Maybe you're never on filtered Internet access, but your home ISP doesn't let you send mail out when you're not at home, and you want to send email directly from your laptop anyway.

Just do what I do! Let me explain.

Summary

Justification

Implementation in Three Steps

Step 1: ssh tunnel

This is the hardest part. To make things simple, I create a dedicated user on each end.

On the remote server (server):

[me@laptop] $ ssh me@server
[me@server] $ sudo adduser tunnelendpoint
[me@server] $ sudo su - tunnelendpoint
[tunnelendpoint@server] $ mkdir .ssh

On the local machine (laptop):

[me@laptop] $ sudo adduser tunnelclient
[me@laptop] $ sudo su - tunnelclient
[tunnelclient@laptop] $ ssh-keygen -t rsa # make it passwordless
[tunnelclient@laptop] $ cat .ssh/id_rsa.pub | ssh tunnelendpoint@server 'mkdir -p .ssh ; chmod 0700 .ssh ; cat >> .ssh/authorized_keys'

On the remote server:

[me@server] $ sudo su - tunnelendpoint
[tunnelendpoint@server] $ nano -w .ssh/authorized_keys

You'll see a key that starts with "ssh-rsa" (the key type generated above). Before that, add this string, leaving a space before "ssh-rsa":

command="nc localhost 25",no-X11-forwarding,no-agent-forwarding,no-port-forwarding

(Note: "nc" is in the netcat package.)

On the local machine (laptop)
[tunnelclient@laptop] $ ssh tunnelendpoint@server
220 rose.makesad.us ESMTP Postfix (Debian/GNU): "every tragedy is a beauty that has passed"

Hooray! If you see a reply like mine that starts with "220", then all is well.

You're done with the hard part. Now the easy parts.

Step 2: inetd

[me@laptop] $ sudo aptitude install openbsd-inetd

Now edit /etc/inetd.conf to have this line:

127.0.0.1:125 stream  tcp     nowait  tunnelclient    /usr/bin/ssh    ssh -q -T tunnelendpoint@server

Now restart the inetd (sudo /etc/init.d/openbsd-inetd restart) and test it:

[me@laptop] $ telnet localhost 125 
220 rose.makesad.us ESMTP Postfix (Debian/GNU): "every tragedy is a beauty that has passed"

Step 3: Postfix (optional)

This is my favorite part, but it's only necessary if you plan to send email when you're not connected to the Internet.

Just install Postfix, and add this to /etc/postfix/main.cf:

relayhost = 127.0.0.1:125

Restart Postfix and you should be set. Try sending some mail!
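The authorized_keys line in step 1 is what keeps a passwordless tunnel key harmless if the laptop is lost: the forced command and the three no-*-forwarding options mean the key can reach nothing but the server's local SMTP port. As an added example that is not part of the original post, this shell function audits an authorized_keys file for keys missing that lockdown; the sample file contents and key blobs are constructed placeholders.

```shell
#!/bin/sh
# Constructed sample authorized_keys contents: the first key is restricted the
# way the post describes, the second was added without any options. The key
# blobs are placeholders, not real keys.
SAMPLE_KEYS='# tunnel key for the laptop
command="nc localhost 25",no-X11-forwarding,no-agent-forwarding,no-port-forwarding ssh-rsa AAAAB3PLACEHOLDER1 tunnelclient@laptop
ssh-rsa AAAAB3PLACEHOLDER2 someone@elsewhere'

# check_tunnel_keys: read authorized_keys lines on stdin and print
# "UNRESTRICTED <comment>" for every key that lacks a forced command or one of
# the three no-*-forwarding options. Returns 1 if any such key was found, so
# it can gate a cron job or a config-management run.
check_tunnel_keys() {
    LC_ALL=C awk '
    /^[ \t]*(#|$)/ { next }                   # comments and blank lines
    {
        # each option must sit at the start or after a comma, and end at a
        # comma or at the whitespace before the key type
        ok = ($0 ~ /(^|,)command="[^"]+"(,|[ \t])/) &&
             ($0 ~ /(^|,)no-port-forwarding(,|[ \t])/) &&
             ($0 ~ /(^|,)no-agent-forwarding(,|[ \t])/) &&
             ($0 ~ /(^|,)no-X11-forwarding(,|[ \t])/)
        if (!ok) { bad++; print "UNRESTRICTED " $NF }
    }
    END { exit (bad > 0) }'
}

printf '%s\n' "$SAMPLE_KEYS" | check_tunnel_keys || echo "fix the keys listed above"
```

Run it as the tunnelendpoint user with `check_tunnel_keys < ~/.ssh/authorized_keys` to audit the real file.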

Closing

I was inspired by a Debian Administration post, except I had my own ideas about the best way to do it. I still like my way best.

One problem with the above approach is that it requires root on "server". It would be possible to do the ssh tunnel thing without using a separate "tunnelendpoint" account, but instead to add that key to your regular username.

Tue, 23 Oct 2007

Announce and discuss lists

I have a habit of entering a community and leaving both an announce and a discuss list wherever I go. The wisdom of this is still unresolved. I thought I'd share one thing I do beyond that: set the reply-to header on the announce list to go to the discuss list.

That way, when there's an announcement and the peanut gallery wants to add something, they'll reply and the people interested in hearing more will hear it.

I remembered this upon reading that the BALUG lists have the same sort of split, and in particular that they were considering (on an opt-out basis) auto-adding people from discuss to announce.