My hat’s off today to the guy who packaged Windows Patch KB951847. An update to the .net Framework. There’s three hours of my life that I won’t get back. Just as a general rule I want to know how to turn Windows Update off completely. The Mac OS X’s update is smart. It pops up sometime during the day and says that there are updates. Then it give me the option of downloading them. It lives under the Apple Menu so it’s always easy to find. About 90% of the time I say not right now and then do the update manually within a day or two. On the other hand: windows update complains loudly if I try to make it emulate the same behaviour. It’s constantly putting up a little red shield in the system tray and then putting up a balloon to say “You turned me off, what are you crazy”. It seems reasonably obvious that Windows does not know it’s place in my computing world and more so, doesn’t understand why it got put there in the first place. On my Machine Windows is a VM under Parallels. I’ll start it once every six months or so when openning a Word doc or excel spreadsheet and I’m trying to work around a bug in OpenOffice.org or I just don’t feel like using iWork. That’s pretty much him. I’ll run Windows Update when something breaks but since Windows is a distance also-ran on my computer that won’t be frequent. As to why it got there.Window’s behaviour in the first place is the issue. Insistant system tray applications constantly stealing my screen real estate. Update that were written by crettins who thought to try and save me time by not sending a complete package and an attitude towards system failures that would have stranded Jim Lovell on the Dark Side of the Moon are pretty much all it took to convince me to buy a Mac.
Dante
In Dante’s Inferno there were circles in hell designed to separate the ordinary sinner: the guy who designed the keyboard I’m working with (which provides no feedback when a key has been struck for example) from the guy who deliberately put the “global nuclear war” button right next to the “toast apple poptarts” button. My “9th circle of hell award” goes to the guys who designed the firewall that I’m working with lately. It appears that in their wisdom they’ve chosen to implement the “Red Alert — all hands on deck” alarm for the following scenario. You have a server connected to a client via tcp. The server is a fairly recent linux box that can do RFC1323 extensions. The client is a boring Windows XP box with a TCP RWin size of 65536 bytes. Between them is a Comcast business class Cable connection. In this scenerio the Windows box is trying to download a file from the server on the Comcast connection. The problem is literally that the connection is too fast for the Windows XP Box to fully cope. Nowadays when I test Comcast Cable connections I’m surprised to see anything less than 25Mbit/s.In whole numbers thats 25,000,o000 bits / sec. In more familiar units that 312.5 kBytes /s. The problem is that I’m starting to see firewalls that see this as an issue because they have been programmed with very conservative specifications about what constitutes a denial of service attack. I’m seeing firewalls that scream DOS when they are connected to a Business Cable modem line and have clients with tcp receive window size of 65536 bytes. Why? it’s simple. On aBusiness Cable line with 25Mbits/s download rate you have to be able to buffer 96kbytes/s in tcp windows just to keep up with a server (or client) at the other end of a fast line. These firewalls are calling DOS because the other end can fill their TCP window and then some. The right thing to do is to watch. If the otherside wants to DOS you he’ll send many packets after your Rwin is filled. If he’s just a really fast server on a really fast pipe. He’ll respect your RWin and quit sending. If you’re firewall decides to be agressive and drop the connection (by proactively sending a TCP RST) then you should probably act accordingly.
My thanks to Chuck Skuba on this post. I have to be 100% and fess up that I gathered the data but he did the homework.
— Chris
Pantone Huey/MacBook success
A while ago I found the Pantone Huey on closeout at my local Circuit City. At $80.00+ I didn’t consider it much of a bargain but at $25.00 it didn’t look like such a bad deal. I fired up the device on my MacBook and began the disappointment. It turned my display Green. On my Mac Mini with my Samsung Display it was pretty good. If you don’t know it the point of this device is to tune your display’s color so that when you process a photo and then print it you don’t get surprised by the difference between what your monitor and printer consider to be fully saturated blue. At $25.00 I figured that it would be ok with the Mini. I was on vacation for a while and would have good access to the Apple Store and Genius bar so I packed the Huey along. But that was still no news. Then I ran into this link.   a At the bottom they discuss the Huey and it looks like it doesn’t like the polarization of the MacBook Screen. On calibration it wants to be oriented vertically but I found that it gave me a good calibration oriented horizontally.
Automating the dart league (Part 1)
I’m trying to automate the process of getting scores on my Dart League web page. To that end I’ve reworked the typical dart league standing Spreadsheet (called a model for the rest of the the article) for easier integration with a website.
Here’s the sheet: Dart League Model.
The idea is that the League secretary or statistician will update this model to generate the periodic league standings sheet. The added bonus is that this model has a sheet (see why I wanted to call it a “model”) that serializes the results data for easily and automatically updating the mod_python/postgresql or php/mysql or whatever you prefer. In the long haul I’ll use the following toolset:
- php or mod_python to handle the file upload form
- mod_python or php to handshake in the uploaded file
- xls2csv to convert from Microsoft Excel format to comma separated value format
- mod_python to insert the data into a temporary table in mysql or postgresql
- mysql or postgresql to integrate the results into the website.
Alternatively I may use procmail and python to handshake in the data from an email attachment. This replaces steps 1 and 2 above. The result will be either a webform where you upload your statistics or an email address for a bot which automatically handshakes in your stats. If I go email I may have to wrap everything with GnuPG to sign the data so I can know what to ignore.
Just for the purposes of naming I’m going to refer to a “spreadsheet” as a “model” from here on in. This is because Excel allows you to have multiple “sheets” within a model and you can link the data between the sheets. The model that I’m presenting makes pretty heavy use of this feature. The following describes how it works and I’m gonna give you estimates of how long it took me to set things up. I consider myself pretty good at Excel so double any times that I quote for Novice Excel users. If someone here is good at Excel Macros I can see spending some time to embed some of my knowledge into the model in the form of macros.
To use this model you start by laying out the sheet called “Tables”. This sheet has entries for your teams and the dates that you play on. These table contain your master data for your league. Since they get referenced in the rest of the sheet this is where you would go if you want to use the correct a misspelled team name. This took me about a hour to setup and needs to get done once at the start of the season. After that you shouldn’t ever have to touch it.
The next thing to do is to setup the sheet called “Enter Data Here”. This is where your week-to-week data entry goes. There’s an row for each team in your league and a column for each week that you play. That defines a box for each score. So if the Beachcomber Cafe team scores 11 points in Week 1 (June 26th) you put an 11 in the appropriate box. There’s a separate area for penalty points should you get a late score sheet or a late payment for a player. This took me about another hour to setup. You would have to set this up once also during the season. Adding this weeks scores took less than 15 minutes. Adding scores has to get done each week but I expect that this work will become common so it should take the same effort as me, week to week, as anyone else.
There is a sheet called “Results for Display”. This is the sheet that you want to print out or convert to PDF and distribute to your members. It’s exactly like the sheet that you are currently using for this with the exception you do not enter the data here. This sheet references the data on the previous sheet: “Enter Data Here”. The only thing would want to do to this sheet is fix the formating to suite your own league. I did address a pet peeve of mine in my rendition of this sheet. I show the team, then their total score, followed by their average. And the teams sort into places, first, second, third, by average. I’ve talked to a bunch of people about this while they agree with my math they say that sorting the scores by average rather than raw points is beyond the math skills of the common dart player. You don’t have to do it this way.
This sheet took me a little less than a hour to setup for MSDL. It requires weekly maintenance to sort the teams into order. The sorting columns are hidden so the maintainer has to know how to show hidden columns, sort from Z-to-A, and then rehide the columns. All told this takes about a minute for me to do.
There is a sheet called “Results for Display”. This is the sheet that you want to print out or convert to PDF and distribute to your members. It’s exactly like the sheet that you are currently using for this with the exception you do not enter the data here. This sheet references the data on the previous sheet: “Enter Data Here”. The only thing would want to do to this sheet is fix the formating to suite your own league. I did address a pet peeve of mine in my rendition of this sheet. I show the team, then their total score, followed by their average. And the teams sort into places, first, second, third, by average. I’ve talked to a bunch of people about this while they agree with my math they say that sorting the scores by average rather than raw points is beyond the math skills of the common dart player. You don’t have to do it this way.
The final sheet is called export_for_website. It took me about a half hour to set that up but for someone else the effort is all done. This sheet formats the data into one big long table suitable for direct import into a database. My plan is to import this data using a combination of tools which will take the sheet, convert it into a data format (CSV or comma separated value), load it into a database table and then then have some database code (a stored procedure) which updates the website tables. The trigger to load the database could be a special email recipient or I could put together a web form with a box for uploading the spreadsheet. Either method should be pretty easy to work for a novice user. If you don’t understand any of that I will be glad to explain it to you. If you do understand that but don’t get the next piece that’s completely okay. For advanced users I could set things up so that you directly import the data if someone is using the full Microsoft office Suite including Access and ODBC. Similar functionality is available to people who use OpenOffice. *Plug* I’m using open office to create all this and the package is Free!
FreeBSD’s geom makes life easier.
FreeBSD’s geom is the missing link that I’ve been searching for. Geom is an abstraction for mass storage providers and consumers which really cleans up the mass storage layer in Unix. In geom your disk drive combined with it’s driver is a mass storage provider. The filesystem layer is a mass storage consumer. Geom provides the glue in between providers and consumers which allows greatly enhanced function. Encrypted or compressed storage can be easily built using this framework.
I’m using geom with the automounter, amd to revamp my use of removable media. If you use the new gnome framework gnome’s hald does this also but it requires the user to unmount the drive. I like using amd here. Even though there’s a slight performance penalty amd will automatically unmount the drive for you after a configured period of inactivity. I find that this is an effective way of getting around one of Unix’s quirks. Unix doesn’t react well with a piece of the filesystem just disappears which is what happens when you remove a mounted USB stick. Amd can be configured to unmount the stick 30 seconds after you’ve stopped using it. Doing this almost eliminated the resulting kernel panics and length fscks that I experienced when I first started using USB storage.
The automounter is a utility that was designed to mount storage into the filesystem on demand. It works by providing an NFS look alike storage system. You literally mount the automounter into a directory in the filesystem. The automounter is configured with a map that assigns different directories within it’s filesystem to different pieces of mounted storage. So if amd is providing the directory /Volumes and has a mapping for MyUsbStick when you try to get a directory listing of /Volumes/MyUsbStick, the automounter has all the information needed to do the mount and provide access to the filesystem beyond. So far that’s about even.
Without geom that was a nice enough setup. But when the kernel attaches your usb stick in FreeBSD it gives it a name like /dev/da0s2e or /dev/da1s1. It’s easy enough to figure out what this means. da0s2e is the “e” partition on the second slice of the first “SCSI” drive in the system. USB and firewire drives a psuedo SCSI drives in FreeBSD and in Linux because the SCSI protocol was flexible enough to serve as the model for mass storage. But what happens if you have two systems and one of them has a SCSI controller in it or if you have two USB sticks. SCSI drives are number in the order in which they appear on the system so for the man with two USB sticks the whether they are connected as Drive a is da0s2e and drive b is da1s2e or vice versa depends on the order in which you plug them in. It turns out that geom embraces the concept of a volume label and can create a shadow device based on that label.
To use this feature of geom load the kernel module geom_vol_ffs (Available in FreeBSD from 6.x onwards) then add a label to your FreeBSD filesystems using the tunefs command:
# tunefs -L “MyLabel” /dev/da0s2e
Then you should end up with a device entry for your disk called /dev/vol/MyLabel
Have fun
— Chris
FreeBSD/WPA
Since I got my Mac some of my FreeBSD projects have been languishing on the back burner. Two are important, getting an IPSEC tunnel using IKE between FreeBSD (racoon) and OpenBSD (isakmpd frontended by ipsecctl) and getting WPA going. A couple of months ago I replaced WEP with wpa in my home wifi setup. There’s no arguing that the security is better and on the Mac it’s drop dead simple. I never understood what was going on in FreeBSD I understand it now. WPA appears to be divided into two parts like IKE. One part runs on the client and another in the Wireless AP. FreeBSD includes a program called wpa_supplicant which manages the WPA key exchange for you. To handle this it also has to manage the wireless interface. The automatic setup is actually pretty easy. I found this which helped me out. I wanted to understand what was going on under the hood. It turns out the setting up the config per the original article is the first step. Then run:
wpa_supplicant -B -Dbsd -iath0
as root. This handles the WPA negotiation. When ifconfig reports that you are connected you can run dhclient ath0 to connect.
Dav backended web servers
My father-in-law asked a question about email the other day that perplexed me. We recently got him a Mac and he was complaining about the “spinning beach ball of death” when he tried to send a message. It turns out that the message was 50 full sized digital photos for my brother-in-law. After he explained that detail it made sense that Mail was choking. I told him that the mail was simply too big and that the better way to share the pictures would be to post them in a website. I also promised to come up with a solution for him in a week or so and give him a helping hand getting everything posted.
Normal people would look at Picasa or Flickr or something but neither of those sites interest me. Most of the photo sites on the web want you to sign up which infringes on my privacy. They grant you some promotion through search engines for the privilege but Bapa doesn’t need the world to be able to see his photo album. To my “Open source guy” brain the immediate solution would be to create the site and then setup something like coppermine or gallery2 but both of those solutions require me to teach Bapa how to post to a photo web site. Picasa and Flickr have the same issue.
Fortunately for me, Bapa has a Mac. The Mac has a set of wonderfully integrated tools for doing exactly this sort of thing. I decided that the easiest thing to do would be to Apache and mod_dav to grant access to some web space. And then use apache to publish a site from within the web space. The Apache config is actually pretty simple. You use two virtual hosts. One points to the backend and one points the actual site. Here’s the apache2 config for the backend:
<VirtualHost *:80>
ServerName backend.example.com
ServerAlias backend
ServerAdmin webmaster@example.com
DocumentRoot /home/www/sites/backend.example.com/
DAVLockDB /var/www/DavLockDb
<Directory "/home/www/sites/backend.example.com/Dav/">
Dav On
AuthName "Photo DAV Fileshare"
AuthType Basic
AuthLDAPURL ldap://ldap-slave.example.com/ou=people,dc=example,dc=com?uid
<LimitExcept GET HEAD OPTIONS PROPFIND>
require valid-user
</LimitExcept>
</Directory>
ErrorLog /home/www/sites/backend.example.com/log/error_log
CustomLog /home/www/sites/backend.example.com/log/access_log common
</VirtualHost>
The goal here is to provide DAV access to the web sites storage so the Macintosh toolkit sees it as just another place to store files. The Directory setting tell Apache to provide the Dav directory and everything below it as a shared file system using the DAV protocol. In this case authentication is provided via LDAP but that could easily be changed to .htaccess files.
The actual web sites virtual host config is here.The trick is in setting DocumentRoot to be a subdirectory of the Dav provided above.
<VirtualHost *:80>
ServerName photos.example.com
ServerAlias photos
ServerAdmin bapa@example.com
DocumentRoot /home/www/sites/backend.example.com/Dav/photos
ErrorLog /home/www/sites/backend.example.com/log/error_log
CustomLog /home/www/sites/backend.example.com/log/access_log common
</VirtualHost>
The result is that Bapa can attach the file structure that contains his photo share as a DAV imported file system from his Mac (Finder: Go -> Connect to Server – http://backend.example.com/Dav/photos. Then tell iWeb to publish his website into that space et voilá: his pages are magically published to the web under photos.example.com.
This is about 90% of your setup. You will want to secure things to make sure that they aren’t easily broken. Apache accesses the Dav as user: www so it’s pretty important to make sure that the DAV directory is protected from tampering by having it owned by root:
# mkdir -p /home/www/sites/backend.example.com/Dav/photos # chown root:root /home/www/sites/backend.example.com/Dav # chmod 775 /home/www/sites/backend.example.com/Dav
# chown root:www /home/www/sites/backend.example.com/Dav/photos # chmod 775 /home/www/sites/backend.example.com/Dav/photos
These permissions setup the Dav share so that an object stored in the root of the Dav may only be deleted or removed by its owner. The DocumentRoot of the photos site can be written into by the www user. This isn’t meant as absolution security as much as a means to keep down support calls.
Caveats
In this example I’m doing nothing to protect Bapa’s password from interlopers on the net. In reality you would want the DAV to be provided over https to protect the password. A VPN connection is another possibility.
Old Code does die
I have a very old VA Linux 2200 box that I use a firewall. I recently upgraded it a later version of OpenBSD but it appears that I’ve found a regression in the X Server. This machine uses the Intel 440Gx Chipset with an integrated Cirrus Logic CL GD5480 Video adapter. It looks like the support for the video adapter has fallen out of Xorg 7.2 since the old OpenBSD could drive this box at 1280x1024x16bpp even though the box only has 2M of video RAM (If you do the math, don’t ask me I’m trying to found out how myself). The new driver can’t do this. I’ve spent a few hours trying to find Doco for the chipset in Xorg but the man page is another one of those “This section needs to be completed things…”
Use the source, Luke!
I wrote earlier about SASL and postfix. One side affect of my setup has been that I get these spurious warnings in my logs.
Apr 4 10:22:19 corellia postfix/smtpd[69626]: auxpropfunc error invalid parameter supplied
I’ve been meaning to throw some time at this problem for a while now but everything works so I haven’t. Upgrading my infrastructure to the latest Open and FreeBSD’s has me using newer packet filtering code with more capabilities so what was once a non-problem has become a pain in the neck. This problem is tied to another feature of cyrus sasl that if find annoying. The configuration for postfix and cyrus is handled through a file called smtpd.conf. This file is stored in /usr/local/lib/sasl2/smtpd.conf. This is annoying for one because under Unix configuration files like this belong in /etc. But for two because the file is poorly documented at best. Reading the source for postfix shows that this is handled by the smtpd_sasl_path. It’s already well documented that this variable isn’t a path, it’s the base file name for the configuration file. This is fixed in postfix 2.5. The warning comes from the initialization of the ldapdb component of sasl. Even though I’m not using it I have to specify the parameter ldapdb_uri.
Trackback Spam
Someone is attempting to spam my blog pretty heavily through trackbacks. This is stupid. It’s never going to work since I have so few comments here anyhow that I moderate all of them. It only serves to annoy me by generating an email saying that I have comments to moderate. My original thought was to block inbound packets from the offenders. It would be pretty simple. Add a table to my firewall config and then use a little shell script magic (grep, awk etc) to pull the addresses from the log an load them into the table. But a quick pass through sort confirmed that these attacks were coming from mostly different addresses. For now I’ve disabled trackbacks by disabling the php file that supports them. Next up change my mail filter to quarantine the emails appropriately. Sigh.