mikas blog

On each last Friday of July the annual System Administrator Appreciation Day is taking place.

Matt Simmons organized a SysAdmin Day Meetup to celebrate this event in New York. If you’re in New York on 30th of July consider registering yourself (it’s free and takes just a few seconds).

If you are participant of the Debian Conference in New York and are already hacking at the DebCamp you might want to join our group of Debian people who plan to show up, currently consisting of Paul Wise, Lars Wirzenius, Thomas Lange and myself. If you plan to join please ping me so we can show up at the SysAdmin Day Meetup together.

Last weekend (2010-07-02 – 2010-07-04) nine people met at the FAI developer workshop at Linuxhotel in Essen/Germany. If you can’t remember: FAI is a non-interactive system to install, customize and manage Linux systems and software configurations on computers as well as virtual machines and chroot environments, from small networks to large-scale infrastructures and clusters.

The participants of the FAI meeting:

second row from left to right: Michael Goetze, Michael Prokop, Andreas Schuldei
first row from left to right: Sebastian Hetze, Manuel Hachtkemper, Thomas Lange, Mattias Jansson
missing on the picture: Thomas Neumann (left on sunday midday) and Stephan Hermann (only part-time)

Friday afternoon started with getting to know each other, continuing with discussions all around FAI. On saturday we started to hack on FAI.

Between the hack sessions and discussions the attending people presented their FAI usage and approaches. Some notes from the presentations:

FAI Manager webfrontend / Stephan Hermann

Stephan ‘\sh’ Hermann presented his FAI web frontend which should be released under the GPL license in those days. The frontend uses qooxdoo whereas the backend is based on django, rpc4django and python-tftpy.

A demo video is available at blip.tv. Currently Stephan is searching for a nice name for his FAI management tool – please send suggestions either to him or to the linux-fai-devel mailinglist.

Grml / Michael Prokop

Grml is a Debian based Linux live system specially made for system administrators. Grml uses grml-live for building the ISOs, whereas grml-live itself uses FAI’s dirinstall feature to build the live system. This provides the Grml team with a nice way to autobuild 18 ISOs per day, known as daily.grml.org. Mika also presented Grml’s netscript bootoption and the ethdevice bootoption of live-initramfs which is useful for booting Grml/FAI via PXE.

Host Europe / Michael Goetze

Host Europe uses FAI for installing Debian and Ubuntu (32+64 bit) in the support center. They have ~20 FAI classes and use a Debian lenny NFSROOT as base for all deployed systems. Their main problems with FAI aren’t related to FAI itself, but instead e.g. broadcom NICs with lack of support for it in Lenny’s kernel. They are not using softupdate (yet) and currently use Kickstart for deploying CentOS but are working on deploying CentOS with FAI as well.

LIS AG / Sebastian Hetze

Linux Information Systems AG (LIS AG) are using FAI 3.2.17 and provide a luma and PyQt based GUI to their customers. They use DHCP, LDAP and DDNS for inventory, configuration and deployment.

Mathematical Institute of the University of Bonn / Manuel Hachtkemper

The Mathematical Institute of the University of Bonn uses FAI 3.1.8 and 3.3.5 for managing ~150 systems. They are automatically running softupdates every day, reporting how many hosts actually did run the softupdate and how many didn’t run. The involved failogwatch tool supports two regex files, one for excluding specific hosts and the other one for grepping for known problems in the logs.

Spotify / Andreas Schuldei + Mattias Jansson

Spotify is a peer-to-peer music streaming service and the operating people at Spotify use FAI for deploying the systems. Currently they are using FAI 3.3.3 to deploy ~400 bare metal machines and ~150 virtualised machines. They have their class names in DNS using the txt/Text record entry. They are using a self written prepend_class script to manage dependencies between classes.

University Köln / Thomas Lange

Thomas uses FAI’s trunk version (of course :)), managing ~25 machines with less than 20 FAI classes. He’s not using softupdates as Lenny’s aptitude ignores the hold status of packages (this bug should be fixed for Squeeze).

$COMPANY

One of the big telecommunication providers in Germany uses FAI 3.3.3 for installing their bare-metal and virtual servers, providing Debian, Ubuntu and SLES. They are using Debian NFSROOT as a base for all systems as well and their main problems with FAI wasn’t FAI itself but how to manage installation of virtual machines.

On Saturday evening we had a nice barbecue which included beer and Kölsch *d&r*. ;) On Sunday we continued with discussions and development.

Our work-log of the weekend:

• identified important packages for the Debian/squeeze release
• discussed features that should be available (important packages and bugreports, missing features,…)
• fixed several bugs (wrong exit codes, error handling, variable handling,…)
• discussed FAI packaging for Ubuntu (packages for lucid are available at ppa at launchpad)
• implemented support for grub2 in fai-cd (will be merged soon)
• implemented initial support for retrieving sources with FAI (available in svn’s trunk)

Important decisions made:

• next major release will have version number 4.x
• we want to continue to provide a stable version 3.x (no new features, just bugfixes and maintenance) side-by-side with version 4.x
• deprecated setup-harddisk will be dropped, setup-storage is well established, works fine and is properly maintained by FAI developer Michael Tautschnig (who sadly couldn’t attend the FAI developer meeting)
• a FAQ section will be created on the FAI homepage

We noticed that many FAI users implement their own way how to handle dependency management between classes, we will re-consider how we could provide such a mechanism through FAI’s core. We also noted that it’s important that any self-written scripts used within FAI are fully idempotent and users should be aware of this.

Last but not least – many thanks to the sponsors of the FAI developer workshop 07/2010! The workshop wouldn’t have been possible without our generous sponsors, namely being:

• Debian
• Linuxhotel
• Linux Information Systems AG
• Netways
• Spotify
• Thomas-Krenn.AG

From 2nd to 4th of July 2010 the FAI developer workshop will take place at the Linuxhotel in Essen/Germany. FAI? FAI is the abbreviation for Fully Automatic Installation. It’s a non-interactive system to install, customize and manage Linux systems and software configurations on computers as well as virtual machines and chroot environments, from small networks to large-scale infrastructures and clusters.

As the name states the workshop is targeted towards FAI developers. We – the FAI developers – want to get FAI into shape for squeeze, discuss pending issues like Ubuntu packaging, release management and of course meet in real life for networking and socializing. Our rough roadmap for the FAI weekend looks like this:

Friday:

• Setup of the network
• Introduction round, hello to everybody
• Define things that need to be worked on with high priority for the squeeze release
• Start of work

Saturday:

• Work on things for squeeze release
• Discussion: Features for squeeze
• Read access from /dev/beer

Sunday:

• Work on things for squeeze release
• Final round: What did we manage to do this weekend

Further details are available in the FAI wiki at http://faiwiki.informatik.uni-koeln.de/index.php/DeveloperWorkshopJuly2010.

The meeting wouldn’t be possible without sponsors – so special thanks to:

• Debian
• Linuxhotel
• Netways
• Spotify

If you are interested in sponsoring the FAI Developer Workshop as well please contact FAI lead developer Thomas Lange.

Auf den Grazer Linuxtagen und den Linuxwochen Wien habe ich jeweils einen Vortrag über “Grml Live-Linux für Deployment und Desaster-Recovery” gehalten, die Folien zum Vortrag gibts online (PDF – 1,6MB).

I love EtherPad for online collaboration in real-time. By today (14th of April 2010) new pad creation will be disabled at EtherPad.com. Being aware of that in advance and as the EtherPad software was open sourced recently friends of mine and I were working on providing a dedicated EtherPad setup. TitanPad was born!

Quoting our TOS / Privacy Info:

TitanPad was launched to provide an EtherPad setup which is unrelated to any commercial and political entities. Its goal is to offer a stable service through proper operating.
[…]

Now TitanPad is officially up and running and you’re free to use it for online collaboration. Feel free to drop your feedback, questions and suggestions to our team via mail to support (at) titanpad.com.

Fsck you, FIP.

I’m working for a customer who’s using IBM blades. Remote access isn’t limited to e.g. SoL but also possible through a Remote Console feature using a Java applet.

After migrating one of my 32bit systems to a fresh 64bit system I suddenly couldn’t use this Remote Console feature any longer. The error message was (leaving it for search engines and help other affected users):

load: class vnc.VncViewer.class not found.
java.lang.ClassNotFoundException: vnc.VncViewer.class
	at sun.plugin2.applet.Applet2ClassLoader.findClass(Applet2ClassLoader.java:152)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:303)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:248)
	at sun.plugin2.applet.Plugin2ClassLoader.loadCode(Plugin2ClassLoader.java:447)
	at sun.plugin2.applet.Plugin2Manager.createApplet(Plugin2Manager.java:2880)
	at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Plugin2Manager.java:1397)
	at java.lang.Thread.run(Thread.java:619)
Caused by: java.net.ConnectException: Network is unreachable
	at java.net.PlainSocketImpl.socketConnect(Native Method)
	at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:333)
	at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:195)
	at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:182)
	at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:366)
	at java.net.Socket.connect(Socket.java:525)
	at sun.net.NetworkClient.doConnect(NetworkClient.java:161)
	at sun.net.www.http.HttpClient.openServer(HttpClient.java:394)
	at sun.net.www.http.HttpClient.openServer(HttpClient.java:529)
	at sun.net.www.http.HttpClient.<init>(HttpClient.java:233)
	at sun.net.www.http.HttpClient.New(HttpClient.java:306)
	at sun.net.www.http.HttpClient.New(HttpClient.java:323)
	at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(HttpURLConnection.java:860)
	at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:801)
	at sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:726)
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1049)
	at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:373)
	at sun.plugin2.applet.Applet2ClassLoader.getBytes(Applet2ClassLoader.java:458)
	at sun.plugin2.applet.Applet2ClassLoader.access$000(Applet2ClassLoader.java:46)
	at sun.plugin2.applet.Applet2ClassLoader$1.run(Applet2ClassLoader.java:126)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.plugin2.applet.Applet2ClassLoader.findClass(Applet2ClassLoader.java:123)
	... 6 more
Exception: java.lang.ClassNotFoundException: vnc.VncViewer.class

The error message might not be obvious at a glance and that’s why I’m writing about it actually. It’s NOT the:

load: class vnc.VncViewer.class not found.

why it’s failing but instead the real reason for the failure is the:

java.net.ConnectException: Network is unreachable

As you can read in Debian’s Bug Tracking System in bug #560044:

Netbase has recently introduced the sysctl-setting
net.ipv6.bindv6only=1 in /etc/sysctl.d/bindv6only.conf and this setting will probably be the default in squeeze.

This setting breaks networking in java, and any traffic will always
result in a “java.net.SocketException: Network is unreachable”.

To quote /etc/sysctl.d/bindv6only.conf:

When disabled, IPv6 sockets will also be able to send and receive IPv4 traffic with addresses in the form ::ffff:192.0.2.1 and daemons listening on IPv6 sockets will also accept IPv4 connections.

When IPV6_V6ONLY is enabled, daemons interested in both IPv4 and IPv6 connections must open two listening sockets.

To work around this issue you can either execute the Java process through "java -Djava.net.preferIPv4Stack=true" or to change the IPv6 behaviour system wide execute "sysctl -w net.ipv6.bindv6only=0". To make this setting permanent across reboots adjust the setting inside /etc/sysctl.d/bindv6only.conf. After applying this workaround the Remote Console should work again.

void die_if_kernel(char *str, struct pt_regs *regs)
{
        static int die_counter;
        int count = 0;

        /* Amuse the user. */
        printk(
"              \\|/ ____ \\|/\n"
"              \"@'/ .. \\`@\"\n"
"              /_| \\__/ |_\\\n"
"                 \\__U_/\n");

  — arch/sparc/kernel/traps_64.c

Just booked my ticket for DebConf10. See you in New York.

Via flo:

Wir möchten Euch auf eine Veranstaltung am 20. März 2010 im Medienkunstlabor Graz (im Kunsthaus) hinweisen:
Blender 3D UserDay 2010

Weitere Informationen auf www.blenderusers.at.

Die Grazer Linuxtage (GLT) finden heuer am Samstag, dem 24. April 2010 auf der FH Joanneum statt.

Wir – das Organisationsteam der GLT – suchen auch heuer wieder gute Vorträge. Vor Kurzem ist Call for Lectures online gegangen. Du willst deine Software unter die Leute bringen? Es gibt ein gutes Projekt das unbedingt vorgestellt gehört? Dann halte doch einen Vortrag auf den GLT 2010! Es muss übrigens nicht zwingend mit Linux zusammenhängen, die Grazer LinuxTage sind bekannt für ein breit gefasstes Programm: Community, Internet/Netzwerke, Software-Entwicklung, Programmiersprachen, Projektmanagement im Open Source-Umfeld, andere freie Betriebssystem,… zählen ebenso zu den gern gesehenen Themen.

Projekt-Stände sind natürlich auch wieder vorgesehen. Interessenten mögen sich bitte via Call for Projects melden.

Ich hoffe man sieht sich auf den Grazer Linuxtagen 2010!

If you ever notice a device like that on your Linux system:

# fdisk -l
Disk /dev/sda: 8 MB, 8388608 bytes
8 heads, 32 sectors/track, 64 cylinders
Units = cylinders of 256 * 512 = 131072 bytes

Disk /dev/sda doesn't contain a valid partition table

… then the scsi_debug kernel driver is present. To get rid of the device either unload the driver or (if e.g. statically compiled into the kernel) use sysfs, like:

# echo -1 > /sys/bus/pseudo/drivers/scsi_debug/add_host

Further details available at http://sg.danny.cz/sg/sdebug26.html.

Distrowatch, Heise, Pro-Linux, Symlink, Golem & CO already have the news: a new version of the Debian based Live system for system administrators has been released: Grml 2009.10 – Codename ‘Hello-Wien‘.

One visible new feature is the new bootsplash which should lead you through the most important boot options. The new release features kernel 2.6.31.5 with various patches and extra modules. We’ve an automatic hostname configuration via DHCP & rDNS, improved network boot capabilities, extensive documentation to Grml’s Z Shell features and configuration, support for GRUB2 and directory-specific Z Shell configuration. Amongst the new software packages are Google’s stressapptest, btrfs-tools and guymager.

A full changelog and release notes can be found at http://grml.org/changelogs/README-grml-2009.10/.

As always, images for 32 bit and 64 bit x86 architectures are provided in the sizes grml (~700 MiB), medium (~200 MiB) and small (~100 MiB). They can be downloaded via HTTP, FTP, rsync and Bittorrent.

Thanks to all the contributors for being part of this rocking release!

Was: Vortrag “Sichere Kommunikation mit Quanten”
Wer: Dr. Christian Monyk, Leiter des Geschäftsfeldes Quantentechnologie (Austrian Institute of Technology GmbH)
Wann: Donnerstag, 22. Oktober 2009, 18:30 Uhr
Wo: TU Graz, Kopernikusgasse 24 (8010 Graz), im Hörsaal E (1. Stock)

Nähere Informationen unter: http://www.ove.at/akademie/details.php?ID=1043

Die Teilnahme ist kostenlos um Anmeldung wird jedoch gebeten.

Live-initramfs is a fork of Ubuntu’s casper for use within Debian. Nowadays several Debian based live systems are using live-initramfs to build an initramfs suited to boot live systems. Besides debian-live and all its users that’s at least Grml (and its derivates) and FAI.

I’m maintaining live-initramfs for Grml – so I know the limitations of live-initramfs. Yes, it has some design flaws but upstream finally decided to take the time to redesign it. That’s why I’m posting this: I would like to see even more Debian based systems adopting live-initramfs (hello Sidux!). This would improve compatibility with regards to similar bootoptions and features as well as better cooperation among the teams. Of course this will be possible only if live-initramfs is capable of handling all the necessary customization and configuration tasks that different live systems require nowadays.

So this are my current considerations regarding the redesign of live-initramfs:

• support all currently available bootoptions (for a clean upgrade path and wide adoption of live-initramfs 2.x)
• provide a possibility to use the rootfs from exactly the device that the kernel/initramfs is booting from (this is especially important if users have several similar systems on their usb drives)
• scan removable devices always before any harddisk devices by default
• provide a bootoption which displays the currently executed code:
  • avoids panic on user’s side if something takes longer than usual, so let’s inform the user instead
  • debugging is essential if anything fails, though:
  • rebuilding the initramfs with set -x isn’t a solution for normal users
• bootoption toram should run some “free memory checks”
• support custom hooks via something like hooks/live-custom (so other distributions don’t have to patch live-initramfs for adding additional stuff)
• consider inclusion of Grml’s patches (at least what you think might be interesting for you)
• split scripts/[live-bottom] into a separate package:
  • provide just the core files for booting in live-initramfs package, move debian-live specific stuff to a separate package
  • but please don’t just drop 23networking for PXE booting
• write messages through a clean interface:
  • so no /dev/console workarounds are necessary to get around the file descriptor hacks
  • support keeping the system completely quiet (for example for bootsplashes)
  • support custom failure messages (debian-live won’t have much fun if they receive distribution specific bugreports)
  • allow customization of the messages so every system can use its own look and feel for the boot messages
• provide status bars wherever possible:
  • when searching for the squashfs file this can take a while (quoting a Grml user: “cdrom -> ie -> activex -> fast ethernet -> OOB -> IDE -> Grml”), so optionally display which device is scanned
  • toram is annoying without any status information (displaying progress is possible e.g. using rsync)

If you’re interested in adopting live-initramfs in your distribution/system feel free to contact me (mika [at] debian.org). If you do have any further wishes for the redesign please let me know so I can forward them to upstream.

• Wer: Adi Shamir (Faculty of Mathematics & Computer Science, The Weizmann Institute of Science)
• Wann: Mittwoch, 16. Sep., 11:00 s.t.
• Wo: TU Graz, Hörsaal I7, Inffeldgasse 25 D, 1. Stock.

Title: Plumbing 101: How to Deal With a Small Cryptographic Leakage

Abstract: In this talk I will formalize the notion of leakage attacks on
iterated cryptosystems, in which the attacker can find (via physical
probing, power measurement, or any other type of side channel) one bit of
information about the intermediate state of the encryption after each
round. Unlike most of the other types of side channel
attacks proposed so far which are very speci fic, the new attack I will
describe can be applied even when the attacker does not know the layout of
the chip, the algorithm used to compute the ciphertext, the hardware and
software countermeasures employed, or even the physical source of the
leaked information he is measuring. In addition, the new attack can
tolerate considerable levels of noise (affecting 10% to 15% of the leaked
bits in practical scenarios). Finally, I will demonstrate the new approach
by describing efficient leakage attacks on two of the best known block
ciphers, AES (requiring about 2^{35} time for full key recovery) and
SERPENT (requiring about 2^{18} time for full key recovery).

Via Jogi:

NCC09 – Netart Community Convention 2009

what the net!

23. bis 29. November 2009 Graz/Austria

Zum insgesamt 5. mal werden sich Ende November 2009 Künstler_innen im
Rahmen der Netart Community Convention in Graz treffen. Die diesjährige
NCC glieder sich in drei Teile: parallel, seriell und virtuell (siehe
Modus Operandi im Wiki).

In den letzten Jahren wurde das Web – eine von unzähligen Anwendungen im
Netz – zum Synonym für das Internet schlechthin. Über weite Strecken
haben die Marketingabteilungen die Definitionsmacht übernommen und
packen mehr und mehr bunten Content in die überforderten Browser.
Die/der Userin nimmt ihren/seinen zugewiesenen Platz im Geschehen ein
und füllt die grossen Portale mit Inhalten, um im Gegenzug
Scheinfreiheit zu gewinnen.

Wir stellen diesem Umstand die Behauptung gegenüber, das wir uns im
Zeitalter des Web 0.2 befinden. Von diesem Punkt aus betrachten wir das
Geschehen und begeben uns auf die Suche nach möglichen weiteren
Entwicklungen. Anstatt uns auf der Oberfläche treiben zu lassen,
beginnen wir, die effektiven Produktionsmittel hinter den Kulissen zum
Thema der Auseinadersetzung zu erklären. Anstatt mit Antworten um uns zu
werfen, werden wir versuchen, passende Fragen zu formulieren.

Aufruf zur Teilnahme

Wir rufen hiermit zu Teilnahme in Form einer der im folgenden
beschriebenen Rollen auf. Konkrete Vorschläge und Ideen können ab sofort
auf der NCC09 Mailingliste und/oder im Wiki eingebracht werden.
Weitere organisatorische und diskursive Dinge werden ebendort
abgehandelt. Für Informationen steht weiters die NCC09 Webseite zur
Verfügung.

Update1 am 9. Juli: DebConf9, YAPC::EU::2009, UKUUG, OpenSourceWorld, Froscon, LinuxCon, Ohio LinuxFest, Kieler Linux Tage, Utah Open Source Conference und FSOSS09 hinzgefügt

Update2 am 13. Juli: Linux-Kongress, OpenSolaris Developer Conference, OpenRheinRuhr, Brandenburger Linux-Infotag und Ubucon nach Hinweisen von Jens Link und Dirk Deimeke hinzugefügt

Update3 am 26. Juli: Datum und Ort vom Linux-Kongress angepasst (Upstream-Change)

Update4 am 7. September: Hinweis auf www.opensourcepress.de/events.php hinzugefügt

Zusätzlich zu den Linux-Events in Österreich gibt es 2009 folgende nennenswerte Open-Source-nahe Veranstaltungen:

• Open Source Meets Business: 27. bis 29. Januar 2009 in Nürnberg
• FOSDEM: 7. und 8. Februar in Brüssel/Belgien
• CeBIT Open Source: 3. bis 8. März in Hannover
• GUUG-Frühjahrsfachgespräch 2009: 10. bis 13. März in Karlsruhe
• Chemnitzer Linuxtage: 14. und 15. März in Chemnitz
• OSDC 2009: 29. und 30. April in Nürnberg (als Vortragender bin ich Fixstarter)
• LinuxTag: 24. bis 27. Juni in Berlin
• OSCON 2009: 20. bis 24. Juli in San Jose/CA
• DebConf9: 23. bis 30. Juli in Extremadura/Spanien
• YAPC::EU::2009: 3. bis 5. August in Lisbon, Portugal
• UKUUG: 7. bis 9. August in Birmingham/England
• OpenSourceWorld: 12. und 13. August in San Francisco/CA
• Froscon: 22. und 23.08.2009 in Sankt Augustin (ich bin mit einem Vortrag und grml-Stand Fixstarter)
• LinuxCon: 21. bis 23. September in Portland/OR
• OpenSolaris Developer Conference: 23. bis 25. September in Hamburg
• Linux Plumbers Conference: 23. bis 25 September 2009 Portland/Oregon
• Ohio LinuxFest 2009: 25. und 26. September in Columbus/Ohio
• Kieler Linux und Open Source Tage: 2. und 3. Oktober in Kiel
• Utah Open Source Conference: 8. bis 10. Oktober in Sandy/Utah
• Ubucon 2009: 16. bis 18. Oktober in Göttingen
• Linux-Kongress 2009: 27. bis 30. Oktober in Dresden
• Free Software and Open Source Symposium 2009: 29. und 30. Oktober in Seneca@York Campus/Toronto
• OpenRheinRuhr: 7. und 8. November im Saalbau Bottrop
• Brandenburger Linux-Infotag 2009: 21. November in Potsdam/Brandenburg

Siehe auch technology-events.blogspot.com, IBM – Events – OpenSource, linux-magazin.de/events und Open Source Event Kalender.

Call for Papers für LinuxDay in Dornbirn/Vorarlberg (28. November 2009 ) und für das Linuxwochenende 2009 in Wien (24./25. Oktober 2009) sind gerade gestartet. Ich habe beide Events mal in meinem Terminkalender eingetragen und plane teilzunehmen.