Diary of a geek

December 2005

Andrew Pollock



Saturday, 31 December 2005

2005: The year in review

2005 is the first year I've blogged from start to finish, so it is interesting to go through and reflect on what has happened. It's certainly been an eventful year.

Executive summary: got engaged, got married, got a job with Google, moved to the US. Did a whole lot of other mainly geeky things in between.

January
  • Moved from living in an old rundown share house in Ainslie to a townhouse in Watson, without the flat mate
  • Started getting my teeth into work at my new job
  • Took Sarah to the ER with chest pains, after having had them on and off over Christmas
February
  • Proposed to Sarah
  • My blog got syndicated on Planet Linux Australia
  • Wrote my blog post about mitigating SSH brute force attacks using Netfilter's recent module. Still get a lot of search traffic from that today
  • Went camping at Jervis Bay, managed to hit a kangaroo on the way, had a rather traumatic time trying to euthanize it
  • Decided to continue studying at Uni part-time in conjunction with full-time work (masochistic, huh?)
March
  • Made changelogs.debian.net a whole lot spankier
  • Had a moderately unsuccessful time turning an old laptop with a dead hard drive into a diskless server with an NFS root filesystem. (I really must get around to trying again doing ATA over Ethernet)
  • Bought a QFE card, after much vying on eBay, which is still sitting in a drawer unused
  • Discovered how to make my laptop suspend
  • Completed a Saint John Ambulance Senior First Aid course
April
  • linux.conf.au happened, and I helped make it happen
  • Interesting side-effect of the above was that I got asked to apply for a job at Google
  • I had fun with a cylinder of surplus helium
  • Sarah is advised to discontinue triathlons because of a possible heart condition
May
  • My oldest friends separate, and it looks like they're going to get divorced
  • Sarah had her car broken into in the driveway and her purse was stolen
  • I get into a panic about passing Uni and really knuckle down
  • I discover a little too late that I've missed marking my ten thousandth day since birth
  • I organised a dinner meeting of Canberra Perl Mongers, which is a largely dormant group
  • We got a new cat
  • I hit two years as a Debian developer
  • I joined the Linux Australia sysadmin team
June
  • We decide to bring forward our wedding from April 2006 to July 2005, "just in case" the Google thing comes off
  • caesar, the box I use as my gateway blew up and got replaced with something gruntier
  • I got into discussions with University House about doing a wireless LAN setup for them for their guests
  • Started work on a box for Linux Australia that would host a few User Mode Linux instances for various things
July
  • My old Rover crew turned 20
  • We discovered the Tea Centre, and the wonders of different varieties of leaf tea
  • I scraped through first semester at Uni
  • I decided to upgrade daedalus and ordered a new box
  • Michael and I went to the US for face to face interviews with Google
  • Started semester 2 at Uni
  • Started migrating services to the new daedalus
  • Sarah and I were married
August
  • Google makes me a job offer
  • I ordered myself a new laptop
  • My car tyres got slashed while I was at Uni
  • Uni all got a bit much, and I decided to drop out
  • I got a 1 gig USB key
  • I had some fun with LVM snapshotting
September
  • Video card in my desktop blew up
  • I return to working in the office, and have a crack at catching the bus because of heinous petrol prices
  • I built Linux Australia's content mirroring box
  • The cat vomits one time too many and gets a new diet
  • We went and saw the Warehouse Circus' most excellent BAM! production
October
  • I ascended Mount Tennant with Rick
  • Sarah and I went and checked out the Tumut 3 power station
  • Sarah got her wisdom teeth out
  • I had some more fun with LVM and data migration
  • I had even more fun with LVM snapshots
  • We finally got our visas for the US
  • I quit my job
  • We bought a new dining table
  • We bought an iPaq and a bluetooth GPS and some navigation software
  • We bought a new digital camera
  • Canberra Perl Mongers had another dinner meeting
November
  • I finished up at Cybertrust
  • I went to the US
  • Sarah went to Singapore for a holiday with some of her relatives
  • I started at Google
December
  • Sarah arrived in the US from Singapore
  • We found somewhere more permanent to live
  • We bought new mountain bikes
  • All our stuff arrived from Australia

[10:39] [life] [permalink]

Thursday, 29 December 2005

Second stack

I had another cleat-related incident on the way home tonight. I thought I'd unclicked my left foot when I came to cross the road, but apparently hadn't, and I'd already rocked towards the left and was well and truly leaning that way before it became evident that my leg was still anchored to the pedal.

I fell pretty heavily on my left wrist, and it made a nasty crunching sound. Doesn't appear to be broken though, just sprained I guess.

On inspection of my left shoe when I made it home, it would seem that one of the bolts that holds the cleat to the shoe has come loose and disappeared. So when I turned my foot sideways, the cleat rotated on the other bolt, and didn't release properly, whereas I thought it had released by virtue of the fact that my foot moved sideways.

Just as well it's forecast to rain tomorrow. Don't feel much like riding at the moment.

[23:21] [life/mtb] [permalink]

Tuesday, 27 December 2005

Back online

Our DSL modem finally arrived today. Well, it kind of involved accosting the UPS guy in an adjacent street whilst walking back home from 7-Eleven acquiring ice cream, but hey, we got the thing in the end.

I went with Sonic on advice from guys from work, and I have to say I've been totally impressed with their customer service to date. Today I got an email from them because I'd reached my activation date, but they hadn't seen any ADSL traffic from me yet, and they just wanted to check that everything was okay.

We had a free dialup account for use while we waited for the ADSL to be provisioned (and the delay was with receiving the modem over the holiday season, not the ADSL provisioning itself). Also, their account management website allows an impressive amount of self-control over aspects such as spam filtering and firewalling. I'm a very satisfied customer so far.

[22:25] [life] [permalink]

Sunday, 25 December 2005

First Christmas abroad

(I love the term "abroad". It sounds so English.)

Well that happened. We had Michael and another Andrew from work who started two weeks before us and his wife come over for what Michael was calling "linner" (the inverse of "brunch"). Sarah cooked up an absolute storm. We had roast turkey, roast potato, pumpkin and sweet potato, steamed broccoli, cauliflower and asparagus, and Yorkshire puddings. We had so many types of gravy we completely forgot about the cranberry sauce.

Michael managed to track down a plum pudding (this country seems obsessed with pumpkin pie) and we had something approximating custard (something else this country doesn't seem to do) with it.

A very good feast was had by all, and six hours later we were done. Back to unpacking boxes.

Brought to you by some kind neighbour's open access point.

[20:39] [life] [permalink]

Thursday, 22 December 2005

Fun Christmas present

Our sea freight is being delivered on Christmas Eve. No prize for guessing what we're going to be doing on Christmas Day...

[16:19] [life] [permalink]

Google Reader saves my sanity

I've been relying on just Planet for reading blogs. I mainly read just Planet Debian and Planet Linux Australia, with a shortlist of other friends' blogs that used to be read via my own Planet instance, which is currently in a shipping container somewhere.

This of course sucks in two ways: if you don't keep up, articles fall off the bottom and are gone forever, and you have to mentally keep track of what you've already read.

So the next choice is a feed-reader like Liferea, but this then sucks in different ways: it's tied to the computer you run it on, and posts that have been previously read often seem to come back as new. I get this every time I refresh Planet Linux Australia. Drives me mad.

So what I really want is a way of being able to centrally store what I've read, regardless of where I am, and what computer I'm using. Enter Google Reader.

It has a nice clean interface, it's Ajaxed up the wazoo, and Just Works™. My only (minor) beefs are that it doesn't seem to allow you to mark posts as read or unread, and that it always wants to have the current article second from the top in the list. Other than that, the UI is very clean and simple (and even uses vi keys). Added bonus is that if any other user is already subscribed to the feed, you get all the historical articles for free, which in the case of the Planets, goes back a lot further than the feed currently provides.

Ideally I'd like something like this, that I can run on my own server, because I like keeping everything in the family. In the meantime, this is a suitable alternative. Getting all the back-articles is a bonus well worth it.

Full disclosure: I work for Google, but that's what's making me look for a more efficient method to read blogs.

[11:10] [tech] [permalink]

The Chronicles of Narnia

Last night, Sarah and I went to see The Chronicles of Narnia: The Lion, the Witch and the Wardrobe.

I quite enjoyed it. It's been years since I've seen either the animated version (I think I've seen that at least twice, and I can't believe it was from 1979, that makes me feel so old) or the BBC TV mini-series (I think I saw that once), or read the books, so I couldn't remember the story very well at all, so it was great having a two hour long memory jog. It seemed very faithful to my memory of the original story.

Acting-wise, I thought the actors that played Edmund and Lucy did a particularly good job. I was initially a bit down on the choice of making Queen Jadis/The White Witch so young, but that turned out pretty good nonetheless. The voice of Aslan was a good pick.

My main beef was that the violence was too sanitised. I feel strange saying that, but up until the big battle scene, they went out of their way to make it all pretty tame and bloodless. There were also a couple of scenes that were very obviously shot in front of a blue or green screen. This movie had the potential to be Lord of the Rings material, but I think it fell down a bit, only on a few small things. The Lord of the Rings was as violent as it needed to be, without going into Day of the Dead territory, for example.

Very good, but not great. I hope they do the rest of the books though. Oh, and I really think all these people who are trying to draw all these Biblical connections are really reaching.

[10:55] [life] [permalink]

Wednesday, 21 December 2005

On mobility

Andrew Reid is now truly mobile.

I achieved something approaching mobility Zen, where I could use my Sony Ericsson T630's GPRS connection via Bluetooth from my PowerBook and my iPaq.

And then I left the country.

Bit of a bugger that.

[12:48] [life] [permalink]

On orthokeratology

Rob Thomson writes that he's going to give ortho-k a shot.

I used it for a number of years, and recommend it to anyone who wants to try it as an alternative to laser surgery. My experience of it was that there was a bit of trial-and-error getting the parameters for the contact lenses right, but after that, it was all good. The feeling of independence was enormous. I took up outdoor rock climbing. The ophthalmologist said that for some people they could get away with sleeping in them for one night in three, but I found I needed to sleep with them in every night to get good results.

Towards the end, I started to become dissatisfied with my vision quality, and I'd moved to Canberra, and so was seeing a different optometrist to the one in Brisbane (who incidentally seemed to be a bit of a pioneer in the field). I couldn't decide whether to get a new set of lenses made with the same parameters as the old ones, or go through the expense and trial-and-error nature of getting refitted again. Then one of my lenses broke at the 2004 linux.conf.au so I went back to wearing spectacles for a while.

I was going through my phase of wanting to get into the Queensland Police, so I decided to get laser surgery, discovering later that day that they won't accept candidates until 12 months afterwards in case their eyeballs spontaneously vaporise or something.

In summary, I can recommend ortho-k as a non-invasive alternative to laser surgery, but its downsides are pretty much those of wearing contact lenses. Camping was one thing that was a bit trickier and more inconvenient. Having really goopy eyes in the morning was another.

[12:44] [opinion] [permalink]

Tuesday, 20 December 2005

Riding to work

Got the new mountain bike last night. Very exciting. Also got clipless pedals, and shoes with cleats.

This morning, Michael and I rode in. It took about 30 minutes, and I only stacked it (because of the cleats) once. Michael's gory details here. Another 19 rides in, and they'll give me a free permanent locker.

Have I mentioned I'm loving life lately?

[09:39] [life] [permalink]

Saturday, 17 December 2005

Four weeks

I've still been extremely busy. Unlike my last fairly incoherent brain dump, this time I've been keeping notes on the things I wanted to write about, so hopefully I won't forget things.

Here we go...

Squirrels
Squirrels are absolutely everywhere. They're very fast and very cute. They're kind of like possums, except diurnal. They run up trees with ease, and leap from tree to tree. It's quite cool to watch them. The damn things don't stand still long enough to be photographed (properly), and they don't let you get too close without scampering up a tree or running off. I'm told they're the number one carrier of rabies, so I shouldn't be trying to get too close anyway.
Sales tax
Definitely one of the more annoying aspects of consumer life is the fact that prices quoted are not inclusive of sales tax. This means you always need to part with more cash than you expect. Furthermore, there are some places (some fast-food outlets) that do quote the prices inclusive of tax, so it's really hard to know what you're in for.
Speed limits
I find speed limit signs to be either infrequent or harder to notice, or a combination of both. They're just a black text on white background sign. I'm used to them having the red circle. That said, no one seems to drive at the speed limit anyway.
Ethnicity
Canberra's a very white town compared to say Sydney, but I reckon at least the San Jose area of California blows the socks off what I've seen of Sydney for multiculturalism. You really notice it over here. I've been at the mall in Milpitas, and you can play "spot the white European" (a variation of "spot the Caucasian").
Different responses to thankyou
I think the fairly standard response to saying thanks that I'm used to is "You're welcome". Over here, you get "mm hmm" a lot, which is just strange.
Fractions vs decimal
They love their fractions. Petrol gets quoted at 221 9/10, which took me a while to realise was 221.9 cents per gallon.
Alcoholic beverage labelling
Australia has the concept of a "standard drink". I remember as a kid the advertising campaign "rethink your third drink" (or for women, "rethink your second drink"). The idea being that men could drink two standard drinks in the first hour, and then one standard drink every hour after that, and be at 0.05% blood alcohol, which is the legal limit for Australia. And every bottled alcoholic drink is labelled with how many standard drinks it is. An average beer is about 1.2 standard drinks for example. No such labelling over here. You get the percentage of alcohol per volume, and that is it, which makes self-regulating very difficult. The limit is apparently 0.08%, but I don't think I want to be driving around on the wrong side of the road at that level (or any level really).
Christmas vs "Holidays"
Everyone and every piece of advertising goes on about the "Holidays". Retail people are always wishing us "Happy Holidays" instead of "Merry Christmas". I think this is because there's a large chunk of people who don't necessarily celebrate Christmas.
Tipping
I haven't really come across tipping in everyday life as much as I'd expected, but when I think about it a bit, I'm at work most of the time, so that's probably why. The general rule seems to be to tip "double the tax", so for a bill at a restaurant, or where you get personal service, such as a haircut, you tip. But you don't tip at McDonald's, nor Subway (where I would have expected you would).

That's about all my current observations on living over here.

Tomorrow we get our townhouse in Central Park. Our air-freight was finally delivered today. (What was supposed to take about 8 days took 4 weeks). Not sure when we can expect our sea freight at this stage.

We bought a couple of mountain bikes last weekend, and if the weather is okay tomorrow, we'll pick them up and ride them home. We've found a really nice off road (as in not shared with cars) bike path, which runs close to home all the way to work. I'm really keen to roller blade to work if it's feasible, and also to cycle in.

I'm a bit disappointed to discover after we've been accepted for the place that we're right on top of a toxic waste dump (or something like that). If I grow a second head, you'll know why.

The other piece of exciting news is that the bank sent me a debit card, when they'd previously told me they wouldn't until I had a Social Security number (still no sign of that yet). This thing (the debit card) is freaking weird. It's Mastercard branded, and in some places you use it like you'd use a debit card for EFTPOS back home. You swipe, enter your PIN and that's it. In other cases, you swipe and sign a bit of paper like a credit card transaction. In either case, money is sucked out of our checking account.

The scary thing is that no one seems to check signatures in this country, and a lot of places will accept credit card payments electronically (like petrol stations where you just swipe the card at the bowser and enter the ZIP code of your billing address and that's it). Oh, and I can use this thing like a credit card for Internet purchases. What bothers me is that the level of authentication is so low, but it's sucking actual money out of our checking account, so with all the credit card fraud around, it's relatively trivial to draw actual money out of a bank account, as opposed to using someone's credit. That said, I just got the card today, and since then, it's made shopping so much easier. It's amazing how many places won't accept a foreign credit card, and I was a big user of EFTPOS back home, and this ability to use a debit card like a credit card means I can essentially continue in that habit. I wasn't looking forward to carrying lots of cash or having to use cheques.

[23:43] [life/americania] [permalink]

I hate being too busy

There's been some sort of release of Demi, and I haven't had anything to do with it, other than request a Subversion repository for the Alioth project...

Blah.

[07:26] [debian] [permalink]

Sunday, 11 December 2005

You know you're working in a fantasy land when...

You say to your wife "Bleh. I won't need any money this week. The only thing I'd need money for is tipping the masseuse if I get around to booking a free massage".

[17:42] [work] [permalink]

Friday, 09 December 2005

Three weeks

I've been so busy, I haven't had time to blog. Rather than putting it off any longer, I'll just dump what I can remember.

Last Wednesday, Sarah arrived after her holiday in Singapore, and from all accounts, had a great time. Photos as well.

Sticking with the whirlwind theme, the next day, we had a "building warming" party at work for the new building we'd moved into the week before Michael and I started. The next night we had the work Christmas party, which blew the socks off any work Christmas party I'd ever been to before, and then on Saturday night we went to a party in San Francisco that we'd been invited to.

On a life in general front, I'm still waiting for a Social Security number. The lack of one makes life a bit difficult for a lot of things. It also turns out that Sarah's work permit will take about 90 days to approve, so she's going to be a lady of leisure for the next few months.

I've finally been issued with a work mobile phone (or "cell phone" as they call them), and so can stop roaming and paying through the nose for the privilege.

We've found somewhere to live. We take possession of a 2 bedroom townhouse (split-level) in a complex in Mountain View that is 3 miles from work on the 18th. The rent is $1725 a month, which is a bit better than we were expecting. The complex we're renting in does have shared laundries, which we weren't too keen on before getting over here, but they're quite modern and secure, and there's a laundry block close to our townhouse, so hopefully it won't be too bad. The whole place had been renovated about 5 years ago, so it's all in good condition. We could have rented a 3 bedroom apartment (single level) in the same complex for about $125 a month more, but we're trying to actually make some money while we're over here...

Driving on the other side of the road becomes fairly "normal" after about a week of doing it regularly. Sarah's adapted fine. Lane placement is the hardest thing, because your body's used to being in a certain spot on the road, and it's all different sitting on the other side of the car.

We've managed to open a rudimentary bank account, even with my lack of Social Security number. Unfortunately I can't get paid until I have an SSN. Upside of that is that if it doesn't happen until next year, I presumably won't have to worry about income tax for this US financial year. Downside is kind of obvious...

By far one of the stranger things of everyday life here is the lighting situation in the average residence. Lamps are all the rage, to the point that light switches don't exist in some rooms (notably bedrooms). Take where we're currently living for example. There's a light switch at the bottom of the stairs, there's one at the top. There's a bank of four in the living room, two of which control lights in the kitchen, and one the hallway. The last one controls a lamp in the corner of the living room, which is connected to a power socket (or power point as we'd call it).

The bedroom with the attached bathroom (en suite) has two bedside lamps, and that is the sole source of light. The bathroom attached has light switches, and the walk-in robe has a light switch. It's so weird. So walking into a darkened bedroom involves walking all the way in, and fumbling around with a lamp. It's often easier to turn on the light in the wardrobe so you can see what you're doing first. I can't think of any reason for it, except tradition. It's not like they're avoiding wiring the walls or the ceiling, because it's done partially already. The bedroom has a ceiling fan, but where in Australia, there'd be a knob on the wall near the light switch to control it, it has a little chain you yank on. To add to the strangeness, there are two switches on the wall, one of which seems to allow you to turn off the ceiling fan if it's already been switched on by pulling the chain.

The townhouse we're renting has a similar lamp dependency, so we're going to be making a trip to Ikea for some lamps it would seem.

That's about everything I can recollect right now... Oh, I should point out that I'm really loving it over here.

[21:55] [life/americania] [permalink]

Tuesday, 29 November 2005

Australian to American translation #3

  • Pepsi Max: Pepsi One
  • jumper: sweater
  • petticoat: jumper (many sniggers when you refer to "putting on your jumper")
  • entree: appetizer
  • main course: entree (ordering entree-sized dishes will not have the desired result)

[23:13] [life/americania] [permalink]

Thursday, 24 November 2005

My E-3 visa experiences

I've already fielded enquiries from two people who have found my blog via Google, and given the 10,500 visas a year being issued, there's only going to be more, so in the interests of not spending too much time answering questions individually, I'm going to write a detailed account of things.

Disclaimer:

This article is not a replacement for doing your own homework. I expressly disclaim any responsibility for you getting your visa application denied, being cavity searched when you attempt to enter the US, or being sent to Guantanamo Bay. In particular, this information is subject to change, and as I'm not applying for a new visa every day, I'm not going to know about the changes. If you find something here that is blatantly wrong, or out of date, please let me know, but at the moment, I'm writing about my experiences. I'm undecided about maintaining a website devoted to capturing the state of the art in E-3 visa applications. If in doubt, spend the money (and I do mean spend, it's not a cheap phone call) and call the information line - 1902 941 641 - to speak to a human being, and ask all the questions.

Resources

What's the process?

Your potential employer (sponsor) needs to file a Labor Condition Application (see the form here). At present, this form hasn't been brought up to date with respect to E-3 visas, it's the same form used for H1-B visas. Your employer needs to have written at the top of each page "E-3 - Australia - to be processed". This bit of handwriting is apparently key.

You need to have the signed LCA in your hot little hand before you roll up at the US Consulate to apply for your visa. As for how long these take to be processed by the Department of Labor, the FAQ says a week for postal applications. From my experience, and the experience of a couple of other people I've spoken to, it takes anything up to about four weeks. Generally speaking, you do not have to concern yourself with the LCA process, unless for some reason, you're sweating on the LCA so you can apply for your visa. My personal opinion is that the whole process is so long, bureaucratic and unpredictable, that you really don't want to be making any firm plans based on any assumptions on when you think anything is going to happen. Start your planning from when you have been issued your visa, not when you expect you will be issued your visa.

Once the LCA has been issued, your sponsor will send it to you along with a wad of paperwork, most of which you just take with you to the consulate. You can make an appointment online. Paperwork-wise, you need to take a completed DS-156 and a DS-157 if you are male between 16 and 45. These forms are available here. You can make an appointment online, the links to make an appointment at each of the US Consulates are also here. I found that the lead time to an appointment was around a month, so if you know the LCA application has been made, you can probably make the booking at the Consulate, so as to try and parallelise things a little bit.

What do you need to take to the interview?

You need to take your completed DS-156 and DS-157 forms. You need one for each person. So if you are the principal (i.e. the person being hired), you need a DS-156 for yourself, and your spouse, and whichever of you is male needs a DS-157. Bring the sponsor's offer letter too.

You need a receipt for a non-refundable visa application fee. You need one receipt per person applying for a visa. You get these receipts by paying $130 per person at any Australia Post outlet.

As the visa is non-immigrant, you need to be able to show some sort of ongoing connection with Australia. If you own property here, and are planning to continue owning it while in the US, bring a rates notice. I don't know what else is useful to demonstrate an ongoing connection.

Also bring a bank statement, as you need to demonstrate an ability to support yourself while in the US.

Bring birth certificates and marriage certificates. Also bring a copy of your University transcript, and any assessments that your employer may have had done that state that you hold the equivalent of a US degree. I'm not sure how hard and fast the whole degree thing is. I have an incomplete degree and about 10 years of work experience. This was sufficient. I don't know how you'd go with absolutely no degree and lots of work experience.

Finally, you need to bring two US-sized passport photos. These are 5cm x 5cm, which are not what your average passport photo is like if you go somewhere and ask for a passport photo.

Processing takes about 3 days, although you get an indication on the day as to whether you are successful or not. If you don't want to come back to collect your passport with the visa in it, you need to leave sufficient stamped, self-addressed envelopes so that the Consulate can mail the passports back to you. It's a bit hazy as to what constitutes 3 days, but assume 3 full working days, plus whatever time it takes for the postage, so up to 5 working days.

Good luck with your visa application. Let me know how it goes, and if this has been of assistance.

[12:42] [life] [permalink]

Priceless


My blog is worth $11,855.34.
How much is your blog worth?

[10:33] [meme] [permalink]

Monday, 21 November 2005

Accidentally good choice of start date

We seem to have conveniently and unintentionally chosen a good week to start. Thursday is Thanksgiving, and a holiday, and Friday is as well, so three day week.

Talk about easing into things.

[22:53] [work] [permalink]

My kingdom for a bayonet light bulb

So, they're obviously very proud of the fact that Thomas Edison invented the light bulb, as they're all Edison Screw over here. Nary a bayonet to be found anywhere. Difference illustrated here.

On Sunday we went to Home Depot (the one we walked into at Milpitas could have been Bunnings at Fyshwick if it were green instead of orange), and when I asked someone about light bulbs with bayonet fittings, he made noises about auto shops and stuff, which suggests that they just don't do house lighting with them at all.

Why do I want a bayonet light bulb so badly? I have a lamp that was made by my late grandfather, which is one of the few non-dual voltage items I didn't jettison (probably the only one actually), and I was rather keen to actually use it. I don't expect the bulb that was in it to survive the shipping process, and even if it did, if it didn't instantly blow up at 110V, I suspect it would be a bit dim.

If anyone knows of any bayonet-to-edison adapters, please let me know.

Update:

Google is my friend

[22:16] [life/americania] [permalink]

Australian to American translation #2

  • ta: thank you
  • manchester: sheets and towels and things of that ilk

[21:39] [life/americania] [permalink]

First day

My brain is full. I wonder if cranium extensions are covered by health insurance over here?

All I will say is that it is so cool, and that they have their induction process down pat, and the breadth and depth of their internal corporate intranet is nothing short of that of the Grand Canyon.

I am indeed feeling lucky.

That is all.

[21:20] [work] [permalink]

Saturday, 19 November 2005

Debian saves the day again

I'm already over punching in over thirty numbers to call people back home with the prepaid phone card I've bought, so I did a quick apt-cache search dtmf, happened upon dtmfdial, and in five minutes had a quick and dirty shell script making my laptop do all the button pushing for me. So as to not drive anyone in earshot insane, I just hold the cordless phone's microphone to my headphones.

Of course, if the phone had a speed dial, all this would be unnecessary.

[23:46] [geek] [permalink]

Australian to American translation #1

(Despite what I said, I'm still going to feed this to Planet Debian as I've actually had one person ask me not to stop)

feature wall: accent wall
ensuite: confused look from apartment leasing salesman (Australian for the bathroom attached to the master bedroom)

[22:42] [life/americania] [permalink]

Hello America!

Where do I start? It's been an eventful couple of days...

The flight to LA was uneventful. Qantas is certainly orders of magnitude more pleasant to fly with than United, even though we were seated in a bulkhead area. I had a 13-month old baby seated next to me (no, Mikal was on the other side), and he was about as well behaved as you could possibly ask a 13-month old baby to behave. Mikal also behaved himself. I had the intention of trying to get something approximating 8 hours sleep, as we arrived at LAX at 7am local time, but I only managed about 4 hours. I did spend about 8 hours with a mask on and my brain in idle, so I arrived at LAX being mostly coherent.

Entering the US via LAX was a much less traumatic experience than I was expecting. The E-3 visa was accepted fine, and I now have an I-94 stapled into my passport. Quarantine involved getting looked up and down by a guy in a booth, who waved me through.

We had 3 hours to spare (or about 2 by the time we cleared all the immigration/customs queues) and then hopped on a 50 minute American Airlines flight to San Francisco, hired a car and drove to Santa Clara.

The accommodation we're staying in for a month is very spiffy indeed. It's a largish gated community of units. Mine's got a ground floor entry, but everything else (except the garage) is upstairs. When Sarah gets here, we'll put up some photos. The weather is lovely as well.

Our first outing was to the Social Security office to attempt to get social security numbers. This wasn't as successful as I'd hoped, as we were too freshly in the country to show up on their systems, so we left with letters saying we'd get one within four weeks, when our details had been verified.

Yesterday evening, we went for a general recce of the surrounding area, and checked out a supermarket. That was less disconcerting than I expected, although I don't think it was a terribly huge supermarket. Having a GPS certainly raises one's confidence when navigating significantly.

Last night I discovered that all the keys in my apartment were not created equal, and that the two loose in the lock box on the front door were the only two that opened the unit, and the two sets on key rings on the coffee table only opened the amenities and my mailbox. So I got to spend a bit of time sitting on my front doorstep until the nice man from Synergy Relocations came out to let me in (except his key didn't work either, so he got to make conversation with a legal alien while we waited for someone else to come out with a key).

Today, we drove around to see a shopping mall, and the first set of shops we found happened to be around the corner from an enormous (by my standards) apartment complex, which had some signage implying that it had vacancies, so we decided to get the low down on how renting worked before we did our rental tours. Casey drove us around in a golf buggy and gave a tour of what two different floor plans looked like. It seems that in this part, it's standard for an apartment to include the refrigerator, dishwasher, microwave, washing machine and clothes dryer, which is good to know.

Let me just say that if this is what living in an apartment complex is like, it's more like living in a resort. The place had pools everywhere, tennis courts, two gyms, a community centre, it was just unreal. It was also cheaper than I was expecting.

We then went to a massive shopping mall to do some window shopping. Discovered Wetzel's Pretzels. Hope they're not too fattening...

Tomorrow, I'm going to avail myself of the complex's gym, and generally get ready for the week ahead.

Future posts will be in a new category, which I won't be feeding to Planet Debian so as not to bore people. I will inflict them on Planet Linux Australia readers until someone asks me to stop. If you'd like a custom feed that excludes my American adventures, please let me know.

I wonder if adjusting Blosxom's idea of timezone buggers up existing posts and aggregators like Planet in general?

[17:38] [life] [permalink]

Thursday, 17 November 2005

Farewell Australia

Well, this is it. I'm in the Qantas Club with Mikal, the flight to LA boards at 12:35 or something. I ticked the "not coming back box" on the departure box.

This is going to be one hell of an adventure. Bring it on!

[16:13] [life] [permalink]

Tuesday, 15 November 2005

Roll back, or roll over and go back to sleep?

So, today is my last day at Cybertrust. Much to my displeasure it started at 4am, when I had to come into work to perform a load balancer upgrade.

I'd previously joked with a few people that I was tempted to not bother with the upgrade and just say I'd rolled back. Funnily enough, that was exactly the outcome anyway...

Being an uber secure facility, we keep all our class C rack keys in an electronic key safe. This being a funky PIN access-restricted, battery backed, solenoid-driven thing.

So when I rolled up at work at silly o'clock, the first thing I went to do was go to the key safe to pull out the rack keys I'd be needing to access the relevant racks to perform this upgrade. The key safe's little LCD display was dead. I laughed. I then proceeded to get lots of people out of bed to try and track down the location of the spare set of keys that wasn't in the key safe.

So to cut a long story short, we burned all our troubleshooting time trying to get rack keys, and we had some strange problems with locally attached devices not ARPing correctly, so we had to roll back anyway.

So I might as well have rolled over and gone back to sleep at 4am when the alarm went off. At least I'll get to knock off work early.

[15:01] [work] [permalink]

Monday, 14 November 2005

An uplifting experience

So, as of sometime this morning, most of our worldly possessions were (in cartons) loaded into a shipping container bound for the US. Unfortunately, I don't finish work until Wednesday, so my lovely wife was charged with supervising the packers yesterday and today.

My one word of advice with respect to packers is to be extremely careful, and assume that they will assume nothing. If you don't want something packed, don't leave it unsupervised or anywhere where it may be packed. My electric toothbrush was left unattended for slightly too long, and is in a carton somewhere. As was half of the bike rack until we raided a few cartons last night and rescued it.

Obviously literacy doesn't rate very highly as a requirement to be a packer either. We had "stools" spelt as "stulls" and "wine rack" spelt as "win race" on some of the items packed. I'd also never seen a couch bubble-wrapped until yesterday. Pretty much no item was left exposed. Everything is either in a carton or bubble-wrapped with funked brown-paper-backed, branded bubble wrap.

[20:56] [life] [permalink]

Is there a new BIND vulnerability lurking in the wings?

In recent times I've started seeing something in my logs that I haven't seen before. I'm yet to do any further investigation, but I suppose the next steps would be some packet captures and BIND source code poking...

Nov  8 02:13:16 daedalus named[6933]: errno2result.c:109: unexpected error:
Nov  8 02:13:16 daedalus named[6933]: unable to convert errno to isc_result: 14: Bad address
Nov  8 02:13:16 daedalus named[6933]: dispatch 0x80f6970: odd socket result in udp_recv(): unexpected error

Nov  9 01:08:33 daedalus named[6933]: errno2result.c:109: unexpected error:
Nov  9 01:08:33 daedalus named[6933]: unable to convert errno to isc_result: 14: Bad address
Nov  9 01:08:33 daedalus named[6933]: dispatch 0x80f6970: odd socket result in udp_recv(): unexpected error

Nov  9 10:01:13 daedalus named[6933]: unable to convert errno to isc_result: 14: Bad address
Nov  9 10:01:13 daedalus named[6933]: dispatch 0x80f6970: odd socket result in udp_recv(): unexpected error
Nov  9 10:01:13 daedalus named[6933]: errno2result.c:109: unexpected error:
Nov  9 10:01:13 daedalus named[6933]: unable to convert errno to isc_result: 14: Bad address
Nov  9 10:01:13 daedalus named[6933]: dispatch 0x80f6970: odd socket result in udp_recv(): unexpected error
Nov  9 10:01:13 daedalus named[6933]: errno2result.c:109: unexpected error:
Nov  9 10:01:13 daedalus named[6933]: unable to convert errno to isc_result: 14: Bad address
Nov  9 10:01:13 daedalus named[6933]: dispatch 0x80f6970: odd socket result in udp_recv(): unexpected error

Nov 11 00:02:35 daedalus named[6933]: errno2result.c:109: unexpected error:
Nov 11 00:02:35 daedalus named[6933]: unable to convert errno to isc_result: 14: Bad address
Nov 11 00:02:35 daedalus named[6933]: dispatch 0x80f6970: odd socket result in udp_recv(): unexpected error
Nov 11 00:02:35 daedalus named[6933]: errno2result.c:109: unexpected error:
Nov 11 00:02:35 daedalus named[6933]: unable to convert errno to isc_result: 14: Bad address
Nov 11 00:02:35 daedalus named[6933]: dispatch 0x80f6970: odd socket result in udp_recv(): unexpected error

Nov 13 02:05:47 daedalus named[6933]: errno2result.c:109: unexpected error:
Nov 13 02:05:47 daedalus named[6933]: unable to convert errno to isc_result: 14: Bad address
Nov 13 02:05:47 daedalus named[6933]: dispatch 0x80f6970: odd socket result in udp_recv(): unexpected error
Nov 13 02:05:48 daedalus named[6933]: errno2result.c:109: unexpected error:
Nov 13 02:05:48 daedalus named[6933]: unable to convert errno to isc_result: 14: Bad address
Nov 13 02:05:48 daedalus named[6933]: dispatch 0x80f6970: odd socket result in udp_recv(): unexpected error
Nov 13 23:03:05 daedalus named[6933]: errno2result.c:109: unexpected error:
Nov 13 23:03:05 daedalus named[6933]: unable to convert errno to isc_result: 14: Bad address
Nov 13 23:03:05 daedalus named[6933]: dispatch 0x80f6970: odd socket result in udp_recv(): unexpected error

Nov 15 02:37:32 daedalus named[6933]: errno2result.c:109: unexpected error:
Nov 15 02:37:32 daedalus named[6933]: unable to convert errno to isc_result: 14: Bad address
Nov 15 02:37:32 daedalus named[6933]: dispatch 0x80f6970: odd socket result in udp_recv(): unexpected error
Nov 15 02:37:34 daedalus named[6933]: errno2result.c:109: unexpected error:
Nov 15 02:37:34 daedalus named[6933]: unable to convert errno to isc_result: 14: Bad address
Nov 15 02:37:34 daedalus named[6933]: dispatch 0x80f6970: odd socket result in udp_recv(): unexpected error
Nov 15 02:37:34 daedalus named[6933]: errno2result.c:109: unexpected error:
Nov 15 02:37:34 daedalus named[6933]: unable to convert errno to isc_result: 14: Bad address
Nov 15 02:37:34 daedalus named[6933]: dispatch 0x80f6970: odd socket result in udp_recv(): unexpected error
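
A first triage pass over these messages before reaching for packet captures, as an added example (not part of the original post): it pairs each errno line with the dispatch line that follows it and summarises events per day, bursts, and whether the PID or dispatcher address ever changes. SAMPLE_LOG is an excerpt of the lines quoted above; the function names and the 2-second burst window are choices made for this example.

```javascript
// Added example. SAMPLE_LOG is an excerpt of the syslog lines quoted in the post.
const SAMPLE_LOG = `
Nov  8 02:13:16 daedalus named[6933]: errno2result.c:109: unexpected error:
Nov  8 02:13:16 daedalus named[6933]: unable to convert errno to isc_result: 14: Bad address
Nov  8 02:13:16 daedalus named[6933]: dispatch 0x80f6970: odd socket result in udp_recv(): unexpected error
Nov  9 10:01:13 daedalus named[6933]: unable to convert errno to isc_result: 14: Bad address
Nov  9 10:01:13 daedalus named[6933]: dispatch 0x80f6970: odd socket result in udp_recv(): unexpected error
Nov 13 02:05:47 daedalus named[6933]: errno2result.c:109: unexpected error:
Nov 13 02:05:47 daedalus named[6933]: unable to convert errno to isc_result: 14: Bad address
Nov 13 02:05:47 daedalus named[6933]: dispatch 0x80f6970: odd socket result in udp_recv(): unexpected error
Nov 13 02:05:48 daedalus named[6933]: errno2result.c:109: unexpected error:
Nov 13 02:05:48 daedalus named[6933]: unable to convert errno to isc_result: 14: Bad address
Nov 13 02:05:48 daedalus named[6933]: dispatch 0x80f6970: odd socket result in udp_recv(): unexpected error
Nov 13 23:03:05 daedalus named[6933]: errno2result.c:109: unexpected error:
Nov 13 23:03:05 daedalus named[6933]: unable to convert errno to isc_result: 14: Bad address
Nov 13 23:03:05 daedalus named[6933]: dispatch 0x80f6970: odd socket result in udp_recv(): unexpected error
`;

const LINE_RE = /^([A-Z][a-z]{2})\s+(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) (\S+) named\[(\d+)\]: (.*)$/;
const ERRNO_RE = /^unable to convert errno to isc_result: (\d+): (.*)$/;
const DISPATCH_RE = /^dispatch (0x[0-9a-f]+): odd socket result in (\w+)\(\): unexpected error$/;

// Split one syslog line into fields; returns null for anything not logged by named.
// Classic syslog timestamps carry no year, so a day is identified by month and day only.
function parseLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null;
  return {
    day: `${m[1]} ${Number(m[2])}`,
    secs: Number(m[3]) * 3600 + Number(m[4]) * 60 + Number(m[5]),
    host: m[6],
    pid: Number(m[7]),
    msg: m[8],
  };
}

// One event per "dispatch ... odd socket result" line. The errno line logged just
// before it (same PID, same day, at most one second earlier) is attached when present,
// so an event whose leading lines were lost still counts.
function extractEvents(text) {
  const events = [];
  let pending = null;
  for (const line of text.split("\n")) {
    const rec = parseLine(line);
    if (!rec) continue;
    const e = ERRNO_RE.exec(rec.msg);
    if (e) {
      pending = { rec, errno: Number(e[1]), text: e[2] };
      continue;
    }
    const d = DISPATCH_RE.exec(rec.msg);
    if (!d) continue; // e.g. the "errno2result.c:109" header line
    const paired = pending !== null && pending.rec.pid === rec.pid &&
      pending.rec.day === rec.day && Math.abs(rec.secs - pending.rec.secs) <= 1;
    events.push({
      day: rec.day, secs: rec.secs, host: rec.host, pid: rec.pid,
      dispatch: d[1], func: d[2],
      errno: paired ? pending.errno : null, // 14 is EFAULT ("Bad address") on Linux
      errnoText: paired ? pending.text : null,
    });
    pending = null;
  }
  return events;
}

// Events per day, runs of events close together, and the distinct PIDs, dispatcher
// addresses and errno values seen. A single PID across all days means named has
// not restarted between events.
function summarize(events, burstWindowSecs = 2) {
  const perDay = {};
  const bursts = [];
  let run = [];
  const flush = () => {
    if (run.length > 1) bursts.push({ day: run[0].day, start: run[0].secs, count: run.length });
    run = [];
  };
  for (const ev of events) {
    perDay[ev.day] = (perDay[ev.day] || 0) + 1;
    const prev = run[run.length - 1];
    if (prev && (prev.day !== ev.day || ev.secs - prev.secs > burstWindowSecs)) flush();
    run.push(ev);
  }
  flush();
  const uniq = (key) => [...new Set(events.map((ev) => ev[key]))];
  return {
    total: events.length, perDay, bursts,
    pids: uniq("pid"), dispatchers: uniq("dispatch"), errnos: uniq("errno"),
  };
}
```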

[14:18] [tech/security] [permalink]

Thursday, 10 November 2005

Distributed code reviews are cool

Thanks Sam for your even more compact (but harder to follow) PHP code to find a specific instance of a given day in the month.

I haven't tested your first function rigorously, but it seems to hold up to the second and fourth Thursdays of the month, which is mainly what I'm after.

The second function, which avoids function calls, appears to suffer from a partial off-by-one bug.

[13:33] [code] [permalink]

And it's not even summer yet!

My friend Kim, who's done the Brisbane → Melbourne → Brisbane thing (like I've done the Brisbane → Canberra → Brisbane → Canberra thing) is finding summer back in Brisbane a bit uncomfortable.

When I moved back to Brisbane I did it around this time of year, and coming from Canberra's late spring (which actually behaves like a late spring) to Brisbane's eternal summer of a spring is a bit of a shock to the system.

The humidity was the prime factor in me wanting to return to the blissful dry heat of Canberra's summer.

Kim, I feel your pain, furthermore, I'll be in Brisbane this weekend to feel it in person.

[03:45] [life] [permalink]

Finding a specific instance of a given day in the month in PHP

When I took over organising the CLUG meetings, I managed to replace most of myself with a small shell script (I even have the t-shirt).

Now that I'm leaving Canberra, Steve Walsh has kindly taken over the running of the script.

So I've done a bit more work on the script, and added a public front end to it, and made an RSS feed (my very first).

So until yesterday, to work out the fourth Thursday of the month, I'd been calling a Perl script that used Date::Manip, when I decided to investigate doing it with PHP natively. Tony gave me some initial code, but I ended up with this:


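function nth_day($instance, $dow, $month, $year)
{
    // Day of the week (0 = Sunday .. 6 = Saturday) that the 1st of the month falls on
    $first_dom = date("w", mktime(0, 0, 0, $month, 1, $year));

    // Day of the month of the first $dow in the month
    if ($first_dom <= $dow) {
        $first_instance = date("j", mktime(0, 0, 0, $month, 1 + ($dow - $first_dom), $year));
    } else {
        $first_instance = date("j", mktime(0, 0, 0, $month, 8 - ($first_dom - $dow), $year));
    }

    // Step forward whole weeks to the requested instance
    $instance_we_want = $first_instance + (($instance-1) * 7);

    // mktime() normalises an out-of-range day, so an instance past the end of
    // the month comes back as a day of the following month
    $date = date("j", mktime(0, 0, 0, $month, $instance_we_want, $year));

    return $date;
}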

[02:05] [code] [permalink]

Sunday, 06 November 2005

Ouch

Greg Kroah-Hartman did say:
If you have a problem with the way Debian handles udev, I'll point you to the proper place to complain about that. Debian is slowly sinking into the muck and it's fun watching it happen.

That hurts.

[19:31] [debian] [permalink]

Obfuscating email addresses with JavaScript

So I got pet peeved by Carlos Laviola in relation to my recent pondering about how MacOS X's SSH agent starts up on login.

Perfectly reasonable grounds for complaint. I have had people contact me in relation to blog posts in the past, so it's obviously not impossible. People know I'm a Debian developer and can put two and two together and wind up at db.debian.org.

Anyway, I'm the first to admit that my blog probably has too many of the Weblog Usability Top Ten Design Mistakes (something for me to work on). To date, I've been avoiding plastering my email address on my website because I didn't want to get it harvested. I try and use a per-list email address for this reason as well, and I haven't enabled blog comments because of comment spam, and because I haven't been clever enough to implement comments with Blosxom full stop.

So I started getting an idea for reversibly encrypting my email address on my blog after reading about Hashcash for Wordpress the other day.

I first started playing around with the Vernam cipher in High School, when I wanted to easily reversibly obfuscate some data for something. I'd read about this cipher in a magazine or something and seen it implemented in Pascal (it's not exactly hard).

So I happened upon the idea of encrypting my email address with the Vernam cipher. Turns out another chap's already got a page for encrypting and decrypting on the fly with JavaScript. It even generates the JavaScript for putting in your own web pages. I had to use a different key to avoid getting dollar signs in the encrypted string, as this confused the tripe out of Blosxom (and me for a while when I tried to figure out what was going wrong).

Then I thought it'd be nice to explain to people who had JavaScript disabled what they might be missing out on, so I fiddled around with some DOM stuff, and had some text get displayed if JavaScript was disabled. When JavaScript is enabled, this text is replaced by the decrypted text.

So of course, like the Wordpress Hashcash, this is largely relying on the inability of spam bots to grok JavaScript. Once they can, this obfuscation technique is all for naught. Meanwhile, you can email me a bit more easily now if you get the urge.

View the source of my blog for an example of the implementation.
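
The approach described above, as an added example (not the code from this blog or from the generator page it mentions): XOR the address with a repeating key, reject keys whose ciphertext contains characters that are unsafe to paste raw into a templated page (the dollar-sign problem), and swap the decoded text in over the no-JavaScript fallback. The address, keys, element id and function names are all made up for illustration.

```javascript
// Added example; the address, keys and element id below are constructed.
// ASCII input is assumed throughout.

// XOR every character with the key, repeating the key as needed.
// Applying the same function twice with the same key restores the input.
function xorWithKey(text, key) {
  if (key.length === 0) throw new Error("key must not be empty");
  let out = "";
  for (let i = 0; i < text.length; i++) {
    out += String.fromCharCode(text.charCodeAt(i) ^ key.charCodeAt(i % key.length));
  }
  return out;
}

// Characters that break when pasted raw into a templated HTML/JS page:
// non-printables, quotes, angle brackets, ampersand, backslash, and "$",
// which the post reports confused Blosxom.
const UNSAFE = "$\"'<>&\\";

// List every position in the ciphertext that cannot be embedded as-is.
function unsafePositions(cipher) {
  const hits = [];
  for (let i = 0; i < cipher.length; i++) {
    const code = cipher.charCodeAt(i);
    if (code < 0x20 || code > 0x7e || UNSAFE.includes(cipher[i])) {
      hits.push({ index: i, code });
    }
  }
  return hits;
}

// Return the first candidate key whose ciphertext can be embedded raw,
// or null if none of them qualifies.
function pickKey(address, candidates) {
  for (const key of candidates) {
    if (unsafePositions(xorWithKey(address, key)).length === 0) return key;
  }
  return null;
}

// Hex-encoding the ciphertext removes the restriction on keys altogether.
function toHex(s) {
  return Array.from(s, (ch) => ch.charCodeAt(0).toString(16).padStart(2, "0")).join("");
}

function fromHex(hex) {
  if (!/^([0-9a-f]{2})*$/i.test(hex)) throw new Error("malformed hex string");
  let out = "";
  for (let i = 0; i < hex.length; i += 2) {
    out += String.fromCharCode(parseInt(hex.slice(i, i + 2), 16));
  }
  return out;
}

// Replace the fallback text of an element with the decoded address.
// textContent rather than innerHTML, so decoded bytes are never parsed as markup.
// The key travels with the page, so this only defeats harvesters that do not run scripts.
function reveal(doc, elementId, cipherHex, key) {
  const el = doc.getElementById(elementId);
  if (!el) return false;
  el.textContent = xorWithKey(fromHex(cipherHex), key);
  return true;
}

const ADDRESS = "user@example.org";        // constructed sample address
const KEYS = ["Q815k162", "4815k162"];     // first key yields "$" at position 0

// In a page, the fallback text sits in the element until the script runs:
//   <span id="contact">JavaScript required</span>
//   <script>reveal(document, "contact", "<hex ciphertext>", "<key>");</script>
```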

[03:56] [code] [permalink]

Tuesday, 01 November 2005

The quest for IPMI LAN access over down interfaces continues

Today I upgraded daedalus to 2.6.14. I had to backport yaird to stable, which wasn't a big deal. It's available here if you're interested. The kernel package for 2.6.14 from unstable worked fine otherwise.

I had two motivations behind upgrading - inotify and another look to see if the situation with IPMI had changed.

Well inotify just works, and is the bomb. I'm going to have lots of fun with it.

IPMI, on the other hand, is still broken, which makes me sad. As I've previously pointed out by way of example, LAN access to the base-board management controller via IPMI is impossible after Linux shuts down the interface. It's supposed to work, but the way Linux does it seems to stop it from working.

I'd read that the problem was resolved in 2.6.12, and so dutifully tested it out on daedalus to my detriment. I also tested it on 2.6.14, but again, had the same problem (I remembered to schedule a deferred reboot this time).

So IPMI with a box running Linux is all good as long as the box is actually running. I suspect if the box panicked and/or hung itself, it'd also be useful for rebooting it, but if you shut the box down and remove power, IPMI won't allow you to turn it back on again.

[16:01] [tech] [permalink]

Saturday, 29 October 2005

How does MacOS X (Panther) start ssh-agent?

Dear Lazyweb,

Ever since I reinstalled my PowerBook a few months ago, after I'd put back on all my software (including the lovely SSHKeyChain), I couldn't get the same SSH agent behaviour I used to have.

Specifically, the first time I'd SSH somewhere after logging in (or after awakening the laptop), I'd be prompted (in a nice GUI kind of way) for my SSH passphrase, after which the private key was loaded into my SSH agent, and life was good from then on.

That is no longer the case. I get prompted for my SSH passphrase in the terminal window and on a use by use basis, i.e. the key isn't being loaded into my agent after the first time I get asked for my passphrase.

I think the root of the problem is that my ssh-agent is being started with the -c option (generate C shell commands) when I'm actually using Bash. So, the crux of my question is where the hell does ssh-agent get started from, and how can I change how it is started?

Love and sloppy kisses,

Andrew

[22:48] [tech] [permalink]

Friday, 28 October 2005

The FAI FAQ has been obsoleted by the FAI wiki

For a few years I've hosted a Faq-o-Matic instance for FAI.

I received an email today from someone saying that all of the content in the FAI Faq-o-Matic had been merged into the FAI wiki, so I've just reconfigured my web server to redirect visitors straight to the wiki. I'll give this a couple of weeks or so for the search engines to all get with the program, then I'll completely decommission the web server.

[05:34] [tech] [permalink]

Thursday, 27 October 2005

Last CLUG meeting for a while

Tonight was my last CLUG meeting for a while, and it was a pretty good one.

We didn't have a whole lot of structure to the meeting. Bob gave a couple of short talks. I gave a short talk off the cuff about the wonders of LVM. Hugh showed off some virtual reality goggle things. Alex tried to have a bit of a hackfest on Coda, but I think there was a general lack of Coda fu, so that didn't get very far unfortunately.

Steve Walsh has kindly offered to take over as the person behind the shell script that schedules the meetings, and I've moved it from caesar (in the cupboard at home on the end of an ADSL connection) to daedalus in Brisbane, so it will continue to be accessible while I'm relocating.

I'm looking forward to checking out SVLUG and BALUG (which seems to have fallen off the Internet (from home) at time of writing, looks like someone needs to read the IETF's BCP #16).

[06:09] [clug] [permalink]

Wednesday, 26 October 2005

On this surplus orange problem

Okay, this may be a bit naive, but rather than having farmers dump a quarter of their annual orange output, why can't the Federal Government step in, and using some of the money they'd have earmarked for foreign aid, buy the oranges and ship them to the nearest country in receipt of our foreign aid? Everybody wins.

[23:43] [opinion] [permalink]

Falcom A2D-1

Product: A2D-1
Vendor: Falcom
Australian Reseller: Cellular Access
SAGE-AU Member Discount: No
Why do I think this is cool? The Falcom A2D-1 is a great industrial-grade GSM modem that works very well with stuff like smstools and can therefore be integrated nicely with monitoring products such as Nagios. I've used one of these personally at home for a number of years, and in two different jobs. Generally I find them to be more reliable than a mobile phone and gnokii. Just putting this blog post here in the hope that the new Australian reseller's Google juice is increased a bit.

[19:32] [tech/gadgets] [permalink]

Canberra Perl Mongers meeting

The Canberra Perl Users Group is having one of its extremely irregular meetings next week.

If you're in Canberra, or will be on November 2, let me know. The last one wasn't too bad.

http://mail.pm.org/pipermail/canberra-pm/2005-October/000146.html

[18:06] [code] [permalink]

New toys

We've been stocking up on gadgets for our upcoming trips.

Camera

Sarah's going to Singapore to catch up with some relatives and then joining me in the US a week or so later. As our digital camera is currently a 1 megapixel afterthought on our Sony DCR-PC100E Handycam of 5 and a bit years, we thought it high time we got something half-decent as a compact camera.

I'm moderately keen on getting a digital SLR, and after using Mikal's Canon EOS 350D when we went to San Francisco for our Google interviews, wouldn't mind getting one of those down the track and doing a photography course. So we tossed up whether or not to get a compact now and an SLR later, or scrap the SLR, and get something in the middle like a Canon PowerShot S2 IS. We settled on getting a Nikon CoolPix 5900, partly because apparently all the PowerShots are stuck in Customs at the moment and there's none to be had in the country for love or money.

iPaq and GPS

There is no way I was going to drive in the US again without some form of satellite navigation in the car. There's just too much going on on the roads over there (not to mention driving on the other side of the road) to have to worry about how to get from A to B. We were just intending to buy a car that had satellite navigation when we got over there, and try our level best to get a hire car with one in the interim.

Some friends were saying that we'd probably pay a lot more for a car with it as a built in option, than if we were to buy a handheld/portable GPS. Then Mikal bought a bluetooth GPS for his iPaq, and that convinced me to go that way as well. So I bought an iPaq hx2100, which interestingly seems to have just fallen off HP's website (it was there on the weekend), so it must be approaching obsolescence or something.

Today I got the Destinator software with maps for the US, and some evaluation maps for Australia, and tonight Sarah and I went for a spin to try it out.

It was pretty cool. One thing that could be better is the differentiation between the directions leading up to a turn and the turn itself. For example, it says "Turn right in 300 metres" and then proceeds to count down (e.g. "Turn right in 100 metres"). Then it just says "Turn right". It'd be more obvious if you didn't have to listen for whether it was "in x metres" or not and either tacked "now" on the start or end of the final direction. It was also cute how it called roundabouts "circles". Going straight through a typical roundabout was "Take the second exit on the circle". If you ignored directions at some point, it'd plot a new route to still get you to your destination. All in all, I'm pretty happy with that purchase.

The bluetooth GPS unit itself is cool. I'm able to talk to it from our PowerBook under MacOS X as a bluetooth serial port, and I'm yet to try the same with Linux on my D610. Hopefully I'll be able to get it to work with gpsdrive.

The one downside with getting an iPaq and running Pocket PC 2003 (or WinCE as I prefer to call it) is it's forcing me to spend more time in Windows on my laptop than I otherwise would, just so I can do syncs and stuff. Hopefully once I've got the iPaq all bedded down, that'll change...

[05:11] [tech] [permalink]

Tuesday, 25 October 2005

Hand me the brown paper bag

The moral of the story is always, always use at to schedule a reboot shortly in the future, no matter how harmless you think something is...

Today I stopped procrastinating about upgrading daedalus's kernel to 2.6.12 and did it. That worked fine. The reason for the upgrade was that I'd read somewhere that 2.6.12 fixed the problem with things like Dell's Baseboard Management Controller, where if you downed the interface in Linux, it downed it so far so that the BMC (which does some funky low-level physical interface sharing) also stopped being remotely accessible.

So I upgraded, hopeful in the fact that if I were to ever remotely shut down daedalus, I could turn it back on or reboot it remotely with ipmitool. I thought I'd test this, so I did this:

daedalus:~# ip l s dev eth0 down; sleep 10; ip l s dev eth0 up

and promptly kissed daedalus goodbye. Not just for 10 seconds, for until I could get the colo guys to kick it in the guts for me. Grrr.

At least I determined that the problem appears to persist. If I down an interface in Linux, it's down for the BMC as well. That sucks.

[19:14] [tech] [permalink]

Monday, 24 October 2005

Somewhere to live (temporarily)

The cast of thousands tasked with relocating us to the US continue to swing into action. For up to a month, we'll be accommodated at The Carlyle in Santa Clara. It looks a bit over the top. I mean we really don't need chandeliers, but at least it has a gym so I can try and keep off my Google pounds.

It also looks reasonably close to work.

Now if we can just get through all this customs paperwork for importing our personal effects...

[16:16] [life] [permalink]

Unbelievable

But true.

You Passed 8th Grade Math
Congratulations, you got 10/10 correct!
Could You Pass 8th Grade Math?

[05:47] [meme] [permalink]

Saturday, 22 October 2005

New dining table

About a month ago we lashed out on our first major purchase as a married couple and got a new dining table, as we anticipated having a few dinners with friends before we left the country.

Our new dining table

Last week it arrived, and tonight we had our first 8 person dinner to christen it. I made Moroccan stuffed lamb with roast vegetables, which turned out to be a success. It's always a bit scary making a new dish for the first time when you've got people coming over for dinner, as if it's a total disaster, you've still got to subject your guests to it.

[07:08] [life] [permalink]

Friday, 21 October 2005

Just the way I want to spend my Friday night...

Bashing my head over why Firewall-1 is eating my ACK packets for dinner - when I'd rather be at home eating some myself. Dinner that is, not ACK packets. They're not all that filling. No payload and all.

So, the bastard thing has a rule that is supposed to accept packets from the big bad interweb, and let them in to a web host, after a spot of load balancing and what have you. I'm testing it with a remote connection from home. The SYN comes in, the SYN goes out. The SYN arrives where it's supposed to. The web server ACK's that SYN. The ACK arrives at the firewall. The ACK is never seen again. Oh, and the firewall logs an ACCEPT on the packet.

So after restarting Firewall-1, rebooting (gotta love the fact this isn't production yet), checking my routing (there's not a lot to check, it's going to go out the default gateway), I'm at headbutting keyboard point.

At least I found and fixed a problem with logging.

[02:42] [work] [permalink]

Tuesday, 18 October 2005

I'm feeling lucky redux

Today we finally got our E3 visas in the mail, so I've resigned from Cybertrust, and I'll be starting at Google in Mountain View, California, in probably 5 or 6 weeks time.

Much bubbly to be consumed tonight.

[23:19] [life] [permalink]

Saturday, 15 October 2005

Fast clean chroot creation with LVM snapshots

Now that I've got a bit more disk space, I decided to fully script chroot creation with LVM snapshots.

This requires dchroot, LVM, and as many logical volumes as you want chroots for, with a logical volume naming scheme like this:

apollock@caesar:~$ sudo lvs | grep pristine
  stable-pristine   base -wi-a- 320.00M
  testing-pristine  base -wi-a- 320.00M
  unstable-pristine base -wi-a- 320.00M

sudo makes life a bit easier as well.

Next, you need a directory structure like this:

apollock@caesar:~$ tree /chroots
/chroots
|-- pristine
|   |-- stable
|   |-- testing
|   `-- unstable
|-- stable
|-- testing
`-- unstable

Finally, you need some /etc/fstab entries to mount the chroots (and a /proc):

/dev/base/stable-pristine       /chroots/pristine/stable        ext3    defaults,noauto 0 0
stable-proc     /chroots/pristine/stable/proc   proc    defaults,noauto 0 0
/dev/base/testing-pristine      /chroots/pristine/testing       ext3    defaults,noauto 0 0
testing-proc    /chroots/pristine/testing/proc  proc    defaults,noauto 0 0
/dev/base/unstable-pristine     /chroots/pristine/unstable      ext3    defaults,noauto 0 0
unstable-proc   /chroots/pristine/unstable/proc proc    defaults,noauto 0 0

/dev/base/stable        /chroots/stable ext3    defaults,noauto 0 0
/dev/base/home          /chroots/stable/home    jfs     defaults,noauto 0 0
/dev/base/tmp           /chroots/stable/tmp     jfs     defaults,noauto 0 0
stable-proc     /chroots/stable/proc    proc    defaults,noauto 0 0
/dev/base/testing       /chroots/testing        ext3    defaults,noauto 0 0
/dev/base/home          /chroots/testing/home   ext3    defaults,noauto 0 0
/dev/base/tmp           /chroots/testing/tmp    ext3    defaults,noauto 0 0
testing-proc    /chroots/testing/proc   proc    defaults,noauto 0 0
/dev/base/unstable      /chroots/unstable       ext3    defaults,noauto 0 0
/dev/base/home          /chroots/unstable/home  ext3    defaults,noauto 0 0
/dev/base/tmp           /chroots/unstable/tmp   ext3    defaults,noauto 0 0
unstable-proc   /chroots/unstable/proc  proc    defaults,noauto 0 0

Note that you don't need to bother double-mounting /home and /tmp in the "pristine" chroots, because generally speaking, only root will be logging into them, for the purposes of installing packages or upgrading what's already installed.

So firstly, create the logical volumes that are going to hold the "pristine" chroots. Put your favourite filesystem on them, and mount them. Then use debootstrap to install a base installation. I found I had more success doing an installation of sarge into the stable chroot's logical volume, and then dd'ing that across to the testing and unstable logical volumes, and doing a dist-upgrade afterwards.

Once you've got your base chroots installed, add entries to /etc/dchroot.conf for them, as well as the subsequent snapshot ones:

unstable /chroots/unstable
testing /chroots/testing
stable /chroots/stable

unstable-pristine /chroots/pristine/unstable
testing-pristine /chroots/pristine/testing
stable-pristine /chroots/pristine/stable

Then use dchroot (as root) to log into each "pristine" chroot in turn and install build-essential, fakeroot, and whatever else you want to have consistently installed in each instance of the chroot.

Once you're done with this, you can use the couple of scripts I've knocked up for easily creating an instance of one of these pristine chroots. You can then install whatever packages you like into these instances, build your packages, and then when you're finished, just throw away the logical volume. You can rinse and repeat this process as much as you like, and it's as quick as creating a snapshot logical volume, giving you a clean chroot to start with every time.

[07:37] [debian] [permalink]

I love LVM.

There is sliced bread, and then there is LVM.

Today I had a pleasantly easy time migrating one of my servers from a 40Gb disk to a 120Gb disk, thanks to LVM.

Background

A few months ago, caesar, my general purpose box, blew up. Its motherboard was of the vintage that couldn't cope with a disk larger than 32Gb, so it had a 40Gb hard drive in it, jumpered to look like a 32Gb disk. Apparently I could have probably fudged the geometry of a larger disk in the BIOS so that it would boot, but I survived with a small disk, and wasn't keen on reinstalling at the time.

When I replaced caesar, it was capable of using a larger disk, but I just did a direct disk swap from the old caesar to the new one, and got on with my life. I subsequently replaced daedalus, my web server in Brisbane, which made two 120Gb disks available.

Recently, I started hitting the limits of the 32Gb disk, and the old daedalus (recycled into minotaur) was just sitting around with a 120Gb disk in it, not doing very much, so I decided to try and migrate from the 40Gb disk to the 120Gb disk.

Partition layout

The way I generally partition a disk is I have a 512Mb partition for my root filesystem, a swap partition as big as the swap allocation recipe I'm subscribing to at the time, and use the rest as a physical volume for LVM.

Copying the root filesystem

So I took the 40Gb disk out of caesar, put it into minotaur as the primary disk with the 120Gb disk as the slave, and booted into single-user mode. Next, I created a partition for the root filesystem on the 120Gb disk the same size as it was on the 40Gb disk. I ensured the root filesystem was mounted read-only, so everything would be consistent, and used dd to copy /dev/hda1 to /dev/hdb1. Next, I shut down and reconnected /dev/hdb (the 120Gb disk) as /dev/hda to make sure I could boot from it okay. I think because this disk had previously had minotaur's Linux installation on it, with GRUB, this worked fine. I'd probably have had to dick around with installing GRUB in the MBR otherwise.

Moving the logical volumes

Once I was satisfied that I could boot from the 120Gb disk, I swapped back again so I was booting from the 40Gb disk as /dev/hda, and again booted into single-user mode. I did a pvcreate on /dev/hdb3, and then a pvmove /dev/hda3 /dev/hdb3 and sat back and twiddled my thumbs for a while.

At about 72 percent, I got a kernel oops and the pvmove bailed out. I started to worry a bit at this point, and retried the pvmove without any arguments. According to the manpage, it's supposed to restart from the last checkpoint. In hindsight I should have rebooted straight away, as the kernel obviously now had its knickers in a knot. The pvmove didn't seem to progress, and I couldn't interrupt it, so I had to do a hard reset. As Debian's single-user mode tends to do a hell of a lot (including mounting all the filesystems), the mounting of one of my ReiserFS filesystems also seemed to cause the kernel to oops. So I rebooted with the "emergency" argument instead, and manually ran just enough of the rcS.d scripts to get the logical volumes available, and reran the pvmove again. This time it completed successfully.

I then used vgremove to remove /dev/hda3, which no longer had any extents allocated to it, from my volume group, and then did a pvremove on it for good measure. I disconnected the 40Gb disk, and booted with the 120Gb disk as the master, and all was good.

I put the 120Gb disk back into caesar, and if I hadn't had to pull it out of the "rack" to stick a head on it to discover that it wanted me to press F1 because the 40Gb disk had turned into a 120Gb disk, that part would have been interventionless.

So I was very pleased with how easy the whole process was. If I hadn't had those couple of kernel oopses, it would have been a piece of cake (and the oopses didn't really give me that much grief anyway, thanks to the checkpointing). So LVM would be great with an environment where SMART was accurately predicting the demise of a disk. You could ideally migrate all the data off a failing disk, probably without rebooting, and if the disks were hot pluggable, just remove it from the system without any downtime. Of course, it's no substitute for a good bit of RAID, but pretty cool nonetheless.

[03:08] [tech] [permalink]

Friday, 14 October 2005

No, I am not a wife beater

Sarah just looks like shit after having her wisdom teeth out.

I felt like everyone was giving me funny looks today when we ventured out to do a few things. It's certainly not a good look.

[22:32] [life] [permalink]

On musical breasts

Oh dear God.

So I wonder in future, rather than what cup size, the surgeon will ask how many gigabytes a woman would like her breasts to be? I find this whole concept as freaky as Jon Oxer's desire to implant an RFID tag in his hand. Insert heebie jeebies here.

[15:10] [tech] [permalink]

Thursday, 13 October 2005

To dpatch or not to dpatch

That is the question.

So as Joey's blogged, those in the anti-dpatch (and co) camp have stated their reasons for disliking it.

I can see where they're coming from.

One problem that I can see with having all the Debian-specific modifications just rolled up in the diff is that when a new upstream release comes out that incorporates some of them, the uupdate application of the diff isn't going to work cleanly. It's been so long since that's happened to me that I forget what actually happens, and what has to be done to rectify the situation.

Of course, the solution is to use a revision control system. I've really got to bite the bullet and start doing that. I've never really written anything terribly big (yet), so I haven't got a lot of revision control system experience. I've listened in on talks about Bazaar-NG and Arch and stuff, and haven't really gotten a lot out of it, because I haven't really, well, got the experience with doing version controlled work, and that's largely because I haven't had the need.

Time to take things to the next level, methinks. Time to stop procrastinating about putting src:dhcp3 into Alioth and just do it and die.

[05:20] [debian] [permalink]

Wednesday, 12 October 2005

dpatch considered harmful?

Joey Hess needs a peppermint.

I'd also like him to explain what's wrong with dpatch, as until now, I was of the opinion that it was the duck's testicles.

[22:54] [debian] [permalink]

Blogging saves the day

Well kind of.

A colleague in Operations came up to me with a Firewall-1 problem, which was identical to one I'd experienced earlier in the year.

I couldn't remember the details, but I remembered the situation, so I just pulled up my blog, used Firefox's find-as-you-type feature, and pointed him at the details.

[19:03] [work] [permalink]

Serenity

Tonight we went and saw Serenity.

I think the thing I noticed first was that it showed that 3 years had elapsed since the TV series and the movie. Haircuts weren't exactly consistent, Jayne looked like he'd lost a bit of weight. The Shepherd was sporting braids. Oh, and he somehow had parted company since the last episode of the TV series. Hadn't seen that one coming, whereas Inara's (initial) absence wasn't a total surprise.

Someone was complaining about the movie's explanation for the origins of the Gorram Reavers, but I thought it was fairly reasonable. Heck, they featured in more of the movie than they did in the series.

I didn't find it all that compelling (but I didn't find the series that compelling either), but it was still enjoyable. Not sure if I'd have gotten as much out of it if I hadn't seen the series first. And it didn't adequately explain the background of Shepherd Book, which was one of the many plot lines that was built up in the series, but not explored to its end.

Overall, I think it's a bit of a shame that Firefly's plot didn't get to fully develop. Must do some research on why it was axed.

[04:56] [life] [permalink]

Firefly

Today Sarah and I finished watching all the episodes of Firefly on DVD.

It grew on me over time. Initially I thought it was all a bit too Western, cowboy and Indian, but by the end of it, I was really enjoying it. I think I got a chuckle out of every single episode. I haven't really looked into why the series got axed when it did, because it didn't seem to have anything terribly wrong with it. I really liked the motley crew of Serenity. I think Jayne was my favourite. He was such a meat-head, but he was always coming out with funny lines.

So now that we're all clued up on the series, we're off to see Serenity tonight. Hopefully it ties up a lot of the loose ends and answers some of the questions left hanging from the series.

[00:32] [life] [permalink]

Monday, 10 October 2005

Sarah's little bottle of wisdom (or My wife, the chipmunk)

Sarah had her wisdom teeth taken out this morning. The bottom two were impacted, and the top two didn't have enough room to come down, so they all had to go.

I'm taking today and tomorrow off to look after her.

The surgery went fine. She had what they call "twilight" anaesthetic, as she didn't cope too well with the general anaesthetic last year when she had her arthroscopy. She's still a bit groggy, and I don't think the local anaesthetic in her gums has worn off yet, because she isn't feeling too sore, but the swelling is starting to kick in. It's bled a bit more than I'd have expected.

She got to keep the teeth, and they're huge! The bottom two are a bit grey and festy in parts. In the photo below, the outside two are the bottom two, and the middle two are the top two. Not sure what was left and right.

[Photos: Sarah's wisdom teeth; Sarah's post-op swelling]

[23:30] [life] [permalink]

Big weekend away

Sarah and I had to go to the US Consulate in Sydney for my E-3 visa application on Friday, so we decided to make a bit of a long weekend of it.

So first up, we drove to Artarmon on Friday morning, and ditched the car at Sarah's Aunty Glenda's place (she was the MC at our wedding). We jumped on a train, which managed to

  1. arrive, and
  2. stay on the tracks

until we got into town, where we headed into the Consulate. Michael and Catherine had an earlier appointment that morning, and they were as successful as you can be on the day with their application.

We said a quick hello to them in Martin Place and headed up to the Consulate, as Michael said things were starting to get busy, so I figured the sooner we got in the queue, the sooner we'd get processed.

Security was interesting. Reception was on level 10, and we rocked up to what appeared to be a very temporary looking setup: a room with an "in" door and an "out" door at opposite ends of one wall, a bunch of chairs arranged in a sort of seminar layout, and a desk with a security guard.

The guard quizzed us as to who we were, if we had an appointment and ID and whatnot, and checked our names off against a list, and then searched our bags and ran a metal-detector wand over us and directed us to take a seat.

Half a minute later, another guard appeared, and ushered us into an elevator, which he had to swipe a card to get to go to something like the 59th floor.

Upon alighting from the elevator, we were presented with another desk with a pair of security guards, who again quizzed us as to who we were and what we were doing there, and then got us to empty our pockets to walk through an airport-style metal-detector. I'd brought my laptop bag (sans laptop) to hold all our paperwork, and that had a drink bottle with water in it on the side. The guard asked if it was water, and when we said it was, asked Sarah to have a drink of it to confirm it was safe. She took a sip and then proceeded to have a massive coughing fit. I thought we were going to get chucked out before we'd even started. She reassured them that it was okay, and took another sip and had another massive coughing fit! Fortunately the guards had a sense of humour about it all and let us in.

The Consulate itself was close to what I expected, but I didn't expect so many people to be sitting around waiting, and I didn't expect to have to talk to the Consulate staff through a sheet of plate glass.

We had a minor glitch with our paperwork, which my sponsor is sorting out at the moment, so we came away with our application being placed on hold. Eligibility-wise, it shouldn't be a problem though, which was more what I was worried about. The whole process took about 2 hours (and most of that was waiting around. We probably spent a total of about 10 minutes actually talking to people).

Next we had lunch with a couple of friends of Sarah, and then did a spot of shopping, and then jumped back on the train to Artarmon. We had a few drinks at the local pub with my mate Andrew (who conveniently lives two streets from Sarah's Aunty), and another former work colleague, and then had dinner with Andrew, back at Sarah's Aunty's place.

I awoke on Saturday morning thinking I was in a wind tunnel, there was that much wind howling around outside. Shortly after that, there was a huge bang, and part of a tree across the road had blown over onto the power lines, so that was it for electricity for the remainder of our stay that morning. We got to watch the electricity company come out, chop all the wires off and chainsaw up the tree limb. Then we headed off to Newcastle to visit our friends Michael and Elise. I'd managed to sleep funny and pulled a muscle in my neck, so Sarah had to do the remainder of the driving.

We stayed the night with Michael and Elise, and then headed back to Wollongong to visit my boss, who has moved from Canberra to an absolutely gorgeous house on the coast, and then we headed home, arriving back at about 6:30pm on Sunday night.

So we had a busy weekend, but an enjoyable one. Would have been nicer if I hadn't had the paperwork problems with the visa, as I still have no idea of any time frames for relocation.

[20:13] [life] [permalink]

A picture tells a thousand words

Gee I wonder when linux.conf.au 2006 registrations opened?

[Image: graph of traffic to the lca2006 webserver]

[19:15] [tech] [permalink]

Sunday, 09 October 2005

lists.debian.org has Message-ID lookup

Google by Message-ID no more, Andrew Suffield has written a cool Message-ID lookup page.

[20:06] [debian] [permalink]

Tuesday, 04 October 2005

Are you subscribed to Linux Weekly News?

Catching up with my LWN backlog, I read that LWN subscriptions have pretty much flat-lined, and the current level isn't terribly sustainable.

I'm lucky. I get my subscription paid for because I'm a Debian developer (one of the few perks of the job).

Would I subscribe if I had to pay for it myself? After having been a subscriber for about 2 years, and for $60USD per year, probably yes.

LWN is one of the few weekly publications that I make a point to read. I find the writing style, and the length of the articles to be quite good. I think most "political" issues are covered fairly objectively. It's a good read.

I also subscribe to Linux Journal in dead-tree format, and to be honest, I have about 6 months worth of magazines lying around the house at the moment, still in their plastic. Purely because I just haven't had the time (or the presence of mind when I have) to sit down and have a read of them. And that's not because I don't think LJ is a good publication, quite the contrary, I think I'm just satisfying my information requirements with LWN, and so I'm not finding that urge to pick up the magazine.

I personally wish Jonathan all the best with LWN, and hope to see it reach 10 years. If you like what you can read for free, and would rather read it hot off the press, consider subscribing. If you're a Debian developer, you've got nothing to lose.

[22:33] [tech] [permalink]

Trip to the Snowy Hydro's Tumut 3 power station

Making the most of the long weekend we just had, Sarah and I decided to blow a tank of fuel doing a trip to the Snowy Hydro Power Scheme yesterday.

It took us the best part of 3 hours to get there from Canberra.

I was really impressed with the sheer engineering of it all. I had no idea how much water they were moving around from so many different dams. The scheme is just as much about carting water around as it is about generating power. In fact, the generating power bit is just a front to make carting the water around vaguely cost-effective.

The tour itself was a bit disappointing. You didn't get to see a real lot, and you weren't allowed to take photographs. I guess there isn't a lot you can see in a functional power station. The turbine is pretty much all concealed. The bus-bar room looked innocuous enough, but the tour guide said that if someone walked in there, it'd be like a bug in a bug zapper...

All in all, it was worth the trip though. I like dams and power stations, so it was fun crawling all over the place taking in all the different vantage points.

[02:01] [life] [permalink]

Upwardly mobile lemmings

That was Rick, his brother and myself on Sunday. We made the most of the weekend and walked up Mount Tennant, in the Namadgi National Park. I'm still sore.

The mountain is about 1300 metres above sea level, and we started at about 600 metres. The walk up was about 6 kilometres, and took about 2 hours. The walk back took about an hour and a half.

There was a rainwater tank at the peak, which I was very happy about, as I exhausted my water bottle getting up there.

There was also a fire observation tower, which we could get half way up without a key to the padlock. I took a couple of north-looking photos with my phone, which was all I had with me in the way of photographic equipment.

[Two photos: view north from the fire observation tower on Mount Tennant]

The view north was of southern Canberra, and the view south was of more mountains.

[01:41] [life] [permalink]

Friday, 30 September 2005

BAM!

Tonight, Sarah and I went to see the Warehouse Circus' latest production, BAM!, at the Canberra Street Theatre.

The main reason (well the only reason we knew it existed) was because my study buddy Tiane was in it.

I've never been to a performance at the Canberra Street Theatre before, and the theatre itself was really first rate. So was the performance. It was an inspirational combination of dance, acrobatics, juggling and pantomime. I can't remember the last time I went to see a live stage performance (excluding stand-up comedy). Tiane was really awesome too. She's so strong. She was a corner-stone in many of the performances that involved people stacked on each other, and did a really cool solo trapeze act. It was a great night out for not a lot of money. Canberra's own Cirque du Soleil.

The live music the performances were done to was fantastic as well. A good combination of techno and trance, with some really phat bass that really got my innards resonating. Oh and did I mention I thoroughly enjoyed myself?

If you're in Canberra, go see it. It's well worth the money.

[05:37] [life] [permalink]

Tuesday, 27 September 2005

Pure gold

Sarah sent me this link about a prank someone played on an eBay scammer...

[21:44] [humour] [permalink]

Kynan didn't break my mail server

Kynan is publicly flagellating himself for allegedly breaking my mail server.

Thing is, while he did manage to create a virtual forwarding loop, he only did it for his own domain, not everybody else, so it's not like it actually inconvenienced anybody or anything...

[20:46] [tech] [permalink]

But I don't want to be patent encumbered!

[00:20] [geek] [permalink]

Monday, 26 September 2005

Wow

Ozlabs have a band! Cool!

[13:58] [clug] [permalink]

Friday, 23 September 2005

Thank goodness for irssi's nick highlighting

Or I might never have known about this photo from the SAGE-AU 2003 conference in Hobart...

[06:18] [life] [permalink]

Tuesday, 20 September 2005

Oh the humanity!

So I dropped out of Uni this semester, and that included dropping out of a subject on concurrency, and here I am at work trying to deal with a problem of multiple scripts writing to a FIFO concurrently, and I'm trying to devise a solution whereby they'll only write one at a time, and also there won't be starvation.

Ye gods, the practical application of something at Uni. Who would have thought? But I dropped out... Argh.

[19:00] [work] [permalink]

Monday, 19 September 2005

There is no escape

So, I have been officially redeployed back to the client's site I was previously working in. So much for my little sabbatical at the office, and catching the bus... Ah well.

[18:05] [work] [permalink]

Sunday, 18 September 2005

I swear our cat is bulimic

She just barfs everywhere. Well, not quite everywhere. Almost exclusively on the carpet. Tonight, she came into the lounge room pretty much purely for the purpose of throwing up, and left again.

She loves to eat, and I think that's the problem. She bolts down her food, and then tends to throw up again shortly afterwards. I think we'll have to drop her back to a diet of purely dry food, and in strict rations, and see how that goes. We're both getting a bit sick of cleaning up cat vomit off the carpet. So far, we seem to have escaped any significant damage. We'll have to wait and see how the carpet steam cleans up at the end of the lease.

[02:26] [life] [permalink]

Saturday, 17 September 2005

New video card and battling with Windows 2000 to get it to use it

So I ventured out to the Computer Fair at Woden CIT (my least favourite venue), and acquired myself a new video card to replace the one that had died recently.

I don't really follow developments in PC hardware, and I didn't really know what to get. Rick is violently against ATI, so I decided to stick with nVidia, since the previous card was an nVidia GeForce2 MX or something like that.

So Sarah and I set out with the intention of getting a GeForce4 MX 440, which seemed to be nice and bottom-of-the-line. I was expecting to pay through the nose for a new video card, and I really didn't need anything terribly whiz-bang.

It turned out that there wasn't anything of that ilk available, and the prices were a lot lower than I was expecting. We got a GeForce 6200 with 256M of RAM for $95. In hindsight, I probably should have used the list of supported cards that the XFree86/X.org nv driver spits out when it can't find a supported card, but I managed to get the card working under X.org with the nVidia binary driver.

Getting Windows 2000 to play ball turned out to be a far more difficult problem. What ended up being the problem was Windows, in its infinite wisdom, decided to reenable all the disabled devices when it found some new hardware. I have to disable my Fusion HDTV-Plus DVB card under Windows, because (I think due to a card/motherboard/ACPI issue), Windows gives a BSOD on bootup with the driver enabled.

I didn't realise straight away that this card had been reenabled, and so I was trying to boot into Safe Mode so I could try and take stock of the situation. The problem was, I couldn't log in as Administrator in Safe Mode, and I still have no idea why. After using the extremely useful Offline NT Password & Registry Editor to attempt to reset the Administrator password from Linux, I still had no joy, and tried booting into Safe Mode with Networking instead. At least then I could log in as myself, authenticating against my domain (which is implemented by a Samba server). I could then disable the DVB card and boot normally to install the right video card driver.

Windows is such a prat of a thing when it breaks.

[19:57] [tech] [permalink]

Thursday, 15 September 2005

I love devscripts

Every time I fossick around in the devscripts package I find something new and useful. Today's find was the tagpending script.

I've been getting into the habit of the good practice of tagging the bugs I've fixed as pending. Particularly so for dhcp3, as it has a truckload of bugs, and I tend to spend a lot of time working on them to knock off as many as possible before making an upload. Until now, I'd been fixing the bug, adding it to the changelog, and then marking it as pending with the also lovely bts command.

Well tonight, while trying to re-find dd-list, I discovered tagpending, which scans the changelog, queries the BTS via LDAP, and automatically marks any bugs closed in the changelog as pending that aren't already.

Nice one Joshua!

[05:27] [debian] [permalink]

Back at the office - the first fortnight in review

So, as I mentioned previously, my stint working on site at one of my company's clients ended at the end of last month due to contractual headcount reductions. I returned to the general Professional Services pool at the office.

It's been an interesting couple of weeks, and I get the distinct impression that they don't really know what to do with me. This is partly of my own making, as I have been totally frank and honest with my management about an opportunity to work overseas that arose months ago. That has gotten to the point where I'm just waiting for the visa to get sorted out, and then I'm pretty much going to resign. Problem is, I have no real idea of when the visa is going to be ready, so therefore I can't give anyone, myself included, a better idea of time-frames than "probably November".

So for the first week and a bit, I sat at the desk of a project manager who was on leave, and did bits and pieces of a number of projects. The work was very stop-start though, and I found this a bit unsettling, as Professional Services is all about billable hours, and I didn't want to have big wads of unbillable time on my timesheet where I'd been twiddling my thumbs.

On Monday, when the project manager returned, I relocated to the "hot desk" - a desk intentionally kept vacant for visiting members of staff from other offices. That lasted until about lunchtime yesterday, when I was asked if I could help out with a stack of documentation relating to the old client whose site I used to work at, that needed to be done by the end of the month. So then I relocated upstairs to the NOC.

Then my old boss called me this afternoon and asked me if I'd prefer to go back to the client's site for a couple of weeks to help bail out a hardware upgrade project that had gone off the rails. I'd much rather do that than go batty trying to write gateway design documentation, so I agreed. I just have to wait for a new building pass to be issued.

So, in summary, I feel like I'm a bit... unallocated. But I guess that is the price I have to pay for being upfront and honest about probably leaving the company. I get to keep getting paid until I leave, and they get to throw me wherever suits them. C'est la vie.

[01:17] [work] [permalink]

Wednesday, 14 September 2005

On the price of petrol

Got this via email this morning...

You know the world has changed when your car's drink costs more than your own.

[15:58] [life] [permalink]

Tuesday, 13 September 2005

So it's not just me...

...who is freaked out by Jon's desire to implant an RFID tag in his hand.

[16:56] [life] [permalink]

Monday, 12 September 2005

The Six Dumbest Ideas in Computer Security

[18:59] [tech/security] [permalink]

I smell some carnage coming up

Or "Don't reboot your net-booting clients if you've just upgraded your DHCP server"

For reasons of RFC correctness, the ISC has changed the behaviour of their DHCP server, within a maintenance release, between versions 3.0.2 and 3.0.3.

Specifically, the next-server attribute defaults to zeros if not set, whereas previously it defaulted to the address of the DHCP server. So, upgrading has the potential to break setups that previously worked.

It doesn't help that the upstream manpage for dhcpd.conf doesn't appear to have been updated to reflect this change. That'd be #327829.

I put a NEWS.Debian into the 3.0.3 release of the package that's just hit testing, but I'm wondering if in the interests of full(est) disclosure, it's better to use a selectively displayed debconf note instead? I think I'll do that for the next revision of the package, just to avoid surprise, as the NEWS.Debian file doesn't get translated, and doesn't really get put in your face unless you have apt-listchanges installed and appropriately configured.
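One way to find configurations that relied on the old default before upgrading, as an added example (not part of ISC DHCP or the Debian package): it prints the line number of every filename statement that has no next-server in its own or any enclosing scope. The sample configuration and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag "filename" statements in a dhcpd.conf that have no
# "next-server" in the same or an enclosing scope. With the 3.0.3 behaviour
# described above, clients served from those scopes no longer get the DHCP
# server's own address as the boot server.
# Limitation: scoping is judged lexically (by brace nesting) only, so a host
# declared outside the subnet that supplies its next-server is over-reported.
check_next_server() {
    awk '
    BEGIN { depth = 0; start = 1 }
    {
        sub(/#.*/, "")          # drop comments (a "#" inside quotes is not handled)
        gsub(/[{};]/, " & ")    # make braces and semicolons separate tokens
        n = split($0, tok, " ")
        for (i = 1; i <= n; i++) {
            t = tok[i]
            if (t == "{") {
                depth++; has_ns[depth] = 0; pending[depth] = ""; start = 1
            } else if (t == "}") {
                # A scope without next-server hands its unresolved filename
                # lines up to the enclosing scope.
                if (!has_ns[depth])
                    pending[depth - 1] = pending[depth - 1] pending[depth]
                depth--; start = 1
            } else if (t == ";") {
                start = 1
            } else if (start) {
                # Only the first word of a statement is a keyword.
                if (t == "next-server") has_ns[depth] = 1
                if (t == "filename") pending[depth] = pending[depth] NR " "
                start = 0
            }
        }
    }
    END {
        if (!has_ns[0] && pending[0] != "") {
            n = split(pending[0], ln, " ")
            for (i = 1; i <= n; i++) print ln[i]
            exit 1
        }
    }' "$1"
}

# Constructed sample: thin1 relies on the old default, thin2 does not.
sample_dhcpd_conf() {
    cat <<'EOF'
# constructed sample configuration
subnet 192.0.2.0 netmask 255.255.255.0 {
    range 192.0.2.100 192.0.2.200;
    host thin1 {
        hardware ethernet 00:00:5e:00:53:01;
        filename "pxelinux.0";
    }
}
group {
    next-server 192.0.2.10;
    host thin2 {
        hardware ethernet 00:00:5e:00:53:02;
        filename "pxelinux.0";
    }
}
EOF
}
```

The function exits non-zero when it finds anything, so it can gate an upgrade script.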

[17:20] [debian] [permalink]

Sunday, 11 September 2005

dh-make-perl rocks!

I had the need for Schedule::At today, and as it isn't in Debian, I thought I'd have a play with dh-make-perl to make a package out of it, rather than just slapping it on my server.

I was very pleased to discover that making a package out of (at least a trivial) Perl module is as easy as falling off a log. It only fell down on dependency determination. It failed to declare a build-dependency on at and so one of the tests failed when built under pbuilder. It also appears to have failed to declare an install-time dependency on at as well.

Other than that, it worked great. I especially liked the fact that I didn't even need to have the source tarball - it just went off and fetched it for me, using the CPAN module.

I'll never use the CPAN module to install Perl modules that aren't shipped with Debian again...

It's kinda weird how it's named dh-make-perl, when dh_make uses an underscore...

[23:54] [debian] [permalink]

Mirror, mirror, on the wall...

Who's the most forgotten mirror admin of them all?

This is the way we fill the mirror,
fill the mirror,
fill the mirror.

This is the way we fill the mirror, on a wet and rainy Canberra afternoon.

(With apologies to Playschool)

[Image: Cacti graph showing utilisation of /srv increasing]

[00:18] [tech] [permalink]

Friday, 09 September 2005

Discovering the pluses of buses

Or "Taking ACTION"

(I wonder how many more ACTION slogans I can cram in here?)

ACTION is the Australian Capital Territory's Internal Omnibus Network. I was so stoked when I discovered that was an acronym... It's got "omnibus" in it. Yeah!

Anyway, enough of the acronym, and the advertising slogans. With petrol prices bursting through the "ludicrous" level and rapidly approaching "fucking insane", when Sarah decided today to ride her bike to work instead of carpooling with me, I thought I'd give catching the bus to work a go.

We've got it pretty good. There's a bus stop right outside the entrance of our townhouse complex.

The first bus plus I discovered this morning was that you stand a much greater chance of getting to where you want to go if you get on the right bus. There are two different bus routes that go past the bus stop outside our place, but only one of them goes past my work. For some reason, I'd completely disregarded the timetable of the route that was no use to me. I knew that the bus I wanted left the terminus (a couple of stops further from mine) at about 8:01am, so I figured if I was at the bus stop at 8am, it'd all be good.

So this morning, I was at the bus stop at 8am, and at about 8:02am, a bus rolled up, and I got on it. Not paying any attention to the route number. Pretty soon, it was apparent that it wasn't the bus I wanted. I should have been more awake I guess. Fortunately, it still went reasonably close to my work, and I had a brief (and pleasant) stroll from where I bailed out, to my work. Post-mortem analysis showed that both buses leave the Watson terminus about 5 minutes apart from each other. So when we used to drive to work and leave a bit after 8am, the bus we'd see at the bus stop wasn't necessarily always the same bus...

I think I can count on the fingers of one hand the number of times I've caught a bus since I've been living in Canberra. I always get anxious, especially today, because not long after I got on, I started to wonder if I was on the right bus or not. I had no idea where the bus I knew I didn't want went, so I wasn't sure where I was going to wind up. It's also a bit of a hit and miss affair with knowing when you've passed the stop before your stop and so should ring the bell.

I caught the bus home after work much more successfully, and in spite of the minor SNAFU this morning, I quite enjoyed myself. I think I'll get a book of 10 prepaid tickets for $21.40, which is a far cry from the near $100 it now costs to fill up the tank in the car, and load up my iPod Shuffle and start bussing it in to work.

[02:22] [life] [permalink]

Thursday, 08 September 2005

Popping the hood on Mailman

I know just enough Python to get myself into trouble, or out of it as was the case tonight.

I was playing around with my new installation of Mailman, and I wanted to have all web interface interaction occur within an SSL encrypted session - problem was, I'd changed "http" to "https" in the DEFAULT_URL_PATTERN in /etc/mailman/mm_cfg.py after I'd already created a mailing list, so this one list wasn't playing ball.

Dumping the list's config out with config_list didn't help a lot, as it just had the hostname part of the URL in it, not the protocol.

Time to break out the withlist utility. Problem is, that throws you into an interactive Python interpreter at best. So I put my Dive Into Python reading to good use, used the dir() function on the "m" mailing list object at my disposal, discovered, amongst other things, the web_page_url field had what I wanted (including protocol specifier). So I changed it, called m.Save() and got on with my life.

[03:59] [tech] [permalink]

Give me Sendmail any day

Last night I burned a heap of time setting up Debian's packaged version of Exim 4. I wanted to also use Mailman and Request Tracker, and this was where I ended up spending a heap of the time. This was mainly due to me trying to bolt up the learning curve, and running out of steam.

I was also a bit confused by the way the configuration files worked. I figured that because I answered "no" to the "Split configuration into small files?" question, the myriad of files in /etc/exim4/conf.d were the alternative to splitting up into even more.

So after I dicked around with this myriad of config files, with no visible change in behaviour, I realised that /etc/exim4/exim4.conf.template was my actual config file (I was mentally filtering out anything without ".conf" on the end of the filename). I decided that the "split-out" config option wasn't actually all that bad, so I turned around and used it instead.

Next, I was more used to Debian's Sendmail package's makefile driven configuration regeneration approach, so I wasn't sure if I had to do anything special after altering config files. Turns out from inspecting the init script, it regenerates everything on a reload, so that wasn't a big deal. The script named "update-exim4.conf" (which to me sounds like a config file in itself) will do it on demand.

So, at this stage, I had a basic Exim configuration happening. Next, I wanted Mailman, so I chucked that on. Again, drawing on my Sendmail experience, I foolishly thought it would be pretty much the same. Turns out, that Mailman can, with a bit of encouragement, integrate right in with Exim to the point where you don't need to explicitly add the half a dozen aliases that you'd normally have to add with Sendmail after you've created a new mailing list. This I liked. Fortunately, the /usr/share/doc/mailman/README.EXIM.gz file has a fairly comprehensive set of instructions on how to get things going.

At this point, I think Debian's Exim4 package should default to the "split-out" configuration option, and the Debian package of Mailman should, if Exim4 is the installed MTA, plop the relevant files into /etc/exim4/conf.d

So that got me going with Mailman. Sweet. Onto Request Tracker.

Total bloody nightmare

Again, like Mailman, you can (almost) make the alias additions redundant for Request Tracker queues, which is good, because out of the box, Debian's Exim4 doesn't like piping stuff to programs via the aliases. I couldn't figure out how to just enable that feature, and it sounded like a bad idea anyway, so I struggled onwards, and did some Googling, until I happened upon this kind soul who had some pretty good instructions, which I just adapted for the Debian installation of Exim and Request Tracker.

So that concluded the MTA battles of last night. For extra credit, after I've got Drupal working the way I'd like it to work, I'll revisit the Exim config to ensure it's doing all the cool built in spam prevention stuff that Exim is reportedly so good for.

[02:48] [tech] [permalink]

Sunday, 04 September 2005

You know you've married the right woman when...

you wake up at 4am feeling parched because you had (quite) a few too many glasses of red at the neighbours' the night before, and there's a glass of water beside the bed for you.

I love my wife.

[16:43] [life] [permalink]

Saturday, 03 September 2005

Must be the weekend for hardware failures

The last time I was in Brisbane, I retrieved the old daedalus, which is the 4 year old VA Linux 1RU low-end Pentium III that used to serve my website.

It sat in a carton in the lounge room until this week, when I finally unpacked it and chucked it in the study.

This weekend, I started cannibalising the drives out of it. It has 2 Seagate 120G disks, which were software mirrored, but that had been playing up due to some errors on what appeared to be the second disk. The intention was to take one and put it in brutus, my desktop machine, which has my DVB card in it, so I could record more TV. I'd then keep the other disk in the old daedalus and reinstall it with a fresh install, and it would just be a general purpose sacrificial box/distcc node or whatever took my fancy.

Easier said than done. I discovered the folly of using the LVM volume group name of "base" for everything - you chuck another disk in with the same (but really different) volume group, and LVM gets very upset. No amount of tweaking /etc/lvm/lvm.conf to ignore /dev/hdb seemed to help (perhaps I should have put explicit partitions in the file instead of the whole disk device).

I tried to do all manner of creative things, including plugging the second drive into my laptop via Mikal's IDE-USB adaptor, but that approach didn't seem to have the drive show up properly.

In the end, I booted from a Sarge netinst CD, with only the second disk attached, and did a vgrename on it.

Then the video card started doing weird stuff. More often than not, the video output is all "wonky". A lot of what looks like interference, garbage characters. You can barely make out the display when it's displaying 80x25 character-mode. Sometimes on the next boot it's okay for a while. Sometimes hitting the reset button a few times cleans it up, but it seems to be a temporary fix. I had a boot that started off fine go to custard after a while.

I'm putting this down to the fan on the video card (an nVidia GEForce2 MX if I recall correctly) being seized (well it's not turning, and is quite stiff to turn manually), with presumably nasty effects on the card.

So I guess my next Computer Fair purchase is going to be a new video card. Thing is, I don't really follow PC hardware, so I have no idea what to buy.

I'm contemplating getting a DVI card that can provide two outputs, or use a DVI-VGA dongle. Then I can keep my honking big 17" CRT for a bit longer, and upgrade to a pair of LCD flat panels down the track if I'm feeling rich. Alternatively, I guess I could just replace the entire box and dice with one of those stupidly cheap Dell package deals, that include a flat panel, and be done with it. Relegate that machine to being yet another sacrificial box.

I don't play games, so I don't need anything terribly fancy, but I do occasionally watch a bit of the TV I've recorded on the box. I guess I should start doing some video card research...

[22:03] [tech] [permalink]

Friday, 02 September 2005

On America's choice of building sites

I haven't fully comprehended the situation in New Orleans. This interview transcript helped improve it a little bit.

The one thing I have to say is, why the hell do you build a city of some half a million people (is it really only half a million? That's what Google tells me it is.) below freaking sea level?

It's up there with rebuilding a destroyed house in a place they call "Tornado Alley". I do not understand the logic. At all.

I can't begin to comprehend the sheer disruption to so many people's lives. So there's supposed to be something like a million people displaced. Probably without homes to go back to. They're saying it's going to be months before those people can return. What do they do for work in the meantime? Where do they all go? It's not like every motel between New Orleans and wherever they all tried to shoot through to is going to be able to cope with that many people. The mind boggles every time I try and think of the sheer logistics of it all.

[23:40] [opinion] [permalink]

Wednesday, 31 August 2005

Firefox's Live Bookmarks are the business!

Yesterday I figured out how to do Live Bookmarks in Firefox, and so today I reorganised my toolbar so that I had the feeds from the Planets that I usually read, as well as Google News. So now I can see at a glance if there are any new posts. Very cool.

Screenshot of my Live Bookmarks in action

[17:04] [tech] [permalink]

Curses. Foiled again.

Courtesy of The New Inventors, it appears that someone else already came up with my latest brilliant idea of diverting rainwater from downpipes to somewhere more useful than the storm water drain.

[04:33] [life] [permalink]

Fun with LVM2 snapshots

So I thought I'd have a bit of a fiddle with LVM2's snapshot feature, given there's been a bit of discussion about it lately.

Turns out, if pbuilder were to use this, it'd greatly speed up the chroot creation time.

What I did was create a logical volume for use as the chroot "master" if you will, and unpacked a tarball of a pbuilder chroot into it.

I then created a snapshot logical volume that used this "master" logical volume. Pretty much instant copy. Mounted the snapshot volume, and ran amok on it. Then unmounted it, removed it, and the original "master" logical volume is still in its original state. Sounds good to me. I wonder if the Debian buildds would benefit from this as well?

[01:59] [tech] [permalink]

Monday, 29 August 2005

Look Ma, I got me a USB key!

I finally got around to buying myself a USB key at the Computer Fair on the weekend, largely because some changes to my work environment were going to require that I start sneaker-netting files around a lot more, and also because I'd wanted one for a while.

I wanted to get a 1GB one, because I could stick a whole ISO image on it, as well as have a bit of room for playing around. I also wanted to be able to shove a Debian installation ISO of some sort on it, so I could boot from the key if I so desired.

So far, despite really clear instructions, I haven't had a lot of luck on the booting front, and I discovered today that Windows seems to only show the first partition of the key, which is a bit limiting. That said, it certainly came in handy today.

Last week I got a new desktop workstation, because my work laptop was being reimaged with the new corporate SOE, and was to be solely used for accessing the corporate VPN. The desktop was to do actual work on the client's management LAN. The workstation was some sort of Dell (can't remember the exact model), and it came with two 17" LCD flat panels. I decided to dual boot it between Windows XP and Debian, with the intention of spending most of the time in Linux if I could manage it.

The one downside: no Internet access from this management LAN, hence the USB key.

I did a base installation with the first Sarge CD, and then did some nasty hackery to do the rest sneakernet style, ferrying files between my laptop on the (very slow) corporate VPN with Internet access, and the desktop. It worked fairly well. I wrote a little shell script called offline-apt-get, which basically just spat out the URLs of the files it needed to download, and I redirected this to a file, and then ran a wget --input-file on this file on my laptop, and then copied all the .debs retrieved into /var/cache/apt/archives, and proceeded to apt-get install as normal. apt-get updateing was achieved in a similar manner, except I copied the relevant Packages files into /var/lib/apt/lists with the appropriate names to match the entries in my sources.list.

So I ended up with a sources.list that mentioned externally unreachable Debian mirrors just like a normal install would, and just a bit more manual labour in terms of fetching files.

For the record, the offline-apt-get script just looked like:

apt-get -y -qq --print-uris $* | awk '{ print $1 }' | sed "s/'//g"
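
A check worth running before the ferried .debs go into /var/cache/apt/archives, as an added example rather than part of the original script: it compares each file against the size and SHA256 recorded in the saved --print-uris output. It assumes the four-field line format ('URI' name size SHA256:hex) that current apt prints; verify_debs and the script name are hypothetical.

```shell
#!/bin/sh
# Usage: verify-debs.sh URIS_FILE DIR   (hypothetical script name)
#   URIS_FILE  saved output of `apt-get --print-uris ...` from the offline box
#   DIR        directory holding the files fetched on the online box

# verify_debs URIS_FILE DIR
# Prints one status line per entry and returns non-zero if anything fails.
verify_debs() {
    uris=$1; dir=$2; rc=0
    while read -r uri name size hash; do
        [ -n "$name" ] || continue              # skip blank lines
        # The file name comes from the list: refuse anything that could
        # escape DIR or hide as a dotfile.
        case $name in
            */*|.*) echo "BAD $name (unsafe file name)"; rc=1; continue ;;
        esac
        case $size in
            ''|*[!0-9]*) echo "BAD $name (no size in list)"; rc=1; continue ;;
        esac
        f=$dir/$name
        if [ ! -f "$f" ]; then
            echo "MISSING $name"; rc=1; continue
        fi
        actual=$(( $(wc -c < "$f") ))           # arithmetic strips padding
        if [ "$actual" -ne "$size" ]; then
            echo "BAD $name (size $actual, expected $size)"; rc=1; continue
        fi
        case $hash in
            SHA256:*)
                got=$(sha256sum "$f" | awk '{ print $1 }')
                if [ "$got" = "${hash#SHA256:}" ]; then
                    echo "OK $name"
                else
                    echo "BAD $name (SHA256 mismatch)"; rc=1
                fi ;;
            *)  # older lists carry only MD5, or no hash at all
                echo "UNVERIFIED $name (no SHA256 in list)"; rc=1 ;;
        esac
    done < "$uris"
    return "$rc"
}

# Run directly when called with the two arguments.
if [ "$#" -eq 2 ]; then
    verify_debs "$1" "$2"
fi
```

The check is only as trustworthy as the URI list itself, which should come straight from the offline machine's own package lists.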

[05:26] [tech] [permalink]

Sunday, 28 August 2005

Yay!

Kynan's blog feed has finally stopped looking like utter poo and is actually readable in my personal Planet. This is a good thing, as I've been trying to read his blog, but it's been an uphill battle in terms of legibility.

[06:03] [life] [permalink]

Saturday, 27 August 2005

Wedding photos

All 243 of the professional ones are now up here.

I want to take this opportunity to sing the praises of Andrew Sawatske of Hi-tide Photography. Sarah vaguely knew him from triathlon circles. He does a lot of sports photography as well as weddings.

He's from the Central Coast, so as part of the photography package, we put him up at University House, where most of the wedding guests were staying, and he came to reception as well, and sat on the triathlete table. He really enjoyed himself, which I think is reflected in the extra work he did.

So not only did we get excellent wedding photos, he also sent us a DVD slide-show at no extra cost. We got all of this, including high-resolution digital copies of all the photos on DVD, four weeks after the wedding.

[19:21] [life] [permalink]

Wednesday, 24 August 2005

Fun with xargs

Had some fun with xargs this morning. I came up with such a monstrosity, I have to record it for posterity.

The situation was one where we had a script that was scping a whole pile of files around, and the source directory got so big, that a straight "scp ${SOURCE}/* $DESTINATION" was resulting in the good old command-line too long situation.

Sounds like a job for xargs I say. But how do we tack the destination on the end? I'm used to situations where you just want to pass a whole lot of arguments to a command, but not have a constant value on the end. Oh, and this was on Solaris for good measure, so I was fully expecting to not be able to do it.

Did some prototyping. Put "a-z" in /tmp/alphabet, one per line.

apollock@caesar:~$ cat /tmp/alphabet | xargs -L 6 echo
a b c d e f
g h i j k l
m n o p q r
s t u v w x
y z

Right, so that solved the argument length issues, but I needed a constant argument on the end. I tried

apollock@caesar:~$ cat /tmp/alphabet | xargs -L 6 -i echo '{}' foo
a foo
b foo
c foo
d foo
e foo
.
.
.

But as you can see, (and so the manpage says), -i implies -l1 (which is the same as -L 1). Bummer.

So then I came up with this ripper:

apollock@caesar:~$ cat /tmp/alphabet | xargs -L 6 echo | xargs -i echo '{}' foo
a b c d e f foo
g h i j k l foo
m n o p q r foo
s t u v w x foo
y z foo

That's the ticket!
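
An added example (not from the original post) that swaps echo for an argument counter to show what the command actually receives: with -i/-I each batch arrives as a single argument, whereas a small sh wrapper keeps the batch as separate arguments with the destination last. The function names and sample file names are made up for illustration.

```shell
#!/bin/sh
# Batching a long file list while keeping a constant last argument.
# An argument counter stands in for scp so this runs offline.

# The 26 one-letter names from the post's /tmp/alphabet, one per line.
alphabet() {
    for c in a b c d e f g h i j k l m n o p q r s t u v w x y z; do
        echo "$c"
    done
}

# The two-stage pipeline from the post, with the final echo replaced by a
# counter. -I (the current spelling of -i) substitutes each input line as
# ONE argument, so the command sees "a b c d e f" as a single word plus
# the destination: two arguments per invocation.
two_stage_argc() {
    dest=$1
    xargs -L 6 echo | xargs -I '{}' sh -c 'echo "$#"' sh '{}' "$dest"
}

# Single xargs: -n 6 caps the batch size, and a tiny sh wrapper appends the
# destination (carried in as $0) after the batch ("$@").
# The sed stage backslash-escapes every character outside a safe set so that
# xargs keeps names containing spaces or quotes intact. Names containing
# newlines are not handled.
batched_argc() {
    dest=$1
    sed 's|[^[:alnum:]_./-]|\\&|g' |
        xargs -n 6 sh -c 'set -- "$@" "$0"; echo "$#"' "$dest"
}

# Same wrapper, printing each argument in brackets to make the word
# boundaries visible. Replace the printf with: scp "$@" "$0"
batched_show() {
    dest=$1
    sed 's|[^[:alnum:]_./-]|\\&|g' |
        xargs -n 6 sh -c 'printf "[%s]" "$@" "$0"; echo' "$dest"
}

# Demo when run directly with the word "demo".
if [ "${1:-}" = demo ]; then
    echo "two-stage argument counts:"; alphabet | two_stage_argc foo
    echo "wrapper argument counts:";   alphabet | batched_argc foo
    printf '%s\n' 'my file.txt' "it's.log" | batched_show host:/tmp
fi
```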

[17:31] [work] [permalink]

Finally

One of the things I wanted to do when I first got my PowerBook was connect to the Internet via the GPRS connection of my T630 over Bluetooth. It's always eluded me.

I recently reinstalled my PowerBook because I wanted to reduce the amount of space dedicated to Linux, and generally give it a clean out. Tonight, I was reinstalling bits and pieces and decided to revisit this chestnut again.

After a bit of concerted Googling, I found the homepage of Ross Barkman, who has some useful extra scripts for the T630, which for some reason, Apple doesn't ship with MacOS X. After throwing this into my /Library/Modem Scripts/ directory, and following the detailed instructions included with the scripts, I had things working very nicely indeed via Telstra.

Thanks Ross, I owe you a pint.

[03:51] [tech] [permalink]

Tuesday, 23 August 2005

Yeah baby!

A.N.D.R.E.W.: Artificial Networked Destruction and Rational Exploration Worker

[23:08] [geek] [permalink]

Dropping out

Well, taking leave from the program is the official term.

I had a shit of a Monday yesterday, and that just threw me over the edge, so I decided to withdraw from this semester. Apparently I can take 12 months leave without any dramas. The only downside is that it starts from the start of this semester, so I need to resume study or reapply for another 12 months at the start of second semester next year. We'll see what happens.

I feel a bit hollow at the moment about doing it. I feel particularly bad about letting down my two assignment partners for COMP2110. I'm going to miss hanging out with my friend Tiane as well.

Sigh.

[05:32] [uni] [permalink]

Friday, 19 August 2005

National "Mate" day

As opposed to National Mating Day.

Apparently some directive that the security guards at Parliament House may no longer address members of the public as "mate" has caused a bit of outrage.

The local radio station certainly wasted no time in seizing upon it.

So... G'day maaaaaaaaaaate!

[05:15] [life] [permalink]

Thursday, 18 August 2005

To withdraw or not to withdraw?

That is the question.

Never before has a University census date been something I have been eyeballing so closely. I am in two minds about whether or not to persist with this semester's study.

Why?

Well there is a reasonable chance that I won't be in the country come exam time. The conundrum becomes: do I risk that I will, persist with my study, blow my fees, and hope I'm here (and pass my exams)? Or do I want to spend my final days in the country relaxing a bit more? That option is starting to appeal to me. Especially given that I really don't feel like I've engaged terribly well this semester with all the other distractions in my life lately (potential changes in employment, marriage, overseas trips, excessive trips to Brisbane).

That and the two courses I'm doing are a combination of damn hard and damn boring: Software Design is boring, and Concurrent and Distributed Systems is extremely hard, with a track record in failing students (quite a few are repeating it). To cap it off, the boring one is actually more important as far as prerequisites for third year go.

I already feel behind. I have two assignments on the boil right now (one of them a group one), and I'm going to Brisbane for the weekend, so this weekend is a write-off.

So I can spend every night next week at Uni, as well as all of next weekend, and flog myself silly, and I might just get somewhere remotely close to back on track again, just to find out that I have to withdraw further down the track anyway (possibly with academic as well as financial consequences) or I can just withdraw now, presumably get my money back, and not get a blight on my record.

The one downside to doing this is it fucks up my original (and future) plans for returning full-time and knocking over 3rd year in one hit. I'd still be two courses shy of graduating.

Sometimes I wonder if I'm ever going to get this degree. Sometimes I wonder if it really matters. Then I remember how close I came to probably not being able to get a US work visa at all because of my lack of a degree, and I remember...

Sigh. Waiting sucks.

[23:46] [uni] [permalink]

So cut

And that's just my car tyres.

I had my usual 9am Friday lecture this morning, so I went straight to Uni from home, and parked at the usual set of parking meters close to where my lecture is, at about 8:45am. I was the first car there.

At about 10:10am, I returned to my car to discover that the back two tyres were flat, and the front left one was also looking a bit short of breath. I was a bit stumped on what to do with that many flats for a while, and finally called the NRMA to try and organise a tow.

The operator tells me they'll have someone there "within the hour". So I sit in the car and twiddle my thumbs. An hour and a bit passes, and there's no sign of anybody, so I call again, just to check they've got the location correct. They tell me that they were only going to send a patrol car (one that can jump start your car, give you emergency fuel, look under your bonnet, that sort of thing) not a tow truck. I tell them that that isn't really going to help me with three flat tyres, and so could they please send me a tow truck. They agree, and say that one will be dispatched.

Shortly afterwards, I get a telephone call back from someone at the NRMA trying to talk me out of getting a tow truck and just getting a patrol vehicle. They put me on hold for a bit and say something about getting the patrol vehicle to swap the spare and blow up the rest and see how we go. I couldn't be bothered arguing with them, and at this stage I wasn't sure why my tyres were flat, so I agreed. Another hour passes.

The patrol vehicle turns up at about 12:15pm, and proceeds to blow up the back two tyres with a portable air compressor, and sure enough, the knife slash points become quite obvious because air is pissing out of them. Great. To cap it off, I'm not entitled to free towing because it is malicious damage as opposed to a breakdown. Maybe that's why they wanted to send a patrol vehicle so badly. The patrol dude tells me it'll cost $88 for the NRMA to tow me to a tyre place, but he rings a mate who says he'll do it for $65 or $55 or something (didn't quite make it out over the radio), and be there in another hour or so. So we (Sarah had come and joined me, and my study buddy Tiane had as well) settle back and wait some more. Steve happens to wander past as well. We could have had a right party in the car at this point.

An hour and 20 minutes pass, and no tow truck. So I call the NRMA and ask them to call the patrolman and get me the number of the tow company he'd called. I get that, call them, and they have no idea what I'm talking about, and tell me that it'd normally cost $170 for a tow, but they'll do it for $80 cash and be there in another hour.

That tow truck rolled up a bit quicker than that though, which was a relief. The car's now sitting at the tyre shop until Monday because everyone seems to need to order in the type of tyres I have on my car, and don't keep them in stock. Lucky we're going to Brisbane for the weekend.

So I ended up getting to work at about 3pm. I'd love to know who slashed my tyres and why. I don't recall causing any road rage on the way to Uni, and it's been a huge inconvenience. Parking around the Uni is hard enough as it is, without putting me off parking in the one spot I can usually get a carpark.

Sigh.

[22:56] [life] [permalink]

Wednesday, 17 August 2005

Yes, those lca2005 papers are mostly available

Martin and Mikal jumped the gun slightly and have mentioned that the papers from the conference are available. I'm actually in the final stages of extracting the last remaining ones from a few speakers who haven't coughed up yet (you know who you are).

I was suggesting Steven hold off announcing to lca-announce until such time as the majority of the papers were up, so people wouldn't have to keep checking back for the one paper that wasn't there yet, but was wanted.

Oh, and while you can browse at http://lca2005.linux.org.au/Papers, the papers are also linked in from the conference program pages, which may make finding a specific paper easier.

[20:34] [lca] [permalink]

Don't get on the wrong side of Rove McManus

Sarah and I went to see Rove McManus Stands Up this evening. It's been a while since I've seen some stand up comedy.

I think the first thing that took both of us back a bit was his gratuitous use of the word "fuck". It's not like I've never seen a comedy act that didn't rely on massive amounts of cursing and swearing to get a laugh, it was just a bit of a surprise to hear it coming out of Rove's mouth, compared to what you see from him on TV. I personally don't think it's all that necessary either.

The thing I was most impressed about was his ability to ad-lib and adapt his act to what was going on in the audience. That and the fact that he localised things a bit. He made reference to catching a bus to Woden for example. Little things like that showed that he took the time to research where he was performing.

Overall, good value for money. Good night out.

Oh, and why shouldn't you get on the wrong side of him? Well he spent a sizable chunk of the evening paying out on Australian Idol's Anthony Callea, which apparently stemmed back to a rehearsal for the Logies, where one of Callea's minders asked him not to make a short joke about him.

[06:07] [life] [permalink]

Monday, 15 August 2005

Sheesh

My computer geek score is greater than 83% of all people in the world! How do you compare? Click here to find out!

Not as geeky as some...

[16:20] [geek] [permalink]

Sunday, 14 August 2005

Introducing Sarah Pollock

I need to boost her Google-juice a bit. Sarah Pollock managed to make a meal of renaming her blog last time she tried, but this time it Just Worked.

I suspect the other Sarah Pollock is going to remain more interesting to Google, though.

I wonder if this just negates the Google-juice-boosting attempt?

[00:57] [life] [permalink]

Saturday, 13 August 2005

Inflation by stealth

I had a crack at making some herbed meatballs for dinner last night, and I went to the supermarket to get some of the ingredients. The recipe book called for a 440g tin of tomato soup, but all I could find was a 420g tin.

I'd always heard of how manufacturers did one of two things over time to bump the price: raise the price, or reduce what you got for your money. This was the first time I'd seen an example of the latter first hand.

Bad inflation. No donut for you.

[16:29] [life] [permalink]

Wednesday, 10 August 2005

Do you know your IMEI?

Kynan lost his phone, and is regretting not knowing his IMEI. I realised I didn't have a readily accessible record of mine, so after a spot of Googling, determined that to get a Sony-Ericsson T610 to give up its IMEI, you enter *#06#. I could have sworn that Nokias used *#0000#, but Sarah's 5110 needed *#06# as well...

[03:39] [life] [permalink]

Tuesday, 09 August 2005

Nice work

Good to see Discovery made it back in one piece.

[05:12] [life] [permalink]

Last enforcement modules migrated

This morning and last Tuesday morning saw me in at work at stupid o'clock again migrating the last two enforcement modules in this site. Both went fine, and it's nice to have semi-completed a project. There's another site up in Sydney that I'm nominally supposed to also be migrating, but due to some contractual changes, I'm being pulled off this contract back into the general Professional Services practice at the office. Fine by me, a change is as good as a holiday.

[03:56] [work] [permalink]

Sunday, 07 August 2005

New laptop

I recently ordered a new laptop for myself, as I shortly have to get my work laptop reimaged with the new corporate SOE, which is most likely going to exclude dual-booting. My work laptop is a Dell D600, and I've been fairly happy with the performance of Linux on it, so I elected to buy a D610, as it seemed to have superseded the D600. I didn't do any further homework. Fatal mistake.

Turns out that the D610 is not just a new D600, aside from being drastically different, the video chipset seems to differ between Intel i915 and some sort of ATI Radeon Mobility M300. I have the latter, however I've seen stuff on linux-on-laptops.com, which alludes to D610s with the former. From what I've read, I think I'm glad I have the ATI.

Anyway, Debian Sarge just works on a D600. Debian Sarge with a 2.6 kernel can't even see the hard drive (SATA, whoa) of a D610, but strangely the 2.4 kernel can. So I've ended up installing Sarge with a 2.4 kernel, then installing the 2.6.12 kernel from unstable, and then having my 2.6 kernel and a hard drive. Good stuff. But I can't see the CDROM. It's SATA too (wtf?), and apparently you need to tweak the kernel a bit. I hate tweaking kernels. Once you start, you never get it right.

Next, ACPI suspend to RAM doesn't work. It goes into suspend and then wakes back up straight away. So while I'm building my own kernel, I might be needing to build Suspend2 into it as well. I had to use the X.org packages from unstable to get X working, but then it just worked. So currently I'm running more of unstable than stable. I suspect I might reinstall again and see how much of just Etch I can run, as ideally I'd like to track testing with this laptop, not unstable, but it's obviously going to take a bit of work to get this thing to where I want to have it.

For the record, what I got was:

  • 512Mb RAM
  • Pentium M 1.60Ghz processor
  • 80GB hard drive
  • the super dooper burn everything under the sun optical drive
  • the spanky 1400x1050 screen with the ATI Radeon Mobility M300 graphics chipset and something like 64M of video RAM
  • the bluetooth option
  • Intel Centrino 2200 wireless chipset, because that's what the D600 had and I knew it worked (I think it was also a tad cheaper than the other alternative)

All this for the princely sum of $2,200 AUD. I'm fairly happy. Not as happy as if it worked out of the box like a D600, but happier than if I'd bought a total lemon. I am typing this from Linux, wirelessly, at 1400x1050, so it's not all bad. If it slept when I closed the lid it'd be mostly all good.

[00:02] [tech] [permalink]

Thursday, 04 August 2005

I'm feeling lucky

That is all.

[18:23] [life] [permalink]

Saturday, 30 July 2005

Many happy returns

It seems that Mikal has tried having a stealth birthday recently. Tut tut. Happy birthday mate.

[16:58] [life] [permalink]

Friday, 29 July 2005

Let the ladies gym wars begin

The radio informed me on the way home that the Fernwood gym at Belconnen had held a "mass breastfeeding" in protest over how rival gym Club Pink had apparently ejected two members for breastfeeding or something.

The bit that I found amusing was that they actually played a response from Harry Konstantinou on the air as part of the story, with him trying to play down the whole thing (something about them having no problem with breastfeeding, and they provided appropriate facilities).

I dare say they wouldn't have played a soundbite other than for the fact that Harry is quite the entrepreneur (I'm aware of him being behind The Club Group, Velocity Internet, The Technology Warehouse, eSolve IT, as well as owning commercial property and being involved in commercial construction), and as such, is quite a large advertiser on the station.

[01:40] [life] [permalink]

Wednesday, 27 July 2005

Sendmail 8.13's s3kr1t new GREET_PAUSE feature

In endeavouring to catch up with my debian-devel backlog yesterday, I discovered that Sendmail 8.13 has a new feature whereby it can be configured to hold off on issuing the 220 response for a brief delay. Any hosts that connect and immediately try to ram an SMTP conversation down its throat get summarily told to naff off with a 554 response because they are violating the relevant RFC.

So I thought I'd turn said feature on yesterday to see what happened. It's certainly generating some hits in the logs. I've just done a spot of analysis, and of the 28 unique IPs that were knocked back, 16 of them were in the dul.dnsbl.sorbs.net blocklist, which I already use to knock back some spam. Of the remainder that resolved (2 didn't), they all looked a bit dynamic from their hostnames. The one that stood out was nproxy.gmail.com. I did do some tests from GMail as soon as I enabled the feature yesterday, and all tests have worked fine, but I've taken the precaution of (hopefully correctly) whitelisting all of GMail's IP addresses.
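
The log analysis described above, as an added example rather than the author's own commands: it pulls the unique rejected addresses out of the mail log and builds the reversed-octet names to look up in dul.dnsbl.sorbs.net. It assumes the rejection is logged as "rejecting commands from HOST [IP] due to pre-greeting traffic"; the log lines are constructed and use documentation address ranges.

```shell
#!/bin/sh
# Summarise GREET_PAUSE rejections from a sendmail log.

# Constructed sample log lines (not real traffic).
sample_log() {
    cat <<'EOF'
Jul 26 09:12:41 mail sendmail[2101]: j6PNCfaa002101: rejecting commands from dsl-10.example.net [192.0.2.10] due to pre-greeting traffic
Jul 26 09:40:03 mail sendmail[2177]: j6PNe3aa002177: from=<user@example.org>, size=1432, class=0, nrcpts=1, relay=mx.example.org [198.51.100.200]
Jul 26 10:02:17 mail sendmail[2240]: j6Q02Haa002240: rejecting commands from [203.0.113.45] [203.0.113.45] due to pre-greeting traffic
Jul 26 11:30:55 mail sendmail[2391]: j6Q1Utaa002391: rejecting commands from dsl-10.example.net [192.0.2.10] due to pre-greeting traffic
Jul 26 13:05:09 mail sendmail[2533]: j6Q359aa002533: rejecting commands from pool-7.example.com [198.51.100.7] due to pre-greeting traffic
EOF
}

# rejected_ips: read a log on stdin, print each rejected IPv4 address once.
# The pattern anchors on the bracketed address directly before the reason,
# so the "[pid]" after the program name is never picked up.
rejected_ips() {
    sed -n 's/.*rejecting commands from .* \[\([0-9.]*\)] due to pre-greeting traffic.*/\1/p' |
        LC_ALL=C sort -u
}

# dnsbl_names ZONE: turn each address on stdin into its DNSBL query name,
# i.e. the octets reversed with the zone appended.
dnsbl_names() {
    zone=$1
    awk -F. -v zone="$zone" 'NF == 4 { print $4 "." $3 "." $2 "." $1 "." zone }'
}

# listed_only: print the query names that resolve (needs DNS access).
# A listed address has an A record in the zone, an unlisted one does not.
listed_only() {
    while read -r name; do
        if host -t A "$name" >/dev/null 2>&1; then
            echo "$name"
        fi
    done
}

# Offline demo when run directly with the word "demo".
if [ "${1:-}" = demo ]; then
    echo "unique rejected addresses: $(sample_log | rejected_ips | wc -l)"
    sample_log | rejected_ips | dnsbl_names dul.dnsbl.sorbs.net
fi
```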

Biggest problem is the lack of documentation, specifically in relation to whitelisting. I'm not sure if you have the same sort of flexibility that you usually have for specifying hosts. The Sendmail documentation only mentions how to turn on the feature, and the Sendmail website doesn't even mention that much.

Anyway, I guess time will tell if it's helping any more than just using the DNS blacklists I am already using. If you're adversely affected, don't err, email me and let me know...

[19:02] [tech/spam] [permalink]

Monday, 25 July 2005

Debian Solaris?

There have been a few rumblings about a Debian architecture based on an OpenSolaris kernel.

I think this is the only way to make Solaris useable. I've always lamented how much of a royal PITA it is to get common-or-garden Open Source software onto Solaris. You can use Sun Freeware, but that only gets you so far, and you end up with the most convoluted mess in /usr/local (FHS, what FHS?). This is mainly due to the fact that Solaris' inbuilt packaging system blows hairy goats, and that's all that Steve Christensen has to work with.

I think that a Debian GNU/OpenSolaris system would be a massive step forward (because the Solaris userspace is like so 1970). But in all honesty, what would you really gain from using it over Linux? I mean, is the Solaris kernel really all that great? At the end of the day, that's all you'd be left with that was OpenSolaris specific.

[05:20] [tech] [permalink]

Married!

Sarah and I being presented with our marriage certificate

What a day. Where do I start?

Sarah looked absolutely beautiful. We've got a few of the preliminary photographs by the professional photographer up, and there's already one review. The professional photos look absolutely fantastic, and I'm dying to see all of them.

I really enjoyed the whole thing, which was good, given I've always dreaded my wedding day because I didn't want to be the centre of attention. We were untraditional, and we had the photos taken before the ceremony, mainly for practical reasons, as being the middle of winter, we'd have lost most of the light by the time the ceremony had finished.

Despite some concerns, I stuck with having Nick as my best man. Susan also attended the wedding, and I was really glad that they could both be there, even though Susan had a few sad moments. I'm really glad I kept Nick as my best man, as he's the guy I had earmarked for the job for literally years. At the reception, we had a wedding guest register, and Nick wrote this, which brought a tear to my eye:

Andrew, you are the brother that I will never have, and I love you. Sarah you're now my sister as well.

I'm tearing up again just writing it here.

Nick drove down a few days before the wedding and stayed with us, and I'm really grateful I could spend a few days with him, as we haven't had any quality face time for probably years. It reminded me of the good old days.

The ceremony was short and sweet, just the way we wanted it. Despite me trying to memorise my vows, I stuffed them up, and Sarah didn't. She made a little "nyah nyah" face at me after she'd successfully delivered her vows, and the entire audience cracked up. It's always good to have a laugh at a wedding anyway, I reckon.

The reception itself was something we didn't really do our homework on, and was a bit random at times. It would have been good to have done a prepared speech, but Sarah and I just jumped up and said a few thankyous. Nick and Sarah's maid of honour, Lani, gave beautiful speeches, as did Sarah's grandmother and my father. Overall, I think everyone had a great night. I know we did.

The whole thing happening as well as it did, in only seven weeks, was a testament to Sarah's excellent organisational abilities.

[05:02] [life] [permalink]

Friday, 22 July 2005

Apache 2's mod_rewrite behaves differently?

There's always got to be something that doesn't quite work the same when you upgrade from Apache 1.3 to 2.0, hasn't there?

The small bunch of rewrites that I had that made changelogs.debian.net do its thing seem to be causing circular redirects under Apache 2.

Here's what I had under Apache 1.3:

RewriteEngine on
RewriteRule ^/Pics - [L]
RewriteRule ^/logos - [L]
RewriteRule ^/default.css - [L]
RewriteRule ^/favicon.ico - [L]
RewriteRule ^/$ http://%{SERVER_NAME}/index.php [L]
RewriteRule ^/(.*)$ http://%{SERVER_NAME}/changelog.php [NE]
#RewriteRule ^/(.*)$ http://%{SERVER_NAME}/redirector.php [NE]

I basically want every non-image, non-CSS, non-index.php request to be internally redirected to changelog.php, where it will parse up and interpret the URI and do stuff accordingly.

[14:13] [tech] [permalink]

Thursday, 21 July 2005

OMFG!

Solaris 9's df takes the -h option!

[00:08] [tech] [permalink]

Wednesday, 20 July 2005

First phase of migrating servers completed

Today I think I've reasonably successfully migrated email from the old daedalus to the new one. I have some niggling problems with SquirrelMail, which seem to be related to switching from Courier IMAP to Dovecot, but that's about it.

For tomorrow's act, I think I'll try to migrate Mikal's website without breaking it any more than I already have in recent times. Then I'll migrate the other random sites I host, along with the plethora of subdomains of my own, and that should be pretty much it.

I'm trying to get completely off the old box, so I can retrieve it when I visit Brisbane on the weekend of August 20.

[05:49] [tech] [permalink]

Apparently my blog sucks

Well, there's no apparently about it. I know it sucks, it just seems that the entire blogosphere has decided I need to know about it as well. It all comes down to spare time, and the fact that it looks fine to me in my browser (Firefox), at the resolution I usually operate at (1400x1050 or better), so I don't have a nagging urge to do anything about it.

A while ago I went nuts with CSS and deviated from the bog standard layout that Blosxom offers. I was going through a rounded corner phase. The problem was the column layout (and man, doesn't doing columns and stuff in CSS suck?) seemed to not rescale cleanly at lower resolutions. It looks even more abominable in Internet Explorer. Problem was, as I said, that it looked fine to me whenever I looked at it on one of my laptops with Firefox.

So, since I'm too time poor to do anything about it, and I seem to have a horde of people who like to read my blog directly, I hereby throw out a bounty that I've been meaning to put out for a while. I will pay $100 in cash or gadgets (in Australian dollars) to whoever feels like redesigning the CSS for my blog so that it doesn't suck. I'd like it to look like it currently does in Firefox (at 1400x1050, but also at lower resolutions) and IE, and be implemented in such a way that it is Blosxom flavour friendly. Get in touch with me first, so I don't have a small army of CSS monkeys all doing it, as I also have a few more rounded corner type things I'd like to have done while you're at it.

[05:35] [tech] [permalink]

Tuesday, 19 July 2005

Rumba!

So much for the bridal waltz. It's turned into the bridal rumba instead. Alli was kind enough to take time out tonight from being sick to give us a very crash course in how to do the rumba. At the very least we should be able to fumble our way through the box-step.

[05:13] [life] [permalink]

Monday, 18 July 2005

Back to school

In keeping with the hectic theme that is my life these days, uni restarted today. It really crept up and caught me unawares.

I have a dreadful timetable this semester, because I'm doing two Computer Science subjects, and they like doing three one hour lectures a week. To cap it off, one of the subjects isn't doing a 5pm laboratory, so I have to do a two hour lab during work hours.

Software Design, I'm told, is fairly easy compared to Software Construction, but this was told to me by someone who didn't consider themselves a code monkey, so I'll just have to see for myself what it's like. It's got an open-book exam, which is always a double-edged sword.

Distributed and Concurrent Systems is a course that has a bad rep from everyone I've spoken to. With a final exam worth 70%, it certainly sounds intimidating. I need to make very sure I stay on top of this one. Apparently we're going to learn Ada. I always relish the opportunity to be forced to learn a new language, so this course should be interesting.

Just to round things off, parking has become even more difficult, with the open-air, non-permit-requiring casual carpark in City West being closed for some new building the ANU is going to whack up. The parking for non-permit holding people is absolutely deplorable, as I have ranted about in the past.

[05:38] [uni] [permalink]

Saturday, 16 July 2005

Home again, home again...

I can't be arsed blogging specifically about the last two days in San Francisco, because I'm feeling rather worn out right now, but I thought I should mention that I've arrived home safe and sound.

In a nutshell, Wednesday saw me tag along with Marc on a flying lesson, which yielded some nice photos with Mikal's camera, I had my interview, which I was fairly happy with, and we made an expedition into Oakland via the BART from Fremont to attend a Bay-Area Debian dinner meeting and do a spot of keysigning (which I must go and do before I get too much older).

Thursday we checked out of the hotel early, and drove into San Francisco, and did a so-so bus tour of the city for three hours (I was feeling pretty weary, so I didn't get that much out of it apart from a three hour rest). The fog in the middle of summer is really trippy. Then we had lunch at the Hard Rock Cafe, and took a ferry to Alcatraz for an audio tour. I actually found Alcatraz pretty ordinary. The place is really falling apart.

We then drove to the airport (took us three attempts of doing happy laps of the entire city to get the right exit) and successfully checked in nice and early, after declining to be bumped to a later flight that went via Hong Kong (no thanks, even with the $500 in traveller's cheques). I managed to sleep for most of the 14 hour flight, but didn't feel particularly rested.

For good measure, I had my Buck's night last night, after stepping off the plane that morning, and Sarah had her Hen's night. I was feeling royally stuffed by about 9pm, so I don't think I was a lot of fun, and called it a night at 1am. Sarah partied on till 4am, and it sounds like she had lots of fun.

So, next weekend is the wedding... Eeek. We've got to clean up the place a bit before the hordes of relatives descend upon us.

[21:43] [life] [permalink]

Tuesday, 12 July 2005

Andrew and Mikal do San Francisco: Day 2 - driving around aimlessly

Or should that be "Driving around screaming in terror"?

I had a lovely night's sleep, from 10pm until about 5:30am, when I woke up because I think the room had gotten a bit stuffy. As bad as going for 40-odd hours without sleep might be, I think it's the best way of dealing with jetlag for me. I've had no problems functioning today at all.

We thought we'd go for a bit of a dummy run to the place of the interview, and feeling all bright eyed and bushy tailed, I thought I'd give this insane driving thing a go. It is very offputting. I'm glad I've got someone else in the car. If I had had to have flown over here alone, hired a car and driven to the hotel for 30 minutes on the wrong side of the road after a 12 or 15 hour flight, I think I'd have been beside myself, if not wrapped around another car or something.

I think the two main problems I had driving today were that all directions seem to assume you have been born with a built in compass, or are otherwise polarised and able to determine where the heck north is at all times; and Mikal has a terrible sense of direction. I think I see why GPSes are so prolific over here.

So after driving in the wrong direction for a while, we stopped off at a drug store, of which I'd have to say drugs make up about 5% of their total inventory and bought a map (they don't seem to run to bound street directories, again, maybe this is why GPSes are so prolific here (you can buy them at a drug store too)), got ourselves back off again in the right direction, and got to where we were trying to go.

After that excursion, we went for a drive to San Jose, which didn't take too long at all, and checked out the Tech Museum of Innovation. This was mildly disappointing, as a few of the exhibits were broken, but was very hands-on, much like Questacon back home, with a bit more of a focus on technology than science. The highlight of this was that we got to ride on a Segway. I drove back, and there wasn't even too much screaming.

I ran away with Mikal's CompactFlash, and you can find some happy snaps here

Tonight we had dinner with Marc, and he gave us a bit of a driving tour of the surrounding area, as well as showing us his house. He's going to give me a joyflight tomorrow morning before the interview, and we're planning on attending the Bay Area Debian meeting tomorrow night.

[23:17] [life] [permalink]

Monday, 11 July 2005

Andrew and Mikal do San Francisco: Day 1 - the journey

I'm so tired I can hardly write.

So we left Canberra at 11am on Monday (local time), got to Sydney, had a hell of a time checking into our United Airlines flight, made a mad dash through Customs and boarded our flight.

The flight was fairly uneventful. I opted not to sleep and try to sleep in the California night time when we got to our destination, hence it's now Tuesday 10am Canberra time (5pm Monday California time) and I'm dead on my feet.

I read Dan Brown's Angels and Demons cover to cover for the majority of the flight, and it was a really good read. The plot had more twists than something really twisty that my tired brain can't think of right now.

Entering the US was a breeze. I was really dreading the whole immigration thing because Mikal had had a bad experience last time he came to the US for a job interview, but I think this was more a case of him ticking the "Seeking employment" box (which also has some other nasty stuff bundled together with it) on the immigration form. I ticked the "Business" box and informed the immigration officer I was here for an interview and it wasn't a problem. I didn't have anything like what AJ had when he entered the US via LAX. Customs didn't even want to look in my suitcase.

The hotel is quite comfortable and has a really non-hotel atmosphere to it.

We went for a bit of a drive and a wander around Palo Alto for lunch. This whole left-hand-drive, drive on the right is a bit offputting. I might try and drive tomorrow when I'm feeling a bit more refreshed.

[17:37] [life] [permalink]

Wednesday, 06 July 2005

On this udev 060 and 2.6.12 kernel thing

Marco wrote a fairly reasonable explanation of the udev situation.

I just hope that he (or someone else) files a release critical bug to keep udev 060 out of testing if this is the appropriate thing to do. He says that there is a reason why we call it unstable, but one also needs to remember that what goes into unstable ultimately winds up in testing, and ideally we want testing to be releaseable at all times. If something winds up in testing that only runs optimally on non-existent kernel packages in testing, then that's... suboptimal.

[20:08] [debian] [permalink]

I love it when things Just Work

daedalus, my colocated server in Brisbane, is getting a bit long in the tooth. It's an 866Mhz Pentium III, with 256Mb of PC100 RAM, and a couple of 120Mb IDE hard drives. The hard drives are new to when I reinstalled it about a year ago, but other than that, nothing's changed since I bought it in 2001. It's served me extremely well.

I started hosting Mikal's website, late last year some time, and then I also hosted a temporary UML instance for the linux.conf.au 2006 guys. Then the poor old box really started to grind. It also crashed a couple of weeks ago, and since then, one of the disks has been exhibiting read errors (they're software RAID-1, but post crash, the one with the read errors came up clean, and couldn't sync properly with the one that didn't have read errors).

So I decided it was time to lash out on a new box. With the possibility of relocating to the US to work, I didn't want to have to deal with a dying box from the US, so I figured this was a very good time to be upgrading. I ordered a Dell 1850 in the last days of the financial year. I went a bit nuts:

  • 2 x 3.0Ghz Xeon 2M cache CPUs
  • 2 Gb DDR-2 400Mhz RAM
  • 2 x 73 Gb SCSI drives
  • dual power supplies

Hopefully this will last me the next four years and beyond.

But anyway, onto the Just Works bit...

Tonight I went to install Sarge, and I thought, bugger burning a CD, let's try a netboot. So I untarred the relevant tarball onto my boot server, tweaked DHCP slightly, and PXE booted the new server, and it all Just Worked. I installed an LVM on RAID setup with absolutely no funny business required. It was awesome. d-i is the business.

[06:30] [tech] [permalink]

Tuesday, 05 July 2005

No such thing as bad press?

I tend to disagree.

Stuff like this sticks in people's minds (i.e. it makes a great soundbite) and just gives the Red Hat weenies more ammunition against Debian in the corporate world, which is never good. It's hard enough as it is to get pointy-haired bosses to accept Debian as a technologically superior alternative, without having people remember for the life of this stable release that it was plagued with a brief delay in releasing security updates.

It does shit me more than a little that the release was delayed for so long because the security infrastructure was the supposed blocker, and come the release, and oh look, the security infrastructure is a problem...

Frustration.

[22:40] [debian] [permalink]

Monday, 04 July 2005

My first quote

Pity they couldn't get my name right...

Update

They fixed it. So much better than dead tree media.

[04:49] [life] [permalink]

Spiffy

The new look Planet Linux Australia is the most spesh looking Planet I've seen to date (not that I've seen that many)

[02:42] [geek] [permalink]

Sunday, 03 July 2005

Relief again

Got my Semester 1 results today. Scraped through yet another finance subject and got a Distinction for Software Construction. I think it's time to bid the Faculty of Economics and Commerce adieu, as much as I like them and all.

I think Semester 2 is going to really hurt, with two Computer Science subjects. The department's love of multiple lectures per course per week really sucks for people working full-time. I can see myself having to come and go from campus up to three times a day on at least two days a week.

[21:35] [uni] [permalink]

Sigh

It troubles me that our country's supposed peak academic institution can't get its processes in order to ensure that an SSL certificate is renewed within a reasonable time before its expiry:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4088675 (0x3e6363)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Server CA/emailAddress=server-certs@thawte.com
        Validity
            Not Before: Jun 29 07:20:17 2004 GMT
            Not After : Jul  2 00:22:40 2005 GMT
        Subject: C=AU, ST=Australian Capital Territory, L=Canberra, O=Australian National University, OU=Division of Information, CN=anubis.anu.edu.au
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (512 bit)
                Modulus (512 bit):
                    00:ce:1a:b7:80:da:a2:93:be:a2:0d:3f:7f:5c:70:
                    9e:de:e1:88:8d:aa:d6:e2:42:9f:73:94:7a:92:5c:
                    1f:db:33:d2:6d:c9:6f:51:f7:a1:b0:c7:50:99:58:
                    81:c9:13:3d:ac:8a:2e:f7:b8:3f:a0:2e:9b:95:97:
                    ef:7a:8f:72:ed
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points: 
                URI:http://crl.thawte.com/ThawteServerCA.crl

            Authority Information Access: 
                OCSP - URI:http://ocsp.thawte.com

            X509v3 Basic Constraints: critical
                CA:FALSE
    Signature Algorithm: md5WithRSAEncryption
        c9:1a:1e:f2:b5:87:26:6b:45:2d:2b:3c:08:de:f7:98:35:6c:
        52:90:a6:ff:21:f7:40:3e:db:21:fd:30:6f:dc:b2:64:94:45:
        41:2e:0b:b8:9f:6c:37:f7:94:7b:22:05:37:b3:68:96:1e:18:
        88:9d:c0:7e:1a:93:fb:27:0d:ce:9f:3d:f8:ef:6f:c0:68:2f:
        76:2c:8e:e8:6e:22:51:10:92:f2:8d:86:a5:7b:0f:a7:a8:3d:
        44:9f:9c:39:02:21:84:3c:06:82:ff:ed:26:0f:1c:b2:36:37:
        08:0a:ff:0a:60:eb:20:8d:9e:44:e6:de:13:da:67:f3:79:30:
        1f:80
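A renewal check that would have flagged this certificate ahead of time can work directly on `openssl x509 -text` output. The following is an added example, not code from the original post: it reads the Validity block of the dump above (trimmed here to the fields it needs) and classifies the certificate against a renewal window. The 30-day window and the function names are assumptions.

```python
import re
import ssl
from datetime import datetime, timedelta, timezone

# Fields copied from the dump above; the hex blocks are left out.
CERT_TEXT = """\
        Validity
            Not Before: Jun 29 07:20:17 2004 GMT
            Not After : Jul  2 00:22:40 2005 GMT
        Subject: C=AU, ST=Australian Capital Territory, L=Canberra, O=Australian National University, OU=Division of Information, CN=anubis.anu.edu.au
        Subject Public Key Info:
"""


def parse_validity(text):
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    stamps = []
    for label in ("Not Before", "Not After"):
        m = re.search(rf"{label}\s*:\s*(.+? GMT)", text)
        if m is None:
            raise ValueError(f"no '{label}' field in certificate text")
        # ssl.cert_time_to_seconds understands OpenSSL's "Mon DD HH:MM:SS YYYY GMT".
        seconds = ssl.cert_time_to_seconds(m.group(1))
        stamps.append(datetime.fromtimestamp(seconds, tz=timezone.utc))
    return stamps[0], stamps[1]


def subject_cn(text):
    """Return the CN from the Subject line, or None if there is none."""
    m = re.search(r"Subject:.*?CN\s*=\s*([^,/\n]+)", text)
    return m.group(1).strip() if m else None


def renewal_status(text, now, renew_window=timedelta(days=30)):
    """Classify a certificate as not-yet-valid, ok, renew-now or expired."""
    not_before, not_after = parse_validity(text)
    remaining = not_after - now
    if now < not_before:
        status = "not-yet-valid"
    elif remaining <= timedelta(0):
        status = "expired"
    elif remaining <= renew_window:
        status = "renew-now"   # inside the window: raise the renewal request
    else:
        status = "ok"
    return {"cn": subject_cn(text), "not_after": not_after,
            "remaining": remaining, "status": status}


if __name__ == "__main__":
    # Constructed check times around the expiry shown in the dump.
    for when in (datetime(2005, 1, 1, tzinfo=timezone.utc),
                 datetime(2005, 6, 15, tzinfo=timezone.utc),
                 datetime(2005, 7, 3, tzinfo=timezone.utc)):
        result = renewal_status(CERT_TEXT, when)
        print(when.date(), result["cn"], result["status"], result["remaining"])
```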

[15:57] [uni] [permalink]

Saturday, 02 July 2005

Tea Totalling

In the few weeks since we discovered The Tea Centre, we now own two teapots, two infusers, and five canisters of tea. No more teabags for us.

[22:27] [life] [permalink]

Bethungra Rover Crew turns 20

Last night I went to a barbeque and general get together to mark the fact that my old Rover crew had turned 20. With Land's End apparently folding, this makes it the oldest crew in the Australian Capital Territory. Numbers-wise, it's not too healthy at the moment, but hopefully moving out to Gungahlin, where it's the only crew, instead of Kaleen, where there was a bit of crew saturation, will give it a larger pool of people to draw from.

I look back on the few years I spent in Rovers with many fond memories. My only regret is not getting into it earlier. I strongly recommend it to anyone who might be relocating to a different city, as it gives you another (large) pool of people to meet and socialise with, rather than just the people you work with. I think it was one of the things that made my Brisbane-Canberra move so much more bearable.

What the hell is a Rover?

[22:24] [life] [permalink]

Friday, 01 July 2005

On the future directions of Linux Australia

So, there's been a bit of discussion about the future of Linux Australia.

I'd had absolutely nothing to do with LA until I got on the organising committee of linux.conf.au 2005, and even then I didn't really follow what was going on. I viewed it as needlessly political, when I really just wanted to get on with doing stuff. I became a member when I registered for linux.conf.au 2004 (heck it was free, why not?) but to this day, I'm not subscribed to linux-aus.

Funnily enough, I'm now one of the volunteer sysadmins for the organisation though, but then, that's in line with me getting on and doing things, so it's probably not that funny.

Anyhoo, Jon ponders throwing money at some dedicated warm bodies.

I've been a continuous member of the System Administrator's Guild of Australia since 1998, and this is the only other vaguely similar organisation that I have any experience with. Granted, SAGE-AU is obviously a fee-paying organisation, so it has a revenue stream to work with, but I get the impression that LA has a bit of money in the bank, and it too has a revenue stream, in the form of linux.conf.au.

For as long as I can remember, SAGE-AU has had an office/operations manager/admin type person, in the form of Lee Monet. She's fluctuated between full-time and part-time, and from all outward impressions, she's an integral part of the continuing operational viability of the organisation. She is also consistent from year to year, where the Executive aren't necessarily. She does a lot of the legwork for the annual conference as well.

I think if LA were to hire a dedicated person (call them what you will) even on an initial part-time basis, it would improve the effectiveness of the organisation, allowing the Executive to get on with the job of overseeing things, and making decisions, rather than getting bogged down in technical and operational details. I also think it would cost a lot less than the $100K that Jon considers it would cost for a paid CEO or secretariat. If I tried hard enough, I could look up the SAGE-AU financials to see how much Lee costs.

I guess what it boils down to is where does Linux Australia fit in in the grand scheme of things? I get the feeling that it's really come about as the umbrella for linux.conf.au, but is looking to do more with itself, but hasn't quite worked out what that needs to be. I'm totally ignorant of the history of the organisation, so I can only go by my personal impressions. I suspect that the various members of the committee that have come and gone over the years have differing views as well.

Does it want to be a super LUG? Does it want to represent users, developers, vendors, or all of them? Can it effectively represent all three groups at the same time? The Australia Unix Users Group seems to be trying to reinvent itself as the Open Source representative of the country, then there's Open Source Industry Australia, which I hadn't even heard of until linux.conf.au 2005, which sounds like it's trying to represent people trying to make a buck out of Open Source. And of course, the Australian Computer Society that swans around and tries to keep the ear of Government about all things IT.

So, if you ask me, the Australian IT/Linux/Open Source .org scene seems to be a bit crowded. Maybe LA could do worse than just stick with running a kick-arse conference? Is linux.conf.au even staying true to its name? Maybe the biggest return to its members would be keeping the conference cost low?

Just my random musings from the couch on a Friday evening...

[05:23] [opinion] [permalink]

Thursday, 30 June 2005

More fun and games: running Sarge in a UML

Once I'd got the underlying UML host system installed, I set about creating a couple of UML instances, one for the 2006 linux.conf.au guys, and one for mucking around in, which will be for the 2007 guys when they want to get the ball rolling.

Next I ran into some bizarre problems with UML. The host is running a 2.6.8 kernel with the SKAS patch, and the UMLs themselves are running 2.6.10. I used rootstrap to create the initial filesystem, and then jumped on the console to install OpenSSH, and then SSHed in to do the rest of the configuration.

The problem was I got struck by #298427, which is indeed a bizarre little bug. I initially worked around this by reconfiguring the SSH daemon not to use PAM and setting PasswordAuthentication to yes. I later hit some strange segmentation faults with BIND 9 as well, so I tried the alternative workaround I had subsequently found, which was to move /lib/tls out of the way.

Given that this seems to fix the problem, and it's bigger than just SSH, I'm guessing the problem is actually some sort of libc6 + UML + 2.6.10 problem or something, although I haven't had this problem previously, and I was using the exact same UML kernel and host kernel, so it's a bit odd. Maybe it's a Celeron thing or something. I don't know what the implications are of having /lib/tls nonexistent at the moment either, but it can't be ideal.

[03:08] [tech] [permalink]

Fun and games: installing Debian into a chroot

I was added to the Linux Australia sysadmin team shortly after linux.conf.au. To date, I've just been picking around the edges of stuff that needs doing on digital, but this week I got to really sink my teeth into stuff.

The 2006 linux.conf.au guys didn't have a server to host the website on, so LA acquired one specifically for this purpose. What we decided to do was use User Mode Linux to provide a virtual server for the 2006 guys, with a second one on standby for the 2007 guys.

The physical server is living with Jon Oxer in Adelaide at Internet Vision Technologies. I had the job of installing Linux on it.

Jon had done a quick install of Ubuntu on the first disk (it has two SATA disks) and so what I decided to do (as I wanted to use Sarge) was install Debian onto the second disk. I also wanted to mirror the disks, so I created a degraded RAID-1 array out of the second disk, created an LVM physical volume out of one of the arrays (with the associated volume group and logical volumes), and proceeded to try and install Sarge in a chroot onto this.

This went fairly well, except I ran into a few issues with the initrd, because when Jon swapped it around to boot from the second disk, what was /dev/sdb became /dev/sda, and everything that had hardcoded devices in it promptly freaked out on bootup. I ended up dealing with this by making the initrd myself with the -k option, and tweaking the script that assembled the RAID array, as well as making sure the right devices existed. Poor old Jon had to switch back to the temporary install on the first disk a few times for me until I successfully got everything to work, but I really enjoyed working through the issues and further improving my understanding of Debian's initrd. It really does make the bootup a bit... fragile.

Once I managed to successfully boot from the degraded RAID array on /dev/sda (previously /dev/sdb), I copied the partition table across, and hot-added the second disk to the array and let it rebuild.

[03:02] [tech] [permalink]

Tuesday, 28 June 2005

sar breakage

I recently decided to take a bit more of an interest in what my server (which was starting to chug a bit) was doing, and started running sar. Then I thought I should actually look at what sar was collecting, so I wrote a script to throw it into a database.

Then I upgraded to 6.0.0, and the -H option, which outputs in a delimited format, which makes throwing the data into PostgreSQL trivial, promptly disappeared. This made me sad. I'm curious as to why said option disappeared.

Update:

I've discovered that in 6.0, there's a new command called sadf, which is like a wrapper around sar, and it's what does the equivalent output of the old sar -H with a -d option.

[16:20] [tech] [permalink]

Sunday, 26 June 2005

There's no outage like an unscheduled outage

At about 21:15 on Friday night daedalus seems to have shat itself. It was still pingable, and attempts to make a TCP connection on port 22 resulted in a connection being made and then unceremoniously closed before an SSH banner was made. HTTP requests just timed out. It looked like a good bit of resource starvation to me. I had an SSH connection open, and attempts to get it to do anything resulted in the packets being acknowledged, but no actual response.

Friday outages always suck because generally the earliest someone can reboot the box is Monday morning. Fortunately, Ben was kind enough to go in for me on Sunday morning and kick it in the guts. Ah the joys of being 1000 kilometres from my box... I think it might have also got wind that I was thinking of replacing it with something a bit newer and gruntier, and got offended or something.

There's no good evidence of what actually happened. It looks as if it was mostly dead from around 21:15. No cron jobs ran, no log entries, nothing. These are the worst "crashes" to try and diagnose. I know for a fact it's short on RAM, and a UDMA-66 IDE cable would help reduce I/O bottlenecks.

[00:34] [tech] [permalink]

Thursday, 23 June 2005

Quotable quote

Mikal: Dude, I run everything as root. Do you think I'd be running a firewall?

While trying to get a point-to-point Ethernet connection to work between our laptops at this month's meeting.

[02:18] [clug] [permalink]

Tuesday, 21 June 2005

Complying with Policy 10.1 is harder than it looks

I've been bashing on dhcp3 just a bit lately. The current thing I'm working on is bringing the Standards-Version up to the present day. Using the upgrading checklist that comes with debian-policy (which is mighty handy I might add), I've gotten to the stuff in section 10.1 first referred to by Policy version 3.5.7.0, namely the stuff about supporting building packages with the optional use of DEB_BUILD_OPTIONS.

The snippet in 10.1 makes it look a lot easier than it really is.

Certainly, I think the argus-server source package already had a pile of

     CFLAGS = -Wall -g
     INSTALL = install
     INSTALL_FILE    = $(INSTALL) -p    -o root -g root  -m  644
     INSTALL_PROGRAM = $(INSTALL) -p    -o root -g root  -m  755
     INSTALL_SCRIPT  = $(INSTALL) -p    -o root -g root  -m  755
     INSTALL_DIR     = $(INSTALL) -p -d -o root -g root  -m  755
     
     ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
     CFLAGS += -O0
     else
     CFLAGS += -O2
     endif
     ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS)))
     INSTALL_PROGRAM += -s
     endif

type stuff in debian/rules when I inherited it, but I only discovered how ineffectual this is on its own when I tried to add it to the debian/rules for dhcp3, and did some closer inspection of what was really going on.

Basically, setting CFLAGS in debian/rules isn't worth a pinch of shit unless you pass it to the call to ./configure like

     ./configure CFLAGS="$(CFLAGS)"

even then, all bets are off as to how it's going to work, depending on the upstream Makefile.

Again, using the Argus source package as my benchmark, I'd always casually eyeballed the build logs, seen lots of "gcc -O2" going on, and assumed it was because of my CFLAGS in debian/rules.

Wrong.

As it happened, the upstream Makefile was already using -O2. On closer inspection, there was no -Wall, so my CFLAGS in debian/rules wasn't being used at all.

So I fixed it (for Argus) by passing CFLAGS to the ./configure invocation. Next problem is that because the upstream Makefile is using -O2, I'm now actually passing -O2 twice. The downside of this is that if a user builds the package with "DEB_BUILD_OPTIONS=noopt", it's going to pass "CFLAGS=-O0 -Wall" to gcc, along with the -O2 in the upstream Makefile, and $DEITY only knows what optimisation level it's going to actually use.

I think to do things properly, I'm going to have to patch the -O2 out of the upstream Makefile (for Argus).

Coming back to the DHCP package, it's weird. The configure script isn't actually a GNU autoconf configure script, so passing it a CFLAGS argument does diddley-squat. If I invoke make with a CFLAGS environment variable, it overrides the options passed to the compiler in the Makefile, which most importantly includes a whole bunch of -I's, so the build fails completely. So I'm not quite sure how I'm going to implement DEB_BUILD_OPTIONS support for this sucker just yet.
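The build-log eyeballing described in this post can be automated. The following is an added example, not code from the argus or dhcp3 packaging: it checks each compile line of a build log for the flags the debian/rules snippet above computes, and reports the optimisation level gcc will actually use (when several -O options are given, gcc honours the last one). The log lines, paths and file names are constructed.

```python
import shlex

COMPILERS = {"gcc", "cc"}


def cflags_from_rules(deb_build_options=""):
    """CFLAGS as the debian/rules snippet quoted in the post computes them."""
    flags = ["-Wall", "-g"]
    # $(findstring noopt,...) is a substring test, so `in` mirrors it
    flags.append("-O0" if "noopt" in deb_build_options else "-O2")
    return flags


def audit_build_log(log_text, deb_build_options=""):
    """Return [(line number, [problems])] for the compile steps in a build log."""
    wanted = cflags_from_rules(deb_build_options)
    wanted_opt = wanted[-1]
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        try:
            argv = shlex.split(line)
        except ValueError:
            continue  # unbalanced quotes: not a command line we can judge
        if not argv or argv[0] not in COMPILERS or "-c" not in argv:
            continue  # only compile steps carry CFLAGS
        problems = []
        missing = [f for f in wanted if not f.startswith("-O") and f not in argv]
        if missing:
            # debian/rules flags absent: CFLAGS never reached the compiler
            problems.append("missing " + " ".join(missing))
        opts = [a for a in argv if a.startswith("-O")]
        effective = opts[-1] if opts else None  # gcc: the last -O option wins
        if effective != wanted_opt:
            problems.append(f"effective {effective}, wanted {wanted_opt}")
        elif len(set(opts)) > 1:
            problems.append(f"conflicting {' '.join(opts)} (last one wins)")
        if problems:
            findings.append((lineno, problems))
    return findings


# Constructed log of a build run with DEB_BUILD_OPTIONS=noopt:
#   line 2: CFLAGS never passed on, upstream's own -O2 only
#   line 3: CFLAGS passed, but upstream appends -O2 after them
#   line 4: CFLAGS passed after upstream's -O2
SAMPLE_LOG = """\
make[1]: Entering directory '/build/example'
gcc -O2 -I. -I../include -c a.c -o a.o
gcc -Wall -g -O0 -O2 -I. -I../include -c b.c -o b.o
gcc -O2 -Wall -g -O0 -I. -I../include -c c.c -o c.o
gcc -o example a.o b.o c.o
"""

if __name__ == "__main__":
    for lineno, problems in audit_build_log(SAMPLE_LOG, "noopt"):
        print(f"line {lineno}: " + "; ".join(problems))
```
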

[06:28] [debian] [permalink]

Tuesday, 14 June 2005

The power of procrastination

I'm sure if I look back over my Debian activities, I'll always find a spike around exams, when I should be studying. Problem is, I have the attention span of a newt, and doing some QA or general packaging work is so much more appealing.

With that in mind, I present to you 3.0.2-1 of dhcp3.

I'll do some testing of it after my exams, and then upload it to unstable.

Now, it's time for a hotdog...

[20:28] [debian] [permalink]

Saturday, 11 June 2005

Cool cat...

[16:18] [life] [permalink]

Monday, 06 June 2005

You know you've been doing too much Java

when you start writing object-oriented PHP...

That said, it is kinda cool... I've written a class that tells you how many days or how many weeks until a specified date (no prize for guessing what I'm using it for).

[05:25] [uni] [permalink]

Sunday, 05 June 2005

Configuring the timezone on a Cyclades AlterPath ACS

So I noticed that the timezone on these puppies at work was wrong, so I went about trying to fix it. I happened upon this page in German, which after translation (thanks Babel Fish!), I managed to decipher the following:

The factory default contents of /etc/TIMEZONE are:

     GST+7DST+6,M4.1.0,M10.5.0

and what I believe to be the desired contents for Australia/NSW or ACT:

     EST+10EDT+11,M10.5.0/02:00,M3.4.0/03:00

From my understanding, this translates to something like "The default timezone is GMT+10, but when we're in daylight saving time we want GMT+11. Daylight saving kicks in on the last Sunday of the tenth month at 2am and ends on the last Sunday of the third month at 3am." (So M10.5.0 means "day zero of week 5 of month 10".) I presume this is a BusyBox thing. The things people do to save space.

Update

It's a uClibc thing. Some good documentation on the TZ variable is at http://www.opengroup.org/onlinepubs/009695399/basedefs/xbd_chap08.html

Update

I swear drugs are involved here. I had to use

     EST-10,EDT-11,M10.5.0/02:00,M3.5.0/03:00

to get things to work as expected, which from my interpretation of some other documentation, really means I'm saying we're 10 hours behind UTC, which isn't the case, but yields a correct time. Go figure.
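POSIX defines the offset in a TZ string as the amount added to local time to reach UTC, so zones east of Greenwich carry a negative offset. The following added example (not code from uClibc or the Cyclades firmware) parses the three strings from this post and evaluates them for a given UTC time; it handles only the Mm.w.d rule form, and the comma it tolerates after the standard offset is a leniency for the post's last string, not POSIX syntax.

```python
import re
from datetime import datetime, timedelta

# std offset dst [offset] ,start[/time] ,end[/time]
TZ_RE = re.compile(
    r"^(?P<std>[A-Za-z]{3,})(?P<stdoff>[+-]?\d{1,2}(?::\d{2}){0,2})"
    r",?"  # not POSIX: accepted only so the post's last string parses
    r"(?P<dst>[A-Za-z]{3,})(?P<dstoff>[+-]?\d{1,2}(?::\d{2}){0,2})?"
    r",(?P<start>M\d{1,2}\.[1-5]\.[0-6](?:/[\d:]+)?)"
    r",(?P<end>M\d{1,2}\.[1-5]\.[0-6](?:/[\d:]+)?)$"
)


def hms(text):
    """'02:00' or '2' -> timedelta."""
    parts = [int(p) for p in text.split(":")] + [0, 0]
    return timedelta(hours=parts[0], minutes=parts[1], seconds=parts[2])


def utc_offset(posix_offset):
    """POSIX offsets are local-to-UTC, so the east-positive offset flips the sign."""
    sign = -1 if posix_offset.startswith("-") else 1
    return -sign * hms(posix_offset.lstrip("+-"))


def transition(rule, year):
    """Local wall-clock datetime of an 'Mm.w.d[/time]' rule in the given year."""
    date_part, _, time_part = rule.partition("/")
    month, week, dow = (int(n) for n in date_part[1:].split("."))
    first = datetime(year, month, 1)
    first_dow = (first.weekday() + 1) % 7  # POSIX counts Sunday as day 0
    day = 1 + (dow - first_dow) % 7 + 7 * (week - 1)
    next_month = datetime(year + month // 12, month % 12 + 1, 1)
    while day > (next_month - first).days:  # week 5 means "the last one"
        day -= 7
    return datetime(year, month, day) + hms(time_part or "02:00")


def local_time(tz, utc_dt):
    """Return (local wall-clock datetime, abbreviation) for a naive UTC datetime."""
    m = TZ_RE.match(tz)
    if not m:
        raise ValueError(f"unsupported TZ string: {tz!r}")
    std_off = utc_offset(m["stdoff"])
    # POSIX default when the DST offset is omitted: one hour ahead of standard
    dst_off = utc_offset(m["dstoff"]) if m["dstoff"] else std_off + timedelta(hours=1)
    # Rules are wall-clock times: the start is read in standard time, the end in DST.
    # Using utc_dt.year is fine as long as no transition sits next to New Year.
    start = transition(m["start"], utc_dt.year) - std_off
    end = transition(m["end"], utc_dt.year) - dst_off
    if start < end:  # northern hemisphere: DST sits inside the year
        in_dst = start <= utc_dt < end
    else:  # southern hemisphere: DST wraps over New Year
        in_dst = utc_dt >= start or utc_dt < end
    name, off = (m["dst"], dst_off) if in_dst else (m["std"], std_off)
    return utc_dt + off, name


if __name__ == "__main__":
    when = datetime(2005, 1, 15)  # constructed: midnight UTC in the southern summer
    for tz in ("GST+7DST+6,M4.1.0,M10.5.0",
               "EST+10EDT+11,M10.5.0/02:00,M3.4.0/03:00",
               "EST-10,EDT-11,M10.5.0/02:00,M3.5.0/03:00"):
        local, name = local_time(tz, when)
        print(f"{tz:45} {local:%Y-%m-%d %H:%M} {name}")
```
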

[17:22] [work] [permalink]

Saturday, 04 June 2005

Warwalking

Well kind of.

I've been in discussions with Sean Moroney, the General Manager of University House about setting up a wireless LAN.

This morning I went out armed with a couple of laptops and my Linksys WAP54G access point to see how good the signal would be from various parts of the building.

The whole exercise took a lot less time than I expected, and the signal from just the one access point at the top of one of the blocks was quite good, so I reckon about 4 access points strategically placed throughout the building should be enough to saturate it and the surrounding grounds.

[18:16] [tech] [permalink]

Carnage and mayhem

This morning when I went to use my laptop, everything seemed a bit kaput. The wireless adapter was associated with the access point, but nothing was happening. I went to my wired desktop PC and tried to bring up the web interface for the access point, and it wouldn't come up. This struck me as weird. Then I noticed that the stack of computing gear I have crammed into the wardrobe of the study seemed a bit quieter than usual. This was because caesar, my PC which is my "everything" (firewall, ADSL termination point, file server, fax gateway) box was off.

I checked the power to it, and couldn't get it to switch on. If I pulled the power cable and reinserted it, it'd flash some power lights briefly but then die again.

I pulled the lid off, and poked around and concluded that perhaps the power supply had died. Luckily there was a computer fair today, so I headed out there to try and find preferably a new micro-NLX case, as I didn't like my chances of getting just a power supply of the right size and shape.

Lucked out on the case, so I bought a $25 ATX power supply with the intention of using it and leaving the lid off and generally doing lots of dodgy power stuff to power the box from the ATX power supply externally.

Got home, tried that, and a pop and a bad smell later, I declared that if it actually wasn't the motherboard that had been dead before, it probably was now, as the box was still exhibiting the same behaviour with the external power supply.

So I raced back to the computer fair for a second time, and managed to get there within the last 30 minutes before closing time and bought a 1.7 Ghz Pentium IV Compaq Evo with 256Mb of RAM and a 20 Gb hard drive for $350. I got home, slapped the old hard drive in it, and everything just worked, which was really nice.

I've got to say that apart from the stupid proprietary screws, this box is so nice to work on. You can get the lid off without using any tools, and then the CDROM, floppy and hard drives are on a tray that flips up and lets you get at the CPU and DIMM slots. The hard drive takes some wide proprietary screws that allow it to just slot into a holder for it, that has a quick release catch. I really liked that, and was prepared to put up with the stupid screws for that feature.

The PCI slots are on a riser card, and that is attached to a separate chassis, and you can just rip that straight out, riser and all, and seat the PCI cards comfortably and then reseat the whole box and dice when you're done.

All in all, I think it was a good buy, so if I can get another one as a sacrificial play box at the next computer fair I probably will.

[06:47] [tech] [permalink]

Shotgun wedding

Well not quite.

The job overseas is looking like more of a vague possibility, and so for the potential purposes of visa applications, we have decided to bring forward the date of our wedding to July 23 rather than April 22 next year.

So now we have the joy of trying to arrange a wedding in 7 weeks or something.

[06:25] [life] [permalink]

Thursday, 02 June 2005

Firewall-1: Great when it works, utter poo when it doesn't

Let me just start off by saying that CheckPoint Firewall-1 is probably my preferred EPLed packet-filtering firewall. The GUI is good, the fact that it is "object-oriented" is also good. What is not good is the complexity of a deployment and the ability to troubleshoot it when things go wrong. When it's broke, you are left with your pants down.

I've just deployed some new (non-production) firewalls. I've got a management station (which is also an enforcement module), which is multi-homed (5 interfaces). There are two enforcement modules managed by this management station, one on each of two of the 5 interfaces.

I'm able to push a policy from the management station to the enforcement modules. That's all good. If I try to make the enforcement module fetch a policy from the management station, it decides it would like to talk to it on one of the unrelated interfaces, rather than on the interface that is directly connected, or to the interface with the IP address of the management station object in the rulebase. Bonkers.

Furthermore, if I do issue a

     fw fetch master

this works fine. It's just trying to log to the wrong interface of the management station, and fetch its policy (by default) from the wrong interface. Highly vexing stuff. As it's non-production, I'm getting close to reinstalling Firewall-1, but I wouldn't mind determining the cause for future reference in situations where this might not be an option.

[17:54] [work] [permalink]

Wednesday, 01 June 2005

Mmm Cyclades AlterPath ACS good

Disclaimer: I like Cyclades products. They Just Work™

Yesterday and today I got to have a fiddle with the new AlterPath ACS product, and they're very special. I'd previously used the TS product a few years ago, and been quite happy with them, especially when having to use Digi's cheap imitation, that didn't Just Work™.

I got LDAP authentication for individual ports working reasonably painlessly, and for good measure, then enabled local LDAP authentication to the terminal server itself, with similar ease.

The web GUI is a bit sluggish, but was still useable.

The userspace environment on the box was a bit stripped out for my liking, but still useable. A non-BusyBox vi would go a long way, as would iproute, but other than that, I really can't complain.

[18:55] [work] [permalink]

Sunday, 29 May 2005

Fun and games with cross-platform database interoperability

Okay, so I'm no longer buzzword-compliant with the current fashion on Microsoft data access. That's because I haven't followed it for around 5 years.

The problem:

We've got a Windows application (it's a honking great big CD burning "appliance" (I use the term loosely, it's really a full-blown Windows box with a burn of CD burners in it and a bit of robotic stuff going on)). We want to push files to it from a Solaris box, and have it produce CDs when it's received enough to fill a CD.

The software on the Windows box driving this whole process can apparently log to a database, using OLE DB. Good for it. We don't want to delete the files from the Solaris box sending them across until we know we've successfully got them on CD.

The current school of thought on how to deal with this was to use a MySQL database on the Solaris box, and query it to find out what files have been burned to CD, and then remove them from the Solaris box.

I got involved at the point where a co-worker had been bashing on some (what appeared to be) significantly dated piece of software to do OLE DB access to MySQL. I actually don't have the foggiest on what the difference between OLE DB and ODBC is. I'd previously had success getting Microsoft Access (as a front end) to talk to MySQL (as a back end) via ODBC, so I thought I'd have a fiddle.

I threw away the MySQL OLE DB stuff and got the latest greatest MyODBC driver for Windows (which appears to be significantly better maintained). I also grabbed the latest greatest Microsoft Data Access Components (MDAC) just to get the OLE DB provider for ODBC if I didn't already have it.

So the problem appears to be that the application, when it tries to create tables in the data source provided, tries to do it the "Microsoft SQL" way, and throws square brackets around the table name, and possibly the attribute names as well. Someone muttered something about part-time DBAs creating tables with spaces in the names.

I'm of the theory that this is happening in the application, and no amount of data access crap between the application and the database is going to clean this up. It's just not talking in an ODBC compliant manner. Damn it.

So the next approach is to try using MSDE as the database, and have it on the Windows box, and use FreeTDS on Solaris to query the database. Bags not having to build that.

I'd really like a sacrificial Linux box for prototyping. It would mean I could very quickly test the viability of things like this without having to inflict building the software on Solaris on someone (and waiting for it to happen).

[17:39] [work] [permalink]

Saturday, 28 May 2005

Yummy surprise

This afternoon Sarah took me out to high tea at the Hyatt to celebrate the end of all my assignments because we haven't been able to spend a lot of time together lately because of them. It was a lovely surprise and the food was delicious.

[00:44] [life] [permalink]

On Schapelle Corby

So, she's been found guilty of drug importation and copped 20 years?

Do I think she's guilty? Of stupidity, definitely, if all the reports are accurate. Of drug trafficking, I'm not convinced.

I remember seeing footage of her months ago when she was first arrested, being dragged into court laughing. In a country with the death penalty for drug trafficking, it's no laughing matter under any circumstances. Apparently she tried to stop the customs officials from opening her bag. Apparently she admitted to the drugs being hers. I don't know about the validity of either. If it's true, then it reinforces the stupidity charge.

What I will say is that there is no way in the world I would holiday in a country with such a fucked up judicial system. Apparently they didn't fingerprint the bag of drugs - because the customs officials had all handled it after they found it, so it was pointless. Had proper forensic process been followed, perhaps they could have connected the bag of drugs to a baggage handler in Sydney airport.

In Australia, you're innocent until proven guilty, and you only have to prove reasonable doubt. Sure, she had the drugs in a bag in her possession. A judge would take a very dim view of the lack of forensic process followed though, once it was discovered.

If the allegations of Sydney airport baggage handlers doing dodgy stuff (perhaps strengthened by something concrete) didn't equate to a bit of reasonable doubt, I don't know what would.

So whether she's guilty or not, I think she deserved a better trial and handling of her case.

I think Australians should vote with their feet. Don't holiday in a country where you are at risk of not receiving justice if you fall foul of the law - even by accident.

[00:39] [] [permalink]

Friday, 27 May 2005

Two years

On Wednesday, I hit the two year mark as a Debian Developer, but was too busy to take the time to reflect.

I first was introduced to Debian back when I had the ISP, and one of our technical staff suggested that when we replaced a Slackware box, we install Debian on it instead. I remember grappling with this dselect thing, but immediately liking the fact that I didn't have to compile stuff (and deal with all the complexities that went along with it). I'm thinking we're talking about bo here.

I remember when apt first came out, and the first thing you did when you installed a Debian box was download the .deb from http://people.debian.org/~jgg and could bid adieu to this hideous dselect thing. That was good. I then plodded along with Debian for the next 3 years or so, increasing my general Linux fu.

Then I had the opportunity to deploy a large-scale Debian-based Internet gateway at my current place of employment. Somewhat prodigiously, woody had just been released, and I discovered FAI.

Around this time, we also were using Argus to attempt to do data billing of our clients. The existing Debian maintainer was in the NM queue himself, and cracked the shits one day over how long New Maintainer processing was taking and decided to orphan all his packages. As we were reasonably reliant on Argus, I figured this was a good time to get involved and adopt it, and decided to get the ball rolling on becoming a developer myself.

So what have I done in my first two years as a Debian Developer? Not as much as I'd have liked, but still a fair bit. The packages that got me involved in the first place, argus-server and argus-client are in pretty good shape. Upstream is a bit dormant at the moment, and after Sarge releases I plan to look into reworking the maintainer scripts as they're a bit crufty.

I've packaged dstat and elfsign from scratch. I don't think elfsign is terribly popular, but due to the trickle of bug reports that have come in for dstat, I suspect that it has caused a little bit of interest. The upstream author has also seized upon the PTS and I suspect he thinks it is the best thing since sliced bread.

I also adopted simpleproxy and vaiostat (which I've subsequently handed over to someone who still has a VAIO) and become a co-maintainer of dhcp3. I plan on doing a lot of stuff with dhcp3 in the near future.

The two other areas that I've contributed have been debian-installer and QA. The former not as much as I'd have liked, and the latter a reasonable amount.

For the installer, my main contribution was doing some test installs. I also made a few trivial fixes to lvmcfg and mdcfg, as the functionality that both of these provided was important to me. I would have liked to have done a lot more, but d-i has a bit of a learning curve, and I just didn't have enough spare time.

QA on the other hand, was something I could really sink my teeth into, and I could do as much or as little as I liked, due to the granular nature of the work. When I first started on the list of orphaned packages with the maintainer not set to the QA group, there were I think over 300 packages languishing there. I got stuck into them, and progressively worked through the list, making numerous uploads, suggesting removals, fixing easy to fix bugs.

It's been an enormously educational experience, as there's been some real antiques sitting there, with build systems that predate all of the stuff that is in popular use today. It was fun trying to get a handle on how those packages built so that I could attempt to fix stuff.

So that's been my first two years. I don't know what the next two will bring. I've been in two minds over whether Debian is imploding, and whether I'm better off expending my energies on Ubuntu instead. Things that I guess will help make up my mind are how the Social Contract changes are implemented, what happens with the whole Vancouver Proposal thing, and how long it takes to release etch. Time will tell.

[16:09] [debian] [permalink]

Little Cat

Or "LC" as she is known, is the name of our new cat.

A while ago, we sought permission to keep a cat in our new place, and somewhat to our surprise, we received it. We hadn't raced out and got a cat immediately though.

Someone was advertising at Sarah's work that a 10-year old desexed female cat required rehoming, so we took her. She's settled in really well, but for a cat that is so small, seems to have hollow legs. Seems like we need to work on the food rations a bit yet.

[15:24] [life] [permalink]

Calm before the storm?

Well, with one week of teaching remaining, I have passed through Assignment Hell moderately unscathed. Poor Sarah has hardly seen me for the last three weeks though.

Neither assignment that was due yesterday is spectacularly good, but hopefully I will pass both of them.

Now for exams. Luckily I have managed to get some time off for the week of them so I can do some mad cramming the whole time.

[15:17] [uni] [permalink]

Thursday, 26 May 2005

Who would have thought?

That on my favourite Unix, Solaris, you needed to have the NFS client packages installed in order to get the NFS server kernel module to load.

I love Solaris. Let's put bits of the kernel in random packages. That's the way.

[22:26] [work] [permalink]

Monday, 23 May 2005

World of pain (or 6th migration (fourth enforcement module))

Just when you thought it was safe to sleep past stupid o'clock...

I wrote last week that my firewall replacement program had been put on hold. Well, due to some internal politics, I ended up replacing the last remaining one in this particular gateway this morning, rather than leaving it with two arms on new firewalls and one arm on an old one.

I didn't actually mind too much, as it's kind of nice to actually vaguely finish something. I've only got two more in this site to do (in a separate gateway), but that'll happen probably in July at the rate things are going.

Anyway, I was in a world of hurt this morning performing this change, and it was all my fault.

I like to have a repeatable, auditable process for building these firewalls, and it's served me quite well to date. I think I need to more thoroughly check what I'm doing though. I did build this one in a bit of a rush because I only learned I was doing it last Wednesday afternoon, and did most of the configuration migration on Thursday.

The main source of problems was that I managed to migrate /etc/netmasks as /etc/defaultrouter. So not only did I bring up all my interfaces with completely insane netmasks, I also brought up my firewall with 8 default routes. This left me quite miffed, as I discovered after I'd swapped to the new firewall that I had completely bogus interface netmasks and a pre-migrated /etc/netmasks file. I couldn't figure this out, as I'd ticked off migrating /etc/netmasks on my checklist. It was only after a colleague came in and noticed the 8 default routes and that /etc/defaultrouter contained /etc/netmasks, that I realised what had happened.

I'm very annoyed with myself for

  1. screwing up
  2. not realising pre-swap that I'd screwed up.

The moral of the story is that I need to actively recheck my checklist after I've completed it, not trust myself to have done each line-item correctly at the time.

At least there were no kangaroos this morning.
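One way to automate the recheck described above, as an added example that is not part of the original post: a pre-swap lint for the two files that got crossed. It assumes the usual Solaris formats (/etc/netmasks holds "network netmask" pairs, /etc/defaultrouter holds whitespace-separated router addresses or hostnames); the sample contents are constructed.

```python
import ipaddress


def entries(text):
    """Yield (line number, fields) for lines that are not blank or comments."""
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if fields:
            yield lineno, fields


def is_netmask(text):
    """True for a dotted-quad mask whose one-bits are contiguous from the left."""
    try:
        bits = int(ipaddress.IPv4Address(text))
    except ValueError:
        return False
    inverted = bits ^ 0xFFFFFFFF
    return bits != 0 and (inverted & (inverted + 1)) == 0


def check_netmasks(text):
    """Problems found when text is read as /etc/netmasks."""
    problems = []
    for lineno, fields in entries(text):
        if len(fields) != 2 or not is_netmask(fields[1]):
            problems.append(f"line {lineno}: expected '<network> <netmask>'")
            continue
        try:
            # strict parsing rejects a network number with host bits set
            ipaddress.IPv4Network("/".join(fields))
        except ValueError:
            problems.append(
                f"line {lineno}: {fields[0]} is not a network number for {fields[1]}")
    return problems


def check_defaultrouter(text):
    """Problems found when text is read as /etc/defaultrouter."""
    problems = []
    routers = [(n, field) for n, fields in entries(text) for field in fields]
    for lineno, router in routers:
        if is_netmask(router):
            problems.append(f"line {lineno}: {router} is a netmask, not a router")
    if len(routers) > 1:
        # every whitespace-separated entry becomes its own default route
        problems.append(f"{len(routers)} default routers listed")
    return problems


def preflight(netmasks_text, defaultrouter_text):
    """Run both checks; an empty dict means the pair looks sane."""
    report = {"/etc/netmasks": check_netmasks(netmasks_text),
              "/etc/defaultrouter": check_defaultrouter(defaultrouter_text)}
    return {path: found for path, found in report.items() if found}


# Constructed sample contents, not the real firewall's configuration
NETMASKS = """\
# network      netmask
192.168.10.0   255.255.255.0
192.168.20.0   255.255.255.0
172.16.0.0     255.255.0.0
10.1.2.0       255.255.255.128
"""
DEFAULTROUTER = "192.168.10.254\n"

if __name__ == "__main__":
    print("as intended:", preflight(NETMASKS, DEFAULTROUTER))
    # The mix-up from the post: netmasks content written to /etc/defaultrouter,
    # while /etc/netmasks keeps its old contents (assumed valid here)
    for path, found in preflight(NETMASKS, NETMASKS).items():
        print(path, *found, sep="\n  ")
```
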

[17:07] [work] [permalink]

Thursday, 19 May 2005

Holy crap, Canberra.pm had a meeting!

Earlier this month, Jacinta Richardson of Perl Training Australia fame emailed the Canberra Perl Mongers mailing list mentioning that Paul and herself would be in Canberra later in the month delivering some training, and was keen to have a dinner and talk.

This was met with good old apathy, and after a round of prodding, I decided I'd organise a dinner at Bernadette's in Ainslie.

There was something like 9 of us there. Paul gave a talk about Mason, and Jacinta gave a sneak preview of an upcoming Perl Security talk she's giving next month. Both talks were quite interesting, and Paul's talk got me thinking about demi again, and whether I should just stop trying to find time to learn Python, and write it in Perl with a Mason web interface instead.

I learned an interesting bit of trivia about the meaning behind the abbreviations for internationalisation (i18n) and localisation (l10n). The 18 and 10 are the number of letters between the "i" and the "n" and the "l" and the "n", respectively.

The private function room we had the dinner and presentations in worked quite well, and it was a good night.

[05:45] [life] [permalink]

Wednesday, 18 May 2005

Using bl.reynolds.net.au as a DNS RBL?

You might like to stop

[23:30] [tech] [permalink]

My brief run in with Open Source spreadsheets

Well I just tried to do (what I consider to be) a fairly basic thing I used to do a lot of in Excel, in both OpenOffice.org's Calc and Gnumeric.

That would be categorising my mobile phone bill.

In Excel, I'd turn on the auto filter, and then do an @SUM on the cost column. If I filtered by something in one of the other columns, the total at the bottom reflected the total for the current filter.

I can't seem to do this (at least not by doing the same sort of actions) in either Gnumeric or OpenOffice.

A further annoyance is that if I do use a filter, I cannot access beyond the bottom of the selected rows. So I can't add an @SUM at the bottom of the cost column after I've filtered. I can't even scroll any lower.

How annoying. (Oh and I do like how OpenOffice wants to ask me if I'd like to autosave. How polite. And useless)

[04:39] [tech] [permalink]

Tuesday, 17 May 2005

Kangaroos have the worst road sense

So I was driving in to work this morning at stupid o'clock because I had to perform a firewall replacement out of hours.

Just before I get to work, I blat along an 80 km/h zone. It alternates between two and three lanes and is a dual carriageway. It's Ginninderra Drive. Nice bit of road. Then I peel off that, and drive around the back of the AIS and then I'm all commuted out.

So it's still well and truly dark at stupid o'clock, and as I come over this bit of a hill, decelerating as I approach the bit where you peel off towards the AIS, I spot a fairly decent sized roo standing upright on the side of the road. Not wanting a repeat performance of last time, I further jump on the brakes and slow right down to about 20 km/h or so, and am nearly beside the kangaroo. At this point, Skippy the mental giant that he is, decides it's a good time to cross the road. Fortunately slamming the brakes on at 20 km/h isn't a terribly big deal, and no one was hurt.

You've just got to love how kangaroos seem to like to try and cross the road at the least opportune time. They'll wait until the one car on the entire highway is right in front of them. They must have a liking for being caught in headlights or something.

[00:14] [life] [permalink]

Fifth migration (third enforcement module)

This morning I did another Firewall-1 replacement. Not a lot to report. It was a bit more of an inconvenience because I couldn't rack the new one in alongside the old one because of rack space constraints, so I had to start extra-early so as to get it all done before the testers all did their thing.

The remainder of the rollout has been put on hold as I'm being transferred over to a disaster recovery project (well, it's really a project to build a fully DR-capable replica of the existing site for deploying up in Sydney).

At this stage it's just for June, but who knows how long it'll really be?

[00:01] [work] [permalink]

Monday, 16 May 2005

On HTML email

From the SANS Internet Storm Centre Incident Handler's diary:

If God had intended for email to be written in HTML, then the traditional signoff of prayers would be </amen>.

Heh.

[14:14] [humour] [permalink]

Friday, 13 May 2005

Damn

apollock@debian:~$ date -d '13 dec 1976 + 10000 days'
Fri Apr 30 00:00:00 EST 2004

No 10K days party for me :-(

[05:18] [geek] [permalink]

Thursday, 12 May 2005

The clock is ticking...

Tonight Sarah and I went to see the marriage celebrant to lodge the Notice of Intended Marriage, which we had no idea was a legal requirement for getting married until we rang the celebrant earlier this week.

Apparently you have to wait a month after lodging this thing before you can get married, and have up to 18 months to tie the knot. As there is the possibility we might be moving overseas for work, and we might need to have a quickie wedding beforehand, we thought there was no harm in lodging this thing now.

[05:48] [life] [permalink]

Sunday, 08 May 2005

Adventures in User Mode Linux

I have an upcoming application for some UML hosts, so I blew the cobwebs off the Debian packages over the last week and had a bit of a fiddle.

kernel-patch-skas

So if you want to run a UML guest, you really want to have the Separate Kernel Address Space patch in the kernel of the host running the guests. As I track Sarge, and currently run a bog standard Sarge 2.6.8 kernel, I wanted to be able to just patch SKAS into it. I didn't want to deviate drastically.

So first cab off the rank was hacking kernel-patch-skas so that it would patch a 2.6.8 kernel. This was relatively easy, I just had to retrofit the 2.6.8.1 patch, which was already in there. I took out the hunk that patched the top level Makefile, and it applied perfectly to both a clean 2.6.8 kernel source, and a 2.6.8 source with kernel-patch-debian-2.6.8 applied. It built, I'm running it on my test box.

kernel-patch-uml

This is where the fun starts. At present, this patches 2.4.26 or 2.6.8.1. I naturally wanted to have it work with everything in Sarge, so I added 2.6.8 to the mix, with the same patch as 2.6.8. This applied fine to the 2.6.8 sources.

user-mode-linux

This is where the fun stops.

As it currently stands, this package is just a bit of glue between the kernel-source package and the kernel-patch package. It also introduces a few patches of its own, which I haven't been able to figure out yet. With some slight modifications to this package, I had it build-depending on kernel-source-2.6.8 and my new and improved kernel-patch-uml and had all the patches applying. Building was a different story.

I've temporarily given up on trying to get UML to work with everything in Sarge. Apparently there are some security issues with anything older than 2.6.9, so I've turned my attention to Sid for the time being. I believe 2.6.11 has all the UML patches merged in, so I've gutted user-mode-linux to just essentially build-depend on kernel-source-2.6.11 and not apply any patches at all, and build with ARCH=um. That's currently building, so we'll see what sort of a mess that leaves me with.

I NMUed kernel-patch-skas this morning, don't know if the release team will accept it into Sarge or not, given it is frozen, but if they do, at least you will be able to build a UML hostable kernel from Sarge. Building a guest will be a different story, unfortunately.

Matt Zimmerman replied to my NMU asking me if I'd like to adopt the UML packages. I probably will, given I'll be having a bit to do with it again. Unfortunately I have no kernel fu whatsoever, so if I hit problems, I'm going to be stuck between a rock and a hard place.

[19:52] [debian] [permalink]

Friday, 06 May 2005

New category

I've created a new category in my blog for cool technical gadgets that I come across in the course of my work or play. Because I don't want to be accused of advertising and get struck off any Planets, I won't be feeding it Planet Debian or Planet Linux Australia.

Update

Due to technical difficulties with the fakecat plugin for Blosxom, I'll be spamming all you Planet readers with my gadget posts. Sorry, I tried. It's vaguely product-reviewy as opposed to blatant advertising anyway.

Update

Due to extreme responsiveness from fakecat's author, Planet Debian and Planet Linux Australia readers are now spared.

[02:06] [tech] [permalink]

I have a green helmet

No, I don't have a gangrenous penis.

Today, I was issued with my helmet as I had passed my first aid course.

For some reason, first aid officers get a green helmet. Chief fire wardens get a red helmet, floor wardens get a yellow one.

I'm not quite sure why someone who performs first aid requires a helmet. If I don't wear it, can I still provide first aid?

[01:47] [work] [permalink]

Thursday, 05 May 2005

iBoot

Product: iBoot
Vendor: Dataprobe
Australian reseller: Zantech
SAGE-AU member discount? Yes
Why do I think this is cool? This is great for the situations where you want remote controlled power, but don't want to go all out for (or need as many ports as supplied by) something like what Cyclades or APC sell.

[23:53] [tech/gadgets] [permalink]

Wednesday, 04 May 2005

On the state of law and order in the Australian Capital Territory

So Sarah's car got broken into last night and her purse stolen.

It's bad enough that the theft occurred in a dense townhouse complex, to a car parked in a driveway metres from our front door, but when the police were called this morning, they weren't even interested in coming out to fingerprint the car.

As Sarah said to me today, it means thieves can just go about doing their thing with impunity if the police won't even attempt to follow them up.

You'd think with a place as small as Canberra, that if everyone knows someone who knows someone else (i.e. 2 degrees of separation), that the criminal population would have to be well known to the police. You'd think with a bit of a concerted effort, they'd be able to wipe out a lot of theft.

It reminds me of another time (Christmas Eve in fact) when we were living in Ainslie. We were woken at around the crack of midnight by a nearby house burglar alarm going off. After it continued making an ungodly noise for about 5 minutes, Sarah called the police attendance number, and the police weren't interested in coming out, even though there may have been a burglary in progress.

I told my mate Nick, who is a cop in Queensland about it, and he said that up there, they'd make it a priority to attend such a call, as it meant they could potentially nab a burglar "in the act".

ACT police are so lax.

[05:10] [opinion] [permalink]

Star Wars day

"May the Fourth be with you".

Groan.

[04:53] [humour] [permalink]

Drowning, not waving

To quote Mikal

It's just hit me this week that I'm not going to be able to just sail blithely through this semester and pop out the other end passing everything. It's just not going to happen. Steve's right, full-time work, part-time study is hard. (I mean, it's not like I haven't done it before, and I wasn't terribly successful back then).

I'm off to bury myself in a textbook. If you're looking for me most weeknights and weekends, try the University.

[02:30] [uni] [permalink]

Monday, 02 May 2005

Devastated

Yep. I think that pretty much sums it up. My oldest, dearest friends are looking like they're going to split up.

I've known Nick since around 1995, when I was working in my first job as a Mainframe Operator at the Brisbane City Council. He had worked with my Dad as a chainman in the Survey Section of the Works Department before that. I think he was engaged to Susan from the point that I knew him.

Nick's a top bloke. Really cool, funny, with a really quick, smart mouth. He's in his thirties now, so he must have been about 22 or 23 when I first met him. As an 18 year old, I hero-worshipped him.

I can't remember what year they got married, but I went to their wedding. The one thing that has stayed with me to this day is a line from Nick's speech at the reception. It went something along the lines of

Marriage is the ultimate game, and I'm in it to win it.
with some sort of reference to football (he's always been an avid Rugby League and Touch Football player).

Nick left the Brisbane City Council to work for Australia Post, initially as a postman, and later as a night sorter. Susan was always a paediatric nurse. We shared many a drunken party, camping trip, dinner, and picnic together. I have a fantastic photo from a camping and four-wheel drive trip to Stradbroke Island, which I used to proudly display until I broke up with the girlfriend who was also in the photo.

I moved to Canberra. I was never very good at staying in touch with people, but the one set of friends I always called, and always made a point of visiting when I was in Brisbane were Nick and Sue. Nick wasn't always fantastic at returning the calls, and if it were anyone else, I would have written them off as not worth the effort.

Nick left Australia Post, and was successfully recruited into the Queensland Police. I flew up for his swearing in.

They decided to have kids. Susan had a hell of a time falling pregnant with their first child. I know Sue got very depressed, and I think Nick, being a fairly, umm, emotionally withdrawn type (a "bottler") wasn't necessarily seen as being terribly supportive by her during this time. I suspect it is around this point where things started to come unstuck. As an outside observer, who saw them infrequently, it was hard to tell. I know for a fact there was a lot of tension around this time.

After about two years, and some medical intervention, Susan fell pregnant, and had a healthy son Jack. I have nice framed photos on display in my living room. I was so happy for them when Susan finally fell pregnant I cried.

That was a little over 2 years ago. A year ago, Susan fell pregnant again, totally out of the blue and three months ago, gave birth to their second son, Harry.

We were in Brisbane on the weekend for the wedding of one of Sarah's cousins, and I'd been looking forward to it as it was to be the first time I'd see Harry.

Nick was on duty when we dropped around to see everyone, and he only popped in briefly. After he'd left, Susan told me that he'd moved back with his parents 2 weeks previously. She said she couldn't understand why. I'd seen things becoming increasingly strained between them over the years, but I'd hoped things wouldn't ever come to this.

Today, I gave Nick a call, to hear things from his side. He said that he'd fallen out of love with Susan. There wasn't anything there any more. He only thought of her as a friend and she was like a sister to him, not a lover. He wanted to remain amicable with her, and not have a messy split that was the result of a spirally relationship, and most of all, he didn't want it to all go totally pear-shaped in front of the kids. He said he felt trapped.

I can understand where he's coming from. I've been in a similar relationship in the past (sans the kids), and it's hard. When you aren't a fantastic communicator, it's even harder. I just think it's sad how society has gotten to the point where "till death do us part" is really "until it gets too hard". I personally don't see what's wrong with spending the rest of your life with someone who is your best friend.

I'm really saddened by this development. I love Nick and Sue enormously. Nick realises that this is going to totally turn his life on its head, as they have so many mutual friends, and it'll kill him financially. I'd asked Nick to be my best man at our wedding next year. He said (and I agree) that maybe that isn't the best idea. That makes me sad as well. I was going to mention that line that has stayed with me all these years in my speech at the reception, but it doesn't really mean that much if the person who said it didn't win the game...

Sadness.

[23:43] [life] [permalink]

On Ian Murdock and Debian

When I first read today that our progenitor had been kicked off Planet Debian, I was absolutely outraged.

Now that Scott has explained himself I can more or less accept that he did the best he could given his situation at the time. Mind you, I'm not sure how pressingly urgent it was that he get struck off as quickly as it happened, but I don't know the full circumstances.

So now I direct my anger at the > 80 people who complained to Scott about Ian's post about Componentized Linux RC1.

Oh eighty complainants, how does one person blogging about one Linux product differ from a multitude of others blogging about another Linux product, that is, Componentized Linux and Ubuntu? I just don't see where these people get off. Both are derived from Debian, both employ Debian developers. Most importantly, I am happy and interested to read about both of them.

The sheer inequality of this pisses me off immensely.

While we're at it, why is it that one half of what the project is named after has to sit in the New Maintainer queue for a year this month? I think that is grossly offensive in and of itself.

Anger.

[21:45] [debian] [permalink]

Fourth migration (second enforcement module)

This morning I got up at a quarter to 5 to get into work and do the next firewall migration. This one had to be done "out of hours" because I'm getting into the territory of the firewalls that see all the action now.

I was really apprehensive about this one, given that I first started building this firewall about a month or more ago. With a lot of politics, hardware orders taking forever to turn up, and me taking a couple of weeks off to help run a conference, the schedule got pushed back a lot. It had been so long since I'd done a migration, and so long since I'd built this firewall, that I was really worried I'd mess something up.

Fortunately all my checklists I'd made seemed to hold up alright. Yay for quality assurance. Some strange anti-spoofing problems crept in, but a co-worker is going around doing a general anti-spoofing cleanup after me, so I've left that for them to resolve in a more permanent fashion than I did.

[21:27] [work] [permalink]

Monday, 25 April 2005

Garbage bags are quite buoyant

The problem with having a leftover tank of helium in your garage on a public holiday is that you have to inflate things. Since I didn't have any balloons, the next best thing was garbage bags.

I inflated one, and to my surprise it was a lot more buoyant than I expected. I was planning on taking it out the back and expecting it to hover to about the second story balcony or something, instead it bounced off the eaves, and ascended into the heavens and was taken by a cross-wind off in the direction of Mount Majura, rapidly disappearing out of sight.

Sarah thinks I'm acting like a 12 year-old, but how many 12 year-olds have a tank of helium in their garage?

I do feel guilty about letting loose a flying garbage bag though... If it wasn't littering, I'd do it again so I could get some photos...

[00:20] [life] [permalink]

Saturday, 23 April 2005

Well, that happened... (or reflections on the conference from a delegate's point of view)

Okay, now that I've braindumped about organisation stuff, I'll braindump about the conference in general (what I experienced of it).

The (warm body) networking was the best part for me (again). It was terrific that so many overseas Debian and Canonical/Ubuntu people were here this year (or was it just that since LCA 2004, and probably more importantly, Planet Debian, I recognise more names?). It was great to meet for the first time Scott James Remnant, Colin Watson (who has a totally awesome accent), the much maligned James Troup (who I didn't get an opportunity to buy a beer), Mako, Matthew Garrett, Matt Zimmerman, and probably a whole bunch of other people that I've forgotten to mention.

One of the definite highlights for me was the opportunity to have a one-on-one chat with Mark Shuttleworth. He is one exceptional person. He's got himself one metric spankload of money, but he's doing some really good stuff with it, rather than just pissing it up against the wall being an uber-rich dude.

He laid out his vision (and it really is visionary stuff) for where he wants to take Ubuntu and what he wants to do, and I was really impressed with the breadth, depth and clarity of what he had to say for himself. He knows exactly what he wants to do and how he wants to do it, and he's got the money to make it happen. Totally inspirational stuff. As I have said before, I think I need to jump on the Ubuntu bandwagon.

I also made his talk about going to space, and that was truly amazing. Again, here was a guy with a metric spankload of cash, and rather than just paying his way into it (granted, he did part with a wad of cash to get in) he went through all the rigorous training, and really became a cosmonaut, complete with a mission to accomplish while he was up there. I really don't think "space tourist" is a terribly accurate definition for him. From the sounds of it, it took some real determination on his behalf to get to where he got. He told his story really well, and you can tell he really enjoys talking about it. I hope that one got video recorded successfully, as I really want Sarah to see it.

I didn't catch a lot of Eben's talk, which was one I really wanted to catch, because I was running around trying to deal with drinks for lunch, which had been overlooked. Everyone was raving about him and his talk though, so that's another one I hope I can catch on video.

Unfortunately I didn't see a lot of what I really wanted to catch, which was the Debian Miniconf. I came in the tail-end of Mark Shuttleworth talking about Ubuntu and Debian. I suspect it was a similar spiel to what I'd had when I spoke to him earlier, so hopefully I didn't miss too much. There was just too much initial registration stuff and general firefighting to do to allow me to have the first two days totally not doing organisational stuff. Oh well. I should have seen that coming.

I caught bits and pieces of Ted Ts'o's Recovering from Hard Drive Disasters tutorial, and what I caught was pretty cool. I missed the Bitkeeper part of Tridge's keynote, which was right towards the end, because I was doing morning tea preparation stuff, but based on some of the media coverage, it sounded interesting. Hopefully that one was recorded okay as well. I think I caught bits and pieces of Jeremy Allison's CIFS to the UNIX Desktop talk, but kept getting dragged out to attempt to deal with the issue whereby some flog was running a rogue wireless access point, and doing all sorts of nasty man-in-the-middle attacks on people. That really pissed me off (the fact that someone came to the conference and did that). Unfortunately due to the nature of wireless LANs, we really couldn't do a lot about it, but there was a small lynch mob of geeks (myself included) running around for the remainder of the day running iwlist scan on their laptops non-stop, attempting to get a whiff of the bastard again.

I was really looking forward to JB's talk about Asterisk. As it turned out, I had done my RHCE course with him last year in Brisbane (small world). The talk was disappointing. JB was an inexperienced speaker (but it is good to give those types an opportunity to improve) and his talk wasn't technical enough, and a lot of people actually thought he was trying to sell Asterisk, and it was perceived as being too salesy.

I successfully caught all of Martin Pool's talk about Bazaar-NG, and it was really excellent. (I still don't have the whole GNU/Arch, tla/baz/Bazaar/Bazaar-NG thing 100% clear in my head though, not being a really big user of revision control systems).

I also caught all of the OzTivo talk, unfortunately not realising it was on at the same time as Marc MERLIN's talk about spam evasion with Exim. Fortunately I did have a bit of a chat with him at the Professional Delegate's Networking Session, and he's convinced me that I need to give Exim a thorough investigation.

Andrew Morton's keynote on Friday was good. I was really interested to hear what he had to say, but was having a bit of trouble catching everything from right up the back. Fingers crossed the audio was recorded successfully. He didn't use any slides so that's all I really need.

I caught all of Elizabeth Garbee's talk on Tuxracer. I was really impressed by her speaking ability. She was really confident, spoke extremely well, and was humorous. The content probably wasn't technical enough for LCA, but it was great to see a young woman presenting, and it was a really enjoyable presentation nevertheless. I'm glad the CFP guys selected it.

That was about the extent of the talks that I made it to.

I'm really looking forward to Dunedin, where I can socialise more and generally be a normal delegate again. In the meantime, I can get back to having a life^Wstudying.

Oh yeah, shutterbug Michael Davies took a whole heap of photos, which I'm currently hosting for him, and which are proving quite popular.

[06:31] [lca] [permalink]

Well, that happened... (or reflections on the conference from an organiser's point of view)

Phew! LCA 2005 is done, and I have to say that I'm personally fairly happy with how things went. There were a few things that we could have done better, but overall, I think it was a pretty rocking conference, which was Steven's main objective.

I figure now is a good time for a braindump, so stand back, here goes...

From an organiser's perspective (in the order they occur to me):

Waaaay too much pizza. The CLUG pizza guestimating algorithm clearly does not scale. We had something like 150 pizzas surplus to our requirements. The final batch of 100 that arrived went straight to Ainslie Village, where they were gratefully received, and about another 50 left over from the preceding 300 were dispersed around the campus of the ANU to random resident students and anyone else who happened to be in the right place at the right time. Oh, and we really didn't do a terribly good job of catering for the people with special dietary requirements. We went to the trouble of asking delegates if they had any when they registered, but didn't plan appropriate alternatives for the Saturday conference-provided pizza lunch, hence me making a rushed trip to the nearest kebab shop for half a dozen felafel kebabs for the vegans and the food^Wdairy intolerants.

Lightning talks fell off the radar. I think Steve thought that I was looking after them, and I certainly didn't think I was. They didn't even make the program, so they really got overlooked. We managed to shoehorn them into the program on the last day with me nominally coordinating them, but it was a bit too disorganised for my liking. I think they are a very important part of the conference, so they need to get factored in. Perhaps half an hour of them a day (first up, prior to the keynote?) would be a good way to do it in future.

Speaking of keynotes, giving away a laptop was certainly a great way to ensure attendance. Rob did a fantastic job of defragmenting the audience every day. I did find the latecomers, who insisted on clustering around the back rather than finding a seat, mildly annoying. The back rows of the theatres were also popular because the wireless coverage was better there. I had mixed opinions on whether people should be availing themselves of the wireless LAN during presentations, but everyone seemed to be doing it, so I guess go with the flow...

The birds of a feather sessions could have been advertised better. This was my responsibility. I had one delegate have a bit of a bitch to me at the Professional Delegates Networking Session about the sessions being too late and poorly advertised. I hope he email[ed|s] the feedback through to us so we get it straight from the horse's mouth. I don't really know how we could have done that a lot better, scheduling-wise. I was keen on having 2 hour (maybe 1.5 hour would have been better?) BOFs, and with a pretty jam-packed program, this meant things had to stretch into the evening. The problem with this was that once people shot through for dinner, they didn't tend to come back again, so that realistically really leaves you with 9am until about 6 or 7pm at the latest, before people are going to want to run away and have dinner. I had 12 BOF slots, of which I think 7 I'd filled before the conference started by people emailing us. I wanted to preferably keep half the slots available for people to suggest topics during the conference, but I allocated the vacant slots to the later 2 hours, which I suspect is what the delegate I spoke to at the PDNS was pissed about. In hindsight, perhaps having them later in the week would have been better, however that would have required some serious rejiggery, because most other nights had something on, between the Penguin Dinner, and the PDNS. There was just a lot of stuff to try and cram in, and something had to give. Maybe running more BOFs in conflict with stuff would have worked.

The quiz show was a late addition to the program, and seemed very popular. It was a shame that it was up against the keysigning, with so many well-connected foreigners choosing to attend it over the keysigning.

The venue for the Penguin Dinner was a bit ordinary (mainly with respect to open space and audibility from the back of the room). We were a bit limited with where we could seat 500-odd people, within walking distance of the conference venue. I still think it was a fairly good night, even if I didn't manage to blow $2005 on a signed t-shirt :-) The food was pretty good in my opinion.

I think the conference venue itself rocked extremely hard (damn, that phrase is infectious). Having all the theatres in close proximity worked well. Having it all in the one building was a definite bonus. The foyer ended up being big enough, even with the couches (and the couches were a brilliant idea).

The (data) networking was really good. I don't think anyone found the static IP addressing requirement humungously onerous. The proxy ARP problem that was bouncing MacOS X and Windows clients off the wireless LAN was a bit of a pain, but the fact that we could piggyback on the ANU's excellent wireless LAN was a real bonus. Bob did a fantastic job of getting a lot out of the ANU's networking guys. I think the terminal room was sufficiently good as well. Throwing a few PCs in there seemed to be well received, as they seemed to be in use most times I poked my head in the room.

I found the organisers' room was too far away from the action. It was good to go and chill out there, but the registration concession booth seemed to become the de facto organiser's room instead. That didn't seem to be a major problem though. I'm not sure how well patronised the speakers' and media rooms were. They appeared vacant the majority of the times I walked past them to go to the organisers' room (which wasn't that often).

Having ready access to a laser printer and laminator was bloody brilliant. I spent so much of the first couple of days just knocking up signage as the requirements popped up.

The slideshow in the theatres worked really well as an information dissemination technique (if I do say so myself). The technology we used to implement it was a little bit flakey (the theatre PCs were netbooted with a minimal Linux installation, and all ran svncviewer back to a central server, which had the desktop shared with rfb). If I'd had a bit more time, and done a bit more testing, I probably wouldn't have gone with something that shared the normal X desktop (or maybe a different VNC server that did), as it did some weird shit with what was exported via VNC if you switched to another virtual terminal. But it worked well enough. I had a lot of trouble finding a GNOME-based slideshow displaying app. I ended up using gqview, which was okay, but not great.

Some delegates seemed to be a bit grotty. Mikal lamented about finding apple cores under all the couches, to which I think Chris or Jeremy responded "those damn Apple users!". That was an amusing comment today. I think bins were in sufficient supply that there shouldn't have been as much mess as there was.

I think we overcatered morning and afternoon teas. I dare say LCA2005 will be forever known as the LCA where the delegates were stuffed with food to the point of popping. The coffee was good, and one of our main concerns (that we wouldn't be able to caffeinate enough people in the time allotted) was unfounded.

The cowbell worked well as an indication that the talks were restarting after the breaks.

Umm, I think my brain is starting to run out of things now...

But please, if you have some feedback, (positive or negative, but preferably constructive if it's negative) please email it to us.

I'm looking forward to attending LCA 2006 as a mere delegate again.

[05:39] [lca] [permalink]

Tuesday, 19 April 2005

And the word for the day is...

"Cool"

[22:01] [lca] [permalink]

Sunday, 17 April 2005

Twas the night before lca2005, and all through Manning Clark, nobody was stirring, not even a conference organiser

I started the day with a couple of airport pickup runs, picking up some Debian developers and dropping them at their accommodation. I also introduced Mako to Vegemite and Tim Tams, which I'm sure he'll be blogging about...

I'm really pleased with how things have gone today. We did our first batch of earlybird registrations (guestimates are about 20% of delegates registered this afternoon). The wireless LAN appears to be working, excluding a gratuitous ARP problem with MacOS X (it's a Linux conference, use Linux, dammit!) which I will Google for a solution shortly.

The slideshow is up and running in the theatres, and I have managed to get svncviewer playing ball with init, so I can remotely PXE boot the theatre machines and have them automatically VNC into the main server with the slideshow running on it (I can drive the whole gig from the couches in the foyer, very cool).

I think the couches in the foyer should be a big hit. They were certainly well patronised this afternoon by the delegates that turned up to register.

Bring it on, I can't wait. (But I'm glad to be at home getting ready for bed at a sane hour, rather than doing a million last-minute things).

[05:00] [lca] [permalink]

Friday, 15 April 2005

Holy bags of schwag, Batman!

Have we got some cool schwag... We've just spent this morning doing the bag brigade thing and packed 500 bags with some very cool schwag if I do say so myself.

I'm impressed that we've managed to have the whole lot done before midday...

Now I just need to organise the printing of some signage, make sure all the lecture theatre slideshow stuff works, and I'll be feeling pretty happy with things.

[18:50] [lca] [permalink]

Thursday, 14 April 2005

Twas the week before linux.conf.au, and all was busy

I've had my own personal hackfest this week, and it's been fun.

First, I tried to get Debian going on an E450 for use as a desktop in the terminal room (as you do). This worked, but I ran into some unpleasant video problems. So I tried taking dilinger's Sargeified Ubuntu xorg packages and building them, which worked, but presented a whole bunch of keymap problems, so I wrote that off as a failure.

Next, I dicked around with the slideshow presenting solution for the theatres when there isn't a presentation on. We've hijacked the PCs that are part of the theatres, and are netbooting them with Linux, and then they're going to VNC back into a central server using svncviewer (so they're pretty minimal), which will run a set of slides (which I must create tomorrow).

The piece de resistance was the access point I helped Bob with today for the backpackers hostel to provide delegates staying there with some wireless Internet access (we're hoping more than one person is actually going to stay there so they can avail themselves of this).

It's a small cased mini-ITX box, with a PCI wireless card and an iBurst modem hooked up to it, running a bit of NoCatSplash (just because I could) (I can't believe this isn't in Debian?). It's doing transparent proxying. It's not that exciting, but I think it's cool because we've essentially made our own big fat access point with extra functionality to suit our requirements.

Tomorrow I need to make the aforementioned slides up, figure out how to make up a BOF sheet in LaTeX that doesn't suck, and do some general gophering. Probably thoroughly test the backpacker's access point too.

[04:41] [lca] [permalink]

Perfect weather for a conference

I took this week off work to help do finishing touches to linux.conf.au and the weather has been fantastic. I really hope it keeps it up for next week. If it does, the decision to hold the conference in April will have really paid off.

[04:19] [lca] [permalink]

Tuesday, 12 April 2005

In the interests of timely information dissemination

This email should have gone out sooner, but it is still going through the works, so to get the information out before delegates start unplugging and getting on planes and getting out of contact, here's a sneak preview:

Hi!

With the conference less than a week away, we thought we should give you some
orientation information for when you get here, to help you find your way to
the Manning Clark Centre. Once you've registered, you will receive your bag
of schwag, which will include the conference handbook, which will answer any
further questions you may have.

This email contains:

* Directions to the Manning Clark Centre from all over the place
* Emergency contact telephone number
* Important note regarding delegate badges
* A reminder about the keysigning
* Current weather conditions

------------------------------------
> Where is the Manning Clark Centre?
------------------------------------

The MCC is building 26a, and can be found at 
http://campusmap.anu.edu.au/displaymap.asp?grid=gh32

How do I get to the Manning Clark Center from Burgmann College?

Burgmann College is building 52 on
http://campusmap.anu.edu.au/displaymap.asp?grid=cd54

Walk out of the college onto Daley Road and turn left. Take the right fork
onto Sullivan's Creek Road. Keep walking. You should pass the Hancock
Library on your left and there will be a zebra crossing across Sullivan's
Creek road to a bridge over Sullivan's Creek. Walk over this bridge and
follow the path along the rear of the Chifley Library (with Fellows Oval on
your right). Take a left turn past the entrance to the Chifley Library,
keeping the A.D. Hope building to your right and you should see a ramp
leading up to the Manning Clark Center.

How do I get to the Manning Clark Center from the City (a.k.a. Civic)?

Assuming you will be entering the campus via University Avenue, walk down
the pathway keeping the Copland Building (building 24 on
http://campusmap.anu.edu.au/displaymap.asp?grid=ef32) on your right, until
you reach the University Union Building (building 20) and hang a right up
the ramp to the Manning Clark Centre.

How do I get to the Manning Clark Center from University House?

University House is building 1 on
http://campusmap.anu.edu.au/displaymap.asp?grid=cd32

Walk along Liversidge Street until you come to Ellery Crescent. Follow it to
the left, until it reaches a cul de sac outside Melville Hall (on your
left). This will lead you onto the same path beside the Copland Building
referred to in the directions from Civic above.

-----------------------------
> Emergency telephone contact
-----------------------------

If you get completely, utterly and hopelessly lost, ring 6125 8186 
(that's +61 2 6125 8186) and it will divert to an organiser, who will try
their best to direct you to the Manning Clark Centre.

------------------------------------------
> Delegate badges, more precious than gold
------------------------------------------

As you may have already learned, linux.conf.au has sold out quite a few
weeks before the conference. Because of venue restrictions, numbers are
strictly limited to 500. To ensure this, we will be checking delegate badges
throughout the conference. Make sure you wear yours at all times and do not
lose it. We will be charging a replacement fee of $50 to replace delegate
badges (after sighting satisfactory identification). Anyone found not
wearing a badge at the venue will be asked to leave.

Your badge is also your ticket to the conference dinner and the professional
delegates networking session (if your registration includes these).

------------
> Keysigning
------------

If you are interested in taking part in the GPG keysigning party at LCA
make sure you submit your public key prior to Friday 15th. More
information and instructions on how to submit your key can be found at
http://www.keysigning.org/event/lca2005

---------
> Weather
---------

If you're wondering what to pack, currently it is a bit unseasonably warm,
with maximums in the mid to high 20 degrees (Celsius). There is rain
forecast for Friday, which may drop the temperature back a bit next week, so
you might want to bring a mixture of summer-type clothes (i.e. shorts and
t-shirt type stuff) and slightly warmer clothes (i.e. jeans).

See you soon!

[04:44] [lca] [permalink]

Monday, 11 April 2005

Switching to static output

Fingers crossed I haven't screwed up and Planet Debian is going to see all of my blog all over again.

I've switched Blosxom to do static output, rather than forking off a Perl process for every connection. I can't wait until Blosxom 2 comes out and supports mod_perl.

This afternoon daedalus started to really chug. I'm either getting a lot of (spam) email and MIMEDefang is thrashing the box, or my blog just got real popular (or both). Enabling static output certainly is pretty trivial. Here's hoping the load on daedalus drops off again.

Update

Well fakecat and static output generation don't play well, which means the custom RSS feeds for Planet Debian and Planet Linux don't get updated properly, so I'm switching back to dynamic output until I can resolve that.

[15:39] [tech] [permalink]

Sunday, 10 April 2005

I am Andrew The Blogger

I went to see one of my lecturers this morning, as I have this week as well as next week off for linux.conf.au preparations.

Thanks to Steve forwarding one of my previous blog posts to the entire Department, the first thing he asked me was "Are you Andrew the blogger?".

[20:48] [uni] [permalink]

Confucius say: Man who host website on dynamic IP address gonna have bad time

I've been following Dirk Eddelbuettel's dramas with his broadband IP address changing (but hey, they don't call it a dynamic IP address for nothing), and I thought I would write about how I survive on a dynamic IP address. Until I moved house and had an outage of a few weeks of my broadband, I had changelogs.debian.net hosted on the back of my broadband connection without any major problems using this method.

I've been using ADSL since around 2000, and always been on a dynamic IP address. I had previously enjoyed a static IP address on my dialup connection back in the good old days (gee our web design sucked back then).

I have had daedalus.andrew.net.au since around the same time I went broadband. It has always been sitting in a colo facility somewhere, so is subsequently on a static IP address, and it acts as the primary nameserver for my domains.

For secondary DNS, I use a mixture of a free account I have with UltraDNS (from back in the days when it was Secondary.COM), and the member service provided by SAGE-AU.

So my ADSL IP address changes from time to time. My ADSL connection usually drops out and reconnects every 7 to 10 days, usually coming back with a different IP address. I like to maintain home.andrew.net.au pointing at it, so that I can SSH into it from elsewhere.

So in the way of DNS zone files, I have andrew.net.au, which has everything in it, and I have a subdomain (an actual bonafide subdomain in its own zone file) called dyn.andrew.net.au. (I'll explain why in a moment, it's technically not necessary, but convenient to do so). home.andrew.net.au is a CNAME to caesar.dyn.andrew.net.au, and this is the DNS record that I update whenever my ADSL connection "redials".

My ADSL connection is PPPoE, so I use the Roaring Penguin PPPoE software, which just works with pppd. pppd allows you to run arbitrary scripts when the link comes up, so I've written a Perl script to send a signed (TSIG) DNS update request to my nameserver, and dropped it in /etc/ppp/ip-up.d/

You have to go for a signed request because the update is coming from dynamic address space. I guess I could have added a huge ACL to my BIND configuration allowing all of the address space for my ISP to be able to send my nameserver dynamic updates, but that's a bit broad for my liking. So instead, I have:

zone "dyn.andrew.net.au" {
        type master;
        file "/etc/bind/master/dyn.andrew.net.au.zone";
        allow-update {
                key zoneupdatekey;
        };
        allow-transfer {
                203.27.221.52;
                131.170.24.210;
        };
};

I then create a key with

dnssec-keygen -a HMAC-MD5 -b 512 -n ZONE dyn.andrew.net.au

This produces a couple of files like Kdyn.andrew.net.au.+157+43730.key and Kdyn.andrew.net.au.+157+43730.private, which strangely enough seem to contain the same key material, despite one supposedly being private. I add the key material to a key directive in my named.conf:

key zoneupdatekey {
        algorithm hmac-md5;
        secret "iBHthjiMEM3gqPaQy1oME9sTp87awUU65s+z9Rd9s3wxfE1BpTzfM0j/qSGKCxfDECKvVxOLyxQP459JAx5IfA==";
};

(and no, this is a key I generated for the purposes of this blog entry, not my actual key)

This key is also in my script, as is the domain that is being updated, and that is it. The script can be tested by hand by invoking it:

PPP_IFACE=ppp0 PPP_LOCAL=127.0.0.1 /etc/ppp/ip-up.d/dyndns

and this should set the IP address to 127.0.0.1 for the A record in question. The script logs to /var/log/messages on the box it is run on, and /var/log/daemon on the box running BIND will contain some information about how the update request was handled.

caesar.dyn.andrew.net.au has a 5 minute TTL, so the most anyone with a self-respecting caching nameserver should retain the old IP address for when it changes is about 5 minutes. That's good enough for me.

Why did I bother with the whole subdomain thing? The BIND 9 Administrator Reference Manual says that you shouldn't edit a dynamic zone file by hand, so you really don't want to mix a zone file that has manually maintained entries with stuff that is updated dynamically. Also, BIND tends to make a bit of a mess of the zone file, so I give it its own zone file to make a mess of, and never touch it myself.

So in summary, home.andrew.net.au is a CNAME to caesar.dyn.andrew.net.au, which is updated dynamically via my script. My script is just a Perl implementation of something you could do with nsupdate and a few lines of shell, by the way.
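
The nsupdate-and-shell equivalent mentioned above, as an added example (this is not the author's Perl script). The zone, record, TTL and nameserver come from the post; the key file path, and storing the same `key zoneupdatekey { ... };` statement in it for `nsupdate -k`, are assumptions.

```shell
#!/bin/sh
# Added example: /etc/ppp/ip-up.d hook that sends a TSIG-signed dynamic
# update with nsupdate when the PPPoE link comes up.

SERVER=daedalus.andrew.net.au        # primary nameserver named in the post
ZONE=dyn.andrew.net.au.
RECORD=caesar.dyn.andrew.net.au.
TTL=300                              # the 5 minute TTL from the post
KEYFILE=/etc/ppp/dyndns.key          # assumed path; contains the
                                     # "key zoneupdatekey { ... };" statement

# Accept only a dotted quad with four octets in 0..255. PPP_LOCAL ends up
# inside an nsupdate command batch, so nothing else may get through.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1                        # split on dots (digits and dots only)
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# The TSIG secret is a shared key: refuse to use a key file that group or
# other can read, write or execute.
key_is_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld -- "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Print the nsupdate batch that replaces the A record with address $1.
build_update() {
    valid_ipv4 "$1" || return 1
    printf 'server %s\nzone %s\nupdate delete %s A\nupdate add %s %s A %s\nsend\n' \
        "$SERVER" "$ZONE" "$RECORD" "$RECORD" "$TTL" "$1"
}

# pppd exports PPP_LOCAL to ip-up.d scripts; do nothing when it is absent.
if [ -n "${PPP_LOCAL:-}" ]; then
    if ! key_is_private "$KEYFILE"; then
        logger -t dyndns "refusing to use $KEYFILE: missing or too permissive"
        exit 1
    fi
    if ! batch=$(build_update "$PPP_LOCAL"); then
        logger -t dyndns "ignoring invalid PPP_LOCAL value"
        exit 1
    fi
    if printf '%s\n' "$batch" | nsupdate -k "$KEYFILE"; then
        logger -t dyndns "updated $RECORD to $PPP_LOCAL"
    else
        logger -t dyndns "update of $RECORD failed"
        exit 1
    fi
fi
```

It can be exercised the same way as the original: `PPP_IFACE=ppp0 PPP_LOCAL=127.0.0.1 /etc/ppp/ip-up.d/dyndns`.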

[20:38] [tech] [permalink]

Friday, 08 April 2005

There are at least four security flaws in this piece of software

#!/bin/sh
eval ls > $HOME/listing

This is on the cover of a brochure for a "Writing Secure Software" tutorial offered by eSec back in 2001. I kept the brochure because it made me think, and until now, I hadn't been able to find four flaws. I was just doing some cleaning up and I found it again.

So far, I have:

  1. relying on $PATH to provide ls (someone can overload it to cause something else to be executed).
  2. trusting the output of the aforementioned ls command and executing it
  3. relying on $HOME to be set to something sane
  4. making an assumption about the current working directory of the script (as this is going to influence what ls returns and is thusly fed to eval)

Well, that is four things, but I'm not sure if that was the four things eSec had in mind. Now I think I will throw it out...
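
For comparison with the brochure's two lines, here is a hardened variant that addresses the four points listed above. It is an added example, not eSec's answer and not the author's code; the function name `write_listing` and taking the directory as a command-line argument are choices made for this example.

```shell
#!/bin/sh
# Constructed hardened counterpart to the brochure script (added example).
set -u
PATH=/usr/bin:/bin; export PATH     # point 1: do not inherit the caller's $PATH
umask 077                           # the listing is readable by its owner only

# write_listing DIR OUTFILE
# Lists DIR into OUTFILE. Both must be absolute paths, so the result does not
# depend on the current working directory (point 4) and OUTFILE cannot be
# steered by a relative or empty $HOME (point 3). Nothing is passed to eval
# (point 2).
write_listing() {
    src=$1
    out=$2
    case "$src" in /*) ;; *) echo "directory must be absolute" >&2; return 2 ;; esac
    case "$out" in /*) ;; *) echo "output path must be absolute" >&2; return 2 ;; esac
    [ -d "$src" ] || { echo "not a directory: $src" >&2; return 2; }
    [ ! -d "$out" ] || { echo "output path is a directory: $out" >&2; return 2; }
    out_dir=$(dirname "$out")
    [ -d "$out_dir" ] || { echo "no such directory: $out_dir" >&2; return 2; }

    # Write to a fresh temporary file and rename it into place. The rename
    # replaces whatever sits at OUTFILE, including a symlink, instead of
    # writing through it.
    tmp=$(mktemp "$out_dir/.listing.XXXXXX") || return 3
    if ls -A -- "$src" > "$tmp"; then
        mv -f -- "$tmp" "$out"
    else
        rm -f -- "$tmp"
        return 4
    fi
}

# Usage: script DIRECTORY   (writes $HOME/listing; aborts if HOME is unset)
if [ "$#" -eq 1 ]; then
    write_listing "$1" "${HOME:?HOME is not set}/listing"
fi
```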

[21:17] [tech/security] [permalink]

Thursday, 07 April 2005

Pop

That was the sound of our current domestic bliss bubble bursting.

This afternoon, I got a phone call from a sales droid at the real estate agent that manages the place we're currently renting. He said the owner had asked for an appraisal on the property. This can only mean one thing, he is thinking about selling.

Selling means two things: tons of people traipsing through the place, and the probability of having to move again increasing.

I really don't want to move again. We're pretty settled here.

My interpretation of the ACT Residential Tenancy Act is that a lease can be terminated early if the title of a property changes hands, so we might not be safe until our lease runs out, if the property does change hands and the new owner wants to live in it.

So I can only hope that the owner just wants an appraisal for the heck of it (but who does that?) or the appraisal isn't that good, so he decides not to try and sell it. Maybe rising interest rates have something to do with it all...

Time will tell.

[04:10] [life] [permalink]

Tuesday, 05 April 2005

Priceless!

[15:49] [humour] [permalink]

Sunday, 03 April 2005

Pondering my future

I have to say that what Matthew Wilcox had to say regarding the Social Contract changes strikes a chord with me, and echoes the sentiments I've heard of other developers around the traps.

I hadn't been thinking about it too much until someone I respect greatly brought it up recently, and it made me think about it in about as much depth as Matthew probably has, and I didn't like it.

I definitely feel that calling the GR an "editorial change" was grossly misleading.

I guess I will have to consider whether I want to continue in the project once the new Social Contract starts to take effect on Etch.

Maybe Ubuntu is a more moderate alternative.

Like Matthew, I have an emotional attachment to Debian. I firmly believe it is a technically superior Linux distribution. If Ubuntu builds on that strong foundation without some of the licensing fanaticism, maybe that's where I'm better off contributing my spare time...

[06:39] [debian] [permalink]

I'd like to be a Mr Mom

Sixty Minutes ran a story tonight about men being the "housewife".

I've wanted for a long time (once I had settled down and gotten married, and had kids) to be the one doing the domestic duties, provided it was economically feasible.

For a few years I've been jaded with the IT industry. I can't see myself being in it for the rest of my life. I think the realisation came when SecureNet was acquired by Betrusted. We scored a manager from the United States, and he was having one-on-ones with everyone. He remarked to me about how I'd been there 18 months and was a "veteran" (there had been significant staff turnover in those 18 months). It was like "Wow, you've been here 18 months! That's forever!"

This made me realise that if I was considered a "veteran" after 18 months to 2 years in a job, that I'd be looking at something like another 12 different jobs in my working life. I'd actually like to settle down in a job and be a 20 year veteran, not a 2 year one, and you just can't do that in IT. You either go bust, get bought, or the job gets so sucky that you just plain quit. So far, I've been in all of those situations in my 10 years (egad, it's been 10 years!) in the workforce.

I figure, if Sarah can earn enough money, and my investments can supplement that, why should I have to keep working? I love kids. I change a pretty mean nappy, I'm a clean freak (when I put in the effort). I could do Open Source stuff from home in my spare time (some mothers may laugh at me now, saying that it is a full-time job just being a parent).

I think most importantly, I'd like to be there for my kids. I've worked some pretty horrendous hours in jobs in the past, and I don't want to be working jobs like that when I have kids at home I could be spending time with.

I certainly don't agree with 60 Minutes calling the phenomenon a "social upheaval". Gawd, just because people aren't sticking to their gender stereotypes any more? Give me a break. I think it's a lifestyle and an economic decision. I know Sarah really enjoyed last year when I was a full-time student and not working at all. She had lunches made for her, all the housework got done, and I was a much nicer person to have around.

[05:06] [life] [permalink]

One assignment down

Whilst I don't necessarily agree with the motive for this particular assignment being one done in pairs, I have had a pretty fun time doing the actual work. It was nice to be able to openly collaborate on an assignment for a change.

I worked quite well with my partner, Tiane. We both have half a clue about Java, and we both seemed to be on a similar wavelength. We were able to elaborate on our ideas really badly to each other, yet understand what we were trying to say and do, which was rather convenient.

In terms of efficiency, it probably wasn't all that good. I think we spent 3 sessions in the labs at uni for about 7 hours at a time, but the time seemed fairly productive. Doing the work in three sessions seemed to help us take a fresh approach to problems. We would solve something in 15 minutes that we'd previously been bashing our heads against in the previous session.

So I'm kind of hoping the next assignment will be a partner one as well, because it's more fun.

[04:48] [uni] [permalink]

Is Architecture: Any too much? (or If only one could control wanna-build more easily)

As I continue to wade through the backlog of mail in my debian-devel folder due to The Thread, I read a small thread starting with this message from Peter De Schrijver, which got me thinking.

Why do we bother building everything on every architecture?

I haven't seen or played with any of the more uncommon architectures that are potentially going to be affected by the Vancouver Proposal, but I know ARM is more of an embedded system architecture, and I don't actually know what m68k is good for, other than maybe revelling in a bygone era.

For some of these architectures that have trouble keeping up with building everything, do we actually need to build everything on them? Does s390 need KDE? Does it even need X? Can you sit in front of a mainframe and use it as a desktop computer? Would you even want to? Similar questions must apply for some of the other architectures.

So I wonder if we're a bit too quick to use Architecture: any in our binary packages? Well, as I just discovered on #debian-devel, the Architecture: field is irrelevant anyway (to package building), it is wanna-build that attempts to build everything, and it doesn't look at the Architecture: field of a source package.

So it's a bit of a shame package maintainers can't more directly control this from their packages, and it's a shame that it can't be done on an opt-out basis. For example, if KDE didn't need to be built on m68k, the kde source package could have something like Architecture: any, !m68k. Even if the architecture list had to be explicitly specified, wishlist bugs could be used to add an architecture to the list that a particular package was built on.

But, as it seems that the build process doesn't work this way, this approach won't work in any shape or form without a bit of reengineering of all the buildd stuff.

One upside of these musings is that I discovered a veritable wealth of knowledge about how everything hangs together, which was something I was lamenting about the lack of about 18 months ago, so I can improve my education some more.

Back to reading debian-devel...

[04:40] [debian] [permalink]

Thursday, 31 March 2005

ROTFL

I haven't even finished reading it yet, and I can't link to it yet because it hasn't hit the archive, but Joerg's Bits from the DAMs is priceless!

[22:51] [debian] [permalink]

Finally...

I have finished reading The Thread. It nearly killed me, but I avoided killing much of it so I could try and be as informed about it as possible. I don't think reading it across such a period of time helped me retain much though...

I don't think my opinion on the proposal has changed much. I'd still like to see Sparc make the grade, and I still think it can. If anything, this proposal has given all the ports a bit of a shake up. They can't just sit back and assume that their port will release with Etch, and that they need to keep their houses in order. (I'm sweating on udev to build on arm so I can get the fix for #300435, pedal harder guys!)

I'll certainly be taking a more active interest in the Sparc port (other than just using it), and helping out where I can.

[00:00] [debian] [permalink]

Wednesday, 30 March 2005

Passed first aid course

Yay. I am now a qualified Senior First Aid officer with Saint John Ambulance, and I have my Wednesday nights back. Might come in handy for Linux.conf.au...

[04:02] [life] [permalink]

Saturday, 26 March 2005

Aural deja vu?

My favourite TV show is Rage, I tape about 5 hours of it every Saturday morning, and usually watch at least some of it during the course of the weekend.

I was sitting down watching a bit this afternoon, when I noticed two songs that were close to each other in the charts sounding very identical.

Falling Stars by the Sunset Strippers sounds virtually indistinguishable from Star2Fall by Cabin Crew. Different record companies. A bit of Googling turned up this bit of juicy gossip.

Now if they'd just use something original, there wouldn't be a problem...

[00:35] [life] [permalink]

Thursday, 24 March 2005

Laptop sleep, laptop wake up, laptop sleep...

Mikal just enlightened me on the wonders of ACPI suspend...

Here I was thinking I was going to have to totally reinstall my laptop because I hadn't made my swap partition big enough, and I was using LVM and was all out of partitions, and all I had to do was put a 3 in /proc/acpi/sleep! Sheesh...

A quick bit of extra hackery to acpid and now when I close the lid, my laptop takes a snooze. I'm so happy. I really need to read up on the ACPI thing...

[03:51] [tech] [permalink]

Wednesday, 23 March 2005

GNU/Screen deserves an award

I think GNU/Screen should get some sort of award for being a really cool piece of software. Or maybe it's Unix Ptys that should, but screen is what really exploits them...

The multiuser feature is something that I use rarely, but when I do, I really appreciate it. Today, I used it to help diagnose a co-worker's problems with building some software, from the comfort of my desk, without having to try and squeeze in next to him at his desk, and squint at his ridiculously small xterm font.

I've previously used it to train another sysadmin, so rather than two of us having to sit on each other's laps in front of one computer, we could both sit at our own desks and talk to each other, while taking turns to drive the same shell.

[16:17] [tech] [permalink]

Tuesday, 22 March 2005

Oh dear God.

My tax dollars at work.

Now all I need is a GPS...

[21:16] [opinion] [permalink]

Wednesday, 16 March 2005

Adventures in reverse engineering

This week has been fun. I've been reverse-engineering how a Linux-based load balancing appliance works.

The appliance is an F5 BIG-IP Local Traffic Manager.

Up until version 4.5, they used to be BSD-based, but they went to a new hardware platform, and decided to double 4.5 and came up with v9, which incidentally, appears to be Red Hat 9 based.

We want to be able to customise the build process so that we spit out a site-specific-configured BIG-IP. No problem I think, I'll just build an RPM containing all of our config files in it. I'd previously pulled to bits the installation process, and it was quite trivial to just grab the ISO, unpack it, chuck an extra RPM on, add that RPM's filename to a file, and rebuild the ISO. Hey presto, my "Hello, World" proof of concept RPM was being installed on a BIG-IP.

So then I tried to go for gold, and built a preliminary config RPM, with our password file in it and whatnot. This is where I got too clever for myself and forgot one minor problem. Half the files I'm trying to install in my RPM belong to other RPMs already installed, so of course RPM bleats, and the package doesn't install. Bummer. I need to find out if I can declare that one RPM overwrites bits of another one, otherwise I'll really have to hack the installer so that it can force a specific bunch of RPMs in.

<rant> It would help if I could find a canonical, current source of documentation for the RPM spec file and RPM building in general. Google is useless. You put "rpm" and "spec" together, and you start finding all sorts of random spec files for packages, which is not what I want. www.rpm.org is grossly out of date, and not terribly in-depth, and the chapter of the Fedora Developer's Guide is a joke. </rant>

[14:46] [work] [permalink]

Tuesday, 15 March 2005

Nicely put

I think Steve Langasek's wife has very nicely summed up Steve's proposal in her blog.

I'm still trying to wade through the 400+ emails that followed up the announcement, so I haven't been able to digest what the general vibe is, and I've only briefly lurked on IRC today (but I log #debian-devel, so if I really cared I could go back through it).

As I said yesterday, the new release strategy doesn't impact me in a negative manner terribly much. My pet non-x86 architecture that is affected is SPARC, and it's a pretty neglected pet at that.

One thing that I thought about today when I opened my debian-devel folder and was greeted by 400+ emails in one thread, was that if all the energy had been expended on fixing bugs, then we'd be able to freeze Sarge tomorrow...

[02:05] [debian] [permalink]

Poverty stricken?

I just learned yesterday, that the reason the assignment for COMP2100 is to be done in pairs is more because they can only afford to pay for marking of half as many assignments as there are students in COMP2100, than because they want to encourage us to be able to work in groups.

It's pretty tragic that the Department is so strapped for cash that they've had to cut back on the continuous assessment in this manner. They've also cut back the laboratory sessions this year by one half as well.

It's a bit of a fudge, the ANU jumping up and down about how they haven't raised fees, if students enrolled in COMP2100 this year are paying the same amount as students who were previously enrolled in COMP2100, and receiving a vastly inferior teaching experience. I think I'd rather pay more to maintain the same level of education.

[01:45] [uni] [permalink]

Monday, 14 March 2005

Thumbs up

The Stunning New Release Strategy™ sounds pretty good to me.

I think I'd like to see the SPARC architecture hang in there though.

[00:30] [debian] [permalink]

Friday, 11 March 2005

Blosxom ate my flavours again

Real men don't backup, they just use Google's cache.

Argh. I just got bitten by #265021 again. Thank $DEITY for Google's cache. I managed to repair the damage with about half an hour of reverse engineering the HTML output with a cached copy and vimdiff.

I vented my frustration by raising the severity of the bug.

Meanwhile, rather than just bitching and moaning about it, I'll put blosxom on hold and put some thought into how to handle it better.

[22:54] [rant] [permalink]

Covert tunnelling over ICMP Destination Unreachable (Fragmentation Required) packets?

I had an interesting discussion this afternoon at work regarding the pros and cons of permitting ICMP messages into the classified gateway environment that we manage.

The necessity came up because something has been changed with the WAN link between the site where I work and the site in Sydney, and the MTU is now something more like 1300.

We're faced with the choice of:

  • enabling ICMP Destination Unreachable packets through the firewalls involved
  • lowering the MTU on the interfaces of all the servers in the environments affected
  • stripping the Don't Fragment bit on all the IP datagrams at some point before they traverse the WAN

If it were up to me, I'd be in favour of complying with RFC 1191 and being done with it, but one of my co-workers piped up about covert tunnelling over ICMP.

I have to admit that I hadn't heard about this until today. I had a read of the Phrack article in question, and it talks about doing it with ICMP Echo Request and Echo Reply packets, because these can readily have data added to the payload.

I'm interested in hearing about any exploitation of ICMP Destination Unreachable packets for such unintended purposes. I've raised this on the SAGE-AU mailing list, and the general consensus of responses so far is that blocking such ICMP messages is going to cause all sorts of breakage, and that if you're going to get paranoid about covert tunnelling over ICMP, you need to start worrying about IP over DNS and HTTPS proxying and a lot of physical security issues.

I agree completely. I'm all for Path MTU Discovery working as intended, unless someone can give me a good reason to the contrary. If I get time over the weekend, I'll have a bit of a play with Ethereal and something like sendip on my home LAN.

[01:27] [tech/security] [permalink]

Wednesday, 09 March 2005

Enforcement module migration SNAFU redux

Just when you thought it was safe to push a firewall policy...

Today one of the Operations guys tried to push an updated policy to the enforcement module that I migrated recently and was greeted by some errors regarding "No valid FM license". (I still haven't figured out what FM stands for yet).

I've no idea why this happened out of the blue. I could certainly push a policy after I finished the migration. I restarted Firewall-1, and also received some "No valid FM licenses" during the initialisation messages.

I pulled up the SmartUpdate application, and detached the licenses associated with that node and reattached them (well I noticed that one of them was for an IP address that wasn't on that firewall so I left that detached) and did a cprestart, and everything came good. I gave it a reboot just to make sure it wasn't going to return to SNAFUness after a reboot, and it was still good.

I look forward to the next enforcement module migration with much fear and trepidation.

[21:08] [work] [permalink]

Finally, a QFE card

I finally managed to get my hands on a QFE card today.

These things pop up reasonably frequently on the Australian EBay, but they are always hotly contested, and the price usually ends up skyrocketing by the end of the auction. They're popular because Sun has effectively discontinued them in favour of the Quad GigaSwift Ethernet adapters. They're pricing a QFE at $US 1,795 compared to $US 895 for a GigaSwift. I heard this was to deter customers from buying the QFEs as Sun want to stockpile what they currently have to use as spare parts for customers on hardware maintenance contracts. At around $AUD 100 - $AUD 150 on EBay, arguably brand new, they're a huge bargain.

After losing the third auction for one, I got sick of stuffing around with the auction process, and bought one outright from EBay in the US for less than what they were going for in Australian dollars on the Australian EBay. Gotta be happy with that.

I think I only paid for it on Saturday, and it turned up in the mail today, which totally blew me away for $AUD 12 in shipping. I don't imagine I could send something in the opposite direction for that much...

I quickly chucked it in my desktop PC to make sure it actually worked before providing some feedback to the seller. Linux picked it up fine, but my other NIC seems to be playing up. It didn't get a DHCP lease. Audio also went a bit bonkers. I suspect I have a resource issue of some sort, or I managed to scratch the motherboard when I snapped off the blanking plate for the last PCI slot in the box. I'll deal with it later.

I want to start having a play bridging under Linux, and build a bridging firewall that is totally transparent. I also want to build an inline transparent Argus probe. All these require lots of interfaces, so having four on one card is perfect.

Now I just need to have the spare time (and additional hardware) to do this. Argh. I have too many projects going at once.

[04:32] [tech] [permalink]

Wednesdays are officially hectic, first aid, meeting new people

That's why I'm blogging at 11pm instead of Zzzing.

At the best of times, I have a 2 hour lecture at 1pm, for which finding a carpark seems to be a nightmare on a Wednesday (Monday at 3pm and Friday at 1pm is significantly easier). Then I dash back to work for a token hour or so of work, then I dash back to Uni again for a 1 hour tutorial at 5pm, which for the next four weeks, I have to leave a bit early so as to make it to Deakin to a Senior First Aid course at 6pm until 10pm.

But it's all good. The First Aid course is interesting. The four hours went fairly quickly tonight. I met Renee, who has just started doing a PhD at ANU and just moved here from overseas (she's French-Canadian, but I'm not sure if that's where she's most recently from) with her Australian husband (who has just started a lecturing job at the ANU). One of the reasons she was doing the course was to meet people, so I might invite her and her husband around for dinner when I see her next week.

[04:17] [life] [permalink]

Monday, 07 March 2005

Adventures in resurrecting a laptop

When the hard drive in my VAIO died a few months ago, I figured it could still be put to use as a "server" of sorts with an NFS root filesystem. Yesterday, I spent some time trying to make that come about, with mixed success.

Because the VAIO PCG-F590 does not have an onboard Ethernet interface (what was Sony thinking?) I've had to rely on USB Ethernet adapters to get by, or a PCMCIA wireless card. As I wanted to use this laptop as the new under-bed Festival-powered weather-reading alarm clock (it has way better audio quality than my Ultra 5, which used to do the job), I didn't see the point in tying up a wireless card for something that was never going to move, so I went for the USB Ethernet adapter option.

I could have built a live CD, but the thought of constantly having to recreate and reburn a CD every time I forgot to install a package really didn't appeal to me, so the NFS root seemed much more practical. As the laptop was incapable of directly booting from a external Ethernet device, I created a bootable CD using the most excellent isolinux.

To get the kernel and initrd required for isolinux, I made a chroot (using debootstrap) on my NFS server. In this chroot, I added the initrd-netboot-tools package, which is part of the lessdisks suite of goodies, a project I'd never heard of until yesterday.

The beauty of using initrd-netboot-tools is I can still use a stock Debian kernel image, and with a bit of tweaking, the initrd does all the heavy lifting of acquiring a DHCP lease and mounting the NFS root. Very cool.

I had to do some slight hacking in the chroot that I was exporting so that the initrd was created correctly. The first problem I struck was there was a slight delay between loading the module for the USB Ethernet device and eth0 becoming available. I had to introduce a 2 second sleep before the DHCP request was made, otherwise it would declare that there was no Ethernet device, and not bother DHCPing at all. Here is an exact list of things I had to change in my chroot:

  • I added rtl8150, af_packet, nfs, ehci-hcd, uhci-hcd, pegasus (one per line) to /etc/mkinitrd/modules
  • I set ROOT= (i.e. nothing) in /etc/mkinitrd/mkinitrd.conf
  • I made sure /etc/fstab reflected the NFS mount for the root filesystem correctly
  • I added /bin/sleep to initrd_exe in /etc/lessdisks/mkinitrd/initrd-netboot.conf
  • I set nic_modules="rtl8150 pegasus" in /etc/lessdisks/mkinitrd/initrd-netboot.conf
  • I added /dev/urandom to initrd_files in /etc/lessdisks/mkinitrd/initrd-netboot.conf
  • I installed udhcpc in the chroot (but I think I could have alternatively installed a package that provided dhclient)
  • I hacked a "sleep 2" into the start of /etc/lessdisks/mkinitrd/install_scripts/70_dhcp

Once I'd done all of this, I installed a kernel-image package into the chroot (2.6.8-2 in my case) and then pilfered the vmlinuz and initrd.img for putting onto the CD.

The CD just had the kernel and initrd and isolinux.bin on it, ala:

.
`-- boot
    |-- initrd.img
    |-- isolinux
    |   |-- isolinux.bin
    |   `-- isolinux.cfg
    `-- vmlinuz

The isolinux.cfg is really basic (I need to change it so that I can actually pass some parameters at boot time):

DEFAULT /boot/vmlinuz
APPEND initrd=/boot/initrd.img rw root=/dev/nfs nfsroot=172.16.0.2:/export/laptop ip=dhcp hda=none nfs_opts=rw,sync,nolock

That's about it. Then I struck the problem with doing NFS over a USB Ethernet adapter, which I'm yet to resolve. I tested the whole process out on my current laptop (which has an onboard Ethernet) and it worked fine, so once I resolve the issues with NFS over a USB Ethernet adapter, I should have the VAIO working nicely as a diskless server under my bed reading the weather to me.

Update

I received a suggestion from Uwe Klein via the Linux USB users mailing list to lower the rsize to 1000. This allowed the bootup to proceed slightly further, before it got bogged down again in a similar manner. Andreas Metzler suggested I switch to NFS over TCP, which ended up being just the ticket, and laughably easy to do.

For the record, I also ended up adding /bin/hostname to the initrd_exe line of /etc/lessdisks/mkinitrd/initrd-netboot.conf and my final isolinux.cfg contained:

DEFAULT /boot/vmlinuz
APPEND initrd=/boot/initrd.img rw root=/dev/nfs nfsroot=172.16.0.1:/usr/local/share/lazarus ip=dhcp hda=none nfs_opts=rw,tcp,sync,nolock,rsize=8192,wsize=8192 vga=0x317

The talking weatherman returns!

[03:33] [tech] [permalink]

Sunday, 06 March 2005

PaX takes its bat and ball and goes home?

I don't normally regurgitate vulnerabilities already announced on Bugtraq, but when one is so blatantly self-deprecating it deserves a special mention:

This is a spectacular fuckup, it pretty much destroys what PaX has always stood and been trusted for. For this and other reasons, PaX will be terminated on 1st April, 2005, a fitting date... Brad Spengler offered to take it up but if you're interested in helping as well, contact pageexec at freemail hu

[21:48] [tech/security] [permalink]

Thursday, 03 March 2005

Stunning New Release Strategy™

Oooooh.

I'm excited.

[21:38] [debian] [permalink]

changelogs.debian.net new feature

I've hacked changelogs.debian.net so that rather than redirecting to the relevant changelog on packages.debian.org, it essentially proxies the request (using curl) and does some substitution to make all bug references hyperlinks to the BTS, and all URLs normal hyperlinks.

I've asked Frank Lichtenheld if he can make the changelogs on packages.debian.org do this, so I'll revert back to the old behavior if and when this happens.

[02:15] [debian] [permalink]

Tuesday, 01 March 2005

I am Sisyphus of Debian QA

I think I know how Sisyphus must have felt. The bottom of the list was in sight, when this happened. At least it keeps me occupied.

[14:12] [debian] [permalink]

Monday, 28 February 2005

Third migration (first enforcement module) SNAFU

Yesterday, I migrated my first actual enforcement module. What was supposed to be quite simple, went quite pear-shaped instead.

Fortunately, I picked a relatively unimportant firewall for the first cab off the rank, so the fact that I ran an hour over the allotted change window wasn't an issue. It also enabled me to keep bashing on the problem until I resolved it, rather than having to back out.

What was the problem? Well, it was actually a problem with the migration of the management server for that particular enforcement module. When I migrated the SIC (that's Secure Internal Connection for you non-Firewall-1 savvy people) related crap in $CPDIR/registry/HKLM_registry.data, I screwed up, and didn't set the 6 characters in the SIC's distinguished name to the same thing for both occurrences in that file, which produced quite screwed up results when resetting the SIC between the management server and the replaced enforcement module.

What I had was:

: (SIC
        :ICAState ("[4]3")
        :ICAdn ("o=my_management_server..yyyyyy")
        :HasCertificate ("[4]1")
        :MySICname ("cn=cp_mgmt,o=my_management_server..zzzzzz")
        :CertPath ("/opt/CPshrd-53/conf/sic_cert.p12")
)

when I really should have had:

: (SIC
        :ICAState ("[4]3")
        :ICAdn ("o=my_management_server..zzzzzz")
        :HasCertificate ("[4]1")
        :MySICname ("cn=cp_mgmt,o=my_management_server..zzzzzz")
        :CertPath ("/opt/CPshrd-53/conf/sic_cert.p12")
)

This had the interesting effect of the enforcement module getting the 'zzzzzz' SIC during the initial SIC initialisation, but the management server thinking it was 'yyyyyy', and expecting this during normal SIC operation, so nothing worked.

This problem hadn't manifested itself for the other enforcement modules, as they must only deal with the 'MySICname' part of HKLM_registry.data for normal operation. I'm guessing the 'ICAdn' is only consulted when the SIC is reset.

So I just fixed up the HKLM_registry.data file on the management server and restarted Firewall-1 on it, and then lo and behold, I could establish a connection to my new enforcement module.
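A consistency check for the mismatch described above, as an added example that is not part of the original post or of any Check Point tooling. It parses only the SIC stanza layout shown on this page; the function names are made up for illustration and the two sample stanzas are copied from the post.

```python
import re

# Matches the "(SIC ... )" stanza as it is laid out on this page.
SIC_BLOCK = re.compile(r"\(SIC\b(.*?)^[ \t]*\)", re.DOTALL | re.MULTILINE)
# Matches one attribute line such as   :ICAdn ("o=...")
ATTRIBUTE = re.compile(r':(\w+)\s+\("([^"]*)"\)')

BROKEN = '''\
: (SIC
        :ICAState ("[4]3")
        :ICAdn ("o=my_management_server..yyyyyy")
        :HasCertificate ("[4]1")
        :MySICname ("cn=cp_mgmt,o=my_management_server..zzzzzz")
        :CertPath ("/opt/CPshrd-53/conf/sic_cert.p12")
)
'''
FIXED = BROKEN.replace("..yyyyyy", "..zzzzzz")


def parse_sic(text):
    """Return the attributes of the first SIC stanza as a dict."""
    match = SIC_BLOCK.search(text)
    if match is None:
        raise ValueError("no (SIC ...) stanza found")
    return dict(ATTRIBUTE.findall(match.group(1)))


def organisation(dn):
    """Return the value of the o= component of a DN, or None if absent."""
    for rdn in dn.split(","):
        key, _, value = rdn.strip().partition("=")
        if key.lower() == "o":
            return value
    return None


def check_sic(text):
    """Return a list of problems; an empty list means both names agree."""
    attrs = parse_sic(text)
    problems = [f"{key} is missing" for key in ("ICAdn", "MySICname")
                if key not in attrs]
    if problems:
        return problems
    ica_o = organisation(attrs["ICAdn"])
    my_o = organisation(attrs["MySICname"])
    if ica_o is None or my_o is None:
        problems.append("ICAdn or MySICname has no o= component")
    elif ica_o != my_o:
        problems.append(f"ICAdn has o={ica_o} but MySICname has o={my_o}")
    return problems


if __name__ == "__main__":
    for label, stanza in (("before", BROKEN), ("after", FIXED)):
        print(label, check_sic(stanza) or "consistent")
```

Run against the edited file before resetting SIC, this flags the case where the enforcement module and the management server would end up with different names.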

[16:55] [work] [permalink]

Saturday, 26 February 2005

This month's QA effort

This morning I did some bug triage on html2ps and made QA uploads of both html2ps and vcr.

It's amazing what procrastination enables you to do. I should make a "Powered by procrastination" button for my website or something. If I could be bothered.

[14:37] [debian] [permalink]

Friday, 25 February 2005

Just when you thought it was safe to eat a hot cross bun...

I'd just finished spraying all the spiders outside, and thought I'd have a hot cross bun (as you do).

The hole in the bag seems too small for a mouse to get through, yet the amount of bun gone seems too much for cockroaches, and there are cockroach baits all over the kitchen...

I suppose a mousetrap is next.

[00:15] [life] [permalink]

Thursday, 24 February 2005

How closely do you work with your upstream software author?

It's surprised me somewhat how some maintainers don't seem to interact with the upstream author(s) of the software that they package. To me, it seems the natural way to operate. It's a partnership between the author who has the intimate knowledge of the code and the software, and the package maintainer, who knows how to package for the distribution.

I'm not meaning to point fingers at people by using these examples, they're just some cases I've come across recently, which has prompted me to write about it.

When Andreas Barth recently made a request for adoption of iproute, I glanced over the current bug listing, and in my opinion, saw a lot of bugs that weren't specific to the packaging of the software, and should have been forwarded upstream. When I asked Andreas what sort of a relationship he had with upstream, I think he said something to the effect that he hadn't had any dealings with them during his maintainership of the package.

Similarly, the other day I was looking over the list of orphaned packages with the maintainer not set to the QA group, with the intention of perhaps doing an upload or three in some spare time that I had, and I stopped upon html2ps, which had a good number of bugs open.

I dropped the upstream author an email, as again, a lot of the bugs looked like fundamental issues with the software, not with how they were packaged in Debian. The author replied, saying he hadn't known of the BTS page for his software, and hadn't known of some of the bugs. He actually went so far as to write a bit of a narrative to a lot of the bugs listed, which I will have to follow up the various bug reports with.

I realise that there is personal style to package maintainership, and that some maintainers may be intimately familiar with the source code, but at the end of the day, we all want "Zarro Boogs" in our packages, so I'd think it's in our best interests to do whatever we can to help make that goal come about as easily as possible.

I'm also personally of the opinion that the Debian packaged version of some software should attempt to walk and talk as similarly as the original upstream version. In an ideal world, all distros would strive for this, so there'd be a degree of interoperability between distributions for given software packages. So to this end, I'd rather see an upstream bug fixed upstream, than fixed in a Debian package specific manner, which caused the Debian package to diverge in behavior from upstream.

For the packages I maintain, I'm on fairly familiar terms with the upstream authors. For packages I ITP or adopt, I generally ping the upstream author when I file the WNPP bug. If I don't get a response from the upstream author, I think twice about going through with the adoption or initial packaging. Like I said, it's a partnership, so it's a bit harder when you're on your own, and you're not intimately familiar with the code.

So, get to know your upstream. From my experience, it's a win-win situation.

[21:54] [debian] [permalink]

Monday, 21 February 2005

Second migration successful (well, kind of)

This morning I did the second (and final) Firewall-1 management server migration at this site. It wasn't as successful as the last one, in that it didn't Just Work.

With some help from Jonathan, the problem was traced back to the Get Topology function getting it wrong. I have to do a Get Topology after I've migrated the configuration as the new hardware has different Ethernet device names to the old one (gotta love how Solaris has hardware specific Ethernet device names). Unfortunately, in the process of doing the Get Topology, Firewall-1 decided to mark one of the interfaces as External, when it really should have been Internal, so then the anti-spoofing stuff kicked in and it decided that connections that were legitimate were actually spoofed, and dropped them.

It made matters worse (but was probably a blessing in disguise in that it highlighted the problem immediately) because the interface in question was the one that connected this management server to the rest of the management network, so you couldn't get through the management server (which is also an enforcement module) to other hosts behind it.

Update

It wasn't so much a case of the Get Topology function getting it wrong. It seems that Firewall-1 will assume that the interface with the default route going out it is external. So for this particular firewall, I just need to redo the routing so there are specific routes and no default route, and in theory everything should be considered internal.

[17:10] [work] [permalink]

Here we go again...

Considering I wasn't planning on continuing my studies this year, I seem to be doing a remarkably good job of being enrolled.

So work was magnanimous enough to give me 2 hours a week of paid time to attend classes, which leaves me with another 3 hours (plus travelling time) to make up myself (so no lunchbreaks and lots of early starts for me).

I'm doing COMP2100 (which actually looks quite interesting) and FINM2001.

I wasn't intending to do another Finance elective, however the only other Computer Science subject I was eligible for is taken by a lecturer who I have taken a strong disliking to, so I figured I'd rather do Corporate Finance with one 2 hour lecture a week than the Computer Science alternative with three 1 hour lectures a week.

It'll be very interesting to see how I go, doing full-time work and part-time study. I really hope I can pull it off, at least for one semester.

[03:23] [uni] [permalink]

Sunday, 20 February 2005

Visa mini is insane

I'd seen some ads around the place for this new Visa mini card, but hadn't remembered to pull up a web page for it when I'd been near an Internet connection.

Today, I got an updated terms and conditions in the mail to add conditions for the new Visa mini card (not that I had one, but the same terms and conditions cover all credit card customers).

So it seems they are trying to accessorise the credit card. Why on earth would you want to parade around with your credit card (with presumably number showing to all and sundry) around your neck or wrist?

The thing that cracked me up to the point of writing this was the added terms and conditions. They've had to add stuff to direct customers not to insert their mini card in ATMs or full card insertion readers. Customers who do so will be liable for the cost of any resulting damage. What a joke. Not to mention that most card readers at supermarkets (well Woolworths at least, Coles isn't) are the full card insertion type.

[23:51] [opinion] [permalink]

Saturday, 19 February 2005

Roadkill camp snorkel

Sarah and I went to Jervis Bay (well Huskisson to be precise) for the weekend, to camp with a bunch of the regulars who are friends with Elise and Michael, as well as a few new people.

Travelling to various places via the Federal Highway, I've noticed a tiny sign that points to Nowra via Tarago and Currawang, which has always intrigued me, as taking the "conventional" route to Nowra and similar coastal locations usually involves hopping off the highway much further north, so on Friday night after work, we decided to try this route, more to see where the heck it went than as a shortcut.

It was a fairly interesting drive on the most part. Probably 50% of it was on dirt roads. We drove past some mines I didn't know exist, some tiny towns (probably questionable as to if they had town status), lots of sheep paddocks, and possibly found a way to get into the back of the intriguing Lake George.

When Elise called at about 9:30pm to find out where we were, there was much laughter in the background from the others who knew the area. Apparently everyone's taken this road once, thinking it is a shortcut.

The downer on the night was towards the end of the journey. We were on a dirt road, and what was about the fifth car we'd seen all night was heading towards us, so I'd slowed down to about 40 km/h, and a bunch of kangaroos appeared, and one hopped right in front of me, and I hit it, and then it got hit by the other car coming in the opposite direction. The other car didn't even stop.

I pulled over and had a quick look at my car to make sure it was still drivable (only minor cosmetic damage to the front grill and a damaged headlight housing thankfully), and then walked back about 20 metres to see what condition the kangaroo was in. It wasn't looking too flash. It had at least a broken back leg, with the bone sticking out, was hyperventilating and was bleeding from the nose and mouth. I dare say it was in shock.

I decided that the best thing I could do was put it out of its misery, which was not something I was really happy about doing, as if you haven't already figured out, I'm a bit of an animal lover. I returned to the car to find something to do the deed with, and the only thing I could think of was the steering wheel lock. So I grabbed that and went back to the kangaroo.

Problem was, I just couldn't do it. I raised it a few times to take a swing at the back of the head, but I just couldn't bring myself to do it. I ended up going back to get the car to try and finish it off with that. I ran over it once, and as I was turning the car around to head back off in the right direction again, I noticed it was still moving, so I ran over it again. I couldn't bring myself to check again after that. It was the first kangaroo I've ever hit, and Sarah and I were both a bit traumatised from the experience.

So that was our Friday night trip to Huskisson. We put the tent up at the caravan park we were staying in and hit the sack as Sarah was pretty tired.

The next morning, we went to Green Patch beach in the Booderee National Park to do some snorkelling. I was really looking forward to snorkelling as Sarah had given me a snorkel, mask and fins for my birthday and I hadn't had an opportunity to use them yet.

The visibility was a bit ordinary, and there wasn't a lot to see. I saw some small fish and lots of sea urchins. After lunch, we headed to Summercloud Bay, still in the national park, and had some better results there. The highlight being a huge (we guessed about a metre wide) sting ray, right underneath us.

At about 3:30pm a thunderstorm blew over, and so we decided to head back to Huskisson. Sarah and I stayed in the car for a bit, right down on the beach, watching the lightning over the ocean, and saw some spectacular lightning bolts.

When we got back to Huskisson, the others who had gone scuba diving for the morning had gotten back and were already at the pub so we headed there as well (the storm had passed by this point) and had some dinner.

We headed back early because we were tired and had turned in by about 9pm. We were woken at about midnight by Michael (he and Elise had their tent next to ours) throwing up, so something mustn't have agreed with him in his dinner (he had baby octopus, and had an unintended bit of paper in it).

It also started raining at some point after that, and didn't really let up after that, so when we got up we decided we'd break camp after breakfast and head home.

We had a pretty good weekend. It would have been better if we hadn't hit a kangaroo, and it rained less, but both things aren't really anything we had much control over.

[23:23] [life] [permalink]

Thursday, 17 February 2005

Oh no!

The dude with the disturbing ringtone has just moved directly behind me.

[16:33] [work] [permalink]

Wednesday, 16 February 2005

Mitigating against SSH brute force attacks using Netfilter and the recent module

As I mentioned previously, I recently discovered the wonders of Netfilter's recent module, and have decided to try and employ it to ward off the evil script kiddies and their brute force SSH scripts.

As I like to be able to SSH to my server from wherever I happen to be, and I won't necessarily have the infrastructure to use public key based authentication, I thought I'd see how a bit of selective packet filtering would go.

I'm using:

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

This will allow three port 22 connections from any given IP address within a 60 second period, and require 60 seconds of no subsequent connection attempts before it will resume allowing connections again. The --rttl option also takes into account the TTL of the datagram when matching packets, so as to endeavour to mitigate against spoofed source addresses.

As an additional nicety, I could refine this to use a custom chain and a whitelist that exited the chain for source IPs that were trusted.

I'm going to run this ruleset on my server for a while and see if I

  1. don't lock myself out
  2. make a dent in SSH brute force attacks

Update

After much discussion with Juergen Kreileder, this ruleset would appear to be slightly better:

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j ULOG --ulog-prefix SSH_brute_force
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

This has the (arguably) added benefit of not hosing any established SSH connections from the host that has made too many SSH connections in a short period of time, and allows for whitelisting.

Update

I've had a few people email me and ask about the whitelisting part, which I didn't do a terribly good job of explaining. I should have said that you need to create a custom chain first:

iptables -N SSH_WHITELIST

and then add whitelisted hosts to it in a manner like this:

iptables -A SSH_WHITELIST -s $TRUSTED_HOST -m recent --remove --name SSH -j ACCEPT

this clears the whitelisted host out of the recently seen table, and because it has an ACCEPT jump target, should stop further processing anyway.
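To make the timing behaviour of the updated ruleset concrete, here is a small model of the recent table, added as an example and not part of the original post. It assumes the documented semantics of --set, --update and --remove, keeps the module's default of 20 timestamps per address, does not model --rttl, assumes packets that are not dropped are accepted by later rules, and uses constructed documentation-range addresses.

```python
from collections import deque

WINDOW = 60       # --seconds 60
HITCOUNT = 4      # --hitcount 4
MAX_STAMPS = 20   # the recent module's default ip_pkt_list_tot

ATTACKER = "192.0.2.10"    # constructed sample address
TRUSTED = "198.51.100.7"   # constructed sample address


class RecentTable:
    """One named list (--name SSH): source address -> recent timestamps."""

    def __init__(self):
        self.entries = {}

    def set(self, src, now):
        """--set: record this packet for the source; always matches."""
        self.entries.setdefault(src, deque(maxlen=MAX_STAMPS)).append(now)
        return True

    def update(self, src, now):
        """--update: match if at least HITCOUNT stamps lie in the window,
        and add a fresh stamp when it does match."""
        stamps = self.entries.get(src)
        if stamps is None:
            return False
        hits = sum(1 for stamp in stamps if now - stamp <= WINDOW)
        if hits < HITCOUNT:
            return False
        stamps.append(now)
        return True

    def remove(self, src):
        """--remove: match, and forget the source, if it is listed."""
        return self.entries.pop(src, None) is not None


def new_ssh_connection(table, whitelist, src, now, log):
    """Walk one NEW packet to port 22 through the four INPUT rules."""
    table.set(src, now)                          # rule 1: --set, no target
    if src in whitelist and table.remove(src):   # rule 2: SSH_WHITELIST chain
        return "ACCEPT"
    if table.update(src, now):                   # rule 3: ULOG, keeps going
        log.append((now, src))
    if table.update(src, now):                   # rule 4: DROP
        return "DROP"
    return "ACCEPT"   # assumption: later rules or the policy accept


def replay(attempts, whitelist=()):
    """Replay (time, source) connection attempts; return verdicts and log."""
    table, log = RecentTable(), []
    trusted = set(whitelist)
    verdicts = [new_ssh_connection(table, trusted, src, now, log)
                for now, src in attempts]
    return verdicts, log


if __name__ == "__main__":
    burst = [(t, ATTACKER) for t in (0, 10, 20, 30, 80, 150)]
    verdicts, log = replay(burst)
    for (now, src), verdict in zip(burst, verdicts):
        print(f"t={now:>3}s {src} {verdict}")
    print("logged:", log)
```

The attempt at t=80 is still dropped even though the first three connections have aged out, because each dropped attempt refreshes the entry; only the attempt at t=150, after more than 60 seconds of silence, gets through again.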

[14:32] [tech/security] [permalink]

Tuesday, 15 February 2005

Linux Journal Is Currently Unavailable Due to a DDoS Attack

That's what I just got when I tried to visit the site. Bugger.

[16:11] [tech/security] [permalink]

Psychologically scarred by mobile phone ringtone

Back in the bad old days I had a Nokia 6110 mobile phone, and I used the caller groups feature to give all work related callers the ringtone called "Trio".

Fast forward three and a bit years, and someone in the office I'm working in has the same ringtone, and every time I hear it I have an involuntary shudder.

[14:56] [life] [permalink]

Monday, 14 February 2005

Netfilter "recent" module

I've recently had the Netfilter recent module brought to my attention, and man, is it neat! The final example on the website for it is a bunch of rules that temporarily open up a hole in the firewall to allow an ident request in when an outbound SMTP connection is seen. Very cool. I'm interested in doing something to mitigate SSH brute force login attempts.

[18:27] [tech/security] [permalink]

Learning awk

As bizarre as it may seem, I've managed to get through life until this point without knowing any awk. If cut and paste didn't cut it (no pun intended), I'd just write a Perl script and be done with it.

There's the possibility that I might have to maintain some behemoth monstrosity of an awk script, so I'm using a bit of spare time whilst the bureaucratic wheels turn to read O'Reilly's sed & awk, Second Edition.

[17:36] [work] [permalink]

Prior art?

The other day, Mako graced his blog with some photos of himself in a very fetching number designed by his girlfriend and knitted by his mother. I was immediately reminded of a similar outfit my lovely fiancee's grandmother knitted for her recently...

I wonder which one came first?

[03:01] [life] [permalink]

Saturday, 12 February 2005

She said yes!

I took Sarah away to Sydney for a surprise pre-Valentine's Day weekend. (Well it was as surprise as you can make something where we have such busy schedules that I had to just tell her to keep a weekend open for "something special" about 3 months ago).

We stayed at a swanky hotel and did the bridgeclimb, where I popped the question to her at the top of the bridge. A couple of photos from the climb are here

[20:56] [life] [permalink]

Wednesday, 09 February 2005

Pride in your work

The convoluted way things work (for procurement) within the client's organisation I'm working at are that all hardware is ordered through, and remains property of EDS.

So for this firewall replacement project I'm doing, a bunch of hardware (mainly V240's) was ordered. Another project ordered a few V440's with fibre channel cards. Sun being Sun, ship the cards separate to the boxes, and EDS fit them. Problem is, EDS didn't consult the order when they went to install the cards, and just saw that there were the same number of cards as boxes and installed one in each (when in fact the V440's should have had two cards each and the V240's none).

So this morning, I proceeded to remove the fibre channel card from my V240 for the next firewall I'm replacing, and put it into one of the V440's. I had to pinch a blanking plate from the V440 to fill the gap in the V240. All good, I think. Wrong.

I get the lid off the V440, and discover that the existing fibre channel card hasn't been screwed in, and the blanking plate for the (vacant) PCI slot next to it is (poorly) held in by an ill-fitting PC case screw. Looks like they lost some screws when they were installing the cards methinks.

The V440's have a mix of 33 and 66 megahertz PCI slots. The only cards to go in the box are the two fibre channel cards, and of course EDS has installed the one that is already in there in a 33 megahertz slot, when they had the pick of the slots. So I moved the existing card while I was in there, and installed the one I took out of my V240 in another 66 megahertz slot, found a random screw that fit so that both cards were screwed in, closed it up, and thought I'd have a bit of a rant about taking pride in your work.

[17:45] [work] [permalink]

Tuesday, 08 February 2005

Windows Update is stupid

So I fire up Internet Exploder to run Windows Update (I only use it for this and submitting my timesheet) so as to download this month's plethora of critical updates for Windows, and the stupid thing wants to ignore my proxy settings and make direct connections for the downloads. This of course won't work, so the downloads fail. Never mind the fact that I used a proxy server for every HTTP connection up to the point of initiating the downloads.

[16:04] [work] [permalink]

Loopback devices under Solaris

I was helping a co-worker grok how to loopback-mount an ISO image, and after discovering it was lofiadm that one needed to use in place of losetup, was having a bit of a peruse of the manpage and was amused no end to note that the examples are mounting a Red Hat Linux 6.0 for SPARC ISO image.

You wouldn't expect to find this subtle reference to a competing operating system within the Solaris documentation.

[15:49] [work] [permalink]

Sunday, 06 February 2005

I've been syndicated!

I just read the announcement from Linux Australia about how they've set up their own Planet, and casually loaded it up to see what feeds it has, and lo and behold, I'm in it. Well shucks, I didn't think I was worthy...

[18:15] [life] [permalink]

First migration successful

So this morning I migrated my first Firewall-1 management server in the production environment. Thanks to lots of testing and experimenting and breaking and fixing things in the test environment, I pulled this off without a hitch. And the management servers are the hard ones. The enforcement modules are a piece of cake. There's nothing to migrate except the license. I just need more hardware to turn up before I can proceed further. In the meantime, I've scored another project to do on the side, migrating a data service from an old firewall environment to a new(er) one.

[16:39] [work] [permalink]

Sweet

My boss' boss has agreed to give me two hours a week paid study leave to attend University classes. The rest I have to make up myself. Better than a kick in the teeth, and better than having to make up the total contact hours myself. Now if I can just get tutorials outside of work hours, I should only have to make up about three hours a week of lectures.

[14:59] [work] [permalink]

Saturday, 05 February 2005

If they had half a brain...

Just reading an anti-phishing page of my bank, and they have this gem towards the bottom:

Please Note: The email address spoof@national.com.au must only be used to report suspected spoof emails or hoax websites claiming to be from the National Australia Bank. If you believe your Internet Banking information has been compromised, or you notice a transaction you did not initiate, change your Internet Banking password immediately and contact the Internet Banking Support Team via the details below:

This is after they have plastered the aforementioned email address all over the page a previous two times. Are they expecting the page skimmers the spammers use to abide by this directive?

[20:22] [opinion] [permalink]

Thursday, 03 February 2005

Why I hate Solaris

I really hate working with Solaris, and it's not because of the kernel, it's because the userspace experience is so abominable. The GNU user environment is really what makes Linux so kick arse. I can survive quite well (in a poweruser capacity) on a BSD box if the environment is GNU.

So here's my current list of things that I constantly bump into that aggrieve me no end:

  • there is no decent shell by default (by decent, I mean something with command recall that doesn't suck, like Korn shell).
  • Solaris find blows goats when it comes to any decent options (my kingdom for iname)
  • there is no watch command
  • df is shite

The first thing I do, if I have the option, is GNUify the environment a bit, but that is really a band-aid solution. Invariably, the packages from Sun Freeware are used to achieve this, but I'm not a big fan of how well they are packaged, and you end up with lots of stuff in /usr/local/bin, and sooner or later, you have to get into LD_LIBRARY_PATH hell, and it all goes downhill from there.

In Sun's defense, they are getting with the program, and shipping more and more GNU stuff as optional packages. Solaris 8 (which is what I'm currently having to endure) does ship with GNU Bash, less, and gzip. Solaris 9 goes so far as to ship OpenSSH if I recall correctly. So things are improving, but the user experience (for me) still leaves a lot to be desired, compared to a stock installation of say Debian GNU/Linux.

[16:47] [work] [permalink]

Moved

Well now that the ADSL has finally been relocated, the latency is low enough to make blogging from home tolerable. I feel officially moved now that the Internet access is like it usually is.

We've been here three weeks next Monday, and we're probably about 80% unpacked (the other 20% is going to suck and drag on forever). I also need to get a couple of coffee tables and a bookcase of some sort, but that can wait until my credit card cools down a bit.

It's nice to have a more modern place (mmm, dishwasher), and to have it to ourselves. The increased distance from town is noticeable. Driving home from the ANU tonight after a linux.conf.au organising committee meeting really helped drive that point home, but in reality, the commute is still trivial.

[02:36] [life] [permalink]

Wednesday, 02 February 2005

Underwear goes inside the pants

This song has been copping a bit of airplay in the last few weeks during the afternoon drive timeslot. I think the lyrics are very poignant, and worth a read.

[01:59] [life] [permalink]

Tuesday, 01 February 2005

Just when you thought it was safe to recompile your wireless drivers...

This is a bit odd. I'm running the stock Debian 2.6.9 kernel on my laptop, and I'm just manually compiling the Intel IPW2200 driver and throwing it into my modules directory. Periodically, I grab the latest version and give it a whirl. I'm hanging out for monitor mode support so I can go wardriving again.

Anyhoo, tonight's build attempt failed:

apollock@debian:~/ipw2200-1.0.0$ make
make -C /lib/modules/2.6.10-1-686/build SUBDIRS=/home/apollock/ipw2200-1.0.0 MODVERDIR=/home/apollock/ipw2200-1.0.0 modules
make[1]: Entering directory `/usr/src/kernel-headers-2.6.10-1-686'
  CC [M]  /home/apollock/ipw2200-1.0.0/ipw2200.o
  CC [M]  /home/apollock/ipw2200-1.0.0/ieee80211_module.o
  CC [M]  /home/apollock/ipw2200-1.0.0/ieee80211_tx.o
  CC [M]  /home/apollock/ipw2200-1.0.0/ieee80211_rx.o
  CC [M]  /home/apollock/ipw2200-1.0.0/ieee80211_wx.o
  LD [M]  /home/apollock/ipw2200-1.0.0/ieee80211.o
  CC [M]  /home/apollock/ipw2200-1.0.0/ieee80211_crypt.o
  CC [M]  /home/apollock/ipw2200-1.0.0/ieee80211_crypt_wep.o
  Building modules, stage 2.
  MODPOST
Warning: could not find versions for .tmp_versions/ipw2200.mod
*** Warning: "cleanup_module" [/home/apollock/ipw2200-1.0.0/ipw2200.ko] undefined!
*** Warning: "init_module" [/home/apollock/ipw2200-1.0.0/ipw2200.ko] undefined!
*** Warning: "cleanup_module" [/home/apollock/ipw2200-1.0.0/ieee80211_crypt_wep.ko] undefined!
*** Warning: "init_module" [/home/apollock/ipw2200-1.0.0/ieee80211_crypt_wep.ko] undefined!
*** Warning: "cleanup_module" [/home/apollock/ipw2200-1.0.0/ieee80211_crypt.ko] undefined!
*** Warning: "init_module" [/home/apollock/ipw2200-1.0.0/ieee80211_crypt.ko] undefined!
*** Warning: "cleanup_module" [/home/apollock/ipw2200-1.0.0/ieee80211.ko] undefined!
*** Warning: "init_module" [/home/apollock/ipw2200-1.0.0/ieee80211.ko] undefined!
  CC      /home/apollock/ipw2200-1.0.0/ieee80211.mod.o
  LD [M]  /home/apollock/ipw2200-1.0.0/ieee80211.ko
  CC      /home/apollock/ipw2200-1.0.0/ieee80211_crypt.mod.o
  LD [M]  /home/apollock/ipw2200-1.0.0/ieee80211_crypt.ko
  CC      /home/apollock/ipw2200-1.0.0/ieee80211_crypt_wep.mod.o
  LD [M]  /home/apollock/ipw2200-1.0.0/ieee80211_crypt_wep.ko
  CC      /home/apollock/ipw2200-1.0.0/ipw2200.mod.o
  LD [M]  /home/apollock/ipw2200-1.0.0/ipw2200.ko
make[1]: Leaving directory `/usr/src/kernel-headers-2.6.10-1-686'
apollock@debian:~/ipw2200-1.0.0$ 

I then proceeded to try and recompile the version I was previously running (and hit the same problem). Now I was mildly annoyed, because I'd gone and clobbered my working version with a dud version, irrespective of which particular version I used. So I tried it in 2.6.10 as well, for good measure (I'd previously experienced reliability issues with the driver under 2.6.10, which is why I'm still running 2.6.9).

I'm inclined to say that something is wrong with the Debian kernel headers, but not being a kernel guru by any stretch of the imagination, I'm not quite sure how to say this conclusively in order to file a bug or anything... I might get Rick to read my blog and see what he says.

[03:02] [tech] [permalink]

Monday, 31 January 2005

Groan.

This one just went around work:

A byte walks into a bar and orders a pint. Bartender asks him "What's wrong?" Byte says "Parity error." Bartender nods and says "Yeah, I thought you looked a bit off."

[19:05] [humour] [permalink]

Sunday, 30 January 2005

Migrating enforcement modules is easier

This morning I migrated a Firewall-1 enforcement module in my test environment. This was a hell of a lot easier than the previous migration of the management server.

This probably stems from the fact that an enforcement module is really just a container for a security policy, as pushed from a management server. All I had to do was manually transfer the licence, and reset the Secure Internal Communication (SIC).

So my first real live migration is being presented at today's change control meeting, and I think that gets sent to a higher level change control meeting on Wednesday, so if it is approved at both of these, I should be right to go the week after next. I just have to keep myself occupied in the meantime. I'm going to Melbourne for the day next Tuesday to attend an AUUG junket.

[15:58] [work] [permalink]

Sunday, 23 January 2005

LVM on root with d-i

Junichi was wondering about the root device being a logical volume. Jeff said he wasn't sure about d-i doing it. I can personally say that I've performed an install with root on a logical volume using d-i. Been there, done that, got the t-shirt. Whilst it is nice to have everything inside LVM, the downside is, you have to use LILO as your bootloader, and I find GRUB far more flexible. I did such an install a while ago, so it is possible the situation in RC2 or the daily builds is different.

[04:00] [debian] [permalink]

Thursday, 20 January 2005

Migration success (I think)

I think I've had a win (it's always nice to end the week on a high note). I cracked the shits and plugged my laptop in place of the Windows Terminal Server (my laptop also has the Firewall-1 GUI software installed) and with the firewall policy unloaded (via the console) I was able to make a connection to the management server. I then edited the object for the firewall, told it to reget the topology (taking into account the change of interface names) saved it, pushed the policy and lo and behold, I could SSH to the management server.

That said, I now cannot make an RDP connection to the terminal server, so I'm not sure if Windows freaked out over a duplicate IP address and took itself off the network, or if I plugged the cable back into the wrong interface. I'll look at that on Monday.

[22:24] [work] [permalink]

Second attempt at migrating

So given yesterday's attempt failed dismally, I tried the procedure outlined in a different document. This procedure seemed a bit more holus bolus in its approach to what needed to be copied (i.e. you pretty much copy all the files from the server you're migrating, delete a few and hope for the best).

Similarly poor results. I don't even get anything in the logs this time, which makes it all the more vexing. Using tcpdump and fw monitor shows SYN packets entering the firewall and nothing coming out.

I'm starting to run out of ideas. There's only so much you can do with Firewall-1 from the command line. Hopefully the client's support contract renewal will have been processed by Check Point by Monday...

[20:43] [work] [permalink]

Voicemail galore

Heh, this is funny. One of the other guys noticed that my voicemail light was on on my phone. I haven't been told how to drive my voicemail, or that I indeed had voicemail. He dialled it up to retrieve the messages, and in the meantime I had to help relocate my manager's desk, so I just left the handset on my desk while it played through all the messages. About 45 minutes later, I picked it up to see where it's at. It's at message 63 from June 30 (presumably last year).

I suspect my predecessor didn't know he had voicemail either...

[16:16] [work] [permalink]

ANU's parking policy is stoopid

As I'm only intending to study part-time this year, I'm not eligible for a carpark. This is a PITA because as a part-time student, working full-time, the one thing I don't want to be spending more time than necessary on is finding a carpark. I just want to get in, park, attend my classes and get out again.

I was going to try and get creative and enrol as a full-time student and then drop half the subjects before the census date, but it's just not worth the hassle. I'm still dubious about how I'm going to go doing this full-time work/part-time study thing anyway.

[04:30] [uni] [permalink]

Wednesday, 19 January 2005

First attempt at migrating

This morning I attempted to swap the cables that connected the old Firewall-1 Management Server to the rest of the network, and to the test LAN's management segment. It should have Just Worked™ but it didn't.

11:23:09 drop   172.28.49.3 >bge0 product: VPN-1 & FireWall-1; src:
172.20.50.203; s_port: 2730; dst: 172.28.49.3; service: 22; proto: tcp;
th_flags: 19; message_info: TCP packet out of state;

is what the logs said. Jono said that should only happen if there's a routing error, which there isn't. I'm wondering if it's got something to do with the change in interface names. Unfortunately, the way this test network is set up, the Windows Terminal Server from where I can run the management GUI is through this Management Server (it's also an Enforcement Node), so until I can convince it to pass traffic as per its policy, I can't manage it terribly well. It's really annoying, because the Lightwave that is attached to its console is also through the firewall, so I have to go into the computer room with my laptop and physically plug into the console port, which means I can't be sitting outside testing network connectivity with my laptop plugged into the normal management LAN.

[16:59] [work] [permalink]

Tuesday, 18 January 2005

Sigh

**************** Interface Configuration ****************

Scanning for unknown interfaces...
Firewall-1 found that you are using interface bge, which is not supported.
Please refer to Check Point's SecureKnowledge article ID 55.0.4089734.2604361
for a list of supported interfaces and known issues.
This interface will not be protected by Firewall-1.

Press Enter to continue.

Update: Apparently you can hack $FWDIR/boot/ifdev to convince it to support such interfaces. I love Firewall-1. Really.

[20:30] [work] [permalink]

Quality Microsoft software

This has been doing the email rounds today:

Check this one out for taking the scenic route.


http://mappoint.msn.com/DirectionsFind.aspx

1. In Start and End, pull down "Address in" and choose Norway.
2. In Start, enter "Haugesund" into City.
3. In End, enter "Trondheim" into City.
4. Press "Get Directions"

[19:21] [humour] [permalink]

Weird login problem

So I'm trying to migrate a Firewall-1 Management Server from one box to a freshly installed box. I have an image that takes care of the baseline installation of Solaris and an unconfigured Firewall-1 NG installation. I just tried blatting /etc/{passwd,shadow,group} as well as configuring the hostname and all the interfaces. I gave it a reboot to see how it all went, and wasn't able to login. I'd just get

cannot chdir to /root, errno = 2

after providing a username, and then get returned to a login prompt. What I believed to be the root password wasn't accepted in single-user mode. I'm not sure if it's a permissions thing. I was relatively careless and just went

cat > /etc/passwd
<pasted contents of /etc/passwd on existing server here>
^D

(and so on for /etc/shadow and /etc/group). This potentially left an /etc/shadow with suboptimal permissions, but you wouldn't expect it to lock you out altogether. I did fail to create home directories, but again, I wouldn't expect that to lock me out either. So now I've booted into single-user mode from a Solaris CD... Brown paper bag job by the looks of it. I think I pasted /etc/group into /etc/shadow. That'll do it.

Now this is humorous:

# grep sarah /mnt/etc/passwd
sarahr:x:2001:500:Sarah Kay Roper:/home/sarahr:/bin/false

She contracted out here a long time ago. I guess this is a test machine, so the password database isn't maintained (or was based on an old snapshot of the production password database). Still, it's funny.

Yet I have digressed, and I have spoken too soon. That doesn't seem to have resolved my lockout problems. I tire of this two-man reset and break to PROM crap.

{1} ok setenv auto-boot? false
auto-boot? =          false

Subsequent power cycling will result in a PROM prompt without any further ado.

Ah, the problem is quite simple (I think I was grepping the wrong /etc/passwd when I booted from CD and mounted the hard drive on /mnt). Some brainiac has changed root's home directory to be /root (I actually prefer this, but it's not the norm for Solaris) and this directory didn't exist. That's quite incredible how if root's home directory doesn't exist, no one can log in...

[18:32] [work] [permalink]
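
A pre-reboot sanity check for the two slips in the login post above (the wrong file pasted into /etc/shadow, and a home directory that does not exist), added here as an example rather than taken from the original post. The sample file contents, the user alice and the function names are constructed for illustration.

```python
# Expected colon-separated field counts for each account file.
FIELD_COUNTS = {"passwd": 7, "shadow": 9, "group": 4}


def parse_db(kind, text):
    """Split one account file into records, collecting malformed lines."""
    records, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != FIELD_COUNTS[kind]:
            errors.append("%s line %d: %d fields, expected %d"
                          % (kind, lineno, len(fields), FIELD_COUNTS[kind]))
        else:
            records.append(fields)
    return records, errors


def check_accounts(passwd, shadow, group, existing_dirs):
    """Return a list of problems worth fixing before the next reboot."""
    users, problems = parse_db("passwd", passwd)
    shadows, errs = parse_db("shadow", shadow)
    problems += errs
    groups, errs = parse_db("group", group)
    problems += errs
    shadow_names = {rec[0] for rec in shadows}
    gids = {rec[2] for rec in groups}
    for name, _pw, _uid, gid, _gecos, home, _shell in users:
        if name not in shadow_names:
            problems.append("%s: no shadow entry" % name)
        if gid not in gids:
            problems.append("%s: primary gid %s not in group" % (name, gid))
        if home not in existing_dirs:
            problems.append("%s: home directory %s missing" % (name, home))
    return problems


# Constructed sample data, not taken from any real system.
PASSWD = ("root:x:0:1:Super-User:/root:/sbin/sh\n"
          "alice:x:2001:500:Constructed User:/home/alice:/bin/sh\n")
GROUP = "root::0:root\nother::1:\nstaff::500:alice\n"
SHADOW_GOOD = ("root:constructedhash:12800::::::\n"
               "alice:constructedhash:12800::::::\n")

if __name__ == "__main__":
    # Reproduce both slips: group pasted into shadow, and /root never created.
    for problem in check_accounts(PASSWD, GROUP, GROUP, {"/", "/home/alice"}):
        print(problem)
```

On a real host the three texts would come from the files under the mounted root and `existing_dirs` from a directory listing of the same tree.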

I didn't think this was possible

While on the topic of breaking into Sun boxes...

SC Alert: Host System has Reset

Sun Fire V240, No Keyboard
Copyright 1998-2003 Sun Microsystems, Inc.  All rights reserved.
OpenBoot 4.13.2, 2048 MB memory installed, Serial #60810497.
Ethernet address 0:3:ba:9f:e5:1, Host ID: 839fe501.



Initializing  1008MB of memory at addr        1000000000
SC Alert: SC Request to send Break to host.

{1} ok boot -s
FATAL: OpenBoot initialization sequence prematurely terminated.

FATAL: system is not bootable, boot command is disabled
{1} ok reset-all

Sun Fire V240, No Keyboard
Copyright 1998-2003 Sun Microsystems, Inc.  All rights reserved.
OpenBoot 4.13.2, 2048 MB memory installed, Serial #60810497.
Ethernet address 0:3:ba:9f:e5:1, Host ID: 839fe501.



Boot device: disk0  File and args:
/
SC Alert: SC Request to send Break to host.

Type  'go' to resume
{1} ok boot -s

Sun Fire V240, No Keyboard
Copyright 1998-2003 Sun Microsystems, Inc.  All rights reserved.
OpenBoot 4.13.2, 2048 MB memory installed, Serial #60810497.
Ethernet address 0:3:ba:9f:e5:1, Host ID: 839fe501.



Rebooting with command: boot -s

So apparently you can break out the PROM initialisation and leave the box in an unbootable state. Nice...

[18:07] [work] [permalink]

Give me Cyclades Console Access Servers any day

We use these horrible Lightwave Console Server 3200 things, and they really suck. The CLI is ordinary, but the really annoying feature is that frequently when I powercycle a Sun box, it'll drop the TCP connection, but keep the telnet session open internally, so it keeps me attached to the port, and won't let anyone else have it. Sometimes it times out the connection after a while (but who wants to wait?) and so you have to log in on the administrative port, and forcibly close the connection.

So when you get off your fat arse to walk the (non-trivial) distance to the server room, unlock your rack, kick your Sun box in the guts, lock your rack, and bolt back to try and send a break before the box boots past the point of sending a break, and you discover your console session has died in the arse, it really sucks. You then have to clear out your stuck session, and repeat the whole process again...

I'm not looking forward to when we move downstairs. It'll be completely impractical to bolt anywhere then, and breaking into a Sun box will require one person to perform the power cycle whilst another person sits watching the console (or I take a laptop with me and do it in situ).

At least Lightwave seem to have superseded the 3200 with something that hopefully sucks less (and is more dense). In my experience Cyclades have never sucked, and running embedded Linux makes them inherently more cool.

[18:00] [work] [permalink]

Please, don't bring back Beazley

Disclaimer: I'm not terribly pro-Labor, I'm more Liberal, however I'm pissed at Howard over the war in Iraq.

Can the Opposition please get its act together and give us a credible leader and alternative Prime Minister? Kim Beazley is just not it. The media have already elected him as leader of the Labor Party, however I personally hope it doesn't happen.

So we've just had an Opposition Leader who's had to resign because of health problems. Let's not replace him with an overweight has-been, who hasn't been free of his own health problems in recent times. He kept saying he was healthy today in his press conference, but I have my doubts. I suppose he's going to have to swear off the KFC again and restart running up Mount Ainslie at 5am? He can't be looking forward to that.

Kim Beazley just isn't Prime Minister material, in my opinion. Neither was Simon Crean. I think Mark Latham was the closest thing Labor's come up with since they were last in government. I think there is a serious lack of credible candidates. I think the party's full of people who'd like to think they'd make Prime Minister one day, but until the party can publicly get its act together and stop infighting, every 18 months when they have a leadership stoush just puts another nail in the collective political coffin, and leaves them languishing in the political wilderness even longer.

So in the interests of having a viable Opposition, and keeping the Howard Government accountable, will the Labor Party please get its freaking act together?

[03:12] [politics] [permalink]

Monday, 17 January 2005

Outlet

So I think I'll start blogging about the technical aspects of my work, as a record of the technical achievements I make, and the problems I solve. I'll just have to try not to whinge too much about the political aspects...

[18:46] [work] [permalink]

Sunday, 16 January 2005

Not as nerdy as I thought...

I am nerdier than 46% of all people. Are you nerdier? Click here to find out!

Well, I am more of a geek than a nerd...

[22:34] [life] [permalink]

Saturday, 15 January 2005

On microwave oven power

Last week, our microwave oven stopped heating things. It'd go through the motions, but after it finished, your dinner was still stone, motherless cold. I dropped it into the repair place, and a week later (after much nagging) they told me the magnetron tube had died. It was going to be comparable to getting a new microwave in repair costs, so I decided to get a new one rather than getting it repaired, as the display was dodgy.

The microwave I had was 1000W, and the microwave I bought to replace it is 1200W. I remember when they used to be 650W. It's all good that they're constantly getting stronger, as they cook faster, but it really stuffs around microwave recipes and cooking instructions. The microwave dinners that we frequently eat are geared towards a 1000W microwave, so we've got to experiment with the time to avoid overcooking them.

The power levels apparently do something like Medium High = 70% (so 840W) and Medium = 50%, and so on. I'd rather see them have the ability to dial up the wattage directly instead, so if something had cooking instructions that said "8 minutes on high, assuming a 1000W microwave oven", you could set the power to 1000W, and cook for 8 minutes, instead of having to come up with something less than 8 minutes that cooks the food properly without overdoing it.

Maybe I should have just shopped around more...

[01:34] [life] [permalink]

Friday, 14 January 2005

SSH daemon weirdness

This Saturday and last Saturday, Nagios has told me that it couldn't ssh to daedalus, my server in Brisbane. I figured out last weekend that what seems to be happening is the SSH daemon is getting filled up by connections to its MaxStartups limit (which is 10 by default in the Debian ssh package). The Debian default value for LoginGraceTime (which is how long to hold an unauthenticated connection open for) is 10 minutes.

So you can make a good DoS attack on a default Debian SSH daemon by just doing something like:

while :
do
	nc $VICTIM 22 &
done

So I decided to file #289573. Lowering LoginGraceTime won't really resolve the problem, but it'll shorten the length of the DoS (hopefully).

My initial suspicion is that it's related to those brute force SSH login attempts that have been running around for months, however, I had a brief look into today's DoS, and whilst there were the 10 or so unauthenticated sshd's lingering around tying things up, there weren't any actual TCP connections associated with them, so I'm now wondering if there's a bug in OpenSSH that is being tickled by all this...

The fact that it only seems to be an issue on Saturdays makes me suspect script kiddies...

[19:07] [tech] [permalink]
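
The arithmetic behind the MaxStartups and LoginGraceTime observation in the SSH post above, as an added example (not code from the original post or from OpenSSH): it reads the two keywords from an sshd_config and reports how long idle unauthenticated connections can occupy every startup slot. The sample configs, the 60-second threshold and all function names are assumptions made for illustration.

```python
import re

# Time qualifiers from sshd_config(5); a bare number means seconds.
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
# Fallbacks are the values the post reports for Debian's ssh package at the
# time (MaxStartups 10, LoginGraceTime 10 minutes), not current defaults.
POST_VALUES = {"maxstartups": "10", "logingracetime": "600"}


def parse_time(value):
    """Convert '600', '10m' or '1h30m' to seconds."""
    value = value.strip().lower()
    if value.isdigit():
        return int(value)
    parts = re.findall(r"(\d+)([smhdw])", value)
    if not parts or "".join(n + u for n, u in parts) != value:
        raise ValueError("bad time value: %r" % value)
    return sum(int(n) * UNITS[u] for n, u in parts)


def parse_max_startups(value):
    """Return (start, rate, full); a single number N is a hard cap at N."""
    fields = [int(f) for f in value.strip().split(":")]
    if len(fields) == 1:
        return (fields[0], 100, fields[0])
    if len(fields) == 3 and fields[0] <= fields[2] and 1 <= fields[1] <= 100:
        return tuple(fields)
    raise ValueError("bad MaxStartups value: %r" % value)


def read_settings(config_text):
    """Collect both keywords; sshd uses the first value it obtains for each."""
    found = {}
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        if parts[0].lower() == "match":
            break  # this sketch only reads the global section
        key = parts[0].lower()
        if key in POST_VALUES and key not in found:
            found[key] = parts[1].strip()
    return {k: found.get(k, v) for k, v in POST_VALUES.items()}


def audit(config_text, max_grace=60):
    """Report how long idle pre-auth connections can pin the startup slots."""
    raw = read_settings(config_text)
    start, _rate, full = parse_max_startups(raw["maxstartups"])
    grace = parse_time(raw["logingracetime"])
    findings = []
    if grace == 0:
        findings.append("LoginGraceTime 0: idle connections never time out")
    elif grace > max_grace:  # max_grace is an assumed review threshold
        findings.append("LoginGraceTime %ds exceeds %ds" % (grace, max_grace))
    if start == full:
        findings.append("MaxStartups %d is a hard cap, no early drop" % full)
    return {
        "grace_seconds": grace,
        "refuse_all_at": full,
        # After one burst fills every slot, logins stay refused this long.
        "lockout_seconds": None if grace == 0 else grace,
        # Idle connections per hour that suffice to keep every slot occupied.
        "hold_rate_per_hour": 0 if grace == 0 else full * 3600 / grace,
        "findings": findings,
    }


# Constructed sample configs.
POST_ERA = "# settings described in the post\nMaxStartups 10\nLoginGraceTime 10m\n"
TIGHTENED = "LoginGraceTime 30\nMaxStartups 10:30:60\n"

if __name__ == "__main__":
    for name, text in (("post-era", POST_ERA), ("tightened", TIGHTENED)):
        print(name, audit(text))
```

With the post's values, 60 idle connections an hour keep all ten slots busy; the tightened sample raises that to 7200 and shortens the lockout after a single burst from ten minutes to 30 seconds, which matches the post's point that a lower LoginGraceTime shortens the outage without removing it.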

Tuesday, 11 January 2005

changelogs.debian.net moved

As I'm soon to be moving, and my ADSL will be out of action for $DEITY knows how long, I've moved changelogs.debian.net from running on caesar at home to daedalus in Brisbane. Hopefully the transition has been transparent. I'll leave it running on caesar for a while until the DNS updates.

[14:24] [debian] [permalink]

Open house

Because we're moving out, and our landlord Dave is going to have total strangers renting his house instead of a former co-worker, his partner and a random, he's decided that as he's in Singapore, he'll use a real estate agent to let the place.

I got a phone call from said real estate agent yesterday, saying that a prospective new tenant that had looked at the place previously wanted to have another look with his prospective co-tenant mates. I told her that 6:30pm on Tuesday would be okay.

So what seems to have happened is she's subsequently told all other interested punters to go around and have a look at the place at 6:30pm on Tuesday. Here we all are expecting to show the house to three people, and instead, more cars than you can poke a stick at are lined up on the kerb at 6:25pm. We had about 30 people traipse through the house. It was quite an unsettling experience having that many people wandering around the house looking at everything. Hopefully they'll get enough applications from that lot so we won't have to endure another such exhibition. The rental market must be pretty hot at the moment.

Still, I can't see why anyone would rent this place when for exactly the same money you can have this place instead...

[04:40] [life] [permalink]

Tuesday, 04 January 2005

On quality property management (or the myth thereof)

As a rental property owner, one of my pet peeves is crap property management. You fork out the bucks for a property, you entrust the management of it to a company, and they take a not inconsequential slice of the rent each week, and you just don't get any quality. And you're the paying customer. I shudder to think how they look after the tenant.

So as a tenant, when I get what I consider to be a shoddy customer experience, I get equally irate. Like today.

Today we went in to sign the lease for the townhouse we're going to rent. We don't get it until the 14th, but we signed the lease and handed over the bond today. We went to the office of the real estate agent who is doing the property management in our lunch break and met the property manager. He was alright. He asked us how much time we had, and I indicated I'd only paid for 20 minutes parking, and so he whizzed through the lease reasonably quickly. It was a standard ACT Residential Tenancy Agreement, so that wasn't an issue.

They preferred to have the rent paid by direct debit, and this is where I started to get disappointed by their setup. They couldn't cope with us electronically transferring the rent to their bank account, it had to be them sucking it from our bank account. They couldn't cope with sucking from two bank accounts, it had to be just one. They only suck the money out on the Tuesday after the rent is due, not on the day it's due, and if the Tuesday in question happens to not be a business day, they suck the following Tuesday. If the direct debit is dishonoured for whatever reason, they try again the following Tuesday, then they cancel it and get in touch. (We're paying fortnightly). So that's the main gripe, their payment options suck big time (no pun intended). The only other option is cash over the counter. After having paid electronically for probably the last 2 years, I have no desire to darken the door of the real estate office ever again. I might be inclined to give them a piece of my mind or something. Give me BPay or at least the ability to do a direct deposit puhleaze.

The property manager went to get the receptionist to process the bond receipt while we were still signing paperwork and filling out forms, so that the receipt would be ready on the way out. So when we're ready to leave, we get back to the reception desk, and the receptionist has been too busy gasbagging to someone else about her Christmas to have actually started processing the bond. She then proceeds to stuff up the receipt multiple times, processing it as a rent payment, getting the amount wrong, having to reverse transactions etc before a correct receipt is printed.

It's pretty obvious that all the awards that they like to brag about receiving are for sales and not for property management.

This is where I have one of my pipedream business ideas - a property management company that deals specifically in quality property management, and looks after the tenants. I envisage something like allhomes, but where tenants can apply online, landlords can view applications and comment on them, landlords can see property reports. I was thinking of something where the company could negotiate good rates with painters, plumbers, tradespeople in general, and get quality repair work done when required. Perhaps call centre driven. I had a creative thought tonight about using VoIP and having a distributed call centre of property managers working from home. Like all of my pipedream business ideas, I lack the guts and motivation to put my money where my mouth is and take it anywhere though...

[03:46] [rant] [permalink]

Dude, where's my Synaptic toolbar?

So I fired up synaptic today for my daily dist-upgrade, and immediately noticed that something was missing... Seems I have been bitten by #288445. I hope someone figures out what the problem is...

[00:48] [debian] [permalink]

Monday, 03 January 2005

Additional DAM

I just read that Joerg Jaspert has been appointed as an additional Debian Account Manager. This is great news, as it will hopefully improve the processing of the New Maintainer queue, and take some load (and hopefully flak) off James.

Joerg was my Application Manager when I went through the NM process, and I was impressed by the depth and thoroughness of his questions. I think he is an excellent choice.

[02:35] [debian] [permalink]

Sunday, 02 January 2005

New, non-RC dstat uploaded

Martin Godisch kindly helped resolve bug #283019 by uploading a version of sleuthkit with /usr/bin/dstat renamed to /usr/bin/diskstat, and I have uploaded a version of dstat that conflicts with all previous versions of sleuthkit, and mentions where to find Sleuthkit's dstat in its manpage.

[04:52] [debian] [permalink]

Home again

Just got home. We left Brisbane yesterday morning, and drove to Port Macquarie (we went via the Pacific Highway this time for a change of scenery). We camped in a caravan park (it was very hard to find one with any vacancies) and discovered that the tent pegs seem to have become separated from the rest of the tent since the last time it was used.

Fortunately, using a rock, the picnic table at the caravan park, some miscellaneous Christmas presents and the car, we were able to secure the fly on the tent making what I called "Camp Bodgey". Luckily the weather held out and it wasn't too windy, or we might have had a bad night...

We briefly stopped off in Newcastle for lunch with Elise (Michael was asleep because he had worked the night before). Traffic was significantly heavier than on the New England highway on the way up. The overtaking lanes north of Newcastle were all closed for some unfathomable reason, really slowing down the traffic. It took us 16 hours and 1208 kilometres, including the time spent for lunch in Newcastle, and the kilometres running around Port Macquarie.

The car's clutch survived, fortunately. My brother, who is a mechanic, reckons it doesn't have much left in it.

[02:27] [life] [permalink]