Yenya's World

Tue, 14 Jul 2015

I am looking for the best way to publish my photos on the Web. So far I have ruled out putting my photos on some "cloud" service out of my control (Picasa, Flickr, Rajče). I want something which can generate a static tree of files (HTML/CSS/JPG/JS), which can then be published by any web hosting service, or even on my own server.

Some time ago I tested Highslide.js, but it is more of a lightbox than a gallery, and it cannot adapt itself to the size of the screen.

I have looked at Darktable, which has its own "web gallery" export format, but the surrounding JavaScript is not good enough to make it fit the screen. I have googled many other projects, usually ruling them out solely based on their demo galleries.

What looks promising so far is the thing named Photoswipe. There still are some problems, though:

So, my dear lazyweb: which gallery for static files do you use? I would like to have something with the following properties:

What would you recommend?

Section: /computers (RSS feed) | Permanent link | 5 writebacks

Mon, 13 Jul 2015

Systemd Developer Attitude

Systemd. Some people love it, some people hate it. My own position is somewhere in between: I think many of the things they are trying to solve are real problems which need solutions, the system should "just work" for common use without configuration, etc. But sometimes the overall attitude of the systemd developers is just plain wrong. The following bug report shows the problem pretty clearly:

timeX.google.com provide non standard time - issue #437

TL;DR: it can be summarized as follows:

There are several solutions to this problem which I would consider clean and fair:

The systemd maintainers' response was "we are not a vendor, we don't want a vendor pool", and "let's add a warning when somebody uses the defaults". I think using Google servers against the will of their owner is pretty rude, and shipping defaults which need to be replaced, even though sane defaults are possible, is inconsiderate to their users.

In my opinion, the above clearly shows the attitude of systemd developers towards the rest of the world.

Section: /computers (RSS feed) | Permanent link | 0 writebacks

Fri, 10 Jul 2015

My First CVE Number

After banging our collective heads against the wall while trying to discover why one Samba share works as we expect while another one with the same configuration on the same server does not, I have finally admitted that the bug is not in our setup, but probably in Samba itself.

Interestingly enough, the expected behaviour was that of the share where it did not work, and the other one worked only by accident. The fact that it worked in one case turned out to be a potential minor security issue. So this is the first security issue I have discovered which has its own CVE number: CVE-2015-3287 (details will be in Samba bug #11395 after it is declassified).

I appreciate the fast response of Samba developer Jeremy Allison: the first fix was available within 3.5 hours after the bug was reported.

Section: /computers (RSS feed) | Permanent link | 1 writebacks

Tue, 09 Jun 2015

Laptop Upgrade, take 2

After thinking about upgrading my laptop in 2013, it is time for another try. My old ASUS F3E has a flaky power connector, and sometimes fails to charge, which is quite annoying. So far my requirements are:

Of course, all the above criteria are met with exactly zero laptops currently available in the Czech Republic. So far I am considering the following less-than-optimal models:

So, my dear lazyweb, what would you recommend? Any other models? Any known problems with the above-mentioned laptops? Thanks!

Section: /computers (RSS feed) | Permanent link | 12 writebacks

Fri, 29 May 2015

Historic Bugs

After each Fedora release, the bugs reported against the release which is about to be EOL'd are closed. I have looked at the notifications sent out after the Fedora 22 release, and most of my bugs-to-be-closed are still waiting for the developers to do something about them. I wonder whether reporting bugs to the Fedora bugzilla is still worth the effort. Anyway, the following reply to the bug closing notice made my day:

No! This bug is on the federal register of historic bugs! You can't close it now. Changing to fedora 22 (where, of course, it is still busted).

As you might guess, this is in reply to the infamous "no way to control X server startup options" bug #451562 of GNOME Display Manager. Nothing is being done about the bug (reported in 2008 against Fedora 9), despite promises from 2009 that the bug is being worked on. Apparently GNOME developers are busy making their applications incompatible with other desktop environments instead.

Section: /computers (RSS feed) | Permanent link | 0 writebacks

Thu, 28 May 2015

GNOME-Only Applications

Once upon a time, there was a windowing system called X. There were lots of applications for X written using various widget toolkits. In order to make the window operations unified across the whole desktop, regardless of the widget toolkit used by a particular application, a special application called "window manager" provided window title bars and borders. Applications could inform the window manager about their particular needs (for example, their minimum required window size, etc.) using an open protocol called ICCCM. Not anymore.

Nowadays, GNOME developers have decided that the only way to use their system and their applications is to have the complete desktop, including all running apps, GNOME-based. Being able to run GNOME apps under other desktop environments and vice versa is sooo last-century way of desktop computing. From now on, all GNOME applications inform the window manager using ICCCM that their windows are not to be touched by the WM. These windows then do not have window borders for resizing, raising/lowering, etc.; they have their own title bar and maximize/minimize/close buttons different from the rest of the desktop, etc.

OK, after ditching the GNOME desktop environment when GNOME 3.0 came out, it is time to ditch the GNOME applications as well, as they are clearly not intended to run under a standard desktop environment. So far I have replaced the following applications:

evince with Okular
This means installing lots of KDE libraries, but on the other hand Okular does not take over the whole screen on startup (unfixed since at least 2008), it can zoom to an arbitrary size (CLOSED WONTFIX, really?), and when I run "okular somefile.pdf" twice, I get two windows as expected, etc.
file-roller with thunar-archive-plugin
Not that I use the GUI file manager often, but still.
eog and gthumb with (undecided yet)
I am still not sure about the replacement; so far I am testing ristretto, geeqie and some others.

There is a nice list of recommended applications for XFCE which are written in GTK but positively GNOME-free. Which image viewer and PDF viewer do you use, my dear lazyweb?

Section: /computers/desktops (RSS feed) | Permanent link | 6 writebacks

Mon, 23 Mar 2015

Backward Compatibility

One of the alleged advantages of a certain family of operating systems from Redmond is backward compatibility. They say they support interfaces and applications back to the DOS era, and they sometimes even use this feature as an excuse for some doubtful technical choices they have made. Yesterday I discovered that it is not as good as they often say.

I wanted to install The Neverhood, an old 1996 adventure game. The result was a perfectly working game under WINE and Linux, and a partly-working game under Windows 8.1: the gameplay was OK, but the in-game video sequences and their sound were too sluggish, as if they required 5 to 10 times more powerful hardware. According to forum posts about this topic, it is a common problem in newer versions of Windows. The recommended solution is to run the game under ScummVM, which is a rewrite of many ancient game engines.

Remember this the next time you hear an exaggerated statement about the backward compatibility of Windows.

Section: /computers (RSS feed) | Permanent link | 0 writebacks

Thu, 19 Mar 2015

Libvirt Dependencies

Welcome to Yenya's rant about software "features". Today we will have a look at libvirt in Fedora and its dependencies. But firstly let me show you a funny picture:

[Image: systemd-hungry]

Anyway. I teach a seminar on Linux administration, where one of the tasks is to compile and use one's own kernel. The task for the following week is to create a virtual machine. One of my students had an interesting problem with the second task: virsh refused to start his KVM-based virtual machine with a "command timeout" message.

Digging into the issue, we discovered that it works with the distribution kernel, but not with his custom kernel. Then we found that virsh tries to do an RPC call over D-Bus, which times out because the D-Bus object in question was not present. This object is supposed to be provided by a daemon called systemd-machined, which describes itself with the following headline:

This is a tiny daemon that tracks locally running Virtual Machines and Containers in various ways.

This is in fact an understatement, the real situation being that this daemon is a core part of the virtualization subsystem, and it is not even possible to start a libvirt-managed guest without it. We have tried to start the daemon from the command line, but it immediately exited without a meaningful message anywhere. The only message in the syslog/journal was that systemd-machined failed to start when the system was booted.

Long story short, my lucky guess was that systemd-machined could have something to do with containers as well, and it might need container support in the kernel. After enabling about five namespace-related kernel config options and booting a recompiled kernel, we were able to start systemd-machined, and only then did we manage to start the VM using virsh.
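As an added example (not from the original post), the following POSIX shell script checks the two things that turned out to matter above: whether the running kernel has namespace support, and whether systemd-machined actually answers on the system bus. The list of config options is an assumption, since the post only says "about five"; the bus name org.freedesktop.machine1 is the one systemd-machined owns.

```shell
#!/bin/sh
# Added example: diagnose the "virsh command timeout" described above by
# checking (1) kernel namespace support and (2) whether systemd-machined
# is reachable over D-Bus. Not the post's own code.

# Assumed set of namespace-related options; the post does not list them.
NS_OPTIONS="CONFIG_NAMESPACES CONFIG_UTS_NS CONFIG_IPC_NS CONFIG_PID_NS CONFIG_NET_NS CONFIG_USER_NS"

# check_ns_config FILE: print every option from NS_OPTIONS that is not "=y"
# in the kernel config FILE. Returns 0 if all are set, 1 otherwise.
check_ns_config() {
    cfg="$1"
    missing=0
    for opt in $NS_OPTIONS; do
        if ! grep -q "^${opt}=y\$" "$cfg"; then
            echo "missing: $opt"
            missing=1
        fi
    done
    return $missing
}

# running_kernel_config: dump the running kernel's config to stdout, from
# /proc/config.gz (CONFIG_IKCONFIG_PROC) or the distribution's /boot copy.
running_kernel_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    else
        echo "no kernel config found for $(uname -r)" >&2
        return 1
    fi
}

# machined_reachable: 0 if org.freedesktop.machine1 (the bus name owned by
# systemd-machined) answers on the system bus, 1 otherwise.
machined_reachable() {
    command -v busctl >/dev/null 2>&1 || return 1
    busctl status org.freedesktop.machine1 >/dev/null 2>&1
}

main() {
    tmp=$(mktemp) || exit 1
    if running_kernel_config > "$tmp"; then
        if check_ns_config "$tmp"; then
            echo "kernel: all namespace options enabled"
        else
            echo "kernel: systemd-machined needs the options above; rebuild the kernel"
        fi
    fi
    rm -f "$tmp"
    if machined_reachable; then
        echo "bus: org.freedesktop.machine1 is reachable"
    else
        echo "bus: org.freedesktop.machine1 not reachable (systemd-machined not running?)"
    fi
}

# Only run the checks when invoked with --run, so the functions can be sourced.
if [ "${1:-}" = "--run" ]; then
    main
fi
```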

This spaghetti-structured, unstraceable mess of interconnected daemons communicating over D-Bus and providing no meaningful error messages, which is masqueraded under the collective name "systemd", makes me sick quite often.

Section: /computers (RSS feed) | Permanent link | 5 writebacks

Tue, 30 Dec 2014

PF 2015

I wish a nice year 2015 to all readers of this blog.

PF 2015

Section: /personal (RSS feed) | Permanent link | 0 writebacks

Sat, 20 Dec 2014

HDMI Sound

Another problem related to getting a new mainboard was sound. The mainboard has an on-board Intel GPU, which I use for the first seat. Unlike my previous graphics card for Seat0, it is connected to my monitor by an HDMI port. So I have decided to give sound over HDMI a try.

The problem was that it did not work: using pavucontrol, I verified that sound is routed correctly to the HDMI interface, but the interface said that the output is disconnected. And I did not know how to "connect" it, because physically it obviously was connected.

After some hours of searching I have found the following solution:

$ pactl list cards
...
Card #1
	Name: alsa_card.pci-0000_00_03.0
	Driver: module-alsa-card.c
	Profiles:
		output:hdmi-stereo: Digital Stereo (HDMI) Output (sinks: 1, sources: 0, priority: 5400, available: yes)
		output:hdmi-surround: Digital Surround 5.1 (HDMI) Output (sinks: 1, sources: 0, priority: 300, available: yes)
		output:hdmi-stereo-extra1: Digital Stereo (HDMI 2) Output (sinks: 1, sources: 0, priority: 5200, available: yes)
		output:hdmi-surround-extra1: Digital Surround 5.1 (HDMI 2) Output (sinks: 1, sources: 0, priority: 100, available: yes)
		output:hdmi-stereo-extra2: Digital Stereo (HDMI 3) Output (sinks: 1, sources: 0, priority: 5200, available: yes)
		off: Off (sinks: 0, sources: 0, priority: 0, available: yes)
	Active Profile: output:hdmi-stereo
	Ports:
		hdmi-output-0: HDMI / DisplayPort (priority: 5900, latency offset: 0 usec, not available)
			Properties:
				device.icon_name = "video-display"
			Part of profile(s): output:hdmi-stereo, output:hdmi-surround
		hdmi-output-1: HDMI / DisplayPort 2 (priority: 5800, latency offset: 0 usec, not available)
			Properties:
				device.icon_name = "video-display"
			Part of profile(s): output:hdmi-stereo-extra1, output:hdmi-surround-extra1
		hdmi-output-2: HDMI / DisplayPort 3 (priority: 5700, latency offset: 0 usec, available)
			Properties:
				device.icon_name = "video-display"
				device.product.name = "PLE2607WS"
			Part of profile(s): output:hdmi-stereo-extra2
$ pactl set-card-profile 1 output:hdmi-stereo-extra2

Apparently PulseAudio knows that hdmi-stereo-extra2 is the only connected output, but it stays set to hdmi-stereo anyway. Now that is not very user-friendly, plug&play, etc.
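As an added example (not the post's own code), a POSIX shell/awk helper that automates the fix above: it parses the output of pactl list cards, finds the first HDMI port PulseAudio itself reports as available, and selects that port's stereo profile. The embedded sample listing is trimmed from the pactl output in the post.

```shell
#!/bin/sh
# Added example: switch the card to the profile of the HDMI port that is
# actually connected, using PulseAudio's own port availability flag.

# pick_available_profile: read `pactl list cards` output on stdin and print
# "<card name> <profile>" for the stereo profile of the first port whose
# status is "available" (not "not available"). Prints nothing if none is.
pick_available_profile() {
    awk '
        /^Card #/                      { avail = 0 }
        /^[ \t]*Name: /                { card = $2 }
        /latency offset:.*available\)/ {
            # Port line; "not available)" means nothing is plugged in there.
            avail = ($0 !~ /not available\)/)
            next
        }
        avail && /Part of profile\(s\):/ {
            sub(/.*Part of profile\(s\): */, "")
            n = split($0, prof, /, */)
            for (i = 1; i <= n; i++)
                if (prof[i] ~ /stereo/) { print card, prof[i]; exit }
        }
    '
}

# apply_available_profile: run the parser against the live system and switch.
apply_available_profile() {
    sel=$(pactl list cards | pick_available_profile) || return 1
    if [ -z "$sel" ]; then
        echo "no connected HDMI port reported by PulseAudio" >&2
        return 1
    fi
    set -- $sel
    echo "switching $1 to $2"
    pactl set-card-profile "$1" "$2"
}

# Sample listing trimmed from the post above (used for --dry-run and tests).
SAMPLE='Card #1
	Name: alsa_card.pci-0000_00_03.0
	Active Profile: output:hdmi-stereo
	Ports:
		hdmi-output-0: HDMI / DisplayPort (priority: 5900, latency offset: 0 usec, not available)
			Part of profile(s): output:hdmi-stereo, output:hdmi-surround
		hdmi-output-1: HDMI / DisplayPort 2 (priority: 5800, latency offset: 0 usec, not available)
			Part of profile(s): output:hdmi-stereo-extra1, output:hdmi-surround-extra1
		hdmi-output-2: HDMI / DisplayPort 3 (priority: 5700, latency offset: 0 usec, available)
			Part of profile(s): output:hdmi-stereo-extra2'

if [ "${1:-}" = "--dry-run" ]; then
    printf '%s\n' "$SAMPLE" | pick_available_profile
elif [ "${1:-}" = "--apply" ]; then
    apply_available_profile
fi
```

With --dry-run the script only prints the card and profile it would pick from the sample; --apply runs pactl on the live system.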

Section: /computers (RSS feed) | Permanent link | 0 writebacks

Fri, 19 Dec 2014

Multiseat LightDM

After getting a new mainboard, I have upgraded my home computer to Fedora 20, and made my multiseat setup use the udev/logind/loginctl seat tags. About a month ago I discovered that seat numbers are not correctly assigned to sessions by xdm(8), so I started to look for solutions. Of course, that piece of crap called gdm was not even considered, for obvious reasons. Apparently the solution does exist, and surprisingly enough, it is really nice: it is called LightDM.

LightDM is a display manager. It cleanly separates the display manager part (starting up the X servers, listening on XDMCP, etc.) from the user interface part (the chooser). The latter can be selected from various options, e.g. a KDE/Qt-compatible one and a GTK+-compatible one. The configuration is pretty straightforward, and it does not try to hide anything from the user, unlike the above-mentioned piece of crap.

The multiseat setup in LightDM is pretty straightforward: in /etc/lightdm/lightdm.conf I had to add the following:

[Seat:0]
xdg-seat=seat0
xserver-command=X -layout Primary -isolateDevice PCI:0:2:0 -seat seat0 vt7

[Seat:1]
xdg-seat=seat1
xserver-command=X -layout Secondary -isolateDevice PCI:1:0:0 -seat seat1 -sharevts vt7

In the udev tags, I had to tag the following device as belonging to Seat1 (using loginctl(8)):

And that's it! The only (minor) nitpick is that the GTK+ greeter does not remember the last logged-in user per seat, so it preselects the last logged-in user on both seats by default. But we usually log in only after a reboot, so it is not a big problem.

Section: /computers/desktops (RSS feed) | Permanent link | 0 writebacks

Tue, 16 Dec 2014

Systemd: ENOENT

I maintain a small software project (about 4k LOC) which is a part of the university infrastructure. It is versioned in Git and installed on several computers across the university. Today I wanted to deploy it on a Fedora 20 machine, which of course is running systemd.

Firstly, about my position on systemd: I think most of the things they are trying to achieve are pretty cool, but sometimes the implementation and design choices are a bit questionable. Anyway, I have written two unit files for my software, even using the unitname@.service wildcard syntax. The units are OK; systemctl start unitname-instance.service works as expected. The crash landing came when I wanted to enable these units to start after reboot:

# systemctl enable unitname-instance.service
Failed to issue method call: No such file or directory

What's wrong with it? It can be systemctl start'ed anyway, so the unit files should be OK, shouldn't they? After some hair pulling I discovered that systemd intentionally ignores symlinks in the /usr/lib/systemd/system directory. Moreover, they just set O_NOFOLLOW and print whatever errno they get from the kernel, which is simply misleading. I think my use case, having my own unit files in my git repository, is valid, and there is no reason for disallowing symlinked unit files.

Related Fedora bug reports: #1014311, #955379.

Section: /computers (RSS feed) | Permanent link | 0 writebacks

Sat, 13 Dec 2014

CSIRTs Considered Harmful

OK, I am fed up with the spam coming from local CSIRTs: first from CSIRT MU, and recently even from the CESNET CSIRT.

"The Guild of Firefighters had been outlawed by the Patrician the previous year after many complaints. The point was that, if you bought a contract from the Guild, your house would be protected against fire. Unfortunately, the general Ankh-Morpork ethos quickly came to the fore and fire fighters would tend to go to prospective clients’ houses in groups, making loud comments like ‘Very inflammable looking place, this’ and ‘Probably go up like a firework with just one carelessly-dropped match, know what I mean?’"
-- Terry Pratchett: Guards! Guards!

This is the problem with Computer Security Incident Response Teams (CSIRTs). When they actually handle a security incident, they work well. However, security incidents are not very frequent, at least the important ones. So they tend to over-estimate the impact of many so-called security problems, and tend to keep people notified about their own existence by spamming them, or even demanding replies.

For example, CSIRT MU monitors the network traffic and sends notifications about "suspicious" traffic. The report is an e-mail with a URL where the details supposedly can be found. On that page, there is a partial description of the incident, with the complete description available through another link. So instead of opening, reading and deleting a single e-mail, one has to read the e-mail, open the included URL, and follow the link on that page. For example, CSIRT MU sends us notifications about some computers in our network "scanning" foreign networks, even though it is clearly visible that the "attack" uses one source and one destination address, and lasts only a few seconds. Which most probably means that someone ran nmap against his own remote machine. So the CSIRT sends us their report using their ticket system, and even demands that we respond in time about the cause (each response gets sent back to us twice: once as a group reply, and the second time through their ticket system). After we explain what is probably going on, their response is not a polite "sorry for bothering you with a false positive, we will refine our detection criteria". The response is "OK, I am closing the ticket", and the next day they send us another false positive.

A few days ago we got another "incident report", this time from CESNET CSIRT. They were notifying us about a new HTTPS server in our network with the Poodlebleed vulnerability. OK, we notified the server owner and got the response "we will eventually look at it, but the same content is available over plain HTTP, and it is only a testing server". Which is a perfectly valid response. But CESNET CSIRT thinks they should spam us every day until this so-called "problem" gets fixed.

In my opinion, something like a CSIRT with dedicated staff should not exist (except in the largest companies, maybe). The security response people should be regular staff doing their own work, designated to stop their regular work immediately should a security incident emerge, and work on the security incident instead. But dedicated staff have too much time on their hands, and tend to look for opportunities to let people know about their existence. The same way as the Ankh-Morpork Firefighters Guild did.

Section: /computers (RSS feed) | Permanent link | 5 writebacks

Wed, 10 Dec 2014

Apache Reload Bug

Yesterday I discovered something that I suspect to be a bug in Apache: we use the same config file for many of our systems, and put the system-specific parts inside <IfDefine> blocks.

When Apache started, it worked as expected. However, after a graceful reload, it seems that some instances of Apache started interpreting some <IfDefine> blocks, even though the particular <IfDefine> name was not present on their command line. I even verified this by creating a dummy <IfDefine> block with a non-existent directive: the Apache server started correctly, but died with a syntax error in the config file after a graceful reload.

Long story short, I upgraded to the latest-greatest version of Apache, and the problem disappeared. Has anybody seen something similar?

Section: /computers (RSS feed) | Permanent link | 3 writebacks

Tue, 01 Jul 2014

Static Transfer Switch

Static Transfer Switches (STSs) are amongst the most important parts of the power distribution in our datacenter. Some datacenters are designed with redundant power paths in mind (as required e.g. by the TIER 3 specification). The problem with TIER 3 is that it requires all the equipment to have two or more power supplies. Some appliances (for example, Ethernet switches) are much cheaper with a single PSU. An Ethernet switch with two PSUs is usually from the vendor's top line, and is of course priced as such. We have decided to design our datacenter power distribution with single-PSU equipment in mind.

According to our experience, the majority of the power outages in our previous datacenter were either planned outages, or were caused directly by the failure of the equipment which was supposed to provide higher availability (e.g. the UPSes themselves). So we have planned the datacenter to be able to bridge around the failed part of the equipment, while still providing uninterrupted power even to equipment with a single power supply.

An STS can be viewed as a box with two incoming power lines and one outgoing line. It monitors the incoming power paths, and can quickly switch to the alternate path should the currently-used path become faulty, providing uninterrupted service on the outgoing power line even in case of the failure of one of the incoming power lines. The "static" part of the name means that there are no mechanical parts involved in the switching itself (such as relays); the switching is done by SCRs:

Our STSs are Inform InfoSTS. Their communication protocol and documentation are pretty bad, so I cannot really recommend them. Their proprietary Windows-only management software is even worse. For example, an attempt to set the time fails when the time is before 10:00, because the management software sends the time as H:MM, while the STS itself expects HH:MM even for hours less than 10. I have nevertheless managed to decode the protocol and write my own web-based management application for it (screenshot above).

Probably the most interesting part is that it is the first time I have used SVG inside a web page, and JavaScript for modifying it when new data is read. So the schematics can be edited in Inkscape, and provided that the object IDs are unchanged, the application layer can still work with it. I plan to connect it with MRTG or Zabbix, and make all the numbers clickable, leading to a graph of the history of that particular variable.

Section: /computers (RSS feed) | Permanent link | 0 writebacks

About:

Yenya's World: Linux and beyond - Yenya's blog.


Jan "Yenya" Kasprzak