Friday, December 2, 2011

Who has been spamming legislators with my identity?

Early this week, I received an email from a Tiffiniy Cheng at fightforthefuture.org. I decided to open the message, despite the subject line being spammy-looking at best. The email essentially thanked me for my work in helping to defeat SOPA and urged me to contact my legislators regarding PROTECT IP. While I have no love for either piece of legislation, I was fairly certain that I had never heard of fightforthefuture.org before, and I had not made any effort related to SOPA. Looking closer at the email, I noticed that it was sent on behalf of fightforthefuture.org by Blue State Digital, an organization born from the ashes of the Howard Dean campaign. The email was also sent to an email address I had forgotten even existed, one that I created years ago and set to forward to one of my primary addresses.

I wrote off the email and carried on. Yesterday morning, I received another email from Congressman Dennis Cardoza's office. The email was a form letter thanking me for contacting him regarding SOPA. I'm pretty sure that Dennis Cardoza is a California Democrat, and that California has not yet acquired Minnesota, where I am, and have always been, a resident. The second email was also sent to my long-forgotten email account. Given that these two emails are the only messages this account has received in as many years, something smells fishy.

It seems to me that someone has gotten their hands on an email list (I probably supported some democratic cause years ago) and taken it upon themselves to use that email list to spam legislators. While I may have no love for the current generation of intellectual property law, I have even less love for people using my identity without my authorization. As broken as American politics may seem, this seems particularly dishonest, as it undermines one of the core principles of our government: the ability of citizens to correspond with their elected representatives. If legislators think that correspondence from their constituents might be bogus, why bother reading ANY correspondence?

Wednesday, November 9, 2011

Dry firing a Ruger Mark I pistol

From the FYI department...

I contacted Sturm, Ruger support to find out if it is safe to dry-fire the .22 Standard/Mark I pistol. Here is their response. Short answer, yes.


Comment / question:

I was given an old Ruger Mark I by my father, and I wanted to know if dry firing will damage the pistol. Your FAQ mentions that this is a safe operation on the newer Mark IIIs and .22 pistols generally, but does not say anything specific about its predecessor.


Response:
The firing pin in the Ruger .22 pistols is of the inertia type and dry firing should cause no damage to the firearm as long as the firing pin stop is in place in the bolt (refer to information regarding “To Unload” and “Reassembly” in the instruction manual). When handling the firearm, ensure compliance with all warnings and instructions contained in the manual and be especially careful to keep your firearm pointed in a safe direction. If you should need further assistance please call our Service Department at 928/778-6555 between 8:00 - 4:00, MST Monday thru Friday, at a time convenient for you. A Ruger Representative will be happy to help you.

Tuesday, September 6, 2011

ZFS Volumes not showing up on reboot?

If you're using ZFS on FreeBSD and your ZFS volumes do not appear after rebooting the system, verify that your rc.conf file has zfs_enable="YES". This allows /etc/rc.d/zvol to run, which executes an undocumented 'zfs volinit' command to create the /dev/zvol/... device entries. The script also adds swap space volumes if the ZFS volume has org.freebsd:swap=on set.

Friday, September 2, 2011

Apache syslogging on FreeBSD

If you need to use syslog to send Apache log output, there are plenty of examples already on the Internet. The first hit on Google was the O'Reilly Sysadmin blog, which is very useful. However, the page is a bit old and the Perl script they provide for syslogging access logs is in need of updating. My modified version is below. To summarize the process:

  1. Put the following script in /usr/local/bin/apache_syslog.


    #!/usr/bin/perl

    # $Id$
    #
    # A wrapper script that logs apache access via syslog. Copied from an example
    # at http://oreilly.com/pub/a/sysadmin/2006/10/12/httpd-syslog.html
    # Script requires sysutils/p5-Sys-Syslog from FreeBSD ports.
    #

    use strict;
    use warnings;
    use Sys::Syslog qw( :DEFAULT setlogsock );

    # Excluded, per the rules of Sys::Syslog
    # http://search.cpan.org/~saper/Sys-Syslog-0.29/Syslog.pm#THE_RULES_OF_SYS::SYSLOG
    #setlogsock('unix');
    openlog('httpd', "cons,pid", 'local2');

    # Apache writes one access-log line per request to our stdin
    while (my $log = <STDIN>) {
        chomp $log;
        # Pass the line as an argument, not as the format string: a request URI
        # containing '%' would otherwise be interpreted by syslog()'s printf-style
        # formatting and could mangle or drop the log entry
        syslog('notice', '%s', $log);
    }

    closelog;

  2. Install sysutils/p5-Sys-Syslog from ports (FreeBSD).
  3. In your Apache config replace your ErrorLog directive with "ErrorLog syslog:local1".
  4. Replace your CustomLog directive (for access logs) with "CustomLog |/usr/local/bin/apache_syslog combined".
  5. Edit /etc/syslog.conf, adding the following lines
    !httpd
    local1.* /var/log/httpd-error.log
    local2.* /var/log/httpd-access.log
    !*
  6. Create the log files with "touch /var/log/httpd-error.log /var/log/httpd-access.log".
  7. Edit /etc/newsyslog.conf, adding the following lines
    /var/log/httpd-error.log 640 14 * @T00 J
    /var/log/httpd-access.log 640 14 * @T00 J
  8. (Re)start syslogd and apache.
  9. Profit.


Tuesday, August 9, 2011

Clearing my mental hang-ups about Perl

The script below does some simple things to demonstrate to myself how a number of things work in Perl. Simple things, but ones that I sometimes have to stop and think twice about.

use Config::Auto;

# Test Config::Auto output, which should be a reference
my $ca = Config::Auto->new(
    source => "test.conf",
    format => "equal"
);

my $config = $ca->parse;

print "\$config is a " . ref($config) . " reference\n" if (ref $config);
print "c_one undefined\n" unless (defined $config->{'c_one'});
print "c_two undefined\n" unless (defined $config->{'c_two'});
print "c_three undefined\n" unless (defined $config->{'c_three'});
print "c_one non-existent\n" unless (exists $config->{'c_one'});
print "c_two non-existent\n" unless (exists $config->{'c_two'});
print "c_three non-existent\n" unless (exists $config->{'c_three'});


# Test a non-referenced hash
my %harsh = (
    'one' => 1,
    'two',
);
print "\$harsh is a " . ref($harsh) . " reference\n" if (ref $harsh);
print "one undefined\n" unless (defined $harsh{'one'});
print "two undefined\n" unless (defined $harsh{'two'});
print "three undefined\n" unless (defined $harsh{'three'});
print "one non-existent\n" unless (exists $harsh{'one'});
print "two non-existent\n" unless (exists $harsh{'two'});
print "three non-existent\n" unless (exists $harsh{'three'});

# Test array interpolation
my @array = ("one", "two");
print "\@array interpolated is: @array\n\@array not interpolated is " . @array . "\n\$\#array is $#array\n";

The test.conf file referred to above contains the following:

c_one = 1
c_two =

The following output is generated by the script:

$config is a HASH reference
c_three undefined
c_three non-existent
two undefined
three undefined
three non-existent
@array interpolated is: one two
@array not interpolated is 2
$#array is 1

Thursday, August 4, 2011

Renaming user-defined ZFS properties

Here is a short script I cooked up to rename the namespace of all the ZFS user-defined properties on a host. Useful if you need to change com.foo:beans to com.bar:beans for more than a couple of properties on a couple of filesystems.

#!/usr/local/bin/perl

#
# This script looks at the properties for every zfs filesystem and snapshot on
# a server and changes every occurrence of a property in namespace $old to
# namespace $new.
#

use strict;
use warnings;

my ($old, $new) = ("com.foo", "com.bar");
my $overwrite = "yes"; # overwrite existing $new properties
my $localonly = "yes"; # do not move inherited properties

# Filesystems (and volumes) first, then snapshots
for my $fs ( `zfs list -Ho name` ) {
    chomp $fs;
    do_rename($fs);
}

for my $snap ( `zfs list -Ho name -t snapshot` ) {
    chomp $snap;
    do_rename($snap);
}

sub do_rename {
    my ($obj) = @_;
    # Read every property of the object; columns are property, source, value
    open(my $props, '-|', 'zfs', 'get', '-Ho', 'property,source,value', 'all', $obj)
        or die "Cannot run zfs get on $obj: $!";
    while (my $line = <$props>) {
        chomp $line;
        # \Q...\E keeps the dots in $old from acting as regex wildcards
        next unless $line =~ m/^\Q$old\E:([^\t]+)\t([^\t]+)\t(.*)$/;
        my ($suffix, $source, $value) = ($1, $2, $3);
        # local check, if enabled
        next if (( $localonly eq "yes" ) and ( $source ne "local" ));
        # overwrite check: skip if the $new property is already present
        next if (( $overwrite eq "no" ) and ( check_exists($obj, "$new:$suffix") == 0 ));
        print "Setting $new:$suffix=$value and inheriting (erasing) $old:$suffix on $obj\n";
        # List form of system() passes each argument verbatim, so a property
        # value containing shell metacharacters is never handed to /bin/sh
        ( system("zfs", "set", "$new:$suffix=$value", $obj) == 0 ) or die "Error during zfs set operation";
        ( system("zfs", "inherit", "$old:$suffix", $obj) == 0 ) or die "Error during zfs inherit operation";
    }
    close $props;
}

sub check_exists {
    # Return 0 if the specified property [1] exists on object [0]
    my ($obj, $prop) = @_;
    open(my $fh, '-|', 'zfs', 'get', '-Ho', 'value', $prop, $obj)
        or die "Cannot run zfs get on $obj: $!";
    my $value = <$fh>;
    close $fh;
    chomp $value if defined $value;
    # zfs prints "-" for a property that is not set
    if ( !defined $value or $value eq '-' ) {
        # DNE
        return 1;
    } else {
        print "$prop exists on $obj!\n";
        return 0;
    }
}

Monday, August 1, 2011

Undocumented zfs command

In the process of tracking down a ZFS mount problem (btw, a zpool will not mount automatically if the mount point exists), I realized that my ZFS swap volume was not available to FreeBSD. After some poking around, I found the /etc/rc.d/zvol script, which led me to the 'zfs volinit' command. This command is not documented in the man page or command usage, but it seems to be the goo that gets volumes going. Also, set the org.freebsd:swap=on property on your swap volume, to have it started automatically by the rc scripts.
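The setting this post and the "ZFS Volumes not showing up on reboot?" post above both hinge on is zfs_enable in rc.conf. Here is a check for it, added as an example (not from FreeBSD's rc scripts): it sources an rc.conf the way rc(8) does and applies the same yes/true/on/1 test that rc.subr's checkyesno uses, so a stray second assignment further down the file shows up. The rc.conf fragments are constructed.

```sh
#!/bin/sh
# Added example: will this rc.conf let /etc/rc.d/zvol run?  rc.conf is plain
# shell sourced by rc(8), so the LAST assignment to zfs_enable wins, and
# rc.subr's checkyesno treats yes/true/on/1 (any case) as enabled.

# Print the final value of zfs_enable after sourcing the file in a subshell
zfs_enable_value() {
    ( zfs_enable=""; . "$1" >/dev/null 2>&1; printf '%s\n' "$zfs_enable" )
}

# checkyesno-style verdict for the file given as $1: prints enabled/disabled
rc_zfs_enabled() {
    case "$(zfs_enable_value "$1" | tr '[:upper:]' '[:lower:]')" in
        yes|true|on|1) echo enabled ;;
        *)             echo disabled ;;
    esac
}

# Constructed rc.conf fragments (not copied from a real host)
RC_GOOD=$(mktemp "${TMPDIR:-/tmp}/rcconf.XXXXXX")
printf 'hostname="leopard"\nzfs_enable="YES"\n' > "$RC_GOOD"

# A later line overrides the earlier one; zvol never runs
RC_BAD=$(mktemp "${TMPDIR:-/tmp}/rcconf.XXXXXX")
printf 'zfs_enable="YES"\n# added while debugging boot\nzfs_enable="NO"\n' > "$RC_BAD"

# No zfs_enable at all: /etc/defaults/rc.conf supplies NO
RC_MISSING=$(mktemp "${TMPDIR:-/tmp}/rcconf.XXXXXX")
printf 'hostname="leopard"\n' > "$RC_MISSING"

for f in "$RC_GOOD" "$RC_BAD" "$RC_MISSING"; do
    printf '%s: %s\n' "$f" "$(rc_zfs_enabled "$f")"
done
```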

Wednesday, July 27, 2011

I/O errors on zfs import?

I've been working on freshening up our backup scripts and I noticed that every time I do a ZFS import, the kernel logs I/O errors on RAID volumes, completely separate from the actual volume I want to import, including already mounted ZFS pools and UFS filesystems. For what it's worth, this behavior was occurring on a Dell r610, with an attached MD1000.

Jul 25 13:59:54 leopard kernel: mfi0: I/O error, status= 12 scsi_status= 0
Jul 25 13:59:54 leopard kernel: mfi0: sense error 0, sense_key 0, asc 0, ascq 0
Jul 25 13:59:54 leopard kernel: mfid1: hard error cmd=read 0-255

It was suggested that I should update the firmware on the disks, so this morning I went and updated all the disks, and the PERC 6/E. Voila! No more I/O errors on import.

For reference, here is the link to the firmware download I used. It is a windows executable that allows you to generate a bootable USB key that contains the firmware updater for the disks. I also used the underlying DOS environment to apply the firmware update for the PERC 6/E, and our brand new PERC H800 that came from Dell with ancient firmware.

Tuesday, June 14, 2011

Apple DNS cache, and a bourne revelation [to me]

I learned a couple of interesting things today. The first is that Mac OS X, or at least some applications, cache DNS results. This is irritating, but fortunately there is a way to clear out the cache. Run the following command in a terminal to clear out the cache.

dscacheutil -flushcache

On the FreeBSD side of life, I had a minor revelation related to Bourne (sh) scripting. I have occasionally wondered if it was possible to build the name of a variable dynamically. When I've wondered aloud, the answer I've received has always been that this is not possible. Today, I was reading through /etc/network.subr and I happened upon this bit of code.

if [ -n "${static_routes}" ]; then
    for i in ${static_routes}; do
        eval route_args=\$route_${i}
        route add ${route_args}
    done
fi

Like a beam of light from Heaven, I suddenly realized that this little eval statement is the answer to my hopes. It allows you to build a variable name on the fly!

Friday, April 22, 2011

FreeBSD CARP+BRIDGE+VLAN=BAD

Bridge, good. VLANs, great. CARP, awesome. BRIDGE+VLAN+CARP, pwned. We decided to purchase a pair of atom-based systems for use as the office firewalls. The only thing we weren't completely pleased with was the single Ethernet port. Given that we have been using vlans elsewhere on the network, we didn't expect that there would be any problems using vlans for all interfaces. It turned out to be a big box of pain. In addition to routing problems, we also appear to have aggravated a bug that hangs the system.

VLAN+CARP is a fairly common configuration on firewalls. Our office and DC LANs use the same subnet and are bridged over an OpenVPN tunnel. Trying to incorporate VLAN+CARP into a bridge seems to cause problems. This diagram illustrates our logical network setup.



After a lot of trial and error, a number of conclusions were drawn.

  • Routing over the bridge doesn't work the same when using vlans. The VPN server pushes a route to our production network when clients connect. When the office firewall was using a physical Ethernet interface for the LAN, this route would refer to the LAN interface as the outgoing interface for this connection. This seems counter-intuitive, but it worked just fine. When the Ethernet LAN interface was replaced with a vlan, the tap (VPN) interface was referenced by the route to production. This seemed to be more logical, except that the Production network became unreachable.
  • After some troubleshooting, I figured out that access to the production network could be fixed by adding a static route to the DC firewall (next-hop to production network) pointing out the tap interface. This seemed to allow traffic to flow smoothly to production.
  • Adding CARP into the above configuration caused the firewall to hang randomly. There seemed to be no indication of a crash, no excessive resource use or network traffic.
  • Routing traffic between tagged vlans and the underlying physical interface may be problematic. This was an earlier configuration I tried, and it seemed to have issues. However, at the time I had not identified CARP as the source of the system hangs, so this may be a non-issue.

The routing issue was reported in a PR that can be found here. The routing tables mentioned above can be found here.

Sunday, April 17, 2011

Enabling Audigy SPDIF in Windows 7

Reinstalled Windows 7 the other day and spent an hour figuring out how to enable digital audio output for my SoundBlaster Audigy Platinum. When you open the Sound properties you will see "Speakers" and "SPDIF Out" listed as playback devices. Futz with SPDIF all you want, but you won't get any audio output from digital. I finally opened the properties for "Speakers" and found the magic option under the "Custom" tab. The only option listed is a check box for "Digital Output Only". Click that box, hit apply, and enjoy digital output.

Wednesday, April 6, 2011

Apache startup problems

After spending the better part of a day trying to track this problem down, I figured I'd be nice and share the fix, since google wasn't helpful. I was trying to fix a previously working apache installation and found that I was unable to authenticate using LDAP. With the apache logging set to debug, I received the following messages.

At apache startup:
[Wed Apr 06 08:56:30 2011] [debug] mod_authnz_ldap.c(1010): [2999] auth_ldap url parse: `ldap://ldap.blissfulidiot.com/ou=people,dc=blissfulidiot,dc=com?uid?sub?(clxEnabled=TRUE)', Host: ldap.blissfulidiot.com, Port: 389, DN: ou=people,dc=blissfulidiot,dc=com, attrib: uid, scope: subtree, filter: (clxEnabled=TRUE), connection mode: not using SSL

At authentication attempt:
[Wed Apr 06 08:57:58 2011] [debug] mod_authnz_ldap.c(403): [client 10.0.3.6] [5604] auth_ldap authenticate: using URL ldap://ldap.blissfulidiot.com/ou=people,dc=blissfulidiot,dc=com?uid?sub?(clxEnabled=TRUE)
[Wed Apr 06 08:57:58 2011] [info] [client 10.0.3.6] [5604] auth_ldap authenticate: user tom authentication failed; URI / [LDAP: ldap initialization failed][Unknown (private extension) error]

The solution for me on FreeBSD: rebuild the apr port.

Friday, April 1, 2011

Multiple Ambient Temp sensors in the Dell R610

The Dell R610 servers we have report a status for three different "Ambient Temp" sensors.

tom@R610:~-> sudo ipmitool sdr type "Temperature" | grep -i ambien
Ambient Temp | 07h | ok | 10.1 | 22 degrees C
Ambient Temp | 08h | ok | 10.2 | 20 degrees C
Ambient Temp | 0Eh | ok | 7.1 | 25 degrees C

The three sensors appear to be the redundant PSUs (10.1 & 10.2), and the main chassis sensor (7.1). Doing some checking around, it appears that all our Dell boxes list the "main" ambient temp in category(?) 7.1, but the actual sensor address is not always 0Eh. Category 10.<1|2> seems to always refer to the PSUs on the 610s.