Matthew Sporleder's website

NetBSD hackathon results

noreply@blogger.com (matthew sporleder) — Fri, 26 Feb 2010 01:38:00 +0000

Hackathon 13 Results

Update! I'm editing the text of this post because it makes me sound a lot more important than I was. :)

I managed to participate a little bit in the hackathon, replied to a few PR's trying to get some feedback/closure, so I'm pleased.

Thanks to HUGE efforts by hardcore developers, GNATs shows a really great result!

GNATS Bug Database Summary
State Count (before) Count (after)
open 4418 4322
analyzed 155 155
feedback 200 225
suspended 61 60
dead 6 11
closed 35081 35180
TOTAL 39921

NetBSD hackathon now!

noreply@blogger.com (matthew sporleder) — Fri, 19 Feb 2010 23:25:00 +0000

Quick!! Point your irc client at freenode (freenode irc servers) and join #netbsd-code for a weekend of interesting stuff.

IRC Link

One more NetBSD security advisory

noreply@blogger.com (matthew sporleder) — Thu, 04 Feb 2010 01:49:00 +0000

azalia(4)/hdaudio(4) negative mixer index panic

Don't turn your volume to -1!

NetBSD - hackathon + two security advisories

noreply@blogger.com (matthew sporleder) — Tue, 02 Feb 2010 20:52:00 +0000

The 13th Hackathon February 19-22 2010,
come and join us on IRC channel #netbsd-code at FreeNode (irc.freenode.net).

OpenSSL TLS renegotiation man in the middle vulnerability <-- everyone

File system module autoloading Denial of Service attack <-- current-only

NetBSD network tuning thread

noreply@blogger.com (matthew sporleder) — Wed, 27 Jan 2010 14:46:00 +0000

The recent thread Why is my gigabit ethernet so slow? shows application of old recommendations found here. (NetBSD 2-era; also includes tips for freebsd, linux, and windows!)

This thread also shows NMBCLUSTERS cropping up again as the first part of solving a performance problem. I wonder why it isn't dynamicially tunable. It looks like freebsd can pass it on the boot options, at least.

NetBSD - still fun

noreply@blogger.com (matthew sporleder) — Sat, 23 Jan 2010 03:07:00 +0000

the register says that 75% of linux coders get paid to work on linux. This reminds me of a study I wanted to see a few years ago of how much of linux was corporate sponsored development and, truly, not very much fun anymore.

Now, I only know of one NetBSD developer who definitely got paid to work, and I helped pay for it by donating! So remember when you're using NetBSD that it truly happened (and continues to do so) by miracles, charity, and general insanity which I find more appealing than cubicles. I'm in one of those all day anyway. :)

NetBSD postfix to gmail relay

noreply@blogger.com (matthew sporleder) — Tue, 19 Jan 2010 04:06:00 +0000

Over the weekend I decided to configure my NetBSD system to stop sending emails to the local mbox (where I never read them) and start sending emails correctly to the internet. I also wanted to do so using my gmail account. Most of my info came from here but it's a little verbose for my tastes. Basically I had to do the following:

/etc/mk.conf


PKG_OPTIONS.postfix+= sasl
ACCEPTABLE_LICENSES+= postfix-license

build and install pkgsrc/mail/postfix

install (I used a binary) pkgsrc/security/cyrus-sasl

install (I used a binary) pkgsrc/security/cy2-plain-2.1.23

cp /usr/pkg/share/examples/rc.d/postfix /etc/rc.d/

modify /usr/pkg/etc/postfix/main.cf


relayhost = [smtp.gmail.com]:587

#use ssl/tls
smtp_use_tls = yes
smtp_tls_policy_maps = hash:/usr/pkg/etc/postfix/tls_policy

#Now add a username and password
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/usr/pkg/etc/postfix/sasl_passwd
smtp_sasl_security_options=

add /usr/pkg/etc/postfix/tls_policy


smtp.gmail.com         MUST

add /usr/pkg/etc/postfix/sasl_passwd


[smtp.gmail.com]:587              username@gmail.com:password

/usr/pkg/sbin/postmap /usr/pkg/etc/postfix/tls_policy

/usr/pkg/sbin/postmap /usr/pkg/etc/postfix/sasl_passwd

/etc/rc.d/postfix start

Now test with mailx someone@something.com and watch the maillog. I do get a warning about not liking the thawt cert, so I may figure out how to import it, but other tutorials all talked about needing your own CA and other insanity. I would hope the MUST in tls_policy insured that I was using SSL. I'll tcpdump and see sometime, but for now this seems to be all that's needed.

(Can we get SASL in base? I know LDAP, kerberos, and NFSv4 would appreciate it)

UPDATE!
To fix the ssl cert warning, add the following package:
mozilla-rootcerts
then
cd /etc/openssl/certs
mozilla-rootcerts extract
mozilla-rootcerts rehash

And add the following to your main.cf:
smtp_tls_CApath = /etc/openssl/certs

NetBSD on wikipedia

noreply@blogger.com (matthew sporleder) — Fri, 15 Jan 2010 23:24:00 +0000

Call for improvement of NetBSD on wikipedia. If you have some free time feel free to improve the NetBSD articles on wikipedia. I've added the NetBSD template and some stubs that could use some example usage screenshots (netpgp for sure).

Improve everything linked here!

NetBSD, MAC, etc

noreply@blogger.com (matthew sporleder) — Thu, 31 Dec 2009 16:42:00 +0000

recently, Elad Efrat has been sending in a lot of patches to move closer to full integration with veriexec, secmodel, and apparently MAC as a whole.

I expect to see a lot of increased interest in kauth, secmodel, veriexec, and friends as some of these integrations efforts continue to work their way through the entire system. -current should be interesting for a while, at least. :)

cygwin update

noreply@blogger.com (matthew sporleder) — Thu, 24 Dec 2009 13:02:00 +0000

Cygwin, a system I've been using for years at work to make my windows PC more usable, has been updated.

It claims to support files with :'s in the name, but I'll have to see. This is a nice feature when someone checks in a bunch of CPAN docs from a unix machine into your svn repo.

mod_geoip2 added to pkgsrc

noreply@blogger.com (matthew sporleder) — Mon, 14 Dec 2009 01:46:00 +0000

I've added mod_geoip2 to pkgsrc-wip so if you want to do some geographic-based redirection with apache, give it a try!

This was a funny package because it didn't have a Makefile. I probably need to add a message about configuring apache, downloading the actual geoip database, etc. I think it's a good start, though.

Xen 4 and NetBSD

noreply@blogger.com (matthew sporleder) — Wed, 09 Dec 2009 22:57:00 +0000

Some NetBSD patches have been approved upstream by Xen. This is a good thing for Xen 4 on NetBSD. :)
Xen 4.0 on NetBSD

NetBSD terminfo and curses improved

noreply@blogger.com (matthew sporleder) — Tue, 08 Dec 2009 15:46:00 +0000

Roy Marples has recently completed his work to make the NetBSD curses implementation more useful and compatible. So if you're a fan of NetBSD's games, vi, etc, check it out.

iChat with NetGear SPI (stateful packet inspection) is problematic

noreply@blogger.com (matthew sporleder) — Sat, 05 Dec 2009 12:15:00 +0000

So for a while now I've noticed that when Girl X is online from home I am unable to hit my website or ssh to my house. I thought this was related to my office's firewall but last night noticed that it was happening locally to.

The problem seems to be that netgear's SPI is triggered when iChat (not adium) signs into AIM and it decides to SHUT DOWN ALL INCOMING TRAFFIC! So if this website had extended outages during the day, that could have been a potential reason. Anyway, netgear's SPI sucks and I should put my soekris back in the firewall hotseat.

BSDCan 2010 announced - represent NetBSD

noreply@blogger.com (matthew sporleder) — Sat, 05 Dec 2009 01:30:00 +0000

FYI- BSDCan 2010

If you're going to be in Canada, go to BSDCan. I went to NYCBSDCon and had a pretty good time meeting all kinds of people I see on mailing lists, irc, etc. (Hello, Christos, jlam, and Brian S.), listening to talks about various things, and having something to do when I go somewhere and travel.

Also if you're doing something interesting, give a talk! NetBSD does tons of amazing work that no one knows about. :)

NetBSD and NFS v4

noreply@blogger.com (matthew sporleder) — Sat, 21 Nov 2009 16:32:00 +0000

One area in the larger BSD world where I am disappointed is the lack of NFSv4 support. Redhat has had it for a while, solaris (of course) has it, etc. Anyway, I found this link: My BSD/Mac OS X NFS Version 4 and I was wondering what makes nfsv4 support so difficult? I know that 100% compliance is probably quite a hurdle as it promises many things (full acl support, kerberos, sctp, world peace) but partial support would be a huge win.

I know a lot of people "don't like nfs" for whatever weird reasons, but it's impact on the enterprise is massive and it's still really the best and most portable way to share storage. In my experience it's also much more stable and safe than SAN with clustered filesystems.

programming jrobin on the command line

noreply@blogger.com (matthew sporleder) — Sat, 14 Nov 2009 20:53:00 +0000

So at work we recently upgraded our OpenNMS system and noticed that it switched from normal RRDtool (which is awesome software) to the pure java alternative jrobin. This makes sense because opennms is java software and it's generally easier to keep things in the family. They even took over the development of jrobin! However, we run a few custom reports requiring custom graphs.

So, now we're working with traditional rrdtool files and jrobin files, which are not compatible. For one-time generation, you can convert between the two (at least, jrobin claims to do that) but for on-the-fly use it's handy to have a command-line interface to produce these graphs.

Okay, jrobin comes with a class called the RrdCommander, which is supposed to offer an rrdtool-compatible interface to jrobin files. RrdCommander's info, create, etc all seem to work as advertised, except of course the GRAPH function!!! Now, I'm not expert java programmer, but the NullPointerExceptions in org.jrobin.cmd.RrdGraphCmd are so prevalent that trying to create a patch is pointless. The only sane advice is "try again".

Now that our five-line java program is out of the question we must try the next interface- the XML Template. Luckily, I have found that this basically works, but it has some quirks. The method to tell you if it's reading your template variables (hasVariables()) simply does not work. Using a '-' for the filename creates an "in memory graph", but then doesn't leave you a way to get at the graph data and, say, dump it to stdout like using - would imply. (luckily, I figured out how to implement this myself despite being told it was impossible in freenode's ##java) The second quirk is that it uses your height and width for the actual graph, but then pads on the legends, leaving you with a somewhat random image size. Anyway, I now mostly have what I need so I hope to move forward with my life.

NetBSD defaulting to more security, then the normal amount, then back again!

noreply@blogger.com (matthew sporleder) — Sat, 14 Nov 2009 13:12:00 +0000

HEADS-UP: Stack Smash Protection enabled by default for amd64 and i386

Later on in the thread, however, it's revoked because of performance concerns.

UPDATE! Re-enabled!

NetBSD over git- call for collaboration

noreply@blogger.com (matthew sporleder) — Tue, 10 Nov 2009 02:05:00 +0000

my git testing shows that the git server needs to be fast!

If anyone would like to retry what I did, please read the above-mentioned email and look at the commands after you checkout netbsd's src from git:
git clone http://ftp.netbsd.org/pub/NetBSD/misc/repositories/git/src

The NetBSD src tree is roughly four-times larger than the linux kernel and dragonflybsd, so it's definitely one of the larger projects to take on git. Let us know your findings.

greed in apache rewrite rules

noreply@blogger.com (matthew sporleder) — Sat, 31 Oct 2009 19:44:00 +0000

In modern apache, mod_rewrite uses PCRE instead of your system's regexp. One thing to watch out for in rules is greediness. Basically, each matching rule will attempt to match the maximum amount allowable to satisfy a rule. This, however, is rarely what you want when using statements like (.*) in the middle of a RewriteRule. (although it's usually exactly what you want at the end of a rule).

Here's a basic demonstration (watch how $1 takes the largest possible string):
#Rewriting with two greedy capture anything statements split by a '/'
RewriteRule ^/test/(.*)/(.*)$ /foo?one=$1&two=$2 [R,L]

Results:

request
> GET /test/foo/bar/moo HTTP/1.1

response
< HTTP/1.x 302 Found
< Location: http://mspo.com/foo?one=foo/bar&two=moo

Now switch to non-greedy mode:
#Rewriting with one non-greedy capture anything followed by a greedy (see how $1 takes the smallest possible string)
RewriteRule ^/test/(.*?)/(.*)$ /foo?one=$1&two=$2 [R,L]

Results:

request
> GET /test/foo/bar/moo HTTP/1.1

response
< HTTP/1.x 302 Found
< Location: http://reallygothic.com/foo?one=foo&two=bar/moo

When using aggressive captures (.+) or (.*) in the middle of your rule, think carefully about using the ? to modify greed characteristics to make sure you get exactly what you want.

For extra testing confusion, a test with just two parameters (GET /test/foo/bar HTTP/1.1) would have shown these two rules to be exactly the same.

pkgsrc openjdk7 gets better java font support

noreply@blogger.com (matthew sporleder) — Wed, 21 Oct 2009 13:59:00 +0000

Fonts in java have always been a challenge for everyone involved as java is supposed to provide a portable environment for programs to run- including GUI!

Java in netbsd has always been even more of a challenge, but now its font support is getting improved: font support in openjdk7 from pkgsrc

NetBSD gets usb device access from userland

noreply@blogger.com (matthew sporleder) — Sat, 17 Oct 2009 12:43:00 +0000

USB device support in userland: kernel usb device driver support in rump

This already works for usb storage devices, so let's try to get some sound cards, network devices, and input devices moved into userspace.

monitoring systems and the sysadmin intranet

noreply@blogger.com (matthew sporleder) — Wed, 09 Sep 2009 11:40:00 +0000

Recently at work I got myself involved in revamping our monitoring system. This got me thinking about all of of the things a monitoring system should do for you and the needs of systems people for internal tools. Basically, for each type of system you want to monitor (os, jvm, webserver, etc) certain aspects should be defined on both the front-end and back-end of the app.

Reporting

entity	Collection	Storage	Thresholding	Alerting	Display	Trending
OS	SNMP	RRD	disk too full? CPU too high?	snmp traps, email	RRD for cpu, disk, net	Monthly rollup/curve extrapolation
Apache httpd	curl/mod_status	RRD,csv	values out of whack?	snmp traps, email	apache-specific template	Monthly rollup
JVM	JMX	RRD	GC too long? Old Gen too full	snmp traps, email	increase heap?

And that doesn't even start to get into the front-end needs for OLAP-style reporting needed for all of this stuff, a wiki to document everything, an admin interface to define new templates and collections, etc etc etc.

Another important aspect is a decent live console for 24/7 operations to watch for all of those Alerting things.

some gcc flags

noreply@blogger.com (matthew sporleder) — Tue, 08 Sep 2009 15:55:00 +0000

This is how I compiled openldap once. It allowed me to have all the dependencies available when I tar-ed up the openldap dir and distributed it around.

export LDFLAGS="-L/usr/lib/lwp/64 -L/lib/64 -L/usr/lib/64
-L/usr/sfw/lib/sparcv9 -Wl,-R/usr/lib/lwp/64 -Wl,-R/lib/64
-Wl,-R/usr/lib/64 -Wl,-R/usr/sfw/lib/sparcv9
-L/usr/local/openldap64-ol2.3.23-bdb4.2.52/lib
-Wl,-R/usr/local/openldap64-ol2.3.23-bdb4.2.52/lib -m64"

export CPPFLAGS="-I/usr/local/openldap64-ol2.3.23-bdb4.2.52/include"

export CFLAGS="-m64 -O2"

NetBSD developer David Maxwell to defend the BSD license

noreply@blogger.com (matthew sporleder) — Sat, 29 Aug 2009 00:57:00 +0000

NetBSD developer David Maxwell to defend the BSD license