Dec

11

Anno Domini vs. Common Era and the significance of 2012

By cormander

I grew up with the year being annotated with AD (short for Anno Domini), which is Latin for In the year of our Lord. Growing up a Christian, this made perfect sense to me – start the next era of time with the birth of Christ.

Today, however, I’ve started seeing dates annotated with CE (short for Common Era). This strikes me as odd; what’s so “common” about the year Christ was born? If they’re going to change the way we state the year (which is really just political correctness in disguise), why not change the year itself? After all, the movie Titan A.E. reset the year with a new annotation of AE – short for After Earth – since, according to the movie, Earth was destroyed by the Drej in 3028 AD (0 AE).

If I got to choose when we reset the year, I’d do it on December 21st, 2012. Why? Because it’s the end of the Mayan calendar, which is all about time cycles. Why not celebrate this end of an era with resetting the year? Besides, if the doomsday prophecy specific to this date actually comes true and Earth is destroyed on that day… we can just re-use the AE annotation from Titan A.E. and not have to come up with a new one. Assuming, of course, that any of us survive it.

Now I’ll enter the issue of the 2038 computer problem. For those of you not familiar with it – it’s like the Y2K problem, but much worse. On 32-bit machines, time will overflow to a negative number on that day, causing all sorts of time problems. If we reset the year, we can solve this problem by making a new epoch, and having it start at the 0 of the new year count. While we’re at it, make this new epoch an unsigned integer, so we don’t run into this same problem again in 2106 (assuming we still have 32-bit machines at that point).

It would be debatable, though, on whether or not to start this new epoch on Dec 21st, or just wait until the end of the year to reset it. If you ask me, the winter solstice really should be the end of each year, not December 31st. But people are so resistant to change that none of this is ever going to happen anyway.

Nov

12

System clock drift and the use of time in programs

By cormander

Earlier this week I had discovered that my method for determining the runtime of a process in a program I had written about a month ago had quite an innate flaw; I was checking the timestamp of the /proc/PID/cmdline file and using that as the start time. “Surely”, I thought, “this file is only written to once”. After all, a program’s arguments don’t change after it was run, right?

Well, I was wrong. I’m not sure why, but all the timestamps on the files inside /proc get updated at what currently appears to me to be a random event. I imagine I could figure out the cause if I did a little digging, but that would be just futile curiosity at that point; the bottom line is that the timestamp of any file inside /proc/, it seems, is unreliable for telling you much about the runtime of programs.

So I dug through the source code of ps, or more specifically, the procps package. As it turns out, the system keeps track of uptime, and runtime of programs, in terms of what is called “ticks”. The number of ticks per second comes from the defined _SC_CLK_TCK value out of the sysconf function. This way the system knows how long it has been running, and when processes started, regardless of time changes and clock drift. In fact, it’s the micro differences in the clock-tick to time ratio that cause system clock drift in the first place, and why the ntp protocol exists.

It makes total sense, of course, and I’m a little embarrassed to admit that in over 8 years of using and developing on Linux, I never really realized this.

So I learned how to get these values and calculate them into real time values. But it all makes me wonder; when programs use the time() function (and a LOT of programs do this), it returns the current “time”, and opens up a whole maddening class of problems associated with incorrect time calculations, especially if the program runs for any length of time. Just think of it; the ntp daemon wakes up and detects a 2 second time difference, and adjusts the system clock while a program is running. The program thus recorded that a particular operation that should have taken a split second to run, instead took a split second + 2 full seconds to run, when it really didn’t. The metaphorical rug was just pulled out from under it.

So now that program has a tainted data entry. It could cause corrupted results or fire off a false-positive alert of some kind, all because the calculation relied on system time, rather than system ticks.
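The two measurements described in this post, as an added example (not code from the original post or from procps): process runtime computed from the tick-based starttime field of /proc/PID/stat and SC_CLK_TCK, and an elapsed-time measurement that is skewed when the wall clock is stepped by 2 seconds mid-operation. The sample stat line, the clock values and the SteppedHost class are constructed for the illustration.

```python
import os
import time


def starttime_ticks(stat_line):
    """Field 22 of /proc/PID/stat: process start in clock ticks since boot."""
    # Field 2 (comm) is parenthesised, is chosen by the process itself and may
    # contain spaces or ')', so cut after the LAST ')' before splitting.
    rest = stat_line[stat_line.rindex(")") + 1:].split()
    return int(rest[19])  # rest[0] is field 3, so field 22 is rest[19]


def runtime_seconds(stat_line, uptime, ticks_per_second):
    """Runtime from tick counters only; wall-clock changes cannot skew it."""
    return uptime - starttime_ticks(stat_line) / ticks_per_second


def runtime_of_pid(pid):
    """The same calculation against the live /proc of a Linux host."""
    with open(f"/proc/{pid}/stat") as f:
        stat_line = f.read()
    with open("/proc/uptime") as f:
        uptime = float(f.read().split()[0])
    return runtime_seconds(stat_line, uptime, os.sysconf("SC_CLK_TCK"))


def elapsed(clock, operation):
    """Duration of operation() as measured by the given clock function."""
    start = clock()
    operation()
    return clock() - start


class SteppedHost:
    """Constructed stand-in for a host whose wall clock is stepped mid-run."""

    def __init__(self):
        self.mono = 1000.0        # behaves like time.monotonic(): never stepped
        self.wall = 1226500000.0  # behaves like time.time(): follows the clock

    def work_during_ntp_step(self):
        self.mono += 0.25         # the operation really takes 0.25 s
        self.wall += 0.25 + 2.0   # meanwhile the system clock is stepped +2 s


# Constructed sample line: the comm field contains a space and a ')'.
SAMPLE_STAT = "4242 (my prog) x) S " + " ".join(["0"] * 18) + " 360000 0 0"

if __name__ == "__main__":
    print(runtime_seconds(SAMPLE_STAT, 7200.0, 100))  # ticks-based runtime
    host = SteppedHost()
    print(elapsed(lambda: host.wall, host.work_during_ntp_step))  # wall clock
    print(elapsed(time.monotonic, lambda: time.sleep(0.01)))      # real clock
```

For durations inside a long-running program, pass time.monotonic as the clock; time.time is the one that moves when the system clock is adjusted.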

Oct

15

RPM regular expression

By cormander

In case anyone else finds this useful, here is a regular expression to match (and extract) name, release, version, and arch from an RPM name (in perl):

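# "." is allowed in the name as well, so that names such as
# java-1.6.0-openjdk are split on the last two hyphens
if ($rpm =~ /([a-zA-Z0-9_\-\+\.]*)-([a-zA-Z0-9_\.]*)-([a-zA-Z0-9_\.]*)\.(.*)/) {
        my $name = $1;
        my $version = $2;
        my $release = $3;
        my $arch = $4;

        # ...your code here...

}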

Note that you can use this regex for sed as well, but in that case you’ll need to put a \ in front of the parentheses in order for it to work. Also, the default query format for rpm -q doesn’t include the arch on older systems, so if that is the case on your system, simply remove the last part of the regex: \.(.*)

I know, I know, a-zA-Z0-9 can be shortened, but I’m too lazy to be lazy.

Oct

12

Quick ‘n dirty way to wig together an RPM

By cormander

The following is a non-elegant, non-standard, don’t-ever-do-this-unless-you-know-what-you-are-doing way of creating an RPM based off of what you have installed on your system. If I get some time later I’ll create a more “proper” script and update this article with a link to it.

Say you have kernel-xen-2.6.18-92.el5 installed on your system, but don’t have the RPM for it. Say all CentOS mirror servers simultaneously combusted; poof, gone. Say you wanted to roll out the kernel to other nodes, but wanted to do it with RPM. Here is how you’d create a hack-n-slash RPM file with all the files from the RPM:

Create this file: /tmp/filelist

/lib/modules/2.6.18-92.el5
/boot/config-2.6.18-92.el5
/boot/initrd-2.6.18-92.el5.img
/boot/symvers-2.6.18-92.el5.gz
/boot/System.map-2.6.18-92.el5
/boot/vmlinuz-2.6.18-92.el5

The above is a list of files and directories you want to copy into the RPM. With the following script, if you list a directory, do not list any subdirs. I haven’t even bothered testing that yet. I’ll refine that if I ever take another, more in-depth whack at this.

Create this script: mkRPMfromBinaries.sh

(be sure to edit the name/version/release values with what you want your package to be)

#!/bin/bash

# Package identity: edit these to match what you are packaging
name=kernel-xen
version=2.6.18
release=92

# One path per line; if you list a directory, do not list its subdirs
filelist=/tmp/filelist

if [ ! -f "$filelist" ]; then
        echo "Please create a list of files to make the RPM from in: $filelist"
        exit 1
fi

# Generate the spec file. Unescaped variables are expanded now, by this
# script; anything escaped with a backslash is left for rpmbuild to run.
cat << EOF > "/tmp/$name.spec"
Name: $name
Version: $version
Release: $release%{?dist}
Summary: CHANGEME

Group: System Environment/Base
License: CHANGEME
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)

AutoReq: on

%description
CHANGEME

%prep

%build

%install
rm -rf "\$RPM_BUILD_ROOT"

for i in \$(cat "$filelist"); do
        mkdir -p "\$(dirname "\$RPM_BUILD_ROOT/\$i")"
        cp -a "\$i" "\$RPM_BUILD_ROOT/\$i"
done

%clean
rm -rf "\$RPM_BUILD_ROOT"

%files -f $filelist
%defattr(-,root,root,-)

%changelog
EOF

# Build the binary RPM only (no source RPM)
rpmbuild -bb "/tmp/$name.spec"

Make it executable, and run it (as root). Assuming you have the 2.6.18-92.el5 kernel-xen package installed, it’ll create an RPM for you.

Note that the RPM it generates doesn’t have the pre or post scripts, and is nothing more than a container for all the files you specified. It’s a very hackish way to create an RPM. Don’t ever do this. Not ever! I’m serious! And since you’re doing it anyway, don’t come crying to me if you get unintended results.

Have a great day.

Aug

14

A pbx botnet

By cormander

With a lot of companies going to digital phone service now, I think that it’s only a matter of time before someone acquires a botnet of phones by hacking the PBX software/firmware. Once done, the hacker would be able to do denial of service attacks against a company’s telephone customer support. Just imagine having hacked even just a few thousand phones; just having them all dial the 1-800 number, go through the menu to speak to a representative, and sit in the wait queue would cause a lot of trouble for businesses.

It wouldn’t hurt the big companies as much as the smaller ones, but it does scale. What if a hacker had a botnet of 35,000 phone numbers? That would create problems for even companies as big as AT&T, Verizon, DirecTV, etc.

Jul

1

A plain category for my non-technical friends

By cormander

I’ve been getting complaints that my blog posts make no sense. These people like to stay in touch with me and know what I’m up to, but considering these complainers aren’t technical people, the majority of my posts aren’t what they had in mind.

So, any post that I deem “readable” by normal people, I’ll tag with the new “plain” category.

Oops, I must have offended everyone. I just called technical people “not normal” and non-technical people “plain”. That’s not how I meant it, so if it bothers you, get over it.

Oct

16

Proposed Architecture for RavenCore + Xen

By cormander

Here is my proposed architecture for Xen being incorporated into RavenCore:

* Everything is based on a resource, e.g. CPU, memory, disk, IP addresses, etc.
* Resources are “detected” when you add a dom0 (Xen host) to the cluster
* The total number of resources in the cluster is put into the “Administrative Resource Pool”
* The admin user creates clients, and can assign them resources. The total number of client resources cannot exceed the amount in the admin pool (for obvious reasons)
* The clients can then use those resources to allocate as many virtual machines as they like – one big virtual machine using it all, or many small ones using a small portion each.
* A virtual machine, if desired, can be defined as a “shared host” and that client then has administrative rights to the provisioning of domains, email, etc on that virtual host. Basically, they get RavenCore as it is today on that VM
* If you add a server to the cluster that is not a dom0, it can still be defined as a “shared host” and either assigned to a client (who will become the admin of it) or just create clients on it directly.

What I want to stay away from in this design, for now, is hardware dependency. In particular, dependency on storage. To start with anyway, I’m not going to build in logic in the interface for things like a SAN. If you have one – great – you will be able to use it, but disk configuration is manual. Basically, when you install the control panel, you tell it what disk(s) you’d like to put into the admin pool. You have to manually create them (either fs files with dd, or a physical disk itself, or LVM logical volumes) and then point to them from the interface.

Aug

7

A tribute to the other side

By cormander

A few weeks ago I learned of the Linux Hater’s Blog, and I’ve got to say, the author makes a lot of very good points. Now for those of you who are unfamiliar with some of the terminology used there that I’m citing here: “luser” is “Linux User” (L user), and “freetard” is, well, a “retarded user of free software”. I’m not fond of the choice of the word “retard”, but I do see the humour in it and have since gotten over it.

Linux is far from perfect, Open Source is not the saviour of the world, and as much of a “freetard” and “luser” that I am, I actually use Windows XP as my choice for desktop environments in most situations. Right now my laptop is running Fedora 9, but only because I have a very specific need for it; all the other desktops I’ve ever had have had a Windows OS on them 99.9% of the time.

Microsoft is a software giant for a reason – they aren’t all bad – and there are a lot of very innovative people who work there. One of my college professors (an avid luser) used to work at Microsoft, and I’ve never once heard him speak poorly of his experience there.

What sparked me to write this post is a Challenge a luser put up against Linux Haters. GOD! How stupid can you be? The person who writes these rants has _obviously_ kicked everyone’s ass in debate in high school, and unless you’ve done the same, be prepared to get ripped a new one. I mean, it’s like Godzilla on a rampage and you go and throw a rock at it. It’s going to stop, look you in the eye, and then squash you like a bug.

Linux Haters, whoever you are, keep it up. I enjoy reading the imperfections of Linux. After all, it’s the imperfections that I learn from. I’ve spent so much of my career fixing things in GNU/Linux and various software that runs on it that I have a very deep understanding of how operating systems work. Seven years of being a system administrator and programmer certainly has made me witness the good, the bad, and the ugly.

Oh, and if you’re reading this, Linux Hater, this comic strip about Firefox reminded me of what you stand for. I mean, what IS the hell wrong with us freetards? Sometimes I have to wonder if the people at the heart of the Free Software Foundation are Socialists; but I don’t have the energy to write about that tonight. Maybe another day.

Jun

3

Vendor de-branding right down to the binary signature

By cormander

I’m an avid user of CentOS and really like having an enterprise operating system for free. Don’t get me wrong – I’d use the upstream vendor in a heartbeat if I could – but since it’s the service they charge money for, and I don’t need the service, I currently don’t buy their products.

Two things that have always irked me about CentOS, though, are these:

1) 100% binary compatibility
2) there are still traces of “redhat” in the signatures of the binary files

Regarding the first one – it’s more of a “bittersweet” thing than anything. There are several really good reasons why they do it, and I don’t at all contest it; it just makes my life a little more inconvenient when I want to install software that isn’t included. For this there are things like rpmrepo.org which takes most of the pain away, but it nonetheless still irks me ;) I usually end up grabbing a source RPM from the latest Fedora distribution or rawhide and recompiling it on my system. Perhaps I’d like Gentoo Linux because they recompile everything – but then again, I don’t want to recompile EVERYTHING.

Regarding the second one – this has to do with the compiler (gcc) and the package manager (rpm). Compiled into gcc is the version number with “Red Hat” (and the RPM release of the gcc rpm) inside of it; and when it builds binaries it puts that version string inside it. Also, inside the rpm library there are default macros; one of them is %_vendor which is still set to “redhat” on the CentOS systems which gets put inside the RPM file’s signature, and often is passed to ./configure for things that are platform-specific (gcc, glibc, kernel, etc).

If you look at any binary on a CentOS system you’ll see one or both of these trace elements of the upstream vendor.

I decided to see if I could have these removed from the binaries I build, so I downloaded the gcc source RPM and rebuilt it with the version to not contain “Red Hat”. After it was done (it took over 6 hours!) I rebuilt a package and had a look at the binary with a hex editor.

Success! Well, mostly. Of the 18 or so “GCC” version strings embedded in the binary, three of them still said “Red Hat”. I decided to get creative and run strace on the build process and saw it using ld against these files:

/usr/lib/crti.o
/usr/lib/crt1.o

Those contain the “Red Hat” string and are part of the glibc-devel package. I went to rebuild that from the source RPM but got this build error:

/tmp/ccIC829t.s: Assembler messages:
/tmp/ccIC829t.s:58: Error: suffix or operands invalid for `fnstsw'

And this is where I am stuck for the moment. Almost there, but not 100%.

Once I’m done with this I’ll see what the CentOS guys have to say. I doubt the above changes take away from the “100% binary compatibility” but I could be wrong.

May

22

grsecurity gradm policy utils

By cormander

I’ve been poking around for a while now for ideas on how to manage system-wide default policies with the grsecurity RBAC system while still being able to use the learn utility. I came across this:

http://linuxcc.de/grtool/

Its advertised feature is exactly what I’m looking for. I plan on playing around with it probably this weekend. It’s a good place to start for converting the learning-config to a directory.d-like policy structure.

Anyway, I was thinking about going in a direction of a ton of different “default” policies, all turned off by default. A tool I’ll be writing, probably named “grpol”, will use a separate configuration set full of booleans that’ll determine which policies it puts into grsecurity. Kind of like the approach here:

http://wiki.centos.org/TipsAndTricks/SelinuxBooleans

A sample conceptual command:

grpol --enable service_restart_httpd

This would allow the root user to use the “/sbin/service” command to restart the apache service. The --disable switch would remove the policy.

If a change is made to grsecurity policy, it reloads the RBAC system (if running), and running the tool will only work under an admin role (unless RBAC is off).

The idea here is to get more people using the grsecurity RBAC system, because it’ll then be shipped with working default policies that are easily configurable, which is probably one of the reasons why SELinux is gaining momentum.