[45958 views]

[]

[toggle ads]

Odi's astoundingly incomplete notes

New Entries

How not to design an API

Reading up on how to remotely connect to a JMX port, I wonder how one can possibly design such a horrible API. According to that document you need to create an URI string and pass that to the API. The URI string looks like this:
service:jmx:rmi:///jndi/rmi://hostName:portNum/jmxrmi
Utterly unintuitive, error prone and unreadable. And why assemble an URI string, pass it through an underpowered API and then parse that apart in the implementation again? Like somebody deliberately wanted to piss people off.

It could have been as simple as this:
JMXConnectorFactory.connect(host, port);
Because that's all people normally do! Yes, there may be one person in the Universe that wants to exchange the RMI transport with something else. But the API makes everybody pay with that:
MXServiceURL u = new JMXServiceURL(
  "service:jmx:rmi:///jndi/rmi://" + hostName + ":" + portNum +  "/jmxrmi");
  JMXConnector c = JMXConnectorFactory.connect(u);

posted on 2014-07-14 09:59 CEST in Code | 0 comments | permalink

Preventing systemd on Gentoo

With the latest upower upgrade portage may pull in systemd. If you are like me and think that systemd has grown beyond what it should do and you don't want it, do this:

/etc/portage/package.mask:
sys-apps/systemd
Then replace upower with the compatibility layer:
emerge -C sys-power/upower
emerge -1 sys-power/upower-pm-utils

posted on 2014-06-03 13:25 CEST in Code | 1 comments | permalink
Thank you! I really don't like systemd and the attitude of its developers. It just seems horrible all around, so thanks for helping me not install it on Gentoo!

bnx2 firmware and PXE bootable kernel

I am building a Linux kernel that is booted via the network with PXE. The machine that runs it has a Broadcom network card that uses the bnx2 driver. That card needs firmware to function, which is normally loaded into the card by udev.

As the kernel boots it obtains an IP via DHCP and mounts its root file system over NFS. For that it needs a working network card and hence the firmware. Of course the firmware can not be on NFS and there is no udev to load it yet. Hence the kernel must load it. If you don't want an initramfs (because it's a PITA to build), you need to build the firmware into the kernel.

The kernel has config options to build firmware blobs into the kernel. They are found under:
 Device Drivers
   Generic Driver Options
     [*] Include in-kernel firmware blobs in kernel binary
     () External firmware blobs to build into the kernel binary
     (/lib/firmware) Firmware blobs root directory
and they map to the .config variables FIRMWARE_IN_KERNEL, EXTRA_FIRMWARE and EXTRA_FIRMWARE_DIR.

EXTRA_FIRMWARE is a space separated list of file names of the firmeware blobs.
EXTRA_FIRMWARE_DIR is a slash terminated directory where those files are.

Now you first need to know which versions of these files are requested by the driver:
# cd drivers/net/ethernet/broadcom/
# grep \\.fw bnx2.c
#define FW_MIPS_FILE_06         "bnx2/bnx2-mips-06-6.2.3.fw"
#define FW_RV2P_FILE_06         "bnx2/bnx2-rv2p-06-6.0.15.fw"
#define FW_MIPS_FILE_09         "bnx2/bnx2-mips-09-6.2.1b.fw"
#define FW_RV2P_FILE_09_Ax      "bnx2/bnx2-rv2p-09ax-6.0.17.fw"
#define FW_RV2P_FILE_09         "bnx2/bnx2-rv2p-09-6.0.17.fw"
So you should list exactly these names in EXTRA_FIRMWARE. To make it extra difficult the kernel itself doesn't even contain these versions:
# ls firmware/bnx2
bnx2-mips-06-6.2.1.fw.ihex   bnx2-rv2p-06-6.0.15.fw.ihex  bnx2-rv2p-09ax-6.0.17.fw.ihex
bnx2-mips-09-6.2.1a.fw.ihex  bnx2-rv2p-09-6.0.17.fw.ihex
But fortunately the firmware is distributed separately and should already be in /lib/firmware. On Gentoo these files are installed by the ebuild sys-kernel/linux-firmware.
# ls /lib/firmware/bnx2
bnx2-mips-06-4.6.16.fw     bnx2-mips-09-5.0.0.j3.fw  bnx2-rv2p-06-6.0.15.fw
bnx2-mips-06-5.0.0.j3.fw   bnx2-mips-09-5.0.0.j9.fw  bnx2-rv2p-09-4.6.15.fw
bnx2-mips-06-5.0.0.j6.fw   bnx2-mips-09-6.0.17.fw    bnx2-rv2p-09-5.0.0.j10.fw
bnx2-mips-06-6.0.15.fw     bnx2-mips-09-6.2.1a.fw    bnx2-rv2p-09-5.0.0.j3.fw
bnx2-mips-06-6.2.1.fw      bnx2-mips-09-6.2.1b.fw    bnx2-rv2p-09-6.0.17.fw
bnx2-mips-06-6.2.3.fw      bnx2-mips-09-6.2.1.fw     bnx2-rv2p-09ax-5.0.0.j10.fw
bnx2-mips-09-4.6.17.fw     bnx2-rv2p-06-4.6.16.fw    bnx2-rv2p-09ax-5.0.0.j3.fw
bnx2-mips-09-5.0.0.j15.fw  bnx2-rv2p-06-5.0.0.j3.fw  bnx2-rv2p-09ax-6.0.17.fw
So you must set EXTRA_FIRMWARE_DIR = /lib/firmware/.

With these options correctly set, such a kernel boots perfectly over PXE.


posted on 2014-05-02 16:56 CEST in Code | 1 comments | permalink
merci Odi

Eclipse crashes in KDE

If your Eclipse (Kepler) crashes a lot in KDE it may be due to a bug in the Oxygen GTK theme. Simple solution: set a different theme.

In Gentoo first install more themes with
emerge -av gtk-engines

Then go to KDE's System Settings an chose the Application Appearance App. In the GTK Tab, select the Clearlooks GTK2 theme (and the Default GTK3 theme). I also recommend the font setting Sans Serif 10.

posted on 2014-04-21 11:14 CEST in Code | 0 comments | permalink

My favourite .kshrc

/bin/bash

posted on 2014-03-18 14:38 CET in Code | 0 comments | permalink

Apache hickup after glibc update

Gentoo recently updated glibc. After that I saw this in Apache's error_log:
/usr/sbin/apache2: relocation error: /lib64/libresolv.so.2: symbol __sendmmsg, version GLIBC_PRIVATE not defined in file libc.so.6 with link time reference


Re-emerge apache to fix it.

posted on 2014-01-30 18:36 CET in Code | 0 comments | permalink

Drag and drop files into KDE's konsole

I just discovered an extremely handy feature of konsole, KDE's primary terminal emulator. cd to a path in konsole and drag'n'drop a file from Dolphin file manager directly into the terminal, and the file will be copied into the current working directory.

posted on 2014-01-22 09:39 CET in Code | 1 comments | permalink
Cool , works from Konqueror too. :-)

Google still doesn't care about crypto

It still uses weak crypto during SMTP transfers:
Received: from mail-qc0-x244.google.com (mail-qc0-x244.google.com [IPv6:2607:f8b0:400d:c01::244])
	(using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits))
Those algorithms were deprecated years ago for a reason.

posted on 2014-01-21 11:24 CET in Code | 0 comments | permalink

Getting rid of python-3.2 in Gentoo

Gentoo currently has support for Python 2.6, 2.7, 3.2 and 3.3. You only need one of each 2.x and 3.x branch (some ebuild support 2.x only).

So if you currently have:
$ equery l python
 * Searching for python ...
[IP-] [  ] dev-lang/python-2.7.5-r3:2.7
[IP-] [  ] dev-lang/python-3.2.5-r3:3.2
[IP-] [  ] dev-lang/python-3.3.2-r2:3.3
Select 3.3 only:
$ eselect python list --python3
Available Python 3 interpreters:
  [1]   python3.2 *
  [2]   python3.3
$ eselect python set --python3 2
$ eselect python list --python3
Available Python 3 interpreters:
  [1]   python3.2
  [2]   python3.3 *
Rebuild python packages:
$ python-updater

Check what still depends on the unneeded 3.2 slot:
$ qdepends -Q python:3.2
dev-python/pyparsing-2.0.1
dev-python/dbus-python-1.2.0
x11-proto/xcb-proto-1.8-r3
Re-emerge these to eliminate the dependency:
$ emerge -1av pyparsing dbus-python xcb-proto

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R    ] dev-python/pyparsing-2.0.1  USE="-doc -examples" PYTHON_TARGETS="python2_7 python3_3* (-pypy2_0) -python2_6 -python3_2*" 0 kB
[ebuild   R    ] x11-proto/xcb-proto-1.8-r3  ABI_X86="(64) (-32) (-x32)" PYTHON_TARGETS="python2_7 python3_3* -python2_6 -python3_2*" 0 kB
[ebuild   R    ] dev-python/dbus-python-1.2.0  USE="-doc -examples {-test}" PYTHON_TARGETS="python2_7 python3_3* -python2_6 -python3_2*" 0 kB
Mask python 3.2 in /etc/portage/package.mask:
dev-lang/python:3.2
Now python:3.2 should no longer be required and get removed with
$ emerge --depclean
If it is not offered for removal, remove it manually and then check which packages still pull it in and rebuild those. Repeat the world update and rebuilding the offending python packages until it works:
$ emerge -C python:3.2
$ emerge -uavD world

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild  NS   #] dev-lang/python-3.2.5-r3:3.2 [2.7.5-r3:2.7, 3.3.2-r2:3.3] USE="ipv6 ncurses readline sqlite ssl threads (wide-unicode) xml -build -doc -examples -gdbm -hardened -tk -wininst" 0 kB

Total: 1 package (1 in new slot), Size of downloads: 0 kB

The following mask changes are necessary to proceed:
 (see "package.unmask" in the portage(5) man page for more details)
# required by dev-python/pycurl-7.19.0-r3[python_targets_python3_2]
# required by app-admin/system-config-printer-common-1.4.3
# required by app-admin/system-config-printer-gnome-1.4.3
# required by kde-base/print-manager-4.11.2
# required by kde-base/kdeutils-meta-4.11.2[cups]
# required by kde-base/kde-meta-4.11.2-r1
# required by @selected
# required by @world (argument)
# /etc/portage/package.mask:
=dev-lang/python-3.2.5-r3
$ emerge -1 pycurl

posted on 2014-01-15 10:15 CET in Code | 0 comments | permalink

Configure forward secrecy

Chosing you SSL cipher suites is one thing. But configuring various services is  another.

Please note that the following algorithms are considered completely broken nowadays: RC4, MD5, 3DES.

OpenLDAP: /etc/slapd.conf:
TLSCipherSuite EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
Apache httpd:
SSLCipherSuite EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
Courier-Imap: /etc/courier-imap/imapd-ssl
TLS_CIPHER_LIST="EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA"
OpenSSH server: /etc/ssh/sshd_config
Protocol 2
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
MACs umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
OpenSSH client: /etc/ssh/ssh_config:
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
MACs umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
Postfix: important only for mandatory TLS, as there is no end-to-end encryption in SMTP anyway. Email to/from your local system may go through many hops that are not under your control.
/etc/postfix/main.cf:
smtpd_tls_eecdh_grade=ultra
smtpd_tls_mandatory_ciphers=high
tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
Openswan:
For protostack=netkey make sure to enable all relevant crypto algorithms in your kernel, for all crypto is done by the kernel and Openswan can only configure what's supported.
To get a list of supported algorithms: ipsec auto --status | less
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=1, name=OAKLEY_DES_CBC, blocksize=8, keydeflen=64
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=1, name=OAKLEY_GROUP_MODP768, bits=768
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048

The algorithms are configured like so (Openswan documentation is very incomplete!):
        # PHASE 1
        # negothiation mode
        aggrmode=no
        ike=aes-sha2_256;modp2048
        # PHASE 2
        type=tunnel
        phase2=esp
        phase2alg=aes_gcm_c-256-sha2_256;modp2048
        salifetime=8h
        pfs=yes
        auto=ignore
The lenth of the PSKs in /etc/ipsec.secrets is very relevant. The minimum safe size depends on IKE hash, but you can always choose longer keys of course:
posted on 2013-11-25 12:25 CET in Code | 0 comments | permalink