Archive for the ‘Fedora’ Category

ZNC awayping plugin (now with improved “antiping”)

Monday, June 22nd, 2009

Code: http://jonmasters.org/pub/util/awayping/awayping.txt

Do you constantly get harassed on IRC with “ping?” (insert no context whatsoever here)? Of course you do. And then you come back later to a bunch of “ping”s and no idea what the person wanted.

For those who just bought a computer ten minutes ago (I know there are still a few people out there), here’s an example of fail:

<someone> jonmasters: ping

That is utterly useless. It results in a ping/pong/ping cycle that can go on at some length, and then probably an accompanying email cycle, and maybe worse. Multiply that by a half dozen-dozen different pings and you’ve wasted a fair chunk of time just to find out what someone wants – and have no ability to prioritize, or even to know whether the issue is still an issue when you read a ping a few minutes later. Here’s an example of non-fail:

<someone> jonmasters: some useful contextual message here?

I know many of you gave up even listening to these contextless “ping” messages years ago (because we’ve spoken about it at some length), or you don’t bother to leave anything connected to IRC if you’re not in front of it, or you just don’t care (hoping that people will learn how to use a computer and try again). But in case you still do care, I would like to share a plugin I wrote for ZNC called “awayping”. Away ping texts (a single line), emails you (full IRC transcripts), and tweets you (by private message) when you are detached or after a configurable idle period. It’s better than simply “autoaway”.

Awayping is getting slightly more clever over time, and the new “antiping” feature enhances awayping by also politely educating those who “ping” you (by private message) that leaving a message is infinitely more helpful later than simply 5 “ping”s on the screen. It might also encourage a few people to consider that they could send you email instead.

Here’s an example “antiping” reply:

<jonmasters> *********************************************************
<jonmasters> *** This user is marked as busy. A text message just  ***
<jonmasters> *** got sent with your 'ping'. But 'ping' alone isn't ***
<jonmasters> *** useful in a text/log message. Can you let me know ***
<jonmasters> *** what your ping was about? Your reply will be sent ***
<jonmasters> *** along so I can respond appropriately upon return. ***
<jonmasters> *********************************************************

With “awayping”, you can get email or text alerts of pending “ping” messages, and encourage people to use the internet responsibly, so you don’t have to constantly check IRC and can do something more useful instead. Because, let’s face it, they’re just going to email you anyway.
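To make the behaviour described above concrete, here is a small model of the away/antiping decision logic. This is an added illustration, not the awayping module itself (which is a ZNC plugin; see the link at the top of the post). It assumes a simplified event model: one private message at a time, an explicit detached flag, an idle threshold in seconds, and hypothetical names (AwayPing, handle_privmsg, Alert, is_contextless_ping). The antiping text is a shortened paraphrase of the reply shown above.

```python
"""Toy model of ZNC 'awayping'/'antiping' decision logic (added example)."""
from dataclasses import dataclass, field
import re

# Shortened paraphrase of the antiping reply quoted in the post.
ANTIPING_TEXT = (
    "This user is marked as busy. Your 'ping' was forwarded, but 'ping' "
    "alone is not useful in a log. What is it about? Your reply will be "
    "sent along too."
)

# A "contextless" ping: optional nick prefix, then 'ping' and at most
# punctuation. "jonmasters: ping" and "ping?" match; "ping re: bug 42" does not.
_PING_RE = re.compile(r"^(?:\S+[:,]\s*)?ping[\s?!.]*$", re.IGNORECASE)


def is_contextless_ping(msg: str) -> bool:
    return bool(_PING_RE.match(msg.strip()))


@dataclass
class Alert:
    """One out-of-band notification (the 'text message' / email / DM)."""
    sender: str
    text: str


@dataclass
class AwayPing:
    idle_threshold: int = 600        # seconds of inactivity before we count as away
    antiping_window: int = 3600      # seconds between antiping replies per sender
    detached: bool = False           # True when no client is attached to the bouncer
    last_activity: int = 0           # epoch seconds of our own last activity
    _last_antiping: dict = field(default_factory=dict)

    def is_away(self, now: int) -> bool:
        return self.detached or (now - self.last_activity) >= self.idle_threshold

    def handle_privmsg(self, sender: str, msg: str, now: int):
        """Return (alert, reply).

        alert  -> Alert to deliver out-of-band, or None if we are present.
        reply  -> antiping text to send back over IRC, or None.
        """
        if not self.is_away(now):
            return None, None                  # we are here; nothing to do
        alert = Alert(sender, msg[:160])       # keep the 'text message' to one line
        reply = None
        if is_contextless_ping(msg):
            last = self._last_antiping.get(sender)
            # Rate-limit: one lecture per sender per window, so an impatient
            # human (or another bot) cannot drive a reply loop.
            if last is None or now - last >= self.antiping_window:
                self._last_antiping[sender] = now
                reply = ANTIPING_TEXT
        return alert, reply


if __name__ == "__main__":
    ap = AwayPing(detached=True)
    print(ap.handle_privmsg("someone", "jonmasters: ping", now=1000))
    print(ap.handle_privmsg("someone", "jonmasters: ping", now=1010))
```

The per-sender rate limit is the part worth copying into any auto-responder: without it, two bouncers running the same module would answer each other's antiping replies indefinitely.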

Jon.

Announcing kernelpodcast.org

Tuesday, June 16th, 2009

I recently registered and set up kernelpodcast.org, where you can find links to the RSS feeds (podcast, and the transcripts), comment, and a lot more besides.

Jon.

Linux Kernel Podcast

Monday, May 4th, 2009

So I’ll freely admit, I’m obsessed with Podcasts. I love listening to news – the New York Times Front Page, Wall St. Journal Today, NPR News, APM’s Marketplace, On Point, etc. I particularly like those Podcasts that provide a quick summary of what’s going on, since we don’t all have time to be subject experts on everything in life.

I recently pondered whether it would be useful to have a similar podcast for the Linux Kernel Mailing List. I was actually pretty surprised at the lack of existing podcasts (other than the excellent one from TimeSys), especially considering folks are often travelling and away from email – and then there are many people who are interested but don’t have a reason to follow the list so closely. Since I do already read the list, I decided it wouldn’t be much additional effort to make a quick recording based on what I had read that day. Look upon this as an experiment to gauge interest – and to see if there are enough volunteers to help make this a regular thing.

Today’s episode took 15 minutes to prepare and record, and 1 hour to get staged and set up with the right XML, etc. That’s hopefully 15-20 minutes per day on an ongoing basis, which isn’t much, and might help someone. I would especially like it if there were enough people who were interested in helping out that we could farm this out between a few of us on a weekly basis – but that’s predicated on this being useful. I’ll watch the logs, listen for feedback, and this will last as long as it provides something useful to the wider community.

Linux Kernel Podcast

Remote fencing with the IP Power 9258

Friday, May 1st, 2009

Photo: IP Power 9258

A little while ago, I picked up one of these units on eBay for around $125USD. I needed something that was slightly cheaper than the regular range of higher-end APC Masterswitch and had heard that this was an embedded Linux device. It is (though that doesn’t excuse the horrific web UI). This afternoon, I set up a new Real Time kernel test box and decided to get the fencing done right this time around – so I wrote a simple script. It allows one to do a few simple things: power on, power off, and report status:

[jcm@perihelion ~]$ ippower
Usage: ippower <status> | <target> <command>

TARGETS: perihelion apohelion power5 light
COMMANDS: on off status

[jcm@perihelion ~]$ ippower status
perihelion: on
apohelion: off
power5: off
light: off
[jcm@perihelion ~]$ ippower apohelion on
on
[jcm@perihelion ~]$ ippower apohelion on
unchanged
[jcm@perihelion ~]$ ippower apohelion off
off
[jcm@perihelion ~]$ ippower status
perihelion: on
apohelion: off
power5: off
light: off

You can download my ippower fencing script if you would like to use it with a similar device.
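The session above shows the interface of the script; as an added example (not the ippower script from the post, which you can download from the link), here is a small Python model of the same name-to-outlet wrapper. The IP Power 9258's HTTP command format is not given on this page, so the device side is a hypothetical Device interface with get_states()/set_state() and an in-memory FakeDevice stands in for the unit; the TARGETS mapping is constructed. A real transport would talk to the switch's web interface using credentials read from a mode-0600 config file rather than from the command line, so they do not end up in shell history or `ps` output.

```python
"""Model of a name->outlet fencing wrapper in the style of 'ippower' (added example)."""
import sys

# Constructed mapping of host names to outlet numbers on the switch.
TARGETS = {"perihelion": 1, "apohelion": 2, "power5": 3, "light": 4}
COMMANDS = ("on", "off", "status")


class FakeDevice:
    """Stand-in for the power switch: keeps outlet state in memory.

    A real Device would implement the same two methods over HTTP(S).
    """
    def __init__(self, states):
        self._states = dict(states)      # outlet number -> bool (True = on)

    def get_states(self):
        return dict(self._states)

    def set_state(self, outlet, on):
        self._states[outlet] = on


def usage():
    return ("Usage: ippower <status> | <target> <command>\n\n"
            f"TARGETS: {' '.join(TARGETS)}\nCOMMANDS: {' '.join(COMMANDS)}")


def run(dev, args):
    """Return the text the script prints; mirrors the session in the post."""
    if args == ["status"]:
        st = dev.get_states()
        return "\n".join(f"{name}: {'on' if st[outlet] else 'off'}"
                         for name, outlet in TARGETS.items())
    if len(args) != 2 or args[0] not in TARGETS or args[1] not in COMMANDS:
        return usage()                   # unknown target or command: refuse, don't guess
    target, cmd = args
    outlet = TARGETS[target]
    current = dev.get_states()[outlet]
    if cmd == "status":
        return "on" if current else "off"
    want = cmd == "on"
    if current == want:
        # Idempotent: re-running a fence action reports 'unchanged' instead of
        # toggling, so a retried fence never accidentally powers a node back up.
        return "unchanged"
    dev.set_state(outlet, want)
    return cmd


if __name__ == "__main__":
    # Constructed starting state matching the post's first 'status' output.
    device = FakeDevice({1: True, 2: False, 3: False, 4: False})
    print(run(device, sys.argv[1:]))
```

Run as `python ippower.py status` or `python ippower.py apohelion on`; the `unchanged` result on a repeated `on` matches the behaviour shown in the transcript and is what makes the script safe to call from a fencing agent that may retry.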

Building Embedded Linux Systems – Second Edition

Thursday, July 31st, 2008

So without further ado, I give you Building Embedded Linux Systems – Second Edition, written by several talented authors, and also yours truly. I take overall responsibility for this edition, and I hope that you enjoy reading it.

The book is going to be hitting bookstores “really soon now”, just as soon as it’s done being printed. The update includes lots of changes to upstream kernel and embedded components that have happened since 2003, brand new material on the Real Time patchset and related technologies, as well as various other changes. It’s intended to be an overall insight into embedded Linux rather than a programmer’s guide – for that, you want to be reading the other O’Reilly books on the Linux kernel and Linux Device Drivers – but it will get you pointed in the right direction, even if you’re coming from a non-Linux background. If you know Linux, but don’t know much about embedded Linux and its unique constraints, you will enjoy this book.

Buy a copy, and make my day!

I love SELinux (part IV)

Wednesday, July 2nd, 2008

So I’ve been writing about a couple of weeks as a user of SELinux on Fedora. I thought I’d give an update about the experience.

After a week as a user of SELinux in enforcing mode, I had learned a few things. I had learned that it isn’t always possible (without using command line utilities) to download a CD image and use it to install a virtual machine, or to use an alternate location for virtual machine images, and a number of other (minor) issues. By this, I mean that none of these things can be done trivially by end users or developers who don’t know about commands like chcon, and their use. To many end users, this simply means these (seemingly quite straightforward) activities are now “impossible”, since they simply will not properly understand why they are not working in the way they had intended. In this case the appearance of us being secure has trumped over general functionality.

Late last week, I decided to allow my laptop to apply the latest Fedora updates. I rebooted into the updated environment (new kernel image) and tried to connect to my corporate VPN using VPNC. Although it was able to connect, the connection script generated repeated errors trying to run commands like “ip” and “ifconfig”. So, I spent roughly 6 hours on Sunday night reading SELinux documentation, books, whitepapers, commands, and the Fedora SELinux “targeted” policy itself. I concluded that the update had disallowed the VPNC domain access to the sysnetwork domain in which those various networking commands exist.

Without getting into specifics too much (BZ453236 has my analysis attached), NetworkManager is able to start VPNC because it runs in a system context (which has a specific policy item to allow access to network commands), whereas regularly started tty incantations of VPNC will run unconfined. In that case, audit2allow suggested adding:

role unconfined_t types ifconfig_t

Which was actually in a pending update to the policy (it hadn’t made the changelog so I hadn’t noticed it when skimming recent koji builds). I installed the new build, and lo-and-behold my VPNC worked again. I wasn’t particularly bothered by this experience – I learned a lot about SELinux policy, the different files, and how it all goes together that I’m sure has changed since I looked at this stuff nearly a decade ago. But I’m not blogging about this because of me, I’m thinking about the end-user experience. The user facing this problem might have filed a Bugzilla, and they might even have realized this was due to SELinux (no AVC denial messages given) and tried fixing the problem for themself. But they probably instead decided that something was broken with Fedora and just went away frustrated. Security trumped over functionality of a generic laptop system.
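The diagnosis above (audit2allow reading denials and proposing a rule) is easier to follow with a concrete model of what the tool does. The following is an added example, not Fedora's audit2allow and not the analysis attached to the bug: a minimal parser for AVC denial records that merges permissions per source/target/class and prints candidate `allow` statements for review. The audit lines are constructed (the contexts, pids and inode numbers are made up for illustration), and the function names are hypothetical.

```python
"""Minimal AVC-denial parser in the spirit of audit2allow (added example)."""
import re
from collections import defaultdict

# Constructed sample audit records, not taken from any real system.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1214000000.123:456): avc:  denied  { execute } for  pid=1234 comm="vpnc-script" name="ip" dev=sda1 ino=5678 scontext=unconfined_u:unconfined_r:vpnc_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1214000000.456:457): avc:  denied  { read open } for  pid=1234 comm="vpnc-script" name="ifconfig" dev=sda1 ino=5679 scontext=unconfined_u:unconfined_r:vpnc_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1214000000.456:457): arch=c000003e syscall=59 success=no exit=-13
"""

_AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc_denials(text):
    """Return a list of (source_type, target_type, tclass, perms) per AVC denial."""
    out = []
    for line in text.splitlines():
        m = _AVC_RE.search(line)
        if not m:
            continue                      # SYSCALL, PATH, ... records are skipped
        # A context is user:role:type[:range]; keep only the type component,
        # which is what an 'allow' rule is written in terms of.
        stype = m.group("scontext").split(":")[2]
        ttype = m.group("tcontext").split(":")[2]
        out.append((stype, ttype, m.group("tclass"), set(m.group("perms").split())))
    return out


def summarize(denials):
    """Merge permissions per (source, target, class), as audit2allow does."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in denials:
        merged[(stype, ttype, tclass)] |= perms
    return {key: sorted(perms) for key, perms in merged.items()}

def suggest_allow_rules(text):
    """Candidate 'allow' statements for a human to review, not to install blindly."""
    summary = summarize(parse_avc_denials(text))
    return [f"allow {st} {tt}:{tc} {{ {' '.join(perms)} }};"
            for (st, tt, tc), perms in summary.items()]


if __name__ == "__main__":
    rules = suggest_allow_rules(SAMPLE_AUDIT_LOG)
    print("\n".join(rules) if rules else "no AVC denials found")
```

Two practical notes. First, a rule such a tool proposes tells you which domain needs which access, but the right fix is usually the corrected policy package (as it was here), not a local module that hardcodes the workaround. Second, when a program visibly fails yet no AVC record appears, as in the case above, the denial may be covered by a dontaudit rule; `semodule -DB` rebuilds the policy with dontaudit rules disabled so the denials show up in the audit log, and `semodule -B` puts them back afterwards.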

All I can do is hope that, in time, the community will realize the many uses that SELinux has, and the many that it does not. It’s great if you work for the NSA, have lots of servers to protect from the Interwebulous Tubes of the Internet, or are just a paranoid type. In those cases, SELinux has many advantages – especially if you’re running a timesharing system and distrust all of your users, to varying or equal amounts. This is one of many compelling justifications for SELinux to exist in Enterprise Linux products, and as an optional installation item on various other spins of Fedora – for example, for server targets. These are also good reasons to offer end users the option of turning on SELinux, if they desire.

But for the average Desktop user (you know, the type that we, as a community occasionally like to encourage…) SELinux often ostensibly gets in their way. You don’t have to choose to believe this if you don’t want to, but it can’t be managed graphically (that’s where most people will give up), the policy is highly complex (I’ve read bits of it), and what exactly does the average laptop user sitting behind a firewall with only a few non-external-facing Desktop applications need it for anyway? To protect them from themself? In case the guy in Starbucks is a l33t h4×0r? To protect them from a relatively minor subset of possible security attack vectors unlikely to be used against them at home? I’m still waiting to be convinced that it should *always* be on by default.

As a final note, remember that I’m not criticizing the Fedora community, SELinux developers, or other individuals. I’m saying that the end user experience is lacking in a few fixable ways. Mainly by bringing back an obvious option during installation that explains why Fedora offers this feature, and gives users who don’t want it a choice of turning it off.

Jon.

I love SELinux (part III)

Friday, June 27th, 2008

So today, I allowed my laptop to upgrade to the latest F9 packages. Shortly afterward, VPNC could no longer run its connection script to connect to my corporate VPN connection.

I looked for an AVC denial message in my GNOME notification area (it was only later that I’d be paranoid and check that the sealert and friends were actually being allowed to run, which they were), but there was none. And none of the system logs readily showed any SELinux problem, so I decided it wasn’t time to Just Blame SELinux. A half hour of hacking at the VPNC script later, and getting confused why the commands within that script would run via sudo but didn’t seem to be running when called by VPNC, and I had myself an answer. Obviously it must be SELinux at fault, somehow, somewhere, sometime.

Calling setenforce 0 before running VPNC results in no errors and the VPN comes up just fine, whereas turning SELinux back on immediately results in a failure to run the connection script. The RPM itself reports context information that is consistent with that on the actual files, and again, there are no denial messages being reported – running sealert manually would seem to confirm this, and there are no messages in obvious log files. So it comes down to this: something is broken in F9, I can’t yet determine where it is, but a simple update has resulted in SELinux causing yet more pain that it’s ever possibly worth.

I’ve almost learned my lesson. I listened to certain people when they suggested that using SELinux was a great idea, and that doing this on F9 is super cool because it wouldn’t get in the way, and that it’s all great because we can protect ourselves from ourselves and our own evil actions. But all these people have forgotten one minor point – SELinux policy is so complex that we get these random failures. This is a highly undesirable user experience for a desktop. I’m about ready, once again, to hurl SELinux out of the window as far as humanly possible. Way too overly intrusive to be actually useful.

Yes, I’m sure there’s a BZ somewhere, and I could just wait for another set of package updates that I’m sure will resynchronize policy with package, but let’s please notice that in the meantime, Joe User has long since given up and gone out to play with Little Billy and his friends. I’m trying to write these entries here to convey the undesirable user experience, and not whether I personally know enough to work around it. The average Fedora/Linux user doesn’t have 14 years of experience at dealing with this kind of thing.

Time for some (decaf) coffee.

Jon.