Category Archives: Tech

Sometimes not _everything_ is about Linux..

Securing Linux with Ansible

Leave a Reply

The Ansible Hardening role from the OpenStack project is a great way to secure Linux boxes in a reliable, repeatable and customisable manner.

It was created by former colleague of mine Major Hayden and while it was spun out of OpenStack, it can be applied generally to a number of the major Linux distros (including Fedora, RHEL, CentOS, Debian, SUSE).

The role is based on the Secure Technical Implementation Guide (STIG) out of the Unites States for RHEL, which provides recommendations on how best to secure a host and the services it runs (category one for highly sensitive systems, two for medium and three for low). This is similar to the Information Security Manual (ISM) we have in Australia, although the STIG is more explicit.

Continue reading

Manage and tweak Fedora with Ansible (and apply Korora settings by default)

7 Replies

Korora Project is a Linux distro I created over 13 years ago, which (since 2010) takes Fedora and applies dozens of tweaks in an effort to make it more usable “out of the box” for every day users.

Even with one or two others helping, it has been a lot of work so I’ve taken a break from the project for the last year to focus on other things. There has been no release of Korora since and so lately I’ve been running stock Fedora 29 Workstation (GNOME) on my laptop.

I enjoy the Korora defaults though and given that my family also runs Korora, I wanted a way to be able to move them to stock Fedora while keeping the same packages as well as the look and feel.

So, I created a Korora Ansible Role (it’s also on Ansible Galaxy) to apply the same Korora tweaks for stock Fedora Workstation (GNOME) plus an example playbook which uses it.

I tried to make it flexible by using variables so that users can change default package lists and settings for each machine, as required.

Running it on your local machine is pretty trivial, there’s a shell script with a sample inventory for localhost.

Continue reading

Resurrect Nexus 4 with red light of death by using wireless charger

Leave a Reply

I should have posted this ages ago. There is a well known problem which may affect Nexus 4 devices where it powers off and won’t power on again. When you plug it into the USB charger you get a solid red light and it never recovers.

If you search for the problem the main advice is to return the phone for a factory fix, however there’s an easier trick that’s worked for me; using a wireless charger.

Every time I’ve had this problem (on a few different Nexus 4 phones) I’ve been able to bring the phone back by sitting it on my Nexus wireless charger for a few minutes, then pressing the power button and it springs to life.

After that, you can charge and use the phone as normal. I am writing this now because I was reminded after using this trick to fix a friend’s phone tonight (he’d been googling the problem for a while with no luck).

Maybe someone still has one in their bottom drawer and can make use of it again by using this trick!

Playing with Ubuntu Touch on Nexus 4

2 Replies

I figured it was time to re-visit Ubuntu Touch on my Nexus 4 and see how it was going.

I was already running stock Lollipop and just kicked up the Ubuntu 14.10 GNOME live image under KVM on my Korora 21 laptop and passed the USB device through.

Following the instructions was really easy to get it going. Actually it was just one command and I was soon booting into Ubuntu, so that was quite impressive.

It booted up and asked me the usual things, connected to Wifi, etc. The interface is still the same as it was last time I checked, unsurprisingly, however it seems to work much better now. The animations are smooth and it’s quite clean looking. The Apps screen is easy to follow and you can easily filter by app group.

apps

Apps


Continue reading

Creating a DMZ in OpenWRT

21 Replies

In computing, a DMZ (demilitarized zone) is a method for separating untrusted traffic from a trusted network. One of the most common implementations of this would be for supporting a publicly accessible server (such as web) on a local internet connection. The server sits in the DMZ and can be accessed from the Internet, but it cannot access the trusted network.

OpenWRT probably needs no introduction, the brilliant open source and community driven Linux based embedded router stack. I run it on my Netgear WNDR3800.

Netgear WNDR3800 running OpenWRT

Netgear WNDR3800 running OpenWRT

I have an ODRIOD-U3 (little ARM box) running Fedora, which runs a web server. This is what I want to make publicly available in my DMZ.

So, how to create a DMZ in OpenWRT? Some commercial routers have a single button “make a DMZ” and everything is handled behind the scenes for you. Not so with OpenWRT; it’s powerful, transparent, and only does what you tell it to, so we have to create it manually.
Continue reading

TRIM on LVM on LUKS on SSD

19 Replies

Update2: systemd now has support for enabling trim on luks partitions by passing in the rd.luks.options=discard option and rebuilding grub config
Update: The latest versions of Fedora now support the discard option in crypttab, not allow-discards.

I have an (unfortunately too small) Samsung 840 Pro in my laptop and it’s been a long time since I’ve re-installed (no time for Korora for months) and I’ve noticed it getting a little sluggish. Most noticeable is long pauses while the drive goes nuts. I figured it was probably time to get some TRIM action on the drive, something I never bothered with before because I didn’t really care.

My setup is reasonably common, I imagine. I have a regular old boot partition and a second encrypted partition which is used as a physical volume for lvm. Hence any and all lv are automatically encrypted. If you’re using encryption, it’s possible that enabling trim could give an attacker insight into what blocks have/haven’t been used, but for me it’s just to make it harder for someone to get my data if I lose the laptop or it’s stolen.

Filesystem
First things first, the file system needs to support trim (ext4 does). If you’re using Fedora 18 you may have to edit your /etc/fstab and add the discard mount option to any partition you want to trim.
/dev/sda1 /boot ext4 defaults,discard 1 2

Under Fedora 19, my non-encrypted, non-lvm /boot partition works with fstrim out of the box (I didn’t have to set the discard mount option), so that’s good.

chris@localhost ~ $ sudo fstrim -v /boot
[sudo] password for chris:
/boot: 407 MiB (426762240 bytes) trimmed

With my / and /home partitions however it’s a different story, I get this:
chris@localhost ~ $ sudo fstrim -v /home
fstrim: /home: FITRIM ioctl failed: Operation not supported

So, problem is that somewhere along the way the discard commands aren’t reaching the device.

I have filesystem, lvm, luks, block layers I guess and I know it’s not the first or the last, so that leaves lvm and luks. Thanks to this post, it was pretty easy to enable on the latter two.

LVM
I edited the /etc/lvm/lvm.conf file and enabled the issue_discards option:
issue_discards = 1

LUKS
Now to ensure that discards are sent to my crypto layer by adding the allow-discards option to /etc/crypttab
luks-blah-blah-blah UUID=blah-blah-blah none allow-discards

Note: Thanks to chesty for pointing out that on Debian and other distros the format of that file and discards option may be different. Check man crypttab for the right option, but it may be something like this:
luks-blah-blah-blah UUID=blah-blah-blah none luks,discard

Initramfs
OK, so config files are in place, no as both of these configs are included in the initramfs, time to rebuild it:
chris@localhost ~ $ sudo dracut --force

Note: For Fedora 18 I had to tell dracut to include the crypttab file, as per this bug report.
chris@localhost ~ $ sudo dracut --force -I /etc/crypttab

Note2: Again, on Debian updating initramfs is different, try the update-initramfs command.

You can confirm that crypttab is in the initramfs with:
chris@localhost ~ $ sudo lsinitrd |grep crypttab

Test
After a reboot, I can test out fstrim again, which now works! (By the way, it’s fast.)
chris@localhost ~ $ time sudo fstrim -v /home
/home: 332.6 MiB (348778496 bytes) trimmed
 
real 0m0.194s
user 0m0.007s
sys 0m0.015s

Cron it
Finally, set this as an hourly cron job and enjoy the benefits.
root@localhost ~ # echo -e "fstrim /\nfstrim /home\nfstrim /boot" > /etc/cron.hourly/fstrim

ricci and libvirt with luci = error

2 Replies

If you’re setting up a cluster on RHEL with ricci and the machine is also a virtual host, you might have problems adding it to the cluster in luci (even though everything looks good – firewall is open and you can communicate on the port).

The error is something like:
unable to receive header from server on 11111

This is because the server is looking for a .libvirt configuration directory for the ricci user, but it doesn’t exist. Simply log onto the node and perform the following as root:
mkdir /var/lib/ricci/.libvirt
chown ricci:ricci /var/lib/ricci/.libvirt

Now you can successfully add the node to the cluster using luci.

-c

CyanogenMod and a Telstra Samsung Galaxy S (GT-I9000T)

13 Replies

My brother has been complaining about his slow phone since.. well the day he bought it, so I’ve been recommending CyanogenMod since, well, the day he bought it.

Finally yesterday I had a chance to go over for lunch and a Linux hacking afternoon, but in the end I spent the whole time trying to get CyanogenMod (CM) on his phone. Finally, some 8 hour later, I got it working.

It was meant to be straight forward:

  • turn on USB debugging
  • root his phone
  • install ClockworkMod
  • backup
  • flash CM via recovery

Rooting the phone

CM has some great instructions on their wiki, but they don’t cover how to root the phone. I did some research and found z4root which is supposed to root his Froyo 2.2 based phone, but it just didn’t work no matter which version we tried. His slow phone was running anti-virus which caused all sorts of “problems” and was quite frustrating, but we were still full of hope when we moved on.

Then I came across SuperOneClick, a .NET application that is supposed to run under Mono, but ends with a windows.forms crash when you click a button. So, we found a dualbooting laptop and went to Windows.

That was a whole other level of pain.

Windows frustrations aside, SuperOneClick turned out to be SuperOneMillionClick, but it did root the phone, yay!

3 hours had passed and we had a rooted phone – that was meant to take 3 minutes.

Installing recovery
So now we had a rooted phone, time to install ClockworkModRecovery (CWM). This installed just fine, but we could never get it to flash the recovery to do a backup. Gosh darn it. This also meant I couldn’t flash CM either.

My plan of doing everything nicely, as safely as possible, with backups, goes out the window at this point. Time to flash a kernel (with CWM) directly onto the device, another method to get recovery on there (so that we can flash CM).

Needed to get Heimdall, but there’s no RPM for it. Could compile it, but I’ll just grab the deb. Where’s alien? No package for alien and it’s a deb package, too. OK. Just extract the deb, good, now do I have the dynamic libraries installed for it? Yes.

So, I flashed the kernel which completed successfully and rebooted the phone… into an infinite loop. Great, broke the phone. Fortunately, I could still get to the “Download” mode, which AFAIK is like a dumb serial mode that lets you flash stuff (no adb here).

So I hit #cyanogenmod telling them what I was doing and was told:

so then you *didn’t* follow the instructions
they clearly state to start from from stock 2.3

Which isn’t actually true, but fair enough. So I had a rooted (as in root access) rooted (as in broken) phone.. what to do next? I knew the Download mode still worked, because I could re-flash the kernel. Advice was to find a stock ROM and flash that.. but for the life of me I couldn’t find the right stock kernel. Apparently it doesn’t really matter, but 6 hours had now passed and I didn’t want to make things worse (like break the radio or something).

Then I had an epiphany. If I flashed a Gingerbread kernel (with CWM) and it broke, maybe I can find an earlier kernel that was for Froyo and flash that to unbreak it. I did some more digging and found one! I flashed this onto the device and…. and… infinite loop again. This time however I somehow managed to get into recovery, which was progress!

Flashing CM
Right, now that I had recovery I could try and flash CM7 to see if I could boot. First problem was, getting into recovery only worked 3/4 of the time. Second problem was, getting CM zip onto the phone. Fortunately I now had adb access (phew) so I pushed the zip onto the phone.

There were more issues with permissions and writing to the right card, browsing to the card under recovery, su that didn’t work, but I won’t bore you further with all that. In the end, flashing CM was successful and I was able to boot into it. Almost happy. The flash was a bit weird (it rebooted the phone halfway through, then continued flashing) and some things weren’t quite working like the SIM card (probably important in a phone) and the screen wouldn’t wake up from sleep, blah blah.

Fortunately, flashing CM7 put on a new kernel and new version of recovery. So I booted to recovery and re-flashed CM. This time it worked as expected and I booted up to a working CM7 – it prompted for the SIM pin and everything seemed to be running well.

So, after some 8 hours it was almost midnight, but I finally had CM7 on the phone. I went to bed.

More problems
I woke up pretty happy and couldn’t wait to tell my brother, so I SMS’d his wife but never got a reply. Called later and he checked the phone. No SMS! D’oh 🙁

SMS wasn’t working, but 3G and voice were. Time to re-hit Google.

Turns out some other people have the same problem and I need to enter the SMS Messaging Centre number into the phone. You do that by dialing:
*#*#4636#*#*

Which brings up the Testing program, where you can browse to Phone Info, scroll down and enter the SMCS number.

For Telstra it’s supposedly +61418706700 but that didn’t work. Fortunately, I was able to get the number from my sister-in-law’s phone via the same method, which worked.

So, how to do it next time

Enjoy.

Microsoft “licenses its patents” to Android manufacturers, sues if they don’t agree

2 Replies

There’s never been any evidence that Microsoft goes after Linux based products, right? Hog wash.

Well, now it’s just Tom Tom all over again. So, we know that Microsoft has numerous patent licensing programs in place, including exFAT, FAT, .NET (Novell), and now Android. We know that Microsoft claims that Linux violates a few hundred of their patents. We know that as a part of these licensing agreements, companies sign a Non Disclosure Agreement so that they can’t let everyone else know the details. We know that if companies don’t agree to this extortion, Microsoft sues them.

Despite all this evidence, people still think .NET technology in Linux is not a risk. Wake up and smell the bananas, you morons.

Microsoft states that Android infringes on their intellectual property:

The Android platform infringes a number of Microsoft’s patents, and companies manufacturing and shipping Android devices must respect our intellectual property rights.

Microsoft has a patent licensing program in place for Android, which companies like HTC have signed:

To facilitate that we have established an industry-wide patent licensing program for Android device manufacturers. HTC, a market leader in Android smartphones, has taken a license under this program.

Microsoft is suing Barnes & Noble, Foxconn and Inventec (link above) because they did not take a license.

Microsoft Corp. today filed legal actions…against Barnes & Noble, Inc. and its device manufacturers, Foxconn International Holdings Ltd. and Inventec Corporation, for patent infringement by their Android-based e-reader and tablet devices that are marketed under the Barnes & Noble brand… We have tried for over a year to reach licensing agreements with Barnes & Noble, Foxconn and Inventec. Their refusals to take licenses leave us no choice but to bring legal action to defend our innovations and fulfill our responsibility to our customers, partners, and shareholders to safeguard the billions of dollars we invest each year to bring great software products and services to market

You know what will happen now. They will settle and Microsoft will continue this racket.

-c