Archive for the 'Technology' Category

MacVTap Bridge on F16

Wednesday, February 1st, 2012

I set up a couple VMs over the past day or two on my desktop machine I recently built. Had to use this MacVTap thing and I really like it.

To do this I used virt-manager in Fedora 16. Initially virt-manager didn’t give me an option to bridge the network interfaces; it was greyed out. I wanted to be able to ssh into these VMs inside my home network without having to go through the virt host. Turns out there’s an option to customize settings in the details panel just before you start the installation. Select it and bring up the VM’s detail panel to take advantage of MacVTap.

When the details panel comes up you can monkey with the networking of course. I selected the macvtap that my bare metal uses and set it to bridge mode.

Using this method both VMs got a DHCP address from my home router and are able to talk to each other now.

Word of warning, don’t use VEPA mode. It’s something special that most routers don’t have yet that, from what I can gather, lets the switch do the bridging instead of the virt host.

Learned about this stuff here: http://virt.kernelnewbies.org/MacVTap

Dvorak + Kinesis

Friday, September 9th, 2011

I passed a milestone in my Dvorak endeavor yesterday. I had someone looking over my shoulder at what I was doing while I was typing in Dvorak… on a contoured keyboard.

Work bought me a Kinesis Advantage keyboard in May. (Manufacturer’s Page) These are hard enough to get used to in a qwerty layout. It has a native Dvorak mode on it so I made the Kinesis my Dvorak keyboard and the keyboard I was using my qwerty. I had been using both since May. Unplugged the qwerty keyboard the first of September.

This pic is from before I unplugged the qwerty keyboard:

Gnome 3 two months later

Monday, June 27th, 2011

I’ve been using Fedora 15 and Gnome 3 for a little over 2 months now. I’ve learned a few things that have made my daily workflow a little easier, thought I’d share.

1. the alt key switches the Suspend menu item to “Power Off”
I infrequently need it, but the alternative was to logout and power off from the login screen or to add a gnome-shell-extension.

2. gnome-tweak-tool
There’s a couple settings in there that I was glad to be able to tweak

3. Drag to top of the screen to maximize.
I keep a couple things maximized. It’s nice to just drag the window to the top of the screen and have it maximize.

4. gsettings
I haven’t had too much need for this yet, but understanding it is relevant to writing extensions.

5. gnome-shell-extensions-dock
yum install gnome-shell-extensions-dock
gsettings set org.gnome.shell.extensions.dock position left
alt-f2
r
enter

6. wrote a gnome-shell-extension

Part of my team at work is in Pune, India and our company also passes lots of times around in UTC. The Fedora 14 Clock applet that listed what time it was in other timezones was helpful. So I set out last week to put something together in Gnome 3 that would serve the same purpose.

In the process I also found some code to add apps to the top panel and decided to post the little bit of code I put together here: https://github.com/radez/gnome-shell-extensions

Here’s what my “clocks” extension looks like. It’s not much but it suits my needs. I need to plug into gsettings at some point so that Pune and UTC aren’t hard coded.

Django, Apache and Semaphores

Tuesday, May 24th, 2011

At work I use Loki to manage my buildbot infrastructure. It’s deployed on apache via mod_wsgi. Recently I’ve been having trouble with Apache crashing with one of two single error lines in the logs:

[notice] seg fault or similar nasty error detected in the parent process
or
[emerg] (28)No space left on device: Couldn’t create accept lock

I came across this post and found it very helpful. Start with seeing if there are left over semaphores when you stop apache:

# ipcs -s | grep apache

If that’s the case then first clear them:

# /usr/bin/ipcs -s | grep apache | awk '{ print $2 }' | xargs ipcrm sem

Then tell the kernel to allow more semaphores by adding the following lines to /etc/sysctl.conf:

kernel.msgmni = 1024
kernel.sem = 250 256000 32 1024

then run

# sysctl -p

Once I start everything back up this seems to have fixed my issues.
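
The (28) in the second log line is ENOSPC, which semget() returns once the system-wide limit on semaphore sets (SEMMNI) or on semaphores (SEMMNS) is reached. The script below is an added example, not part of the original post: it parses `ipcs -s` output and compares it with a kernel.sem value. The sample output and the function names are constructed for illustration.

```python
# Constructed sample of `ipcs -s` output taken after Apache was stopped.
SAMPLE_IPCS = """
------ Semaphore Arrays --------
key        semid      owner      perms      nsems
0x00000000 98304      apache     600        1
0x00000000 131073     apache     600        1
0x00000000 163842     apache     600        1
0x0052e2c1 196611     postgres   600        17
"""


def parse_kernel_sem(value):
    """kernel.sem holds four limits, in this order."""
    names = ("SEMMSL", "SEMMNS", "SEMOPM", "SEMMNI")
    return dict(zip(names, (int(v) for v in value.split())))


def parse_ipcs(text):
    """Return one dict per semaphore array listed by `ipcs -s`."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows have five columns and start with the hex key.
        if len(parts) == 5 and parts[0].startswith("0x"):
            rows.append({"semid": int(parts[1]), "owner": parts[2],
                         "nsems": int(parts[4])})
    return rows


def semaphore_report(ipcs_text, kernel_sem, owner="apache"):
    """Compare current usage with the limits and list one owner's arrays."""
    limits = parse_kernel_sem(kernel_sem)
    rows = parse_ipcs(ipcs_text)
    arrays, sems = len(rows), sum(r["nsems"] for r in rows)
    return {
        "arrays": (arrays, limits["SEMMNI"]),
        "semaphores": (sems, limits["SEMMNS"]),
        "leftover_semids": [r["semid"] for r in rows if r["owner"] == owner],
        # semget() fails with ENOSPC once either limit is reached
        "exhausted": arrays >= limits["SEMMNI"] or sems >= limits["SEMMNS"],
    }


if __name__ == "__main__":
    print(semaphore_report(SAMPLE_IPCS, "250 256000 32 1024"))
```

Arrays still owned by apache while the server is stopped are the leftovers the ipcrm step clears.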

Gnome 3 on Fedora 15

Saturday, April 9th, 2011

Went ahead and updated to Fedora 15 this evening.
Though Gnome 3 will take some time to get used to, I think I’ll like it over time.

Lego Antikythera Mechanism

Monday, December 13th, 2010

MOTOROKR S9-HD + Fedora 13 in A2DP

Thursday, June 3rd, 2010

***UPDATE***: See the comments, turns out there is capability in F13 to do this that I was unaware of, thx marcanoonline.com!

Got a pair of MotoRokr S9-HD headphones today, pretty cool. Pairing with my iPhone was cake. Pairing with Fedora 13 had an extra couple steps. Getting the headphones paired was not the problem, huge props to Fedora 13 for making that super easy. The issue was getting the headphone to operate in an A2DP configuration.

There is not a place that I could find to select what kind of profile to use with the output device and the device was assigned a mono configuration upon initial pairing. I found one lone post related: http://forums.fedoraforum.org/showthread.php?t=223323

$ sudo yum install pavucontrol


pavucontrol shows the headphones configured for use as a handsfree phone device (which it can do):


Fedora already had A2DP support installed, just had to select it:

Now I have stereo output on my shiny new headphones.

Nushus 0.12.2

Monday, April 26th, 2010

Just uploaded a tarball of Nushus 0.12.2 to the Nushus fedora hosted site.

Docs and tickets are still being transferred out to the fedora hosted trac site.

Nushus (pronounced new shoes) is a package and file repo release management tool. It has a web interface and cli client to aid in isolating and promoting packages through a release engineering process.

Right now you can import two types of files:

  1. rpms with auto generation of yum metadata, acls management and promotion to other nushus instances on a per-repo basis
  2. simple files with acls management and promotion to other nushus instances on a per-repo basis

An instance of Nushus can be established in multiple environments. (ex: QA, Stage, Prod) The instances are then configured to talk to one another so that they can transfer files from environment to environment.

How to Proxy Pass REMOTE_USER: write your own apache module

Monday, March 22nd, 2010

The problem:

I was using mod_auth_kerb to authenticate and ProxyPass to pass off the request to another server. I’m trying to support Kerberos Authentication but split the infrastructure into a proxy/app tiering using ProxyPass because I needed the ProxyPassReverseCookieDomain directive. Problem is I need to pass the user that had been authenticated along with the ProxyPass (ie. the value of REMOTE_USER) and found no configs to let me do that with mod_auth_kerb and ProxyPass.

What I tried:
I found a bunch of pages that referenced using a lookahead (LA-U:REMOTE_USER) to get the value of REMOTE_USER. Take that value and set an environment variable. Then use the env var to set a header, say, X-Forwarded-User. This didn’t seem quite right since this was being implemented at the rewrite stage (pre authentication, hence the lookahead’s subrequest) and spawned the overhead of another subrequest to get the initial value. I tried all kinds of permutations of some rewrite configs that looked something like this:

RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule .* - [E=RU:%1]
RequestHeader set X_REMOTE_USER %{RU}e

http://n2.nabble.com/SSO-with-SSPI-and-SSL-LA-U-REMOTE-USER-always-null-td4086748.html et al.

In spite of the “not quite right” of the subrequest to env var to header I always got a value of (null) back from the lookahead. So this never even worked in combination with mod_auth_kerb (I’ve been told it does with basic auth or with mod_auth_kerb + RewriteRule [P]). Further it seemed inefficient to do all this subrequest to env to header stuff. I figured the most efficient thing to do (relative to processing the requests) would be to write a simple apache module that was in the module chain after auth but before proxy. Turns out that it didn’t take too long to do either.

The Solution:

I started with a tutorial at threebit.net where I just wanted to compile an apache module and insert it into the module chain. This worked like a champ (Thanks Kevin!) and I was logging to my error_log via stderr in no time at all. After reading through some apache code I figured out that r->user was the variable that mod_auth_kerb was populating the authenticated user to and that the ap_hook_handler method was inserting this module into the chain after proxypass. This location in the module chain was a problem because when I turn on proxypass the request was being proxied before the module was being executed. After a bit more docs and code reading I found ap_hook_fixups, which is in a stage between the auth and proxy modules. So that diff would look something like this:

< ap_hook_handler(mod_tut1_method_handler, NULL, NULL, APR_HOOK_LAST);
> ap_hook_fixups(mod_tut1_method_handler, NULL, NULL, APR_HOOK_LAST);
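
Review bot: on the `>` line the callback is still named mod_tut1_method_handler although it is now registered with ap_hook_fixups instead of ap_hook_handler; rename it to reflect the hook it runs in, and check that it returns OK or DECLINED, since any other return value from a fixups hook ends the request before it reaches the proxy.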

Finally, the method_handler’s code was changed from the stderr functionality to these two lines to use the r->user variable:

apr_table_set(r->headers_in, "X-Forwarded-User", r->user);
apr_table_unset(r->headers_in, "Authorization");

This sets the X-Forwarded-User header with the user the proxy has authenticated and strips out the Authorization header to be sure that you’re not passing any basic auth information (passwords in clear text!) from server to server.

I don’t have a complete set of code anywhere for you to download at this point, though, hopefully there’s enough here that all you’d have to do is swap a few pieces of code out, compile it (I had to update the automake stuff on the tutorial cuz it’s kinda old) and install it according to the tutorial’s directions.

Words of Warning:
1. Secure your app!
If you open your app up to accept X-Forwarded-User and trust that header as a source of an already authenticated user you must make sure that the only host that can pass that header to your app is your proxy! It would not be hard to install this custom module elsewhere (or use the lookahead stuff), slap basic auth on it and pass the header to your app completely ignoring your authoritative authentication infrastructure.

2. This will be applied to every request on your proxy.
There is nothing in this module that will only apply this to a specific vhost or anything. Every request that your proxy processes will get your custom header.
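
One way for the backend to enforce warning 1, as an added example that is not code from the original post: a WSGI middleware that accepts X-Forwarded-User only when the connection comes from the proxy and discards it otherwise. The proxy address 10.0.0.5, the class name and the demo app are assumptions made for illustration.

```python
import ipaddress

# Assumption: the only host allowed to assert a user is the proxy at 10.0.0.5.
TRUSTED_PROXIES = (ipaddress.ip_network("10.0.0.5/32"),)
HEADER_KEY = "HTTP_X_FORWARDED_USER"  # how WSGI exposes X-Forwarded-User


class ForwardedUserMiddleware:
    """Hypothetical middleware: trust X-Forwarded-User only from the proxy."""

    def __init__(self, app, trusted=TRUSTED_PROXIES):
        self.app = app
        self.trusted = tuple(trusted)

    def _peer_is_proxy(self, environ):
        try:
            peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
        except ValueError:
            return False  # missing or malformed peer address: do not trust
        return any(peer in net for net in self.trusted)

    def __call__(self, environ, start_response):
        # Remove the raw header in every case so the app never reads it directly.
        claimed = environ.pop(HEADER_KEY, None)
        if claimed and self._peer_is_proxy(environ):
            environ["REMOTE_USER"] = claimed
        else:
            environ.pop("REMOTE_USER", None)
        return self.app(environ, start_response)


def whoami_app(environ, start_response):
    """Demo app: answers with the user it believes is authenticated."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ.get("REMOTE_USER", "anonymous").encode()]


def simulate(remote_addr, forwarded_user=None):
    """Run one constructed request through the middleware and return the body."""
    environ = {"REQUEST_METHOD": "GET", "REMOTE_ADDR": remote_addr}
    if forwarded_user is not None:
        environ[HEADER_KEY] = forwarded_user
    app = ForwardedUserMiddleware(whoami_app)
    return b"".join(app(environ, lambda status, headers: None)).decode()
```

Address filtering in the app is one layer; a firewall rule or mutual TLS between proxy and app gives the same guarantee at the network level.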

Future?
A nice addition to this would be to let you configure the header name in your vhost config (ProxyUserHeader "X-Custom-Header-Name") or even to submit a patch to mod_proxy so it’s not a separate module but built into mod_proxy (ProxyPassUserHeader "X-Custom-Header-Name"). Seems intriguing to do a bit more with it.

pdb

Wednesday, March 10th, 2010

I’m working on a feature for a project that I’m getting ready to open source. (more to come on it being open sourced when it happens) I’ve never taken the time to try and use pdb to debug a python program. I fell into a situation that seemed plausible to try it.

Found this post and was quite delighted to be able to dive right into debugging my app. Also worth noting, the post references this link which, once you have the basics of using pdb, expands a little on what else you can do.

<3 pdb