Archive for the 'Technology' Category

MOTOROKR S9-HD + Fedora 13 in A2DP

Thursday, June 3rd, 2010

***UPDATE***: See the comments; it turns out Fedora 13 already has the capability to do this and I was unaware of it. Thanks, marcanoonline.com!

Got a pair of MotoRokr S9-HD headphones today, pretty cool. Pairing with my iPhone was cake. Pairing with Fedora 13 took a couple of extra steps. Getting the headphones paired was not the problem; huge props to Fedora 13 for making that super easy. The issue was getting the headphones to operate in an A2DP configuration.

I could not find anywhere to select which profile to use with the output device, and the device was assigned a mono configuration upon initial pairing. I found one lone related post: http://forums.fedoraforum.org/showthread.php?t=223323

$ sudo yum install pavucontrol


pavucontrol shows the headphones configured for use as a handsfree phone device (which they can do):


Fedora already had A2DP support installed, just had to select it:

Now I have stereo output on my shiny new headphones.

Nushus 0.12.2

Monday, April 26th, 2010

Just uploaded a tarball of Nushus 0.12.2 to the Nushus fedora hosted site.

Docs and tickets are still being transferred out to the fedora hosted trac site.

Nushus (pronounced "new shoes") is a package and file repo release management tool. It has a web interface and a CLI client to aid in isolating and promoting packages through a release engineering process.

Right now you can import two types of files:

  1. rpms, with auto generation of yum metadata, ACL management and promotion to other Nushus instances on a per-repo basis
  2. simple files, with ACL management and promotion to other Nushus instances on a per-repo basis

An instance of Nushus can be established in multiple environments (e.g. QA, Stage, Prod). The instances are then configured to talk to one another so that they can transfer files from environment to environment.

How to Proxy Pass REMOTE_USER: write your own apache module

Monday, March 22nd, 2010

The problem:

I was using mod_auth_kerb to authenticate and ProxyPass to hand the request off to another server. I'm trying to support Kerberos authentication but split the infrastructure into a proxy/app tiering using ProxyPass, because I needed the ProxyPassReverseCookieDomain directive. The problem is that I need to pass the authenticated user (i.e. the value of REMOTE_USER) along with the ProxyPass, and I found no configuration that let me do that with mod_auth_kerb and ProxyPass.

What I tried:
I found a bunch of pages that referenced using a lookahead (LA-U:REMOTE_USER) to get the value of REMOTE_USER: take that value and set an environment variable, then use the env var to set a header, say, X-Forwarded-User. This didn't seem quite right, since it is implemented at the rewrite stage (pre-authentication, hence the lookahead's subrequest) and spawns the overhead of another subrequest to get the initial value. I tried all kinds of permutations of rewrite configs that looked something like this:

RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule .* - [E=RU:%1]
RequestHeader set X_REMOTE_USER %{RU}e

http://n2.nabble.com/SSO-with-SSPI-and-SSL-LA-U-REMOTE-USER-always-null-td4086748.html et al.

Setting aside the "not quite right" of the subrequest to env var to header, I always got a value of (null) back from the lookahead. So this never worked in combination with mod_auth_kerb (I've been told it does with basic auth or with mod_auth_kerb + RewriteRule [P]). Further, it seemed inefficient to do all this subrequest-to-env-to-header stuff. I figured the most efficient thing to do (relative to processing the requests) would be to write a simple Apache module that sits in the module chain after auth but before proxy. Turns out that it didn't take too long to do either.

The Solution:

I started with a tutorial at threebit.net where I just wanted to compile an Apache module and insert it into the module chain. This worked like a champ (Thanks Kevin!) and I was logging to my error_log via stderr in no time at all. After reading through some Apache code I figured out that r->user is the field mod_auth_kerb populates with the authenticated user, and that the ap_hook_handler call was inserting this module into the chain after ProxyPass. That location in the module chain was a problem because when I turned on ProxyPass the request was being proxied before the module was executed. After a bit more docs and code reading I found ap_hook_fixups, which runs in a stage between the auth and proxy modules. So that diff looks something like this:

< ap_hook_handler(mod_tut1_method_handler, NULL, NULL, APR_HOOK_LAST);
> ap_hook_fixups(mod_tut1_method_handler, NULL, NULL, APR_HOOK_LAST);

Finally, the method handler's code was changed from the stderr logging to these two lines that use the r->user variable:

apr_table_set(r->headers_in, "X-Forwarded-User", r->user);
apr_table_unset(r->headers_in, "Authorization");

This sets the X-Forwarded-User header to the user the proxy has authenticated and strips out the Authorization header, to be sure that you're not passing any basic auth information (passwords in clear text!) from server to server.

I don't have a complete set of code anywhere for you to download at this point; hopefully, though, there's enough here that all you'd have to do is swap a few pieces of code out, compile it (I had to update the automake setup in the tutorial because it's rather old) and install it according to the tutorial's directions.

Words of Warning:
1. Secure your app!
If you open your app up to accept X-Forwarded-User and trust that header as a source of an already authenticated user you must make sure that the only host that can pass that header to your app is your proxy! It would not be hard to install this custom module elsewhere (or use the lookahead stuff), slap basic auth on it and pass the header to your app completely ignoring your authoritative authentication infrastructure.

2. This will be applied to every request on your proxy.
There is nothing in this module that will only apply this to a specific vhost or anything. Every request that your proxy processes will get your custom header.
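The first warning above is the one that bites: the app tier must accept X-Forwarded-User only from the proxy. As an added example (not the post's Apache module or any project's code), here is a small WSGI middleware for the app tier that honours the header only when the TCP peer is one of the configured proxy addresses and drops it otherwise. The addresses, the header name and the user names are constructed for illustration; a real deployment would also firewall the app port so only the proxy can reach it.

```python
"""Trusted-proxy gate for X-Forwarded-User (added example, not the post's code)."""
import ipaddress


class TrustedProxyUser:
    """Promote X-Forwarded-User to REMOTE_USER only when sent by a trusted proxy."""

    def __init__(self, app, trusted_proxies, header="HTTP_X_FORWARDED_USER"):
        self.app = app
        # single addresses become /32 (or /128) networks, CIDR ranges stay as given
        self.trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]
        self.header = header  # WSGI key for the X-Forwarded-User request header

    def peer_is_trusted(self, remote_addr):
        """True only for a syntactically valid address inside a configured proxy range."""
        try:
            addr = ipaddress.ip_address(remote_addr)
        except ValueError:
            return False
        return any(addr in net for net in self.trusted)

    def resolve_user(self, environ):
        """Identity to trust for this request, or None when the header is absent or untrusted."""
        forwarded = environ.get(self.header, "").strip()
        if forwarded and self.peer_is_trusted(environ.get("REMOTE_ADDR", "")):
            return forwarded
        return None

    def __call__(self, environ, start_response):
        user = self.resolve_user(environ)
        environ.pop(self.header, None)          # downstream code never sees the raw header
        if user is None:
            environ.pop("REMOTE_USER", None)    # no inherited or forged identity survives
        else:
            environ["REMOTE_USER"] = user
        return self.app(environ, start_response)


def whoami_app(environ, start_response):
    """Constructed app that answers with the identity it was handed."""
    user = environ.get("REMOTE_USER")
    status = "200 OK" if user else "401 Unauthorized"
    body = ("hello %s" % user) if user else "no trusted identity"
    start_response(status, [("Content-Type", "text/plain")])
    return [body.encode()]


def run_request(app, environ):
    """Minimal WSGI driver: returns (status, body text) for a constructed environ."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode()


if __name__ == "__main__":
    # constructed addresses: 10.0.0.5 is the Kerberos proxy, 203.0.113.9 is not
    app = TrustedProxyUser(whoami_app, ["10.0.0.5", "192.0.2.0/24"])
    print(run_request(app, {"REMOTE_ADDR": "10.0.0.5",
                            "HTTP_X_FORWARDED_USER": "alice@EXAMPLE.COM"}))
    print(run_request(app, {"REMOTE_ADDR": "203.0.113.9",
                            "HTTP_X_FORWARDED_USER": "alice@EXAMPLE.COM"}))
```

The middleware removes the header before the application runs, so even code that reads environ keys directly cannot be fooled by a client-supplied value; the proxy module's apr_table_set likewise overwrites any X-Forwarded-User a client sent to the proxy, which is what keeps the two tiers consistent.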

Future?
A nice addition would be to let you configure the header name in your vhost config (ProxyUserHeader "X-Custom-Header-Name"), or even to submit a patch to mod_proxy so it's not a separate module but built into mod_proxy (ProxyPassUserHeader "X-Custom-Header-Name"). Seems intriguing to do a bit more with it.

pdb

Wednesday, March 10th, 2010

I'm working on a feature for a project that I'm getting ready to open source (more to come on that when it happens). I'd never taken the time to try using pdb to debug a Python program, and I ran into a situation where it seemed worth trying.

Found this post and was quite delighted to be able to dive right into debugging my app. Also worth noting: the post references this link, which, once you have the basics of using pdb, expands a little on what else you can do.

<3 pdb

Dvorak

Monday, March 8th, 2010

At work we got talking about Dvorak a little while back. I've been picking through this tutorial as I get time and really enjoying it. Just google Dvorak to read up on what's so different about it. The main point I like is that people claim it reduces stress on your wrists. I figure with how much I'm on a computer it's worth a try. I haven't found any scientific evidence that it actually helps. Maybe I'll get to the point of using it full time one day and have my own claim.

You can reconfigure your keyboard to use this layout regardless of its labelling. I've got my Fedora and Mac machines configured so I can swap between QWERTY and Dvorak very easily. There's plenty of info on Google on how to set this up. Once it's set up on a Mac, just select your layout from the keyboard notification icon near the date/time on your menu bar. On Fedora I use L-Shift+Caps-Lock and it switches in and out of Dvorak. I assume you can do it on Windows too, but I don't have a Windows machine to try it on.

Still on lesson 17 in the tutorial, so I can't really do anything with it other than the tutorial yet... but I'm sure I'll post a blog post in Dvorak when I get to that level :)

ABCD: A Basic Course in Dvorak :: http://gigliwood.com/abcd/

WordPress mu non-wildcard vhosts

Friday, December 4th, 2009

*** UPDATE ***
This hack is probably unnecessary. I found that wp-mu has a sites framework that is not exposed, and there is a plugin that's trying to accomplish the same thing I am. Just google 'wordpress mu sites'.
*******

I need to have multiple WordPress instances installed, but I want each to have its own vhost, and I also want an easy way to maintain them (upgrades and such). I thought WordPress MU could do this... but out of the box it only supports wildcards on a single domain (blog1.example.com, blog2.example.com and blog3.example.com). Turns out you can change 2 lines (3 if you want to clean up a view cosmetically) and you can seemingly use wordpress-mu to host multiple domains: www.blog1.com, www.blog2.com and www.blog3.com.

I’ve not deployed this yet… so use at your own risk. I’ll post again later with results after I’ve migrated a couple sites to it.

The problem: wp-mu assumes in vhost mode that all your blogs are of convention {something_here}.example.com. It does this by concatenating the domain you configure at install time onto the name of any new wordpress site you setup.

The solution: tell it not to append the install-time configured domain when you set up a new site. No special magic seems to happen with a new WordPress site's configured domain after install time.

To show how this works we'll set up an example.com instance of WordPress MU and replace the wildcard magic so that not-example.com is hosted by the same code base.
1. Download and install wp-mu just as they tell you to, using example.com (set a hosts record to point example.com to your localhost). You'll now have a fresh new wp-mu blog at example.com.
2. Patch the files to remove the wildcard vhost magic.
a. This change removes the hardcoded base domain and assumes the domain name you're accessing WordPress with is the current domain. Without making this dynamic, authentication would fail on some or all of the configured sites.

wp-config.php
@@ -38,7 +38,7 @@
-define(‘DOMAIN_CURRENT_SITE’, ‘example.com’);
+define(‘DOMAIN_CURRENT_SITE’, getenv(‘HTTP_HOST’));
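Review bot: the `+define('DOMAIN_CURRENT_SITE', getenv('HTTP_HOST'))` line takes the site's domain straight from the client-supplied Host header, so DOMAIN_CURRENT_SITE (and anything derived from it, such as cookie domains and generated URLs) becomes whatever the requester says it is. Suggest looking the Host value up against the domains already stored for the configured sites and falling back to a fixed default (the old 'example.com' constant) when it does not match, rather than trusting it raw; a one-line comment in wp-config.php noting that this constant is now per-request would also help the next person who upgrades.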

b. This is the concatenation magic that we want to prevent. It undoes the "force append install-time configured domain" behaviour; in our example case, don't force .example.com onto the back of my new blog.

wp-admin/wpmu-edit.php
@@ -147,7 +147,7 @@
if( constant(‘VHOST’) == ‘yes’ ) {
-                       $newdomain = $domain.”.”.$current_site->domain;
+                       $newdomain = $domain;
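Review bot: with the `.$current_site->domain` suffix gone, `$newdomain = $domain;` means the form field now supplies a complete hostname, so whatever validation the surrounding code applies to a single subdomain label no longer matches what is stored. Add a check that `$domain` is a syntactically valid hostname (lowercase labels of letters, digits and hyphens separated by dots, no scheme, port or path) before it reaches the database, and reject values that collide with an existing site's domain.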

c. This last one is optional. It just removes the domain name shown after the text box on the form for a new blog. This is a purely cosmetic change.

wp-admin/wpmu-blogs.php
@@ -582,7 +582,7 @@
<?php if ( constant( “VHOST” ) == ‘yes’ ) { ?>
-                                                       <input name=”blog[domain]” type=”text” title=”<?php _e(‘Domain’) ?>”/>.<?php echo $current_site->domain;?>
+                                                       <input name=”blog[domain]” type=”text” title=”<?php _e(‘Domain’) ?>”/>
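Review bot: the title attribute still reads 'Domain' and, with the echoed suffix removed, nothing on the form tells the admin that a full hostname (www.blog2.com) is now expected rather than the label that used to sit in front of it; update the label or title text in the same change.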

3. Add a new WordPress site at not-example.com (add the hosts record that points to localhost again to test).
4. Use Dashboard -> Tools -> Export to get an XML dump of a single-instance blog that you can import into a wp-mu managed blog.

Like I said, I've not actually deployed this yet, but authentication into and out of both domains' dashboard and frontend seems happy. I'll be sure to update this post with any other issues I come across. Let me know if you try it and whether it works!

Expanding a xen disk image’s space

Wednesday, August 12th, 2009

I documented this a while back and never posted it. Had to use it again today so I figured it would be fun to post it.

Compiled these steps using these urls:

http://www.mail-archive.com/centos@centos.org/msg08928.html

http://www.howtoforge.com/linux_resizing_ext3_partitions_p2

1. Use dd to create a roughly 1 GB file of zeros

[root@virtserver os]# cd /var/lib/xen/images/os
[root@virtserver os]# dd if=/dev/zero of=Tempfile bs=1024 count=1000000

2. Back up your disk image

[root@virtserver os]# cp somehost.example.com-disk0 somehost.example.com-disk0.bkup

3. Append the temp file to the virtual image file

cat Tempfile >> somehost.example.com-disk0

4. Attach to the disk image

[root@virtserver os]# modprobe xenblk
[root@virtserver os]# pwd
/var/lib/xen/images/os
[root@virtserver os]# xm block-attach 0 'file:/var/lib/xen/images/os/somehost.example.com-disk0' xvda w

If you try to attach a file that doesn't exist you'll get output like this:

Error: Device 51712 (vbd) could not be connected.
File /var/lib/xen/images/os/notreal.example.com-disk0 is read-only, and so I will not
mount it read-write in a guest domain.
Usage: xm block-attach <Domain> <BackDev> <FrontDev> <Mode>

Create a new virtual block device.

If you copy and paste, you may have to fix your single quotes. When I copied and pasted this I got a weird ASCII error.

5. fsck

[root@virtserver os]# e2fsck -f /dev/xvda1
e2fsck 1.39 (29-May-2006)
Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information
/boot: 42/524288 files (2.4% non-contiguous), 28805/524112 blocks

[root@virtserver os]# e2fsck -f /dev/xvda2
e2fsck 1.39 (29-May-2006)
Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information
/: 43523/2097152 files (0.9% non-contiguous), 487769/2096482 blocks

6. Strip out the ext3 journal

[root@virtserver os]# tune2fs -O^has_journal /dev/xvda1
tune2fs 1.39 (29-May-2006)

[root@virtserver os]# tune2fs -O^has_journal /dev/xvda2
tune2fs 1.39 (29-May-2006)

7. Delete and re-add the last partition on the disk using the new end cylinder

[root@virtserver os]# fdisk /dev/xvda

The number of cylinders for this disk is set to 1156.
There is nothing wrong with that, but this is larger than 1024,
and could in certain setups cause problems with:
1) software that runs at boot time (e.g., old versions of LILO)
2) booting and partitioning software from other OSs
(e.g., DOS FDISK, OS/2 FDISK)

Command (m for help): p

Disk /dev/xvda: 9514 MB, 9514450944 bytes
255 heads, 63 sectors/track, 1156 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot      Start         End      Blocks   Id  System
/dev/xvda1   *           1         261     2096451   83  Linux
/dev/xvda2             262         783     4192965   83  Linux

Command (m for help): d
Partition number (1-4): 2

Command (m for help): p

Disk /dev/xvda: 9514 MB, 9514450944 bytes
255 heads, 63 sectors/track, 1156 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot      Start         End      Blocks   Id  System
/dev/xvda1   *           1         261     2096451   83  Linux

Command (m for help): n
Command action
e   extended
p   primary partition (1-4)
p
Partition number (1-4): 2
First cylinder (262-1156, default 262):
Using default value 262
Last cylinder or +size or +sizeM or +sizeK (262-1156, default 1156):
Using default value 1156

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.

8. fsck and recreate the ext3 journals

[root@virtserver os]# e2fsck /dev/xvda2
e2fsck 1.39 (29-May-2006)
/: clean, 62190/1048576 files, 860683/1048241 blocks

[root@virtserver os]# tune2fs -j /dev/xvda2
tune2fs 1.39 (29-May-2006)
Creating journal inode: done
This filesystem will be automatically checked every -1 mounts or
0 days, whichever comes first.  Use tune2fs -c or -i to override.

[root@virtserver os]# tune2fs -j /dev/xvda1
tune2fs 1.39 (29-May-2006)
Creating journal inode: done
This filesystem will be automatically checked every -1 mounts or
0 days, whichever comes first.  Use tune2fs -c or -i to override.

9. Resize the filesystem

[root@virtserver os]# resize2fs -f /dev/xvda2
resize2fs 1.39 (29-May-2006)
Resizing the filesystem on /dev/xvda2 to 1797271 (4k) blocks.
The filesystem on /dev/xvda2 is now 1797271 blocks long.

10. Detach the disk image and get on with your day with more space

[root@virtserver os]# xm block-detach 0 xvda

Experimenting with Railo

Thursday, August 6th, 2009

ColdFusion was the first programming language that I actually did something with. I haven't been writing it too much lately (yay Django) but I still have code written in ColdFusion that is faithfully running. I love open source and saw a while back that Railo was going open source and being shipped with JBoss. Went to the Railo site recently and found that Railo 3.1 had in fact been released, so I thought I'd give it a spin. Railo 3.1 is downloadable with a copy of Resin. I'd never heard of Resin; it seems like a lighter-weight Java app server, kind of like JBoss. Hope that's not too far off base from what it really is. So here's my experience getting Railo 3.1 to run on CentOS 5.3.

When you first download it you need to compile. I found a post that said to download railo-resin-no-jre and get Sun's JRE, naturally after I had tried it with the bundled JRE and couldn't get mod_caucho to compile. So in the root of what I unpacked (this assumes that you've installed the build tools):

$ ./configure --with-java-home=/usr/java/jre1.6.0_15

Got a warning about Java JNI not existing. I couldn't figure it out quickly, but I think this is just performance related, so I'm skipping it for now as I don't need the performance yet. After configuring I ran make and make install. I'm going to use Apache, and the main compile didn't seem to build the Apache module, so I did that separately (this is the piece that failed when I tried to use the included JRE) and copied it to Apache's modules dir.

$ cd modules/c/src/apache2/
$ make all
$ cp .libs/mod_caucho.so /etc/httpd/modules

Now configure Apache to use Railo. I use virtual hosts heavily, so I went ahead and configured a couple to test with.

/etc/httpd/conf.d/railo.conf

LoadModule caucho_module modules/mod_caucho.so
DirectoryIndex index.cfm index.php index.htm index.html index.html.var
ResinConfigServer localhost 6800
<VirtualHost *>
ServerName site1.local
</VirtualHost>
<VirtualHost *>
ServerName site2.local
</VirtualHost>
<Location /caucho-status>
SetHandler caucho-status
</Location>

The Resin config file had defaults that use virtual hosting if you just create the proper directory structure. This is done in the root of what was unpacked.

$ mkdir -p hosts/site1.local/webapps/ROOT
$ mkdir -p hosts/site2.local/webapps/ROOT

I also stuck an index.cfm file in each root directory for testing... just a cfoutput with #now()# in it and a site identifier. The hosts/${domainname}/webapps/ROOT structure is, I think, the standard directory layout Resin expects for virtual hosting. Finally, start Resin.

$ bin/httpd.sh start

I've used all the defaults here. There are some docs on the virtual hosting stuff here. My next step is to integrate it with my existing server setup to see if I can customize this to the point where I'd consider replacing Adobe CF with Railo CF. I've already tested a simple app written in CF7 on it. No problems.

python + kerberos + apache GSSAPI Example

Monday, July 6th, 2009

I'm writing a Kerberos-enabled tool at work. The primary interface is the web UI, to which we forward our Kerberos tickets and use GSSAPI in Apache to authenticate. The secondary interface is a CLI that we use to push data into the server. Since kinit lets us log in through the web UI without typing our password again, I wanted the CLI to also be able to pass the necessary headers to Apache for password-less authentication. I'm not the most experienced programmer at Kerberos implementations, so I figured I'd just work it out and learn how to do it. I found there was a distinct lack of tutorials on how to implement a Kerberos client. So here's my experience.

Pre-established Kerberos infrastructure here means you are able to kinit and have Firefox log in to a Kerberos-enabled website using your ticket. If you have a valid service principal and a valid ticket, make sure that Firefox knows the domain is trusted: visit about:config and set network.negotiate-auth.trusted-uris to the trusted domain you're logging into. Don't use a wildcard, so use example.com, not *.example.com. For the example's sake I'll use HTTP/myhost.example.com and myuser@EXAMPLE.COM as my principals.

From here I would recommend using python-kerberos. I was browsing the code of another Kerberos-enabled CLI app today. It implemented krbV, and I think the server side did as well; I also think this was a custom implementation that did not match the GSSAPI implementation. With python-kerberos the code is quite simple; here's a quick little example using httplib.

import kerberos
import httplib


def fetch_with_kerberos():
    # setup kerb: build the initial GSS token for the HTTP service principal
    # from the ticket kinit already obtained (the token is an AP-REQ, not the
    # TGT itself, despite the variable name)
    _ignore, ctx = kerberos.authGSSClientInit(
        'HTTP@myhost.example.com',
        gssflags=kerberos.GSS_C_DELEG_FLAG | kerberos.GSS_C_MUTUAL_FLAG | kerberos.GSS_C_SEQUENCE_FLAG)
    _ignore = kerberos.authGSSClientStep(ctx, '')
    tgt = kerberos.authGSSClientResponse(ctx)

    # setup http connection
    servername, port = ('myhost.example.com', 443)
    h = httplib.HTTPSConnection(servername, port)
    h.connect()

    # Setup Headers
    h.putrequest("GET", "/XMLRPC/")
    if tgt:
        h.putheader('Authorization', 'Negotiate %s' % tgt)
    h.endheaders()

    # Make http call
    resp = h.getresponse()
    if resp.status != 200:
        print "Error: %s" % str(resp.status)
        return None

    # Check for kerb header
    krb_reply = resp.getheader('WWW-Authenticate')
    if not krb_reply:
        print "Server did not send kerberos reply"
        return None

    # print html contents
    print resp.read()
    kerberos.authGSSClientClean(ctx)


if __name__ == '__main__':
    fetch_with_kerberos()

There's all kinds of validation and such missing here. This just worked, so I figured I'd post it for reference. The _ignore variables get populated with a 1 or a 0; you can read more about those in the python-kerberos docs. There is another example in the python-kerberos package that goes more in depth on using these properly and validating other things. I think my biggest problem ended up being the choice of syntax and flags to pass to authGSSClientInit. My next issue is that I'd like to pump this through xmlrpclib instead of httplib, though I think there are some better examples out there on how to add the header to xmlrpclib. Hope this simple snippet helps someone get a proof of concept running.
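The piece of validation the snippet above skips is the second leg of the exchange: the WWW-Authenticate: Negotiate token the server sends back has to be fed into authGSSClientStep again, and only a COMPLETE result proves the server holds the HTTP/myhost.example.com key (that is what GSS_C_MUTUAL_FLAG asks for). As an added example, not code from the post or from python-kerberos, here is that two-leg handshake written against a small GSS adapter so it can be shown offline: FakeGSS is a constructed stand-in whose tokens are plain labels rather than real GSS-API tokens, while KerberosGSS wraps the real python-kerberos calls (authGSSClientInit, authGSSClientStep, authGSSClientResponse) when the module is installed. The host, path and principal are illustrative, and the delegation flag is left out because the CLI does not need to forward its ticket.

```python
"""Client side of HTTP Negotiate with the mutual-authentication check (added example)."""
import http.client

# Step results returned by python-kerberos authGSSClientStep()
AUTH_GSS_CONTINUE = 0
AUTH_GSS_COMPLETE = 1


def parse_negotiate_challenge(header_value):
    """Return the token from a 'WWW-Authenticate: Negotiate <token>' value ('' if none)."""
    if not header_value:
        return ""
    for challenge in header_value.split(","):      # base64 never contains ','
        parts = challenge.strip().split(None, 1)
        if parts and parts[0].lower() == "negotiate":
            return parts[1].strip() if len(parts) == 2 else ""
    return ""


class KerberosGSS:
    """Adapter over python-kerberos; the import is deferred so this file loads without it."""

    def __init__(self):
        import kerberos
        self.k = kerberos

    def client_init(self, service):
        flags = self.k.GSS_C_MUTUAL_FLAG | self.k.GSS_C_SEQUENCE_FLAG
        _result, ctx = self.k.authGSSClientInit(service, gssflags=flags)
        return ctx

    def client_step(self, ctx, token):
        return self.k.authGSSClientStep(ctx, token)   # raises kerberos.GSSError on a bad token

    def client_response(self, ctx):
        return self.k.authGSSClientResponse(ctx)


class FakeGSS:
    """Constructed stand-in for offline runs: emits 'FAKE-AP-REQ', accepts only 'FAKE-AP-REP'."""

    def client_init(self, service):
        return {"service": service, "out": ""}

    def client_step(self, ctx, token):
        if token == "":
            ctx["out"] = "FAKE-AP-REQ"
            return AUTH_GSS_CONTINUE
        if token != "FAKE-AP-REP":
            raise ValueError("server token failed verification")
        ctx["out"] = ""
        return AUTH_GSS_COMPLETE

    def client_response(self, ctx):
        return ctx["out"]


class NegotiateHandshake:
    """Leg 1: send our token. Leg 2: verify the token the server returns."""

    def __init__(self, gss, service):
        self.gss = gss
        self.service = service        # e.g. "HTTP@myhost.example.com"
        self.ctx = None
        self.server_verified = False

    def authorization_header(self):
        """Value for the Authorization request header."""
        self.ctx = self.gss.client_init(self.service)
        self.gss.client_step(self.ctx, "")          # no server token yet
        token = self.gss.client_response(self.ctx)
        if not token:
            raise RuntimeError("GSS layer produced no initial token (no ticket?)")
        return "Negotiate " + token

    def verify_server(self, www_authenticate):
        """Mutual auth passes only when the reply token verifies as COMPLETE."""
        token = parse_negotiate_challenge(www_authenticate)
        if not token:
            raise RuntimeError("no Negotiate reply from server; refusing to trust the response")
        self.server_verified = self.gss.client_step(self.ctx, token) == AUTH_GSS_COMPLETE
        return self.server_verified


def fetch(host, path, gss, port=443):
    """One authenticated GET; the body is returned only after the server proves itself."""
    hs = NegotiateHandshake(gss, "HTTP@" + host)
    conn = http.client.HTTPSConnection(host, port)
    conn.request("GET", path, headers={"Authorization": hs.authorization_header()})
    resp = conn.getresponse()
    body = resp.read()
    if resp.status != 200:
        raise RuntimeError("HTTP %d" % resp.status)
    if not hs.verify_server(resp.getheader("WWW-Authenticate")):
        raise RuntimeError("server failed mutual authentication")
    return body


if __name__ == "__main__":
    print(fetch("myhost.example.com", "/XMLRPC/", KerberosGSS()))
```

Because fetch() checks the reply token before handing the body back, a response from something that merely answered 200 without the service key is rejected instead of silently accepted, which is the gap the original snippet's "did the server send a header at all" test leaves open.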