Browsing Posts published by albertw

Today eircom implemented their three strike rule. Here is a letter I sent to my local TD recently on the subject.

Dear Ciaran,

Thanks for your tweet regarding the judicial decision regarding the so called ‘3 strike rule’ being implemented by eircom at the request of the music and movie industries. I hope you have the time to read this reply.

You mentioned that ‘false accusations are problematic’. That is true, but there are many other issues.

The success of the Irish economy has largely been driven by our well educated workforce, and that’s what’s going to help us going forward. Many Irish businesses innovated and major multinationals set up in the country (Microsoft, IBM, Oracle, SUN Microsystems, etc.) in part thanks to the experience of the Irish workforce with information technology. We are now some 20 years on from when the internet first appeared in Ireland. And while we still have embarrassingly bad infrastructure compared to other European countries the internet is a vital part of our lives. Access to government information and banking are now predominantly done online, much educational content is internet dependent, and it is not even possible to fly with some airlines now without internet access. The Irish government needs to recognise the importance of the internet and establish rights for citizens to have unrestricted and unfiltered access to it.

The three strikes rule is fundamentally flawed for several reasons.

The music and movie industries claim that they can identify the IP address of an offending computer. This raises an important privacy concern, in order to do this they need to monitor the activity of millions of law abiding citizens, and this monitoring is done by private companies not by an accountable public law enforcement agency. Furthermore this activity may take place outside of Ireland and as such may be illegal. The company that the music industry has previously used, MediaSentry, has a track record of false accusations and has been found to be operating illegally in several US states.

Assuming that the industry can identify an IP address, this does not identify a specific computer or individual. For home users the IP address actually identifies the broadband modem and so can identify the account holder. However many computers may use this single IP address, all members of a family may have their own phones and computers connected, as well as visitors. And that’s before we consider the kid next door hacking into your network! It is also possible to fake IP addresses which would also make reliable identification impossible.

But let’s assume the unlikely, that the industry has correctly identified the IP address of an offender. They would then be in a position to begin the process to cut the user’s internet connection. The user identified would be the billpayer, but the culprit could potentially be anyone else. For example a child who despite being told it’s wrong, continues to download songs. In this case the child could cause the household internet connection to be cut; no one in the house would be able to do online banking, access government websites, shop online, or fly with certain airlines; furthermore a parent may be forced out of work if any part of their job involves working remotely – even though they have done nothing wrong.

So while copyright infringement is a crime, principles of law are being violated here. The punishment is disproportionate, infringing copyright should not result in the user and those they live with being punished as outlined above – a roughly equivalent crime to downloading illegally, stealing a CD or DVD, would result in a minor shoplifting offense – not the banning of the accused and their entire family from using shops! When accused of a crime the accuser must be able to prove guilt and the accused must be given an opportunity to defend themselves; no such mechanism exists with the music and movie industry deal with eircom since it is a private deal that acts outside and above the law.

In short, the 3 strikes rule should be made illegal in Ireland and the EU because: it’s unreliable, it’s disproportionate, and it affects innocent 3rd parties.

The government needs to follow the example of other nations in recognising the rights of citizens to uncensored and unmonitored internet access. Ireland’s future as a digital economy needs this. By doing so it would bring this deal within the law – since no citizen could be disconnected without a court ordering it.

The music and movie industries have failed for 15 years to deal with the internet. Only in the last couple of years have they embraced digital downloads, and that push has come from companies like Apple (a computer manufacturer), Amazon (an online bookstore) and last.fm (started as a project in the University of Southampton) – NOT from the music industry. If copyright is so important to them then they should simply work within the law – bring the evidence to the gardai and have the offender prosecuted in court.

Best Wishes,
~Albert White

At home I run windows 7 on my laptop. And in order to run Opensolaris I use virtualbox. Virtualbox, in case you don’t know about it, basically allows you to run an operating system within your main OS. You can also run windows on an opensolaris machine for example.
I had fallen behind a bit with my virtualbox and opensolaris versions so decided to upgrade everything over the past couple of days. First I upgraded virtualbox to 3.1.4 then Opensolaris to build 132. And my graphical login failed to work. Here’s the error from the X log:

(II) LoadModule: “vboxvideo”
(II) Loading /usr/X11/lib/modules/drivers/vboxvideo_drv.so
dlopen: ld.so.1: Xorg: fatal: relocation error: file /usr/X11/lib/modules/drivers/vboxvideo_drv.so: symbol resVgaShared: referenced symbol not found
(EE) Failed to load /usr/X11/lib/modules/drivers/vboxvideo_drv.so
(II) UnloadModule: “vboxvideo”
(EE) Failed to load module “vboxvideo” (loader failed, 7)

Alan Coopersmith helped me work out what was going wrong here. When you install the guest additions on virtualbox they create an xorg.conf file. The existing conf file I had from build 127 and VB 3.1.1 worked fine, and build 127 with vb 3.1.4 worked fine. But due to changes around Xorg 1.7 things broke when I upgraded opensolaris to build 132 – even though virtualbox has support for this.

The solution?

  • Remove the guest additions package.
  • Remove the xorg.conf file
  • Re-install the guest additions
  • Reboot

All works fine now!

I’ve just installed windows 7 on my laptop. Here’s what else gets installed:

Firefox (and firebug and delicious plugins)

Virtualbox

Cygwin

Tweetdeck

itunes

picasa

Sony Vegas Movie Studio

Filezilla

AVG Anti Virus

GSAK

Garmin Mapsource

Gimp

Google Earth

And when I find the install disks (!) :

Canon Digital Photo Pro

Starry Night

A new door opens


We’ve had some eventful days. We had fun and we kicked butt as Scott would say. We changed the world. We were part of the greatest technology company the world has ever seen. We changed computing forever – repeatedly.

And in a few minutes we’ll learn what the future holds with Oracle. I hope Oracle is ready for Sun!

Opensolaris users may be familiar with browsing repositories in firefox. To look through the latest Development repo for example you just open up http://pkg.opensolaris.org/dev in your browser.

Things are a little more complicated for the extras and support repos though.

Firstly you need to register to get access to these repos. Anyone can get access to the extra repo, only supported customers can get access to the support repo. Go to http://pkg.sun.com/register and follow the instructions there to get your key and certificate and verify that you can connect to the repo through the pkg command.

Setting up firefox to be able to browse the repo takes a little more work. Danek Duvall from the IPS team provided these instructions on how to do it:

Run:

openssl pkcs12 -in /var/pkg/ssl/OpenSolaris_extras.certificate.pem \
-inkey /var/pkg/ssl/OpenSolaris_extras.key.pem -export > \
/tmp/OpenSolaris_extras.certificate.pkcs12

For the support repo, use the support key and cert in place of the extras ones above. The command will prompt you for a password with which to encrypt the pkcs12 file.

Now in firefox add the pkcs12 file: Edit -> Preferences -> Advanced -> Encryption -> View Certificates ->
Your Certificates -> Import -> choose file (/tmp/OpenSolaris_extras.certificate.pkcs12) -> enter password.

Then point your browser at https://pkg.sun.com/opensolaris/extra/ (or https://pkg.sun.com/opensolaris/support for the support repo).  There’s
a dialog box that pops up saying that the site has requested you identify
yourself with a cert, and gives you a list of possible certs to use.
Choose the right one, click OK, and then you can browse the repo.

I hit an interesting problem tonight with jumpstart. Our old timeserver has gone away and the jumpstart clients are now going into interactive installs asking for the user to set the time. We rely heavily on automated installs so this needed to be fixed.

The solution was obvious I thought. I’ll just set up one of our servers as a ntp server and tell the jumpstart clients to query that in the sysidcfg files.

The only problem is that jumpstart doesn’t query ntp. After snooping on the server for a while it was clear that the packets requesting the time were not NTP, they were TIME.

Here’s how I diagnosed it.

First snoop the install.

snoop -v -o /tmp/snoop.op clientname

Then once your install has gone interactive you can convert that to a readable format:

snoop -i /tmp/snoop.op -v > /tmp/snoop.op.as

Examining the file you can find the time request:

TCP:  Source port = 32773
TCP:  Destination port = 37 (TIME)
<snip>
TCP:
TIME:  ----- TIME:   -----
TIME:
TIME:  ""
TIME:

So, what’s port 37 exactly? /etc/services tells us that the time server runs there. (duh!)

In Solaris 10 the service that runs this is svc:/network/time:stream

On Solaris 10 you need to do:

svcadm enable svc:/network/time:stream

To check that it is working ok you can telnet to the server and see if you get any output; if it’s not running you will get connection refused. This is basically what your jumpstart client is doing.

$ telnet patchtest-231 37
Trying 123.156.231.103...
Connected to patchtest-231.
Escape character is '^]'.
Connection to patchtest-231 closed by foreign host.

We are now back to fully automated jumpstart installs!
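The telnet check above shows a connect followed by an immediate close because a TIME (RFC 868) reply is just four raw bytes: a big-endian count of seconds since 1900. The following probe is an added example, not part of the original post; it decodes that reply and separates "service not enabled" from "bad reply". The loopback stand-in server and the function names are constructed for the example.

```python
import socket
import struct
import threading

RFC868_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01 (UTC)


def encode_time(unix_seconds):
    """Build the 4-byte big-endian reply a TIME server sends."""
    return struct.pack("!I", unix_seconds + RFC868_OFFSET)


def decode_time(payload):
    """Convert a 4-byte TIME reply to Unix seconds."""
    if len(payload) != 4:
        raise ValueError("TIME reply must be exactly 4 bytes")
    (secs_since_1900,) = struct.unpack("!I", payload)
    return secs_since_1900 - RFC868_OFFSET


def probe_time(host, port=37, timeout=5.0):
    """Do what the jumpstart client does: connect, read 4 bytes, decode.
    Returns ('ok', unix_seconds), ('refused', None), ('unreachable', None)
    or ('bad-reply', None)."""
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            while len(data) < 4:
                chunk = s.recv(4 - len(data))
                if not chunk:          # server closed the connection early
                    break
                data += chunk
    except ConnectionRefusedError:     # service not enabled on the server
        return "refused", None
    except OSError:                    # timeout, no route, reset, ...
        return "unreachable", None
    try:
        return "ok", decode_time(data)
    except ValueError:
        return "bad-reply", None


def serve_once(payload):
    """Constructed stand-in for the time service: answers one connection
    on an ephemeral loopback port with `payload`, then closes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(payload)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = serve_once(encode_time(1262304000))  # constructed timestamp
    print(probe_time("127.0.0.1", port))
```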

Recently I had a discussion with some folks about ways to identify
change in a workspace. In particular if there were ways where we could
judge the risk associated with changes without needing to know the
specifics of the changes or being told by the engineers.

In Opensolaris for example there are flag days. These coincide with
putbacks where a project team has identified major change and tells you
about it. We have something similar for Solaris Update releases.
Sometimes this is great, if there is a big zones or zfs change for
example we know to check patching extra carefully on systems using
zones or zfs. However this isn’t always enough. Every now and again
there will be a putback that causes a regression somewhere and catches
us all by surprise.

Before getting too involved in looking into this problem in detail we
did what all good engineers do. Go and see if someone else has solved
the problem already! And that’s when I got distracted. You see I started
wondering if there was some way to visualise the changes to a workspace
and literally see where risk was introduced.

That led me to Michael Ogawa’s page. There he has
several videos produced from code swarm. In the videos the names of the
engineers are displayed and the files that they are changing are
represented by dots that swarm around them. Now while this isn’t really
what I started out looking for it does allow you to see the number of
files changed over time. More importantly Michael’s videos looked cool
so I thought I’d give it a go for Opensolaris.

Codeswarm is available from http://code.google.com/p/codeswarm . It will generate lots of png files which you can then use ffmpeg to make into a movie.

There was one problem though; it doesn’t work with mercurial workspaces
out of the box. However  Baptiste Lepilleur worked out a way to get a
compatible xml file from a mercurial repository.

Anyway here are a couple of videos I made. The first is of the Image
Packaging System. The music is from Dom The Bear (CC by-sa).


Image Packaging System Code Swarm.

Next up the ON gate! Music this time from Alexander Blu (CC by-sa). Vimeo will
only let me embed the SD version here – visit its Vimeo page if
you want to see the HD version; it’s worth watching in HD imo. While you are there you can search for
other code swarm videos – there are nearly 100 up there.


Opensolaris Code Swarm.

It started with a question: How can we inspire people to take action on climate change?

The answer: Ask the people of Sydney to turn off their lights for one hour.

On 31 March 2007, 2.2 million people and 2100 Sydney businesses turned off
their lights for one hour – Earth Hour. This massive collective effort
reduced Sydney’s energy consumption by 10.2% for one hour, which is the
equivalent effect of taking 48,000 cars off the road for one hour.

On 29th March 2008 we’re doing it again WorldWide! Friends of the Irish
Environment and the Irish Light Pollution Awareness Campaign are asking
everyone to do their bit for the environment and turn their lights off
for one hour on March 29th.

In Ireland the event will take place from 9pm to 10pm
rather than from 8-9pm. This is because at Ireland’s latitude it won’t
really be dark by 8pm so in order to see the difference in the night
sky the event will start at 9. Astronomical Societies around the country will be holding events so please be sure to check for details at www.irishastronomy.org/boards.

We need all of you, across the world, not just Ireland, to turn non essential lights off for this hour. Do you really need your porch light on? Does your building really need to be floodlit? And longer term you can think about whether your security lighting is really efficient. Does it allow light to spill above the horizon causing light pollution? Is the bulb too bright for the purpose? Are you using a motion sensor to ensure the light  only goes on when needed? Have a look at the Institution of Lighting Engineers document on Domestic Security Lighting to see how best to use security lighting.

Here’s what the Lord Mayor of Dublin, Councillor Paddy Bourke, had to say about Earth Hour when he announced Dublin’s participation:

"Earth Hour is an international campaign and Dublin
is one of the latest cities to get behind this important event where on
March 29th all non-essential lights will be switched off for an hour. This
campaign is important and everyone from citizens up to Government has a
duty to do what they can against global warming. It is up to us all to
do what we can to reduce our CO2 emissions. Through one simple action,
turning off our lights for an hour, we can deliver a powerful message
about the need for action. I am thrilled that as
Dublin Lord Mayor I will be leading our capital city in its
participation in this international event. It was estimated during the
Sydney Earth Hour last night demand for electricity dropped by 10 per
cent. It would be fantastic if we could do the same in Dublin. I would urge businesses and homes to join in and take part in the campaign."

Earth Hour in Ireland is fully supported by the Irish Light Pollution Awareness Campaign. For further information on the project in Ireland please contact the Friends of the Irish Environment. For global information please visit www.earthhour.org.

Finally here is the promotional video for Earth Hour. Enjoy!

Patch Blog


Recently my Manager started blogging. Despite my initial cynicism it’s actually turning out to be a pretty good blog, and the comments are great.

Communication about patches is an area that Sun could improve in. What they are, how they are created, how they can be installed, when they can be installed, and when and what you should patch are all areas that I’ve received customer queries about.

Patch Automation Tools is Gerry’s most commented post to date. And I’m not surprised. And to be honest I agree with most of the comments – pca is damn good. Hopefully Sun Connection Satellite will be a big improvement on previous offerings.

Live Upgrade is a feature of Solaris that lets you create alternate boot environments. This makes it easy to switch between OS builds at boot time, but also makes upgrading much easier, less risky, and quicker. This extends to patching too.

I recently received a query from a customer asking how we ensure that patches installed via live upgrade do not interfere with the running system. As well as ensuring that the patch applies correctly to your alternative boot environment you need to be sure that the patch is not changing any files or killing processes on your running system.

In Solaris 8 and 9 we use an interposition library to check this. We check all the open*, creat*, *link* calls to ensure that they are dealing with files on the correct boot environment; we allow changes in /tmp etc. and commands also need to load libraries from the running environment so we make exceptions for these. We also check the kill calls to ensure that processes are not being killed on the running system. An interposition library is one that is usually preloaded using LD_PRELOAD so that when a call is searched for, the call as defined in our library will be matched rather than the system call. Here’s a snippet of how we check for creat calls:

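#include <dlfcn.h>      /* dlsym(), dlerror(), RTLD_NEXT */
#include <stdio.h>
#include <sys/types.h>  /* mode_t */

/* Defined elsewhere in the library; prototype assumed from the call below. */
extern void parsepstname(const char *path, const char *cmdname);

int
creat(const char *path, mode_t mode)
{
        const char *cmdname = "creat";
        typedef int (*realcreat_t)(const char *p, mode_t m);
        static realcreat_t prealcreat;

        /* Look up the real creat() once and cache the pointer. */
        if (prealcreat == NULL) {
                prealcreat = (realcreat_t)dlsym(RTLD_NEXT, "creat");
                if (prealcreat == NULL) {
                        (void) printf("dlsym: %s\n", dlerror());
                        return (-1);    /* 0 would look like a valid fd */
                }
        }
        /* Log the file being created, then hand over to the real call. */
        parsepstname(path, cmdname);
        return ((*prealcreat)(path, mode));
}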

 

Our creat() call takes the same arguments as the system call. The first thing we do is look for the real system call by calling dlsym(3C) and we store it. We then write out the file that’s being created to a log file and call the real creat() call. The parsepstname() function works out the full path to the file and then filters out our exceptions (/tmp etc).

Similar functions need to be written for any calls that we want to examine.

One issue we came up against when designing this was that shell scripts often call /sbin/sh when they need to run other scripts. /sbin/sh is statically linked so our interposition library will not work. In the case of pkgadd the environment was also being cleared. We get around these problems by catching the call to execute /sbin/sh, reloading our environment variables from a file and then execing /bin/sh instead. It works but it’s a bit invasive. Also if we need to make changes to the test we need to recompile the library and reinstall it on the test machines. If only there was some way to dynamically trace what was happening on the system…

Well in s10 we can use dtrace for this. The procedure is basically the same; we check for certain system calls, filter out exceptions and flag an error if something is happening that should not be. Here’s the dtrace script:

#!/usr/sbin/dtrace -qs

int x;

BEGIN
{
        /* set it to something that won't match a pid for
           the syscall prov. below */
        x = -1;
}

/* The process that we are interested in */
proc:::create
/execname == "patchadd" || execname == "patchrm"/
{
        x = pid;
        self->called_proc_create = 1;
}

syscall::open*:entry,
syscall::creat*:entry,
syscall::unlink*:entry,
syscall::link:entry,
syscall::symlink:entry
/progenyof(x)/
{
        self->path = copyinstr(arg0);
        printf("%s:%s:%s:%s\n", probefunc, self->path, cwd, execname);
}

We check for patchadd and patchrm processes being started and note the pid. Although you use the luupgrade command to do the patching it ultimately calls patchadd and patchrm to do the work. Then when we examine a system call we check that it is from the patchadd process tree with the progenyof() test. If it is we log the function and arguments. Rather than having dtrace handle the parsing we have a perl script in our test harness that filters out the exceptions and warns us of any errors.
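The filtering step described above, which is also the path check that parsepstname() performs in the interposition library, as an added example in Python; it is not the test harness's perl script and not code from the original post. The alternate boot environment mount point `/a`, the exception lists and the sample records are assumptions constructed for the example.

```python
import posixpath

ALT_ROOT = "/a"  # assumed mount point of the alternate boot environment
# Assumed exception lists, modelled on "/tmp etc." and library loading:
ANY_CALL_OK = ("/tmp", "/var/tmp", "/dev", "/proc")
OPEN_ONLY_OK = ("/lib", "/usr/lib", "/usr/bin", "/usr/sbin", "/sbin")


def under(path, root):
    """True if path is root or below it; '/alternate' is not under '/a'."""
    return path == root or path.startswith(root.rstrip("/") + "/")


def parse_record(line):
    """Split 'probefunc:path:cwd:execname'. The path may itself contain ':',
    so the last two fields are peeled off from the right."""
    func, rest = line.rstrip("\n").split(":", 1)
    path, cwd, execname = rest.rsplit(":", 2)
    return func, path, cwd, execname


def classify(line, alt_root=ALT_ROOT):
    """Return (verdict, absolute_path) for one trace record."""
    func, path, cwd, _ = parse_record(line)
    # Resolve relative paths against the logged cwd and collapse '..'.
    # This is lexical only: symlinks are not followed.
    full = posixpath.normpath(posixpath.join(cwd, path))
    if under(full, alt_root):
        return "ok", full
    if any(under(full, p) for p in ANY_CALL_OK):
        return "exception", full
    # The trace does not log open flags, so opens under the running system's
    # library and binary directories are tolerated; creat/unlink/link are not.
    if func.startswith("open") and any(under(full, p) for p in OPEN_ONLY_OK):
        return "exception", full
    return "violation", full


def violations(lines, alt_root=ALT_ROOT):
    """List (probefunc, absolute_path, execname) for records that touch
    the running system outside the exception lists."""
    found = []
    for line in lines:
        if not line.strip():
            continue
        verdict, full = classify(line, alt_root)
        if verdict == "violation":
            func, _, _, execname = parse_record(line)
            found.append((func, full, execname))
    return found


# Constructed sample records in the script's output format.
SAMPLE = [
    "open64:/a/var/sadm/patch/000000-00/log:/a/var/sadm:patchadd",
    "open:/usr/lib/libc.so.1:/:pkgadd",
    "creat64:/tmp/patchadd.tmp:/a:sh",
    "unlink:../../../etc/passwd:/a/var/sadm:sh",
    "creat64:/alternate/file:/:sh",
    "creat64:/etc/rc2.d/S99x:y:/:postpatch",
    "unlink:/usr/lib/libfoo.so.1:/:postpatch",
]

if __name__ == "__main__":
    for func, path, execname in violations(SAMPLE):
        print(f"VIOLATION {execname}: {func} {path}")
```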

We also check for kill calls in Solaris 10, but if a patch needs to start or stop a process it should really do so by svcadm. So we check especially for any calls to that:

proc:::exit
/execname == "svcadm"/
{
        printf("%s:%d:%s:%s\n", probefunc, arg0, execname, execname);
}

The dtrace is much more straightforward and easier to implement. It’s also tracing everything so we don’t have to worry about someone clearing the environment or calling statically linked commands.

This test has caught quite a few problems in patches. The majority of these are down to errors in the patch and package scripts where patch creators are allowed to write their own scripts; sometimes these are written by product teams that have not considered patching in a live upgrade scenario.  We rarely see any issues with this test anymore. It seems that once we introduce a test we get an initial peak in test fails, the issues are fed back upstream and corrected and we then see a steady tailoff in failures.