I recently installed Linux Mint (ubuntu with some goodies) on a laptop and wanted an encrypted whole disk. In order for this to be truly secure, you need encrypted swap. Well most of the HOWTOs for encrypting swap use a randomized key. This breaks hibernate to disk for laptops because the linux kernel has no way to decrypt a randomized cipher (of course). So I referenced a separate howto and combined the two approaches. I can now hibernate to disk using an encrypted swap partition that is protected with a passphrase in the same as way as root and home partitions.

It should be apparent this howto is non-trivial.  The config file changes I supply in it are in diff -u format so this is deliberately written for a technical audience. My research indicates that there is some interest in getting this into distributions in a more elegant fashion, but that kind of deep integration takes time. I needed something that works for me now.

Anyway, here’s the link in the Linux Mint user forums: ]]> http://www.scottharney.com/2009/09/17/linux-with-encrypted-root-and-swap-with-working-hibernate-to-disk/feed/ 0 http://www.scottharney.com/2009/09/08/wordpress-upgrade/ http://www.scottharney.com/2009/09/08/wordpress-upgrade/#comments Tue, 08 Sep 2009 14:27:01 +0000 scotth http://www.scottharney.com/?p=174 Well Twitter was all abuzz about a WordPress worm and sure enough a worm had been circulating attacking old versions of wordpress.  Well obviously I pretty much never post on this blog these days.   And wordpress is notorious for security issues.  This is partly due to the popularity of the product, partly due to problems with php itself, and probably partly due to some flaws in WordPress’s on code. But, to their credit, they update quickly and the word doess get out.  And, to their credit, upgrading was really simple despite the many customizations I have done.  So kudos to the wordpress team.  What I didn’t want was for this thing to get hacked and have spam links spread all through it and have it ruin my google search ranking.  So there it is.

On a more fun note, we’ve been spending the past year trying to learn to lindy hop.  Maybe someday we’ll get as good as this:

Oh, and I’ve had my problems with Legato, er, EMC NetWorker over the past few years, but none of the above was NetWorker bug-related and it handled all that mess far more gracefully than I would’ve expected. It failed and restarted backups automatically, and recoving indexes was a simple process. I’ve done some bootstrap recoveries for DR tests in the past, but this was the real deal. So hoorah for NetWorker for doing something right and not being the cause of sleepless nights (yes. 7.3.3 is very stable in our busy,big, and hopelessly complex environment).

And of course there has been the inevitable management foolishness. Most of the above didn’t affect anything outside of “my world” but as soon as some manager sees a status update, they try and correlate some technical issue they’re having to my event and I have to answer all this foolishness. Politely. With little or no sleep. Not to mention, more foolishness sending me out of town for what looks to me like pure politics and little technical merit, but maybe I’m missing something. Nah, probably not. it’s a dog and pony show. I wonder if I’m a dog, or a pony?

Anyway, if anybody out there has some really super secret vacation ideas they want to share, send em my way. My wife and I really haven’t been on a vacation alone since 2004, our honeymoon. And, apparently, travel is, like, really expensive right now.

Vegas a few weeks ago didn’t do much for me for the vacation side, as mentioned below. But as a technical/educational trip, it was pretty cool. I’m not much of an EMC fanboy. We use both Netapp and Sun/HDS storage here in addition to EMC. There are things about those platforms I like a lot better than the mish-mash of storage options EMC presents.

I attended a ton of technical sessions. There was a large VMWare presence there, which was pretty cool. We are deploying VMWare ESX, though I’m not directly involved in that activity. We handle the storage for ‘em though as well as the backups. To that end, I got really interested in Avamar for doing our VMWare guest backups. We did an eval here and it looks pretty good and it looks like we’re actually going to get it. I went to several sessions with that as well and feel a lot more comfortable with having stuck my neck out for this solution.

I’m sure there will be headaches in the deployment, but it should help. And I’ll be able to remove some complexity from our Networker deployment and free up some index space, by potentially removing 100 or more clients and putting them in Avamar. File servers, vmware guests, and some DMZ-resident hosts are all good candidates for that. Unlike a lot of EMC NetWorker customers, we aren’t initially interested in using NetWorker 7.4 with nominally-integrated Avamar. One of my goals is to reduce my complexity and index space in our huge NetWorker setup. So dividing and conquering actualy simplifies things for me rather than having one global namespace. I had some conversations with some EMC techies (and not sales techies) and they said that was unique in their experience.

But the reality for me is, even if the software can technically scale to 1000+ clients processing 100s of terabytes/week of backups (and DR copies), can it really be managed by humans at that point?  At such a scale, can you even get a window to patch things, do upgrades, etc? And if you do have a problem, the pain you have and the pain that problem can cause can be quite big indeed.  Obviously for me it already is with ~800 clients and about 70TB/week. (see paragraph one)
I’m still digesting material from the convention and looking forward to getting my hands on the presentation material. Like I said, it was pretty interesting stuff. If you’re, ya know, a geek.

Note: Yes. this is the most technical/geeky thing I’ve posted in years.

So I found myself scrambling first to get my friend’s site back up since he makes some part of his livlihood off of the machine. Working with the hosting vendor, it appears to have been a hardware problem. The server shut down and started spontaneously rebooting. It wouldn’t come back up.

What makes this particularly ironic is that my day job consists largely of running the backup and disaster recovery infrastructure for a major corporation. So it would have been wildly embarassing if I had not kept reasonably current backups of my own site. I did, of course. (phew!) But this event definitely pushed me to make some changes I had long been considering.

The first was related to email. Even if I let the website dissapear, I couldn’t get rid of the scottharney.com domain that I had been using since 2000. We had always run our own mail server on this machine. Back years ago, this was no big deal: slap qmail or postfix on a box (boo sendmail), point your MX records at it, and stand up a pop3 listener and away you went. It grew into a beast over the years. The commercial side used generic addresses like “sales@” and “help@” to support its customers. They received tons of spam. so we had to implement spamassassin with bayes learning server wide. I layered in tmda on certain addresses. Eventually their was qmailadmin, squirrelmail, IMAP, SSL, and an MDA listener on port 587.

Still, 95% or more of SMTP traffic was spam. As it turns out, google hosts mail at Google Apps. You point your DNS MX records at them and they will host your domain. At no cost. It includes POP3, IMAP (over SSL of course), mail transfer on port 587, and of course web-based gmail. gmail does a fine job of spam filtering. so I scrambled to point domains at it. Pretty quickly I added google calendar sync and a gmail client to my work blackberry. It’s really feature rich and I should have done it a LONG time ago.

The other thing I did was start putting my pictures on Flickr instead of locally. I still like album, but flickr is just plain easier and more feature rich.

Then I finally got around to getting wordpress back up. It was actually pretty easy, just copy back over all the website parts that were their before, create an empty database, and then import my sql backup. At some point, I may go ahead and pay the piper and move all this to slicehost, but for now, I’m settled again.

So, just a little reminder to take freqent backups and think really hard about how you would recover in the event of a worst case, server go belly up, kind of disaster. It can happen to you.

Denyhosts is pretty much the same idea as mine but it uses python rather than a shell script. Python is common enough on most platforms but some non-linux platforms may not have it within installing 3rd party resources. The attacks on non-vulnerable machines with sshd running are harmless enough, but the extra layer can’t hurt. And if a later vuln is discovered, you’ve already got a list of compromised hosts blocked out via tcp_wrappers.

Serving data with http and ftp is is not very CPU intensive, but over time the amount of rsync traffic being fed by the kernel.org server continued to increase, and rsync is CPU intensive. “That’s what rsync does” Peter said, “it trades bandwidth for CPU horsepower. We were getting to the point where we had all the bandwidth, but the Dual PIII 1.1′s couldn’t really keep up.” He noted that the load average kept growing, well into triple digits. Referring to 32-bit systems, Peter noted, “we learned that the Linux load average rolls over at 1024. And we actually found this out empirically.”

That’s fairly amazing. Also noteworthy is the bare number of software optimizations they’ve thrown at the problem, which basically consisted of mounting their filesystems with the noatime attribute. Have to double check that one on some of my busier http boxes.

Slashdot has an article in their FAQ, detailing their hardware and software mix as well. It probably hasn’t been updated in a while but the basic config described probably remains as detailed in the FAQ entry.

The PJB was the first hard drive MP3 player. The one I have has a 20G hard drive. It’s about 4 times larger than an ipod, roughly the size of a cassette walkman. The functionality and the interface is very nicely done. The sound quality is excellent. My rechargeable battery doesn’t hold much of a charge these days, but I mostly use it in my car. The headphone jack is a little worn but I could just fix it with a quick solder. And it’s USB1.1 which mean transfers to it are SLOW.

Still, I can’t bring myself to replace a box that just works. By and large, I have the same functionality as an ipod and have had it since 2001. All the excitement about random play on a really large hard drive was rather amusing to me since I’ve been doing that for years. The PJB was a wonderful device to have when I was driving all over the state for work. I still carry my “antique” every day. And until it goes belly up, I see no reason to change. (or I can’t get a working kernel module anymore )

Wikipedia has a detailed entry on the PJB-100. One of the coolest features mentioned is one I take for granted: gapless playback. That means that if there is no gap on an album’s tracks, then there is no gap in the playback from the PJB as intended. There are still several ways of getting music on (and off) a pjb. My preferred method of upload is through an emacs mode of all things. The Table of Contents (TOC) is a text file after all, so it actually makes a lot of sense.

In fact, any change can be made. Software can be added. And further, those changes can be incorporated with Knoppix’s existing persistent home dir feature. So every time you boot it, it picks up your mods. Knoppix already has so many uses and so much functionality. And it keeps getting better.

First read about it on oreillynet.

Lots of folks think a re-install might not be necessary; just apt-get upgrade to happiness. But, honestly, I’ve got a mess of old packages, configs, etc form having a nearly 4 year old desktop, unstable installation. If this box were a server with a stable-testing, it would be a different story. There are times when a clean install makes sense. And it would give me a chance to get re-aquainted with the “Debian way” and new tools they have built — just recently I discovered the rather handy modules-assistant for rebuilding nvidia-kernel and alsa-src on my 2.4-kernel unstable Debian box.

References

• http://people.debian.org/~jgoerzen/dfs/html/dfs.html
  – DFS documentation
• http://julien.danjou.info/article-apt-build.html
  – apt-build tutorial (translated from French). Gives (overly) fine-grained build customization ala Gentoo.