Friday, June 25, 2010

Tonido kernel with NAT (and no su to non-root user)

My "could not su to non-root user" problem with building a kernel with NAT support on the tonidoplug is solved.

On the tonido support forums (requires login, but I'm posting the link here anyway) aleinss helpfully pointed at Logging into tonido as a non-root user.

Apparently, with 2.6.31 kernels and later, /proc/sys/vm/mmap_min_addr needs to be 32768 (instead of the previous 65536).

I tested it with sudo echo "32768" > /proc/sys/vm/mmap_min_addr but that didn't work. Reboot required, I guess. The solution was to edit /etc/sysctl.d/10-process-security.conf and change the vm.mmap_min_addr line to read

vm.mmap_min_addr = 32768
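A small checker for that setting, added here as an example and not part of the original post: it reads the value out of a sysctl.d fragment (a constructed stand-in for 10-process-security.conf), compares it with the running kernel, and applies it in a way the kernel actually accepts, since in "sudo echo X > /proc/sys/..." only echo runs as root while the redirection is opened by the unprivileged shell.

```shell
#!/bin/sh
# Added example (not from the post). Reads vm.mmap_min_addr out of a sysctl.d
# fragment, compares it with the running kernel, and applies it without a
# reboot. "sudo echo 32768 > /proc/sys/vm/mmap_min_addr" fails because the
# redirection is opened by the unprivileged shell; only echo runs as root.

# Constructed stand-in for /etc/sysctl.d/10-process-security.conf.
SAMPLE_CONF='# lowest address user space may mmap; the NULL-deref mitigation
vm.mmap_min_addr = 32768
net.ipv4.ip_forward=1'

# Print the value of key $1 from sysctl.conf text on stdin. Handles "k = v"
# and "k=v", skips comments and blanks, last assignment wins (as sysctl does).
conf_value() {
    awk -v key="$1" -F'=' '
        /^[[:space:]]*#/ || /^[[:space:]]*;/ || /^[[:space:]]*$/ { next }
        {
            k = $1; v = $2
            gsub(/[[:space:]]/, "", k); gsub(/[[:space:]]/, "", v)
            if (k == key) val = v
        }
        END { if (val != "") print val }'
}

# Current kernel value, or empty when /proc is not available (e.g. in a test).
running_value() {
    cat /proc/sys/vm/mmap_min_addr 2>/dev/null
}

# Write the value the way the kernel accepts it: sysctl -w runs as root, and
# the fallback keeps the redirection inside the root shell.
apply_now() {
    sudo sysctl -w "vm.mmap_min_addr=$1" \
        || sudo sh -c "echo '$1' > /proc/sys/vm/mmap_min_addr"
}

if [ "${1:-}" = "--check" ]; then
    want=$(printf '%s\n' "$SAMPLE_CONF" | conf_value vm.mmap_min_addr)
    have=$(running_value)
    if [ "$want" = "$have" ]; then
        echo "vm.mmap_min_addr already $have"
    else
        echo "configured $want, running ${have:-unknown}; applying"
        apply_now "$want"
    fi
fi
```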


Many thanks to aleinss for pointing that out.

cssh feature wishlist -- clicking on one cssh window brings all related cssh windows to the front

It might be possible to do this already (I've customized .csshrc a *little* bit, mainly just to set the default window sizes and locations), but as in the title, what I'd really like is a toggle so that when I click on one of a set of related cssh windows, all of them (including the window into which I type commands to execute on all related servers) come to the front.

Either that or another two monitors.

Or three monitors and a computer that can support four monitors altogether :-).

Tuesday, June 22, 2010

php file handle GC and flock

I was confused for a bit because I had code similar to this (details elided):


function myFunc() {
    $h = fopen(MYLOCKFILE, "r");
    // $h is the only reference to the handle, so when this function returns
    // PHP closes the stream, and with it the lock flock() just took.
    return flock($h, LOCK_EX);
}


And when I would call it and sleep (e.g., myFunc(); sleep(300);) and then run the same program in another shell, the second shell wasn't blocking at the flock call.

strace showed a flock(4, LOCK_UN) being called in the first running instance. Apparently, since I don't return the handle nor do I assign it to a variable that's passed by reference, PHP decides that $h can be GCed immediately upon function return. That closes the file and releases the lock, so the second instance wouldn't block since there was no lock there.
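The same lifetime rule shown from the shell with util-linux flock(1) instead of PHP, as an added example that is not part of the post (it assumes Linux and a constructed lock path): the kernel ties the lock to the open file description, so the lock vanishes with the last fd, whether PHP's refcounting closes $h at function return or a subshell exits.

```shell
#!/bin/sh
# Added example (not from the post): the PHP trap above in shell terms, using
# util-linux flock(1). The kernel ties the lock to the open file description,
# so the lock disappears whenever the last fd on it closes: PHP's refcount GC
# closing $h at return, fclose(), or a subshell exiting all look the same.
LOCKFILE="${TMPDIR:-/tmp}/flock-demo-$$.lock"   # constructed path

# Returns 0 when nobody holds LOCKFILE, 1 when someone does. flock(1) opens
# its own fd, so a lock held elsewhere in this same process still conflicts.
lock_is_free() {
    flock -n "$LOCKFILE" true
}

# Mirrors myFunc(): the fd lives only in the subshell, so the lock is released
# the moment the subshell returns, before the caller can rely on it.
lock_and_forget() {
    ( exec 9>"$LOCKFILE" && flock -n 9 )
}

# Fixed shape: the caller's shell owns fd 9, so the lock lasts until the
# caller closes it or exits. (In PHP: return $h, or keep it in caller scope.)
lock_and_keep() {
    exec 9>"$LOCKFILE"
    flock -n 9
}

release_lock() {
    exec 9>&-          # closing the last fd is what releases the lock
}

cleanup() {
    rm -f "$LOCKFILE"
}

if [ "${1:-}" = "--demo" ]; then
    lock_and_forget && lock_is_free && echo "forgotten lock: already free"
    lock_and_keep && ! lock_is_free && echo "kept lock: still held"
    release_lock && lock_is_free && echo "after release: free again"
    cleanup
fi
```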

Wednesday, June 16, 2010

Toshiba Satellite A75 temperature control -- Maybe

I've had a problem forever with the Toshiba Satellite A75. It's got a 3.3 GHz CPU in there, but I could only ever run it at one of the two lowest speeds (1.8 GHz, 2.1 GHz) because at anything faster (even with ondemand having me run mostly at 1.8 GHz), if the CPU ever ran too long at high speed the kernel wouldn't notice and couldn't speed the fans up.

The whole machine is old too, so I wouldn't be surprised if the fans are just not working too well anymore.

I just found the omnibook kernel module project though. And after

git clone, make 
sudo make install
sudo modprobe omnibook ectype=12


It loads correctly and cat /proc/omnibook/temperature says 56C. And once or twice I heard the fans spin up faster (they're on all the time these days). So I'm testing (by setting my maximum CPU speed at 3.3 GHz, but still ondemand).

If the machine is stable this way, I'll scale down to 2.4 GHz or a bit higher maybe. It'll be good to be able to do useful things at a reasonable speed again on this machine. 1.8 GHz was getting so old :-).

Sunday, June 13, 2010

Transmission blocklists

I thought I'd set up some blocklists for Transmission. After some googling and looking at this and that blocklist, I decided to go full paranoid and used a whole bunch of blocklists from IBlockList.

The blocklists are gleaned from other tools (Bluetack, PeerGuardian, etc).

I don't care too much about performance (there's a warning on IBlocklist that using too many rules will affect broadband performance :-), so I decided to just install a whole bunch of (possibly redundant) lists.

To get the blocklists and install them in transmission-daemon's blocklists directory (on my machine, ~/transmission/blocklists) I use (not yet in cron, will be soon):


#!/bin/bash
# Fetch the IBlockList lists into transmission-daemon's blocklist directory
# and unpack them; transmission reads the uncompressed files.

cd ~/transmission/blocklists || exit 1

URLS="http://list.iblocklist.com/?list=bt_level1 http://list.iblocklist.com/?list=bt_level2 http://list.iblocklist.com/?list=bt_level3 http://list.iblocklist.com/?list=bt_edu http://list.iblocklist.com/?list=bt_rangetest http://list.iblocklist.com/?list=bt_bogon http://list.iblocklist.com/?list=bt_ads http://list.iblocklist.com/?list=bt_spyware http://list.iblocklist.com/?list=bt_proxy http://list.iblocklist.com/?list=bt_templist http://list.iblocklist.com/?list=bt_microsoft http://list.iblocklist.com/?list=bt_spider http://list.iblocklist.com/?list=bt_hijacked http://list.iblocklist.com/?list=bt_dshield http://list.iblocklist.com/?list=bcoepfyewziejvcqyhqo http://list.iblocklist.com/?list=cslpybexmxyuacbyuvib http://list.iblocklist.com/?list=pwqnlynprfgtjbgqoizj http://list.iblocklist.com/?list=ijfqtofzixtwayqovmxn http://list.iblocklist.com/?list=ecqbsykllnadihkdirsh http://list.iblocklist.com/?list=jcjfaxgyyshvdbceroxf http://list.iblocklist.com/?list=lljggjrpmefcwqknpalp http://list.iblocklist.com/?list=nxs23_ipfilterx http://list.iblocklist.com/?list=soe http://list.iblocklist.com/?list=ccp"

for u in $URLS
do
    # retry up to 10 times, resume partial files, cap bandwidth, wait 10s
    # between downloads, no directory hierarchy, re-fetch only if newer
    wget -t 10 -c --limit-rate=128k -w 10 -nd --ignore-length -N "$u"
done

# unpack what arrived; guarded so an unmatched *.gz doesn't abort the script
for f in *.gz
do
    [ -e "$f" ] && gzip -d "$f"
done


Unfortunately transmission-daemon doesn't notice new blocklists added while it's running, so I also have a separate script to restart transmission-daemon (not in cron yet either since I'm just playing around with this stuff for now :-). I haven't tested kill -HUP yet.
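Before restarting the daemon it is worth checking that what was unpacked is actually well-formed: this added example (not from the post) scans files in the P2P plaintext format transmission reads ("label:first-last"), reports malformed lines such as a truncated download, and counts total versus unique ranges to show how redundant the chosen lists are. The two list texts are constructed samples.

```shell
#!/bin/sh
# Added example (not from the post): sanity-check freshly unpacked IBlockList
# files, which transmission reads as P2P plaintext ("label:first-last"), before
# restarting the daemon, and measure how redundant the chosen lists are.

# Constructed samples standing in for two unpacked lists.
LIST_A='Some ISP:1.2.3.0-1.2.3.255
Spyware host:10.0.0.1-10.0.0.1
garbage line without a range'
LIST_B='Some ISP:1.2.3.0-1.2.3.255
Bogon:999.1.1.1-999.1.1.2'

# Shared scanner: mode=bad prints malformed lines, mode=ranges prints the
# "first-last" part of every well-formed line. List text comes on stdin.
p2p_scan() {   # $1 = bad | ranges
    awk -v mode="$1" '
    function ok(ip,   n, o, i) {           # dotted quad with octets 0..255
        n = split(ip, o, ".")
        if (n != 4) return 0
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
        return 1
    }
    /^[[:space:]]*$/ || /^#/ { next }
    {
        good = 0
        if (match($0, /:[^:]*$/)) {        # the range follows the last ":"
            range = substr($0, RSTART + 1)
            if (split(range, e, "-") == 2 && ok(e[1]) && ok(e[2])) good = 1
        }
        if (good && mode == "ranges") print range
        if (!good && mode == "bad") print "bad: " $0
    }'
}

p2p_bad_lines() { p2p_scan bad; }
p2p_ranges()    { p2p_scan ranges; }

# Prints "total unique" for the lists on stdin; a big gap means the lists
# overlap heavily and cost rules without adding coverage.
p2p_stats() {
    p2p_ranges | awk '{ total++; if (!($0 in seen)) uniq++; seen[$0] = 1 }
                      END { print total + 0, uniq + 0 }'
}

if [ "${1:-}" = "--check" ]; then   # e.g. sh check.sh --check ~/transmission/blocklists/*
    shift
    cat "$@" | p2p_bad_lines
    cat "$@" | p2p_stats
fi
```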

Tuesday, June 08, 2010

Tonidoplug kernel with NAT

I bought a Tonido plug computer and have been playing with it at home. I want it to be a dnsmasq, squid, openvpn and ssh server. It'll also do some other things, but those are the main things I'll run on it. I don't need the tonido software running there (although that may change if the people at home need to support themselves instead of me setting everything up via the command line).

I'm very happy with it since it's so much faster and easier to work with than my NSLU2 (which is 1/10th the CPU freq and 1/16th the RAM). There was one problem though, I couldn't load the NAT modules. After some investigation it turns out that the kernel doesn't have routing configured and it's missing a whole bunch of modules that Tonido (or sheeva, not clear about which exactly) decided they didn't need to provide.

Fortunately, I'm booting from a USB drive, and it's very easy to make a bootable drive. If I make a mistake and make the USB drive unbootable, I can just extract the rootfs and modules tarballs back onto the drive (before or after mkfs, according to taste) and it'll be bootable again. I would never try to modify the kernel (or even install modules) on the NAND since I don't want to risk bricking the plugcomputer. Although I did do a bunch of sudo apt-get [packages] on the NAND before I realized what I was doing and stopped :-).

Mikestaszel suggested building the module and copying it over, to get ppp working. Taking that hint, I downloaded the source for the kernel I was using and after some misadventures due to forgetting techniques from long ago, I finally got the modules I needed built and installed.

The tonido runs the 2.6.30-rc6 kernel so I downloaded 2.6.30.6 from kernel.org. I used the config file for this kernel from sheeva.with-linux.com. My first try at building the kernel didn't work because of bad magic. After some googling I realized/remembered that I needed to modify the kernel makefile so that EXTRAVERSION would match the one from the running kernel, so EXTRAVERSION=-rc6.

A second try at building the kernel got me closer, but it still didn't work. The bad magic error was gone, but some symbols were missing.

I didn't particularly want to build the kernel itself since I'd hoped that just building and installing relevant modules would be sufficient. Unfortunately, NAT requires CONFIG_IP_ADVANCED_ROUTER, and that can't be built as a module. So there was no way around it, I'd have to build a kernel.

After the kernel was configured and built along with the modules I needed (make menuconfig; make; make modules), I needed to make a uImage (google pointed me at this generate uImage for sheevaplug page). That required:

sudo apt-get install uboot-mkimage   # provides mkimage, which "make uImage" calls
make uImage                          # wraps the zImage in a U-Boot header
cp arch/arm/boot/uImage /boot
make modules_install                 # installs under /lib/modules/<release>
reboot
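Since the whole procedure hinges on the tree's version string matching the running kernel, here is a check to run before make modules_install, added as an example and not part of the post: it derives the release string from the top-level Makefile (a constructed head of the 2.6.30.6 Makefile serves as sample), rewrites EXTRAVERSION the way the post does, and compares against uname -r.

```shell
#!/bin/sh
# Added example (not from the post): confirm that a kernel tree will produce
# modules for the kernel actually running before "make modules_install", by
# deriving the release string the top-level Makefile encodes and comparing it
# with uname -r. A mismatch means modules land in the wrong /lib/modules/<rel>
# directory and carry a vermagic the running kernel rejects.

# Constructed head of the 2.6.30.6 Makefile as downloaded from kernel.org.
SAMPLE_MAKEFILE='VERSION = 2
PATCHLEVEL = 6
SUBLEVEL = 30
EXTRAVERSION = .6'

# Print VERSION.PATCHLEVEL.SUBLEVEL followed by EXTRAVERSION, from a Makefile
# on stdin. (CONFIG_LOCALVERSION from .config is appended by the build and
# must match uname -r as well; it is not handled here.)
kernel_release() {
    awk -F'=' '
        $1 ~ /^(VERSION|PATCHLEVEL|SUBLEVEL|EXTRAVERSION)[[:space:]]*$/ {
            k = $1; v = $2
            gsub(/[[:space:]]/, "", k); gsub(/[[:space:]]/, "", v)
            r[k] = v
        }
        END { printf "%s.%s.%s%s\n", r["VERSION"], r["PATCHLEVEL"],
                                      r["SUBLEVEL"], r["EXTRAVERSION"] }'
}

# Rewrite EXTRAVERSION in place (no sed -i, for portability), e.g. to -rc6.
set_extraversion() {   # $1 = path to Makefile, $2 = new EXTRAVERSION
    sed "s/^EXTRAVERSION[[:space:]]*=.*/EXTRAVERSION = $2/" "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# 0 when the tree's release equals the running kernel, 1 otherwise.
check_against_running() {   # $1 = path to Makefile
    want=$(kernel_release < "$1")
    have=$(uname -r)
    if [ "$want" = "$have" ]; then
        return 0
    fi
    echo "tree builds $want but this kernel is $have; fix EXTRAVERSION (and CONFIG_LOCALVERSION)" >&2
    return 1
}

if [ "${1:-}" = "--check" ] && [ -n "${2:-}" ]; then
    check_against_running "$2"   # e.g. sh check.sh --check linux-2.6.30.6/Makefile
fi
```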


modprobe iptable_nat finally succeeded and some testing proved that the plugcomputer was working correctly as a NAT router.

-- UPDATE --
When I installed and rebooted with the new kernel, I found myself unable to run processes as a regular user. The processes would be killed immediately. I can't see how it would have been a problem with how I built the kernel since all I did was allow advanced router features and NAT/MASQUERADE. But there it is. I don't mind running as root on the tonidoplug since everything I do there I'd need to run sudo anyway, but I've switched back to using the NSLU2 for now so I can play with the tonidoplug, building kernels, rebooting at will and possibly eventually getting this latest problem fixed :-).

-- UPDATE 2010-06-22 --
I'm wrong. I *do* mind running everything as root on the tonidoplug. I don't mind running openvpn or sshd as root, but I don't want to run squid or transmission-daemon as root since any successful remote attack instantly gets root privileges.