Ramblings from the Mountains
Michael Hunter's Weblog

20050330 Wednesday March 30, 2005

rubypodder

I've been using Ruby Podder lately to download podcasts to my Solaris laptop. It's a 172-line script in the Ruby language and a good example of the amount of functionality that can be achieved in a good scripting language. Ruby isn't shipped with Solaris but can easily be installed from blastwave or compiled from source.

Ruby Podder is a simple program which consumes a configuration file of "tag, value" pairs. If it doesn't recognize the tag as special it assumes that the tag is a directory into which to dump any MP3 files found at the value, which is interpreted as a URL pointing to an RSS feed. The only special tag currently defined is podcast-home, which is interpreted as the base directory for podcasts.

A simple example configuration file (.rubypodder.conf) is:

podcast-home /export/home/mph/podcasts/
dsc http://live.curry.com/rss.xml

Two notes about the care and feeding of Ruby Podder. The first is that it's weak on error handling. In one case it attempts to create log files before creating the directory they go into. In other cases it fails and doesn't provide any easy way to diagnose the problem other than looking at the source. But that source is short and easy to read. The second is that it is expected that podcast-home is terminated by a '/'. Otherwise you will end up with lots of directories one level up from where you expected, with the last component of podcast-home prepended to their names, because the path is built by string concatenation. ( Mar 30 2005, 12:00:18 PM PST )

20050224 Thursday February 24, 2005

depth of security

One of my neighbors writes a good blog on various software topics at baus.net. In a recent post he states his dislike for "depth of security", instead arguing for better centralized security policies. His argument is that by spreading rules around you increase the probability of administration error. Even if I accept the argument that you increase the probability of administration error, I don't believe that minimizing it is your ultimate goal. Instead you are trying to reduce the expected cost of an attack. The expected cost of an attack (ignoring the resources it takes to mount) is the probability of success multiplied by the cost of the breakage when it happens. Having overlapping defense spheres decreases the probability that somebody who gets through one sphere can cause damage: the attacker has to hit the parlay of every layer's individual (administratively inflated) failure rate, and that product goes down rapidly as layers are added. Thus the expected cost of the attack goes down.

Furthermore I'm not certain I agree that multiple layers are the cause of administration errors. Security is hard. There tends to be a large division between those who do it well and the rest. Those who get sloppy because they have multiple layers are likely to be sloppy administrators anyway and are likely to make errors in the single-layer case also. An example of sloppy administration is letting latent misconfigurations stand (success in one layer preventing faults in another from being uncovered). A good administrator will test each layer's config in some way (for example with a scanner). Anything less than that is failure in both the multiple-layer and the single-layer case. ( Feb 24 2005, 03:30:33 PM PST )

20050210 Thursday February 10, 2005

blastwave

I've placed a build of freeradius on blastwave. If you find any problems please submit a bug there.

The package does some work in its postinstall/preremove scripts to figure out whether you are running on a Solaris 10 (s10) box or not, in order to install the appropriate administration technology (rc script or SMF manifest). I'd appreciate comments on how that works out for users. ( Feb 10 2005, 09:34:42 AM PST )

20041207 Tuesday December 07, 2004

paid access business model

I had to be in Reno this morning at 8:00 for an appointment. I hate getting up early so I booked a cheap room at the Circus Circus. I checked in around 9:00 last night, played off the coupons they gave to me as a guest, wandered around the Silver Legacy, played a little limit O/8 at the El Dorado, and then went to bed around midnight. I was placed in the "Sky Tower" behind the main Circus Circus building. You get to this building via an automated elevated shuttle. When entering the separate building there is a small bar, curio shops, and some slot machines in a lobby area. In the lobby I noticed a gentleman surfing the web on a laptop. I checked and he was getting wifi service. In the morning before my appointment I turned on my laptop to see if I could see the wifi service. I was stunned to get 4 very weak signals lying in bed. All were open. Standing near the window I got another 20 with only 2 of those being encrypted. Several of the open ones appeared to be capture-and-hold services ("HotSpotBroadband", "TahoeBoanzaAccess1"), but 15 of them were "SaintMarysPublicAccess". Saint Mary's is a hospital behind Circus Circus. I was on the 23rd floor and the signals were so weak as to be unusable. I doubt I would have to be much lower to get some access from Saint Mary's and I suspect there is going to be some point at which I would not have to do it holding my laptop in front of the window.

On my way out of Circus Circus I had to wait in the lobby for a few minutes for the shuttle so I pulled out my laptop and checked out the service in the lobby. It was provided by airpath at the rates of $5.99 for 60 minutes, $9.99 for 24 hours, and $49.99 for 7 days. None of the other APs were visible probably due to the lobby being buried inside of the garage.

This evening I checked out what else might exist and got 382 hits for 500 N. Sierra, Reno NV, 89503 which didn't include any of the Saint Mary's APs as far as I could tell. I suspect most of those were transient or too far away from the Circus to be of any use to me. But it does show a remarkable amount of coverage.

Over thanksgiving I was visiting my niece in Davis, CA. After leaving my laptop in the hotel I was horrified to see the wireless router at my niece's house. But then I was saved when, back at the hotel, I found an open wifi network. I looked up who owned the subnet. That was an ISP. Unfortunately I couldn't find any information which would allow me to figure out if this network was intended for hotel patrons or not.

It seems to me that the business wireless (and indirectly wired) ISPs are going to see a lot of "free" competition over the coming years. It's hard for me to imagine that rates like $10/day are maintainable as people become more educated about their options. OTOH I suspect that some form of internet access will become expected in most hotel environments. Hopefully, instead of fighting it out by jamming signals and the like, wireless ISPs will find other forms of payment (direct coverage from the local hotel, coffee shop, city, etc. proprietor). But even if there is a little pain in the short run I hope governments will figure out a way to allow this to happen quickly. Allowing Verizon another few years of monopoly before they are beaten back by public outcry would really be counterproductive for our society. ( Dec 07 2004, 05:09:51 PM PST )

20041103 Wednesday November 03, 2004

New Laptop boot config

I recently purchased myself a new laptop: a Dell 8600 with the WUXGA display option, a 100G HD, a 2G processor, etc. I'd looked around for a while as I needed something for the road that fulfilled several different uses. My two main requirements were: 1) enough resources to be used for medium-weight development, and 2) enough screen real estate to be used for online poker. The first drove a reasonable processor, memory, and disk config and the second drove having a dense and/or large screen. Secondary concerns were size, power usage, and heat dissipation (lap burn). The 8600 drew my attention due to its 1920x1600 display option, enough to lay out 4 games and have some room left over for lobby display, etc. Once there, choosing processor, memory, and disk configuration covered the rest of my needs. I was somewhat concerned about its size but after having hauled it around for a few weeks I think it's fine. Now my biggest complaint is the cost of Bluetooth peripherals.

Once I got the machine I needed to get it configured to meet my needs. I would need to keep some small Windows installation (easiest way to play online), install Solaris 10 with enough space for two live-upgradable roots and a reasonably sized home, and maybe install Linux/JDS for experimentation. I've set up other multiboot systems (dual boot in all cases) and was aware of the Solaris partition type ID (0x82) colliding with the Linux swap partition type, but was wondering what other issues I might run into installing three OSes. I found several resources but probably the best public one is the Multiboot Solaris x86 page. I followed the "Single hard disk, Solaris, Linux, Windows NT" instructions somewhat haphazardly and ended up with a system that would boot Windows and Linux, or Windows and Solaris, but I couldn't get it to boot all three. I had wanted to use the Solaris boot manager but in the end was happy using GRUB. The trick was to boot the machine off the first JDS CD into recovery mode and then rework the GRUB configuration. I ended up doing something like:

# mount /dev/hda5 /mnt
# chroot /mnt
# cd /boot/grub
# vi menu.lst
##====>make it look something like the following.
##Note that grub numbers things from 0 so the first
##partition is 0 (see windows below)
color white/blue black/light-gray
gfxmenu (hd0,1)/boot/message
default 2
timeout 10
title Windows XP
   root (hd0,0)
   makeactive
   chainloader +1
title Linux/JDS
   kernel (hd0,1)/boot/vmlinuz root=/dev/hda2 hdc=ide-scsi vga=791
   initrd (hd0,1)/boot/initrd
title Solaris
   root (hd0,2)
   makeactive
   chainloader +1
title failsafe
   kernel (hd0,1)/boot/vmlinuz.shipped root=/dev/hda2 ide=nodma apm=off acpi=off vga=normal nosmp noapic maxcpus=0 3
   initrd (hd0,1)/boot/initrd.shipped
##<====end of menu.lst
# exit
# grub
GRUB> root (hd0,1)
GRUB> setup (hd0)
GRUB> quit
#reboot

There is other configuration work to do but this gets the basics working. ( Nov 03 2004, 02:28:21 PM PST )

20041028 Thursday October 28, 2004

protocol independent name and service resolution

As a member of the IPv6 team I worked on the basic and advanced IPv6 APIs. Both of these are updates of previous RFCs and as such contain a fair bit of already understood material. One aspect of the basic API which has existed since its first appearance in RFC 2133 but doesn't appear to be used as much as it should be is getaddrinfo(3SOCKET).

In the ancient past one might do something like:

    /*
     * gethostbyname() is IPv4 only, not thread safe, and leaves the
     * caller to assemble the sockaddr by hand.
     */
    hp = gethostbyname(host);
    if (hp == NULL) {
        return -1;
    }
    /* h_addr_list entries are already in network byte order */
    addrp = (struct in_addr **) hp->h_addr_list;
    ipv4_addr = (*addrp)->s_addr;

    memset(&him4, 0, sizeof(struct sockaddr_in));
    him4.sin_family = AF_INET;
    him4.sin_port = htons(PORT);
    him4.sin_addr.s_addr = ipv4_addr;   /* no htonl(): it would byte swap twice */

    len = sizeof(struct sockaddr_in);
    himP = &him4;

    if (connect(fd, (struct sockaddr *)himP, len) == -1) {
        return -1;
    }

And we didn't even look up the service in all of that. getipnodebyname(3SOCKET) came along and allowed us to specify an address family, but it caused pretty much the same amount of pain as far as managing the address goes and gave the same complete lack of help in looking up a service.

getaddrinfo(3SOCKET) wraps this up into a nice API which reduces the amount of work the programmer has to do while allowing control over the result.

    struct addrinfo hints, *res, *r;
    int rc, fd = -1;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;        /* IPv4 or IPv6, whichever resolves */
    hints.ai_socktype = SOCK_STREAM;

    rc = getaddrinfo(nodename, servname, &hints, &res);
    if (rc != 0) {
        fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(rc));
        exit(EXIT_FAILURE);
    }

    /* Try each returned address in order until one connects. */
    for (r = res; r != NULL; r = r->ai_next) {
        fd = socket(r->ai_family, r->ai_socktype, r->ai_protocol);
        if (fd == -1) {
            continue;
        }
        if (connect(fd, r->ai_addr, r->ai_addrlen) == -1) {
            close(fd);
            fd = -1;
            continue;
        }
        break;      /* connected; fd is ready to use */
    }
    freeaddrinfo(res);

getaddrinfo(3SOCKET) allows the user to look up a nodename and service, returning a set of protocol-independent address structures. Those can be used to build a socket and attempt communication without the programmer getting involved in the protocol details, so the amount of grungy detail is reduced. Note the "hints" structure passed to getaddrinfo(3SOCKET). Normally the address families and protocols returned are those which make sense for the current context, but if the programmer wants to constrain what is returned (a single family, a single socket type, or numeric-only lookups) he can do that in the hints structure. Further information is available on the getaddrinfo(3SOCKET) man page. ( Oct 28 2004, 04:17:35 PM PDT )
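One place the hints structure earns its keep is input validation. The following is an added example, not code from the original post or from Solaris: it uses AI_NUMERICHOST so that getaddrinfo() only accepts address literals and never sends an untrusted string to the resolver, then uses getnameinfo() with NI_NUMERICHOST to canonicalize the literal so that spellings like "0:0:0:0:0:0:0:1" and "::1" compare equal before an allow-list check. The function names and the sample inputs are my own assumptions.

```c
/* Added example, not from the original post: use getaddrinfo(3SOCKET)
 * hints to validate and canonicalize an address literal without ever
 * consulting DNS. Function names are my own. */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

/*
 * Return AF_INET or AF_INET6 if `text` is a numeric address literal,
 * writing its canonical presentation form into `canon`; return 0 if it
 * is not a literal (a hostname, "host:port", or garbage).
 *
 * AI_NUMERICHOST is the important hint: it makes getaddrinfo() fail with
 * EAI_NONAME instead of sending "localhost" or "evil.example" to the
 * resolver, so untrusted input is checked with no network I/O and no
 * hostname-versus-address ambiguity.
 */
int classify_address(const char *text, char *canon, size_t canonlen)
{
    struct addrinfo hints, *res;
    int family;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family   = AF_UNSPEC;        /* accept either family */
    hints.ai_socktype = SOCK_STREAM;      /* one entry per address, not three */
    hints.ai_flags    = AI_NUMERICHOST;   /* literal only, never a DNS query */

    if (getaddrinfo(text, NULL, &hints, &res) != 0)
        return 0;

    family = res->ai_family;

    /* getnameinfo() with NI_NUMERICHOST turns the parsed binary address
     * back into canonical text (lowercase hex, "::" for the longest zero
     * run, dotted quad inside ::ffff: mapped addresses). */
    if (getnameinfo(res->ai_addr, res->ai_addrlen, canon, canonlen,
                    NULL, 0, NI_NUMERICHOST) != 0)
        family = 0;

    freeaddrinfo(res);
    return family;
}

/* Convenience wrapper: canonical text of a literal, or "" if it is not one.
 * Uses a static buffer, so it is for single-threaded illustration only. */
const char *canonical_address(const char *text)
{
    static char canon[INET6_ADDRSTRLEN];

    if (classify_address(text, canon, sizeof(canon)) == 0)
        canon[0] = '\0';
    return canon;
}

int main(void)
{
    /* Constructed sample inputs, the kind an attacker-controlled field holds. */
    const char *samples[] = {
        "127.0.0.1", "::1", "0:0:0:0:0:0:0:1", "2001:DB8::1",
        "::ffff:192.0.2.1", "localhost", "192.0.2.1:80", "not an address"
    };
    char canon[INET6_ADDRSTRLEN];
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int fam = classify_address(samples[i], canon, sizeof(canon));
        if (fam == 0)
            printf("%-20s -> not a literal (would need a resolver query)\n",
                   samples[i]);
        else
            printf("%-20s -> %s literal, canonical %s\n", samples[i],
                   fam == AF_INET6 ? "IPv6" : "IPv4", canon);
    }
    return 0;
}
```

The same two calls also give you the protocol independence the post is about: nothing in classify_address() mentions in_addr or in6_addr, and a future address family would flow through unchanged.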

daily SMF

Tobin and Stephen Hahn have been writing about SMF a fair bit lately. I didn't have anything to do with the development of SMF but I do have to work with the new management framework. Today I was bringing up a new machine and ran across a service issue. After getting the machine up and upgrading it from some pre-SMF image to a very recent one, NIS wasn't coming up.

# ps -ef | grep ypbind
    root 100455 100218   0 15:00:41 console     0:00 grep ypbind
# svcs | grep nis
maintenance    15:00:06 svc:/network/nis/client:default
# svcs -d network/nis/client
STATE          STIME    FMRI
disabled       14:59:46 svc:/network/nis/server:default
online         14:59:49 svc:/system/filesystem/minimal:default
online         14:59:56 svc:/system/identity:domain
online         15:00:06 svc:/network/rpc/bind:default
# svcadm enable network/nis/server
# Oct 28 15:01:15 ipng60 svc.startd[100004]: network/nis/server:default misconfigured
# cd /var/svc/log
# ls *nis*
network-nis-client:default.log  network-nis-server:default.log
# cat network-nis-server:default.log 
[ Oct 28 15:01:15 executing start method ("/lib/svc/method/yp") ]
/lib/svc/method/yp: domain directory missing
[ Oct 28 15:01:15 Method "start" exited with status 96 ]

So in a few short commands I figured out what was wrong and went on to correct it. ( Oct 28 2004, 04:00:24 PM PDT )

20041012 Tuesday October 12, 2004

The purrfect... gift. Now I only have to convince my wife. ( Oct 12 2004, 09:43:19 AM PDT )

20040924 Friday September 24, 2004

Sun IPv6

Sun was early to the IPv6 party with Solaris 8. With Solaris 10 we've released a set of features intended to make our offering useful for deployment in today's networks. I spent the last few years working on the Sun IPv6 team and thought I would list some of the new features available in Solaris Express.

BIND 8.4.2 and BIND 9.2.3 (There are some incompatibilities between BIND 8 and BIND 9 so we offer BIND 8 (which has IPv6 support) and BIND 9 to our customers.)

Newer API support - RFCs 3493 and 3542 (The "basic" and "advanced" APIs) are supported

Default Address Selection - RFC 3484 is supported

IPSec/IKE supports IPv6

New IPv6 installation smarts will make sure that if you enable IPv6, naming is set up correctly.

Configured and automatic IPv6 over IPv4 tunnels are supported.

6to4 automatic tunnels are supported.

In addition Java 1.4.0 supports IPv6 in a transparent manner. With no source or bytecode changes applications can use IPv6.

( Sep 24 2004, 04:41:20 PM PDT )
