New iMac
I mentioned the other day in the comments of my Ubuntu post that my girlfriend decided to get herself an iMac; this weekend we went to pick it up from the Apple store in Regent Street.
After the traumatising walk through Soho carrying a computer in my arms, all seemed fine to begin with when we got it home, but when it came time to test out the iSight the thing was dead. It produced either pure white or pure green but nothing else.
I was really dreading taking it back, as it would mean she would be without a computer for a while and it would just generally be a total pain. I searched the Apple support forums and they got me nowhere, but then I searched the forums and came across someone who had the same problem: they unplugged their iMac from the wall for 30 seconds and that fixed it. I did the same and voila, one happy Mac.
So not too bad, but still a bit infuriating.

While we were there I also picked up an iPod Nano for Emma. I've not really looked at these in detail before and must say it's a very sexy bit of kit. Though comparing it to my 3 year old iPod I have doubts about the build quality; for example, the plug where the power/dock connector goes in doesn't click nicely into place, it's more a matter of forcing it in. Not sure if that is normal but it sure is annoying.
FreeBSD Stability
I'm in the middle of decommissioning some old sites and thought I'd post some info about our FreeBSD 4.x based firewalls that we were running.
Barry and Neil put these together when they were still with iTouch. They are FreeBSD machines running ipfw, a modified natd, IPSec and jails for nameservers using bind. They've proven incredibly reliable, more reliable than anything I've ever seen before. First some uptimes:
4.3-RELEASE-p28 FreeBSD 4.3-RELEASE-p28 #0
8:56AM up 1175 days, 14:25, 1 user, load averages: 0.01, 0.00, 0.00
4.3-RELEASE FreeBSD 4.3-RELEASE #3: Thu Aug 9 08:24:10 SAST 2001
8:55AM up 1353 days, 13:07, 1 user, load averages: 0.07, 0.03, 0.00
4.3-RELEASE FreeBSD 4.3-RELEASE #3: Thu Aug 9 08:24:10 SAST 2001
8:57AM up 1636 days, 12:16, 2 users, load averages: 0.01, 0.02, 0.00
That last machine was put in on the second day after I arrived in the UK, almost 4.5 years ago now. There have been a few security issues since these were put in, the biggest being Bind issues and an IPSec issue, but none of them were really huge deals for us due to the nature of these issues.
Some packet counts through their diverts:
11000 14873464727 9086343964578 divert 8668 ip from any to any via sf0
11010 2694675129 2230790516204 divert 8668 ip from any to any via sf2
11020 21332945704 16515209189995 divert 8668 ip from any to any via sf1
11030 2190579388 1838075424554 divert 8668 ip from any to any via em1
11040 31142270005 26337236597684 divert 8668 ip from any to any via sf3
11000 12363062208 6728197633745 divert 8668 ip from any to any via fxp0
11050 13585672383 7625773331834 divert 8668 ip from any to any via sf0
11075 1672241479 943217267415 divert 8668 ip from any to any via sf1
11000 9709855806 3616673887622 divert 8668 ip from any to any via fxp0
11010 15438460240 7026578427847 divert 8668 ip from any to any in recv sf0
11015 18623997883 6347362524481 divert 8668 ip from any to any out xmit sf0
11020 7574307452 2981257820300 divert 8668 ip from any to any in recv sf1
11025 6957613786 2361008898017 divert 8668 ip from any to any out xmit sf1
11030 5520959014 1551914815579 divert 8668 ip from any to any in recv sf2
11035 8724539029 2097991945468 divert 8668 ip from any to any out xmit sf2
11040 2988122935 604858451646 divert 8668 ip from any to any in recv sf3
11045 3930006137 632095496483 divert 8668 ip from any to any out xmit sf3
11050 3842161713 3177937890519 divert 8668 ip from any to any in recv fxp1
11055 4106903810 3282379599303 divert 8668 ip from any to any out xmit fxp1
These aren't the busiest machines by far, but they moved quite a bit of data. Keep in mind these counters were probably reset quite a few times over time to aid in debugging problems. One interface in the top bunch has done 23 TB.
I don't really like these long uptime machines, they are a constant cause of worry for me: you don't know if all the configs were saved, you don't know if they'll ever come up after a reboot, etc. Once you've gone over 500 days I think you're pretty much at a point where rebooting machines becomes a bit of a worry. As these are/were firewalls the problem is much worse, since the impact of them not booting or configs going missing would be massive. Arranging downtime isn't always easy either, but I think it is worth the effort in hindsight.
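To turn the two kinds of output above into something a monitoring job can act on, here is an added example (my code, not anything from the firewalls or their authors) that parses `uptime` lines for the day count and flags hosts past the 500-day line the post mentions, and parses `ipfw -a list` accounting lines (rule, packets, bytes, body) to total bytes per interface, collapsing the per-direction `in recv` / `out xmit` rule pairs into one figure. The sample lines are copied from the post; the 500-day threshold and the regexes are my assumptions about the format.

```python
import re
from collections import defaultdict

# Constructed sample input: the three `uptime` lines and the first machine's
# `ipfw -a list` counters as quoted above, plus two of the third machine's
# per-direction (in recv / out xmit) rules for the same interface.
UPTIME_LINES = [
    "8:56AM up 1175 days, 14:25, 1 user, load averages: 0.01, 0.00, 0.00",
    "8:55AM up 1353 days, 13:07, 1 user, load averages: 0.07, 0.03, 0.00",
    "8:57AM up 1636 days, 12:16, 2 users, load averages: 0.01, 0.02, 0.00",
]

IPFW_FW1 = """\
11000 14873464727 9086343964578 divert 8668 ip from any to any via sf0
11010 2694675129 2230790516204 divert 8668 ip from any to any via sf2
11020 21332945704 16515209189995 divert 8668 ip from any to any via sf1
11030 2190579388 1838075424554 divert 8668 ip from any to any via em1
11040 31142270005 26337236597684 divert 8668 ip from any to any via sf3
""".splitlines()

IPFW_FW3 = """\
11010 15438460240 7026578427847 divert 8668 ip from any to any in recv sf0
11015 18623997883 6347362524481 divert 8668 ip from any to any out xmit sf0
""".splitlines()

# "8:56AM up 1175 days, 14:25, ..." -- only the day count matters here.
UPTIME_RE = re.compile(r"\bup (\d+) days?")
# `ipfw -a list`: rule number, packet counter, byte counter, then the rule body.
IPFW_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(.+?)\s*$")
# Interface named after "via", "recv" or "xmit" in the rule body.
IFACE_RE = re.compile(r"\b(?:via|recv|xmit)\s+(\S+)")

STALE_DAYS = 500  # assumed threshold, taken from the post's own rule of thumb


def uptime_days(line):
    """Day count from one line of `uptime` output (0 if there is no 'up N days')."""
    m = UPTIME_RE.search(line)
    return int(m.group(1)) if m else 0


def stale_hosts(lines, threshold=STALE_DAYS):
    """(index, days) for every host whose uptime exceeds the threshold."""
    return [(i, d) for i, d in enumerate(map(uptime_days, lines)) if d > threshold]


def parse_ipfw(lines):
    """Parse accounting lines into dicts; lines that do not match are skipped."""
    rows = []
    for line in lines:
        m = IPFW_RE.match(line)
        if not m:
            continue
        rule, pkts, nbytes, body = m.groups()
        im = IFACE_RE.search(body)
        rows.append({
            "rule": int(rule),
            "packets": int(pkts),
            "bytes": int(nbytes),
            "iface": im.group(1) if im else None,
            "body": body,
        })
    return rows


def bytes_per_iface(rows):
    """Sum byte counters per interface so in/out rule pairs become one figure."""
    totals = defaultdict(int)
    for r in rows:
        totals[r["iface"]] += r["bytes"]
    return dict(totals)


def tib(nbytes):
    """Bytes to tebibytes (2**40)."""
    return nbytes / 2 ** 40


if __name__ == "__main__":
    for i, days in stale_hosts(UPTIME_LINES):
        print(f"host {i}: up {days} days, past the {STALE_DAYS}-day reboot-worry line")
    for iface, total in sorted(bytes_per_iface(parse_ipfw(IPFW_FW1)).items()):
        print(f"fw1 {iface}: {tib(total):.2f} TiB")
    for iface, total in bytes_per_iface(parse_ipfw(IPFW_FW3)).items():
        print(f"fw3 {iface}: {tib(total):.2f} TiB (in + out)")
```

Run against the lines above, all three hosts are flagged, and the sf3 counter on the first firewall comes out just under 24 TiB, which is the "23 TB" figure in the post once you truncate. Feeding real `uptime` output from each firewall into `stale_hosts` on a schedule is the cheap way to stop a long uptime being a surprise.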
Apache Vulnerability
This morning came news of a remotely exploitable vulnerability in Apache mod_rewrite. The exploit is pretty difficult and requires weird setups on your side, but you should be upgrading all your kit.
More info at Secunia
A vulnerability has been reported in Apache HTTP Server, which potentially can be exploited by malicious people to compromise a vulnerable system.
The vulnerability is caused by an off-by-one error in mod_rewrite and can be exploited to cause a one-byte buffer overflow.
Successful exploitation may crash the web server process or allow execution of arbitrary code.
Ubuntu is great.
So the world and his dog are nagging on about Ubuntu, how great it is and how they are switching from <insert anything on the planet> to Ubuntu.
I happened to have a spare 300 GB drive lying around so I gave 6.06 a go. My machine is over 2 years old, it's practically from the ark, you'd expect things to Just Work.
After install, screen resolution is absolutely dismal: slow refresh rate and random crashes while trying to set a better resolution. Already here you've lost a large chunk of users.
Anyway, so I go off looking on Google using Firefox. It opens up with the familiar look of Firefox complete with Mycroft search box, except the search box does nothing by default; you can type into it and hit enter but nothing happens. By default it doesn't search, you have to go fiddle with it to get it working.
Came across a post that points to another post that points to a wiki page for getting ATI cards going. I basically had to do this in a terminal:
sudo apt-get update
sudo apt-get install linux-restricted-modules-$(uname -r)
sudo apt-get install xorg-driver-fglrx
sudo depmod -a
sudo aticonfig --initial
sudo aticonfig --overlay-type=Xv
and then reboot.
Yes, this distro is going places if it can't even support a crap old ATI Radeon card out of the box and requires new users to do stuff in terminals just to get rid of a headache-inducing low refresh rate.
Get real, your grandmother is not going to do this. Give her a Mac and the thing just works.
Monitoring Bacula Jobs using Nagios
My previous homebrew backup system had a number of drawbacks; one of the biggest was that its daily emails were massive, listing all the files that were backed up.
With a lot of machines being backed up these mails can come to several MB per day, but general human nature also means I just didn't pay them enough attention. For instance, I would need to somehow notice by manual inspection if on a given day the tar died half way through; this was pretty useless.
Bacula provides good one-page job status emails on a daily basis, but I still tend to not look at them as I will get about 20 of them a day. The ideal situation is to have it only mail you on errors, and it does support this. There is one problem with this though: if anything prevents the mail from getting to you, or in fact if the whole Director process dies and no backups get run at all, you just won't know about it.
I've written a per-job monitoring solution that uses Bacula's ability to run a script on the client after a successful backup has been run, it writes a small status file with a timestamp, this I pull into Net-SNMP and query over the network using Nagios.
Now if any of my jobs fail, or if the whole backup system collapses, Nagios will notify me via my already existing notification systems, email and SMS in my case. I will still get the error mails from Bacula but I totally do not rely on them; they are merely there for information purposes so I can use them to quickly investigate an error once Nagios has alerted me.
I've documented this and put up the short scripts I use to achieve this, you can see this document in my wiki
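As an added example of the two halves described above (this is my code, not the scripts from the wiki), here is the client-side writer a RunAfterJob script would call and the Nagios-style checker that reads the status file and maps its age to the standard plugin exit codes. The file path, the one-line "<epoch seconds> <job name>" format and the 30-hour freshness window are my assumptions; the Net-SNMP hop the post uses to pull the file across the network is not reproduced, the checker reads the file directly.

```python
import os
import sys
import time

# Hypothetical layout (assumption, not from the author's wiki): one status
# file per job, written only after a successful job, holding a single line
# "<epoch seconds> <job name>".
STATUS_DIR = "/var/lib/bacula/status"   # assumed location

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # Nagios plugin exit codes


def write_status(path, job_name, now=None):
    """Client side (RunAfterJob): record that job_name completed and when."""
    now = int(time.time()) if now is None else int(now)
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        f.write(f"{now} {job_name}\n")
    os.replace(tmp, path)   # atomic rename, so a poller never sees a half-written file
    return now


def parse_status(text):
    """Return (timestamp, job_name); raise ValueError on a malformed line."""
    parts = text.strip().split(None, 1)
    if len(parts) != 2 or not parts[0].isdigit():
        raise ValueError(f"malformed status line: {text!r}")
    return int(parts[0]), parts[1]


def check_backup(path, max_age_hours=30, now=None):
    """Nagios side: (exit_code, message) for one job's status file.

    A missing or stale file is CRITICAL whether the job failed, the Director
    died or the client never ran the script: only a successful job refreshes
    the timestamp, so every failure mode looks the same to the checker.
    """
    now = time.time() if now is None else now
    if not os.path.exists(path):
        return CRITICAL, f"CRITICAL: no status file at {path}; job has never completed"
    try:
        with open(path) as f:
            ts, job = parse_status(f.read())
    except (OSError, ValueError) as e:
        return UNKNOWN, f"UNKNOWN: {e}"
    if ts > now + 300:
        return UNKNOWN, f"UNKNOWN: {job} timestamp is in the future (clock skew?)"
    age_h = (now - ts) / 3600
    if age_h > 2 * max_age_hours:
        return CRITICAL, f"CRITICAL: {job} last succeeded {age_h:.1f}h ago"
    if age_h > max_age_hours:
        return WARNING, f"WARNING: {job} last succeeded {age_h:.1f}h ago"
    return OK, f"OK: {job} last succeeded {age_h:.1f}h ago"


def self_check(now=1_000_000):
    """Exercise the checker against a scratch file; returns the exit codes seen."""
    import tempfile
    path = os.path.join(tempfile.mkdtemp(), "client1-fd.status")
    codes = [check_backup(path, now=now)[0]]                 # missing -> CRITICAL
    write_status(path, "client1-fd", now=now)
    for hours in (10, 40, 70):                               # OK, WARNING, CRITICAL
        codes.append(check_backup(path, 30, now + hours * 3600)[0])
    codes.append(check_backup(path, now=now - 3600)[0])      # future -> UNKNOWN
    return codes


if __name__ == "__main__":
    # Usage: check_bacula_job.py <job-name> [max-age-hours]
    job = sys.argv[1] if len(sys.argv) > 1 else "client1-fd"
    hours = float(sys.argv[2]) if len(sys.argv) > 2 else 30
    code, msg = check_backup(os.path.join(STATUS_DIR, job + ".status"), hours)
    print(msg)
    sys.exit(code)
```

The point of checking freshness rather than a success flag is exactly the one the post makes: a dead Director, a lost mail and a half-finished tar all leave the timestamp unrefreshed, so one check catches all of them. The warning band at one interval and critical at two gives a missed night a chance to be noticed before it pages you.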
SSL Enabling Bacula
I've been using the Bacula client/server backup system for my backups. Bacula is on par with commercial client/server backup systems: central control, support for autochangers, etc. It is an open source system and available for Linux, FreeBSD, OS X, Windows, etc.
The configuration is pretty complex though and while right now I have mine working I do not have guides written up about it really. I wanted to SSL enable my installation though to give me secure transfer between the various clients and the storage server but found the Bacula documentation on the subject woefully lacking.
I've written up a bit of info on my Wiki about getting SSL going on a Bacula installation. You need to first have a fully working Bacula setup before attempting this, as starting from a known working system and then systematically SSL enabling it will ease debugging and possibly increase your understanding of what is going on.
The full Wiki document can be found here.
Poor man's light box
I came across an article at Strobist detailing a very cheap light box setup and decided to build one.

It is basically a cardboard box, some tracing paper and a sheet of paper like you'd use to make a school poster on. I didn't have anything, not even the tape to stick the bits together or something to cut with, and I also had to buy 30 sheets of tracing paper since that was the smallest they sold; it all came to about 14 pounds. I had a box here from when I moved to the UK almost 5 years ago so figured it's about time I do something with it.

It took about 10 minutes to slap everything together, Pixel found it all very amusing so all round a lot of fun.
Using it is a snap. I've not tried it using a desk lamp or something but really cannot imagine why it won't work; with my SB-800 fully wireless remote flash it works a charm, as you can see from the first shot above. The final results can be seen on flickr here, with one of the shots below.

Location aware Bind
I have a client who needs to host graphic content closer to their audience, partly to speed things up for their audience but also to allow them to save some money on bandwidth bills by spreading it out to cheaper hosts.
The obvious answer is to just use Akamai, but unless you have a huge amount of bandwidth it does not really make financial sense. So I proposed we get a few UML / Virtual Machines at ISPs and host the images there. Typically we'd just round-robin the A record but this doesn't give us any geo-awareness.
I googled a bit and came across a guy who made a patch to bind 9.2.4. He basically hooks the Maxmind GeoIP C library into ISC Bind. As it turns out that's exactly the version RedHat uses in their Enterprise distribution, so it seemed like a winner.
The basic idea is to set up a view that matches countries rather than just IP blocks, as is the default supported scenario. A sample view:
view "us" {
    match-clients { country_US; };
    zone "geotest.devco.net" {
        type master;
        file "data/us-geotest.devco.net";
    };
};
view "other" {
    match-clients { any; };
    zone "geotest.devco.net" {
        type master;
        file "data/other-geotest.devco.net";
    };
};
The above will serve us-geotest.devco.net to visitors from the United States and everyone else will get other-geotest.devco.net. These 2 zone files are stock standard bind zone files; my sample just sets a different A record in each.
To see this in action, first a query from my UK hosted machine:
% host geotest.devco.net
geotest.devco.net has address 193.201.200.135
and now a query from the states:
% host geotest.devco.net
geotest.devco.net has address 72.21.58.28
So to make a long story short, I've patched the stock RedHat Enterprise 4 bind RPM with the GeoDNS patch and am making the files available here, first I have the source files up if you want to look through them to ensure I didn't put any funny stuff in them:
The actual patch from GeoDNS - I had to modify the file names in the patch since the one from the source site is made to patch from outside the bind source dir while RPM will change directory into the source directory before running the patch.
Changes made to the RPM Spec file
Sample config - this gets placed in the standard documentation directory
I've built full RPMs of this on a CentOS 4.3 machine, the files are:
bind-9.2.4-2geodns.i386.rpm
bind-libs-9.2.4-2geodns.i386.rpm
bind-utils-9.2.4-2geodns.i386.rpm
bind-devel-9.2.4-2geodns.i386.rpm
bind-chroot-9.2.4-2geodns.i386.rpm
and finally a Source RPM that you can use to build this all on your own machine:
bind-9.2.4-2geodns.src.rpm
Before you can install these you'll need to get GeoIP on your machine, CentOS has an extras Yum repository that you can enable in /etc/yum.repos.d/CentOS-Base.repo. Once enabled you can install it with yum:
# yum install GeoIP GeoIP-data
<snip>
Running Transaction
Installing: GeoIP ######################### [1/2]
Installing: GeoIP-data ######################### [2/2]
Installed: GeoIP.i386 0:1.3.14-2.c4 GeoIP-data.i386 0:20060501-2.c4
RedHat Enterprise has an extras CD, you can find GeoIP on there and install it using RPM.
The bind RPMs above should simply install on your standard CentOS/RedHat Enterprise box, be sure to remove all the old bind stuff especially bind-libs before installing these.
activeCollab
A year or so ago I had an account with Basecamp, the very successful project management system that spawned Ruby on Rails. I really liked it but the project manager at work didn't so it kind of fizzled out and eventually I cancelled the $99/month account that we had.
You can try Basecamp for free on a single project and I've used it on and off since then, but it's not been ideal for me to use a hosted service. I tried a number of other products like dotproject. Yesterday I came across a Digg article about activeCollab, it is a GPL licensed Basecamp like project management tool currently in Alpha release.
It requires PHP 5, which I didn't have on any machine as it seems each of my machines has some code on it that only works on PHP 4, but I did a quick install of it on a VMware machine and fell in love with it, then put in the effort to fix up PHP 5 on one of my servers. It is great; even in its Alpha state it is usable and reasonably bug free. I came across one error in tasks which I sent a patch for back to the authors, other than that it works a charm.
Click the screenshot below for a view of it, or grab it from http://www.activecollab.com/
Digital Image Sharpening
A problem with DSLRs seems to be that images tend to be a bit soft and fuzzy sometimes; this might just be because I do not spend 1000 pounds on each lens or it might be a general problem. Regardless, a solution exists in Photoshop.
Photoshop has a number of sharpening tools, the most used one being the oddly named Unsharp Mask (USM). Hundreds of websites cover the USM and its drawbacks; a good one can be found at The Luminous Landscape. The short of it: sharpening an image too much leaves artifacts on your image like little halos and stuff.
Photoshop CS2 has a better sharpening tool called "Smart Sharpening" but I still prefer a bit of USM. I found an article that discusses both these sharpening tools and gives a sample technique for using the USM on the edges of your image only; this effectively removes the problems with halos and so forth and means you can be more aggressive with sharpening your images.
I tried out the above edge sharp technique and really like it, I was considering buying a commercial sharpener but now I decided against it in favor of this technique.
I have a sample image up done with this method you can see the before and after.

I've made a Photoshop action for this technique, tested in CS and CS2. It's very simple; it should be the last thing you do to your image right before putting it on the web. Don't sharpen your full size image and then resize it: first resize and then sharpen. Sharpening is as easy as running this action, and after some steps it will show a standard USM dialog with preview; you should immediately see the results by dragging the sliders.
The action can be found here, just drag it onto your Photoshop and look in the Actions Palette

