Unix

Journal Journal: The Great Unix Software Upgrade Flowchart 4

http://saintaardvarkthecarpeted.com/images/whiteboard_unix_software_upgrade_flowchart_small.jpg

Note that the snide comment about NetBSD is just a joke...couldn't come up with anything else to say. Everything else, of course, is the gospel truth.

Last day at my old job was Friday, and as a going-away present I got not only a lovely universal gift certificate from my co-workers, but this t-shirt from the sysadmin I hired a little while back:

http://saintaardvarkthecarpeted.com/images/omg_ponies_hugh.jpg

Arlo and Clara are doing well:

http://saintaardvarkthecarpeted.com/images/100_9710.jpg

I have been peed on twice now, which I'm told is fairly good for the first week of a new parent.

Announcements

Journal Journal: Arlo Maxwell Reginald Cristofaro 6

So:

Arlo Maxwell Reginald Cristofaro, ne Trombone, was born on Saturday July 1st, 2006 at 2.26pm. Clara had a pretty damn good labour once things got going, and horsed him out after only 13 minutes of pushing. As labour stories are, by ancient right, public property, I'll let her post the details.

Both she and Trombone^WArlo are doing quite well. They've both learned how to nurse, and I've learned that the index finger does a lot to calm him down. We've managed to pick up a couple hours of sleep here and there, so we're not too punchy.

For those who haven't seen, here are a couple pix:

Oh, and you know what also calms him down? A slightly modified version of Fat Joe's Lean Back:

My Arlo, he don't know how to dance
He just leans back and he fills up his pants
He does the Rockaway! He does the Rockaway!

It also sends Clara into hysterics, so that's good too.

User Journal

Journal Journal: Soon 7

Birth is being induced. Baby's well, wife is well. Wish us luck.
The Internet

Journal Journal: Stupid, stupid Internet 2

Up until today, I would've told you that the stupidest thing I'd read on the Internet was a white paper titled "Is PowerPoint An E-Learning Solution?" But OMG ponies, the bar has been raised.

Precisely why a made-up word making it to Google should be considered news is never really explored. Wired's whole-hearted gushing about someone who "has registered freedbacking domains and plans to aggregate freedbacking comments on a new website next week" is also a nice touch -- way to accelerate the IPO! Finally, you've got the thoughtfully-placed-last obligatory OTOH about how "consumer ignorance and laziness could also keep the value of the suggestions low."

<headdesk /> <headdesk /> <headdesk />

Sun Microsystems

Journal Journal: BlogFS/ifconfig up 2

So Pouxie, my new OpenSolaris box, started displaying the same let's-shut-down-randomly-'cos-it's-Friday problems it previously did -- guess it's not the case after all. No problem, 'cos I happen to have a spare mobo and CPU that I've been itching to try out.

As it happens, it's got an onboard Intel ethernet interface which is detected just fine (iprb0, thank you) by Belenix/OpenSolaris, but fails to be brought up properly during boot. The problem is that while the interface is assigned an IPv4 address, it's not actually up, which means that adding the route fails, and /lib/svc/method/net-physical (which surprised me by being a simple shell script) declares failure. (I think it's just the route command that fails, but I should check this out.)

No idea why this happens on iprb0 and not nfo0, but what the hell. Looking around the script shows that it does do ifconfig plumb up on IPv6 interfaces -- but when I tried touching /etc/hostname6.iprb0 and running the script again (yeah, I know, probably a horrible thing that makes Bill Joy cry) it created a duplicate iprb0 interface with only an IPv6 interface. It was up, the IPv4 version was still down, and the IPv4 route command failed.

In the end I just edited the script to make it run ifconfig plumb up like it does with IPv6, and it seemed to do the trick just fine. I'm currently trying to see if there's a similar bug already filed on OpenSolaris.org; looks like I have a lot of slogging.

In other news, I thought I'd be posting this using BlogFS, but I'm running into library problems. First, I had to change import xmlrpc to import xmlrpclib. No biggie, even I can do that, but now I'm getting this when I try to create the directory that would mount the blog:

# mkdir foo:bar@saintaardvarkthecarpeted.com/blog/xmlrpc.php
mkdir: cannot create directory `./foo:bar@saintaardvarkthecarpeted.com/blog/xmlrpc.php': No such file or directory

Not sure what's going on.

Sun Microsystems

Journal Journal: Third install! 1

In preparation for my new job, I've installed OpenSolaris on Pouxie, my wife's old desktop machine (a nice 2GHz Athlon). I've used Belenix, a live CD that includes a driver for Pouxie's onboard NForce ethernet interface.

So far I'm having a lot of fun. It took me three hours (spread over four days...damn this commute) to get a static IP address assigned to the thing, and then to get DNS working. But after a reinstall (a newer version of Belenix had come out that included the Sun packaging tools, which should let me use Blastwave to grab Emacs...a good first project, I think), I had it up and running in just a few minutes. Progress!

For those playing the home game, here's what I had to do:

  1. modinfo | grep nfo: yep, the module has been loaded.
  2. ifconfig -a | grep nfo0: Not there.
  3. dladm show-link: But it is here.
  4. echo "192.168.23.40 pouxie-2" >> /etc/inet/hosts
  5. echo "pouxie-2" > /etc/hostname.nfo0 ; echo "netmask 255.255.255.0" >> /etc/hostname.nfo0
  6. echo "192.168.23.254" > /etc/defaultrouter
  7. reboot -- -r: to get Solaris to find the new interface (?)
  8. ifconfig -a: Now it shows up configured.
  9. svcadm disable svc:/network/inetmenu: Otherwise, it interferes with the change to nsswitch.conf I'm going to do up ahead.
  10. svcadm enable svc:/network/dns/client: I long to know what this actually turns on.
  11. cp /etc/nsswitch.dns /etc/nsswitch.conf
  12. echo "nameserver 192.168.23.254" >> /etc/resolv.conf
  13. ping www.saintaardvarkthecarpeted.com: It's alive!

Happy birthday, OpenSolaris!

User Journal

Journal Journal: Everything is good 3

Let's not worry now
Let's not worry now
Cos we're right
And they're wrong
And it's over.

Sometimes it's just all about Swell.

SuSE

Journal Journal: Little Green Bag

Some days are fun days. I got this error on a Debian workstation when starting X:

Xlib: Connection to ":0.0" refused by server
Xblib: Protocol not supported by server.
Xrdb: Can't open display ':0'

Turns out that an .xsession file, with one commented-out line, caused that. Remove the line (so now it's empty) and everything works.

Next we got the same user, who's had his home directory moved around on the machine. Machines mounting his home dir via amd (FreeBSD, Debian) work fine, but the SuSE machines running autofs fail miserably with "permission denied" and the ever-popular:

$ cd
-bash: cd: /home/foo: Unknown error 521

Which, if you look up /usr/include/linux/errno.h -- which, you know, is the logical thing to do -- you see this:

/* Defined for the NFSv3 protocol */
#define EBADHANDLE 521 /* Illegal NFS file handle */

Another weird thing with AutoFS: I was running cfengine on a machine, and it hung when querying which RPMs were installed. strace on the rpm command shows it's trying to lock a file and failing; looking at /proc/number/fd shows that, yep, it's trying and failing to lock /var/lib/rpm/Packages, the Berkeley DB file that knows all and sees all. So lsof to see who's holding it open, and that hangs; strace shows it's hanging trying to access the home directory of a user whose machine is down right now for reinstall. Try to unmount that directory and it fails. So I bring up the machine with the user's home directory, which allows me to unmount his home directory on the SuSE machine, which allows cfengine to run rpm, which succeeds in locking the Berkeley DB file. Strange; possibly similar to this problem.

On top of everything else, someone asked me if I could be a "network prime". I think they mean "person we can talk to with authority to make network changes", or possibly "network contact". Not entirely sure.

But on the other hand: figured out how to run wpkg, package manager for Windows of the elder gods, as a service using Cygwin's cygrunsrv. The instructions are on the wiki for your viewing enjoyment.

Operating Systems

Journal Journal: Witness the up long grass! 2

I've finally got Danconia up and running OpenBSD 3.9. It's now officially my firewall box, taking over duties from Rearden (Debian desktop machine). As always, the simplicity and featurefullosityness of pf just astounds me. A simple thing like not loading the rules if there's a syntax error is such a butt-saver, I'm amazed it hasn't been implemented in iptables or ipfw. (Of course, pf loads all the rules at once, rather than one at a time, so it's a different approach...but still.)

Next step is to get my IPv6 tunnel from HE up and running. I hadn't realized it, but OpenBSD does not use stf, the 6to4 IPv6 interface, because of security concerns. I'm gonna have to do some reading on this, I think. (Incidentally, why does this link say RFC 3694 is a "Threat Analysis of the Geopriv Protocol"?)

I've ordered a replacement power supply for the dying XBox I'm using for a MythTV frontend. It had been behaving badly for a while after the move, and then finally it just would not find the hard drive at all. The HD was fine -- I could plug it into another box and it'd work great (though in the process I had another hard drive actually catch fire -- 3" flame and all -- which was a pisser) -- and it could boot from a CD just fine. What's left? That's right, the power supply. Well, I hope so, anyhow. Inna meantime, I've set up the backend as a frontend; other than some occasional odd slowness deleting previously recorded shows, it's working fine.

Finally, as of last Friday my wife and I have been married five years. Since we're such hopeless romantics, I gave her a cupcake from Tim Horton's, and she gave me this fine dollar-store sculpture. We saw it a few weeks ago and it cracked me up. And then I read the label. As I have, as instructed, planted the elucidation, I will be posting pictures as I witness the up long grass.

We are also less than one month from The Due Date. I am busy doing practical things like putting up smoke alarms, baking food to put in the freezer, and insisting that we pack the hospital bag now. Clara has shown amazing patience with my sudden neurotic compulsion to be A Responsible Adult(TM).

Software

Journal Journal: SNMP Heartbreak 4

I'm still trying to get Heartbeat all working on the two file servers at work. The bit that's getting me down is STONITH -- in particular, the apcmastersnmp plugin.

For some reason, it just will not send out the SNMP request saying "reboot that there outlet". It's not very specific about why, either. The weird thing (well, one of a few) is that running the stonith command will send the request (once you figure out the goddamned syntax for the config file...Christ on a crutch, the documentation is poor), but the heartbeat process itself, which just calls the library directly rather than using the stonith command, does not.

strace shows that heartbeat forks off a child to send the request. That child then goes about closing all its file descriptors, then trying to sendto(2) on a file descriptor (socket descriptor?) that's one of the bunch it just closed. We get EBADF, then it logs the failure.

(This is a little further than I was getting, BTW; it turns out to be essential to put the MIB file for the PDU into /usr/share/snmp/mibs. I didn't think about that, but it makes sense.)

So I've compiled a debug version of heartbeat (Debian rocks: DEB_BUILD_OPTIONS=debug,nostrip dpkg-buildpackage -rfakeroot and away you go), and it turns out to be snmp_synch_response that's failing. Of course, that's in the NET-SNMP library, so now I'm preparing to compile a debug version of that and see what's going on.

I'm of two minds on this. Failover would really be a good thing, and I can't do it w/o STONITH. And I hate like hell to just give up and say, "Oh, it's too hard for me." OTOH, this is just taking so damned long, and it is an older version (though it is the one in stable). I may take a look at the 2.0 series and see how that works...just hope I don't have to throw away all this work. <grumble / >
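
The failure strace showed in this entry (a forked child closes its descriptors, then calls sendto(2) on one of them and gets EBADF) can be reproduced in a few lines. This is an added example, not heartbeat or NET-SNMP code and not part of the original journal; it assumes a local AF_UNIX datagram socket pair as a stand-in for the SNMP socket, and the names child_sendto_errno and MAX_FD are made up for illustration.

```c
/* Added example (not heartbeat or NET-SNMP code): a forked child closes its
 * inherited descriptors, then calls sendto(2) on one of them. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_FD 1024   /* assumed upper bound for the close loop */

/* Returns the errno the child got from sendto (0 means the datagram was
 * sent), or -1 if the experiment could not be set up.
 * spare_socket == 0: close everything above stderr (the behaviour in strace).
 * spare_socket != 0: skip the one descriptor the child still needs. */
int child_sendto_errno(int spare_socket)
{
    int sv[2];
    /* Constructed stand-in for a session socket opened before fork(). */
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0) {
        close(sv[0]);
        close(sv[1]);
        return -1;
    }
    if (pid == 0) {
        for (int fd = 3; fd < MAX_FD; fd++) {
            if (spare_socket && fd == sv[0])
                continue;
            close(fd);
        }
        /* sv[0] is now only a stale number unless it was spared above. */
        ssize_t n = sendto(sv[0], "reboot", 6, 0, NULL, 0);
        _exit(n < 0 ? errno : 0);
    }

    /* Parent keeps both ends open until the child has finished. */
    int status = 0;
    pid_t waited = waitpid(pid, &status, 0);
    close(sv[0]);
    close(sv[1]);
    if (waited < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    int broken = child_sendto_errno(0);
    int fixed = child_sendto_errno(1);
    printf("close-all child: %s\n", broken == 0 ? "sent" : strerror(broken));
    printf("spared-fd child: %s\n", fixed == 0 ? "sent" : strerror(fixed));
    return (broken == EBADF && fixed == 0) ? 0 : 1;
}
```

Sparing the descriptor in the close loop is one way out; opening the socket after the close loop instead of before the fork is another.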

Networking

Journal Journal: From A Motel 6 2

Came across a weird problem on the firewall at work last week. It's running 4-STABLE, and was last updated about a month ago. It's got fxp0 for an outside interface, and em0 plus a bunch of vlan devices for inside interfaces.

When I added either of these two rules:

ipfw allow tcp from 192.168.16.34 to 192.168.19.33 1230,1236 keep-state via vlan19
ipfw allow tcp from 192.168.19.33 to 192.168.16.34 1230,1237 keep-state via vlan19

then suddenly DNS queries from inside our main LAN (192.168.0.0/24 on em0) to outside servers -- say, our main inside nameserver doing recursive queries for A records for Google -- stopped working: queries would pass through natd and go out with the source address changed, but the reply from the server would be accepted by the firewall box, rather than passed to natd and then back inside to the machine that'd made the query. Since the firewall box hadn't made the request, it would send back an ICMP port-unreachable packet to the outside nameserver. In other words:

  1. 192.168.0.2 -> ns.google.com: www.google.com A?
  2. 192.168.0.1 (firewall box) passes that to natd
  3. natd changes packet to...
  4. firewall outside IP -> ns.google.com: www.google.com A?
  5. ns.google.com -> firewall outside IP: www.google.com A 1.2.3.4
  6. firewall accepts that packet...
  7. ...but realizes it doesn't have anything listening for a UDP packet from ns.google.com...
  8. ...and rejects it:
  9. firewall outside IP -> ns.google.com: ICMP port-unreachable

Took me most of the day to figure this out, because I found a separate problem and was convinced that these rules had nothing to do with it. And they don't, really -- wrong protocol, wrong interface, wrong addresses -- but remove the rules and everything's fine. Freakin' bizarre.

I spent a lot of time checking out state rules and such, and I'm pretty certain that's not it. At this point, I'm assuming that it's either a bug in ipfw (possibly related to this PR), or my upgrade from 4.8 to 4-STABLE did not go as cleanly as I thought. I'm going to try installing FreeBSD here and see if I can duplicate this...maybe get another one-character patch into FreeBSD. Woot!

Handhelds

Journal Journal: oz2remind 0.2

The second release of oz2remind is now available for your GPL'd pleasure. Now, it'll convert from Remind format to OpenZaurus format: it'll either parse your .reminders file directly, or (recommended) parse the output of remind -n -b1 -s. You can check out the Freshmeat page, or just go and grab it now.

Slashback

Journal Journal: Let's Burn Tony Orlando's House 2

Spent some time this weekend trying to get wireless working. I've got the WRT54G on the second floor, and my wife's iBook on the first. The iBook will pick up the signal more or less fine, but if you put it to sleep and come back in an hour (say), it won't find the signal anymore. I suspect it's the iBook's fault, but I can't be sure since I haven't got another wireless notebook to check it with.

As I mentioned, the signal the iBook gets is decent, but it surprises me how much depends on the orientation of the antennae -- which, on the iBook, means what angle you've got the monitor at. I built a couple of these antennas, and that does seem to help a bit. Plus it's just fun making something with cardboard and tape and aluminum foil...feels like I'm in grade one again. :-)

On Friday I had to set up a new Windows workstation for the first time in a while, and I remembered these guys. They've done a metric buttload of work since I last checked in with them (Lord, a year now?) We use this program at work to automate software installs on Windows machines, and even though we had problems setting it up (mainly getting it to run as a service using Cygwin's cygrunsrv) it's saved us a ton of time getting new workstations ready. I think it's time I took another look at using it for ongoing maintenance, rather than just first installs.

Slowly getting my OpenBSD firewall put together. It'd be cool to use the WRT, of course, but then I wouldn't get to use the 3.9 CD set I just bought. It still amazes me that I can put together a firewall using pf and not lock myself out.

Marcin posted recently that he got Linux working on his own WRT1133 clone. Rather than bother uploading an image to flash, though, he used OpenOCD to write the image to memory using a JTAG cable. I hadn't heard of OpenOCD before, and this raises the possibility of getting Flash writes working from Linux by watching what the original bootloader does when it loads another image.

My father has started a blog. I was going to write, "Now if only my uncle would post again...", but he beat me to it.

Oh, and the favicon comes courtesy of Chris. Many thanks!

Finally, my friend ZenRender has just got a haircut after, like, at least eleven years of rampant hippiedom. (He did get it partly cut last year, but I call that chickening out.) Of course, he still looks like a damned Communist.

Wireless (Apple)

Journal Journal: OpenWRT/VPN/NTPD

I've been setting up OpenVPN on my wife's iBook, using 3.0-RC2 of Tunnelblick. It works well, but I did come across one bit of weirdness.

I'm using OpenVPN in bridging mode. The network looks like this:

iBook <-> WRT54G <-> Home Network <-> Firewall <-> Internet

When OpenVPN bridging is going on, the iBook appears to be sitting on the Home Network. During testing, I was able to ping the Firewall box and other boxes on the Home Network, but I was unable to connect to websites on the Internet, and pinging Internet hosts got me this error:

ping: sendto: No buffer space available
ping: wrote www.google.ca 64 chars, ret=-1

I've run into this problem before, but the last time it was because one end of the tunnel went down -- not the case now.

I tried looking at netstat -m but it all looked good:

98 mbufs in use:
94 mbufs allocated to data
3 mbufs allocated to socket names and addresses
1 mbufs allocated to Appletalk data blocks
145/368 mbuf clusters in use
760 Kbytes allocated to network (41% in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines

...which pretty much matches what I've seen when I've had this message before in other situations. netstat -s was a little more interesting:

icmp:
266 calls to icmp_error
0 errors not generated 'cuz old message was icmp
Output histogram:
echo reply: 2
destination unreachable: 266
0 messages with bad code fields
0 messages < minimum length
0 bad checksums
0 messages with bad length
0 multicast echo requests ignored
0 multicast timestamp requests ignored
Input histogram:
echo reply: 865
destination unreachable: 284
routing redirect: 18
echo: 2
2 message responses generated
ICMP address mask responses are disabled

"Destination unreachable"? WTF? I had a look at the interfaces, and saw three tap instances. Not only that: tap1 was the one being used by Tunnelblick, but tap0 was the default gateway. That can't be right, right? Right. Turned out there was another, older instance of OpenVPN running that should've been killed long ago. Kill that, kill Tunnelblick, restart Tunnelblick, and all is well.

I'm hoping I won't have this crop up again; it's not in my wife's nature to start looking for rogue tap interfaces screwing up the routing tables if her Internet connection goes down. :-)

One other problem I had with the WRT54G was bridging and setting the time. See, OpenVPN starts at boot on this thing, and it needs a tap interface. Since we're doing bridging, it needs to be bridged to the outside interface -- vlan1 on OpenWRT, the Linux firmware I'm using. In order to make that work, I get the firewall script to create the bridge right before it runs all the firewall rules. That happens right before OpenVPN starts, which happens right before OpenNTPD runs, which happens right before the boot scripts finish and we're open for business. Firewall, then OpenVPN, then OpenNTPD. Got it?

Setting the time is important because otherwise OpenVPN will complain that the iBook is connecting using an SSL certificate that's not valid yet, and refuses to connect. Well, no problem -- ntpd -s takes care of that, right? Wrong: every time I checked the date, the time was 1999. (Yeah, I could've tried to set the hardware clock to something more reasonable, but that's a stupid hack.)

ntpd -s was running but not setting the time. tcpdump on my NTP server showed that there were no NTP requests coming from the WRT after it booted. Yet I could kill ntpd, start it up again, and it would set the time right away. I tried ntpclient, but it behaved in exactly the same way.

In the end, I couldn't find out what was going on. I suspect it's a problem related to the bridge I set up -- ntpd binds to vlan1, then for some reason things stop working once the bridge is set up. I can't be sure without a serial port, though -- still haven't figured out logging on this thing -- so I used a slightly less awful hack: running ntpclient to set the time just before bridging starts, then running openntpd after as usual. It just dodges the problem, rather than fixing it, but it works.
