Off you go... into the purple yonder!

zuneral: DRM is dead!

Posted on May 25, 2008 by ward

DRM died on April 29th, 2008 when Microsoft announced it would be shutting down its ‘Plays for sure’ DRM validation servers on August 31st, 2008. All DRM’d music bought under the ‘Plays for sure’ system will become permanently tethered to the device it is currently ‘authorized’ on. When those devices fail or are replaced the DRM’ed music on them will be permanently lost.

While there are still many services with DRM out there, the de-activation of the ‘plays for sure’ system illustrates the core problem with DRM very clearly – somebody else holds the keys to your DRM’d music/movies/books. If they decide you can’t use them anymore – for whatever reason – your media become unusable.

Even those people who don’t know or don’t care about DRM will now think twice, particularly if they are burned by ‘plays for sure’.

Ergo, DRM is dead.

DRM’s funeral – the zuneral – was held this evening in Cambridge, MA. About 20 people attended the tasteful ceremony that ended with the submersion of the deceased in the Charles.

A plaque was revealed on the Weeks bridge to commemorate the event:

DRM is dead, rejoice!

More info about the death of DRM will become available on http://drmisdeadtome.org shortly. Check out my zuneral photos or all zuneral photos on flickr.

Posted in DRM | Leave a comment

coreboot update

Posted on April 18, 2008 by ward

The coreboot symposium in Denver was a success. As I announced during my talk there, Silicon Mechanics has pledged to ship servers with coreboot preinstalled – more in particular, their Rackform nServ A236 model, which is a 1U pizzabox with a nice dual-socket F Opteron board by supermicro. I’ve got a bunch of those machines in production running coreboot, and they’re pretty awesome.

Marc’s AMD talk [PDF] was fascinating – AMD’s really behind coreboot, and there is a lot of hardware support in the pipeline. Awesome stuff.

Finally, we also ported a new board to v3: support for the PC Engines Alix.2C3 is now in the coreboot v3 tree. It’s not perfect yet – there’s an irq conflict between the usb ports and eth2 that needs to be sorted out, but we hope to fix that shortly and other than that it works great.

Update 2008-04-18: this is the Silicon Mechanics press release.

Update 2008-05-09: the irq issues on the alix.2c3 are resolved. Get revision 680 or higher.

Posted in coreboot | Leave a comment

the PDF from hell

Posted on April 7, 2008 by ward

I came across a nice PDF today. It caused an HP 4100 to just hang ‘processing job’; a Xerox 4500 printed it but overlayed the page with a lovely postscript error, and an Imagistics im2520f (a rebadged Minolta, really) just printed “Error: configurationerror”.

So I ran it through pdf2ps, after which it printed fine. Nice error message, no?

$ pdf2ps SAMSUNG13MIRsApr01Apr3008cd12.pdf

   **** Warning: Fonts with Subtype = /TrueType should be embedded.
                 The following fonts were not embedded:
                        Arial-Black
                        Arial-BoldMT
                        ArialNarrow-Bold
                        ArialNarrow-BoldItalic
                        TimesNewRomanPSMT

   **** This file had errors that were repaired or ignored.
   **** The file was produced by: 
   **** >>>> Acrobat Distiller 7.0.5 (Windows) < <<<
   **** Please notify the author of the software that produced this
   **** file that it does not conform to Adobe's published PDF
   **** specification.

Posted in Completely clueless | Leave a comment

nokia E70 + bluetooth + evince

Posted on March 31, 2008 by ward

I’m going to the Coreboot symposium 2008 in a few days, where I’ll give a talk titled ‘the view from the FSF’.

I rarely give presentations so I figured I’d better spend some time to configure my laptop (a Dell 1420N) properly. The first step was easy – the Fn-F8 CRT/LCD button just works – it duplicates the LCD output onto the external VGA connector. I had never tried this before

I’m writing my talk in OpenOffice.org Impress, which I then export to PDF and show in Evince‘s excellent presentation mode.

I wanted to be able to control the slideshow via Bluetooth with my phone, a Nokia E70 – and it turns out that’s easy with the excellent anyRemote software. I already had bluetooth working for obex file transfers between the phone and the computer.

While connecting to the phone from the computer worked fine for file transfers, I could not connect from the phone to the computer. The phone gave me the message that the computer was an ‘unsupported device’. Redoing the bluetooth pairing seemed to fix that, I’m not sure yet why.

Making sure that the computer is discoverable can be done with:

hciconfig hci0 piscan

I also had to tell the computer to switch to ‘security mode 3′ and enable authentication and encryption:

hciconfig hci0 auth
hciconfig hci0 encrypt

Here’s what I did:

* installed anyremote, anyremote-docs, anyremote-j2me-client and ganyremote debian packages from the anyRemote download area on sourceforge.
* copied /usr/share/anyremote-J2ME-client/anyRemote64.jar to the phone via obex, and installed it on the phone. This is the anyRemote client.
* copied nokia-e70.cfg and keyboard.cfg from the cfg-data subdirectory of the anyremote tarball to /etc/anyremote (these files are not in the anyremote debian package for some reason)
* started up ganyremote, and pointed it at /etc/anyremote for config files; made sure to have it show ‘examples’ in the application list
* start anyRemote from ganyremote
* use the gAnyRemote device browser to locate the phone; configured it to always run the nokia E70 sample application when it sees the phone
* started up the anyRemote client on the phone; searched for computer, found it, connected to it

With the E70 application selected, you essentially get bluetooth keyboard functionality. With the ‘keyboard’ application selected, you get a few keys mapped to the numeric phone keypad.

With this, I can put Evince in presentation mode and move between slides by using the phone’s joystick. If I leave the gAnyRemote application running I just have to connect to the computer from the phone, fire up the anyRemote client, and I’m in business.

Posted in coreboot | Leave a comment

why aren’t my svn repository hooks working?

Posted on March 29, 2008 by ward

The SVN FAQ has an entry with the title why aren’t my repository hooks working?. It describes some debugging tips for svn hooks.

Unfortunately it does not mention a few very important SVN ‘features’:

1. stdout of all repository hooks goes to /dev/null, always
2. stderr of post-commit repository hooks goes to /dev/null, always
3. stderr of all but post-commit repository hooks goes to /dev/null unless the hook script returns with a non-zero exit code

I would argue that those are three glaring bugs, and I hope that they will be fixed soon. There is absolutely no reason for that output to be thrown away – at the very least it should be logged somewhere on the server. If people don’t want output for a specific script, they can always redirect it to /dev/null from the script itself.

In the mean time, I think that FAQ entry deserves an update…

Posted in Free Software/Open Source | Leave a comment

of how XFS saved the day

Posted on March 15, 2008 by ward

Io, one of my mailservers, is a Xen instance. It’s moderately busy – a normal day sees about 12000 accepted messages and about 24000 rejected delivery attempts (spam). It’s an Exim/clamav/dspam setup, and a significant proportion of the 12000 accepted messages ends up quarantined as spam.

I recently moved this instance to a new Xen dom0 with significantly faster CPUs. On the old host, the domU ran off a disk image on a pair of fast 10K rpm Western Digital Raptors in software raid-1, connected to a crappy (in terms of performance) SII 3114 sata chipset. On the new host, the domU runs on a pair of Seagate Barracuda sata2 drives (also in raid-1), connected to an Nvidia MCP55 sata chipset. So the drives are slower, but the chipset is considerably better.

The mailserver began having intermittent performance issues soon after the move. The load on the system went high enough for Exim to queue new mail rather than deliver it immediately. In other words, mail got stuck on the mailserver until the load dropped sufficiently for Exim to start delivering it.

The problem turned out to be heavy disk IO – the disks were not keeping up with the rest of the system, leading to bad iowait and a sluggish system:

$ sar 1 0
01:04:35 PM     CPU      %user     %nice   %system    %iowait    %steal     %idle
01:04:35 PM     all      2.08      0.00      1.04     46.88      0.00     50.00
01:04:36 PM     all      0.00      0.00      0.00    100.00      0.00      0.00
01:04:36 PM     all      0.00      0.00      0.00     50.00      0.00     50.00
01:04:37 PM     all      0.00      0.00      0.00     15.69      0.00     84.31
01:04:38 PM     all      0.00      0.00      0.00     49.75      0.00     50.25
01:04:38 PM     all      0.00      0.00      0.00     51.53      0.00     48.47
01:04:39 PM     all      0.79      0.00      1.59      8.73      0.00     88.89
01:04:40 PM     all      1.00      0.00      1.00     26.87      0.00     71.14
01:04:41 PM     all      0.00      0.00      0.00    100.00      0.00      0.00
01:04:42 PM     all      0.00      0.00      0.43     41.13      0.00     58.44
01:04:43 PM     all      3.49      0.00      0.00     52.33      0.00     44.19
01:04:44 PM     all      0.00      0.00      0.00     49.75      0.00     50.25
01:04:45 PM     all      0.00      0.00      0.00     49.75      0.00     50.25
01:04:46 PM     all      0.00      0.00      0.00     49.75      0.00     50.25
01:04:47 PM     all      0.00      0.00      0.00     49.75      0.00     50.25
01:04:48 PM     all      3.47      0.00      0.99     44.06      0.00     51.49

The host has 2 CPUs; every time the iowait approximated 50% in the above table, one of the CPUs was 100% busy waiting for disk IO to complete. At 100%, both were fully tied up waiting for the disks.

The iowait was directly correlated with mail delivery – as mail came in, the iowait jumped up as it was processed. Strangely it seemed to stay high for a few seconds even after the mail was delivered.

Curiously enough, this iowait did not translate in a sluggish dom0, or even in significant iowait there.

I immediately suspected Xen to be the problem, but that turned out to be false. After having stopped Exim (which reduced iowait to zero), I ran hdparm on both the dom0 and the domU:

(dom0)
# hdparm -tT /dev/md2

/dev/md2:
 Timing cached reads:   3808 MB in  2.00 seconds = 1904.67 MB/sec
 Timing buffered disk reads:  194 MB in  3.02 seconds =  64.25 MB/sec

(domU)
# hdparm -tT /dev/sda1

/dev/sda1:
 Timing cached reads:   1850 MB in  2.00 seconds = 925.51 MB/sec
 Timing buffered disk reads:  186 MB in  3.02 seconds =  61.50 MB/sec

The cached reads are half of what they are in the dom0, but the buffered disk read performance was pretty much on par. So that was all pretty good.

So since the actualy disk performance looked fine – at least for reading – that meant the problem was likely to be higher up. The filesystem, or some process doing something stupid.

Time to figure out which process, exactly, was causing the slowness. The kernel allows us to see just that:

echo 1 > /proc/sys/vm/block_dump

and then

dmesg | awk ‘/(READ|WRITE|dirtied)/ {activity[$1]++} END {for (x in activity) print x, activity[x]}’| sort -nr | head -n 10

Note: you may want to disable syslog while you enable the block_dump logging so it does distort the results.

That generated the following output, after a few seconds (I repeated the dmesg command quite a few times to make sure I was getting an accurate picture over time – this is a sample result):

wc(3500): 1
sshd(3483): 5
sshd(3481): 2
pdflush(25494): 2
mysqld(26063): 9
mesg(3495): 1
kjournald(1624): 582
find(3499): 28
exim4(3520): 2
exim4(3508): 2

I had expected the problem to be caused by mysql, which is heavily taxed by dspam. But no, it was quite clearly caused by kjournald. Kjournald is a kernel thread that deals with ext3 journalling. I googled around a bit, looking for ext3 optimizations that I might have overlooked but did not find anything concrete. The filesystem was already mounted with noatime. This being a Xen system upgrading the kernel is a bit of a problem, so I could not try that.

So I ran some tests on another dom0: I created 2 new domUs, one with ext3 as the root filesystem, and one with xfs. I then ran bonnie++ on both and compared the results. The XFS system seemed to have a much lower CPU load as reported by bonnie++, especially for its Sequential Create and Random Create tests.

So I converted Io to XFS, and the problem went away altogether. It’s as responsive as it used to be, and a good deal faster when a lot of mail is flowing through.

And that’s how Io, the mailserver (named after one of Jupiter’s moons), got significantly improved disk IO.

Posted in Sysadmin, Xen | Leave a comment

and audio books are following suit

Posted on March 3, 2008 by ward

The New York Times is reporting that several major book publishers are starting to do away with DRM on their audio books.

Wonderful news, indeed.

Posted in DRM | Leave a comment

wireless mac address cloning on WRT54GL

Posted on February 27, 2008 by ward

I have a bunch of WRT54GL units that still run OpenWRT Kamikaze 7.07 (latest version is 7.09).

I needed to swap out a unit that is one half of a WDS pair, but preferred not to touch the other half. Cloning the wan mac address on these things is easy, but cloning the wifi mac address seems entirely undocumented.

Here’s how you do that on these units:

nvram get il0macaddr
nvram set il0macaddr=your-desired-address
nvram commit
reboot

This is a little odd: first of all Kamikaze supposedly does not use nvram anymore (seems like that’s not true), and secondly there is also a wl0_hwaddr variable that seems to be unused.

For completeness, you can list all nvram variables and their values like this:

nvram show

Anyway, now you know how to do this on Kamikaze 7.07. At some point I’ll figure out if 7.09 behaves in the same way or not.

Update 2008-07-13: this also applies to Kamikaze 7.09.

Posted in Sysadmin | Leave a comment

xen 3.2 serial

Posted on February 18, 2008 by ward

Getting access to the serial port in a Xen 3.2 dom0 is somewhat complicated. This is the magic incantation for your grub menu.lst file to get console at 115200 bps on the first physical serial port, as well as on the screen.

serial --unit=0 --speed=115200
terminal --timeout=5 serial console

title Xen 3
root    (hd0,0)
kernel    /boot/xen-3.gz com1=115200,8n1 console=com1,vga
module    /boot/vmlinuz-2.6.18.8-xen root=/dev/md0 ro xencons=ttyS0 console=tty0 console=ttyS0,115200n8
module    /boot/initrd.img-2.6.18.8-xen
boot

The ‘com1=115200,8n1 console=com1,vga’ arguments on the kernel line make sure that xen writes its output to the serial port (with the right speed, stop bit etc) as well as to the vga device. The ‘console=tty0 console=ttyS0,115200n8′ on the first module line tells the kernel to do the same. Xen controls the serial port hardware at this point (that’s the default in 3.2: XEN_DISABLE_CONSOLE is set in the dom0 kernel config!), and in order for the dom0 kernel and Xen to share that serial port, we have to tell the kernel to use the xencons virtual console driver – hence the ‘xencons=ttyS0′ parameter.

Debugging Xen with Serial Console has it almost right, but the xencons parameter is missing. Without xencons you’ll see serial output until the dom0 kernel taks over; that kernel won’t see any serial ports, which makes (m)getty very unhappy…

Posted in Sysadmin, Xen | Leave a comment

sanitizing /var/log

Posted on February 13, 2008 by ward

I don’t know about you, but I like to have my system logs split day by day, particularly on busy machines. I also like to have a full timestamp (including year and timezone thank you) in system log files.

The venerable syslog package can not do these things – but syslog-ng can.

On Debian/Ubuntu, the default syslog-ng config file is set up to mimic the old way of logging – dump everything in various files under /var/log/, and let logrotate rotate the logs. That’s understandable from an upgrade path perspective but it does not exploit syslog-ng’s strengths at all.

Here’s how I configure syslog-ng for a machine that logs locally as well as to a remote syslog-ng server:

options {
  check_hostname(yes);
  keep_hostname(yes);
  chain_hostnames(no);
};

source inputs {
  internal();
  unix-stream("/dev/log");
  udp();
};

destination logpile {
  file("/var/log/$FACILITY.$YEAR$MONTH$DAY"
        template("$ISODATE $MSG\n") template_escape(no)
        owner(root) group(root) perm(0600)
        create_dirs(yes) dir_perm(0700));
};

destination remote { tcp("the.ip.of.your.very.secure.syslog.server"); };
log { source(inputs); destination(remote); };
log { source(inputs); destination(logpile); };

This config puts logfiles in /var/log but splits them up per day with a filename like syslog.YYYYMMDD. It also makes sure that the first element on each line is a fully qualified timestamp.

I also have a small script that runs from cron

#!/bin/sh

# This script moves log files older than 3 days from /var/log/ to
# /var/log/archive/, in bzip2 format. It assumes you've set up syslog-ng to
# split logs per day and put them in /var/log. The script also maintains a
# symlink to the most recent logfile in /var/log/.
#
# Run this script from cron, ideally as close to midnight as possible so that the
# symlink points to the current logfile, always.
#
# Ward Vandewege, 2008-02-12

THREEDAYSAGO=`date --date='3 days ago' +%Y%m%d`
YEARTHREEDAYSAGO=`date --date='3 days ago' +%Y`
MONTHTHREEDAYSAGO=`date --date='3 days ago' +%m`
TODAY=`date +%Y%m%d`

if [ ! -d /var/log/archive ]; then
  mkdir /var/log/archive
fi

if [ ! -d /var/log/archive/$YEARTHREEDAYSAGO/$MONTHTHREEDAYSAGO ]; then
  mkdir -p /var/log/archive/$YEARTHREEDAYSAGO/$MONTHTHREEDAYSAGO
fi

for LOG in syslog mail cron daemon auth authpriv; do
  if [ -f /var/log/$LOG.$THREEDAYSAGO ]; then
    bzip2 /var/log/$LOG.$THREEDAYSAGO
    mv /var/log/$LOG.$THREEDAYSAGO.bz2 /var/log/archive/$YEARTHREEDAYSAGO/$MONTHTHREEDAYSAGO
  fi
  if [ -h /var/log/$LOG ]; then
    rm -f /var/log/$LOG
  fi
  ln -s /var/log/$LOG.$TODAY /var/log/$LOG
done

This script keeps 3 days worth of logs in /var/log. Older logs are compressed and archived under /var/log/archive/YYYY/MM/. The script also maintains a symlink in /var/log for each log file syslog-ng generates, pointing to the current log file. I run this script from cron a few minutes after midnight.

You’ll also want to remove /etc/logrotate.d/syslog-ng, since that file serves no purpose anymore.
The combination of syslog-ng and this maintenance script keeps /var/log in order with log files split up per day. It also keeps the most recent log files available right in /var/log, and the rest only a few keystrokes away.