Mount NFS export for machine behind a NAT

So today I was trying to mount an NFS export from a machine that was behind a NAT 1. The “/etc/exports” file was correct but I kept getting “access denied” errors.

It turns out that, by default, the NFS server only allows access to clients whose originating port is a reserved port (< 1024), but the NAT device in the middle was rewriting the source port to something else.

Adding the “insecure” option to the export for that machine did the trick.
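The “insecure” option disables the reserved-port check for that export, so it is worth knowing which exports have it and for which clients. The following is an added example, not code from the post: a small /etc/exports parser over a constructed sample file that flags exports granting “insecure” to anything broader than a single host.

```python
import re

# Constructed sample /etc/exports (not from the post): the second line is the
# NAT workaround described above, the third is the pattern worth flagging.
SAMPLE_EXPORTS = """\
# NFS exports
/srv/data    192.168.110.0/24(rw,sync,no_subtree_check)
/srv/nat     203.0.113.10(rw,sync,no_subtree_check,insecure)
/srv/public  *(ro,insecure)   10.0.0.0/8(ro)
/srv/legacy  oldhost
"""

def parse_exports(text):
    """Return (path, client, options) triples; a client without '(...)' gets
    the exportfs defaults, which include 'secure'."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for token in clients:
            m = re.fullmatch(r'([^(]*)(?:\(([^)]*)\))?', token)
            if m is None:
                raise ValueError(f"malformed client spec: {token!r}")
            client = m.group(1) or '*'          # a bare "(opts)" token applies to everyone
            opts = {o for o in (m.group(2) or '').split(',') if o}
            if 'insecure' not in opts:
                opts.add('secure')
            entries.append((path, client, opts))
    return entries

def is_single_host(client):
    """True for one IP address or hostname; False for wildcards, CIDR ranges and netgroups."""
    return not any(c in client for c in '*?/@')

def flag_insecure_exports(text):
    """Exports where the reserved-port check is disabled for more than one host."""
    return [(path, client) for path, client, opts in parse_exports(text)
            if 'insecure' in opts and not is_single_host(client)]
```

The reserved-port check only ever proves that the client process ran as root, so scoping an “insecure” export to the NAT gateway's address (as in the /srv/nat line) costs little, while “insecure” on a wildcard export is the case to review.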

Notes:

  1. Yeah, I know, NAT must die

Managing /etc/network/interfaces with puppet and augeas

First blog post in a long time; let me try to post the interesting things I come across in my work as a GNU/Linux system administrator at Inuits.

I was looking for a clean and easy way to manage the network interface configuration on Debian-like systems (the /etc/network/interfaces file) using Puppet.

Puppet currently doesn’t have a resource type to handle network interfaces, and unlike Red Hat-like systems, where the network configuration is split into one file per interface, the “interfaces” configuration file under Debian is monolithic, which makes it difficult to manage.

So here comes Augeas to the rescue. Augeas is a configuration file parser that maps a configuration file into a tree, and Puppet provides a native resource type for it that you can use in your Puppet manifests.

Let’s say you want to generate the following stanza in “/etc/network/interfaces” (this creates a bond interface):

auto bond0
iface bond0 inet static
    address 192.168.110.42
    netmask 255.255.255.0
    network 192.168.110.0
    gateway 192.168.110.240
    slaves eth0 eth1
    bond_mode active-backup
    bond_miimon 100
    bond_downdelay 200
    bond_updelay 200

You can define the following resource:

# Create or update the bond0 stanza in /etc/network/interfaces; other stanzas are untouched.
augeas{ "bond_interface" :
    context => "/files/etc/network/interfaces",
    changes => [
        "set auto[child::1 = 'bond0']/1 bond0",
        "set iface[. = 'bond0'] bond0",
        "set iface[. = 'bond0']/family inet",
        "set iface[. = 'bond0']/method static",
        "set iface[. = 'bond0']/address 192.168.110.42",
        "set iface[. = 'bond0']/netmask 255.255.255.0",
        "set iface[. = 'bond0']/network 192.168.110.0",
        "set iface[. = 'bond0']/gateway 192.168.110.240",
        "set iface[. = 'bond0']/slaves 'eth0 eth1'",
        "set iface[. = 'bond0']/bond_mode active-backup",
        "set iface[. = 'bond0']/bond_miimon 100",
        "set iface[. = 'bond0']/bond_downdelay 200",
        "set iface[. = 'bond0']/bond_updelay 200",
    ],
}

and Puppet will take care of creating the stanza and updating it. Be aware that interfaces and options not managed by Puppet are left untouched.
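To see how the monolithic file maps onto the tree paths used in the changes above, and to check a host for drift from the managed values before or after a Puppet run, here is an added example (not code from the post, nor Augeas itself): a simplified parser that mimics the path layout of the Augeas Interfaces lens, run over a constructed interfaces file.

```python
# Constructed sample /etc/network/interfaces (not from the post): the bond0
# stanza from the post plus an unmanaged loopback stanza that Puppet leaves alone.
SAMPLE_INTERFACES = """\
auto lo
iface lo inet loopback

auto bond0
iface bond0 inet static
    address 192.168.110.42
    netmask 255.255.255.0
    network 192.168.110.0
    gateway 192.168.110.240
    slaves eth0 eth1
    bond_mode active-backup
    bond_miimon 100
    bond_downdelay 200
    bond_updelay 200
"""

def parse_interfaces(text):
    """Map the file onto paths shaped like the Augeas Interfaces lens (simplified):
    'auto[2]/1' -> 'bond0', "iface[. = 'bond0']/address" -> '192.168.110.42', ..."""
    tree, auto_n, current = {}, 0, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        words = line.split()
        if words[0] == 'auto':                  # each auto line is its own numbered node
            auto_n += 1
            for i, name in enumerate(words[1:], 1):
                tree[f"auto[{auto_n}]/{i}"] = name
            current = None
        elif words[0] == 'iface':
            name, family, method = words[1:4]
            current = f"iface[. = '{name}']"
            tree[current], tree[f"{current}/family"], tree[f"{current}/method"] = name, family, method
        elif current and raw[:1].isspace():     # indented option line inside the stanza
            tree[f"{current}/{words[0]}"] = " ".join(words[1:])
    return tree

def drift(tree, name, desired):
    """Options of iface `name` whose value differs from `desired`, as {path: (actual, wanted)};
    keys absent from `desired` are unmanaged and ignored, like Puppet does."""
    sel = f"iface[. = '{name}']"
    return {f"{sel}/{k}": (tree.get(f"{sel}/{k}"), v)
            for k, v in desired.items() if tree.get(f"{sel}/{k}") != v}
```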

Redmine strange issue

I’m currently deploying Redmine for a customer, and today we ran into a strange issue.

People were able to log in, but for certain operations some of them got an “Invalid form authenticity token” error. Moreover, Redmine was setting more than one cookie with different values and paths in Firefox. After some time I figured out that RAILS_RELATIVE_URL_ROOT was set in the Apache configuration but was empty. It looks like Firefox and IE behave differently if the path of the cookie is empty: Firefox considers the path to be the current directory, while IE thinks it’s ‘/’. Now everything seems to be working.
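The Firefox behaviour described above is what RFC 6265 specifies: an empty or non-absolute Path attribute is ignored and the cookie gets a default path derived from the request URL's directory. The following added example (not code from the post) models that rule in a minimal cookie jar and replays two requests to show how an empty path yields two session cookies, so a form rendered under one session is submitted under another; the Redmine URLs and cookie name are constructed for illustration.

```python
from urllib.parse import urlsplit

def default_path(request_url):
    """RFC 6265 section 5.1.4: the path a browser assigns to a cookie whose
    Path attribute is missing, empty or not absolute."""
    p = urlsplit(request_url).path
    if not p.startswith('/') or p.count('/') <= 1:
        return '/'
    return p[:p.rfind('/')]

def path_matches(cookie_path, request_path):
    """RFC 6265 path-match: exact match, or a prefix that ends at a '/' boundary."""
    if request_path == cookie_path:
        return True
    return (request_path.startswith(cookie_path) and
            (cookie_path.endswith('/') or request_path[len(cookie_path)] == '/'))

class CookieJar:
    """Minimal jar keyed on (name, path), the way a browser stores cookies."""
    def __init__(self):
        self.store = {}

    def set_cookie(self, name, value, path_attr, request_url):
        # An empty Path attribute (what an empty RAILS_RELATIVE_URL_ROOT produces)
        # is ignored, so the cookie is scoped to the current request directory.
        path = path_attr if path_attr.startswith('/') else default_path(request_url)
        self.store[(name, path)] = value

    def cookies_for(self, name, request_url):
        rp = urlsplit(request_url).path
        return {p: v for (n, p), v in self.store.items() if n == name and path_matches(p, rp)}

def simulate_session(path_attr):
    """Two requests that each may set the Rails session cookie; returns the stored paths.
    Constructed scenario: first a deep URL, then a page elsewhere in the same app."""
    jar = CookieJar()
    jar.set_cookie('_redmine_session', 's1', path_attr,
                   'https://example.test/redmine/projects/demo/issues/new')
    # If no session cookie reaches the second page, the app starts a second session.
    if not jar.cookies_for('_redmine_session', 'https://example.test/redmine/my/account'):
        jar.set_cookie('_redmine_session', 's2', path_attr, 'https://example.test/redmine/my/account')
    return sorted(p for (n, p) in jar.store)
```

With the empty path the jar ends up holding `/redmine/my` and `/redmine/projects/demo/issues`; with `/redmine` set as the path there is a single cookie.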

I will try to blog a little more about what I’m doing at work.

Hadopi made in Belgium

The Belgian senator Philippe Monfils (MR) presented a few weeks ago a bill (in French) for a HADOPI (Haute autorité pour la diffusion des œuvres et la protection des droits sur internet)-like 1 law in Belgium. This law aims at sanctioning people who share copyrighted works without going to court. If an internet user’s connection is used for illegal filesharing, she will first receive a warning, then a fine. The third step proposes a limitation of bandwidth. The last one is the complete suspension of that person’s internet connection (but she still has to pay for that connection).

In practice this raises a lot of questions and fears about the freedom to access the Internet, but also about the means used to prove the facts. An IP address isn’t enough to prove anything, considering how easy it is to break into a WiFi access point, even a secured one. It also raises the problem of a conviction that will affect a group of people (whole families, businesses, …) for the act of a single person. There is also a chance of double penalty (the obligation to continue paying the fees for a suspended Internet access), and there is also the possibility that somebody gets convicted for the infringement while his neighbour only gets a warning for the same infraction, thus breaking equal justice.

Also, will such a law really help artists (or the entertainment industry)? There is no proof that it will encourage people to buy more discs, and moreover, how can anybody buy anything from legal sources without an internet access? What is sure is that this will cost a lot of money for results that are not proven.

Hadopi Mayonnaise is a group of concerned citizens who want to open a dialogue about this law. If you want to help them you can visit the NURPA 2 website. They are currently looking for Dutch translations of both websites.

Notes:

  1. HADOPI is the name of the law that has made a lot of noise in France
  2. the association behind Hadopi Mayonnaise

Laptop stolen, GPG keys revoked

This weekend somebody broke into my apartment in Heppignies and stole my brand new laptop 1, which contained my cryptographic keys. I’ve revoked my GPG key and issued a new one.

New GPG key fingerprint: 1827 E04D 04E5 8F43 1D4D E889 7647 8107 233B 9EA0

Please also remove all SSH keys other than: 22:1d:b6:2b:df:cd:72:2e:42:84:c8:45:45:8c:62:69

Notes:

  1. Lenovo T61

Looking for an internship

As some of you may know, I am currently following a FOREM/Cefora training course in “Linux System Administrator, LPI certified” at the TechnofuturTic centre in Gosselies. The training ends around the beginning of November and is followed by a one-month internship in a company.

So I am looking for that internship; if anyone would accept, or knows of a company in the Brussels area that would accept to take me on as an intern, you can contact me by leaving a message on this blog or by sending me an email.

Edit: My CV is available here

Lost penne

For the first time in 6 years of guindaille, I have lost my penne :( . It is a Cercle informatique penne with 3 stars (1 gold, 2 silver, yes I know…) in the name of “bigon”. If somebody has found it I would be happy to buy it back.

Edit: thanks to the pigeon (a real one, eh) who brought my penne back to the cercle \o/

MoBIB, or how is STIB going to track its passengers?

From 2009 STIB 1 will switch to a new ticketing system called MoBIB. MoBIB is an RFID card that will centralise the various tickets and season passes in the capital. While the goal is laudable (simplification for passengers and ecological impact), one question arises: will STIB be able to track its passengers?

At first sight, the card seems to be nominative (it will automatically be the case for season passes). At each validation, the RFID reader would be able to record the chip number, and it would be possible (without much effort) to obtain the identity of the person. Currently, with disposable cards, STIB could also do the same kind of thing, but to a lesser extent, because by definition a disposable card is not nominative… and disposable.

So the question is: what will STIB record? Will the police have access to the information, and how long will this information be kept? No answer is available on STIB’s website for the moment.

Edit: I removed the link to STIB, as it does not want hyperlinks pointing to its website without its prior agreement.

Notes:

  1. Société des transports inter-urbain bruxellois

The Day The Routers Died…

Last week, at its biannual meeting, RIPE 1 declared the urgency of migrating to IPv6. According to them, only 2 to 4 years of addresses remain to be allocated. The risk for the average user is to see their ISP assign them a private address and NAT their connection, with all the problems that go with it…

IPv6 is already available to ordinary mortals via tunnels; in Belgium, sixxs offers tunnels with good performance. It is also possible to get a subnet of 2^80 addresses!! Unfortunately, very few ISPs (whether in Belgium or elsewhere) offer native IPv6.

Let’s hope this song will make people migrate en masse :)

Notes:

  1. Réseaux IP Européens