systemd integration in the “ps” command

In Debian, since version 2:3.3.10-1, the procps package has the systemd integration bits enabled. This means that now the “ps” command can display which (user) unit has started a process or to which slice or scope it belongs.

For example with the following command:

ps -eo pid,user,command,unit,uunit,slice

Debian GNOME/systemd sprint

Last weekend was pretty busy, as we had our first joint Debian GNOME/systemd sprint. 10 people gathered at the office of my employer, Inuits, in Antwerp to work together on GNOME and systemd integration in Debian.

I worked mainly on GNOME packages, helping with transitions and packaging new bits for the GNOME 3.12 release. We also discussed a lot of things like the switch of the team repository from svn to git and the version of GNOME that we are planning to ship in Jessie.

I really think this was a very constructive sprint and such events should happen more often; we have already planned to do this again near the release of 3.14.

The full log of the sprint can be found at: https://lists.debian.org/debian-devel-announce/2014/05/msg00001.html

Hide partitions in nautilus

If you want to hide a partition in nautilus (which uses udisks2), you can do that easily by setting the UDISKS_IGNORE environment variable to 1 in a udev rules file.

The following example hides all the partitions that have a logical volume name ending in “-sbuild”:

$ cat /etc/udev/rules.d/99-hide-lv-udisks.rules
ENV{DM_LV_NAME}=="*-sbuild", ENV{UDISKS_IGNORE}="1"

After that, you need to run “udevadm trigger” as root; the disks should then immediately disappear from nautilus.

You can use “udevadm info” to see the different environment variables that could be used to identify a disk/partition.

 

Add a new CA certificate to the certificates stash in Debian

A few days ago, the CAcert root certificates were removed from the ca-certificates package. While there was a discussion about whether it should be trusted by default in Debian, let’s see here how an administrator can trust CAcert again (or any other CA certificate).

In Debian, the certificates stash is located in /etc/ssl/certs/. By default, this directory contains a series of symlinks that point to the certificates installed by the ca-certificates package (including the needed symlinks generated by c_rehash(1)) and a ca-certificates.crt file, which is a concatenation of all these certificates. Everything is managed by the update-ca-certificates(8) command, which takes care of updating the symlinks and the ca-certificates.crt file.

Adding a new (CA) certificate to the stash is quite easy, as update-ca-certificates(8) also looks for files in /usr/local/share/ca-certificates/. The administrator just has to place the new certificate in PEM format in this directory (with the .crt extension) and run update-ca-certificates(8) as root. All the applications on the system (wget, …) should now trust it.
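
A pre-install check for the procedure above, as an added example that is not part of the original post: it enforces the .crt extension and PEM format, compares the certificate’s SHA-256 fingerprint with one obtained out of band, and only then copies the file and runs update-ca-certificates(8). The function names, the expected-fingerprint argument and the optional destination directory are assumptions of this example.

```shell
#!/bin/sh
# Added example: vet a CA certificate before adding it to the local stash.
# Function names and arguments are hypothetical, not part of ca-certificates.

LOCAL_CA_DIR=/usr/local/share/ca-certificates

# SHA-256 of the DER bytes of the first certificate in a PEM file, lowercase
# hex (the digest "openssl x509 -noout -fingerprint -sha256" reports).
pem_sha256() {
    sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' "$1" |
        sed '/^-----END CERTIFICATE-----/q' |
        grep -v '^-----' | tr -d '\r' | base64 -d | sha256sum | cut -d' ' -f1
}

# Usage: stage_ca_cert FILE EXPECTED_SHA256 [DEST_DIR]
# Copies FILE into DEST_DIR and returns 0 only if every check passes.
stage_ca_cert() {
    cert=$1
    expected=$(printf '%s' "$2" | tr -d ':' | tr 'A-F' 'a-f')
    dest=${3:-$LOCAL_CA_DIR}

    # update-ca-certificates only picks up files ending in .crt
    case $cert in
        *.crt) ;;
        *) echo "refusing $cert: name must end in .crt" >&2; return 1 ;;
    esac
    # The procedure requires PEM; a DER (binary) file has no such header
    if ! grep -q '^-----BEGIN CERTIFICATE-----' "$cert"; then
        echo "refusing $cert: not PEM encoded" >&2; return 1
    fi
    # One CA per file keeps each trust decision explicit
    if [ "$(grep -c '^-----BEGIN CERTIFICATE-----' "$cert")" -ne 1 ]; then
        echo "refusing $cert: expected exactly one certificate" >&2; return 1
    fi
    actual=$(pem_sha256 "$cert")
    if [ "$actual" != "$expected" ]; then
        echo "refusing $cert: fingerprint $actual does not match" >&2; return 1
    fi
    install -m 0644 "$cert" "$dest/" || return 1
    # Rebuild the symlinks and ca-certificates.crt only for the real directory
    if [ "$dest" = "$LOCAL_CA_DIR" ]; then
        update-ca-certificates
    fi
}
```

The expected fingerprint should come from a channel other than the one that delivered the certificate file; colons and uppercase hex are accepted.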

Managing /etc/network/interfaces with puppet and augeas

First blog post for a long time; let’s try to post interesting stuff I find during my work as a GNU/Linux system administrator at Inuits.

I was looking for a clean and easy way to manage network interface configuration on Debian-like systems (the /etc/network/interfaces file) using Puppet.

Puppet currently doesn’t have a resource type to handle network interfaces, and unlike Redhat-like systems, where the network configuration is split into a different file per interface, the “interfaces” configuration file under Debian is monolithic, making it difficult to manage.

So here comes Augeas to the rescue. Augeas is a configuration file parser that maps a configuration file into a tree. Puppet provides a native resource type for it that you can use in your Puppet recipes.

Let’s say you want to generate the following stanza in “/etc/network/interfaces” (this creates a bond interface):

auto bond0
iface bond0 inet static
    address 192.168.110.42
    netmask 255.255.255.0
    network 192.168.110.0
    gateway 192.168.110.240
    slaves eth0 eth1
    bond_mode active-backup
    bond_miimon 100
    bond_downdelay 200
    bond_updelay 200

You can define the following resource:

augeas{ "bond_interface" :
    # All paths in "changes" are relative to this file's tree
    context => "/files/etc/network/interfaces",
    changes => [
        # "auto bond0" line
        "set auto[child::1 = 'bond0']/1 bond0",
        # "iface bond0 inet static" line; the path expression selects
        # the bond0 stanza, creating it if it does not exist yet
        "set iface[. = 'bond0'] bond0",
        "set iface[. = 'bond0']/family inet",
        "set iface[. = 'bond0']/method static",
        # Options of the bond0 stanza
        "set iface[. = 'bond0']/address 192.168.110.42",
        "set iface[. = 'bond0']/netmask 255.255.255.0",
        "set iface[. = 'bond0']/network 192.168.110.0",
        "set iface[. = 'bond0']/gateway 192.168.110.240",
        "set iface[. = 'bond0']/slaves 'eth0 eth1'",
        "set iface[. = 'bond0']/bond_mode active-backup",
        "set iface[. = 'bond0']/bond_miimon 100",
        "set iface[. = 'bond0']/bond_downdelay 200",
        "set iface[. = 'bond0']/bond_updelay 200",
    ],
}

and Puppet will take care of creating the resource and updating it. Be aware that the interfaces and options not managed by puppet are left untouched.

Hadopi made in Belgium

The Belgian senator Philippe Monfils (MR) presented a few weeks ago a project (in French) for a HADOPI (Haute autorité pour la diffusion des œuvres et la protection des droits sur internet)-like [1] law in Belgium. This law aims at condemning people who share copyrighted works without going to court. If an internet user’s connection is used for illegal filesharing, she will first receive a warning, then a fine. The third step proposes a limitation of bandwidth. The last one is the complete suppression of that person’s internet connection (but she still has to pay for that connection).

In practice, this raises a lot of questions and fears about the freedom to access the Internet, but also about the means used to prove the facts. An IP address isn’t enough to prove anything, considering how easy it is to break into a WiFi access point, even a secured one. It also raises the problem of a conviction that will affect a group of people (whole families, businesses, …) for the crime of a single person. There is also a chance of double penalty (the obligation to continue to pay the fees for a suspended Internet access), and there is also the possibility that somebody gets convicted for counterfeiting while his neighbour only gets a warning for the same infraction, thus breaking equal justice.

Also, will such a law really help artists (or the entertainment industry)? There is no proof that it will encourage people to buy more discs and, moreover, how can anybody buy anything from legal sources without internet access? What is sure is that this will cost a lot of money for results that are not proven.

Hadopi Mayonnaise is a group of concerned citizens who want to open the dialogue about this law. If you want to help them, you can visit the NURPA [2] website. They are currently looking for translations of both websites into Dutch.

Notes:

  1. HADOPI is the name of the law that has made a lot of noise in France
  2. the association behind Hadopi Mayonnaise

The Day The Routers Died…

Last week, at its biannual meeting, RIPE [1] declared the urgency of migrating to IPv6. According to them, only 2 to 4 years’ worth of addresses remain to be allocated. The risk for the average user is that their ISP assigns them a private address and NATs their connection, with all the problems that come with it…

IPv6 is already available to ordinary mortals via tunnels; in Belgium, sixxs offers tunnels with good performance. It is also possible to obtain a subnet of 2^80 addresses!! Unfortunately, very few ISPs (in Belgium or elsewhere) offer native IPv6.

Let’s hope this song will make people migrate en masse 🙂

Notes:

  1. Réseaux IP Européens

Shitty DRM

The other day, I was discussing with my mother the upcoming purchase of a DVD recorder. She absolutely wanted a recorder that also worked as a VHS player, so that she could transfer the tons of memories filmed with our good old camera. I was fiercely opposed to it. Besides the fact that the VHS format is, to me, dead [1], I was very afraid of the technical protection measures [2] of DVD recorders.

I start explaining to her, not without difficulty, that transferring the videos to DVD this way is dangerous for their longevity, that we won’t be able to do what we want with them, and that if she really wants to copy them to DVD, she would have to go through a computer. To which she replies that these are videos the family shot, not commercial videos. I explain to her that the recorder cannot tell the difference between the two and that it applies the “protection” without bothering with such details. To which she replies: “You can’t do anything the way you want anymore in this shitty country”.

This (true) example clearly shows that once people are made aware of the implications (of the existence) of DRM and other technical protection measures, they don’t want them and are hostile to them.

In conclusion, let’s inform people as much as possible and get them interested in the matter.

Notes:

  1. Just compare the number of offers for VHS recorders and for DVD recorders
  2. Technical protection measures (in French: Moyens Techniques de Protection, MTP)