We Do It For the Children

I’m staying in a hotel chain in London only to find a firewall that throttles interesting stuff like BBC iPlayer and YouTube. I tried going to my VPN provider’s website, only to be told that the website is blocked to protect children and vulnerable people. What?! Meanwhile I have no trouble connecting to 4chan, because apparently they only care so much about children.

Of course Tor is blocked too, well, for other people; I got it to work anyway and now I’m writing this over it out of spite.

If I give them the benefit of the doubt, I would say that they want to keep bandwidth usage down, the best way to do that is to throttle the big streaming websites, and they want to close the loopholes by blocking ways around the throttling.

However, the explanation kills me: to help keep children and vulnerable people safe. So this provider says that it wants to help make the internet a better place by taking away the anonymity of trolls and online creeps? That makes no sense. Why even provide internet access at all? I think the real reason is the one above: they need to cut bandwidth costs, and that’s fine, but leave the nonsensical rhetoric out of it.

My Day with Fedora

I used Fedora 28 today for work instead of my usual OpenSUSE Leap 15 installation. Here’s how it went.

My setup:

  • Intel® Core™ i7-4500U CPU @ 1.80GHz × 2
  • 16 GB RAM
  • 250 GB SSD

Here’s the software that I needed for work today:

  • Synergy
  • LibreOffice > 6.0
  • Chromium Browser
  • Spotify
  • NFS
  • virt-manager
  • Graphical multi-tab text editor
  • Tilix
  • Pidgin
  • Hexchat
  • KeepassXC

I use Synergy as a virtual KVM between this machine and my home server that handles my storage, email, etc., and this brings us to our first real problem. The “Software” application in Gnome doesn’t list Synergy even when I search for it, and I was wondering if I would have to go download the RPM from its creator (I have a valid license so that’s not really a problem). I ran ‘dnf search synergy’ and there it was. If your software installation tool only covers “best of” software but not everything, then its usefulness is marginal at best.

I installed Synergy and when I ran it I received an error that I shouldn’t close it because there is no systray available. This is a pet peeve that I have with a lot of distros that use Gnome 3: either the systray isn’t enabled or it isn’t available at all. The fact is that a lot of applications still use it. Of the ones that I use, Synergy, Pidgin, KeepassXC, and Hexchat all fall into that category. I like having a clean work environment and being able to minimize apps to the systray helps with that. And so I said goodbye to the pure Fedora experience and installed Cinnamon (it also wasn’t available from the GUI software application) and the rest of the apps from the CLI.

Everything else went as expected. I didn’t have any more hiccups as long as I used the dnf command to install the apps. I mounted the directories from my home server to my workstation with NFS so I didn’t have to worry about data loss. I did notice lag from the time that some apps were launched until they were ready that I didn’t notice with OpenSUSE, but I didn’t do a real measurement so that was entirely subjective.

There really wasn’t anything keeping me from doing my work that couldn’t be worked around in a matter of minutes.

Suggestions for Fedora:

  • Bring back the systray into Gnome 3
  • Remember yumex? It was an awkward but very powerful graphical tool for Yum. Bring it back and make it your primary software installation tool.

I need a new open source project

A few years ago I wrote this rousing email about the Linux Documentation Project and made waves in a mailing list that had lain mostly dormant for years. After the list was rejuvenated, I set out to learn git, then to find pieces of Linux documentation all around the web and add them. The idea was to find a central place (i.e. TLDP) to store all of the documentation from here and there and then replicate that central store all over the globe for redundancy so it is never lost. I had big goals and then nothing really came of it.

sigh

Why did nothing happen? 99% of it was me and my own laziness/busyness/etc. The other 1% was that there isn’t a community there. The mailing lists are dead. The wiki is never updated. New documents are rarely added and old ones are never retired (not deleted, just retired). I felt almost alone in this huge wasteland of a site with so much potential.

I need a new open source project

I want to find a project that I can help with, can make a difference in, and that has a community that is actively working in it.

I have a few projects in mind. I’ll post more when I make a decision.

Adventures with Kubeadm on OpenSUSE Kubic

This video is a little kludgy. It was literally my first time putting together the cluster, and if you watch to the end, it doesn’t actually work: none of the worker nodes are usable. Hopefully that will be fixed soon.

linux-3q2c:~ # kubectl get nodes
NAME         STATUS     ROLES     AGE       VERSION
linux-3q2c   NotReady   master    3m        v1.11.1
linux-fykp   NotReady   <none>    1m        v1.11.1
linux-gbv8   NotReady   <none>    51s       v1.11.1

In the meantime, thanks to this post, I’ve reinstalled with cri-o and now have a fully functional cluster.

jsevans@jserver:~> kubectl get nodes
NAME         STATUS    ROLES     AGE       VERSION
linux-3q2c   Ready     master    2h        v1.11.1
linux-fykp   Ready     <none>    1h        v1.11.1
linux-gbv8   Ready     <none>    1h        v1.11.1

What have I been doing with my new cluster?

I installed the Kubernetes dashboard, Helm, and WordPress with Helm. I’ve also had to really dig into what it means to use RBAC. In CaaS Platform 1-3, a lot of the RBAC work was already done for you. Now I’ve had to specifically set up RBAC to get the Dashboard credentials working as well as to get Tiller working. It’s a learning experience and it’s good to get these fundamentals down pat.

LattePanda

I picked up a new toy this week to replace my aging and rarely-used Raspberry Pi 3 (original). It came with Windows 10 already on it and I immediately went to the forums for a howto on installing Linux. There is a guide on how to install Ubuntu 16.04 but it seems to require a lot of extra steps (special kernel, etc.). I figured it couldn’t hurt to try it with OpenSUSE. At worst it would fail and I would be left with Ubuntu.

To my surprise, it worked and it was easier than the steps that were provided. The thing with the LattePanda is that it is UEFI-only.  There is no legacy boot mode so if your distro doesn’t have a UEFI-enabled installer, then you are out of luck.

Edit: It’s not just UEFI-only, it’s Trusted UEFI-only. That means that if your distro doesn’t have a trusted EFI key, then the BIOS won’t even recognize it. Canonical/Ubuntu, Red Hat/CentOS/Fedora, and SUSE/OpenSUSE have trusted EFI keys and work. Mostly, I think, because they have corporate sponsorship and a vested interest in working with hardware vendors.

Here are the basic steps:

  1. Flash the “Ubuntu” BIOS (this will allow you to boot the Linux USB key).
  2. Burn the OpenSUSE ISO to a USB 3.0 key.
  3. When trying to boot with the key, it froze when the installer brought up the GUI.
    Workaround: Reboot and add “textmode=1” to the boot loader for the installer.
  4. Install using the ncurses installer. It’s a little clunky but all of the options are there.
  5. Reboot after the installer finishes. Everything is as it should be. No more freezes, no special kernel, everything works great.

One last thing. The LattePanda has both HDMI and composite. Linux assumes composite out is Display 1 and HDMI is Display 2. If you are running headless, then this is fine. If not, you will need to configure your desktop environment to disable Display 1. I tend to use the i3 desktop for work and this was easy for me to work around. It can be a hassle for others. I think this will be the case no matter which distro you use.

Fixing Archive.org’s PDFs

Here’s the webpage for a very early edition of Huckleberry Finn. If you open the PDF using a modern PC or tablet, it will look fine though a little slow to load. If you open it on your Kindle, Nook Color, or some other older Ebook reader that displays PDFs, you’re in for a shock.

Each page in these PDFs is actually 3 images. When put together by a modern PDF reader, they make one nice scanned PDF page. If you’re not using a modern reader, you see all 3 layers separately. This makes the book unreadable. Even if you are using a modern reader, these PDFs have a noticeable lag compared to other documents because the reader is loading 3 images per page.

This guide shows you how to eliminate the first two images and reverse the third image to be white on black. Will this 100% fix the book? No. However, if you value text over presentation, it does make the book readable on any device, including the good old E-ink Kindle.

Step 1. Install the applications (OpenSUSE)

sudo zypper in pdfmod imagemagick pandoc grename

Step 2. Convert the PDF to images. Create a directory for the files to go to first:

mkdir huck
pdfimages huckleberry.pdf huck/

Step 3. The files that are created are all named -xxx.ppm and -xxx.pbm, and Bash doesn’t like the leading hyphen. I use grename to rename every file so that none of them begins with a hyphen.

Step 4. cd to the directory and delete the extra image files:

cd huck
rm *.ppm

Step 5. Reverse the images of the .pbm files. This will create a new copy of the files with inverted colors.

for i in *; do convert -monochrome -colors 2 -depth 1 -negate "$i" "in-$i"; done

Step 6. Move the completed files to a new directory and delete the originals

mkdir finished
mv in* finished/
rm *.pbm

Step 7. cd to the finished directory and create a new pdf. This will take time and may freeze your computer. Be patient.

cd finished
convert `ls -v` huck_bw.pdf

Step 8. Shrink your newly created PDF because it is far too large right now.

gs -sDEVICE=pdfwrite -dCompatibilityLevel=1.4 -dPDFSETTINGS=/screen \
-dNOPAUSE -dQUIET -dBATCH -sOutputFile=huck_bw_final.pdf huck_bw.pdf

Your new PDF is complete. It is not as pretty as the original but it is more handy.
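The eight steps above rolled into one script, as an added example that is not part of the original post. It assumes the same tools are installed (pdfimages from poppler-tools, ImageMagick’s convert and Ghostscript’s gs), uses placeholder file names, and sidesteps Step 3 by giving pdfimages a filename prefix so that no file ever starts with a hyphen:

```shell
#!/bin/sh
# Added example, not from the original post: Steps 2 to 8 above as one script.
# Assumes pdfimages (poppler), convert (ImageMagick) and gs (Ghostscript) are
# installed; the input and output file names are placeholders.
set -eu

# Refuse to start if a tool is missing, rather than failing halfway through.
require_tools() {
    for t in "$@"; do
        command -v "$t" >/dev/null 2>&1 || { echo "missing tool: $t" >&2; return 1; }
    done
}

# Step 3 exists because "pdfimages book.pdf huck/" names the files
# "huck/-000.pbm", and every tool then reads them as options. Giving
# pdfimages a real filename prefix makes the rename step unnecessary.
extract_images() {                # extract_images book.pdf huck
    mkdir -p "$2"
    pdfimages "$1" "$2/page"      # huck/page-000.ppm, huck/page-001.pbm, ...
}

# Natural sort of the .pbm pages (page-010 after page-009) without parsing
# `ls -v` output; one path per line.
sorted_pbms() {                   # sorted_pbms huck
    find "$1" -maxdepth 1 -name '*.pbm' | sort -V
}

# Step 5: invert every 1-bit text layer into a second directory.
invert_pages() {                  # invert_pages huck huck/finished
    mkdir -p "$2"
    sorted_pbms "$1" | while IFS= read -r f; do
        convert "$f" -monochrome -colors 2 -depth 1 -negate "$2/$(basename "$f")"
    done
}

# Steps 7 and 8: one PDF from the sorted pages, then Ghostscript shrinks it.
# Word-splitting $(...) is safe here: the names are ours, with no spaces.
build_pdf() {                     # build_pdf huck/finished huck_bw_final.pdf
    convert $(sorted_pbms "$1") "$1/huck_bw.pdf"   # slow on a long book
    gs -sDEVICE=pdfwrite -dCompatibilityLevel=1.4 -dPDFSETTINGS=/screen \
       -dNOPAUSE -dQUIET -dBATCH -sOutputFile="$2" "$1/huck_bw.pdf"
}

main() {                          # main huckleberry.pdf huck_bw_final.pdf
    require_tools pdfimages convert gs
    extract_images "$1" huck
    rm -f huck/page-*.ppm         # Step 4: the colour layers are not needed
    invert_pages huck huck/finished
    build_pdf huck/finished "$2"
}

if [ "$#" -eq 2 ]; then main "$@"; fi
```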

I then use pdfmod to edit the metadata so the ebook is easier to work with in calibre.

I’d be very interested to hear if anyone has found a better way to do this with open source software that retains the color of the original but without the multiple layers.

Create a complete Tor Onion Service with Docker and OpenSUSE (EXPANDED)

I wrote this presentation on the weekends in April and May and it didn’t have quite the details that I wanted to put into it. Mostly I wanted it to be short and engaging. Putting in every detail that I wanted would have (I thought) been long and boring. I would like to take the time here to expand on what went into the presentation and make it a little more interesting.

I don’t really like these diagrams. They already existed on torproject.org and were made by the EFF, but they’re too high-level and they don’t really tell the story that I wanted to tell. The actual description of how onion services work is here: https://www.torproject.org/docs/onion-services.html.en

I could have done a better job than what I did. The way that I prefer to describe it is like this:

After configuring your /etc/tor/torrc file, you run systemctl start tor and the local Tor daemon reaches out to the Tor network and lets it know that you are running a local onion service. This creates a two-way link between your machine and the Tor network which is UDP traffic rather than TCP/IP, as the Tor network never sees your actual local IP.

If I’m honest with myself, this is still pretty weak, but it’s better than what I had. The best thing would have been to take the information from the Tor website almost verbatim and make slides, but I didn’t do that.

I glossed over this when I should have made more slides to help fill out the presentation. The brief anecdotes really touch on a lot of the reasons why I think people should be using onion services, such as:

Being in the spotlight might just mean having a job where people know who you are. No matter who you are, there is a good chance that your political ideas will offend someone. Personally, I keep a strict no religion/no politics policy for myself at work. I just nod my head to everyone like I agree and/or understand. At home, it’s a different story. I am a political person and I care deeply about politics but I don’t want that interfering with my role at my company and I’m not alone. This is the point that would have had more punch than what I made and would have been a better case study on why onion sites are useful and needed.

The first two should have been one topic and the last should have been a callback to a better description of how onion routing and encryption work.

[Screenshot: Silk Road marketplace item screen]

Nefarious websites such as Silk Road and the Playpen were better case studies on how onion services are misused.

Finally, I think more details on how the docker-compose files are built would have been useful, as well as some hands-on interaction. Those files are all on my GitHub, but I ran through them so quickly that I didn’t really give the audience time to see them during the presentation.

What is a CVE and How Can It Benefit Me?

Like a lot of the things that I write here, this is a question that came up in a ticket that I worked on recently. A customer received a message like this:

Samba is a freely available file- and printer-sharing application maintained and developed by the Samba Development Team. Samba allows users to share files and printers between operating systems on UNIX and Windows platforms. Samba is prone to a security-bypass vulnerability because it fails to properly enforce SMB signing when certain configuration options are enabled. Successfully exploiting this issue may allow attackers to bypass security restrictions and perform unauthorized actions by conducting a man-in-the-middle attack. This may lead to other attacks. The following versions are vulnerable: Samba 3.0.25 through 4.4.15; Samba 4.5.x versions prior to 4.5.14; Samba 4.6.x versions prior to 4.6.8.

This doesn’t actually tell us a lot. I could ping one of the Samba developers and ask them if they are aware of this vulnerability, if we’ve ever patched it, and if not, what its status is. That could mean a lot of time waiting for a reply and take time out of the developer’s day to answer a fairly straightforward customer service question. However, there is an easier way.

When a software vulnerability is detected, it is reported as a CVE (Common Vulnerabilities and Exposures) number for that specific application. In this case, I found the CVE number that best matched the description that I was given and I was able to show the customer that we had patched it and which patch it was in.

One famous example was the “Heartbleed Vulnerability” from a few years ago, which is CVE-2014-0160. SUSE retains a list of all CVEs that we review and patch here: https://www.suse.com/security/cve/. As you can see here: https://www.suse.com/security/cve/CVE-2014-0160/, Heartbleed was patched in all versions of SLE 11 and 12 as well as OpenSUSE 12, 13, Leap, and Tumbleweed.

For those concerned about their system’s security, CVEs are a great way to make sure that newly found vulnerabilities have been patched in their OS of choice.

About Patching: What is a Patch in SLE and OpenSUSE?

A while back I wrote a post on why you should patch your servers. I think it surprised some people. I got at least one comment from Twitter saying, “I’m surprised you get so many tickets on this topic since security is so important in enterprise server environments.” And yet, we do. At any given time, we have multiple tickets asking for an RCA (Root Cause Analysis) for a server crash or hang when the server has not been patched in months, years, or even ever. Sometimes they never register the server to receive patches and so never patch their server beyond what is in the base version that we ship in the beginning.

This post isn’t to complain. It’s to help alleviate the problem. The first step is to discuss what patches are and what they do. Using a SUSE Customer Center (SCC) account, you can go to https://scc.suse.com/patches to view detailed information on all of our patches. I can get a list of them so far using this command:

jsevans@linux-rtf9:~> sudo zypper patches
Refreshing service 'Containers_Module_12_x86_64'.
Refreshing service 'SUSE_Linux_Enterprise_Server_12_SP2_x86_64'.
Refreshing service 'SUSE_Package_Hub_12_SP2_x86_64'.
Loading repository data...
Reading installed packages...
Repository | Name | Category | Severity | Interactive | Status | Summary
--------------------------------+-----------------------------------------+-------------+-----------+-------------+------------+----------------------------------------------------------------------------------
SLES12-SP2-Updates | SUSE-SLE-SERVER-12-SP2-2017-990 | security | important | --- | needed | Security update for glibc
SLES12-SP2-Updates | SUSE-SLE-SERVER-12-SP2-2017-994 | security | critical | reboot | needed | Security update for the Linux Kernel
SLES12-SP2-Updates | SUSE-SLE-SERVER-12-SP2-2017-998 | security | important | --- | not needed | Security update for openvp

As you can see, I need to apply three patches to this server. Since the patch “SUSE-SLE-SERVER-12-SP2-2017-994” is listed as a critical update, we’ll review what makes it so important:

jsevans@linux-rtf9:~> zypper patch-info SUSE-SLE-SERVER-12-SP2-2017-994
Loading repository data...
Reading installed packages...



Information for patch SUSE-SLE-SERVER-12-SP2-2017-994:
------------------------------------------------------
Repository : SLES12-SP2-Updates
Name : SUSE-SLE-SERVER-12-SP2-2017-994
Version : 1
Arch : noarch
Vendor : maint-coord@suse.de
Status : applied
Category : security
Severity : critical
Created On : Mon 19 Jun 2017 05:28:39 PM CEST
Interactive : reboot
Summary : Security update for the Linux Kernel
Description :

The SUSE Linux Enterprise 12 SP2 kernel was updated to receive various security and bugfixes.



The following security bugs were fixed:

- CVE-2017-1000364: The default stack guard page was too small and could be "jumped over" by userland programs using
 more than one page of stack in functions and so lead to memory corruption. This update extends the stack guard page
 to 1 MB (for 4k pages) and 16 MB (for 64k pages) to reduce this attack vector. This is not a kernel bugfix, but a
 hardening measure against this kind of userland attack.(bsc#1039348)

The following non-security bugs were fixed:

- There was a load failure in the sha-mb encryption implementation (bsc#1037384).
Provides : patch:SUSE-SLE-SERVER-12-SP2-2017-994 = 1
Conflicts : [10]
 kernel-default.nosrc < 4.4.59-92.20.2
 kernel-default.x86_64 < 4.4.59-92.20.2
 kernel-default-base.x86_64 < 4.4.59-92.20.2
 kernel-default-devel.x86_64 < 4.4.59-92.20.2
 kernel-devel.noarch < 4.4.59-92.20.2
 kernel-macros.noarch < 4.4.59-92.20.2
 kernel-source.noarch < 4.4.59-92.20.2
 kernel-source.src < 4.4.59-92.20.2
 kernel-syms.src < 4.4.59-92.20.2
 kernel-syms.x86_64 < 4.4.59-92.20.2

In other words, this patch was written to avoid a possible security issue from a rogue application.

For a quick and easy way to review what patches are needed for your system, simply run:

zypper patches | grep needed | grep -v "not "

To view the complete summary of all of your needed patches, you can run:

for i in $(zypper lp | grep needed | grep -v "not " | awk '{ print $3 }'); do zypper patch-info "$i"; done

If you haven’t patched in a while, this can be a lot of information. However, if you need to justify why you should patch, this is a great way to summarize the information. Another option is to visit https://www.suse.com/support/update/ which is a web-based repository for specific packages with much of the same information.
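As an added example (not from the original post), here is the same summary done by splitting the zypper table on its “|” separators and comparing the Status column exactly, so the “not needed” rows cannot slip through a plain grep for “needed”. The input is the three rows shown above, embedded as a constructed sample with a shortened separator line so the script runs offline:

```shell
#!/bin/sh
# Added example, not from the original post: parse the table printed by
# `zypper patches` and list only the patches whose Status is exactly
# "needed". The sample below is the three rows shown in the post, embedded
# here (separator line shortened) so that this runs without zypper.

SAMPLE='Loading repository data...
Reading installed packages...
Repository | Name | Category | Severity | Interactive | Status | Summary
---------+-----------+----------+----------+----------+----------+---------
SLES12-SP2-Updates | SUSE-SLE-SERVER-12-SP2-2017-990 | security | important | --- | needed | Security update for glibc
SLES12-SP2-Updates | SUSE-SLE-SERVER-12-SP2-2017-994 | security | critical | reboot | needed | Security update for the Linux Kernel
SLES12-SP2-Updates | SUSE-SLE-SERVER-12-SP2-2017-998 | security | important | --- | not needed | Security update for openvp'

# needed_patches: table on stdin -> "NAME SEVERITY INTERACTIVE" per needed row.
# Columns are split on "|" and trimmed, so the Status comparison is exact and
# the "Loading..." / "Reading..." lines (no "|") are ignored.
needed_patches() {
    awk -F'|' '
        NF < 7 { next }                                  # not a table row
        { for (i = 1; i <= NF; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i) }
        $2 == "Name" { next }                            # header row
        $6 == "needed" { print $2, $4, $5 }'
}

# reboot_patches: the subset of needed patches flagged "reboot" in the
# Interactive column, i.e. the ones that need a maintenance window.
reboot_patches() {
    needed_patches | awk '$3 == "reboot" { print $1 }'
}

# count_needed: how many patches still have to be applied.
count_needed() {
    needed_patches | wc -l | tr -d ' '
}

# Offline demo on the sample. On a live SLES box feed `zypper patches`
# instead, e.g. to read every needed patch's description as in the loop above:
#   zypper patches | needed_patches | while read -r name _; do zypper patch-info "$name"; done
printf '%s\n' "$SAMPLE" | needed_patches
```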

In my next post, I’ll discuss ways to intelligently apply patches to minimize downtime. In the meantime, here are some more resources.