Odi's astoundingly incomplete notes

After running some updates I noticed that sshd (including active sessions) were somehow killed sometimes. After much debugging I found the reason: udev and cgroups. It looks like udev can send kill signals to all members of its cgroup if it thinks that it's a systemd system. But on OpenRC systems that just does a lot of harm.

That udev triggering happens for example during:

• grub-install
• startup of qemu with kvm

The problem occurs after restarting udev with: /etc/init.d/udev -D restart. The culplrit being the -D flag. The flag causes cgroups to be not set. So udev ends up in the main cgroup!

Note the absent udev directory under /sys/fs/cgroup/openrc

This also explains why the problem is fixed by a reboot.

posted on 2019-04-08 08:37 CEST in Code | 0 comments | permalink

iptables -t mangle -A INPUT -i eth0 -d 255.255.255.255 -j TEE --gateway 10.1.1.255

The above iptables rule copies broadcast traffic received on the eth0 network interface to another network interface (the one whose broadcast address is 10.1.1.255). Note that this is one-way only. We can't add a second rule for the other direction without creating an infinite packet loop. We need to play tricks with the TTL for that!

Incoming broadcast packets typically have a TTL of 64 or 128. TEE uses the kernel function nf_dup_ipv4() to copy the packet, which already decrements the TTL if the rule is in INPUT or PREROUTING. Note that a packet with TTL=0 will still be accepted by the destination, but will no longer be routed. But TEE itself does not check for TTL=0 and happily copies such packets. So we need to prevent that too, since what we do is effectively routing.

The improved rule adds TTL sanity check:

iptables -t mangle -A INPUT -i eth0 -d 255.255.255.255 -m ttl --ttl-gt 0 -j TEE --gateway 10.1.1.255

If we want to add a rule for the other direction as well...

iptables -t mangle -A INPUT -i eth1 -d 255.255.255.255 -m ttl --ttl-gt 0 -j TEE --gateway 10.1.0.255

then we easily create a packet loop, since the copy of a packet on eth0 will now also match the rule on eth1. To prevent that we need to ensure that the copied packet has TTL=0. We can do that by simply setting the TTL=1 of all incoming broadcasts before passing them to TEE. Then no more loops should occur. The complete rule set for merging a broadcast domain across networks is then:

iptables -t mangle -A INPUT -i eth0 -d 255.255.255.255 -m ttl --ttl-gt 0 -j TTL --ttl-set 1
iptables -t mangle -A INPUT -i eth1 -d 255.255.255.255 -m ttl --ttl-gt 0 -j TTL --ttl-set 1
iptables -t mangle -A INPUT -i eth0 -d 255.255.255.255 -m ttl --ttl-gt 0 -j TEE --gateway 10.1.1.255
iptables -t mangle -A INPUT -i eth1 -d 255.255.255.255 -m ttl --ttl-gt 0 -j TEE --gateway 10.1.0.255

Make sure to monitor your broadcast traffic to detect any misconfiguration after that change:

tcpdump -vnpi eth0 ip broadcast

posted on 2018-12-18 18:36 CET in Code | 0 comments | permalink

Add Unix groups to CUPS:
/etc/cups/cups-files:

SystemGroup lpadmin root

Set permissions to access the local secret:

chgrp -R lpadmin /run/cups/certs

This directory contains a secret that is read by CUPS utilities like cupsenable. They pass that secret in HTTP Authorization headers to the local HTTP socket when sending command.

Add your user to that group:

usermod -a -G lpadmin myuser

posted on 2018-10-29 15:48 CET in Code | 0 comments | permalink

Be careful when doing something stupid!

CNAME records are useful. Especially together with external hosting services.
You run your domain and control DNS yourself but you host a website on an external service. They manage the IP of that site and give you a name that may look like examplesite383.hostingprovider.biz and already points to the correct IP. You want to map it into your DNS zone with a nice name like www.fancyproduct.com so creating a CNAME that points tha name www to your hosting provider's name is a practical way to go. You also want to do the same without the www prefix, but mind you! Creating a CNAME for fancyproduct.com would redirect the complete zone to a different one!

Never create a CNAME record for the zone name!

Also when caches start picking up the SOA information of the wrong zone, they apply the TTL values of that zone. So getting control of your zone back may not be easy and is not under your control anymore.

Also any secondary DNS server will pickup the zone redirect and may completely stop updating the zone from your authorative server. You need to manually fix that on the secondary DNS!

posted on 2018-10-02 10:01 CEST in Code | 0 comments | permalink

If your Oracle database does not register with the listener, you get ORA-12505. Normally the DB registeres automatically after a while. But you can force it to do that.

As SYS:

ALTER SYSTEM REGISTER;

However, if it did not register automatically, chances are that this does not help either.

Check the listener status:

lsnrctl status

Check the listener's log file (filename is in the status output).

Check which listener the DB wants to register with:

select name, value from v$parameter where name in ('local_listener', 'remote_listener');

This gives you a TNS name. Check that this TNS name is defined in $ORACLE_HOME/network/admin/tnsnames.ora Such an entry looks like:

LISTENER_SID = (ADDRESS = (PROTOCOL = TCP)(HOST = oracle.example.com)(PORT = 1521))

posted on 2018-09-12 15:09 CEST in Code | 0 comments | permalink

In Oracle 12.2.0.1 the following call leaks an imageio file in /tmp. Not nice.

ORDImage.processCopy(pImageBlob, 'maxscale='100 100', destBlob);

posted on 2018-08-29 13:38 CEST in Code | 0 comments | permalink

Have you ever seen GUI code that has no leaks? Me neither.

posted on 2018-08-20 11:14 CEST in Code | 0 comments | permalink

Are they sure they want to run all sorts of crap as root without any limits?

top - 15:12:11 up 12 min,  1 user,  load average: 98.10, 40.27, 17.04
Tasks: 271 total, 112 running, 159 sleeping,   0 stopped,   0 zombie
%Cpu(s): 17.0 us, 81.7 sy,  0.0 ni,  0.0 id,  0.0 wa,  0.7 hi,  0.6 si,  0.0 st
GiB Mem :    0.113 total,    0.008 free,    0.066 used,    0.039 buff/cache
GiB Swap:    2.000 total,    1.801 free,    0.199 used.    0.006 avail Mem

  PID USER      PR  NI    VIRT    RES %CPU %MEM     TIME+ S COMMAND                                                             
 8000 root      20   0   61.2m   4.8m  1.1  4.2   0:00.79 R synoscgi_SYNO.Core.Package.Thumb.Server_1_get                       
 8014 root      20   0   61.2m   4.8m  1.1  4.2   0:00.79 R synoscgi_SYNO.Core.Package.Thumb.Server_1_get                       
 8020 root      20   0   61.2m   4.8m  1.1  4.2   0:00.80 R synoscgi_SYNO.Core.Package.Thumb.Server_1_get                       
 8022 root      20   0   61.2m   4.8m  1.1  4.2   0:00.78 R synoscgi_SYNO.Core.Package.Thumb.Server_1_get                       
 8024 root      20   0   61.2m   4.8m  1.1  4.2   0:00.78 R synoscgi_SYNO.Core.Package.Server_1_get_timestamp                   
 8025 root      20   0   61.2m   4.8m  1.1  4.2   0:00.85 R synoscgi_SYNO.Core.Package.Thumb.Server_1_get                       
 7994 root      20   0   61.2m   4.8m  1.1  4.2   0:00.74 R synoscgi_SYNO.Core.Package.Thumb.Server_1_get                       
 7995 root      20   0   61.2m   4.8m  1.1  4.2   0:00.85 R synoscgi_SYNO.Core.Package.Thumb.Server_1_get    

posted on 2018-08-16 15:16 CEST in Code | 1 comments | permalink

Gentoo has given more love to its sys-firmware/intel-microcode package. It's now easier than ever to update microcode automatically early on boot. This is a valuable alternative to shipping microcode within the BIOS. I mean honestly, who regularly checks for BIOS updates? Much easier by doing that through an ebuild.

The new USE flag initramfs now builds a cpio archive at /boot/intel-uc.img ready to be used by grub. In /boot/grub/grub.cfg:

menuentry 'Gentoo Linux 4.14' {
  root=hd0,1
  linux /boot/linux-4.14.12 root=LABEL=ROOT ro rootfstype=ext4 net.ifnames=0
  initrd /boot/intel-uc.img /boot/initrd.img
}

Note how the microcode intitramfs is simply prepended to the boot initramfs (initrd). A kernel that has microcode laoding support enabled will find it there, upload the microcode into the cpu and then discard the initramfs blob, and continue booting with the initrd.img. The first line in your dmesg output will show:

microcode: microcode updated early to revision 0x80, date = 2018-01-04

posted on 2018-01-15 10:10 CET in Code | 0 comments | permalink

Gentoo has new profiles that require you to "recompile everything". That is technically not really necessary. Only static libraries really need recompiling.

Here is why:
A static library is just an archive of .o files (similar to tar), nothing more, and linking against a static library is roughly the same as just adding more .o files to the linker line. You can also link a static library into a shared library - the code in the static library is then just copied into the shared library (but the code then must be compiled with -fPIC, as with all other code that is used in shared libraries).

You can find static libs like so:

equery b $(find /usr/lib/ /lib/ -name *.a) | awk '{ print $1; }' | sort | uniq

Typically this yields packages like elfutils, libbsd, nss, iproute2, keyutils, texinfo, flex, db, numactl.


posted on 2017-12-07 11:59 CET in Code | 0 comments | permalink