Zakame::Blog

Off We Go...

2009-09-30T14:53:00Z

Arrived at Manila yesterday. At least in the parts we passed through (Pasay, Makati, and Malate,) everything seems back to normal, with almost no sign of the previous storm's havoc. And nary a raindrop in sight.

I'm staying at my cousin Deng's place, as usual with my Manila trips. We found it in a bit of chaos, as ondoy's flooding reached here, recalling the water being almost knee-deep. The water's gone now though, but a lot of things that were not brought up to the apartment's second floor are still wet. Hopefully they will be dry before the next storm comes in...

A little history: the last time I lived in Manila was in September 2006, when Orange & Bronze got me for a 3-month contract work on a project. At the time, I was fresh off my GSoC work, and I was raring to whet my skills as a software developer. That job gave me that opportunity, as well as opportunities to meet new friends, participate in a bit of commercial software development, and get used to Manila life again.

Then awhile later I got into the Morph Labs bandwagon to become its first Systems Administrator, working from Daet via telecommuting. It was here that I began the long road to unrecovery^H^H^H^H^H learning the ropes of being a sysadmin, building some cool stuff in the process as well as maintaining it.

Now, I'm back here in Manila, to work for Orange & Bronze again, but this time in a more permanent position, as Systems Administrator Lead. I look forward to reconnecting with my old pals as well as meet new ones, use the valuable experience I've had over the years in my new job, and get back to the long road of unrecovery^H^H^H^H^H building more cool stuff.

And I start doing that tomorrow. Good times ahead.

Help Ondoy Victims

2009-09-29T13:33:00Z

Hey $WORLD, Philippines needs your help!

We just got hit by ondoy, and there seems to be a couple more storms coming in.

You can help out via donations to the Red Cross/Red Crescent. If you have friends or family in Manila, you can check the RescueHub and Sahana lists for persons missing and in distress.

And lastly, pray to your $DEITY for us (or do what works best for you.)

UPDATE: Google is helping out too. The local Red Cross is also accepting donations.

UPDATE 2: There's a new site up with additional info on the relief efforts.

Moving to Manila, Take 2

2009-09-28T14:14:00Z

Ok, so I'm going ahead with my trip to Manila tomorrow, after my earlier delay. With a lot of relief efforts going on, I hope Manila's recovering now from Ondoy's onslaught. I'm both glad that the worst seems over, but sad for the loss of my fellow Filipinos, and worried about what seems to be more storms coming ahead.

Thanks to everyone praying for Manila's recovery, and for me and my companions' safety. I'll be offline the whole day tomorrow as we make the 9-hour trip. I hope nothing bad happens.

(Not) Moving to Manila

2009-09-27T14:57:00Z

So, I'm moving back to Manila tomorrow. I hope the flood's subsided by then.

UPDATE: Delaying this, after hearing some more news. I hope it gets better and not worse, as I hear there are a couple more storms coming in.

0x19

2009-09-22T15:22:00Z

zakame++;

I have much to be thankful for reaching a quarter-century, so me and my family went to Naga city to give thanks to $DEITY and our patron (which just had its 300th year feast this weekend.) This past year saw me moving on from my old job, doing odd bits here and there, and letting me rediscover my interests. And to top it off, I found a new job. :-)

I'm looking forward to what the next quarter-century brings to me, and what I could bring to it. I already have a few in the works ;)

Thanks, $WORLD!

vrms

2009-09-12T06:56:00Z

Got caught by a meme bug from Planet Ubuntu, so Mr vrms, here goes:

zakame@perlis:~/blog/memes$ vrms
               Non-free packages installed on perlis

autoconf-doc              automatic configure script builder documentation
emacs23-common-non-dfsg   GNU Emacs shared, architecture independent, non-DFSG i
firmware-iwlwifi          Binary firmware for Intel Wireless 3945, 4965 and 5000
make-doc                  Documentation for the GNU version of the "make" utilit

  4 non-free packages, 0.3% of 1524 installed packages.

This is on my laptop running Debian Sid. Here's my /etc/apt/sources.list:

deb http://ftp.us.debian.org/debian/ sid main
deb-src http://ftp.us.debian.org/debian/ sid main

I installed the non-free packages manually. As seen on the list, its just mainly non-free GFDL documentation for the GNU tools (oh, the irony,) and firmware files for perlis' Intel 3945 wireless. Interestingly, there's no corresponding -doc package for automake, due to its documentation having no invariant sections and cover texts, passing muster to vrms' (nee Debian's) interpretation of the GFDL.

New Server

2009-09-11T15:45:00Z

Site was down for almost a week, due to my provider being DDoSed. Email was broken more so as SMTP was the target, but it was rather odd that the data center decided to block outgoing SMTP connections from a block of IPs, where my VPS is unfortunately a member of.

I've since switched to a new provider. This makes my third OpenVZ VPS, though I was meaning to move on to Xen. At 6 US dollars a month though, it seems quite a bargain, so I'll have to see where this goes.

The move also afforded me to change some stuff under the hood. Apache is gone, replaced by nginx (although this required having blosxom running under a thttpd backend, until I can whip up a FastCGI equivalent.) BIND gave way to maradns, cutting down significant memory usage. And dropbear replaces the OpenSSH server. Exim 4 and dovecot remain though, as they seem to quite big (or small) enough for my purposes.

I'll document more about the changes in later posts. In the meantime, I need to catch up on emails and packaging...

Returning to the fold

2009-09-01T13:05:00Z

Hi again, blog. Its been a long time. Like, almost a year.

How was I? Great, I guess. Mostly out of touch with the rest of the worlds I used to visit, being at work, but after leaving work (and searching for a new one now,) that's going to change. Hopefully. :)

I've started by updating some stuff for Debian I should have updated long ago. In the process, I've reformatted my laptop to be Windows-free, containing only Debian sid and OpenBSD-current, and its been very pleasant so far.

I've also taken up a couple of new old stuff for Debian, fixing them up, and getting comfortable with their insides^Wcode. So much so that I'm even in the process of fixing a 5-year-old wishlist bug, although it still needs testing.

I'm looking forward to rejoining the communities I once missed, and maybe joining a new one too.

Broken Comment Posting Fixed; New #olpc-ph Grassroots Group

2008-09-24T00:31:00Z

Thanks to Wolfger for pointing out an HTTP 500 while trying to greet me by comment. :D I totally forgot about upgrading Net::Akismet to the new version that comes with my patch, as described previously. All the while I was thinking Net::Akismet was doing too good of a job keeping out comment spam, when it may as well have kept out all comments :( But its my fault, really.

Among other things, Jerome has finally started a new grassroots group for the OLPC effort here in the Philippines, fresh from the success at the recently-concluded SFD. There's now an IRC channel up too, with logs available locally (text-only, until I can set up a web and fileserver frontend.) I'm personally interested on running a port of Inferno and perhaps help out on the TODOs for it.

Turning 0x18

2008-09-23T16:37:00Z

zakame++;

There should be a picture of me above, following the Me(me), but its late. And I have to get up early tomorrow to catch the bus to Manila for next day's Cebu flight (work calls.)

I look forward to another roller-coaster year. This year had been a ride through new stuff mostly at work, picking up CentOS and Ruby along the way, although remaining faithful to my Perl roots. And quite recently, it has come back full circle with a renewed interest in Debian again. However, I've been also coming back at exploring Plan 9 from Bell Labs and Inferno, rekindling my lost interest in distributed systems and showing me just how bad Unix and friends have become (current meme: tell me why any xterms, mine or yours, has a baud rate, as told by stty.)

Still, I can't forget my roots; yesterday's "save" was a subtle reminder that I should come back to Debian again. I'll do what I can, and maybe learn something or two in the process ;) I guess that's how $DEITY works; always moving in indeterministic ways.

Ok, off to sleep...

Saving Tagalog from d-i Translations Removal

2008-09-21T10:01:00Z

Thanks to pabs's and bubulle's notice on both IRC and planet, I got wind on Tagalog's impending removal from the Debian-Installer translations. Having been quite inactive on my Debian work for a while, this provided me an opportunity to get back to it, even if it were only small stuff (compared to packaging.)

In the nick of time, I submitted updates to sublevels 1 (505 translations) and 2 (511 translations) of the d-i tl_PH translations; doing it twice due to my first run missing out the fuzzy translation strings. I was fortunate that the missing and fuzzy string needing translation weren't many; most of the work has already been done by pusakat and the rest of the Debian-TL team. Kudos for them on starting this in the first place!

There's still a lot of work to be done, and even in d-i itself there are the other sublevels needing Tagalog translation (3 and 5.) Kung may alam ka sa Tagalog at gusto mong gamitin itong wika sa Debian, wag mahiyang kunin ang mga talakdang kailangang isalin! Others (even fellow Filipinos) may find it impractical, but I think its a worthwhile effort, to make it as accessible as possible to our fellowmen having difficulties in English.

All in all, it feels good to contribute again. :)

Making Net-Akismet play with TypePad AntiSpam

2008-06-04T10:18:00Z

I've been getting a lot of blog spam lately; it appears that Akismet is slipping. Fortunately, there's a new Akismet-compatible alternative at TypePad AntiSpam which I read about from Justin Mason's post. And it being perl, I decided to try it out here on my blog (never mind it being Blosxom, as long as it uses Frank Hecker's feedback plugin that in turn uses Net::Akismet.

But alas, the current version of Net::Akismet doesn't support user-supplied REST endpoints, so I added it, and promptly filed a report on the CPAN. Hopefully it gets included in the next release very soon.

As for the Blosxom feedback plugin, tweaking it to use the new feature in Net::Akismet was a cinch, so only the real test (of incoming spam filtered by TypePad) remains. Hopefully it does work.

[PS: Looks like the first line in blosxom posts don't like package-like names such as Net::Akismet (during editing my blog title disappeared on the render!) Needs to be looked at later...]

Where's the Open?

2008-05-14T11:31:00Z

Ok, so it seems that the whirlwind on OpenSSL has settled down a bit. Posts about it are coming from everywhere, ranging from rants on package maintenance to blame-pointing on both upstream and packager sides. And, of course, Slashdot.

Where does all this leave the end user with? Well, probably not much except to regenerate weak SSH keys with the new openssh-server (now enhanced with openssh-blacklist, see the new advisory) and hope to $DEITY all gets well soon. And maybe, just maybe, a minor suspicion that other Debian-packaged software may be "tainted" with a similar blemish (that being having patches that are supposed to fix something, applied with upstream's blessing, and yet not really audited enough to ensure functionality AND security of the system is maintained.)

Obviously, there's going to be some adjustments to be made on the Debian side. But I do hope to $DEITY that major revamps ought to happen on the OpenSSL side as well, in particular on clarifying their public channels to reaching upstream developers (read: publish openssl-team@openssl.org in a legitimate way, being the legitimate upstream contact endpoint it is,) and keeping a closer eye on the vendors who package their software (yeah, it may not be an obligation at all for OpenSSL, but heck, their vendors are users, too!) Upstream may be free not to partake on a social contract like Debian's, but it shouldn't escape from them the fact that vendors nevertheless aggregate continuing and potential users (aside from being users themselves) for their benefit.

More importantly though, is that delivering FOSS is a community effort. Sure, its easy to put blame now, but in the end, the blame isn't as important as the real cause and effects of the problem/bug/issue are. Better to move on and work together towards a real fix, rather than the bickering that currently passes as FOSS entertainment.

OpenSSL Ouch

2008-05-14T10:14:00Z

I won't repeat it here, but there's DSA-1571-1 waiting for your attention, especially if you made some material out of openssl over the last couple of years or so. Yes, you read it right: COUPLE.

Upgrading to the new OpenSSL is easy. Generating new keys is another story.

To save (or add to, depending on how you handle this) your pain, there is a simple checker that can currently see if your OpenSSH or OpenVPN public keys are weak enough to warrant replacement. I await a version that can handle X.509 certificates too (though I only just generated a new one today, before the announcement, so that means I have to do it again (and get its CSR to CACert for signing, etc.)

And yeah, if you're running openssh-server, consider regenerating your host RSA and DSA keys, e.g.:

# mv /etc/ssh/ssh_host_{dsa,rsa}_key* /some/place/else
# dpkg-reconfigure -plow openssh-server

That should regenerate your keys and restart openssh-server once the new keys are installed to /etc/ssh.

The hard part (of making sure all the keys of your systems are updated and tested) is still up to you, however.

UPDATE: The Debian wiki has up-to-date information regarding other packages that generate SSH/SSL keys at postinst. Please refer to that while the key-rollover page isn't up yet.

UPDATE 2: openssh-server is updated (with corresponding DSA-1576-1) that is linked to the updated OpenSSL library. Be sure to upgrade! The new package also pulls in openssh-blacklist, a new package that contains the database needed by the new ssh-vulnkey for checking SSH public keys.

Some Exim4 hacks

2008-05-11T06:44:00Z

Exim is the stock MTA in Debian, and rightly so, since its pretty much the most flexible MTA around (note: I did say "most flexible," not "most secure.") It is also very easy to set up, thanks to its debconf integration and sane configuration interface; however, there may be some bits that still needs that extra tweaking that a dialog or menu interface can't reach:

Setting the Right mailserver hostname

Most mailservers typically go by a hostname of "mail" or "mx," for various reasons. Of course, this requires setting the right DNS entry for your domain, but Exim may miss this and use the internal hostname of your mailserver instead. There are quite a lot of ways to set the "right" mailserver name in Exim, but in Debian, it is recommended that one DOESN'T set it via the primary_hostname variable, as this can mess up other places in the Exim configuration and complicate matters. Instead, one can use smtp_active_hostname in the global options:

smtp_active_hostname = mail.foobar.net

Changing Received: header

If one changes the mailserver hostname like above, then it also probably needs to change some headers as well, like the "Received:" header. Again, this is a global options setting, controlled by received_header_text:

received_header_text = Received: \
${if def:sender_rcvhost {from $sender_rcvhost\n\t}\
{${if def:sender_ident {from $sender_ident}}\
${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}} }}\
by $smtp_active_hostname \
${if def:received_protocol {with $received_protocol}} \
${if def:tls_cipher {($tls_cipher)\n\t}}\
(Exim $version_number)\n\t\
${if def:sender_address {(envelope-from <$sender_address>)\n\t}}\
id $message_id\
${if def:received_for {\n\tfor $received_for}}

Note that this changes the header when your Exim receives mail; when your Exim sends mail to another mailserver, you'll have to ensure that the header made by the destination mailserver has its hostname matching your own. Thus, you need to fix the "remote_smtp" transport a bit:

remote_smtp:
  debug_print = "T: remote_smtp for $local_part@$domain"
  driver = smtp
  # to disable TLS on outgoing connections, uncomment this
  # hosts_avoid_tls = *
  helo_data = $smtp_active_hostname    # use the variable we set earlier
  # use the interface our Exim is running on and where the mailserver name points to
  interface = 1.2.3.4

Changing Message-Id

Finally, one can change the "Message-Id" header to match the new hostname above, via another global options variable, message_id_header_domain:

message_id_header_domain = $smtp_active_hostname

Apache2 Worker MPM on Low Memory Servers

2008-05-11T06:44:00Z

If you're running Apache2 on a memory-constrained system (like in a virtual machine,) you may want to choose the prefork MPM to save memory at the cost of more process forks. However, if you have more than one CPU on that same machine, you may also want to consider using the threaded worker MPM and tweak its MaxClients and ThreadsPerChild settings from the default configuration.

On a typical apache2 installation on a Debian system, the worker MPM configuration looks like this:

<IfModule mpm_worker_module>
    MaxClients          150
    MinSpareThreads      25
    MaxSpareThreads      75
    ThreadsPerChild      25
    MaxRequestsPerChild   0
</IfModule>

Using these default settings on a resource-constrained system (say a server with 128MB of RAM but with no swap) would be overkill, and the web server processes will definitely eat up all of that memory, leaving little or no room for even simple CGI scripts.

In my setup, I experimented with tweaking the values above to get apache2 to serve without eating up too much precious memory. I found that the important values to consider here are MaxClients, which dictate how many clients can connect simultaneously to my server, and ThreadsPerChild, which specifies how many threads of execution can run in a child/worker process. My resulting config becomes:

<IfModule mpm_worker_module>
    MaxClients           15
    MinSpareThreads       3
    MaxSpareThreads       7
    ThreadsPerChild       3
    MaxRequestsPerChild 200
</IfModule>

With this setup, I free up a significant amount of RAM from apache2's hold whle maximizing my thread usage in each worker process; at the same time, I avoid keeping each child process for too long by setting a maximum number of requests each worker can serve, preventing the workers to bloat too much when handling CGI.

I also tweaked the KeepAliveTimeout setting to just 2 seconds (instead of the default 15) so that each worker process can go to the next request quickly and preventing them from being tied up to a connection for too long. I also set the Timeout to 30 seconds.

Adding Some Blog Bling

2008-05-11T01:46:00Z

I added some more bling to this blog last night, like a spiffy new CSS theme (based on twocolumncss) and a handful of plugins to improve feed generation, readable and extensionless URIs, and support for comments and trackbacks. Blosxom indeed is such a flexible toolkit for making a blog! :D

That said, I did find one or two quirks in the plugins existing in the blosxom and blosxom-plugins CVS repository; I'll post patches to my git mirrors of these repositories. I'll probably add some more features on some of the plugins I used too (that reminds me, I should put up a list somewhere.)

Subdomains for Blog and Code

2008-05-10T07:39:00Z

I have reorganized the site a bit. This blog is now on its own subdomain (and www currently redirects to it.) My existing and new projects (under their own git trees) are now on the code subdomain, with gitweb as root.

I'll probably put up a wiki as the main www, and maybe even lists (in case some of my projects go gold heh.)

Hello, World

2008-05-10T07:30:00Z

You have reached my little site. There's not much here at the moment, but do drop by every now and then; its a work in progress.

As you can see, this site is quite spartan, and that's the way I like it. I'm currently using blosxom for this ephemeral blog site, despite the prevalence of database-backed blogging and CMS software with all the Web 2.0, AJAX, and Web Services bullshit. Those are not for me, at least for the moment; nor do I want to encourage a "community" around my site, whatever that is, as I have better things to do than exchange pleasantries.

That said, I know that the blosxom code is rather old and the plugins available for it seem to be disappearing. Since its in Perl, however, I think I can take a crack at writing my own plugins (and possibly improving blosxom itself.) I might probably rewrite it in CGI::Application, if it comes to that.

By the way, in case you're wondering: I'm Zak B. Elep, and I go by zakame on the Internets. I actually have an older, more dynamic, and friendlier weblog at spunge.org, where it all started; more on that later.

And yeah, the standard disclaimers for blogging applies: this site contains my own personal opinions on various matters (and maybe some real, hard facts, from time to time,) and in now way should these opinions be construed as official statements of organizations or companies I'm connected with. They have their own PR reps: talk to them if you need "official" shit.

That's all for the moment: I'll go play out with some code.