By spencer, Thursday, November 6, 2008 · 2:23 pm

The past few days people in the Linux blogosphere have been bringing up the noatime/nodiratime mount options again. These options disable the updating of file and directory access times. On many standard systems, when you read a file a “last read” (access time) timestamp is written to disk. Disabling the writing of access times can provide performance increases in some conditions, probably in a lot of conditions. Disabling the writing of these access times can be accomplished with the noatime and nodiratime mount options on a typical FS on a Linux system. In OS X and HFS+, nodiratime doesn’t exist but noatime does.

These options are old news to some. I had used them in Linux in the past - heck, I think it was even in the standard Gentoo install docs - but I had never given them a second thought since I moved to OS X. If you know me personally you know I can’t leave something untweaked. And those recent discussions got me to thinking…

Be forewarned, I haven’t gone to great lengths to explain the concepts in the notes below, so if you’ve never seen a terminal this isn’t going to be comprehensible.

I wanted to mount my filesystems with the noatime option in OS X to disable the updates to access times for files. Problem is that, at least in 10.5, OS X no longer honors /etc/fstab for system disks, only for automount disks.

After wrestling with it for a while I gave up on trying to find a location where I could specify mount options for system disks. I decided to just remount the disk later with the correct options. I created a StartupItem entry to remount the disk. I created a directory:

# mkdir /Library/StartupItems/spencer_boot

Then I created the StartupItem plist. Pretty straightforward.

# cat /Library/StartupItems/spencer_boot/StartupParameters.plist

{
  Description = "Spencer's Boot Script";
  Provides = ("spencer_boot");
  OrderPreference = "None";
  Messages =
  {
    start = "Starting Spencer's Boot Script";
    stop = "Stopping Spencer's Boot Script";
    restart = "Restarting Spencer's Boot Script";
  };
}

Now I needed the shell script that would be run on boot.

# cat /Library/StartupItems/spencer_boot/spencer_boot

#!/bin/sh

. /etc/rc.common

case "$1" in
  start)
    # remount the root volume (disk0s2 on this machine; check `diskutil list`) with noatime
    ConsoleMessage "Starting Spencer Boot: remounting root fs noatime"
    mount_hfs -o noatime /dev/disk0s2 /
    ;;
esac

exit 0

This solved the problem for the root fs, but I also use Filevault. If you don’t use Filevault you can stop reading here. How would I go about this? Same problem as before: nowhere to add mount-time options. Additionally, the fs is mounted upon login, not boot, so our previous method of creating a StartupItem won’t work. We’re going to have to do it later, after it has been mounted - again.

<redacted> I did have some other information here but after review I wasn’t happy with advocating the “hack” I’m using. But the gist of it is to run something like this: /sbin/mount -u -o noatime,nosuid,nodev /dev/disk1s2 /Users/spencer/ after the volume is mounted. This happens after you enter your password. So a good place would be login items if you can figure out how to run mount as root from a user’s startup scripts.</redacted>

After you log in and the system has completely finished running your startup apps, open a terminal and type “mount”. You should see “noatime” listed as a mount option for your system and Filevault disks.
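The StartupItem above remounts unconditionally and the post checks the result by eye. As an added example (not the post’s own script) here is the same remount written to be idempotent: it parses `mount` output for the option, only calls `/sbin/mount -u -o noatime` (the form the post uses for the Filevault volume) when noatime is missing, and refuses to run as anyone but root. The sample `mount` output is constructed, not captured from a real machine, and mount points containing spaces are not handled.

```shell
#!/bin/sh
# Idempotent noatime remount for an already-mounted volume.
# Nothing runs until ensure_noatime is called, so the file is safe to source.

# mount_has_option MOUNTPOINT OPTION  <  output of `mount`
# Lines look like "/dev/disk0s2 on / (hfs, local, journaled, noatime)".
# Exit status 0 if OPTION is listed for MOUNTPOINT, 1 otherwise.
mount_has_option() {
    awk -v mp="$1" -v opt="$2" '
        $2 == "on" && $3 == mp {
            sub(/^[^(]*\(/, ""); sub(/\).*$/, "")   # keep only the option list
            n = split($0, o, /, */)
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# ensure_noatime MOUNTPOINT: remount with noatime only if it is missing.
# Must run as root; refuses otherwise instead of failing half-way through.
ensure_noatime() {
    mp="$1"
    [ "$(id -u)" -eq 0 ] || { echo "ensure_noatime: must run as root" >&2; return 2; }
    if mount | mount_has_option "$mp" noatime; then
        echo "$mp: noatime already set"
        return 0
    fi
    # -u changes the options of an already-mounted file system (OS X mount(8))
    /sbin/mount -u -o noatime "$mp"
}

# Constructed sample of `mount` output (not captured from a real machine),
# so the parser can be exercised on any system.
SAMPLE_MOUNT='/dev/disk0s2 on / (hfs, local, journaled, noatime)
devfs on /dev (devfs, local)
/dev/disk1s2 on /Users/spencer (hfs, local, nodev, nosuid, journaled)'

# Typical use from a StartupItem or a root-run login hook:
#   ensure_noatime /
#   ensure_noatime /Users/spencer
```

Against the constructed sample, `mount_has_option / noatime` succeeds and `mount_has_option /Users/spencer noatime` fails, which is exactly the state the post describes before the Filevault volume has been remounted.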

spencer_boot shell script
StartupParameters.plist for the spencer_boot StartupItem
remount_filevault for noatime in Filevault volumes

By spencer, Tuesday, October 21, 2008 · 4:30 pm

My favorite BASH shell completion of all time is hostname completion for all of my favorite commands:

SSH_COMPLETE=( $(cat ~/.ssh/known_hosts | \
cut -f 1 -d ' ' | \
sed -e 's/,.*//g' | \
sort -u | \
egrep -v '[0123456789]') )

complete -o default -W "${SSH_COMPLETE[*]}" ssh scp sftp rsync nmap traceroute ping nslookup dig host nc

I find most of the hosts I ssh into I use for basic network diagnostics. So performing completion for traceroute, ping, etc based on the contents of known_hosts works great. Just add it to your .bashrc.

Update: 2008/11/04

I’ve modified it to support completion of SVN commands leveraging the hostnames expanded during the SSH completion above:

SVN_COMPLETE=( $(svn -h|grep -e '^ '|awk '{ print $1; }') $SSH_COMPLETE )
complete -o default -W "${SVN_COMPLETE[*]} ${SSH_COMPLETE[*]}" svn

Adding these may lengthen your shell exec tasks.
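The one-liner above throws away every host whose name contains a digit, ignores `[host]:port` entries and `@cert-authority` markers, and gets confused by hashed known_hosts files. As an added example (not the post’s own snippet) the function below extracts completable names a little more carefully; the known_hosts text is a constructed sample with placeholder keys, and `install_host_completion` is the hypothetical hook you would call from `.bashrc` (it uses bash’s `complete`, so it is only meaningful in bash).

```shell
#!/bin/sh
# known_hosts_names: read an OpenSSH known_hosts file on stdin and print the
# names worth completing, one per line, sorted and de-duplicated. It copes with:
#   - comma-separated aliases on one line
#   - "[host]:port" entries for non-standard ports
#   - "@cert-authority" / "@revoked" marker lines (the name is the 2nd field)
#   - hashed entries (HashKnownHosts yes), skipped because the name cannot be
#     recovered from the hash
#   - bare IPv4/IPv6 addresses and wildcard patterns, dropped without also
#     dropping every host name that happens to contain a digit
known_hosts_names() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }           # comments and blank lines
        {
            f = $1
            if (f ~ /^@/) f = $2                  # marker line: name follows the marker
            if (f ~ /^\|/) next                   # hashed entry
            n = split(f, names, ",")
            for (i = 1; i <= n; i++) {
                h = names[i]
                sub(/^\[/, "", h); sub(/\]:[0-9]+$/, "", h)   # [host]:2222 -> host
                if (h == "" || h ~ /[*?]/) continue            # wildcard pattern
                if (h ~ /^[0-9.]+$/ || index(h, ":") > 0) continue   # IPv4 / IPv6 literal
                print h
            }
        }' | sort -u
}

# Hypothetical .bashrc hook wiring the names to the same commands as the post.
install_host_completion() {
    SSH_COMPLETE=$(known_hosts_names < "${HOME}/.ssh/known_hosts")
    complete -o default -W "${SSH_COMPLETE}" ssh scp sftp rsync nmap traceroute ping nslookup dig host nc
}

# Constructed sample known_hosts (not a real file; keys are placeholders).
SAMPLE_KNOWN_HOSTS='# constructed sample
web1.example.com,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2E...
[git.example.com]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5...
|1|hashedsalt=|hashedhost= ssh-rsa AAAAB3NzaC1yc2E...
@cert-authority *.corp.example.com ssh-rsa AAAAB3NzaC1yc2E...
2001:db8::1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5...
web1.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5...'
```

Fed the constructed sample, `known_hosts_names` prints `git.example.com` and `web1.example.com` once each; the IP literals, the hashed line and the certificate-authority wildcard are all dropped.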

I test at work. I work from home. But I will not test from home. Fix it yourself. (trademark pending).

By spencer, Thursday, October 2, 2008 · 12:45 pm

I was trying to connect to RHN from Yum/up2date in Red Hat Enterprise Linux 5. I kept getting fatal invalid SSL cert errors. The strange part - out of all of the machines I tested it was only occurring on a single RHEL 5 laptop. The really strange part - it was happening on the host as well as inside a guest in a VM running in VMware Player.

If you get this:

[root@rhel5-vm ~]# yum search openoffice
Loading "rhnplugin" plugin
Loading "installonlyn" plugin
Traceback (most recent call last):
  File "/usr/bin/yum", line 29, in ?
    yummain.main(sys.argv[1:])
  File "/usr/share/yum-cli/yummain.py", line 85, in main
    base.getOptionsConfig(args)
  File "/usr/share/yum-cli/cli.py", line 199, in getOptionsConfig
    errorlevel=opts.errorlevel)
  File "/usr/lib/python2.4/site-packages/yum/__init__.py", line 134, in doConfigSetup
    self.plugins.run('init')
  File "/usr/lib/python2.4/site-packages/yum/plugins.py", line 153, in run
    func(conduitcls(self, self.base, conf, **kwargs))
  File "/usr/lib/yum-plugins/rhnplugin.py", line 88, in init_hook
    login_info = up2dateAuth.getLoginInfo()
  File "/usr/share/rhn/up2date_client/up2dateAuth.py", line 139, in getLoginInfo
    login()
  File "/usr/share/rhn/up2date_client/up2dateAuth.py", line 98, in login
    li = server.up2date.login(systemId)
  File "/usr/share/rhn/up2date_client/rhnserver.py", line 64, in __call__
    raise up2dateErrors.SSLCertificateVerifyFailedError()
up2date_client.up2dateErrors.SSLCertificateVerifyFailedError: The SSL certificate failed verification.

Check the date/time on the machine. Mine was a VM syncing with a host clock with a bad CMOS battery, which caused it to think it was 2005, when the cert wasn’t valid yet. That also explains why it happened in both host and guest.
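A quick way to confirm this diagnosis before blaming the server is to compare the machine’s clock with the certificate’s notBefore/notAfter window. The function below is an added example, not part of the original post: it reads `openssl x509 -noout -dates` output on stdin, does the calendar arithmetic in awk (so it works without GNU `date -d`), and distinguishes “clock is behind notBefore” from “certificate has expired”. The `-dates` output below is a constructed sample, not the RHN certificate, and the dates are assumed to be in GMT as OpenSSL prints them.

```shell
#!/bin/sh
# cert_window_check NOW_EPOCH  <  `openssl x509 -noout -dates` output
# Exit status: 0 inside the validity window, 1 NOW is before notBefore
# (the clock-skew case above), 2 NOW is after notAfter, 3 unparseable input.
cert_window_check() {
    awk -v now="$1" '
        # days since 1970-01-01 for a proleptic Gregorian date (y, m, d)
        function days(y, m, d,    era, yoe, doy, doe) {
            if (m <= 2) y--
            era = int((y >= 0 ? y : y - 399) / 400)
            yoe = y - era * 400
            doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
            doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
            return era * 146097 + doe - 719468
        }
        # "Sep 12 00:00:00 2006 GMT" -> epoch seconds
        function ts(s,    t, mon, hms) {
            split(s, t, /[ ]+/)
            mon = (index("JanFebMarAprMayJunJulAugSepOctNovDec", t[1]) + 2) / 3
            split(t[3], hms, ":")
            return days(t[4], mon, t[2]) * 86400 + hms[1] * 3600 + hms[2] * 60 + hms[3]
        }
        /^notBefore=/ { nb = ts(substr($0, 11)) }
        /^notAfter=/  { na = ts(substr($0, 10)) }
        END {
            if (nb == "" || na == "") { print "could not parse notBefore/notAfter"; exit 3 }
            if (now < nb) { print "clock (" now ") is before notBefore (" nb "): check date/time"; exit 1 }
            if (now > na) { print "certificate expired at " na; exit 2 }
            print "clock is inside the validity window"; exit 0
        }'
}

# Constructed sample of `openssl x509 -noout -dates` output (not a real cert).
SAMPLE_DATES='notBefore=Sep 12 00:00:00 2006 GMT
notAfter=Sep 11 23:59:59 2011 GMT'

# Live use against a saved server certificate:
#   openssl x509 -in server.pem -noout -dates | cert_window_check "$(date +%s)"
```

With the sample window, a clock reading 2005-01-01 (epoch 1104537600) exits 1 and names the notBefore epoch 1158019200, a clock in January 2008 exits 0, and a 2014 clock exits 2.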

By spencer, Thursday, October 2, 2008 · 9:05 am

Ran into a problem with Exchange. I created a server-side rule to place spam messages in a folder that didn’t exist. All spam was instead going to the root folder, the folder above my inbox. Well if you use Entourage to access Exchange you will not be able to access this folder. If you go into Outlook Web Access (OWA) you can navigate to the root user folder by clicking on “Folders”.

Unfortunately by this point I had like thousands and thousands of messages. There is no “Delete All” option in OWA. Craptacular. So moving on I mounted the server via WebDAV in finder (cmd+k). The URL to mount will look something like:
http://exchange.servername.com/exchange/username

If this folder is large navigating to it in Finder will be a horrific experience. Open Terminal.app and navigate to the mountpoint.

~/> cd /Volumes/username

Once again, if the folder is large, rm *.EML will not work because the wildcard expansion done by bash will exceed the maximum length of the command line itself (32K by default IIRC). Try this:

/Volumes/username> SRC=./*.EML
/Volumes/username> for i in $SRC; do rm "$i"; done

This will clean up most, if not all, of the mess. Some files will not be removed due to escape characters and escaped escape characters etc. Open the folder in Finder and delete the rest. There are def. more elegant ways to handle this from a scripting standpoint but this was quick and worked.
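The leftovers come from `for i in $SRC` word-splitting the expansion, so any name with a space (or a quote the shell then sees) never reaches `rm` intact. As an added example (not the post’s own commands), the function below lets `find` batch the names into as many `rm` invocations as ARG_MAX allows and pass each name as a single argument, so nothing needs a second pass in Finder. `demo_purge` builds a constructed scratch folder with awkward names in place of the WebDAV mount at /Volumes/username.

```shell
#!/bin/sh
# purge_eml DIR: delete every *.EML directly inside DIR without building one
# giant argument list. find's "-exec ... {} +" groups names into rm calls that
# fit ARG_MAX, and each name is passed verbatim, so spaces, quotes and
# backslashes are no problem. Prints how many .EML files survived (expect 0).
purge_eml() {
    dir="$1"
    find "$dir" -maxdepth 1 -type f -name '*.EML' -exec rm -f -- {} +
    find "$dir" -maxdepth 1 -type f -name '*.EML' | wc -l | tr -d ' '
}

# Constructed demo: a temporary folder standing in for /Volumes/username,
# seeded with names the quoted-loop version leaves behind. Prints
# "<EML files left> <files left in total>".
demo_purge() {
    tmp=$(mktemp -d) || return 1
    : > "$tmp/plain.EML"
    : > "$tmp/with space.EML"
    : > "$tmp/it's \"quoted\" \\ back.EML"
    : > "$tmp/keep.txt"                      # not spam: must survive
    left=$(purge_eml "$tmp")
    kept=$(find "$tmp" -maxdepth 1 -type f | wc -l | tr -d ' ')
    rm -rf "$tmp"
    echo "$left $kept"
}

# Real use, from the mounted folder:
#   purge_eml /Volumes/username
```

`demo_purge` prints `0 1`: all three .EML files are gone regardless of their names, and the unrelated file is untouched.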

By spencer, Saturday, April 12, 2008 · 10:38 am

Just finished updating WordPress to 2.5 from 2.3.3. Ran into a few problems. Normally I diff the old version of WP to the new version and just apply the generated patch to my “custom” install. Somewhere along the line I must have deleted extraneous files like license.txt because the patch failed to apply because some files listed in the diff didn’t exist in the directory I was applying it to… this is the first time this method of non-destructively updating Wordpress had failed me. I could have edited the patch by hand but it was 100K lines so I wasn’t particularly interested in this method.

So I finally ended up actually following the upgrade instructions, deleted wp-admin and wp-includes, and copied all the files from 2.5 into my existing install. The database update took about 1 second to complete. The upgrade was technically complete at this point but of course it wreaked havoc with my theme.

One thing about the Wordpress theme architecture is that if a failure occurs in a custom theme it kinda falls back to the default theme, this is due to CSS I guess. Problems with a theme, like my Binary Blue bastardization, also show up in the strangest ways.

For example, my last.fm plugin’s cache directory got blown away. The plugin could no longer find the image cache and was throwing a (fatal?) error to Apache’s logs. The site was being styled by what looked like a combination of the default classic and my own customized Binary Blue theme. What I do to fix this is an utter hack, I move the default theme out of the way and symlink the directory of my theme to wp-content/themes/default. Then when things go wrong it is still pulling from my theme. Then I go back and fix the actual problem.

The upgrade is complete. It took me about 30 minutes to migrate total. But I am more concerned about “corner cases” this time since my traditional method of just merging in the diff between releases failed. I also haven’t stress tested all of the widgets and plugins. Overall I would suggest upgrading. The experience was worse than usual, but not terrible.

I just noticed when writing this post that the “Preview this Post” feature in WP 2.5 must pull from the auto-saved draft. When I click preview I don’t see the content that hasn’t been saved yet. Small potatoes, remind me to open a bug.

Update (4 hours later): I figured out why my theme was getting butchered into some combination of the default and my own - I had some absolute URLs in my header.php where I forgot to use the template path variables.

By spencer, Monday, March 10, 2008 · 6:35 pm

Robot Evilness

I know the idea of robots in space sounds cool but let’s think this through.

First of all the robot is fucking huge, “11-foot arms, a shoulder span of nearly 8 feet and a height of 12 feet”. It doesn’t have legs but with arms like that you don’t actually need appendages on the bottom half. Plus when you’re in space legs aren’t especially useful. I hope they programmed “I will crush you pesky human fly” into its voice synthesizer.

Second, robots will take over the world. It is just a matter of time. I had come to grips with that. But now we’re handing them space on a silver platter. Brilliant.

Third, they named the thing Dextre and call it Dexter. Dexter, as in the socialized sociopathic serial killer from the book and more recently Showtime. That’s right, they named the ginormous metal machine of death after a serial killer. If you’re going to create a peaceful, human-loving robot you name it Buny or Elff or some other cute variation on something “nice”. If you’re going to create robots bent on obliterating humans, a la Dextre, then this might be an acceptable naming convention. Also note that Dexter the serial killer is nice and gets along with people - right up until he kills them. So don’t trust this Dextre lest you fall into a similar trap.

Fourth, last week we, the US, were telling China and the international community as a whole that we’re not trying to militarize space. This week we’re launching Terminator’s great-grand-pappy. Sounds like militarization to me.

Finally, this (selective) quote from astronaut Garrett Reisman troubles me: “we’re worried it’s going to go run amok and take over the space station or turn evil”. If astronauts are worried then I’m worried.

Updated 2008-03-16 to add pictures of our destructor.

By spencer, Saturday, March 8, 2008 · 2:16 pm

It’s been three years since we upgraded the hardware that hosts our various sites. I contacted my provider (Crucial Paradigm) and got some competitive offers. Stefan, my friend in Berlin that I split the server with, and I agreed on the following specs:

  • Athlon 64 x2 4000 (2 cores @ 2.1GHz, 512K L2 each)
  • 4GB RAM, 160GB SATA, 100Mbps
  • CentOS 5
  • Apache, BIND, MySQL, Postfix, SpamAssassin, ClamAV, Cyrus IMAP
  • SELinux enforcing

Once again this is going to be a dedicated, remote, hosted server. A few days later they contacted me with the login information. I’m going to describe the move from a high level. I’m not going to go through the individual config file modifications or how to dump a Cyrus database.


By spencer, Saturday, January 26, 2008 · 5:59 pm

I’m visiting Australia for business. This is only my second trip down here but last time I was relegated to Surfer’s Paradise and Brisbane. Great, beautiful beaches but it was still a beach. This time I’m down in Canberra (then Melbourne, then Sydney) and was lucky enough to visit over Australia Day (Americans, think the Fourth of July).

Outside Canberra
Believe it or not this was all burnt to a crisp back in 2003.

By spencer, Friday, January 11, 2008 · 3:50 pm

Josh’s envy has spun out of control. First he puts OS X 10.4 on his Dell:

Hackintosh 10.4

I really don’t know why people think it is soooo hard to get OS X onto a Dell.

Josh and His Hackintosh 10.4

Josh has been running 10.4 like this for about 6 months.

Now he upgrades to Leopard:
Hackintosh 10.5 and Josh in the background

At this point I just had to play with the hackintosh. In all honesty I think his Leopard install might be more stable. His install only crashes when he drops his laptop and it is too much for the adhesive to handle. My Leopard only crashes when I have 10 important things going on… note to self - scotch tape can prevent kernel panics.

Disclaimer: No Dells were harmed in the creation of this blog entry… so far. We still haven’t removed that last sticker, ahem, “we have yet to downgrade from 10.4 to Windows”.

By spencer, Thursday, January 10, 2008 · 3:33 pm

Lately conversations keep turning up new slogans for SELinux. I figure this is as good a place as any to keep a running list so here we go:

  • SELinux - Because users do weird shit.
  • SELinux - Fuck root.
  • SELinux - Hampering administrators since before it was cool.
  • SELinux - Take revenge against the BOFH
  • SELinux - High-security gone haywire.
  • SELinux - Turning it off is like removing the batteries from a smoke detector. Sure it sounds better but you might get burned.
  • SELinux - Because life is too simple.
  • SELinux - AppArmor sucks.
  • SELinux - It’s too early in the morning to be cleaning up after 11-year old kiddies.
  • SELinux - Too powerful for our own good.
  • SELinux - Here’s our root password, what’s yours?
  • SELinux - Didn’t they teach you about using protection in high-school?
  • SELinux - Blind faith not required

Thinking about slogans actually got me thinking about “short reasons to use SELinux”.

  • SELinux will save you tons of money, your TCO will go down and your ROI will go up.
  • SELinux supports 3-letter acronyms out of the box, no complex policy changes required.
  • Zero day vulnerabilities are a fact. Do something about it.
  • Trusted Solaris has been end-of-lifed and you’re not in the government space to begin with.
  • Path-name based access control is weak.
  • Implicitly trusting admins doesn’t have to be SOP.
  • You’re not a security expert, let us do the hard work.
  • The US military (and others) trust SELinux with their information, shouldn’t you? [1]

These are just a few.

[1] The answer to this question might actually be a resounding “no!” Don’t worry, I’m not offended.
