mmm... RAM

Upgraded the MacBook Pro to 4GB of RAM. Now I can run Parallels and whatever else without any hint of running out of memory. With the cost of RAM being ridiculously low, I couldn't see any reason to suffer through Parallels with less RAM. Vista Business is crashing something fierce, but XP seems solid for now. Now I have to work on getting everything off ye olde PC to turn it into a shiny new Linux box.



This time, it stands for "yet another computer cliche" - specifically, I've 'switched'. My job got me a new 15.4" MacBook Pro and I love it. OS 10.5 ('Leopard', as all the 'in' Mac geeks call it) is extra slick. With this 2.4GHz Core 2 Duo, Spaces and Expose are wicked fast and impressive looking. However, I also realize how necessary they are. With Windows you can always see every instance of every window in the taskbar, even if it's barely there and you can see only half an icon. I can't imagine how a Mac user found running apps before Expose. For IM, Adium is great. At its core, I believe it's a port of GAIM, but the one thing that's missing is IRC. For that, I use Colloquy - a nice, beautiful-looking client. Wifi and OpenVPN were a snap. Connecting to my Samba shares on the Linux server was also easy, but the printer was more complex. The biggest gotcha so far has been HEAT... it is running damn hot. I've installed Temperature Monitor and smcFanControl based on a co-worker's recommendation and a message board thread. It mostly heats up running Parallels, but I've also had a Dashboard widget go bonkers on me too.

I've also recently purchased a slice, but more on that when I get to do something with it.


cacti + C = graphing goodness

I recently set up cacti at work and at home. The rpmforge yum repository made it easy to install and a snap to set up. At work, with an assist from the other guys on the Systems team, there are 143 hosts - over 1500 data sources - being polled, and the setup was pretty damn quick. However, it initially scaled like a pig - it brought a dual-core Opteron 242 with 2GB of RAM to its knees. Moving to cactid and tweaking the proc/threads/php max memory settings helped a ton. What I especially liked is that when php crapped out due to the default memory restrictions, I didn't lose all the data for the hour or so it took me to debug the problem. It was "cached" in the MySQL database and then flushed to the RRD files once php was working again.

Additionally, I wrote an "apache_stats" plugin in C that polls apache's server-status page using libcurl and easyregex. I'd like to release the code to the public, but I'll have to discuss it with my new employers.
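The plugin above polls mod_status and turns it into numbers cacti can graph. As an added example that is not the author's apache_stats code, here is the parsing half of that job done in shell/awk: it reads the machine-readable "server-status?auto" text (the sample below is constructed, not a real capture) and prints the space-separated name:value pairs a cacti script data source expects. The fetch_and_parse wrapper and the field names accesses/kbytes/busy/idle are my own choices. Since mod_status shows client addresses and request URIs, the page should only be reachable from the poller's address, so restrict the /server-status Location in the Apache config before wiring up a graph.

```shell
#!/bin/sh
# Parse Apache mod_status "?auto" output into cacti-style name:value pairs.
# Constructed sample of what "curl http://host/server-status?auto" returns.
SAMPLE='Total Accesses: 1853
Total kBytes: 9211
CPULoad: .0131
Uptime: 73212
ReqPerSec: .0253
BytesPerSec: 128.8
BusyWorkers: 3
IdleWorkers: 7
Scoreboard: __W_W_..W_......'

# parse_status: read server-status?auto text on stdin and print one line of
# space-separated name:value pairs (the output format cacti's script data
# sources consume). Field names are assumed names for this example.
parse_status() {
    awk -F': ' '
        /^Total Accesses:/ { a = $2 }
        /^Total kBytes:/   { k = $2 }
        /^BusyWorkers:/    { b = $2 }
        /^IdleWorkers:/    { i = $2 }
        END {
            # a missing counter becomes 0 so cacti never sees an empty field
            printf "accesses:%d kbytes:%d busy:%d idle:%d\n", a+0, k+0, b+0, i+0
        }'
}

# fetch_and_parse URL: what the poller would run; curl with a short timeout so
# a hung web server cannot stall the cacti poller run.
fetch_and_parse() {
    curl -s -m 5 "$1" | parse_status
}

# offline demonstration on the constructed sample
printf '%s\n' "$SAMPLE" | parse_status
```

Total Accesses and Total kBytes are counters, so the cacti data source for them should be of COUNTER type, while BusyWorkers and IdleWorkers are GAUGEs.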

At home, I'm seeing some odd results when polling the net-snmp agent on my wireless routers. The old WRT54Gv2.2 is just fine, but my WRTSL54GS is very inconsistent when returning data... whole hours of the day are missing. I'll have to investigate more.


bad timing

Previously, I had my fileserver sync time with my primary wireless router and some pool.ntp.org servers. Then I noticed this:
Jul  7 08:41:10 remote  /usr/sbin/ntpd[521]: skew change 255.181 exceeds limit
Jul 7 08:56:48 remote /usr/sbin/ntpd[521]: skew change -34.707 exceeds limit
Jul 7 09:24:28 remote /usr/sbin/ntpd[521]: adjusting local clock by -0.159868s
Jul 7 09:24:28 remote /usr/sbin/ntpd[521]: skew change -32.121 exceeds limit
Jul 7 09:39:06 remote /usr/sbin/ntpd[521]: adjusting local clock by 0.465410s
Jul 7 09:39:06 remote /usr/sbin/ntpd[521]: skew change 132.634 exceeds limit
Jul 7 09:44:23 remote /usr/sbin/ntpd[521]: adjusting local clock by 0.727679s
According to the documentation, there's no real-time clock on most OpenWrt compatible hardware. I guess when you consider the minimalistic setup of these devices, you can't expect everything.
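Clock jumps like the ones above are worth alerting on, not just noticing after the fact: once a host's clock skews, its syslog timestamps no longer line up with everybody else's, which is exactly what you need intact when reconstructing an incident. As an added example (not from the post), here is a small shell/awk check over log lines in the same format as the excerpt; the lines are constructed samples, the 0.4 second threshold is an arbitrary choice, and the function names are mine.

```shell
#!/bin/sh
# Flag clock trouble in OpenNTPD syslog lines: "skew change ... exceeds limit"
# messages and "adjusting local clock by" steps larger than a threshold.
# Constructed sample lines (same format as the post's excerpt, plus one
# unrelated sshd line to show that non-ntpd lines are ignored).
LOG='Jul  7 08:41:10 remote /usr/sbin/ntpd[521]: skew change 255.181 exceeds limit
Jul  7 08:56:48 remote /usr/sbin/ntpd[521]: skew change -34.707 exceeds limit
Jul  7 09:24:28 remote /usr/sbin/ntpd[521]: adjusting local clock by -0.159868s
Jul  7 09:39:06 remote /usr/sbin/ntpd[521]: adjusting local clock by 0.465410s
Jul  7 09:44:23 remote /usr/sbin/ntpd[521]: adjusting local clock by 0.727679s
Jul  7 10:02:11 remote sshd[1044]: Accepted publickey for backup from 10.0.0.5'

# count_skew_events: number of ntpd "skew change ... exceeds limit" lines on stdin
count_skew_events() {
    grep -c 'ntpd\[[0-9]*\]: skew change .* exceeds limit' || true
}

# large_adjustments THRESHOLD: print "host offset" for every ntpd clock step
# whose absolute size in seconds exceeds THRESHOLD
large_adjustments() {
    awk -v t="$1" '
        /ntpd\[[0-9]+\]: adjusting local clock by/ {
            off = $NF; sub(/s$/, "", off)   # strip the trailing "s" unit
            a = off + 0; if (a < 0) a = -a  # absolute value
            if (a > t) print $4, off        # $4 is the syslog hostname field
        }'
}

# count_large_adjustments THRESHOLD: how many such steps there were
count_large_adjustments() {
    large_adjustments "$1" | awk 'END { print NR }'
}

# demonstration on the constructed sample
printf '%s\n' "$LOG" | large_adjustments 0.4
```

Fed from a real syslog with a cron job, a non-zero count from either function is a reasonable trigger for a LogWatch-style daily summary, and a step larger than a few seconds on a box that also authenticates users deserves a look the same day.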

I've now switched it around. My routers now sync with my fileserver and us.pool.ntp.org. My fileserver ignores the access points and syncs with:
server timex.cs.columbia.edu
server ntp-2.cso.uiuc.edu
server ntppub.tamu.edu
server ntp-1.vt.edu
server ntp3.cs.wisc.edu
server 0.pool.ntp.org
server 1.north-america.pool.ntp.org
server 2.us.pool.ntp.org
Those are the same NTP servers I use at work, with 3 pool.ntp.org servers thrown in. It just annoys me that OpenNTPD doesn't have the equivalent of "ntpq -p" to check the status of the NTP sync.


Remote backups with rdiff-backup

I set this up a while back, but I needed to make some notes on my setup of rdiff-backup that backs up my colo'd PC to my home fileserver. I've been using it for more than 3 months and it has done a great job - space efficient, time efficient and bandwidth light. I followed the recommended unattended HOWTO and it was easy to set up - even with different OSes (Solaris x86 vs. CentOS), versions of ssh and versions of rdiff-backup itself. The only modifications were:
  • In the authorized_keys2 on the source system, I didn't include the from="kitty" bit as the destination PC that I'm pulling from has a dynamic IP
  • I included --print-statistics in the cron job's command line, redirected the output to a logfile
  • I set up three config files/scripts to have LogWatch tell me the daily summary of the rdiff-backup results, i.e.:
    • /etc/log.d/conf/logfiles/nyc-backup.conf
    • /etc/log.d/conf/services/nyc-backup.conf
    • /etc/log.d/scripts/services/nyc-backup
My next step is to get rdiff-backup set up to back up my local fileserver. Right now I have a simple rsync from one drive to the other. The reason I haven't done it yet is that the filesystems were set up without LVM (what was I thinking!). So, I need to clean up, reformat with LVM and then get rdiff-backup set up - maybe even with the snapshot recommendations on the unattended HOWTO page.
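Dropping the from="..." option (as above, because of the dynamic IP) leaves the command= and no-* options as the only thing standing between that key and a full shell, so it is worth being able to see at a glance which keys in an authorized_keys file are fully restricted. The following is an added example, not part of the post or of rdiff-backup: a shell/awk audit that reports, per key, which of the restrictions the unattended HOWTO uses (command=, from=, no-port-forwarding, no-pty) are absent. The three key lines are constructed samples with placeholder key material; the first is restricted the way the HOWTO describes, the second has from= dropped, the third is unrestricted.

```shell
#!/bin/sh
# Audit an authorized_keys file for keys that are missing the restrictions a
# backup-only key should carry. Sample file is constructed; key data is fake.
KEYS='command="rdiff-backup --server",from="kitty",no-port-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAexample1 backup@kitty
command="rdiff-backup --server",no-port-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAexample2 backup@nyc
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAexample3 admin@laptop'

# audit_authorized_keys: read authorized_keys on stdin; print one line per
# key, either "<comment> ok" or "<comment> missing: <options>".
audit_authorized_keys() {
    awk '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        {
            # everything before the key type is the (optional) options field
            opts = ""; rest = $0
            if (match($0, /(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-[a-z0-9]+) /)) {
                opts = substr($0, 1, RSTART - 1)
                rest = substr($0, RSTART)
            }
            n = split(rest, f, " ")           # f[1]=type f[2]=key f[3]=comment
            comment = (n >= 3) ? f[3] : "(no comment)"
            missing = ""
            if (opts !~ /command=/)           missing = missing " command="
            if (opts !~ /from=/)              missing = missing " from="
            if (opts !~ /no-port-forwarding/) missing = missing " no-port-forwarding"
            if (opts !~ /no-pty/)             missing = missing " no-pty"
            if (missing == "") print comment " ok"
            else                print comment " missing:" missing
        }'
}

# demonstration on the constructed file; in practice:
#   audit_authorized_keys < ~backup/.ssh/authorized_keys
printf '%s\n' "$KEYS" | audit_authorized_keys
```

For a dynamic-IP client, from= can still be used with a hostname pattern if the client has a dynamic DNS name, since sshd matches from= against the reverse-resolved name as well as the address; otherwise the command= restriction to "rdiff-backup --server" is what keeps the key from being usable for anything else, and this check makes sure it is actually there on every key.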


done! (mostly)

At this point, I've mostly finished my WRTSL54GS project. The only thing left is the DMZ subnet, but as I don't have a server to put in it yet, it's not a big deal.

As I'm an ubergeek, I've created a network diagram of the new setup. As I'm a lazy geek, the diagram is, of course, not 100% accurate. I actually allocated a physical port on each OpenWrt box to be in the wifi vlan (vlan3), which I've been using to attempt to penetrate my wireless network with a knoppix install & nmap. Next I'll try something else - nessus or something more "black hat".

I intended to keep more notes here, but like I said, I'm lazy. Here are the highlights:

  • shfs absolutely rules. It's easy to set up and makes backups a snap. The most difficult part was trying to get the passwordless auth to work. I *believe* I ended up generating the keypair with ssh-keygen on my CentOS box, compiling dropbear on CentOS and following some notes on how to convert the OpenSSH keys to the dropbear format using dropbearconvert. However, I did it on my previous OpenWrt install and since the backups worked so well, I've been using the same keys ever since.
  • I'm being absolutely draconian about the usage of the wifi subnet, so I've set up iptables rules to DROP all packets from the wifi subnet to the other private subnets. For some reason, packets kept flowing when adding the -j DROP rules to the FORWARD chain, so I've added them to the INPUT chain (the input_rule chain on OpenWrt) and that's done the trick. I *think* it might be because they're coming from the bridge interface (wifi is br0 - a bridge between eth2 and vlan3) and not a direct interface.
  • I have to sing the praises of OpenVPN once again, as well as the OpenVPN GUI for Windows. Reliable, secure, flexible, simple - what more could one ask for? I made the VPN'd wifi subnet one number higher in the third octet of my LAN subnet, so it's now a /23 in my hosts.allow, etc. etc. instead of the /24 it used to be. Simple, yet secure.
  • Setting up the second OpenWrt box as a WDS repeater was pretty simple, as the instructions are good. The major tweaks were:
    • Had to comment out portions of /etc/init.d/S05nvram, as it kept on putting back default variables I wanted un-set
    • Disabled S35firewall, S50httpd, S50telnet and S60dnsmasq as the other OpenWrt box is doing the majority of the work
    • Created an S35noipforward script with the contents being "echo 0 > /proc/sys/net/ipv4/ip_forward" as we don't want to do routing across vlans on the repeater here - let it shuffle the packets on to the primary one.
    • And of course, the vlan setup for the WDS repeater:
      root@remote:~# nvram show | sort | grep ^vlan
      size: 1782 bytes (30986 left)
      vlan0ports=0t 2 3 4 5*
      vlan3ports=0t 1 5
      To be complete, here's the config for the primary router:
      root@lightsaber:~# nvram show | sort | grep ^vlan
      size: 3887 bytes (28881 left)
      vlan0ports=0 3t 5*
      vlan1ports=4 5
      vlan2ports=1 5
      vlan3ports=2 3t 5
      OpenWrt port 3 of the primary is connected to OpenWrt port 0 of the WDS repeater. vlan tagging is awesome.
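The wifi-isolation bullet above is the security-relevant piece of this setup, so here is the rule set written out as an added example (my code, not the post's iptables rules). The subnet numbers, the br0 interface name and the OpenVPN port 1194 are assumed values. It adds the DROP rules to both FORWARD and INPUT, as the post ended up doing, and it accepts the VPN port on the router from the wifi side first so the VPN still works. By default it only prints the commands (DRY_RUN=1) so the list can be reviewed on a workstation; set DRY_RUN=0 on the router to apply them.

```shell
#!/bin/sh
# Keep the wifi subnet (bridge br0) away from the other private subnets while
# still letting it reach the router's OpenVPN port. All values below are
# assumed for this example, not the post's real addressing.
WIFI_IF=br0
WIFI_NET=192.168.3.0/24
PRIVATE_NETS="192.168.1.0/24 192.168.2.0/24"
OVPN_PORT=1194
: "${DRY_RUN:=1}"   # default to printing; DRY_RUN=0 actually calls iptables

# ipt: print the iptables command in dry-run mode, otherwise run it
ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# wifi_isolation_rules: accept the VPN port to the router first, then drop
# wifi -> private traffic both on the routed path (FORWARD) and on the
# router's own input path (INPUT, which is the input_rule chain on OpenWrt
# WhiteRussian), since FORWARD alone was not enough in the post's setup.
wifi_isolation_rules() {
    ipt -A INPUT -i "$WIFI_IF" -p udp --dport "$OVPN_PORT" -j ACCEPT
    for net in $PRIVATE_NETS; do
        ipt -A FORWARD -i "$WIFI_IF" -s "$WIFI_NET" -d "$net" -j DROP
        ipt -A INPUT   -i "$WIFI_IF" -s "$WIFI_NET" -d "$net" -j DROP
    done
}

# count_drop_rules: number of DROP rules the generator emits (dry run only)
count_drop_rules() {
    DRY_RUN=1
    wifi_isolation_rules | grep -c -- '-j DROP'
}

wifi_isolation_rules
```

After applying, the quickest sanity check is the same one the post describes from the wifi side: generate some traffic towards a LAN host and watch the packet counters on the DROP rules climb with `iptables -L FORWARD -v -n` and `iptables -L INPUT -v -n`; a rule whose counter stays at zero while traffic still gets through is sitting after an earlier ACCEPT and needs to move up the chain.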


100 hits and OpenWrt updates

I recently got my 100th hit on WheresGeorge.com. I'm an ubergeek for sticking with it, but hey - it's addictive.

I've also made progress on my OpenWrt install. Thanks to mbm's awesome switch/interface diagram, I've gotten all my VLANs set up and thrown my WRTSL54GS live with WhiteRussian 0.9. I've got my old WRT54G 2.2 mostly set up as well to be the switch/repeater in the other room, but I want to test my iptables rules that prevent the wifi network from accessing the local LAN, except if you're using OpenVPN. The only reason for the trepidation is that OpenWrt's firewall changed from a simple "-i $WAN" interface match to chains like "-A prerouting_wan", and I want to be sure I don't foul it up.

P.S. I didn't end up using the flash memory card on my WRTSL54GS. I had to give the flash reader to my in-laws for their digital camera. Maybe one day I'll resurrect that end of the project for more storage there.


xubuntu issues, round 1

The notebook was not powering off after shutdown. In some message board threads, "acpi=off" or "acpi=force" as grub args were recommended. What worked was adding the line "apm power_off=1" in /etc/modules.

What's next is to find out what's wrong with the PCMCIA Xircom network card. I still have to eject & insert the card in order to get it picked up.


giving xubuntu a try

I'm nuking my crappy WindowsXP install on ye olde notebook - a Toshiba Satellite 4090XDVD. Since I fixed the VPN at work with OpenVPN, I don't need it to connect to the stupid Firebox PPTP (pronounced "PoPToP") VPN anymore. So I'm giving Xubuntu a try because it's supposed to be a lighter desktop.

One gotcha that I encountered on the install is that it didn't initially like my Xircom 10/100+56k modem network card. But I found a tip buried deep in a message board - eject the card, re-insert it and then tell the installer to redetect the network, and it works fine.

Another gotcha was the software dependencies. I am not exactly sure what went wrong, but it failed to install all the dependencies correctly on the first pass. I just told it to re-install again and it was fine. (shrug)

what time is it, redux?

Well, after my last vacation where every photo taken by my Canon PowerShot SD800 IS Digital ELPH was off exactly by one day, I hunkered down and wrote the code to edit the meta information in all the photos using Image::ExifTool. Below is the code:

#!/usr/bin/perl -w
use strict;
use Image::ExifTool qw(:Public);
use Time::Local;

# "list" holds one photo filename per line
open(my $fh, '<', 'list') or die "can't open list: $!";
my @files = <$fh>;
close($fh);

my $oneday = 60 * 60 * 24;

foreach my $file (@files) {
    chomp $file;
    my ($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size,
        $atime,$mtime,$ctime,$blksize,$blocks) = stat($file);
    my $newmtime = $mtime + $oneday;

    # Create a new Image::ExifTool object
    my $exifTool = Image::ExifTool->new;
    my %options;
    # Extract meta information from an image
    $exifTool->ExtractInfo($file, \%options);
    # Get list of tags in the order they were found in the file
    my @taglist = $exifTool->GetFoundTags('File');

    TAG: foreach my $tag (@taglist) {
        next TAG if $tag !~ /date/i;
        # Get a tag description
        my $description = $exifTool->GetDescription($tag);
        # Get the group name associated with this tag
        my $group = $exifTool->GetGroup($tag);
        # Get the value of a specified tag
        my $value = $exifTool->GetValue($tag);
        # EXIF date/time values look like 2007:01:05 12:26:43
        my ($year,$mon,$mday,$hour,$min,$sec) =
            $value =~ /(\d\d\d\d):(\d\d):(\d\d) (\d\d):(\d\d):(\d\d)/;
        next TAG unless defined $sec;   # skip date tags not in that format
        $mon -= 1;
        my $oldtime = timelocal($sec,$min,$hour,$mday,$mon,$year);
        # let's do the time warp agaaaaain
        # (adding 86400s across a DST change shifts the wall-clock hour by one)
        my $newtime = $oldtime + $oneday;
        my ($newsec,$newmin,$newhour,$newmday,$newmon,$newyear,
            $newwday,$newyday,$newisdst) = localtime($newtime);
        $newmon += 1;
        $newyear += 1900;
        my $newvalue = sprintf("%04d:%02d:%02d %02d:%02d:%02d",
            $newyear,$newmon,$newmday,$newhour,$newmin,$newsec);
        # set a new value and capture any error message
        my ($success, $errStr) = $exifTool->SetNewValue($tag, $newvalue, Replace => 1);
        unless ($success) {
            print "***\n";
            print qq!ERROR: $file - $tag ($description) $group '$errStr'\n!;
            print "***\n";
        }
    }

    # The listing in the post ends above; writing the new tag values back to
    # the file and bumping its mtime to match are assumed here to complete it.
    $exifTool->WriteInfo($file)
        or print "ERROR: $file - ", $exifTool->GetValue('Error'), "\n";
    utime($atime, $newmtime, $file);
}