Planet Linux Australia

Planet Linux Australia - http://planet.linux.org.au

Sonia Hamilton: SaltStack Essential Reading

3 hours 1 min ago

A list of ‘Essential Reading’ for SaltStack. A collection of useful links, mostly for myself but possibly helpful to others.

Craige McWhirter: Converting an Instance to an Image in OpenStack

4 hours 2 min ago

This documents how to convert an existing VM instance into an OpenStack image which can be used to boot new instances. In particular it documents doing so when you are using volume backed instances.

Assumptions:

Create a snapshot of the instance

Check the status of the source VM and stop it if it's not already:

    $ nova list
    +--------------------------------------+-----------+--------+------------+-------------+---------------------------------------------+
    | ID                                   | Name      | Status | Task State | Power State | Networks                                    |
    +--------------------------------------+-----------+--------+------------+-------------+---------------------------------------------+
    | 4fef1b97-901e-4ab1-8e1f-191cb2f75969 | Tutorial1 | ACTIVE | -          | Running     | Tutorial=192.168.0.107                      |
    +--------------------------------------+-----------+--------+------------+-------------+---------------------------------------------+
    $ nova stop Tutorial1
    $ nova list
    +--------------------------------------+-----------+---------+------------+-------------+---------------------------------------------+
    | ID                                   | Name      | Status  | Task State | Power State | Networks                                    |
    +--------------------------------------+-----------+---------+------------+-------------+---------------------------------------------+
    | 4fef1b97-901e-4ab1-8e1f-191cb2f75969 | Tutorial1 | SHUTOFF | -          | Running     | Tutorial=192.168.0.107                      |
    +--------------------------------------+-----------+---------+------------+-------------+---------------------------------------------+

Take a snapshot and check the result:

    $ nova image-create --poll Tutorial1 Tutorial1Snapshot
    Server snapshotting... 100% complete
    Finished
    $ nova image-list
    +--------------------------------------+-------------------+--------+--------+
    | ID                                   | Name              | Status | Server |
    +--------------------------------------+-------------------+--------+--------+
    | 47e192f8-32b2-4839-8392-a18e3be1b9a6 | Tutorial1Snapshot | ACTIVE |        |
    +--------------------------------------+-------------------+--------+--------+

Convert that snapshot into an image

Obtain the snapshot ID from cinder:

    $ cinder snapshot-list
    +--------------------------------------+--------------------------------------+----------+-------------------------+------+
    | ID                                   | Volume ID                            | Status   | Display Name            | Size |
    +--------------------------------------+--------------------------------------+----------+-------------------------+------+
    | 6a09198d-3b14-438d-a8e2-0473331fa0b7 | 616dbaa6-f5a5-4f06-9855-fdf222847f3e | deleting | snapshot for Tutorial1  | 10   |
    +--------------------------------------+--------------------------------------+----------+-------------------------+------+

Create a volume from that snapshot:

    $ cinder create --snapshot-id 6a09198d-3b14-438d-a8e2-0473331fa0b7 2
    +---------------------+--------------------------------------+
    | Property            | Value                                |
    +---------------------+--------------------------------------+
    | attachments         | []                                   |
    | availability_zone   | MyZone                               |
    | bootable            | false                                |
    | created_at          | 2014-09-23T02:19:48.414823           |
    | display_description | None                                 |
    | display_name        | None                                 |
    | encrypted           | False                                |
    | id                  | 8fc9e82d-bb57-4e74-a48a-93e20c94fe2f |
    | metadata            | {}                                   |
    | size                | 2                                    |
    | snapshot_id         | 6a09198d-3b14-438d-a8e2-0473331fa0b7 |
    | source_volid        | None                                 |
    | status              | creating                             |
    | volume_type         | block                                |
    +---------------------+--------------------------------------+

Create and upload an image from that volume:

    $ cinder upload-to-image 8fc9e82d-bb57-4e74-a48a-93e20c94fe2f TutorialInstance
    +---------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | Property            | Value                                                                                                                                                                                                 |
    +---------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | container_format    | bare                                                                                                                                                                                                  |
    | disk_format         | raw                                                                                                                                                                                                   |
    | display_description | None                                                                                                                                                                                                  |
    | id                  | 8fc9e82d-bb57-4e74-a48a-93e20c94fe2f                                                                                                                                                                  |
    | image_id            | 83ec0ea1-e41e-475e-b925-96e5f702fba5                                                                                                                                                                  |
    | image_name          | TutorialInstance                                                                                                                                                                                      |
    | size                | 2                                                                                                                                                                                                     |
    | status              | uploading                                                                                                                                                                                             |
    | updated_at          | 2014-09-23T02:19:52.000000                                                                                                                                                                            |
    | volume_type         | {u'name': u'block', u'qos_specs_id': None, u'deleted': False, u'created_at': u'2014-08-08T04:04:49.000000', u'updated_at': None, u'deleted_at': None, u'id': u'7a522201-7c27-4eaa-9d95-d70cfaaeb16a'} |
    +---------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

Export your network UUID and image UUID:

    $ export OS_IMAGE=83ec0ea1-e41e-475e-b925-96e5f702fba5
    $ export OS_NET=c4beeb1d-c04d-43f4-b8fb-b485bcfcf005

Boot an instance from your new image to ensure it works:

    $ nova boot --key-name $OS_USERNAME --flavor m1.tiny --block-device source=image,id=$OS_IMAGE,dest=volume,size=2,shutdown=remove,bootindex=0 --nic net-id=$OS_NET --poll Tutorial0
    +--------------------------------------+-------------------------------------------------+
    | Property                             | Value                                           |
    +--------------------------------------+-------------------------------------------------+
    | OS-DCF:diskConfig                    | MANUAL                                          |
    | OS-EXT-AZ:availability_zone          | MyZone                                          |
    | OS-EXT-STS:power_state               | 0                                               |
    | OS-EXT-STS:task_state                | scheduling                                      |
    | OS-EXT-STS:vm_state                  | building                                        |
    | OS-SRV-USG:launched_at               | -                                               |
    | OS-SRV-USG:terminated_at             | -                                               |
    | accessIPv4                           |                                                 |
    | accessIPv6                           |                                                 |
    | adminPass                            | Riuvai8PvHu3                                    |
    | config_drive                         |                                                 |
    | created                              | 2014-09-23T02:25:14Z                            |
    | flavor                               | m1.tiny (1)                                     |
    | hostId                               |                                                 |
    | id                                   | ec354ce2-fed9-4196-829e-483ab7759203            |
    | image                                | Attempt to boot from volume - no image supplied |
    | key_name                             | DemoTutorial                                    |
    | metadata                             | {}                                              |
    | name                                 | Tutorial0                                       |
    | os-extended-volumes:volumes_attached | []                                              |
    | progress                             | 0                                               |
    | security_groups                      | default                                         |
    | status                               | BUILD                                           |
    | tenant_id                            | djfj4574fn478fh69gk489fn239fn9rn                |
    | updated                              | 2014-09-23T02:25:14Z                            |
    | user_id                              | hy95g85nmf72bd0esdfj94582jd82j4f8               |
    +--------------------------------------+-------------------------------------------------+
    Server building... 100% complete
    Finished

Your new image should now be waiting for you to log in.
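
The procedure above copies UUIDs by hand from one command's table into the next command. The following is an added example, not part of the original post: the helper names `os_table_value`, `os_list_lookup` and `is_uuid` are hypothetical, and the sample tables are abridged from the output shown above, with one constructed extra row.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# os_table_value PROPERTY
#   Read a "| Property | Value |" table (cinder create, cinder upload-to-image,
#   nova boot) on stdin and print the value of PROPERTY; fail if it is absent.
os_table_value() {
    awk -F'|' -v key="$1" '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        NF >= 4 && trim($2) == key { print trim($3); found = 1; exit }
        END { exit (found ? 0 : 1) }
    '
}

# os_list_lookup MATCH_COLUMN MATCH_VALUE WANT_COLUMN
#   Read a list table (nova list, nova image-list, cinder snapshot-list) on
#   stdin, locate columns by their header text, and print WANT_COLUMN for the
#   row whose MATCH_COLUMN equals MATCH_VALUE. Display names are not
#   guaranteed to be unique, so anything but exactly one match is a failure.
os_list_lookup() {
    awk -F'|' -v mcol="$1" -v mval="$2" -v wcol="$3" '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        NF < 3 { next }                       # borders and progress messages
        !m {                                  # first table row is the header
            for (i = 2; i < NF; i++) {
                if (trim($i) == mcol) m = i
                if (trim($i) == wcol) w = i
            }
            if (!m || !w) exit                # a required column is missing
            next
        }
        trim($m) == mval { id = trim($w); n++ }
        END { if (n == 1) print id; exit (n == 1 ? 0 : 1) }
    '
}

# is_uuid STRING
#   Succeed only for a lowercase 8-4-4-4-12 hex UUID, so a truncated or
#   line-wrapped ID is rejected before it is passed to nova boot.
is_uuid() {
    case $1 in *[!0-9a-f-]*) return 1 ;; esac  # spaces, newlines, other chars
    printf '%s\n' "$1" |
        grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Sample: abridged from the "cinder upload-to-image" output in the post.
sample_upload_output() {
    cat <<'EOF'
+---------------------+--------------------------------------+
| Property            | Value                                |
+---------------------+--------------------------------------+
| container_format    | bare                                 |
| disk_format         | raw                                  |
| id                  | 8fc9e82d-bb57-4e74-a48a-93e20c94fe2f |
| image_id            | 83ec0ea1-e41e-475e-b925-96e5f702fba5 |
| image_name          | TutorialInstance                     |
| status              | uploading                            |
+---------------------+--------------------------------------+
EOF
}

# Sample: the "cinder snapshot-list" row from the post plus one constructed
# row (Tutorial2) so the lookup has something to skip.
sample_snapshot_list() {
    cat <<'EOF'
+--------------------------------------+--------------------------------------+-----------+------------------------+------+
| ID                                   | Volume ID                            | Status    | Display Name           | Size |
+--------------------------------------+--------------------------------------+-----------+------------------------+------+
| 6a09198d-3b14-438d-a8e2-0473331fa0b7 | 616dbaa6-f5a5-4f06-9855-fdf222847f3e | deleting  | snapshot for Tutorial1 | 10   |
| 00000000-0000-4000-8000-000000000002 | 00000000-0000-4000-8000-0000000000aa | available | snapshot for Tutorial2 | 10   |
+--------------------------------------+--------------------------------------+-----------+------------------------+------+
EOF
}

# Against a live cloud the same helpers would sit behind the post's commands:
#   OS_IMAGE=$(cinder upload-to-image "$VOLUME_ID" TutorialInstance | os_table_value image_id)
#   is_uuid "$OS_IMAGE" || { echo "unexpected image id" >&2; exit 1; }
# Offline demonstration on the sample tables:
snap_id=$(sample_snapshot_list | os_list_lookup 'Display Name' 'snapshot for Tutorial1' ID)
image_id=$(sample_upload_output | os_table_value image_id)
is_uuid "$snap_id" && is_uuid "$image_id" && echo "snapshot=$snap_id image=$image_id"
```

Both lookups return a non-zero status instead of an empty string when the row or property is missing, so a failed step stops a script rather than booting from an empty `id=`.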

Jan Schmidt: Mysterious Parcel

16 hours 4 min ago

I received a package in the mail today!

Everything arrived all nicely packaged up in a hobby box and ready for assembly.

Lots of really interesting goodies in the box!

After a little while, I’ve got the first part together.

The rest will have to wait for another day. In the meantime, have fun guessing what it is, and enjoy this picture of a cake I baked on the weekend:

See you later!

Andrew Pollock: [life] Day 236: Groceries, a photo shoot, some piracy and a search for gold

Mon, 2014-09-22 21:25

I thought today was going to be relatively quiet, but it ended up being quite full.

Sarah dropped Zoe around in the morning, and after some TV, we went out to do the grocery shopping, as I didn't get a chance to do it on the weekend because I was at my rock climbing course for the entirety of both days.

It was really nice doing the grocery shopping fresh on a Monday morning instead of towards the end of a Saturday or Sunday like we normally do. I love doing the grocery shopping with Zoe at the best of times, but this morning felt particularly wonderful. We always chat away about what we're buying, about how healthy stuff is, what's in stuff and that sort of thing. Zoe likes to help put stuff in the trolley and get it out and put it on the belt at the checkout.

After we got home, we made some lunch. I made a beetroot salad, which I needed to know how to make for Thermomix demonstrations, and Zoe helped. It was remarkably easy to make. I've not bothered with any of the salads in the Everyday Cookbook until today, not being a big salad eater.

Hannah Photography had had a promotional special at the Hawthorne Markets for an 11" x 11" photo on canvas, and I thought that was a great opportunity to get a nice photo with Zoe. Our shoot was booked for this afternoon, and Hannah was really keen for us to bring Smudge too. The old never work with children or animals quote immediately popped into my head, but I thought it'd be interesting to see what happened anyway.

Zoe was really excited as soon as we got to the studio, and Smudge was happy enough to go sniffing around. Pretty early into the shoot though, Smudge clawed Zoe in the leg rather badly as Zoe was trying to hold her, and I thought the whole thing was going to derail spectacularly, but Zoe recovered quickly. A packet of Jelly Belly jelly beans helped.

We had a really fun hour doing a lot of fooling around, and I'm really looking forward to seeing the results next week. Hannah sent through a sample photo later this afternoon, and she's captured a great shot of Zoe. Unfortunately, I look like I'm grimacing.

I made the most of having Smudge out in the car, and swung by the Bulimba Vet on the way home to get her microchip registered, which seemed to merely entail the vet scanning her chip (I already knew her chip ID) and writing it on a form and giving it to me to complete and lodge. I could have just got the form and done that myself. At least it only took 5 minutes, and I got to show Zoe what a pet microchip looked like.

After we got home, Zoe wanted to continue playing pirates from Friday, when it was International Talk Like a Pirate Day. I've got an eyepatch and earring that I use for such occasions. On Friday we'd made a raid on the corner store looking for chocolate gold coins, but had been unsuccessful, so today we headed out to Overflow to see if they had any. They didn't, and suggested we try K Mart. K Mart didn't either, so we had to go to Westfield Carindale to try the lolly shop there.

We finally got some at Carindale, which made the outing quite lengthy in the end and it was later than I'd have liked by the time we were heading home. We had a late dinner, but I managed to somehow make up the lost time and still get Zoe to bed a little early. She was certainly tired from the busy day, and nearly fell asleep on the way back from Carindale.

linux.conf.au News: LCA 2015 conference schedule and prices...

Mon, 2014-09-22 17:28
  • The CFP went extremely well - lots of fantastic proposals
  • The Papers Committee had a hard time whittling them down to the number that we need
  • We had a great deal of fun planning the structure, then loading it into the database (although that part, not so much)
  • Now the schedule is live on the website - read ‘em and weep, my friends!

We think that we have an amazing schedule, and we have you - the LCA community to thank for that. We would have nothing if this wasn’t as important to you as it is to us.

We also have our prices set. Please see the pricing page for more information.

Very soon we will be opening registrations, and all of your LCA2015-related questions will be answered. (If not, you know how to reach us).



Yours always

The LCA 2015 team

Mark Terle: Oh Canada!

Mon, 2014-09-22 01:25

Dear readers,

In my last instalment I left you having left Brisbane and arrived into Sydney ready to depart Australia. Apologies for the lack of updates for the past few weeks, I’ve been enjoying the trip, devoting all my brain cycles to my adventures, and spare moments to catching sleep and relaxing.

After a very long Thursday (courtesy Air Canada), was met at the other end by long time friends, A and E. Had to remember, or be reminded, to get in the correct side of the car for Canada. Canada not being one of the 76 countries that drive on the left. Was entertaining for A and E to watch my reactions to being taken in traffic in the front passenger seat for the first time.

Headed off to A and E’s apartment to freshen up after the long flight. As A famously boasts, “Closer to the airport than the nearest hotel!”. Their apartment has a bird’s eye view looking out over the Vancouver Airport. The area of Richmond that they live in is being slowly developed and turned into apartment towers. I’m slightly jealous of the view and that it would be a nice place to spend a lazy winter’s afternoon looking out of the window.

Of my Vancouver experiences, two stick in my mind.

The first was ringing at my bell tower in a foreign country [1] at the Holy Rosary Cathedral.  I managed to ring there twice, once for a wedding and once for service.   Unsurprisingly, ringers are not a diverse bunch, easily spotted lurking outside towers, and fit into some stereotypes.    That said I had a great time and would love to visit them again.

The second was a trip out to the Richmond Night Markets with A, E and Z.   We worshipped at the stall supplying Rotatos (potatoes cut in a swirl on a stick and covered in cinnamon).  Yum!   Wandered past lots of other delicious food smells coming from the other vendors.   Looked at the dozens of stalls selling iPhone covers and shaking my head.   It was a great market experience.

Sadly, I had to leave Canada for the rest of my trip into the US of A and crossed the border at, of all places, Vancouver Airport. I think I get bonus points for avoiding LAX.

[1] No, Queensland doesn’t count.

Mark Terle: South of the border one day, Queensland the next

Mon, 2014-09-22 01:25

Arrived into Brisbane late morning on Saturday 4th August, it was great to finally get out of the chilly parts of Australia back into a nice, warm sunny part of the country.

First memorable experience of my time in Queensland was getting dragged along to a publicity sing for QUMS at the University of Queensland (UQ) Open Day.   Having participated in UWA Open Days I had some idea of what to expect.   Given it was a publicity sing and they needed all the voices they mustered, joined in and sung a lot of the usual songbook repertoire.   Several people were impressed at the sound tech controlling his rig with an iPad, and he was impressed with the volume that we made when we sang Bogoridtyse Deyvo.

I managed to also attend a couple of QUMS Rehearsals and Coffees during my extended stay in  Queensland.   The coffee at S place was enjoyable with lots of spirited post rehearsal conversation, scheming about BIV and working out QUMS fundraising ideas.  Hot dog, anyone?

Catching up with friends in Brisbane was also important.   Had lunch with R at the local golf club that is near his place, unfortunately in the electorate of that awful Campbell Newman person, but a good afternoon with chats about trains, choristers and beer.

The second lunch that was organised was going out to Brisbane’s Worst Vegetarian restaurant, the Norman Hotel, with I and colleague.  A nice T bone steak was consumed and a lot of very geeky conversation ensued and some discussion on careers.

I also got the chance to cook during one of my evenings in Brisbane.  I’ve grown quite fond of cooking bangers and mash.

Celebrated K’s birthday by heading out to dinner at Southbank. The food was excellent and so was the company.

Lots of ringing, rehearsals, service and even a quarter peal behind. I’m looking forward to visiting more towers later in London. I, K and M were excellent company during my ringing in Brisbane.

The second weekend in Brisbane was spent with a trip up to Mount Tambourine with S and K to eat lunch at the Fox and Hounds. A very good faux English pub. The trip also involved a wander around the markets, buying avocados, eating cheese, drinking beer and purchasing some very sinful fudge.

Packing and preparing for the overseas trip became the focus of the last few days in Brisbane.  I’m growing more accustomed to travelling with less, but there were decisions to be made about what ended up getting packed in the back pack and what got left behind.     This also meant the end of the driving trip across Australia, I’d covered somewhere around 7000 km (will need to check fuel records) over the length of the whole journey.    I don’t think I’ll undertake another long drive for a while again, although I’ll need to head down to Busselton for my school reunion when I get back to Australia.

Driving around Brisbane was much nicer than Sydney or Melbourne, just as long as you get the right exit and don’t disappear off onto the Inner City Bypass…. 25 minutes later ….. anyhow, hills are still exciting for a flat town person like me.

Woke up on the morning of the 16th August and took the taxi out to Brisbane Airport. A mixture of sadness at leaving Brisbane with the excitement of heading onwards to Vancouver for the first leg of my international trip. The trip down to Sydney with Qantas was uneventful but otherwise enjoyable. I’ll leave off here and will continue to write about the next part of my trip in another post.

Mark Terle: The United States of New South Wales

Mon, 2014-09-22 01:25

This blog entry has taken some time to put together and write up as other things have been keeping me occupied and enough time for reflective thoughts and writing has been proving elusive.

Drove out of Sydney heading out into regional New South Wales with a mission to get to Parkes in one day.  This is only 400 or so kilometres.  On WA roads, it would be easily achievable and quickly.   I managed it however, but NSW does have a different idea of what a highway is.

Passed through Bathurst, on the way to Parkes, indulged my inner motor head and drove around the Mt Panorama circuit. Headed onwards to Orange and then continued to Parkes.

My GPS decided to take me the dirt track way to get to the telescope and managed to arrive about fifteen minutes before closing at the gift shop. Took some photos, bought some merchandise and indulged the geek in me. Collected some geeky telecommunications photos too. I’m a bit sad that I arrived there several days early, I think it would have been a much more exciting time as the Curiosity Rover was landing.

Returned to Orange for the evening and caught up with J and her band of ringers at Holy Trinity.   A very fun ring with some practice of call changes.   J and her husband put me up overnight which I was thankful for.

It would have been remiss of me to visit Orange without going and seeing B M OAM.   Had a lovely cuppa with him and chatted about all things choral and IV, and then let him return to his home renovations.

Drove onwards and arrived just after dusk in Tamworth.   Found a motel to stay in, after some confusion with the GPS, and settled for the night.   The meal at the restaurant attached was notable for its blandness.

The next day started with a visit to the Big Guitar and was then onwards through Armidale, down the side of the mountain at Dorrigo to Bellingen, a cut across inland to Varley and then onwards to Coffs Harbour.

The motel at Coffs Harbour felt like something out of Survivor, but it had a stove and I took the opportunity to cook for myself for a change whilst travelling. In the morning, the Big Banana was visited and then onwards to Byron Bay.

Byron Bay reminded me very much of Margaret River, however with something mildly wrong and much more exploitative of the tourist. In quaint country town style I had arrived on the day of the Coffs Cup and some stores that I wished to use were closed. Egads!

At K’s suggestion, went and wandered up to the lighthouse and looked out into the Pacific Ocean. Wandered down the hill to the most easterly point of the Australian continent. I then headed back into town and found a nice BnB with the most blue room ever to stay for the night.

The next day was the final major driving leg of this trip to Brisbane, and crossing the border into Queensland.

Returning back to the topic of this post, one of my favourite bits of trivia about the east coast of Australia (as opposed to Western Australia) is that Tasmania, South Australia, Victoria, Queensland and the ACT were all part of New South Wales at some point in their history.

Driving around the east coast of Australia you can see this influence, both current and historic, of Sydney and New South Wales pervade the built environment and culture.

As I crossed the mountains outside of Sydney and got back onto the plane, the areas there felt like a completely different state.   Victoria, now in comparison, seems lost elsewhere in time.   Canberra and ACT seem schizophrenic, not knowing if they want to be New South Wales or Victoria.

I’ve enjoyed seeing the bits of Australia in between and may go and visit there again.

Mark Terle: Crossing the coathanger

Mon, 2014-09-22 01:25

Arrived Sydney late Wednesday afternoon into Parramatta. Visited ringing practice at All Saints. Lovely bells and a nice band, then headed onwards onto D’s place in Petersham.

Understandably snoozed a lot on the Thursday. Friday, I first visited a contact who works for AARNet and touched base on a couple of projects that are under way and caught up with D and Q after they got home.

Saturday was catching up with geek friend, M.

A very good evening was had with L and A and their friend M. M and her friend M also turned up. Met A?. A also dragged M along. Lots of very yummy home made pizzas were made.

Sunday was catching up with S and G for lunch, briefly met their son D.   Lots of change in their life with a new house and a change in employment situation.   The Sunday evening was spent with the cousins, who are always great company.

Monday night was ringing practice at St Andrews, and then Tuesday was getting back on the road again.

Crossed the harbour via the bridge and tunnel multiple times and got used to driving in Sydney… not that scary!

Mark Terle: The woman from snowy river

Mon, 2014-09-22 01:25

This slightly delayed post covers Canberra.   Delayed mostly from not having very much computer time over the past few days to reconnect back into the geeksphere.

Have now done a lot of the tourist things in Canberra – National Carillon, National Portrait Gallery, National Library, Old and New Parliament Houses, Royal Australian Mint and the very solemn Australian War Memorial. There are still a few left like the place with the miniature things.

Enjoyed wandering around the Parliament Houses and looking at the architecture.   Shall have to visit again when the House of Representatives is sitting.

Rung for service at St Pauls in Manuka.  Nice bells and a sociable bunch of ringers, including a Canberra chorister that I already knew.

Went with S and L to a bonfire over the border in New South Wales for Sunday night. Was a fun experience on a cold winter’s night and had lots of yummy Vegan food.

Organised a dinner gathering on the Monday night at a cafe called Cream. N, K, A, C, G, M, R, P, S, D, L, S all turned up throughout the course of events. Introduced M to P and I’m sure they’ll enjoy going for motorbike rides and honing their ninja skills. S came with myself, L and S to get soy fried ice cream elsewhere in Canberra. It was a great experience to introduce completely (for values of Canberra) separate friends to each other and have them get along.

Departed Canberra and headed off to Jindabyne. Saw snow again in the distance (I’m progressively getting closer…) and caught up with D. Had some excellent Indian, chatted about life, IV and floristry. Continued heading onwards to Sydney but that is for another post….

Mark Terle: Inland cities….

Mon, 2014-09-22 01:25

Continued travel up from Melbourne through Albury, Gundagai, Yass and onwards to Canberra which is where I am currently writing to you from.

Having lived all my life effectively on the coast, inland population centres both fascinate and confuse me. Why would anyone live so far from the ocean? What do you do with the extra land that is in one of your four compass directions?

From this visit to Canberra, in comparison to previous ones, the place seems to be going through a bit of a growth spurt.   Talking with the lovely P last night, I was amazed at the comparatively low housing costs compared to Perth.   This is probably making the place attractive to live for some.

Didn’t do as much tourist stuff as I had hoped today.  Was a bit sad when I visited the Telstra Tower to hear that the museum that was there is no more.

Notable achievement for the day was organising a catch up with all my favourite Canberra folk on Monday night.

Mark Terle: Walking ’round the rainy city

Mon, 2014-09-22 01:25

This was about my eighth visit to Melbourne (as far as I can remember/work out) and I’ve finally worked out the zen of the city. This time was different, I had a car and was able to drive around the city.

Melbournians seem unaware of the impact that geography has on their perceptions of their own city and desire to look outside it. One thing I noticed was that the distances that I was travelling were tiny by Perth comparisons but similar travel times. Everything seemed close and easily reachable. Melbourne being a large city also has everything.

Being able to see this is difficult if you are only travelling on foot or public transport.  It is reflected in the nature of the roads and traffic of the city.

I’ve got a lot more rants about Melbourne driving, but I’ll spare you ..

I left today and drove to Albury.  Saw the cultural change the moment I crossed the bridge over the Murray.

Really enjoyed my time at IV. The Berlioz was special, the Brahms a wonderful challenge. Looking forward to AIV and the Rachmaninoff Vespers.

I’m onto the next major phase of my trip – the meandering via Canberra and Sydney up to Brisbane.  Looking forward to that too. Need to catch up on some of the administrivia of life over the next couple of days post IV.

Mark Terle: Climbed one mountain.

Mon, 2014-09-22 01:25

Had the concert for the 63rd Intervarsity Choral Festival performance of the Berlioz Requiem on Saturday night. It was a great sing and it did literally feel like I sung my lungs out. It will go down in my memories as one of my favourite concerts ever.

Dragged C along to the PCP where he provided medicinal cider for my vocal cords and was told to join MonUCS by one and all.

Attended the AIVCC meeting on Sunday. Why do I keep doing this to myself? Apart from that, the meeting went well.

Monday, I, like the rest of the choir, have hit the wall of exhaustion. Rehearsals for the Brahms is going to take a lot of willpower to climb that next mountain. I’m knackered so I’m going to try and get what little sleep I can.

Mark Terle: The Big O

Mon, 2014-09-22 01:25

Had the first orchestral rehearsal with the orchestra for the Berlioz last night.

At one point, the hairs on my neck stood up and my knees began to melt. A truly special musical moment.

Any folk in Melbourne who miss the performance tonight in the Town Hall are going to feel sorry for themselves. (More details about tickets at http://www.miv.aicsa.org.au/)

Anyhow, off to the dress rehearsal.

Mark Terle: In the most isolated capital in the world ….

Mon, 2014-09-22 01:25

I’ve been back in Perth for about a month now and am only starting to re-adjust to it. After having travelled around the world, I still feel very much like a visitor in town (admittedly, one who knows how to get around).

I’ve been extremely lax about writing up my international adventures. It was hard during the trip due to constantly being on the move with sucky internet access and a case of writer’s block. I’ve decided to write up some of the international sections as vignettes so based on requests I’ll write something about those cities first. In order, Vancouver, San Francisco, Chicago, Grand Rapids, Boston, New York, London, Amsterdam (Haarlem), Oslo and Hong Kong (with a bonus Brisbane and Sydney in there too).

I still have to complete my other journey that requires leaving a very familiar place after 19 years, but I suspect that will happen in the new year.  (ask me in person and I’ll be less cryptic)

Anyhow, comments and requests welcome.

Sridhar Dhanapalan: Twitter posts: 2014-09-15 to 2014-09-21

Mon, 2014-09-22 00:27

Andrew Pollock: [life] Day 233: An abortive attempt at bowling and a vet visit

Sat, 2014-09-20 20:25

Taking Zoe bowling has been on my to do list for a while, and yesterday the schedule was pretty open, so I thought I'd try doing it first thing in the morning.

Who would have thought that a bowling alley would be booked solid with senior citizens from 9am onwards? I certainly didn't. So I was a bit disappointed when we rocked up at 9:30am and were told that there weren't any lanes available until 11am.

We stuck around and watched for a little bit anyway, so I could explain stuff to Zoe. There were three lanes that weren't in use the entire time we were there, so I don't know what was up with that.

We had to be home at 11am for a vet visit for Smudge, and so after a brief stop off at the Garage to grab some tomatoes for lunch, we got home just as the vet arrived.

Dr Anthony is the most lovely and charismatic vet you could ever hope to have in your home, and Zoe took to him straight away. She wanted to show him all sorts of random stuff, and had to show him her bedroom before he left. It was very cute, and he was very nice and played along.

I'd asked him to come out to take a look at Smudge because I'd noticed excessive fur missing on the insides of her back legs. Turns out she's just over-grooming, which is probably a stress reaction. Not sure if it's related to reducing her food portions or maybe some random construction in the neighbourhood. The prescription is some Feliway, which like everything else in Australia is exorbitantly expensive. $11.99 on Amazon, $56.70 at Petbarn. Absolutely outrageous.

After lunch, we returned to the bowling alley for our bowling game. Zoe found a 6 pound ball a bit heavy to swing, and didn't really have enough oompf to get it down the lane. We ended up with quite a few balls stuck in the gutter. She did much better with the ball ramp.

I was disappointed that the technician couldn't take us out the back to see the behind the scenes workings, as I thought Zoe would have liked seeing that. I also forgot to get a printout of our score.

She had a great time "playing" on all the car racing arcade games, and we had a game of air hockey, which she was a good height for playing before returning home.

I had a few things that I had to get done, so I let Zoe watch some TV while I did them, and then Sarah arrived to pick her up. I then spent the rest of the night furiously trying to finish off all the written exams I needed to do for my weekend rock climbing course.

linux.conf.au News: Linux.conf.au 2015 welcomes the Deploying OpenStack Miniconf

Sat, 2014-09-20 15:27

OpenStack is Open Source software for building public and private clouds through a series of Infrastructure as a Service building blocks. OpenStack offers virtualized infrastructure -- compute, networking and storage -- as well as orchestration and management tools. Built with the support of a large number of organizations, many of whom sponsor linux.conf.au, there are now thousands of installations around the world. You quite possibly know someone running OpenStack right now.

This year's linux.conf.au miniconf is going to try taking a new approach -- we're going to cover the issues that are important to a System Admin in deploying OpenStack into their environment, while attempting to tell the story of a hypothetical OpenStack deployment from end to end. How does OpenStack integrate with your existing LDAP or Active Directory? What choices need to be made about how to configure storage on your compute nodes? How does scaling your object storage work? What are the networking options you might like to consider? What hypervisor is the right choice for your needs?

We'll also cover the existing configuration management options, including puppet, chef and HP's deployment system tripleo.

The focus of this year's miniconf is explicitly on the deployers of OpenStack, rather than the developers of it. We won't cover developer-centric issues like the latest tweaks to our CI system, or what the state of development is with the Kilo release. We pinky swear there will be no talks on the governance of the OpenStack Foundation.

So, are you interested in deploying cloud infrastructure at your organization? If so, the OpenStack miniconf is the event for you. Also, we'll have stickers. Just sayin'.





linux.conf.au News: Writing Openly; Open Source Documentation Miniconf at Linux.conf.au 2015

Sat, 2014-09-20 11:27

People often complain about the quality of open source project documentation. At the same time, documentation is a great place to get started contributing to an open source community.

This miniconf will explore practical aspects of Open Source documentation, with an eye to applying them right away.

We will look at:

  • popular markup languages (DocBook, DITA, Markdown, etc)
  • version control systems for writers (SVN, git, etc)
  • getting started as a contributor (how to pick a project, getting an account, meeting the community, your first commit, etc)
  • documentation skills and methodologies (topic-based authoring, single sourcing, minimalism, etc)

We'll then be able to start contributing documentation. The pacing of this session will be largely driven by participant interest. It might be that we fly through the concepts straight to a frenetic docs hack fest. It might be that we get a lively argument about the best markup language, or whether minimalism is all hype.

Tim Hildred was a technical writer at Red Hat. Before that, he was a barista at the Linuxcaffe in Toronto.





Andrew McDonnell: Evaluating the security of OpenWRT (part 2)

Sat, 2014-09-20 01:26

In my last post I covered how I set up an OpenWRT build, to examine a small subset of indicators of security of the firmware.

In this follow-up post we will examine in detail the analysis results of one of the indicators: specifically, the RELRO flag.

A first look – what are the defaults?

The analysis here is specific to the Barrier Breaker release of OpenWRT, but it should be noted that during experiments with the OpenWRT development trunk the results are much the same.

Before diving into RELRO, let's take a look at the overall default situation.

Here is the checksec report for the Carambola2 device (MIPS processor) build.

It is a sea of red…

The ‘run as root’ errors can be ignored: those programs are actually absolute symbolic links which do not resolve in the host system. Relative symbolic links resolve correctly but are filtered out of the analysis.

The x86 build paints a similar picture:

(Notably for x86, the NX flag is correctly set, but that is a topic for another time.)

Note, the rest of this post describes how to modify OpenWRT to enable RELRO.  There may be perfectly valid reasons to not enable the flag (for example, using RELRO may have a performance impact, and for a given system the adverse security risk may be judged low), so I have ensured that the suggested mitigation if applied remains a choice in the configuration menu of the system.  For the moment my patch also retains backward compatibility by defaulting to off.

Inside the OpenWRT build system

After a brief look at the build logs, the reason is obvious: the typical gcc linker command is missing the flags needed to enable RELRO: -Wl,-z,relro -Wl,-z,now (or the direct linker equivalents, -z relro -z now).
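What those two flags leave behind in a binary, and so what a per-file RELRO check looks for, as an added example that is not code from the original post: -z relro produces a PT_GNU_RELRO program header, and -z now sets a bind-now marker in the dynamic section. The names relro_status and make_elf are assumptions of this sketch, and make_elf builds constructed header-only samples (32-bit big-endian like the MIPS build, or little-endian like x86).

```python
import struct

PT_NULL, PT_DYNAMIC, PT_GNU_RELRO = 0, 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def relro_status(elf: bytes) -> str:
    """Classify an ELF image (32/64-bit, LE/BE) as 'none', 'partial' or 'full' RELRO."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64, end = elf[4] == 2, "<" if elf[5] == 1 else ">"
    word = "Q" if is64 else "I"
    # e_phoff, then e_phentsize/e_phnum, sit at class-dependent header offsets
    phoff, = struct.unpack_from(end + word, elf, 0x20 if is64 else 0x1C)
    phentsize, phnum = struct.unpack_from(end + "HH", elf, 0x36 if is64 else 0x2A)
    has_relro = bind_now = False
    for i in range(phnum):
        base = phoff + i * phentsize
        p_type, = struct.unpack_from(end + "I", elf, base)
        if p_type == PT_GNU_RELRO:        # emitted by -z relro
            has_relro = True
        elif p_type == PT_DYNAMIC:        # -z now shows up in the dynamic section
            # p_offset..p_filesz follow p_type (and p_flags on ELF64)
            off, _, _, size = struct.unpack_from(end + 4 * word, elf, base + (8 if is64 else 4))
            for pos in range(off, off + size, 16 if is64 else 8):
                tag, val = struct.unpack_from(end + 2 * word, elf, pos)
                if tag == DT_NULL:
                    break
                if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                    bind_now = True
    if not has_relro:
        return "none"
    return "full" if bind_now else "partial"

def make_elf(relro: bool, now: bool, end: str = ">") -> bytes:
    """Constructed sample: header-only 32-bit ELF ('>' = MIPS-style BE, '<' = x86 LE)."""
    dyn = struct.pack(end + "II", DT_FLAGS, DF_BIND_NOW) if now else b""
    dyn += struct.pack(end + "II", DT_NULL, 0)
    ident = b"\x7fELF" + bytes([1, 2 if end == ">" else 1, 1]) + bytes(9)
    ehdr = ident + struct.pack(end + "HHIIIIIHHHHHH", 3, 8 if end == ">" else 3,
                               1, 0, 52, 0, 0, 52, 32, 2, 0, 0, 0)
    def phdr(p_type):  # both headers point at the dynamic table at offset 116
        return struct.pack(end + "8I", p_type, 116, 0, 0, len(dyn), len(dyn), 4, 4)
    return ehdr + phdr(PT_DYNAMIC) + phdr(PT_GNU_RELRO if relro else PT_NULL) + dyn

if __name__ == "__main__":
    for relro, now in [(False, False), (True, False), (True, True)]:
        print(relro, now, relro_status(make_elf(relro, now)))
```

Running relro_status over the bytes of every ELF file in a built root filesystem gives a per-binary list of which packages did not pick up the global linker flags.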

What could be done to address this?

OpenWRT provides a hook for appending to the global compiler CFLAGS but there is no similar hook for the linker stage. We could add those flags to the global CFLAGS and they can in fact flow through to the linker for many programs, but that would also be redundant as the flags are irrelevant to the compiler.  In the end I decided I would modify the OpenWRT source to add a new global CONFIG option, which adds -Wl,-z,relro -Wl,-z,now to the global LDFLAGS instead.

The following patch achieves that (note, I have left out some of the help for brevity):

diff --git a/rules.mk b/rules.mk index c9efb9e..e9c58d8 100644 --- a/rules.mk +++ b/rules.mk @@ -177,6 +177,10 @@ else endif endif +ifeq ($(CONFIG_SECURITY_USE_RELRO_EVERYWHERE),y) + TARGET_LDFLAGS+= -Wl,-z,relro -Wl,-z,now +endif + export PATH:=$(TARGET_PATH) export STAGING_DIR export SH_FUNC:=. $(INCLUDE_DIR)/shell.sh; diff --git a/toolchain/Config.in b/toolchain/Config.in index 7257f1d..964200d 100644 --- a/toolchain/Config.in +++ b/toolchain/Config.in @@ -38,6 +38,19 @@ menuconfig TARGET_OPTIONS Most people will answer N. + config SECURITY_USE_RELRO_EVERYWHERE + bool "Enable RELRO and NOW for binaries and libraries" if TARGET_OPTIONS + default n + help + Apply -z relro -z now flag to the linker stage for all ELF binaries and libraries. menuconfig EXTERNAL_TOOLCHAIN bool
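Review bot: In the rules.mk hunk the flags are appended to TARGET_LDFLAGS only in the compiler-driver form (-Wl,-z,relro -Wl,-z,now), so a package that links with ld directly, or that never passes TARGET_LDFLAGS to its link step, silently ends up without RELRO. Consider exposing the bare linker form (-z relro -z now) in a separate variable for such packages, and add a comment beside the ifeq stating which form is set here and that per-package Makefiles must pass it through.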
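Review bot: The help text for SECURITY_USE_RELRO_EVERYWHERE in toolchain/Config.in says the flags apply "for all ELF binaries and libraries", which is more than a global LDFLAGS change can guarantee. The help should state that coverage depends on each package honouring the global linker flags, and mention the possible performance impact so that leaving the default at n is an informed choice.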

Having patched OpenWRT and enabled the new flag, let's rebuild everything again and run another checksec scan.

What a difference!

The results shown above are for x86; the picture is similar for the Carambola2 MIPS image.

The new results indicate that the RELRO flag is present on some binaries but not all of them. From this we can predict that some packages do not fully honour the global OpenWRT build system linker flags. I soon confirmed this**; the implication is that the new flag CONFIG_SECURITY_FORCE_RELRO is useful, however, a caveat in the Kconfig help is required. In particular, a statement to the effect that the efficacy depends on proper coding of OpenWRT packages (with ideally all packages maintained by the project being fixed to honour the flag).

** For example: the package that builds libnl-tiny.so does not pass LDFLAGS through to the linker; this and some other base system packages needed patching to get complete coverage. It is likely that there are other packages that I did not have selected that may also need tweaking.

Another notable package is busybox. Busybox, it turns out, uses ld directly for linking, instead of indirectly via gcc, and thus requires the flags in the pure form -z relro -z now. (The busybox OpenWRT package Makefile also happens to treat the global TARGET_LDFLAGS differently from the TARGET_CFLAGS, although I am unsure if this is a bug; but that turned out to be a red herring.) Oddly, this solution worked for MIPS when I tried it previously, but is presently not successful for the x86 build, so further investigation is needed here; possibly I incorrectly noted the fix in previous experiments.

Fun and Games with uClibc and busybox

The other recalcitrant is the uClibc library. I spent quite a bit of time trying to work out why this was not working, especially having confirmed with verbose logging that the flags are being applied as expected. Along the way I learned that uClibc already has its own apply RELRO config item, which was already enabled. Even more oddly, RELRO is present on some uClibc libraries and not others, which as far as I could tell were being linked with identical linker flag sets.

After some digging I discovered hints of bugs related to RELRO in various versions of binutils, so I further patched OpenWRT to use the very latest binutils release. However that made no difference. At this point I took a big diversion and spent some time building the latest uClibc externally, where I discovered that it built fine using the native toolchain of Debian Wheezy (including a much older binutils!) After some discussion on the uClibc mailing list I have come to the conclusion that there may be a combination of problems, including the fact that uClibc in OpenWRT is a couple of years old (and additionally has a set of OpenWRT-specific patches). I could go further and patch OpenWRT to use the trunk uClibc but then I would have to work through refreshing the set of patches which I really don’t have time or inclination to do, so for the moment I have deferred working on resolving this conundrum. Eventually someone at OpenWRT may realise that uClibc has undergone a flurry of development in recent times and may bump to the more recent version.

Comments

Along the way, I discovered that Debian actually runs security scans across all packages in the distribution – take a look at https://lintian.debian.org/tags/hardening-no-relro.html.

It is worth noting that whenever changing any build-related flag it is worth cleaning and rebuilding the toolchain as well as the target packages and kernel; I found without doing this, flag changes such as the RELRO flag don’t fully take effect as expected.

For maximum verboseness, run with make V=csw although I had to dig through the code to find this out.

I was going to repeat all the testing against a third target, another MIPS-based SOC, the RALINK 3530, but at this point I don’t really have the time or inclination; I am sure the results will be quite similar. It would probably be useful to try with an ARM-based target as well.

I should also try repeating this experiment with MUSL, which is an alternative C library that OpenWRT can be built with.

Conclusion

Out of the box, OpenWRT has very limited coverage of the RELRO security mitigation in a standard firmware build. By applying the suggested patches it is possible to bring OpenWRT up to a level of RELRO coverage approaching that of a hardened Gentoo or Ubuntu distribution, with only a small subset of binaries missing the flag.

References

My Github account includes the repository openwrt-barrier-breaker-hardening. The following branch includes the completed series of patches mentioned above: owrt_analysis_relro_everywhere. I hope it will remain possible to apply these changes against the official release for a while yet.

The patch that enables the latest binutils is not in that branch, but in this commit.