Planet Linux Australia
We didn't have a lot planned for the day, and given that we were embarking on a camping trip the following day, I decided to keep it that way. As it was, we still managed to have a pretty busy day.
I started the day off with a run, and managed to do 10 kilometres for the first time in ages. It was a dreadful time, but I was going for progress over perfection.
I didn't realise I had a chiropractic adjustment, so I had to go straight to the chiropractor after my run and sweat all over everything. I felt so bad, but I haven't had an adjustment since before Christmas, so it was great.
Then Sarah dropped Zoe off, and I finally got to have a shower and some breakfast. After that, we headed over to the doctor for the obligatory weekly wart freezing appointment. I think it's been the production it has been because the doctor hasn't been able to give it a really decent hit with the liquid nitrogen, but it's definitely shrinking. She was super brave and even let the doctor give it a bit of a scrape with a scalpel to take off some of the top layers of dead skin. I'm grateful that we have the relationship that we do, because she was a bit scared, but she trusted me anyway, and it all worked out fine.
On the way home, we picked up some mail from the post office. I have to resubmit one unit of my real estate licence course, because I made a mistake, but I passed the other one. I think I'm waiting for one more unit to come back.
After that, we just hung out at home until after lunch, and then went to Woolworths to do some grocery shopping. We ran into Lachlan there, and Zoe and Lachlan had a great time hanging out while we did the grocery shopping.
Instead of getting ready for camping, I decided to have a crack at baking one of the things I want to put in Zoe's school lunchbox, some Hidden Veggie Lunchbox Scrolls. They turned out pretty good, like something you'd get from Baker's Delight. The challenge now is to make space for them in the freezer.
In computing, a DMZ (demilitarized zone) is a method for separating untrusted traffic from a trusted network. One of the most common uses is hosting a publicly accessible server (such as a web server) on a home internet connection. The server sits in the DMZ and can be accessed from the Internet, but it cannot access the trusted network.
OpenWRT probably needs no introduction: it is the brilliant open source, community driven, Linux based embedded router stack. I run it on my Netgear WNDR3800.
I have an ODROID-U3 (a little ARM box) running Fedora, which runs a web server. This is what I want to make publicly available in my DMZ.
So, how to create a DMZ in OpenWRT? Some commercial routers have a single “make a DMZ” button and everything is handled behind the scenes for you. Not so with OpenWRT; it’s powerful, transparent, and only does what you tell it to, so we have to create it manually.
Physical devices
My router has a bunch of physical interfaces:
- eth0 (switch)
- eth1 (ethernet)
- wlan0 (wireless card)
- wlan1 (5GHz wireless card)
The eth1 device maps to the physical WAN port on the back of the router. It’s important to note that the physical interfaces may differ from router to router, depending on the chipsets.
The Switch
The switch (eth0) includes a number of ports, including the four physical ones on the back of the router, a fifth one that’s not used, as well as one that connects to the CPU.
The switch supports VLANs (virtual LANs), and by default OpenWRT puts all of those ports into VLAN 1. This means that devices plugged into those four ports at the back are on the same virtual switch and are able to communicate with each other. If I changed the VLAN of one of those ports to VLAN 10, the device plugged into that port would no longer be able to communicate with the other devices on the switch. This is the basis for our DMZ.
That VLAN 1 actually creates a new interface on the router:
- eth0.1 (VLAN 1)
The configuration of the switch (including the mapping of ports to VLANs) is available under the switch menu, Network -> Switch.
Note: The port numbers on the switch in OpenWRT do not necessarily map in the right direction to the back of the router. In my case, port 0 on the switch is port 4 on the back of the router.
Creating a new VLAN
The first thing we want to do is create VLAN 10 and then assign one of the ports to that VLAN, removing it from VLAN 1.
- Browse to Network -> Switch
- Click Add to make a new VLAN entry
- Set this new entry’s VLAN ID to 10
- In the VLAN 1 row, change Port 0 to off
- In the VLAN 10 row, change Port 0 to untagged
- In the VLAN 10 row, change CPU port to tagged
Setting VLAN to untagged tells the switch to add the appropriate VLAN tag to each ethernet frame as the traffic exits that port. The setting tagged means that the switch should expect that traffic leaving the port has already been tagged, perhaps by the operating system running on the device which is attached to the port.
Port 0 (port 4 on the back of the router) is now in VLAN 10 while the remaining three ports are in VLAN 1, so it is now isolated from the others. The CPU port is also in VLAN 10, else we would not be able to pass any traffic to port 0.
That new VLAN 10 creates a new interface on the router:
- eth0.10 (VLAN 10)
In OpenWRT you create virtual network interfaces which map to physical devices on the router. These are available under the Network -> Interfaces menu.
For example, my router has:
- LAN (for my internal local area network)
- WAN (for the external Internet connection)
One or more physical devices are attached to these zones, for example in my case:
- LAN (bridges VLAN 1 eth0.1, wlan1 and wlan0 together)
- WAN (eth1)
The LAN bridge creates a new interface on the router:
- br-lan (bridged LAN)
Once we have created our new VLAN, we want to create a new interface for the DMZ. In the same way that the VLAN 1 device, eth0.1, is attached to the LAN interface, we will attach the VLAN 10 device, eth0.10, to our new DMZ interface.
- Browse to Network -> Interfaces
- Click Add New Interface to make a new DMZ zone
- Set the name of the new interface to DMZ
- Leave the protocol of the new interface to static
- Ensure bridge over multiple interfaces remains unchecked
- For the interface, select only VLAN Interface: “eth0.10”
- Click Submit
You should be presented with a new configuration screen for this interface.
- Set IPv4 address to something in a new range different to LAN, e.g. if your LAN is 192.168.1.1 then set DMZ to 192.168.0.1
- Leave the rest of the settings blank, you do not need to set routes, or IPv6 if you don’t want to
- Click on the Advanced Settings tab
- Ensure Bring up on boot is ticked
- If you don’t want IPv6, untick Use builtin IPv6-management
- Click on the Physical Settings tab; it should already be set to eth0.10
- Click on the Firewall Settings tab
- Under Create / Assign firewall-zone select unspecified -or- create and type dmz
- Click Save and Apply
- If you want to run DHCP on your DMZ, then under DHCP Server click Setup DHCP Server button, leave default settings
We now have a new interface (zone) called DMZ that’s set to use our DMZ VLAN. It has a new firewall zone assigned to it, dmz, which we now need to configure.
Firewall
Now we need to configure the firewall to do a few things:
- Allow the DMZ to talk to the WAN zone, so that devices can access the Internet
- Allow the LAN zone to talk to the DMZ, but not the other way around
- Add some traffic rules opening ports 53 and 67, so that devices from the DMZ can access DNS and DHCP services on the router’s DMZ IP address
- Finally, forward the HTTP port (80) from the external Internet-facing WAN interface onto a device in the DMZ
Let’s do zone settings first.
- Browse to Network -> Firewall
- Under the Zones section on General Settings page, edit the dmz zone
- Leave the name set to dmz
- Set input to reject, so that we drop all incoming packets by default
- Leave output as accept. You could set this to reject by default, but then you’ll need specific outgoing rules as required (such as for Yum updates)
- Leave Masquerading and MSS clamping disabled
- Under Covered networks ensure that only dmz is selected
- Under the section Inter-Zone Forwarding, ensure Allow forward to destination zones is set only to WAN
- Ensure Allow forward from source zones is set only to LAN
- Click Advanced Settings tab
- If you don’t want IPv6, you can set Restrict to address family to IPv4 only
- Tick Enable logging on this zone, so that we can see what’s happening
Now let’s do port forwards.
- Click on the Port Forwards tab
- Under New port forward section, give a name, such as dmz-http
- Set Protocol to TCP
- Set External zone to WAN
- Set External port to 80
- Set Internal zone to DMZ
- Set Internal IP address to your DMZ server, e.g. 192.168.0.100
- Set Internal port to 80
- Click Add when you’re happy
- Repeat for HTTPS port 443 if you want to run a secure server
Finally, let’s finish with traffic rules.
- Click on the Traffic Rules tab
- Under Open ports on router, set a name like dhcp-dns
- Under Protocol, select UDP
- Under Port, set 53
- Click Add
- Find your new rule in the list and click edit
- Set Destination address to your router’s DMZ IP address
- Repeat for DHCP port 67 UDP if you want to use the router’s DHCP server, but don’t set the destination address, as DHCP is broadcast
If you want to be able to ping the router from the DMZ clients, do this.
- Set a name like ping-dmz
- Set protocol to Other
- Click Add
- In the new configuration page, set Protocol to ICMP
- Set Match ICMP type to echo reply
- Set Source zone to dmz
- Leave Destination zone to Device (input)
- Set Destination address to your router’s DMZ IP address
- Click Save
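The zone, forwarding, port forward and traffic rule settings above end up in /etc/config/firewall on the router. The following is an added example, not code from the original post: a constructed UCI fragment that mirrors the LuCI steps (zone names, ports and the 192.168.0.x addresses are the post's; the option names are the ones OpenWRT's fw3 firewall writes) plus a small audit function of my own that checks the one property a DMZ exists for, that the DMZ can reach the WAN and be reached from the LAN but cannot initiate traffic into the LAN. A second copy of the config with a stray dmz-to-lan forwarding entry shows the check catching it.

```python
import shlex

# Constructed /etc/config/firewall fragment mirroring the LuCI steps in the
# post: dmz zone rejecting input, forwarding dmz->wan and lan->dmz only, the
# dmz-http redirect and the dhcp-dns rules. Written in the UCI syntax fw3 uses.
FIREWALL_CONFIG = """
config zone
	option name 'dmz'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option network 'dmz'

config forwarding
	option src 'dmz'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'dmz'

config redirect
	option name 'dmz-http'
	option src 'wan'
	option src_dport '80'
	option dest 'dmz'
	option dest_ip '192.168.0.100'
	option dest_port '80'
	option proto 'tcp'
	option target 'DNAT'

config rule
	option name 'dhcp-dns'
	option src 'dmz'
	option proto 'udp'
	option dest_port '53'
	option dest_ip '192.168.0.1'
	option target 'ACCEPT'

config rule
	option name 'dhcp'
	option src 'dmz'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'
"""

# The same config with one extra entry that lets the DMZ initiate traffic into the LAN.
LEAKY_CONFIG = FIREWALL_CONFIG + "config forwarding\n\toption src 'dmz'\n\toption dest 'lan'\n"


def parse_uci(text):
    """Parse UCI syntax into a list of (section_type, options) pairs."""
    sections = []
    for raw in text.splitlines():
        words = shlex.split(raw, comments=True)
        if not words:
            continue
        if words[0] == "config":
            sections.append((words[1], {}))
        elif words[0] == "option" and sections:
            sections[-1][1][words[1]] = words[2]
        elif words[0] == "list" and sections:
            sections[-1][1].setdefault(words[1], []).append(words[2])
    return sections


def audit_dmz(text, dmz="dmz", lan="lan", wan="wan"):
    """Return the policy violations found; an empty list means the DMZ policy holds."""
    sections = parse_uci(text)
    zones = {o.get("name"): o for t, o in sections if t == "zone"}
    forwards = {(o.get("src"), o.get("dest")) for t, o in sections if t == "forwarding"}
    if dmz not in zones:
        return [f"no zone named {dmz}"]
    findings = []
    if zones[dmz].get("input") not in ("REJECT", "DROP"):
        findings.append(f"{dmz} zone does not reject traffic to the router by default")
    if zones[dmz].get("forward") not in ("REJECT", "DROP"):
        findings.append(f"{dmz} zone forwards to every zone by default")
    if (dmz, wan) not in forwards:
        findings.append(f"{dmz} cannot reach {wan}")
    if (lan, dmz) not in forwards:
        findings.append(f"{lan} cannot reach {dmz}")
    if (dmz, lan) in forwards:
        findings.append(f"{dmz} -> {lan} forwarding is allowed")
    for kind, o in sections:
        if kind == "redirect" and o.get("src") == wan and o.get("dest") != dmz:
            findings.append(f"redirect {o.get('name')} from {wan} lands outside {dmz}")
        # Router-bound ACCEPT rules from the DMZ should be pinned to the router's
        # DMZ address, except DHCP (port 67), which arrives as a broadcast.
        if (kind == "rule" and o.get("src") == dmz and "dest" not in o
                and o.get("target") == "ACCEPT" and "dest_ip" not in o
                and o.get("dest_port") != "67"):
            findings.append(f"rule {o.get('name')} is not limited to the router's {dmz} address")
    return findings
```

Run `audit_dmz(open("/etc/config/firewall").read())` on the router (or on a copy pulled with scp) after Save and Apply; `[]` means the DMZ policy matches what the steps above intend, and anything else names the entry to revisit in Network -> Firewall.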
Remember we told the router to log the DMZ? Well, now we can monitor the firewall rules by browsing to Status -> Kernel Log. Here you should be able to see any rejects that are happening, which is useful to work out why something isn’t happening as you expect on the DMZ.
For example, disable the ping-dmz rule and then try to ping the router from your DMZ server. Refresh the Kernel Log and you should see entries appear.
Testing
Plug in a device and see if it gets an IP address. Try to ping 126.96.36.199 (Google DNS server), then try to ping google.com.
Set up a web server on your DMZ box, or use netcat to listen on port 80. Get your external IP address from the router, or Google “my ip”. Now get a friend to browse to your IP and see if you see your web server.
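Reading the Kernel Log entry by entry gets tedious once the DMZ has a few hosts on it. As an added example (mine, not from the original post), the script below parses the reject lines and tallies them by zone, chain, egress device and destination port, so a DMZ host probing the LAN shows up as a `forward` entry with `OUT=br-lan`. The log lines are constructed, in the form fw3 logs when Enable logging is ticked on a zone; that prefix format and the addresses (the post's 192.168.0.x and 192.168.1.x ranges) are assumptions.

```python
import re
from collections import Counter

# Constructed kernel log lines in the shape fw3 produces when "Enable logging"
# is ticked on a zone (assumed prefix "<ACTION> <zone> <in|forward>: " followed
# by netfilter's KEY=VALUE fields); addresses follow the post's example ranges.
SAMPLE_KERNEL_LOG = """\
[  512.101] REJECT dmz in: IN=eth0.10 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.100 DST=192.168.0.1 LEN=84 TTL=64 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
[  513.101] REJECT dmz in: IN=eth0.10 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.100 DST=192.168.0.1 LEN=84 TTL=64 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=2
[  530.440] REJECT dmz forward: IN=eth0.10 OUT=br-lan SRC=192.168.0.100 DST=192.168.1.10 LEN=60 TTL=63 PROTO=TCP SPT=41022 DPT=22 WINDOW=29200 SYN
[  531.002] REJECT dmz in: IN=eth0.10 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.100 DST=192.168.0.1 LEN=52 TTL=64 PROTO=TCP SPT=41023 DPT=80 WINDOW=29200 SYN
[  540.000] eth0: link up
"""

FW3_LINE = re.compile(r"(?P<action>REJECT|DROP|ACCEPT) (?P<zone>\w+) (?P<chain>in|forward): (?P<fields>.*)$")


def parse_fw3_line(line):
    """Return a dict for one fw3 log line, or None for lines the firewall did not write."""
    m = FW3_LINE.search(line)
    if m is None:
        return None
    event = {"action": m.group("action"), "zone": m.group("zone"), "chain": m.group("chain")}
    for token in m.group("fields").split():
        key, sep, value = token.partition("=")
        event[key] = value if sep else True   # bare flags such as SYN or DF
    return event


def summarise_rejects(log_text):
    """Count rejected packets by zone, chain, egress device, protocol and target port/type."""
    counts = Counter()
    for line in log_text.splitlines():
        event = parse_fw3_line(line)
        if event is None or event["action"] != "REJECT":
            continue
        target = event.get("DPT") or event.get("TYPE")   # port for TCP/UDP, type for ICMP
        egress = event.get("OUT") or "router"             # empty OUT= means the packet was for the router
        counts[(event["zone"], event["chain"], egress, event.get("PROTO"), target)] += 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(summarise_rejects(SAMPLE_KERNEL_LOG).items()):
        zone, chain, egress, proto, target = key
        print(f"{n:3d}  {zone} {chain:7s} -> {egress:7s} {proto} {target}")
```

On the router itself, `dmesg` (or `logread` on builds that send firewall logs to syslog) gives the same text the Kernel Log page shows, so the output of that command can be piped straight into `summarise_rejects`. The two ICMP `in` entries are the ping test from the section above with the ping-dmz rule disabled; the `forward` entry to br-lan is the one worth noticing, because it means something in the DMZ tried to reach the LAN and the zone policy stopped it.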
Update: This chart has been updated and I’ve added charts for C++11 Concurrency, C++14, and C++17 here.
One of the things I wanted to see was not just how support had advanced between versions of each compiler, but how compilers had changed relative to one another over time. I extracted the numbers for C++11 from Christophe’s document, found the release dates for each compiler, and created a chart that puts it all together.
It’s interesting to see how far behind Clang starts in comparison to the others, and that it ends up in a close dance with GCC on the way to full C++11 support. It also highlights how disappointing VC++ has been in terms of language feature advancement — particularly when VS2010 was ahead of Clang and ICC for C++11 features.
Creating the chart also served as an opportunity to play around with data visualization using Bokeh. As such, you can click on the chart above and you’ll see a version that you can zoom, pan, and resize (which is only a small part of what Bokeh offers). I intend to write about my experiences with Bokeh at a later date.
Release dates for each compiler were taken from the following pages:
- Visual Studio: http://en.wikipedia.org/wiki/Microsoft_Visual_Studio
- GCC: https://gcc.gnu.org/releases.html
- Clang: http://llvm.org/releases/
- ICC: http://en.wikipedia.org/wiki/Intel_C++_Compiler
The date used to mark the approval of the C++11 standard is taken from http://en.wikipedia.org/wiki/C++11
For the lazy among you, the easiest Reaktor synthesisers can be built as follows. Right click in the workspace, Instrument -> Synthesizers -> Option, and then hook up to the correct/relevant Voice Combiner. My designs obviously start from scratch though, as I'd like to be able to design some both for educational purposes, for resale, and if that's not possible simply to give away.
You can download my updated experiments from here:
- https://sites.google.com/site/dtbnguyen/Multiple-Oscillator-Sawtooth-Triangle-Sine-Filter-Interface-Delay-4.ens
- https://sites.google.com/site/dtbnguyen/Multiple-Oscillator-Sawtooth-Triangle-Sine-Parabol-Impulse-Pulse-Filter-Interface-Delay-5.ens
- https://sites.google.com/site/dtbnguyen/Multiple-Oscillator-Sawtooth-Triangle-Sine-Parabol-Impulse-Pulse-Filter-Interface-Delay-Pan-6.ens
- https://sites.google.com/site/dtbnguyen/Multiple-Oscillator-Polyphonic-Selector-Filter-Interface-Delay-Pan-7.ens
I've been looking to build some Android software applications for a while now (curious to know whether this is a viable long term option). It's interesting how many people actually Open Source their software on the various web stores.
I recently wanted to download all the applications/archives from a particular website, http://www.vst4free.com/, so I looked at various website download programs (HTTrack, Teleport Pro, wget, curl, etc...). In spite of the filters/wildcards that were available they were too slow to be realistic.
Use wildcards to exclude or include URLs or links. You can put several scan strings on the same line. Use spaces as separators. Example: +*.zip -www.*.com -www.*.edu/cgi-bin/*.cgi
+*.png +*.gif +*.jpg +*.css +*.js -ad.doubleclick.net/*
+*.zip +*.exe +*.msi +*.tar.gz +*.tar +*.rar
+*.css +*.js -ad.doubleclick.net/*
What did I do? I built something because I noticed patterns in the way files were encoded.
Range for Instrument VSTs
was the same as
which converted to
which could then be parsed for automated download.
Range for Effects VSTs
was the same as
which converted to
which could then be parsed for automated download.
Range for Midi VSTs
You can download my script from here: https://sites.google.com/site/dtbnguyen/download_date_sections.sh.zip
As I've stated previously, I've been thinking of re-spinning some versions of Linux for fun and possibly profit. The irony is that it's actually much easier to go down than it is to go up. Namely, the smaller distributions such as DamnSmall don't really lend themselves to customisation going up because there are too many dependencies that need to be remedied prior to being able to come up with something workable. This has led me to work on scripts to achieve the exact opposite on smaller (but large, such as Knoppix) DVD/CD based live distributions. They work based on class of program, using yum or apt package information. It'll be interesting to see what we can do.
smallest damn thing that you can possibly get?
Several of the ways in which I was thinking about making revenue was:
- distributing/re-sale on chosen media such as USB, CD, DVD, etc... http://damnsmalllinux.org/usb.html
- creating custom versions for whoever wants them. After all, if I'm currently building the code to allow for this why not? (You need to send a portion of payment now and rest on delivery.) Working preferably only on smaller distributions at this point unless the project is really interesting.
- figuring out what the public wants and then attempting to build that for them
- figuring out what the best possible distribution is and attempting to build that for the public
- support via of these distributions
NoOps with Ansible and Puppet – Monty Taylor
- didn’t know it was a contentious term
- “devs can code and let a service deploy, manage and scale their code”
- I want to change the system by landing commits. don’t want to “do ops”
- if I have to use my root access it is a bug
- Cloud Native
- Ephemeral Compute
- Data services
- Design your applications to be resilient via scale out
- Cloud scale out, forget HA for one system, forget long-lived system, shared-nothing for everything. Cloud provides the hard scale-out/HA/9s stuff
- Great for new applications
- OpenStack Infra
- Tooling, automation, and CI for the openstack project
- 2000 devs
- every commit is fully tested.
- each test runs on a single use cloud slave
- 1.7 million test jobs in the last 6 months. 18 TB of log data
- all runs in HP and rackspace public clouds
- Create Servers manually at 1st
- Step 1 – Puppet
- extra hipster because it is in ruby
- If you like ruby it is awesome. If you don’t, it is less awesome
- collaboration from non-root users
- code review
- problem that it blows up when you try and install the same thing in two different places
- 3 ways to run. masterless puppet apply. master + puppet agent daemon . master + puppet agent non-daemons
- Secret stuff that you don’t want in your puppet git repo
- Step 2 – Ansible for orchestration
- Control the puppet agent so it runs it nicely and in schedule and on correct hosts first
- Open source system management tool
- Sequence of steps not description of state like puppet
- ad-hoc operation. run random commands
- easy to slowly grow over time till it takes over puppet
- yaml syntax of config files
- Step 3 – Ansible for cloud management
- Ansible config currently mixed in with puppet under – http://git.openstack.org/cgit/openstack-infra/system-config/
- Steve Walsh wins Rusty Wrench award
- Preview of Linux.conf.au 2016 in Geelong
- Much flatter than Auckland
- Deakin University – Waterfront Campus
- Waurn Ponds student accommodation 15 minutes with shuttles
- Feb 8th – 12th 2016
- CFP 1st of June 2015
- Theme “life is better with linux”
- 4 keynotes confirmed or in final stages of discussion, 2 female, 2 male
- NFS keytags
- Announcement for Linux.conf.au 2017 will be in Hobart
- Add more detailed network information to the metadata server: review 85673 (approved).
- Add separated policy rule for each v2.1 api: review 127863 (requested a spec exception).
- Add user limits to the limits API (as well as project limits): review 127094.
- Allow all printable characters in resource names: review 126696 (approved).
- Consolidate all console access APIs into one: review 141065 (approved).
- Expose the lock status of an instance as a queryable item: review 127139 (abandoned); review 85928 (approved).
- Extend api to allow specifying vnic_type: review 138808 (requested a spec exception).
- Implement instance tagging: review 127281 (fast tracked, approved).
- Implement the v2.1 API: review 126452 (fast tracked, approved).
- Improve the return codes for the instance lock APIs: review 135506.
- Microversion support: review 127127 (approved).
- Move policy validation to just the API layer: review 127160 (approved).
- Nova Server Count API Extension: review 134279 (fast tracked).
- Provide a policy statement on the goals of our API policies: review 128560 (abandoned).
- Sorting enhancements: review 131868 (fast tracked, approved, implemented).
- Support JSON-Home for API extension discovery: review 130715 (requested a spec exception).
- Support X509 keypairs: review 105034 (approved).
- Expand support for volume filtering in the EC2 API: review 104450.
- Implement tags for volumes and snapshots with the EC2 API: review 126553 (fast tracked, approved).
- Actively hunt for orphan instances and remove them: review 137996 (abandoned); review 138627.
- Add totalSecurityGroupRulesUsed to the quota limits: review 145689.
- Check that a service isn't running before deleting it: review 131633.
- Enable the nova metadata cache to be a shared resource to improve the hit rate: review 126705 (abandoned).
- Implement a daemon version of rootwrap: review 105404 (requested a spec exception).
- Log request id mappings: review 132819 (fast tracked).
- Monitor the health of hypervisor hosts: review 137768.
- Remove the assumption that there is a single endpoint for services that nova talks to: review 132623.
- Allow direct access to LVM volumes if supported by Cinder: review 127318.
- Cache data from volumes on local disk: review 138292 (abandoned); review 138619.
- Enhance iSCSI volume multipath support: review 134299 (requested a spec exception).
- Failover to alternative iSCSI portals on login failure: review 137468 (requested a spec exception).
- Give additional info in BDM when source type is "blank": review 140133.
- Implement support for a DRBD driver for Cinder block device access: review 134153 (requested a spec exception).
- Poll volume status: review 142828 (abandoned).
- Refactor ISCSIDriver to support other iSCSI transports besides TCP: review 130721 (approved).
- StorPool volume attachment support: review 115716 (approved, requested a spec exception).
- Support Cinder Volume Multi-attach: review 139580 (approved).
- Support iSCSI live migration for different iSCSI target: review 132323 (approved).
- Cells Scheduling: review 141486.
- Create an instance mapping database: review 135644 (approved).
- Flexible cell selection: review 140031.
- Implement instance mapping: review 135424 (approved).
- Populate the instance mapping database: review 136490 (requested a spec exception).
- Initial specification: review 114044 (abandoned).
- Develop and implement a profiler for SQL requests: review 142078 (abandoned).
- Enforce instance uuid uniqueness in the SQL database: review 128097 (fast tracked, approved, implemented).
- Nova db purge utility: review 132656.
- Online schema change options: review 102545 (approved).
- Support DB2 as a SQL database: review 141097 (fast tracked, approved).
- Validate database migrations and model: review 134984 (approved).
- Migrate the Docker Driver into Nova: review 128753.
- Implement support for FreeBSD networking in nova-network: review 127827.
- Allow volumes to be stored on SMB shares instead of just iSCSI: review 102190 (approved, implemented).
- Instance hot resize: review 141219.
- Add config drive support: review 98930 (approved).
- Pass through flavor capabilities to ironic: review 136104 (approved).
- Add ephemeral disk support to the VMware driver: review 126527 (fast tracked, approved).
- Add support for the HTML5 console: review 127283 (requested a spec exception).
- Allow Nova to access a VMWare image store over NFS: review 126866.
- Enable administrators and tenants to take advantage of backend storage policies: review 126547 (fast tracked, approved).
- Enable the mapping of raw cinder devices to instances: review 128697.
- Implement vSAN support: review 128600 (fast tracked, approved).
- Support multiple disks inside a single OVA file: review 128691.
- Support the OVA image format: review 127054 (fast tracked, approved).
- Add Quobyte USP support: review 138372 (abandoned); review 138373 (approved).
- Add VIF_VHOSTUSER vif type: review 138736 (approved).
- Add a Quobyte Volume Driver: review 138375 (abandoned).
- Add finetunable configuration settings for virtio-scsi: review 103797 (abandoned).
- Add large page support: review 129608 (approved).
- Add support for SMBFS as a image storage backend: review 103203 (approved, implemented).
- Allow scheduling of instances such that PCI passthrough devices are co-located on the same NUMA node as other instance resources: review 128344 (fast tracked, approved).
- Allow specification of the device boot order for instances: review 133254.
- Allow the administrator to explicitly set the version of the qemu emulator to use: review 138731 (abandoned).
- Consider PCI offload capabilities when scheduling instances: review 135331.
- Convert to using built in libvirt disk copy mechanisms for cold migrations on non-shared storage: review 126979 (fast tracked).
- Derive hardware policy from libosinfo: review 133945 (approved).
- Implement COW volumes via VMThunder to allow fast boot of large numbers of instances: review 128810 (abandoned); review 128813 (abandoned); review 128830 (abandoned); review 128845 (abandoned); review 129093 (abandoned); review 129108 (abandoned); review 129110 (abandoned); review 129113 (abandoned); review 129116; review 137617.
- Implement configurable policy over where virtual CPUs should be placed on physical CPUs: review 129606 (approved).
- Implement support for Parallels Cloud Server: review 111335 (approved); review 128990 (abandoned).
- Implement support for zkvm as a libvirt hypervisor: review 130447 (approved).
- Improve total network throughput by supporting virtio-net multiqueue: review 128825 (requested a spec exception).
- Improvements to the cinder integration for snapshots: review 134517.
- Quiesce instance disks during snapshot: review 128112; review 131587 (abandoned); review 131597.
- Real time instances: review 139688.
- Stop dm-crypt device when an encrypted instance is suspended or stopped: review 140847 (approved).
- Support SR-IOV interface attach and detach: review 139910 (requested a spec exception).
- Support StorPool as a storage backend: review 137830.
- Support for live block device IO tuning: review 136704.
- Support libvirt storage pools: review 126978 (fast tracked, approved).
- Support live migration with macvtap SR-IOV: review 136077.
- Support quiesce filesystems during snapshot: review 126966 (fast tracked, approved).
- Support using qemu's built in iSCSI initiator: review 133048 (approved).
- Volume driver for Huawei SDSHypervisor: review 130919.
- Allow portions of an instance's uuid to be configurable: review 130451.
- Allow the resize of ephemeral disks during resize: review 145736.
- Attempt to schedule cinder volumes "close" to instances: review 130851; review 131050 (abandoned); review 131051 (abandoned); review 131151 (abandoned).
- Dynamic server groups: review 130005 (abandoned).
- Improve the performance of unshelve for those using shared storage for instance disks: review 135387 (requested a spec exception).
- A lock-free quota implementation: review 135296 (approved).
- Automate the documentation of the virtual machine state transition graph: review 94835.
- Fake Libvirt driver for simulating HW testing: review 139927 (abandoned).
- Flatten Aggregate Metadata in the DB: review 134573 (abandoned).
- Flatten Instance Metadata in the DB: review 134945 (abandoned).
- Implement a new code coverage API extension: review 130855.
- Move flavor data out of the system_metadata table in the SQL database: review 126620 (approved).
- Move to polling for cinder operations: review 135367.
- PCI test cases for third party CI: review 141270.
- Transition Nova to using the Glance v2 API: review 84887 (abandoned).
- Transition to using glanceclient instead of our own home grown wrapper: review 133485 (approved).
- Enable lazy translations of strings: review 126717 (fast tracked, approved).
- Add a new linuxbridge VIF type, macvtap: review 117465 (abandoned).
- Add a plugin mechanism for VIF drivers: review 136827 (abandoned).
- Add support for InfiniBand SR-IOV VIF Driver: review 131729 (requested a spec exception).
- Neutron DNS Using Nova Hostname: review 90150 (abandoned).
- New VIF type to allow routing VM data instead of bridging it: review 130732 (approved, requested a spec exception).
- Nova Plugin for OpenContrail: review 126446 (approved).
- Refactor of the Neutron network adapter to be more maintainable: review 131413.
- Use the Nova hostname in Neutron DNS: review 137669.
- Wrap the Python NeutronClient: review 141108.
- Dynamically alter the interval nova polls components at based on load and expected time for an operation to complete: review 122705.
- A nested quota driver API: review 129420.
- Add a filter to take into account hypervisor type and version when scheduling: review 137714.
- Add an IOPS weigher: review 127123 (approved, implemented); review 132614.
- Add instance count on the hypervisor as a weight: review 127871 (abandoned).
- Add soft affinity support for server group: review 140017 (approved).
- Allow extra spec to match all values in a list by adding the ALL-IN operator: review 138698 (fast tracked, approved).
- Allow limiting the flavors that can be scheduled on certain host aggregates: review 122530 (abandoned).
- Allow the remove of servers from server groups: review 136487.
- Cache aggregate metadata: review 141846.
- Convert get_available_resources to use an object instead of dict: review 133728 (abandoned).
- Convert the resource tracker to objects: review 128964 (fast tracked, approved).
- Create an object model to represent a request to boot an instance: review 127610 (approved).
- Decouple services and compute nodes in the SQL database: review 126895 (approved).
- Distribute PCI Requests Across Multiple Devices: review 142094.
- Enable adding new scheduler hints to already booted instances: review 134746.
- Fix the race conditions when migration with server-group: review 135527 (abandoned).
- Implement resource objects in the resource tracker: review 127609 (approved, requested a spec exception).
- Improve the ComputeCapabilities filter: review 133534 (requested a spec exception).
- Isolate Scheduler DB for Filters: review 138444 (requested a spec exception).
- Isolate the scheduler's use of the Nova SQL database: review 89893 (approved).
- Let schedulers reuse filter and weigher objects: review 134506 (abandoned).
- Move select_destinations() to using a request object: review 127612 (approved).
- Persist scheduler hints: review 88983.
- Refactor allocate_for_instance: review 141129.
- Stop direct lookup for host aggregates in the Nova database: review 132065 (abandoned).
- Stop direct lookup for instance groups in the Nova database: review 131553 (abandoned).
- Support scheduling based on more image properties: review 138937.
- Trusted computing support: review 133106.
- Dynamic Management of Server Groups: review 139272.
- Make key manager interface interoperable with Barbican: review 140144 (fast tracked, approved).
- Provide a reference implementation for console proxies that uses TLS: review 126958 (fast tracked, approved).
- Strongly validate the tenant and user for quota consuming requests with keystone: review 92507 (approved).
- Pacemaker service group driver: review 139991.
- Transition service groups to using the new oslo Tooz library: review 138607.
When Everything Falls Apart: Stories of Version Control System Scaling – Ben Kero
- Sysadmin at Mozilla looking after VCS
- Primarily covering mercurial
- Primarily mercurial
- 3445 repos (1223 unique)
- 32 million commits
- 2TB+ transfer per day
- 1000+ clones per day
- Biggest customer = ourselves
- tested platforms > 12
- Also use git (a lot) and a bit of: subversion, CVS, Bazaar, RCS
- 2 * ssh servers, 10 machines mirror http traffic behind load balancer
- 1st story – know what you are hosting
- Big git repo 1.7G somebody asked to move off github
- Turned out to be mozilla git mirror, so important to move
- plenty of spare resources
- But high load straight away
- turned out to be mercurial->git converter, huge load
- Ran garbage collection – took several hours
- tweaked some other settings
- 2nd story
- 2003 . “Try” CI system
- Simple CI system (before the term existed or they were common)
- flicks off to build server, sends status back to dev
- mercurial had history being immutable up until v2.1 and mozilla was stuck on old version
- ended up with 29,000 branches in repo
- Around 10,000 heads some operations just start to fail
- Wait times for pushes over 45 minutes. Manual fixes for this
- process was “hg serve” just freezing up, not any debug info
- had to attached debugging. trying to update the cache.
- cache got nuked by cached push, long process to rebuild it.
- mercurial bug 4255 in process of being looked at, no fix yet
- The new system
- More web-scalable to replace old the system
- Closer to the pull-request model
- leverage mercurial bundles
- stores bundles in scalable object store
- hopefully minimal retooling from other groups (lots of weird systems supported)
- Planet release engineering @ mozilla
SL[AUO]B: Kernel memory allocator design and philosophy – Christopher Lameter
- NOTE: I don’t do kernel stuff so much of this is over my head.
- Role of the allocator
- page allocator only works in full page size (4k) and is fairly slow
- slab allocator for smaller allocation
- SLAB is one of the “slab allocators”
- kmem_cache, NUMA aware, etc
- SLOB: K&R 1991-1999 . compact
- SLAB: Solaris 1999-2008 . cache friendly, benchmark friendly
- SLUB: 2008-today , simple and instruction costs count, better debugging, defrag, execution time friendly
- 2013 – work to split out common code for allocators
- manages the list of free objects within the space of the free objects themselves
- have to traverse list to find object of sufficient size
- rapid fragmentation of memory
- queues per cpu and per node to track cache hotness
- queues for each remote node
- complete data structures
- cold object expiration every 2 seconds on each CPU
- large systems with LOTS of CPUs have huge amount of memory trapped, spending lots of time cleaning cache
- A lot less queuing
- Pages associated with per-cpu. increased locality
- page based policies and interleave
- de-fragmentation on multiple levels
- current default in the kernel
- slabinfo tool for SLUB. tune, modify, query, control objects and settings
- can be asked to go into debug mode even when debugging not enabled with rest of the kernel
- SLUB faster (SLAB good for benchmarks)
- SLOB slow
- SLOB less memory overhead for small/simple systems (only, doesn’t handle lots of reallocations that fragment)
- More common framework
- Various other speedups and features
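The notes above contrast SLOB's single first-fit free list (which must be traversed and fragments quickly) with SLUB's per-page freelist that is threaded through the free objects themselves, plus SLUB's ability to run sanity checks in debug mode. The following is an added example, not code from the talk or the kernel: a simulated SLUB-style page (SlabPage) whose free objects hold the "next free" link in their first 8 bytes, and a SLOB-style arena (SlobArena) that shows why a variable-size free list fragments. The object layout, the END sentinel and the names are constructed for illustration; the real kernel stores the freelist pointer at a configurable offset and does far more. The security-relevant part is alloc(): because the link lives inside the object, an overflow from the neighbouring object rewrites it, and only a check like SLUB's debug-mode pointer validation turns that into a detected error rather than a wild allocation.

```python
import struct

PAGE_SIZE = 4096
PTR_SIZE = 8
END = (1 << 64) - 1          # sentinel that terminates the freelist (constructed)


class FreelistCorruption(RuntimeError):
    pass


class SlabPage:
    """SLUB-style page of fixed-size objects. A free object stores the offset of
    the next free object in its first 8 bytes (simplified layout, not the
    kernel's), so the free list costs no extra memory and alloc/free are O(1)."""

    def __init__(self, obj_size, page_size=PAGE_SIZE):
        if obj_size < PTR_SIZE or obj_size > page_size:
            raise ValueError("object must hold a pointer and fit in the page")
        self.obj_size, self.mem = obj_size, bytearray(page_size)
        self.nobjs, self.inuse = page_size // obj_size, 0
        for i in range(self.nobjs):            # thread the list: obj i -> obj i+1
            nxt = (i + 1) * obj_size if i + 1 < self.nobjs else END
            self._set_next(i * obj_size, nxt)
        self.head = 0

    def _next(self, off):
        return struct.unpack_from("<Q", self.mem, off)[0]

    def _set_next(self, off, nxt):
        struct.pack_into("<Q", self.mem, off, nxt)

    def _check(self, off):
        """Debug-mode style sanity check: a link must be END or an object boundary."""
        if off != END and (off >= self.nobjs * self.obj_size or off % self.obj_size):
            raise FreelistCorruption("bad freelist pointer 0x%x" % off)

    def alloc(self):
        if self.head == END:
            raise MemoryError("slab page full")
        off, nxt = self.head, self._next(self.head)
        self._check(nxt)     # without this an overflowed link becomes the next 'object'
        self.head, self.inuse = nxt, self.inuse + 1
        return off

    def free(self, off):
        self._check(off)
        self._set_next(off, self.head)   # LIFO: the cache-hot object just freed is reused first
        self.head, self.inuse = off, self.inuse - 1

    def write(self, off, data):
        """Unchecked copy into an object, like memcpy() in kernel code."""
        self.mem[off:off + len(data)] = data


class SlobArena:
    """SLOB-style: one list of variable-size holes searched first-fit."""

    def __init__(self, size):
        self.holes = [(0, size)]            # (offset, length), sorted by offset

    def alloc(self, size):
        for i, (off, ln) in enumerate(self.holes):   # must walk until a hole is big enough
            if ln >= size:
                self.holes[i:i + 1] = [] if ln == size else [(off + size, ln - size)]
                return off
        raise MemoryError("no hole of %d bytes" % size)

    def free(self, off, size):
        merged = []
        for o, ln in sorted(self.holes + [(off, size)]):
            if merged and merged[-1][0] + merged[-1][1] == o:   # coalesce neighbours
                merged[-1] = (merged[-1][0], merged[-1][1] + ln)
            else:
                merged.append((o, ln))
        self.holes = merged

    def fragments(self):
        return len(self.holes)

    def free_bytes(self):
        return sum(ln for _, ln in self.holes)


def demo():
    slab = SlabPage(64)
    a, b = slab.alloc(), slab.alloc()      # offsets 0 and 64
    slab.free(a)
    lifo = slab.alloc()                    # 0 again: LIFO reuse
    slab.free(b)                           # head is now b, its link points at 128
    slab.write(a, b"A" * 72)               # 8-byte overflow clobbers b's freelist link
    try:
        slab.alloc()
        caught = False
    except FreelistCorruption:
        caught = True
    arena = SlobArena(512)
    blocks = [arena.alloc(s) for s in (64, 128, 64, 128)]
    arena.free(blocks[0], 64)
    arena.free(blocks[2], 64)
    try:
        arena.alloc(192)                   # 256 bytes free in total, but no single hole
        big_ok = True
    except MemoryError:
        big_ok = False
    return {"lifo": lifo, "caught": caught, "fragments": arena.fragments(),
            "free_bytes": arena.free_bytes(), "big_alloc_ok": big_ok}
```

Running demo() shows both points from the notes: the SLOB arena ends up with three holes totalling 256 bytes yet cannot satisfy a 192-byte request, while the slab page reuses the just-freed object first and, in its checked alloc(), refuses to follow the freelist link that the 8-byte overflow overwrote. Dropping the _check() call is what a non-debug allocator effectively does, and the next alloc() would then hand out whatever offset the overflow wrote.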
The #lca2015 team want to thank Linus, Bdale, Rusty and Andrew for the Q&A session which opened the conference this morning.
When you next run toolbox, you should see it pull down the requested image.

    $ toolbox
    Pulling repository debian
    835c4d274060: Download complete
    511136ea3c5a: Download complete
    16386e29a1f4: Download complete
    Status: Downloaded newer image for debian:jessie
    core-debian-jessie
    Spawning container core-debian-jessie on /var/lib/toolbox/core-debian-jessie.
    Press ^] three times within 1s to kill container.
    root@myserver:~#
It's that simple.
How to get one of those Open Source jobs – Mark Atwood
- Warns talk might still have some US-centric stuff still in it
- “Open Source Job” – most important word is “Job”
- The Open Source bit means you are a bit more transferable than a closed-source programmer
- Don’t have to move to major tech city
- Communication skills
- Have to learn to Write clearly in English
- Have to learn how to speak, including in meetings and giving some talks
- Reachable – Have a public email address
- Don’t be a jerk, reputation very important
- Technical skills
- Learn how to program
- Learn other languages eg Scala, Erlang, Clojure, C, C++
- How to use debugger and IDE
- Learn to use git well
- Learn how to code test (especially to work with CI testers like jenkins)
- Idea: Do lots of simple practise problems in programming using specific technique or language
- Relationships & Peers
- Work with people remote and nearby
- Don’t be a jerk
- Have to “do the work” then “get the job”
- Start by fixing bugs on a project
- Your skills will improve and others will see you have those skills
- Many projects use IRC
- Most projects have bug tracker
- Learn how to use the non-basic stuff in git
- Peer programming
- Portfolio vs resume
- github account is your portfolio
- Need to be on social media, at least a little bit; must be reachable
- Getting the Job
- If you have a good enough a rep the jobs will seek you out
- Keywords on github and linkedin will attract recruiters
- People will suggest that you apply
- Conferences like linux.conf.au
- Remember to counter-offer the offer letter
- Once you are working for them, work out what is job related and the company might have a claim on. Make sure you list in your agreement any projects you are already working on
- Don’t work longer than 40h a week regularly
- 60h weeks can only be sustained for a couple of weeks
- Just eat junk-food
- Don’t work for jerks
- Startups – bad for your health. Do not kill yourself for a nickel; have real equity
- Keep Learning
- 3 books to read
- Oh the Places You’ll Go – Dr Seuss
- Getting things Done – David Allen
- How to fail at almost everything and still win big – Scott Adams
Pettycoin: Towards 1.0 – Rusty Russell
- Problem: bitcoin mining is expensive, which places a lower limit on transaction fees
- Took 6 months off to mostly work on pettycoin
- Petty coin
- gateway to bitcoin
- small amounts
- partial knowledge, don’t need to know everything
- fast block times
- Altcoins – bitcoin like things that are not bitcoin
- 2 million posts to altcoin announce forum
- lots of noise to talk to people
- Paper released saying how it should have been done
- hash functions
- bitcoin blocks
- Bitcoin transactions
- alternative chains that use real bitcoins
- Lots of wasted work? – bitcoin miners can mine other chains at the same time
- too fast to keep notes
- Compact SPV proofs (reduce the length of block headers needed to go all the way back)
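The notes list hash functions, bitcoin blocks and transactions, and finish on SPV proofs. The core of an SPV (simplified payment verification) check is a Merkle inclusion proof: a light client that holds only block headers verifies that a transaction is in a block with O(log n) hashes instead of the whole block. The following is an added example, not code from the talk or from pettycoin, built on Bitcoin's Merkle tree rules (double SHA-256, duplicate the last hash on odd levels); the sample txids are constructed, and the function names are my own. It covers only the inclusion half of SPV; the "compact proof" part of the talk, chaining headers back with less data, is separate.

```python
import hashlib
from typing import List, Tuple


def dsha256(data: bytes) -> bytes:
    """Bitcoin's hash: SHA-256 applied twice (used for txids, headers and Merkle nodes)."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def _pair_up(level: List[bytes]) -> List[bytes]:
    """One Merkle level up; Bitcoin duplicates the last hash when a level is odd."""
    if len(level) % 2 == 1:
        level = level + [level[-1]]
    return [dsha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]


def merkle_root(txids: List[bytes]) -> bytes:
    if not txids:
        raise ValueError("a block has at least one (coinbase) transaction")
    level = list(txids)
    while len(level) > 1:
        level = _pair_up(level)
    return level[0]


def merkle_proof(txids: List[bytes], index: int) -> List[Tuple[bytes, bool]]:
    """Siblings needed to recompute the root from txids[index], bottom up.
    Each entry is (sibling_hash, sibling_is_on_the_left)."""
    if not 0 <= index < len(txids):
        raise IndexError("no such transaction in this block")
    proof = []
    level = list(txids)
    while len(level) > 1:
        if len(level) % 2 == 1:
            level = level + [level[-1]]
        sibling = index ^ 1
        proof.append((level[sibling], sibling < index))
        level = _pair_up(level)   # level is even here, so no further duplication
        index //= 2
    return proof


def verify_proof(txid: bytes, proof: List[Tuple[bytes, bool]], root: bytes) -> bool:
    """The light client's check: fold the siblings up and compare with the header's root."""
    h = txid
    for sibling, on_left in proof:
        h = dsha256(sibling + h) if on_left else dsha256(h + sibling)
    return h == root


def demo() -> dict:
    # constructed sample block: five fake txids (real ones hash serialized transactions)
    txids = [dsha256(b"constructed-tx-%d" % i) for i in range(5)]
    root = merkle_root(txids)                      # this is what sits in the block header
    proofs = [merkle_proof(txids, i) for i in range(len(txids))]
    all_valid = all(verify_proof(txids[i], proofs[i], root) for i in range(len(txids)))
    forged = dsha256(b"not-in-the-block")
    forged_rejected = not verify_proof(forged, proofs[0], root)
    return {"proof_len": len(proofs[0]), "all_valid": all_valid,
            "forged_rejected": forged_rejected}
```

Two things a real SPV client needs that this demo skips: the root it compares against must come from a header the client has verified sits on the heaviest chain, and because the odd-level duplication rule can make two different transaction lists produce the same root, the client should also know the block's transaction count so the tree shape is unambiguous.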
My first linux.conf.au was 2003 and it was absolutely fantastic and I’ve been to every one since. Since I like this radical idea of equality and the LCA2015 organizers said there were 20% female speakers this year, I thought I’d look through the history.
So, since there isn’t M or F on the conference program, I have to guess. This probably means I get things wrong and have a bias. But, heck, I’ll have a go and this is my best guess (and mostly excludes miniconfs as I don’t have programmes for them)
- 2003: 34 speakers: 5.8% women.
- 2004: 46 speakers: 4.3% women.
- 2005: 44 speakers: 4.5% women
- 2006: 66 speakers: 0% women (somebody please correct me, there’s some non gender specific names without gender pronouns in bios)
- 2007: 173 speakers: 12.1% women (and an order of magnitude more than previously). Includes miniconfs
(didn’t have just a list of speakers, so this is numbers of talks and talks given by… plus some talks had multiple presenters)
- 2008: 72 speakers: 16.6% women
- 2009: 177 speakers (includes miniconfs): 12.4% women
- 2010: 207 speakers (includes miniconfs): 14.5% women
- 2011: 194 speakers (includes miniconfs): 14.4% women
- 2012: (for some reason site isn’t responding…)
- 2013: 188 speakers (includes most miniconfs), 14.4% women
- 2014: 162 speakers (some miniconfs included): 19.1% women
- 2015: As announced at the opening: 20% women.
Or, in graph form:
- the historical schedules up on linux.org.au.
- my brain guessing the gender of names. This is no doubt sometimes flawed.
Update/correction: lca2012 had around 20% women speakers at main conference (organizers gave numbers at opening) and 2006 had 3 at sysadmin miniconf and 1 in main conference.
- Everybody sang Happy Birthday to Bdale
- Bdale said he has a new house and FreedomBox 0.3 release this week
- Rusty also on the panel
- Why is Linus so mean
- Unified Storage/Memory machines – from HP
- Young people getting into community
- systemd ( I asked this)
- Year of the Linux Desktop
- Documentation & training material
- Predict the security problems in next 12 month
- Does NZ and Australia need a joint space agency
- Will you be remembered more for Linux or Git?
Way, way back in 2003, at LCA in Perth, there was a Q&A session with Linus Torvalds, Bdale Garbee and Andrew Tridgell. It’s time for a follow-up so at LCA 2015 in Auckland it’s going to happen!
The Q&A session is scheduled for 09:00 am Friday, 16 January 2015 and will be moderated by Bdale Garbee with the assistance of Andrew Tridgell.
Helsinki-born Linus, who simply calls himself a Software Engineer, was the principal force behind developing the Linux kernel. It all started from an initial usenet posting in August of 1991 and made what has proved to be a historic debut with the release of version 1.0 on March 14 1994.
In June 2003 Linus started working for Open Source Development Labs. After merging with the Free Standards Group it became the Linux Foundation where Linus continues to work as the project’s coordinator and is Chief Architect of the Linux kernel.
In 2005, after criticism for his use and alleged advocacy of BitKeeper, proprietary software for version control in the Linux kernel, Linus wrote a free-software replacement for BitKeeper called Git, which is now the most widely adopted version-control system for software development.
The LCA 2015 Auckland team would like to thank the Linux Foundation for their assistance in making this possible.
Below is info and pictures of some of the amazing swag in this year's bag! If you want to take home some extra SWAG then go see the lovely volunteers at reception and you will be able to purchase some extras. The prices are below. We have only limited stock, so be quick!
The SWAG will be on sale after all people have completed registration on Wednesday morning.
Mi Power Bank 10400mAh
This USB charger has rave reviews due to its form factor and the amount of power it packs into its small size. The Mi Power Bank contains LG lithium-ion batteries that can endure 500+ recharge cycles and has a rated capacity of 3.6V/10400mAh (TYP). See www.mi.com for more details.
LCA Price: $NZ 40.00
- The micro-USB port is used to recharge the power bank. It is best to use a 2.0A or higher charger for this.
- The standard USB port is used to charge your target device (for example, your phone).
- There are four white lights beside the power button used to indicate the power bank's charge. Each light represents 25% of the total charge available. For example, if all four lights are lit then the powerbank is 75-100% full.
- To see the current charge in the power bank press-and-release the power button.
- Plugging your target device into the standard USB port starts charging your target device automatically.
- To briefly suspend charging of your target device without unplugging it from the power bank, hold down the "power" button on the power bank. Releasing the button will resume charging the target device.
- When you disconnect your target device from the standard USB port the power bank will shut itself down automatically after 2 minutes.
LCA Bag (rucksack)
The LCA bag by Freeset Global is made under fair trade working conditions using sustainable or organic materials. Freeset Global are serious about bettering the lives of their producers and they also re-invest all profits back into the communities that create our products.
Price: $NZ 10.00
The Coffee Cup
The trendy coffee cups are made in New Zealand by CUPPACOFFEECUP. These recyclable coffee cups are made from food-grade polypropylene, which means they are hardy enough for you to reuse them many times, and when you do dispose of them they can be recycled into new consumer goods.
If you wish a different design for your coffee cup, take it back to the registration desk and we can exchange it.
Price: $NZ 10.00
Stickers
We should probably mention the stickers and toiletries - they're free - please take them - we have hundreds of them. :-)
A good day of solid technical stuff today, with no CoC problems (that I saw at least).
Paul McKenney and Matthew Garrett in one day means a lot of knowledge and enjoyment.
Astronomy BOF that night at the Auckland Stardome, where because we were early enough and there was enough room, we were let in to see two shows for the price of one.
Drupal8 outta the box – Donna Benjamin
- I went to the first half of this but wanted to catch the talk below so I missed the 2nd part
Connecting Containers: Building a PaaS with Docker and Kubernetes – Katie Miller
- co-presented with Steve Pousty
- Plugs their OpenShift book; they are re-architecting the whole thing based on what is in the book
- Platform as a service
- dev tooling, runtime, OS , App server, middleware.
- everything except the application itself
- Openshift is an example
- Reasons to rebuild
- New tech
- Lessons learned from old deploy
- Atomic + Docker + Kubernetes
- Red Hat’s answer to CoreOS
- RPM-OSTree – atomic update to the OS
- Minimal System
- Fast boot, container mngt, Good Kernel
- Nice way of specifying everything
- Pros – portable, easy to create, fast boot
- Cons – host centric, no reporting
- Wins – BYOP ( each container brings all it’s dependencies ) , Standard way to make containers , Big eco-system
- system managing containerized apps across multiple hosts
- declarative model
- open source by google
- pod + service + label + replication controller
- cluster = N*nodes + master(s) + etcd
- Wins: Runtime and operation management + management related containers as a unit, container communication, available, scalable, automated, across multiple hosts
- Rebuilding Openshift
- Kubernetes provides container runtime
- Openshift provides devops and team environment
- application = multiple pods linked together (front + back + db), managed as a unit, scaled independently
- build config = source + build -> image
- deployment = image and settings for it
- This is OpenShift v3 – things have been moving very fast so some docs are out of date
- Slides http://containers.codemiller.com
Tunnels and Bridges: A drive through OpenStack Networking – Mark McClain
- Challenges with the cloud
- High density multi-tenancy
- On demand provisioning
- Need to place / move workloads
- SDN , L2 fabric, network virtualisation Overlay tunneling
- The Basics
- The user sees the API, doesn’t matter too much what is behind
- Neutron = Virtual subnet + L2 virtual network + virtual port
- Nova = Server + interface on the server
- Design Goals
- Unified API
- Small Core. Networks + Subnets + Ports
- Pluggable open architecture
- Overlapping IPs
- Configuration DHCP/Metadata
- Floating IPs
- Security Groups ( Like AWS style groups ) . Ingress/egress rules, IPv6 . VMs with multiple VIFS
- Database + Neutron Server + Message Queue
- L2 Agent , L3 agent + DHCP Agent
- Plugin types = Proxy (proxy to backend) or direct control (logic inside the plugin)
- ML2 – Modular Layer 2 plugin
- Plugin extensions
- Add to REST API
- dhcp, l3, quota, security group, metering, allowed addresses
- L2 Agent
- Runs on a hypervisor
- Watch and notify when devices have been added/removed
- L3 agent – static routing only for now
- Load balancing as a service, based on haproxy
- VPN as a service , based on openswan, replicates AWS VPC.
- What is new in Juno?
- IPv6 router advertisements based on radvd
- Advised to go dual-stack
- Look ahead to Kilo
- Paying down technical debt
- IPv6 prefix delegation, metadata service
- IPAM – hook into external systems
- Facilitate dynamic routing
- Enabling NFV Applications
- See Cloud Administrators Guide
Crypto Won’t Save You Either – Peter Gutmann
- US Govt has capabilities against common encryption protocols
- Example Games consoles
- Signed executables
- encrypted storage
- Full media and memory encryption
- All of these have been hacked
- Example – Replaced signature checking code
- Example – Hacked “secure” kernel to attack the application code
- Example – Modify firmware to load over the checking code
- Example – Recover key from firmware image
- Example – Spoof on-air update
- LOTS of examples
- Nobody noticed a bunch of DKIM keys were bad, because all the attackers had bypassed the crypto rather than trying to beat it
- Number of times crypto broken: 0; bypassed: all the rest
- National Security Letters – The Legalised form of rubber-hose cryptanalysis
- Any well-designed crypto is NSA-proof
- The security holes are sitting right next to the crypto
8 writers in under 8 months: from zero to a docs team in no time flat – Lana Brindley
- Co Presenting with Alexandra Settle
- 8 months ago only 1 documentation person at Rackspace
- Hired a couple people
- Horrible documentation suite
- Hired some more
- 4 in Australia, 4 in the US
- Building a team fast without a terrible culture
- Management by MEME – everybody had a meme created for them when they started
- Not all work and No play. But we still get a lot of work done
- Use tech to overcome geography
- Treat people as humans not robots
- Always stay flexible. Couch time, Gym time
- Finding the right people
- Work your network; the job is probably not going to be advertised on LinkedIn (bad for diversity)
- Find great people, and work out how to hire them
- If you do want a job, network
- Toolchains and Systems
- Have a vision and work towards it
- acknowledge imperfection. If you can’t fix, ack and just move forward anyway
- You can’t maintain crazy growth forever. You have to level off.
- Pair US person with AU person for projects
- Writers should attend Docs summit and encouraged to attend at least one Openstack summit