Penguins in a Strange Land

I’ve been late to update to Fedora 12, and I’ve kept my installation at Fedora 11. Oh, but I couldn’t update my kernel either. It seems the following module is to blame:

$ modinfo ssb
filename: /lib/modules/2.6.29.4-167.fc11.i586/kernel/drivers/ssb/ssb.ko
license: GPL
description: Sonics Silicon Backplane driver
srcversion: A3AE34BE4010797EEEB08AF
....


What is ssb.ko? Well, according to Kconfig in the corresponding source directory, it’s probably related to some Broadcom device.

Now that I know the culprit, I can continue the installation. Oh, I installed Fedora 12 by dd(1)ing the ext4 filesystem in LiveOS/ext3fs.img (that itself is in LiveOS/squashfs.img in the LiveCD image) under my old installation of Fedora 11. That allowed me to download and compile the wireless driver (in package kmod-wl) without requiring a cabled network.

So, how to disable the module? In the installed system, just add a line in /etc/modprobe.d/blacklist.conf. As for when booting, LiveCD or system? Well, by grep(1)ing the contents of the initrd, it’s by using the following parameter: rdblacklist=ssb.

And how did I found out this module was the culprit? Booting with the arguments: udevtrace udevlog init=/bin/bash

I was booted directly to bash, then did: strace -f -e open /sbin/start_udev

udevd will start, serializing the events, and being a little slower, allowing me to see the point of failure.

Now, to migrate the configuration…

So, you have a Linux system and want to show its hawtness to random stranges, but without having them mess with the system permanently? And use that account for those airport checks automatically? Well, it’s easy.

1. Disable remote login for the guest account:

   echo DenyUsers guest >> /etc/ssh/sshd_config
   service sshd condrestart
   

2. Create the guest account:

   adduser guest

3. Make the guest account home directory a filesystem in RAM:

   echo "guest /home/guest tmpfs size=20%,
     mode=0700,uid=$(id -u guest),gid=$(id -g guest) 0 0" >> /etc/fstab
   

4. And finally configure the system to automatically login as guest:

   echo '
   [daemon]
   TimedLoginEnable=true
   TimedLogin=guest
   TimedLoginDelay=15
   ' >> /etc/gdm/custom.conf
   

That’s it. On your next reboot, and if you do nothing, you’ll be logged in as guest. If you don’t like that the terminal for the guest user doesn’t include a pretty prompt, you may change the fstab entry, mounting the tmpfs somewhere else, like /home/.guest, and then have a funionfs mount for ~ with /etc/skel on top.

On boot, just make sure to cancel the automatic login, if you want to log in as another user.

There are several reasons for having an encrypted home partition. But usually, everyone should have it, if only for the reason that disks do go bad, and you don’t want to replace it and leave private data behind.

With that in mind, there are several options, depending in your operating system and security requirements. In this howto I’ll be concentrating on pam_mount, using a LUKS encrypted partition. Probably limited to Linux, then. PAM works in many Unix systems, but LUKS may be restricted.

But before beginning, you have to choose between security and speed. By that, I mean choose an encryption and chaining algorithms. For the most security, I recommend aes-xts-plain, with essiv:sha256 for IV calculation. For speed, though, on my netbook, I use blowfish-ecb-plain. Blowfish is slightly faster than AES, and not much less secure, but the ECB chaining mode is the fastest and very much insecure method. So choose wisely. Personally, my data isn’t that important, and if cryptanalysts are interested in it, there are better methods on getting the data: http://xkcd.com/538/

Now that you have chosen the algorithm, it’s time to encrypt your swap partition. That’s right, never forget the swap partition, where sensitive data may be swapped out to:

echo 'swap /dev/sdaX /dev/urandom swap,cipher=blowfish-ecb-plain'
  >> /etc/crypttab
echo '/dev/mapper/swap    swap    swap    defaults    0 0' >> /etc/fstab

Then reboot. Make sure you correct the swap device and replace the current entry in /etc/fstab.

Make a backup of your current home folder, or start from a clean state. Choose the partition you want your home to reside on, and format it as a LUKS device. First, however, you should zero the first megabyte or two, so that the detection code doesn’t mistake it as other filesystem:

dd if=/dev/zero of=/dev/sdaY bs=16M count=1

Take care to erase the correct device! And if it contained sensitive data, then remove the count=1 and let it zero the full partition. Next, format it as LUKS. I’ll be using the less secure algorithm. When asked for a passphrase, enter your user’s.

cryptsetup luksFormat /dev/sdaY --cipher blowfish-ecb-plain --key-size 128

OK, you now have a device formated for encryption. Next step, activate it, and format a real filesystem on top:

cryptsetup luksOpen /dev/sdaY enc

This will create the device: /dev/mapper/enc

For filesystem, choose what you will. I use ext4:

mkfs.ext4 /dev/mapper/enc

Then mount it, and restore your original data. Or start from scratch:

mount /dev/mapper/enc /mnt
cp -a /etc/skell/.[[:alnum:]]* /mnt/
chown user: /mnt -R
umount /mnt

Your home is ready! Unmount it, the job of mounting and unmounting will be done by pam_mount:

umount /mnt
cryptsetup luksClose enc

The preliminaries are done. You have your home in an encrypted device. Now, to configure pajm_mount for automatically mount and unmount it.

Make sure you have pam_mount installed in your system. The package is called like the name in Fedora, and libpam-mount in Debian/Ubuntu. The configuration file is /etc/security/pam_mount.conf.xml, read it, and disable any limitation you’re interested in. Add a line for your user:

<volume user="luciano" path="/dev/sdaY" mountpoint="~" options="" />

Note the empty options key, otherwise some default options may get in your way. Try either way. If you didn’t zero the device, and it gets detected as something else than a LUKS device, then add fstype="crypt_LUKS" to the line. You can see what it is detected as with:

# blkid /dev/sdaY
/dev/sdaY: UUID=".." SEC_TYPE="ext2" TYPE="ext3"

If it doesn’t say LUKS, then you must add the fstype definition.

pam_mount is now set up. Next, configure PAM to use it. There are some particularities for pam_mount, especially because GDM may try to start daemons as your user before you get your home mounted. Created a configuration file that will be include by other PAM-aware services, defining pam_mount

echo '
auth	optional	pam_mount.so
session	optional	pam_mount.so
' >> /etc/pam.d/system-mount

Now, depending on your current PAM configuration, you may get away with doing the following steps only to the /etc/pam.d/system-auth or other generic file, included by services’ definitions. But that is not the case for Fedora 11, and do make sure all services include the generic file first.
In my case, I changed the files:

• /etc/pam.d/sshd
• /etc/pam.d/login
• /etc/pam.d/gdm-password

Now, add the following line as the first auth definition, or as the definition immediately after an selinux permit or close action:

auth        include       system-mount

Also, for session, respecting the selinux thingy:

session     include       system-mount

Now try logging in as the user in a console, or via ssh. You should see the prompt for password as: pam_mount password:
If it works, then try a graphical login. Console is easier, a graphical login may get dbus or keyring programs running before the pam_mount is run, but you’ll prevent that by having the system-mount lines as the first ones.

You can execute commands on VirtualIron nodes, using the supplied support_tools/testagent program, like this:

./support_tools/testagent 192.168.0.1 --exec="ls"

But this is cumbersome. Run the following commands to activate the ssh daemon:

ip=192.168.0.1
ag=./support_tools/testagent
$ag $ip --exec='ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -C "" -N ""'
$ag $ip --exec='
   echo sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
   >> /etc/passwd'
$ag $ip --exec='/usr/sbin/sshd'
$ag $ip --exec='echo r00t:FBx3ZpLywKVEk:0:0::/root:/bin/bash >> /etc/passwd'

The last command creates a user with login r00t and password foobar.

This is useful for when a node’s agent locks and you can’t use it in the Virtualization Manager Console. Usually, some SCSI scan process gets stuck in the D state. Search for the storage_discover.py process, kill it, and the node will be available once again.

But remember: with great power, comes great responsibility!

RAID-6 makes RAID more complex. The other ones are quite simple. Either duplication of blocks (RAID-1), reordering of blocks (RAID-0), or parity using the ⊻ (XOR) properties of A ⊻ B ⊻ B = A.

But what about RAID-6 parity and the way it is stored? You can’t just store the parity in two places:
1. layout: A B C D P_a P_b;
2. lost C and D;
3. If P_a = P_b, then there’s no way to reconstruct C, D or both.

Yesterday I found a paper from NetApp describing their implementation. You can find the PDF in their site here.

The gist is that the other parity block is constructed diagonally and it skips a disk in each interaction. Like this:
A₁ B₁ C₁ P_{a1 A1 ⊻ B1 ⊻ C1} P_{b1 A1 ⊻ B2 ⊻ C3}
A₂ B₂ C₂ P_{a2 A2 ⊻ B2 ⊻ C2} P_{b2 B1 ⊻ C2 ⊻ Pa3}
A₃ B₃ C₃ P_{a3 A3 ⊻ B3 ⊻ C3} P_{b3 C1 ⊻ Pa2 ⊻ A3}

What does this means? The fact that in the new parity calculation a drive is missing, it means that there’s always a row were you can restore the missing block from one of the drives. With that new block, you can then use the standard parity to get the block for the other drive. With a new diagonal now missing only one block, you can then proceed to the next row, following the same route.

Imagine drive A and B fails and you replace them with two new drives, X and Y respectively:

X₁ Y₁ C₁ P_{a1 A1 ⊻ B1 ⊻ C1} P_{b1 A1 ⊻ B2 ⊻ C3}
X₂ Y₂ C₂ P_{a2 A2 ⊻ B2 ⊻ C2} P_{b2 B1 ⊻ C2 ⊻ Pa3}
X₃ Y₃ C₃ P_{a3 A3 ⊻ B3 ⊻ C3} P_{b3 C1 ⊻ Pa2 ⊻ A3}

The restoration steps:

1. Y₁ = C₂ ⊻ P_a3 ⊻ P_b2
2. X₁ = Y₁ ⊻ C₁ ⊻ P_a1
3. Y₂ = X₁ ⊻ C₃ ⊻ P_b1
4. X₂ = Y₂ ⊻ C₂ ⊻ P_a2
5. X₃ = C₁ ⊻ P_a2 ⊻ P_b3
6. Y₃ = X₃ ⊻ C₃ ⊻ P_a3

Et voilà. Drives X and Y are restored with contents of A and B.
How about Linux’s RAID6 implementation? I still have to analyze it.

With the output of a ‘find’ command, or other, sorted list of entries:
(o=; while read f; do [ -n "$o" ] && [ "${f#$o/}" == "$f" ] && echo "$o"; o="$f"; done; echo "$o") < list

Meaning: show a line only if next line doesn’t include this one (if last line is a directory, it still shows).

Compare the output of the following two lines. They must match:
$ openssl x509 -noout -modulus -in server.pem | openssl md5
$ openssl rsa -noout -modulus -in server.key | openssl md5

$ sort a <(sed -e p b) | uniq -u
Meaning: list unique lines in (contents of file ‘a’ plus duplicated contents of file ‘b’). ’sort’ is required for ‘uniq’ to work.

Here’s the relative pricing graph:

Of course, the location also varies greatly. But notice how, for Hotel Vis, it varies so much in just four days.

So what places am I going to see in Croatia?

All the places that I can, in the following cities, as time permits:

1. Zagreb, from 17th of August to the 20th
2. Dubrovnik, from the 20th to the 24th
3. Split, from the 24th to the 25th
4. Zadar, from the 25th to the 26th
5. Pula, from the 26th to the 29th
   • Including a trip to Venice!

And then back to Zagreb, for my plane back to Portugal.

Oooh, this is exciting! What perils await me? What sites, peoples, adventures?