Dobrica Pavlinušić's Weblog / Blog

rpcbind is new portmap or how to make nfs secure

2012-05-08T19:32:42Z

I was installing NFS server on otherwise public host recently, and noticed that conventional wisdom about securing NFS server is somewhat dated. My goal was to expose NFS on two internal interfaces without exposing it to whole wide Internet (assumptions about network security changed a lot since NFS was designed, sadly).

For a start, you are probably running rpcbind instead of portmap on recent Debian installations. So you will need to modify flags which are passed to portmap on startup:

root@rsync1:~# cat /etc/default/rpcbind 
OPTIONS="-w -l -h 172.16.10.2 -h 192.168.0.219"

You will also need to add following line:

root@rsync1:~# grep rpcbind /etc/hosts.deny 
rpcbind: ALL

Now you will notice that rpcinfo -p still works OK on localhost. That's because rpcbind will always add loopback address, so we have to test it from another machine:

root@rsync1-dev:~# rpcinfo -p 192.168.0.219
rpcinfo: can't contact portmapper: RPC: Authentication error; why = Client credential too weak

That's more like it! If we take a look in log...

root@rsync1:~# tail -1 /var/log/auth.log
May  8 20:31:51 rsync1 rpcbind: connect from 192.168.0.21 to dump(): request from unauthorized host

...we don't even have to guess local system IP adress. We'll allow this host to connect with...

root@rsync1:~# grep rpcbind /etc/hosts.allow 
rpcbind: 192.168.0.21

We can also check our tcp wrappers configuration with:

root@rsync1:~# tcpdmatch rpcbind 192.168.0.21
client:   address  192.168.0.21
server:   process  rpcbind
access:   granted

munin migration and upgrade to v2

2012-05-02T18:15:50Z

I always loved graphs. For my monitoring needs I'm using munin so in last few days I was migrating one installation from machine behind DSL line to co-location (virtual) server. Using old munin server, I would occasionally get e-mail alerts about unavailable services, mostly because n2n (which we use to connect to nodes) forgot about node or dropped packets because of busy DSL line. In the process, I decided to jump ahead and install version 2.0-rc5 from Debian unstable. This blog post will try to describe my journey...

I started simply by installing new munin instance in new (virtual) machine. I decided that historic data is important, so I decided to move configuration and graphs over to new instance. Simply coping rrd files over didn't went all that well and resulted in dreaded This RRD was created on another architecture error. This was unfortunate but rrd files where so large, that transfer won't fit into 5 minute munin poll interval anyway, so I had to take different approach.

To keep all historical data and not loose any munin polls while I transfer them I decided to first configure new munin node to poll all clients (so new updates will be preserved) and while this is running copy over rrd files from old server. This involved editing all nodes (9 of them!) and Cluster SSH came as perfect solution to add additional allow ^192\.168\.0\.10$ lines in /etc/munin/munin-node.conf on all nodes.

Coping rrd files had to be done using rrdtool dump/restore and it had to be done over compressed ssh link due to slow DSL line. For that, small shell script came very handy:

#!/bin/sh -x

dir=/var/lib/munin/maxxo


via_ssh="ssh -o ControlPath=/tmp/ssh_sock -o ControlMaster=auto -o Compression=yes root@10.1.3.10"

if [ ! -e /tmp/ssh_sock ] ; then
        $via_ssh read
fi

ls $dir/*.rrd | while read file
do
        echo $file
        rrdtool dump $file | $via_ssh rrdtool restore - $file --force-overwrite
done

You need to start it twice. First invocation will ask for password and open master ssh socket which next invocation will use for transfers of rrd files using compressed ssh link, without connection overhead for each file. We are talking about 4560 rrd files with total of over 250Mb, after all... Even with all this, it took hour and a half to transfer all that over, so setting up update of existing files was really required.

You might think that it's all, but unfortunately, it's not. Looking in /var/log/munin/munin-update.log I could see [FATAL] Socket read timed out to node. Terminating process.. Some of nodes required more time than default value provided by munin (30 sec) to respond with all data. It seems that ipmi plugins are notoriously snow to respond for example. To change server-side timeout, you have to pass --timeout 90 to munin-update utility. Unfortunately, in Debian you can't do that by modifying munin-cron invocation in /etc/cron.d/munin because it passes all parameters to munin-limit which doesn't have timeout option and dies on you (moral of the story: check cron e-mail while configuring cron jobs). In the end, I edited /usr/bin/munin-cron directly, changing one line:

/usr/share/munin/munin-update --timeout 90 $@ || exit 1

This will probably break with next update, but this blog post will remind me to change it again :-)

There where also a few tweaks on munin-node plugins to make them work inside kvm. iostat_ios plugin from munin-plugins-extra didn't like virtio devices which have major number 254, same as LVM2 devices which it ignores. Following patch solved this problem:

diff --git a/cs-munin/etc/munin/plugins/iostat_ios b/cs-munin/etc/munin/plugins/iostat_ios
index 1380eb1..823df63 100755
--- a/cs-munin/etc/munin/plugins/iostat_ios
+++ b/cs-munin/etc/munin/plugins/iostat_ios
@@ -101,7 +101,7 @@ sub filter {
         return 0 if ($major ==   1); # RAM devices
         return 0 if ($major ==   9); # MD devices
         return 0 if ($major ==  58); # LVM devices
-        return 0 if ($major == 254); # LVM2 devices
+        return 1 if ($major == 254); # LVM2 devices and KVM virtio
     }
     if(defined($tmpnam)) {
         return 0 if ($tmpnam =~ /part\d+$/);

I also decided to use ksm which is enabled by following line in /etc/rc.local:

echo 1 > /sys/kernel/mm/ksm/run

And of course, now I had to graph it with simple shell ksm munin plugin. Dropping sharing line on this graph makes me think that it wasn't really needed, but we'll see in few more days.

To track other kvm parameters, I used munin-libvirt-plugins which comes with it's own helper script munin-libvirt-plugins-detect which you have to run to enable plugin and generate configuration.

For a web server, I opted to use apache2 and libapache2-mod-fastcgi together with graph_strategy cgi and html_strategy cgi in /etc/munin/munin.conf mostly to save some performance on polling machine. To make it work, I had to copy /etc/munin/apache.conf into /etc/apache2/conf.d/munin and uncomment relevant fast-cgi lines inside. After that, dynamically generated html is available at http://munin.example.com/munin-cgi/ and if you ever run munin-html before, you will still get old (obsolete) html pages if you visit page directly.

Next step would probably be to get rrdcached up and running...

Read two-column pdf files on Kindle

2012-03-01T22:48:49Z

I really like Kindle because it allows me to run my own selection of software on it. However, when I try to persuade other Kindle owners in all the benefits of running custom software, I usually get response like: but it already does everything I need. That might be true, but that's only because you never tried to read two column article on Kindle...

Fortunately, we have alternative pdf reader for Kindle based on muPDF library which is mostly written in lua. This is especially nice since it allowed me to add support for reading two-column pdf layouts which you can see in following video:

Basically, you press F to switch to new layout and then use fiveway buttons to move down the column, or right to move to top of next column, with page change if needed. If you move to left, you will be positioned to bottom of previous column which is useful if you want to read again last thing.

If you like this feature, liberate your kindle and download latest version of pdf reader, drop it in /mnt/us/customupdates and press Shift Shift I to install it from louchpad. Then press Shift P D to start it. Wiki pages of project describe all available shortcuts and there is active thread on mobileread forum.

Printing from Koha to Zebra printers on local Windows machine

2012-02-10T11:20:56Z

As you know by now, I'm somewhat biased towards pixel-exact printing on strange printers. This time around, I was tasked with requirement to make Koha print bar-code labels from web interface on Zebra S4M printers which are locally connected to Windows clients over USB.

At first sight, this seems like an easy task. Zebra printers are supported under CUPS on Linux and OSX, so there shouldn't be any problems, right? For a start I found out that CUPS driver doesn't work well, mostly because it's older that Windows version of driver, and doesn't seem to send all ZPL codes required to print label.
To make thing even worse, since printer is connected locally to Windows machine, it presents itself as Windows GDI printer which doesn't want to print ZPL (printer protocol) directly without wrapping ZPL in magic quotes and enabling it in Windows.

On the other side, Koha tries to print labels using normal print dialog in Windows. This won't work well, because we (again) need pixel exact label as opposed to web page randomly scaled to printer label. To make this worse, client Windows machines are behind firewall, so I can't send label to IP address of client because all I can see in request is IP address of our firewall.

To solve all this problem I decided to deploy following setup:

Label design is done in Inkscape. To rasterize it to bitmap I decided to use rsvg-convert which has nice option to create exact bitmap size from SVG file in which I replace placeholders with variable values (bar-code and call number)
Printers are installed in Windows using Generic/Text driver which is only one which will just pass data directly to printer
To share printer to Linux, I decided to install lpd server so I don't have to open local Windows accounts to access printer (and they are behind firewall, so It's safe)
To get local IP address of client (so I can send ZPL to internal IP address on which lpd is listening) I decided to redirect client to internal web server (behind firewall, same as clients) which knows client IP address, and knows where to send label.
From user's perspective, Koha redirects clients to internal CGI script, which in turn rasterize label from request parameters, sends it to printer and redirect browser back to Koha page (with additional parameter of IP address of client/printer). This page shows label which was just printerd by pointing directly to internal server's PNG rendering of label. It also inserts data about printed label (including printer IP) in database for audit log.

Since I couldn't use CUPS to produce ZPL for printer, I wrote Printer-Zebra which can convert pbm and pnm formats (easily created from png label using pgntopnm). Even better, it also includes script which can render ZPL printer output back to pbm bitmap which is the only good way to verify that your solution doesn't anti-alias bar-codes or does something similar to reduce print quality on back and white printers. Rasterizer was also very useful when tracking differences between Windows driver output (gathered by printing to File on Windows) and CUPS one.

Nook Color as Android tablet

2012-01-21T11:30:42Z

For a last month or so I used Barnes & Noble Nook Color as Android tablet. This post will try to explain what is wrong with Android tablets and now to fix this.

For a start, original Android distribution on Nook doesn't make it really Android tablet (no market). But there is easy solution since this device is supported by CynanogenMod 7 for Nook Color to get proper Android distribution. So, let's get started with hints for easier life with your new tablet...

adb doesn't see Nook Color

For a start, you won't see Nook in adb devices listing. This is easily fixed with proper device id in ~/.android/adb_usb.ini like this:

dpavlin@t61p:~/.android$ echo 0x2080 > ~/.android/adb_usb.ini && adb kill-server && adb devices
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
List of devices attached 
2011120012345678        device

Nook Color specific application

There are lot of application which will look quite broken on your Nook when running Android 2.3. Some of them require audio input, GPS or camera and they generally won't work. There is also problem with application which just don't know about wired 1024*600 screen size and produce strange small screen centered on big display.

However, this is just a list of few extremely useful apps which you should install on Nook with CM7:

Nook Color Tweaks - change speed of CPU, turn USB host more and more
Nook Screen Recalibrate - having problems with screen sensitivity?
Nook Key Editor allows you to map back and menu keys which are very useful on Android 2.3 to volume up/down which makes tablet much more useful.

Once you install all of this, you will be painfully aware that Android 2.3 just isn't OS which works well on tables. So, let's try to see what Google has in source for tablets...

Ice Cream Sandwich

To get most out of Android on tablet, you have to hop over to CM9/ICS Nightly Builds and install unstable builds on ICS on Nook Color. After initial install reboot into recovery, flash Google Applications from gapps-ics-4.0.3-sam-noinit.zip, turn off signature verification and install fix-bootanimation.zip and telephony-permission-fix.zip. Unfortunately browser application doesn't work for me well, and usually segfaults with:

F/libc    ( 2878): Fatal signal 11 (SIGSEGV) at 0x0000001f (code=1)
I/DEBUG   ( 1072): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG   ( 1072): Build fingerprint: 'bn/bn_encore/encore:2.3.4/IML74K/228551:user/release-keys'
I/DEBUG   ( 1072): pid: 2878, tid: 2895  >>> com.android.browser <<<

ICS on Nook currently doesn't have hardware acceleration (but older Androids also doesn't have it) and it freezes from time to time (so you will get quite used to holding power button for 8 seconds or more to turn it off), but ICS is really so much better experience on tablet that I would really recommend it.

Finally a note about hardware performance: Nook Color has 512Mb of RAM and Ti OMAP 3621 @ 800 MHz which makes it probably a bit slow for ICS. As o consequence I wouldn't really recommend any Android laptops which are slower than this for ICS.

Update 2012-02-07: There is also CyanogenMod Kang build with OpenGL enabled which works very well. In fact, so well that it fixes problem in Hacker's keyboard :-)

28C3: recommended watching

2011-12-31T13:13:49Z

Each year, we get a treat right before end of the year in form of 28C3. This year, I can recommend following lectures as a must-see:

r0ket++ video
Very nice ARM Cortex M3 embedded device with Nokia LCD, battery, RF interface and extension headers.
802.11 Packets in Packets video
Drop wifi packet on unsuspecting listeners without access to network segment!
Defending mobile phones video
Visit GSMmap.org to see if your GSM networks are protecting you or contribute data!
Reverse Engineering USB Devices video
Very similar to my approach to USB examinations.
How governments have tried to block Tor video
It's arms race all over again, this time on Internet.
Reverse-engineering a Qualcomm baseband video
~~I can't wait to see release of this tools on code.google.com~~ Available at http://code.google.com/p/qcombbdbg/
KinectFusion video
I would love to see something similar in open source code.
Cellular protocol stacks for Internet video
Very good overview of cellular stack as it is today
Implementation of MITM Attack on HDCP-Secured Links video
NeTv is very interesting ARM/FPGA/Linux device which overlays webkit content over HDMI signal on your TV using chroma key.
Introducing Osmo-GMR video
Osmocom got some support for satellite phones
bup: Git for backups video
Nice backup system with de-duplication implemented on top of git's pack file

batman-adv layer 2 mesh ad-hoc network at NSND Moravice 2011

2011-12-21T21:35:13Z

We had another gathering called Nothing will happen in Moravice, and this time we wanted to be prepared for it. So we got 2 WRT and 2 TP-Link devices with good faith that we will have stable Internet there. However, our telecom provider decided to screw up our order to increase bandwidth from 4Mbit/s to 10Mbit/s for event and instead decided to downgrade our access to 512Kbit/s. So we opted to create following simple network architecture which involved multiple hops to alternative 4Mbit/s upstream and batman-adv mesh setup.

batman-adv is quite cool layer-2 mash network which operates in ad-hoc mode and allows adaptive routing over mash and multiple upstream providers (at DHCP request or renew time, so we made our DHCP lease time down to 5 minutes). Joining network is quite simple:

iwconfig wlan0 mode ad-hoc essid nsnd-batman
ifconfig wlan0 mtu 1528
modprobe batman_adv
batctl if add wlan0

ifconfig wlan0 up
ifconfig bat0 up
dhclient bat0

This will bring any laptop with ad-hoc support (and not all of them have it), and relatively recent kernel (2.6.32 from Debian stable is a bit too old - batman-adv got included in 2.6.33 kernel) up and running on mash network.

My own experience with this experiment is very positive, mostly because we had around 5 clients in mash at any time, compared with overloaded WRTs which handled rest of 40 wifi enabled devices. But, I hope that during next event more people will upgrade to 2.6.33 or newer kernels, so we can have even better mash connectivity.

Liberate your Kindle 3 and get full-screen terminal!

2011-12-03T17:10:09Z

As you might know by now, I'm very happy user of Kindle 3 (keyboard) and Kindle DX graphite. One of reasons why I choose those devices was community around Kindle Developer's Corner at mobileread forum. With new generation of Amazon's Kindle device on the way, let me stress that for me older Kindle 3 devices are more interesting since we still don't have the way to run home-brew software on newer Kindle 4.

One of the good things about next generation of Kindles is that older models get sold second-hand at reasonable price, and let me re-iterate: for around 100€ older Kindle 3 with keyboard are great devices. But what would you do with one when you get your hands on? Start a k3libre project to develop and document free libre command-line tools for Kindle development. It's very much work in progress, with useful example scripts which describe framebuffer format, but also a handy step-by-step instruction on how to liberate your Kindle by installing jailbreak and usbnetwork to get root ssh access over usb cable. Next step is launchpad which listens on /dev/input/input? and allows you to bind execution of programs on key-presses. We are doing all this to install to nice full-screen Kindle terminal. You can do most of this work in under an hour, so there is no excuse not to read man pages on your Kindle!

So now that you can run your own software on Kindle, with which would you like to start? I would suggest kindlepdfviewer - a PDF viewer made for e-ink framebuffer devices, using muPDF. It's implemented in lua, so adding new features are rather easy, and latest development include serialization of state into SQLite database and drawing characters on screen! OK, it's in early stage of developments, but already useful on real Kindle, and if you don't like something you can always just edit lua code a bit :-)

n2n: connect your networks using P2P VPN

2011-10-08T11:47:42Z

Sometimes, you need to connect two networks in some way. My usual motivation is ability to access machines behind multiple NATs for easy system administration. So far, I used combination of OpenVPN and DynamicForward in ssh with clever use of ProxyCommand and nc with a sprinkle of proxy.pac for Firefox to make everything seemingly work. However, I never successfully managed to tunnel various JavaWebStart based remote consoles which want to connect directly from your machine to remote IP using sockets (for which you have to disable all proxy settings using jcontrol and selecting direct connection).

So this got me thinking. I could configure another OpenVPN for this, but it has many steps and I was lazy. Wouldn't it be great if there is some kind of P2P network like Skype or Hamachi for Linux? Something like this:

n2n: a Layer Two Peer-to-Peer VPN is exactly what I was looking for. It allows you to construct IP network over nodes behind NAT. But is it really easier to configure for specific example of accessing private network on another LAN behind NAT? Let's find out.

Steps are simple:

Install n2n (you will have to do this on supernode and two nodes)
```
all$ sudo apt-get install n2n
```
Start super node on public address with DNS name super.example.com
```
internet$ supernode -l 1234
```

Start first client

local# edge -c community -d community  -k secret \
  -l super.example.com:1234 -a 10.1.2.1

Start remote end-point somewhere within LAN
```
remote# edge -c community -d community  -k secret \
  -l super.example.com:1234 -a 10.1.2.2 -r
```
Note changed IP address and -r flag which will allow us to route over this node.
```
remote# sysctl -w net.ipv4.ip_forward=1
remote# iptables -t nat -A POSTROUTING -s 10.1.2.1 -o tun0 -j MASQUERADE
```
This will turn forwarding and NAT for our packets coming from community tap interface and going out through tun0 to LAN. We also need to setup route on local side for remote LAN network:
```
local# ip route add 172.18.0.0/16 via 10.1.2.2
```

And we are done. In just 6 commands we routed remote LAN 172.18.0.0/16 over our 10.1.2.0/24 n2n interface to our local machine. And you don't have to stop at that. By installing additional edge in some other local network, you can get instant connectivity to your internal administrative network. This is very useful if you want to access your private repositories on local machine or need to open arbitrary sockets between machines.

Collecting disk SMART informations from large disk pool

2011-09-30T12:38:42Z

Last few weeks, I was configuring huge ZFS pool of 50 disks over three machines. Aside from benchmarking, I wanted to setup monitoring of this disk pool. smartctl comes as natural candidate for getting smart data, but where should I keep it? I recently learned of git log -p output format which shows nicely changes in your source files, so natural question was can I use git to track smart disk statistics?

As it turns out, getting overview of disk layout is really easy under Linux if you know where to look. /proc/partitions first comes to mind, but it lacks one really important peace of information: disk serial number. It's only peace of information which won't change between reboots when you have to spin up 30+ disks, so you really want to use it as identification for disks, instead of device name for example (which I tried on first try and learned that disks move around).

Good naming of dump files is as important as always. In the end, I opted to use smart.id where id part is from /dev/disk/by-id/scsi-something. Paths in /dev/disk/by-id/ are essential useful when creating storage pools because they also don't change between reboots.

Now that we know where to look for disk identification and serial number, we are ready to start collecting smart data. However, this data is much more useful if coupled with info from controllers, so final version of smart-dump.sh script also supports dumping of controller status for LSI Logic / Symbios Logic and 3ware controllers. Have in mind that collecting smart info from disks does interrupt data transfers, so if you have huge pool you might want to spread those requests (or even issue them in parallel if you want one huge interruption as opposed to several smaller ones).

So was all this worth an effort? In fact, it was! In our sample of 50 3T disks, one disk reported errors after just 192 hours of lifetime. It would probably report it earlier, but this was second time that I run smartctl -t long on it. On the other side, it passed long check on first test which was 8 hours of LifeTime. Even if you read Failure Trends in a Large Disk Drive Population paper from Google, and concluded that smart is lying to you and you could ignore it, please monitor your drives!

ZFS on Linux and pool replication

2011-09-07T11:34:31Z

I have been using ZFS on Linux for some time to provide backup appliance using zfs-fuse. Since then, we got native ZFS implementation on Linux, so I decided to move by backup pool from zfs-fuse to in-kernel ZFS.

Additional reason to move pool over to new machine was to change pool's RAID level. In current ZFS implementation(s) you can't change mirror to RAIDZ1 without re-creating pool and then transfering data over using zfs send and zfs receive. However, when you are creating snapshots for years, and expiring them using script you will have hundreds of snapshots which you need to transfer.

This is where zfs-pool-replicate.pl script comes handy. It uses Net::OpenSSH to connect to two machines (source and destination), list all snapshots on source and transfer them to destination. If you have filesystem without snapshots it will create one @send snapshot which will be transferred. It will also optionally use compression for transfer of snapshot over the network. I am using LZO which is fast compression which nicely transfers 150Mb/s or more over normal 1Gbit/s network without much CPU overheard (and we all have multi-core machines anyway, right?). Current implementation allows you to re-run replication script to transfer only new snapshots creating handy disaster recovery solution.

Current implementation is designed to run from third (management) machine, so I can envision central storage administration tool which will also allow you to transfer LVM snapshots into ZFS snapshots. For now, I'm using shell script for that, but rewriting it in perl would improve error recovery and reporting.

MySQL innodb_file_per_table upgrade

2011-06-20T10:40:42Z

By default, MySQL installation on Debian comes without innodb_file_per_table option which spread tables in individual InnoDB files. Based on your usage patterns or backup strategies this might be better filesystem organization than one big /var/lib/mysql/ibdata1 file. I first heard about it in OurSQL Episode 36: It's Not Our (De)fault!. It's great podcast, but to be honest with each new episode I wish to have only PostgreSQL servers to maintain...

To enable this option you will need to create configuration file and restart MySQL server:

koha:/etc/mysql/conf.d# cat > file-per-table.cnf 
[mysqld]
innodb_file_per_table
CTRL+D
koha:/etc/mysql/conf.d# /etc/init.d/mysql restart

This won't change anything, because only new tables will be created in separate files. But, we can use ALTER TABLE table ENGINE=InnoDB on each table to force InnoDB to re-read tables and create separate files:

mysqlshow koha --status | grep InnoDB | cut -d'|' -f2 | sed -e 's/^/alter table/' -e 's/$/ engine=InnoDB;/' | mysql -v koha

If you replace grep InnoDB with grep MyISAM you might use same snippet to convert MyISAM tables into InnoDB (if you still have them or don't use fulltext search).

I think that system administration is like gardening. I don't know anything about gardening, but it seems to involve a lot of care here and there, seemingly without much pattern. In that sense, it's similar to wiki editing, you start somewhere and you really don't know where it lead you to.

SAML2 expirience: implementing SP with perl website

2011-06-12T12:29:47Z

You have to start reading by singing lady Ga-Ga with words: S, s, s, ss... SAML, SMAL2! It will help, really.

SAML 2 is latest in long line of different SSO implementation you will have to do sooner or later if you want to be part of larger web. Google and others seems to be using it, so it must be good, right?

It has two end-points: identity provider (IdP) which has user accounts and Service Provider (SP) which is usually your application. But of course, it's more complicated than that. For a start, you will need https on your host. I will assume that you already have domain, and you can get free SSL certificates at StartSSL so hop over there if you need one.

First, install SimpleSAMLphp. It's pimpliest possible way to get working SAML2 implementation of IdP and SP. You will want to follow first simpleSAMLphp Installation and Configuration and then SimpleSAMLphp Identity Provider QuickStart to configure simple IdP with static accounts so you can test your application against it. You will need both IdP and SP under your control to do development. It will also help if your remote IdP (identity provider which you intend to use) is also simpleSAMLphp (as AAI@EduHr is).

Installation is rather easy:

dpavlin@lib:/srv$ sudo apt-get install install memcached php5-memcache

dpavlin@lib:/srv$ wget http://simplesamlphp.googlecode.com/files/simplesamlphp-1.8.0.tar.gz

dpavlin@lib:/srv$ tar xf simplesamlphp-1.8.0.tar.gz
dpavlin@lib:/srv$ cd simplesamlphp-1.8.0/
dpavlin@lib:/srv/simplesamlphp-1.8.0$ cp config-templates/* config/
dpavlin@lib:/srv/simplesamlphp-1.8.0$ vi config/config.php

You will want to edit following options:

auth.adminpassword
secretsalt
enable.authmemcookie

dpavlin@lib:/srv/simplesamlphp-1.8.0$ php5 -l config/config.php 
No syntax errors detected in config/config.php

Interesting part here is authmemcookie option. This allows us to use SP side of simpleSAMLphp and store resulting authentication in memcache and send browser a cookie which we can later read and acquire data from memcache about current user.

To configure Apache side, you need Auth MemCookie but it isn't available in Debian package, so I opted for Apache::Auth::AuthMemCookie so I can flexibly modify IdP response before passing it on as environment variables.

dpavlin@lib:~$ cat /etc/apache2/conf.d/authmemcookie.conf 
Alias /simplesaml /srv/simplesamlphp-1.8.0/www
perlModule Apache::Auth::AuthMemCookie

        # get redirected here when not authorised
        ErrorDocument 401 "/simplesaml/authmemcookie.php"
        PerlAuthenHandler Apache::Auth::AuthMemCookie::authen_handler
        PerlSetVar AuthMemCookie "AuthMemCookie"
        PerlSetVar AuthMemServers "127.0.0.1:11211"
        PerlSetVar AuthMemDebug 1
        PerlSetVar AuthMemAttrsInHeaders 0
        AuthType Cookie
        AuthName "Koha SAML"
        Require valid-user

To test it, easiest method is to create account in Feide OpenIdP and test against it. After all, it easiest to start with same implementation of SAML2 on both sides just to prevent following scenario:

On perl side I first tried Net::SAML2 and found out that it doesn't handle IdP without adding HTTP-Artifact support to the IdP. However, even after that I wasn't managed to make it work with simpleSAMLphp IdP implementation mostly because of my inpatience with SSL configuration of it.

On the bright side, for first test I didn't need to modify Koha (Library management software which I'm configuration SAML2 for) at all because it already has support for HTTP authorization.

Kindle K3G and DXG

2011-05-22T18:51:42Z

As some of you already know, almost a moth ago we placed order for our first Kindle (3G with wifi). Week after it arrived, we also ordered bigger DXG to complement our reading habits. So why do we have two Kindles and do we have regrets with them? Well, no! This post will try to summarize what I learned since...

For a start, both devices have ARMv6, but K3G has 256 Mb of RAM while DXG has only 128 Mb. Both have 4Gb of flash of which about 3.5Gb is available for user content. Both have working 3G connectivity in Croatia. wpa_supplicant on Kindle won't allow connections to "enterprise" networks (like EduRoam). Smaller K3G is just too small for reading pdf files. Bigger DXG has e-paper in A5 size, so it's much more useful, but comes with older 2.5.8 firmware which has terrible browser (Netfront as opposed to WebKit in 3.1) and pdf reading without contrast settings (which is very, very useful).

But, I was fortunate enough to find mobileread forum post on migration of 3.1 software from K3G to DXG by Yifan Lu to whom I'm eternally grateful for much needed software upgrade.

However, even if you don't want to upgrade Amazon's own firmware, there is Duokan alternative reader software for Kindle. It has superb support for two column pdf files which allows you to just press next page key and read column on the left (from top to bottom) and then on the right (from top to bottom). It has also various other layouts for reading, and it makes smaller Kindle almost useful for pdf reading (and reading on bigger one a joy).

But, sooner or later, you will come across pdf which would really benefit from manual cropping. Take a look at briss which is cross-platform application for cropping PDF files.

While we are at software, you should really look at mobileforum's Kindle hacks thread which documents latest jailbreak (which will give you root permissions on Kindle), usbnetwork (to connect over USB cable) and various fonts and screensaver hacks.

Development for kindle can be done using Java2ME (remember that from cell phones?). However, Amazon doesn't actually seem to give out it's Kindle development kit but don't despair: Andrew de Quincey figured out a way to develop kindlets without the KDK. With KDK API from Amazon and JSR217 specification for Java2ME you can be in your marry Java development in no time.

I would like to see something like OpenInkport running on Kindle. This would allow free software developers to take full power from this nice e-paper device. If only I didn't have so much books to read...

Optimize pdf file size using Ghostscript

2011-05-11T14:22:27Z

We just got our conference booklet, and we need to publish it on the web. But, it has 152 Mb. This seemed excessive, so I googled a bit and found following:

$ gs -sDEVICE=pdfwrite -dCompatibilityLevel=1.4 -dPDFSETTINGS=/screen -dNOPAUSE -dQUIET -dBATCH -sOutputFile=output.pdf input.pdf

$ ls -al input.pdf output.pdf 
-r-xr-xr-x 1 dpavlin dpavlin 158511430 May 11 16:23 input.pdf
-rw-r--r-- 1 dpavlin dpavlin   1646309 May 11 16:24 output.pdf

That's reduction to 1% of original size.

-dPDFSETTINGS=configuration to presets the "distiller parameters" to one of four predefined settings:

/screen selects low-resolution output similar to the Acrobat Distiller "Screen Optimized" setting.
/ebook selects medium-resolution output similar to the Acrobat Distiller "eBook" setting.
/printer selects output similar to the Acrobat Distiller "Print Optimized" setting.
/prepress selects output similar to Acrobat Distiller "Prepress Optimized" setting.
/default selects output intended to be useful across a wide variety of uses, possibly at the expense of a larger output file.