Linux

HOWTO: WRITE BETTER DOCUMENTATION

So, call to action: if you are writing any kind of documentation, before explaining how to fix the problem, teach the user how to diagnose it.

Source: Why Linux Troubleshooting Advice Sucks

I’ve been writing documentation for myself for years, and have been using Linux for 20 years, and I still struggle with the basics cos most documentation for Linux fucken sucks.

  • Teach the user how to diagnose the issue so they can confirm the solution you have is indeed for their issue.
  • Explain why this is happening.
  • Provide the solution. Could be a bash one-liner they can copy-paste. Could be a script (explain how to run it). Could be a patch (explain how to apply it). Don’t just say “this is an exercise left to the reader.”

And no, “reading the source” doesn’t help. Neither does “read the man pages”; the only man page worth anything is the one for nmap.

If you’re one of those people who say that, you can go fuck yourself, hard, in the ass, no lube.

“Burn the witch!”, they yell

This is written in Rust because I personally believe that writing security critical components that we would ship with the operating system in C is a massive disservice to our users. Go also doesn’t really have a good story to do interoperability with core C system components like this (the Go runtime is massive and as of writing this post the entire PAM module I’ve written is smaller than the Go runtime, even with a statically compiled copy of libcurl).

Source: The Surreal Horror of PAM – Xe

You can already see C fanbois off in the distance carrying pitchforks and torches

The more things change the more they stay the same

I first started using Linux and FreeBSD on laptops in the late 1990s. Back then, there were all sorts of hassles and problems, from hangs on suspend to pure failure to boot. I still worry a bit abo…

Source: Managing an External Display on Linux Shouldn’t Be This Hard | The Changelog

Evidently nothing has changed since we stopped using Linux as our daily driver OS. We were actively thinking of switching back as we got tired of Windows rebooting on us whenever it felt like it. Slight problem: we have two 4K displays and two 1080p displays hooked to a Radeon GPU and AMD isn’t particularly nice about proper driver support; they’re better than Nvidia but not by much.

We hate to think what would happen if we have to switch to a laptop full-time. We’d probably give in fully to the dark side and run WSL on Win11. More and faster progress is being made on running desktop applications on it than people are doing on fixing these issues on “real” Linux.

Microsoft is just using Linux to make the moat around Windows deeper

I’ve also slowly become convinced of something else. Elegant though they may be, grand, over-arching theories of human-computer interactions are just not very useful. The devil is in the details, and accounting for the quirky details of quirky real-life processes often just results in quirky interfaces. Thing is, if you don’t understand the real life process (IC design, neurosurgery procedures, operation scheduling, whatever), you look at the GUIs and you think they’re overcomplicated and intimidating, and you want to make them simpler. If you do understand the process, they actually make a lot of sense, and the simpler interfaces are actually hard to use, because they make you work harder to get all the details right.

Source: Perhaps WSL2 Should be a Wake-up Call | Lobsters

As someone who has railed elsewhere about the evils of point of sale systems created by people who have never, in their little sad developer lives, worked in food service, I feel this comment in my bones. For people who know what they want to accomplish, a complicated interface will let you do your job once you learn it, and it will let you do magic once you master it.

People bitch about Windows, myself included. But we’re still using it. I personally keep thinking of switching back to Linux but I find myself dreading the inevitable UI churn of GNOME and KDE; it is one of the reasons why I prefer XFCE. But even it suffers from churn underneath, in the form of libraries and modules that are tossed aside and rewritten in an inane race towards “modernity”.

As for WSL, the classic Borg assimilation quote comes to mind.

We are the Borg. Existence, as you know it, is over. We will add your biological and technological distinctiveness to our own. Resistance is futile.

Accessorize your Windows toys with WSL

Normally I would consider this a bug. However over the years I’ve come to the conclusion that Windows is a pretty toy. It works wonderfully “in the small”. But it isn’t useful for significant programmer workloads (like typing :-) ).

Source: WSL Isn’t Linux | Hacker News

Your mistake was considering Windows suitable for anything but media consumption. It will phone home, it will reboot when it feels like it, and it won’t resume state when it does reboot or resume from sleep.

The best use for WSL is to use it to shell into a proper Linux host. Only way you can guarantee you won’t lose your work when the OS decides to do something.

Block attacker IP addresses, four ways

If you run WordPress you’ve seen these in your web server logs:

132.232.46.230 - - [29/Oct/2020:13:58:41 -0500] "POST /xmlrpc.php HTTP/1.1" 200 259 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" "-"
132.232.46.230 - - [29/Oct/2020:13:58:44 -0500] "POST /xmlrpc.php HTTP/1.1" 200 259 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" "-"
132.232.46.230 - - [29/Oct/2020:13:58:48 -0500] "POST /xmlrpc.php HTTP/1.1" 200 259 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" "-"
132.232.46.230 - - [29/Oct/2020:13:58:52 -0500] "POST /xmlrpc.php HTTP/1.1" 200 259 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" "-"
132.232.46.230 - - [29/Oct/2020:13:58:55 -0500] "POST /xmlrpc.php HTTP/1.1" 200 259 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" "-"
132.232.46.230 - - [29/Oct/2020:13:58:58 -0500] "POST /xmlrpc.php HTTP/1.1" 200 259 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" "-"

Fucken scanners just slamming xmlrpc.php looking for a way in. When this happens CPU usage just goes through the roof for as long as the scan lasts, and that could be five minutes, could be six hours, could be all week before it ends. The gods help you if you’re paying by CPU usage.

So you have to block access to the file. You could just block all access to XML-RPC but doing this will prevent the WP mobile app from working.

We’ll just block that specific IP address, but we need to be quick about it: a quick one-liner on the terminal before the OS topples over and becomes completely unresponsive, or worse.

iptables

This should work for any Linux distribution that has iptables out of the box which is basically all of them.

# iptables -I INPUT -s 132.232.46.230 -j DROP
  • -I: Insert the rule as the first rule to be applied in the INPUT chain. You could use -A (append) but the sooner we get rid of that traffic the less work the CPU has to do.
  • -s: Source address, in this case 132.232.46.230, which belongs to Tencent.
  • -j: jump to the DROP target. If you use the REJECT target you’re just creating more work for the CPU.

Documentation here but the Ubuntu how-to is far more useful in getting people started.

pf

As it is part of both FreeBSD and OpenBSD base installations it should be enabled in /etc/rc.conf, but from reading the (almost useless) documentation and looking around the web you need to fuck around with pf.conf first, then you can manipulate the table. This is the first result on the web when you search for “pf block ip address”. So no one-liner that can save your life.

Edit /etc/pf.conf and add

table <badhosts> persist
block on fxp0 from <badhosts> to any
  • Create a table named badhosts and keep it persistent in kernel memory.
  • Block, on interface fxp0 (you’ll want to change this), traffic from the addresses in the badhosts table to any destination.

Once you have this you can manipulate the table from the command line with pfctl:

# pfctl -t badhosts -T add 132.232.46.230
  • -t: pfctl will manipulate the badhosts table
  • -T add: the table command to run; here it adds address 132.232.46.230 to the table

Fucken hell, FreeBSD documentation is the fucken worst. Drier than Melania Trump’s libido. Now, reading through the OpenBSD pf documentation it looks like you can do

# pfctl -t badhosts -T add 203.0.113.0/24

Which will create the badhosts table automatically without having to fuck around with /etc/pf.conf. Don’t know if this will work on FreeBSD though.

ipfw

It is part of the FreeBSD base installation, so it does depend on ipfw being enabled in /etc/rc.conf, but it looks like you can go

# ipfw add deny all from 132.232.46.230 to any
  • Add a rule denying any and all traffic from 132.232.46.230 to any destination

At least these rules are succinct and easy to read. Whoever wrote the documentation seems to have paid more attention to usage.

Still, fuck FreeBSD.

Windows

Super easy now that PowerShell is built into Windows itself:

PS C:\WINDOWS\system32> New-NetFirewallRule -DisplayName "Block traffic from 132.232.46.230" -Direction Inbound -LocalPort Any -Protocol Any -Action Block -RemoteAddress 132.232.46.230
  • -DisplayName: The human-readable name of the firewall rule
  • -Direction: Can be Outbound or Inbound. We want Inbound obviously.
  • -LocalPort: Going with any ports because fuck crackers.
  • -Protocol: Same, all protocols
  • -Action: Block traffic
  • -RemoteAddress: Specifying only 132.232.46.230

The documentation for the commandlet is super nice. No, I’m not typing ‘cmdlet’.

The old way involved so, so many clicks. PowerShell makes it easy.

Now all of the previous bits of code cease to have any effect after a system reboot so if you want the rules to be permanent… don’t. Blackhats will just scan from different hosts and different networks so blocking an IP address permanently is just unproductive.
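A way to do the diagnosis step the documentation HOWTO at the top asks for, as an added example that is not the post’s own code: it pulls the repeat xmlrpc.php POSTers out of an access log, refuses anything that is not a plain dotted quad before it gets anywhere near a firewall command line, and prints the four one-liners from above for the address. The log excerpt, the 203.0.113.9 and 198.51.100.7 clients and the five-hit threshold are all constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original post: pick the offending address out of a
# combined-format access log the way the post describes (repeated POSTs to xmlrpc.php),
# sanity-check it, and print the matching one-liner for each of the four firewalls above.
# All input below is constructed sample data.

# Constructed log excerpt: the six Tencent lines mirror the post, 203.0.113.9 sends two
# POSTs, and 198.51.100.7 is an ordinary visitor (a GET) that must not be reported.
sample_log() {
    cat <<'EOF'
132.232.46.230 - - [29/Oct/2020:13:58:41 -0500] "POST /xmlrpc.php HTTP/1.1" 200 259 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" "-"
132.232.46.230 - - [29/Oct/2020:13:58:44 -0500] "POST /xmlrpc.php HTTP/1.1" 200 259 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" "-"
203.0.113.9 - - [29/Oct/2020:13:58:45 -0500] "POST /xmlrpc.php HTTP/1.1" 200 259 "-" "curl/7.64.0" "-"
132.232.46.230 - - [29/Oct/2020:13:58:48 -0500] "POST /xmlrpc.php HTTP/1.1" 200 259 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" "-"
198.51.100.7 - - [29/Oct/2020:13:58:50 -0500] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "Mozilla/5.0" "-"
132.232.46.230 - - [29/Oct/2020:13:58:52 -0500] "POST /xmlrpc.php HTTP/1.1" 200 259 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" "-"
132.232.46.230 - - [29/Oct/2020:13:58:55 -0500] "POST /xmlrpc.php HTTP/1.1" 200 259 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" "-"
203.0.113.9 - - [29/Oct/2020:13:58:57 -0500] "POST /xmlrpc.php HTTP/1.1" 200 259 "-" "curl/7.64.0" "-"
132.232.46.230 - - [29/Oct/2020:13:58:58 -0500] "POST /xmlrpc.php HTTP/1.1" 200 259 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" "-"
EOF
}

# xmlrpc_abusers THRESHOLD: read a log on stdin, print "count ip" (busiest first) for every
# client that POSTed to /xmlrpc.php at least THRESHOLD times. GETs and other paths are ignored.
# In combined format $1 is the client, $6 is the quoted method and $7 the request path.
xmlrpc_abusers() {
    awk -v min="$1" '
        $6 == "\"POST" && $7 ~ /^\/xmlrpc\.php(\?|$)/ { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' | sort -rn
}

# is_ipv4 ADDR: succeed only for a plain dotted quad with octets 0-255, so a hostile log
# field such as "1.2.3.4; rm -rf /" is never interpolated into a firewall command.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }
    '
}

# block_commands IP: the one-liner for each platform covered in the post. Run the one that
# matches your host, as root or Administrator; pf assumes the badhosts table defined above.
block_commands() {
    printf 'iptables:   iptables -I INPUT -s %s -j DROP\n' "$1"
    printf 'pf:         pfctl -t badhosts -T add %s\n' "$1"
    printf 'ipfw:       ipfw add deny all from %s to any\n' "$1"
    printf 'PowerShell: New-NetFirewallRule -DisplayName "Block traffic from %s" -Direction Inbound -LocalPort Any -Protocol Any -Action Block -RemoteAddress %s\n' "$1" "$1"
}

# Demo on the constructed log: anything with five or more POSTs is reported with its commands.
sample_log | xmlrpc_abusers 5 | while read -r count ip; do
    is_ipv4 "$ip" || { echo "skipping malformed address: $ip" >&2; continue; }
    echo "$ip: $count POSTs to /xmlrpc.php"
    block_commands "$ip"
done
```

On a live host replace `sample_log` with something like `tail -n 5000 /var/log/nginx/access.log` and keep the threshold high enough that the WP mobile app’s own XML-RPC calls do not trip it.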

A better solution is to use fail2ban.

There is also CrowdSec, but I haven’t personally used it.

This post came to be cos I spent 30+ minutes trying to figure out how to block traffic on a FreeBSD host and their documentation is just… inscrutable. Should you ask for help in their forums you’ll just get told to RTFM.

You end up going in circles, consuming yourself in rage and frustration, which does not feel nice. Rage-posting is where it’s at.

Nice

Pretty sure this is the longest I’ve been able to keep a server alive without having to reboot for whatever reason.

A Debian Wifi Router: Kernel tuning

So it turns out that if you go with the default kernel parameters on the device you won’t get much throughput. I’m currently paying my ISP for a 25Mbit/s pipe both ways, which is bloody awesome.

I was having problems with throughput and network jitter, though. I was able to get a fast connection from my devices to the router, and the router had the full connection available to itself; the problem was that the router was not able to make the full connection bandwidth available to its clients, and the bandwidth would drop from 25Mbit/s all the way down to 5Mbit/s all the time.

This is really damn annoying when you’re putting in a good match on Unreal Tournament, let me tell you.

Thinking it could be something related to hostapd, I played around with a few more settings but nothing really made a difference. I’m having problems with reception and throughput in my bedroom but that’s for another post, I guess. Suffice to say that with a direct line of sight to the router everything works about as expected.

So it wasn’t hostapd. Played around with iwconfig and iw but neither made much of a difference. That left the network interfaces themselves and the kernel.

Dug around and found plenty of links and articles on what settings to adjust and how to adjust them, but all of them are geared towards servers of some sort. There isn’t much information that a home/office IT guy would be able to use for tuning the kernel for bandwidths of less than 100Mbit/s, which is what I’m attempting to do here. The most popular post (which I basically copied into my configuration) uses settings for 1Gbit/s connections, which I then changed with the one entry that matched from the Ars Technica post.

Here’s sysctl.conf as I have it right now:

# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additional system variables.
# See sysctl.conf (5) for information.
#

#kernel.domainname = example.com

# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3

##################################################################
# Functions previously found in netbase
#

# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1

# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
#net.ipv4.tcp_syncookies=1

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

# Uncomment the next line to enable packet forwarding for IPv6
#  Enabling this option disables Stateless Address Autoconfiguration
#  based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1


###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
#net.ipv4.conf.all.send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
#
# Kernel parameter adjustments
# 2016/09/12 02:59:32: http://www.nateware.com/linux-network-tuning-for-2013.html
# http://arstechnica.com/gadgets/2016/04/the-ars-guide-to-building-a-linux-router-from-scratch/
#
kernel.sem = 250 256000 100 1024

# Increase system file descriptor limit
fs.file-max = 100000
#
# Discourage Linux from swapping idle processes to disk (default = 60)
vm.swappiness = 10
#
# Increase ephemeral IP ports
net.ipv4.ip_local_port_range = 10000 65000
#
# Increase Linux autotuning TCP buffer limits
# Set max to 16MB for 1GE and 32M (33554432) or 54M (56623104) for 10GE
# Don't set tcp_mem itself! Let the kernel scale it based on RAM.
net.core.rmem_default = 4194304
net.core.wmem_default = 4194304
net.core.rmem_max = 4194304
net.core.wmem_max = 4194304
net.core.optmem_max = 40960
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 65536 4194304

# Make room for more TIME_WAIT sockets due to more clients,
# and allow them to be reused if we run out of sockets
# Also increase the max packet backlog
net.core.netdev_max_backlog = 25000
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_max_tw_buckets = 200000
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 10

# Disable TCP slow start on idle connections
net.ipv4.tcp_slow_start_after_idle = 0

# If your servers talk UDP, also up these limits
net.ipv4.udp_rmem_min = 8192
net.ipv4.udp_wmem_min = 8192

# Disable source routing and redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0

# Log packets with impossible addresses for security
net.ipv4.conf.all.log_martians = 1

Everything in here I’m sure can be tuned further and the file itself is so damn ugly to look at but for now at least I have a starting point I can use.
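Because a file merged by hand from two blog posts is easy to get subtly wrong, here is an added lint, not from the original post, that reads a sysctl.conf on stdin and reports keys assigned more than once (the kernel silently takes the last one) and which of the hardening keys the Debian template ships commented out are still inactive. The excerpt it runs against is a constructed cut-down of the file above, and the list of hardening keys is this example’s own choice.

```shell
#!/bin/sh
# Added example, not from the original post: lint a sysctl.conf for duplicate keys and for
# the Debian template's commented-out hardening knobs that were never switched on.
# Reads the configuration on stdin; the sample below is a constructed excerpt.

# Hardening keys the stock Debian template leaves commented out (this example's own list).
HARDENING_KEYS="net.ipv4.conf.default.rp_filter net.ipv4.conf.all.rp_filter net.ipv4.tcp_syncookies net.ipv4.conf.all.log_martians net.ipv4.conf.all.accept_redirects net.ipv4.conf.all.send_redirects"

# Constructed excerpt of the configuration above; rmem_default is deliberately set twice.
sample_conf() {
    cat <<'EOF'
#net.ipv4.conf.all.rp_filter=1
#net.ipv4.tcp_syncookies=1
net.ipv4.ip_forward=1
net.core.rmem_default = 4194304
net.core.rmem_max = 4194304
net.core.rmem_default = 4194304
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.log_martians = 1
EOF
}

# active_keys: print "key value" for every uncommented assignment on stdin,
# normalising both "key=value" and "key = value" spellings.
active_keys() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' -e 's/[[:space:]]*=[[:space:]]*/ /' -e 's/^[[:space:]]*//'
}

# duplicate_keys: keys assigned more than once; only the last assignment takes effect.
duplicate_keys() {
    active_keys | awk '{ n[$1]++ } END { for (k in n) if (n[k] > 1) print k }' | sort
}

# missing_hardening: hardening keys with no active assignment at all (commented or absent).
missing_hardening() {
    active=$(active_keys | awk '{ print $1 }')
    for k in $HARDENING_KEYS; do
        printf '%s\n' "$active" | grep -qx "$k" || printf '%s\n' "$k"
    done
}

# Demo on the constructed excerpt.
echo "Keys set more than once:"
sample_conf | duplicate_keys
echo "Hardening keys still inactive:"
sample_conf | missing_hardening
```

To check the real file, replace `sample_conf` with `cat /etc/sysctl.conf`; `sysctl -n <key>` then tells you what the running kernel actually has.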

All this tomfoolery is turning me into a network wonk.

Blackslab back on Linux

Title says it all. First I tried using Windows 8 on her and it kinda sorta worked… but it was just too much for the computer.

I tried Windows 7 and it worked without a hitch… until I actually installed software. Once I did, the system bogged down to the point where I would dread using it. Even YouTube videos would bring the system to its knees.

Right now I’ve been using Linux Mint 14 Debian Edition without problems except the usual Pulseaudio bullshit, but that will require very smart minds to fix.

Linux desktop “progress”

Northfield/Norwood isn’t about changing anything fundamentally with Wayland/Weston, but Moreau doesn’t like the pace of development within Wayland/Weston and it being bottlenecked at times by Kristian’s workload. Moreau is also more focused on just “desktop bling” and effects than low-level graphics subsystem work. Among the desktop effects he wants to bring over from Compiz into a Wayland compositor include the desktop cube, desktop wall, scale, wobbly windows, expo, and Emerald Theme support.

[Phoronix] Wayland/Weston Fork Now Called Northfield/Norwood.

In a couple of years you’ll have to get a new computer to run any sort of Linux desktop environment, while your old computers get Windows installed on them.

Redesigning the Thinkpad for Windows 8 and ONLY Windows 8

ThinkPad loyalists will almost certainly direct their attention to the new trackpad when first laying eyes on the T431s. Or, perhaps, they’ll spot the notable (and very deliberate) omission of the physical buttons that have historically sat just beneath and above a far smaller tracking surface. According to Parrish, the overall concept was to “simplify the appearance of two pointing devices in ThinkPad notebook design and maximize touchpad area — while optimizing it for interaction with Windows 8.” A tricky approach, no doubt, given that a solid swath of ThinkPad users have no doubt grown used to mousing with the crimson-clad, centrally located nub. The end result is a five-button clickpad, as it was detailed to me, which supports 20 gestures and handles northerly clicks for those who refuse to switch from using the aforementioned pointing stick.

The inside story of Lenovo's ThinkPad redesign.

So I guess Linux support is out? Right now I’m pissed at the desktop environment mess, but once the dust has settled, I’ll probably be going back. I’d like to go back to Linux on a Thinkpad, but if Lenovo chooses to block me from that, I’ll buy a computer from some other OEM that does let me.

Ask Slashdot: Mac To Linux Return Flow? – Slashdot.

Just like me, people are switching back and forth.

  • OS X is getting a lot of iOS stuff into it that professional creators don’t want or need.
  • Windows 8 is not everyone’s cuppa tea… but it’s quite solid as long as you learn how to deal with don’t-call-it-Metro interface.
  • Linux is in a state of disarray. KDE is pure eye candy, GNOME is griefing, Xfce and Enlightenment kind of refuse to pick up the slack, MATE and Cinnamon are still bug ridden.
  • BSD is stable… if you’ve got compatible hardware and don’t mind using libraries that are often years old.

Shit’s broken and no one ain’t fixin’ it.

Xorg, Radeon, Thinkpad.

By the pits of elemental chaos, I don’t know where to begin. I truly don’t. I’m typing this up trying to calm down after I was taken against my will on an odyssey of bad documentation, stupid changes and general assholery.

It all started with an innocuous aptitude update; aptitude upgrade. Package linux-image-3.2.0-4-686-pae refused to install properly, but that can be dealt with later. Reboot.

All hell breaks loose upon Xorg. All 2D/3D hardware acceleration is gone. Xrandr refuses to work and the most it can do is clone the displays, displaying the following error with a command that worked for years before today:

$ xrandr --output LVDS --auto --preferred --output VGA-0 --auto --preferred --right-of LVDS
xrandr: screen cannot be larger than 1600x1200 (desired size 2680x1200)

Dig into documentation… nope, I’m setting all options properly. The xorg.conf man page has this golden nugget of information:

VIDEOADAPTOR SECTION
Nobody wants to say how this works. Maybe nobody knows ...

Is it any wonder people are using sites like StackExchange as their first stop when trying to fix issues? Man pages refuse to evolve and more and more applications simply don’t provide them, telling you to go to their website when seeking help.

Anyway, back to Xorg. Installing the proprietary fglrx driver doesn’t work; the Radeon Mobility X1400 card on this Thinkpad T60 is not supported anymore. I could try apt pinning to get it to work… but Debian doesn’t really encourage its use. Purged the driver from the system.

Now I’ll have to do the one thing I really didn’t want to do: set up an xorg.conf file manually. Switch to a VT (Ctrl+Alt+F1), uplift to root, kill X (/etc/init.d/lightdm stop), issue X -configure. Get this error:

Number of created screens does not match number of detected devices.
Configuration failed.

2003 called. They want XFree86 back.

All right then, let’s manually create an xorg.conf file that X can use without shitting itself. Visited thinkwiki.org and found useful nuggets of information, including a mostly working xorg.conf file. Coupled this with another demonstration xorg.conf file and I came up with this beauty:

Section "Device"
    Identifier  "ATI X1400"
    Driver      "radeon"
    Option      "AGPMode"        "8"
    Option      "AGPFastWrite"   "1"
    Option      "RenderAccel"    "1"
    Option      "AccelMethod"    "EXA"
    Option      "AccelDFS"       "1"
    Option      "EnablePageFlip" "1"
    Option      "ColorTiling"    "1"
    Option      "DynamicClocks"  "1"
    Option      "BIOSHotkeys"    "1"
    BusID       "PCI:1:0:0"
EndSection

Section "Monitor"
    Identifier  "LVDS"
    Option      "DPMS"
EndSection

Section "Screen"
    Identifier   "Default Screen"
    Device       "ATI X1400"
    DefaultDepth 24
    SubSection "Display"
        Virtual 2680 1050
    EndSubSection
EndSection

It’s ugly, it’s messy. It mostly works.

Video performance is, hmm, how to describe it… quirky; I’m getting lots of drawing artifacts all over the place; CPU usage seems to come and go. Hell, the performance of iceweasel while typing this post leaves much to be desired. But now I’ve got a starting point from which to improve the situation.

Was any of this necessary? No. Would I have run into these issues if I were using Windows or OS X? Certainly not. The urge to leave Linux behind on the desktop and move back to Windows is becoming ever stronger. Windows 8 runs quite nicely on my Thinkpad X61t, and I don’t have to deal with forced changes to my desktop environment.

I’m tired of this. All of this. First Amarok 2 became a monster that still can’t compare with Amarok 1.4.x — Clementine does the job well enough, but really. Then GNOME 2 turned into GNOME 3, throwing into disarray the desktop environment landscape; people haven’t recovered and the alternatives aren’t working yet. Interacting with Android devices remains a pain in the ass. Interacting with iOS devices is basically impossible. The big companies are treating Linux like a third-class citizen.

Should I not be able to get performance to what it was before, I will be migrating back to Windows. I am not alone in this consideration. Right now a whole lot of people are migrating to OS X or Windows to avoid these headaches; they too are tired of having to fight the desktop in order to do real work.

Linux is victorious in the server and mobile spaces, but I now truly don’t expect it to remain more than a plaything for common desktop users. I hope to someday come back to the Linux fold, but this probably won’t happen for a few years, when things have changed.

UNIX vs. FLOS

To me, the core of a UNIX system is a philosophical matter. To quote Mike Gancarz’s The UNIX Philosophy from 1994, UNIX has 9 paramount precepts:

  1. Small is beautiful.
  2. Make each program do one thing well.
  3. Build a prototype as soon as possible.
  4. Choose portability over efficiency.
  5. Store data in flat text files.
  6. Use software leverage to your advantage.
  7. Use shell scripts to increase leverage and portability.
  8. Avoid captive user interfaces.
  9. Make every program a filter.

FLOS is a nearly diametrically opposed design, with design concepts like the following:

  • FLOS avoids scripts, and prefers to split tasks into compiled logic interacting with logic-less configuration files.
  • FLOS prioritizes ease of machine manipulability over human manipulability.
  • The components of FLOS communicate over D-Bus rather than sockets and pipes.
  • FLOS is built on a core of monolithic programs which attempt to synergistically manage multiple complex components.
  • FLOS leverages features specific to Linux and ignores portability.
  • FLOS prefers tightly integrated components to generic solutions.

I’m not sure that this is a bad design, but it is most definitely not UNIX or anything like it.

Linux Future | PAPPP's Rambling.

via Linux Reddit.

This here explains why a lot of stuff simply doesn’t work the way it used to: Xorg, NetworkManager, Pulseaudio. It also explains why no one outside of IT uses Linux for real-world software development; you don’t have to fight OS X to get started writing code. FreeBSD is almost there as well, with people switching over to it to avoid dealing with the eldritch abomination that is D-Bus.

Are FLOS proponents still butthurt by Microsoft? So much that they would turn the OS on top of Linux-the-kernel into a bad imitation of Windows?

Sinful Interfaces

Windows 8′s Greatest Sin | TechPinions.

It is quite telling that Linux is nowhere on the list. This is how hard all open source desktop environments have failed.

GNOME lusted after OS X and became a bad imitation of it. KDE lusted after Windows 7’s candied interfaces, and became bloated. Xfce remains too static, and people use it only because it is known and stable.

There is some semblance of hope with MATE, Cinnamon, Trinity and Razor-qt, but they’re too young and still need years to achieve feature parity with Windows XP.

I’ve been using Windows 8 and I’ve found I have to fight its UI quirks less than those of Xfce, GNOME or KDE, enticing me to jump back and stop dealing with all these changes.
