asyd’s blog

Introduction

As a system administrator, I dislike to edit text in Firefox (or any other webbrowser), for example to write a new post on this blog, or edit some contents in drupal. This morning, I was looking for a Firefox extension allowing to use an external editor (in my case vim, for sure) to edit contents of textarea. This extension is pretty simple, you only need to configure which command to run to edit the file.

However there is a big trouble with Mac OS X, indeed, I was not able to find a command line to open a new terminal tab and lauching vim with the file to edit. Indeed, something like:


% open -a iTerm /usr/bin/vim


is working fine, however, it’s not possible to do something like:


% open -a iTerm /usr/bin/vim -- /tmp/file_to_edit


That’s very inconvenient, isn’t it! So, the only way I found to achieve that is to write an AppleScript to open a new iTerm, using vim profile (which runs vim as startup), and then open the file by sending text to vim from the AppleScript. But, once gain, I run out of luck. Indeed, the filename computed by it’s all text contains spaces, and vim expect escaped spaces. So, I look for a way to replace string in AppleScript, but… guess what? it’s seem very difficult (because I need to create another file..). So the only simple solution I found is to create a shell script that create a symbolic link in /tmp to the file to edit.. Here we go!

Configuration

iTerm
Open your bookmarks manager, and create a new bookmark like
that:

Open a terminal, create the directory ~/bin, create the file
editfile with the following contents (replace bbonfils
with your login name):

#!/bin/zsh
 
extension=${1:e}
link="/tmp/firefox."$$".${extension}"
 
ln -s "$1" $link
 
/Users/bbonfils/bin/editfile.scpt $link

Create a new file named editfile.scpt with the following contents:

#!/usr/bin/osascript

on run argv
        tell application "iTerm"
                activate
                make new terminal
                tell the last terminal
                        launch session "vim"
                        tell the last session
                                write text "^[[:e " & item 1 of argv
                        end tell
                end tell
        end tell
end run

Ensure both are executable chmod +x, and then configure it’s all text
to use the first script to open file (/User/bbonfils/bin/editfile), and
now it should work!

The last word

Note I can’t remove the link in the script, since all of them are executed in background,
if you add a rm in the think, the link will be removed few seconds after you start vim,
so your textarea contents won’t be updated.

And yes, I know, it’s ugly, if you have a better way to achieve that, please post it in comments!

Uncategorized firefox, vim

OpenSolaris 200906 comes with some very interesting features about networking management. One is flowadm, allowing to manage network streams in a very simple and elegant way. For example, the next commands allow me to restrict the bandwith for my HTTP server.


flowadm add-flow -l bge0 -a transport=tcp,local_port=80 httpflow
flowadm set-flowprop -p maxbw=8 httpflow



wget -O /dev/null http://eva0/empty
2009-09-12 17:32:07 (971 KB/s) - « /dev/null »


As you can see it’s very simple! The following properties can be applied to a stream:

• maxbw: Sets the full duplex bandwidth for the flow.
• priority: Sets the relative priority for the flow.
• cpus: Allocate packets of the flow to a processor set, for systems that have multiple
  processor sets. (this property is not yet available, maybe in 200911?)

References:

OpenSolaris

It’s the first time I’m using pound (a http reverse proxy), and I was a little disappointed about its configuration. My use case is very simple, for a given virtual host (idp.asyd.net in my case) I want to redirect from / to /opensso. Since pound seems not very well documented, here my configuration to achieve that:

ListenHTTP
   Address  0.0.0.0
   Port  80
   Service
      HeadRequire "Host: idp.asyd.net"
      URL "^/$"
      Redirect "http://idp.asyd.net/opensso"
   End
   Service
      HeadRequire "Host: idp.asyd.net"
      Backend
         Address 127.0.0.1
         Port 8080
      End
   End
End

Sysadmin

As a new owner of an yubikey, I was looking the best way to integrate it with the web application I already use. While there is already an available OpenID provider which support Yubikey authentication, I prefer to manage my own system, using OpenSSO for sure

First, let me introduce the yubikey. This USB key act as an OTP (One Time Password) device, each time you press the button, the key compute a new password. This pasword must be verify, in the case of Yubikey, this is done by query a Webservices on a yubico (the company) server. Yubikey offers a lot of advantages than others classical OTP devices, including:

• The yubikey is see as an USB keyboard (class HID), no driver required!
• No battery, more longlife than anothers devices
• Very cheap, around 20 euros (ordered by 10, from France), transport and taxes included

So, why choose OpenSSO? For few years know, OpenSSO provides an extension to act as an OpenID provider, and an authentication class is available for the Yubikey.

References:

• Build the OpenSSO extension for OpenID
• Build the Yubikey authentication class

IAM, Security, Sysadmin openid, opensso, yubikey

I actually manage a LDAP directory with a lot of entries (almost 1,5 millions entries in the same OU). In order to check the replication state, I was looking for a way to count the number of entries in this OU. Thanks to Ludovic Poitou (once again), this information is available via an hidden attribute in the OU.


% ldapsearch -Wxh ldap1 -D "cn=Directory Manager" -b 'ou=people,ou=ssousers,dc=asyd,dc=net' -s base '(objectClass=*)' 'numsubordinates'
[..]
dn: ou=people,ou=ssousers,dc=asyd,dc=net
numsubordinates: 1386931


Depends on the directory server, it’s also possible to get the number of entries for a given backend (the following code was tested for Sun Directory Server 5.2):


% ldapsearch -Wxh ldap1 -D 'cn=Directory Manager' -b 'cn=monitor' -s base '(objectclass=*)' 'backendmonitordn'
[..]
dn: cn=monitor
backendmonitordn: cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
backendmonitordn: cn=monitor,cn=ssoUsers,cn=ldbm database,cn=plugins,cn=config
backendmonitordn: cn=monitor,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config



% ldapsearch -Wxh lynx -D 'cn=Directory Manager' -b 'cn=monitor,cn=ssoUsers,cn=ldbm database,cn=plugins,cn=config' -s base '(objectclass=*)' 'ldapentrycount'
[..]
dn: cn=monitor, cn=ssoUsers, cn=ldbm database, cn=plugins, cn=config
ldapentrycount: 1408974


Sysadmin

Most of system administrators use OpenSSL (which is not a good idea, but it’s an another story) to manage their PKI. While OpenSSL is good to create/convert X509 certificates from PEM/DER to PKCS#12 (and vice versa, for sure) it doesn’t understand the JKS (Java KeyStore) format. JKS are used in Java world, for example Glassfish application server, OpenDS and so more. In this post, I’ll explain how to convert a PKCS#12 to a JKS using portecle. portecle is a small, but very useful application (written in Java) to manipulate keystores.

1. Download portecle, extract it, and lauch it using java -jar portecle.jar (note that Java 6 seems required for version 1.4.x)
2. Open your PKCS#12 file, provide the password
3. Click on Tools/Change KeyStore Type/JKS menu
4. If you don’t want to use the default password (which is password), click on the menu keystore password
5. Save it, that’s all folks!

You can know list the contents of your JKS using keytool:


% keytool -list -v -keystore yourkeystore.jks


Security, Sysadmin

Here the following commands I use to create a IPMP (IP Multipathing) groups (master/slave):


#!/bin/sh

# Add logicial interface
ifconfig nge544001 addif 10.16.244.60 netmask 255.255.252.0 up


You can also tweak the multipath daemon by editing /etc/default/mpathd to decrease the value to detect a NIC failure.

• Solaris 10 IPMP Documentation reference

Solaris, Sysadmin

I actually need to write a little daemon based on the JVM (I’ll explain why in a future post). As the groovy fan I am, I was looking for a ready to use receipt, this one is interesting but show only how to write, not to read After getting some help from Guillaume here a working sample:

import java.net.ServerSocket
import net.asyd.nagios.Hello
 
def listenPort = 4242
 
def server = new ServerSocket(listenPort)
 
while(true) {
    server.accept { socket ->
        println "new connexion"
 
        socket.withStreams { input, output ->
 
            def reader = input.newReader()
 
            def buffer = reader.readLine() 
 
            output << "Hello world " + buffer + "\n"
 
        }
    }
}

As you can see it’s very simple, thanks to groovy, once again. A thread will be create for each client.

Sysadmin groovy

Le 16 Juin, à 19h30, se tiendra à Paris, chez Sun (attention, Sun a déménagé) une présentation technique autour de Solaris 10 / OpenSolaris, sur la gestion des IOs. Cette présentation est organisé par l’association GUSES. Au programme :

• Les différents composants : logiciel (système de fichiers), matériel
• La gestion du cache
• Le rôle du matériel
• Mesure de performances et optimisation

Comme vous l’aurez sans doute remarqué, cette présentation s’adresse avant tout à des administrateurs systèmes Solaris, mais les concepts abordés sont tout aussi vrai pour les autres UNIX.

Cette présentation sera assurée par Fabrice Bacchella, administrateur système senior.

Afin d’optimiser la place, nous vous serons reconnaissant de vous inscrire.

OpenSolaris, Solaris, Sysadmin guses, io, performances, Solaris

Depuis quelques jours (heures ?), Glassfish v3 preview est disponible. Comme Alexis est bien mieux placé que moi pour en parler, je vous engage à lire cet article pour la description de cette version. Au travers de ce petit billet, je résume ma toute première utilisation de Preview. Pour cela, mon cas d’utilisation est tout simple, déployer XWiki en version 1.8 dans un premier temps, mais au travers d’une source de connexions JDBC. Cas d’utilisation donc très simple.

Mes remarques, en vrac :

• Nécessite un JDK 1.6 (java -version pour vérifier). Utilisateur d’OS X, vous devez définir JAVA_HOME et PATH, la version par défaut étant encore en 1.5
• La commande start-domain ne met que quelques secondes à rendre la main ! Néanmoins, la console d’administration n’est pas disponible avant d’autres longues secondes . Pour rappel, la version 3 de Glassfish est construit autour d’OSGI, un système orienté composant.
• L’interface d’administration est proche de la version 2.1, on s’y retrouve donc assez facilement. Néanmoins, il y a une différence notable dans la gestion des applications. Il faut que je creuse le sujet.
• Il faut que je vérifie, mais lors de la configuration du pool de connexions JDBC, Glassfish me demandait un restart, que j’ai fait. J’avoue que cela me dérange un peu si c’est vraiment nécessaire, c’est quand même une opération simple !
• Temps d’arrêt très rapide, plutôt appréciable.
• J’en suis presque surpris (pas taper), mais le déploiement de XWIki est OK du premier coup ! Très bon signe !
• L’URL JMX n’est plus affiché lors du démarrage du domaine, c’est bien dommage !
• A priori pas de changements sur la taxinomie (namespace) des MBeans, ce qui est plutôt plaisant.

Bref, premier contact plutôt positif, même si j’ai constaté quelques petits soucis dans l’interface web, mais rien de bien méchant. Vivement la première version de production !

Java, Sysadmin glassfish, xwiki