Fediverse Servers, plus mac_portacl on FreeBSD

One of my business mantras is “control your platform.” If you build your business around a site like Facebook, they can de-prioritize you and disappear you. Twitter’s implosion served as a fierce reminder of that, so I’m blogging more here.

Before Twitter’s implosion, the Fediverse (Mastodon, PixelFed, and all the other ActivityPub-powered systems) drove just as much traffic to my site as Twitter. Other social networking sites are negligible. If I want to follow my business mantra, I must run my own Fediverse server. I tested three options: Mastodon, pleroma, and GoToSocial.

Mastodon is huge, clunky, and handles like a tank made out of chicken wire, tar, and lobsters. I spoke with a few Mastodon operators, and none of them recommended it.

Pleroma? I followed the instructions. They didn’t work. I went looking into support, but I discovered that Pleroma seems to be the server of choice for TERFs, racists, and related jerks. Their recommended servers for new users are all on my personal blocklist. I don’t care to help those folks debug their instructions.

GoToSocial was a joy. Except it’s not only in development, it’s in alpha. They are very clear about this. The features that exist are beautifully done, but certain features I find critical are incomplete.

I have decided to wait to deploy a production fediverse server until GoToSocial enters beta.

For incomplete software, though, GoToSocial is surprisingly complete. It has its own web server and Let’s Encrypt implementation. If it can bind to ports 80 and 443, you don’t need a web server or ACME agent. The catch is, gotosocial(8) runs as an unprivileged user. It can’t bind to privileged ports.

Enter mac_portacl(4).

In the BSD tradition, the man page details everything you can do with this Mandatory Access Control kernel module, but in short it lets you permit particular users or groups to bind to privileged network ports. I don’t care for mac_portacl in production, as the rules are hard to read when you’re debugging. If you want me to use an access control program, the output better be no harder to read than pfctl -sr. But here’s how you do it.

Enable the module in /boot/loader.conf.

mac_portacl_load="YES"

You can now write port ACL rules. Each rule has four parts:

uid or gid (user or group) : numerical user or group ID : tcp or udp : port number

The gotosocial user has uid 209. I want uid 209 to be able to bind to TCP ports 80 and 443, so I need these rules.

uid:209:tcp:80
uid:209:tcp:443

Set the access control rules in /etc/sysctl.conf.

net.inet.ip.portrange.reservedhigh=0
security.mac.portacl.rules=uid:209:tcp:443,uid:209:tcp:80

The first sysctl disables the traditional “reserved port” behavior and allows unprivileged programs to bind to ports below 1024.

The second sysctl installs our rules in the kernel. When you write to this sysctl you must include all rules you want active, separated by commas.
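As an added example, not code from the original post, here is a small sh script that validates rules of that shape, assembles the two sysctl.conf lines, and, on a FreeBSD host, checks that the running kernel actually holds them. The sysctl and kldstat names come from mac_portacl(4) and the base system; uid 209 and the ports are the post’s; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post: validate mac_portacl
# rules, emit the /etc/sysctl.conf lines, and (on FreeBSD) confirm the
# running kernel holds them. Sysctl/kldstat names come from
# mac_portacl(4) and the base system; uid 209 and the ports are the
# post's; the function names are my own.

# Validate one rule of the form idtype:id:proto:port and echo it back.
# Returns 1 (with a message on stderr) for a malformed rule.
check_rule() {
    oldifs=$IFS; IFS=:
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || { echo "rule needs 4 fields: $*" >&2; return 1; }
    case $1 in uid|gid) ;; *) echo "idtype must be uid or gid: $1" >&2; return 1 ;; esac
    case $2 in ''|*[!0-9]*) echo "id must be numeric: $2" >&2; return 1 ;; esac
    case $3 in tcp|udp) ;; *) echo "protocol must be tcp or udp: $3" >&2; return 1 ;; esac
    case $4 in ''|*[!0-9]*) echo "port must be numeric: $4" >&2; return 1 ;; esac
    # Ports above security.mac.portacl.port_high (1023 by default) are
    # outside the module's range, so a rule there does nothing.
    if [ "$4" -lt 1 ] || [ "$4" -gt 1023 ]; then
        echo "port outside 1-1023: $4" >&2; return 1
    fi
    echo "$1:$2:$3:$4"
}

# Join validated rules into the comma-separated value the sysctl expects.
build_rules() {
    out=''
    for r in "$@"; do
        r=$(check_rule "$r") || return 1
        out="${out:+$out,}$r"
    done
    echo "$out"
}

# Print the two lines that belong in /etc/sysctl.conf for this rule set.
sysctl_conf_lines() {
    rules=$(build_rules "$@") || return 1
    printf 'net.inet.ip.portrange.reservedhigh=0\n'
    printf 'security.mac.portacl.rules=%s\n' "$rules"
}

# On a FreeBSD host, check the module is loaded, the kernel's rule set
# matches ours (compared as sets, so ordering does not matter), and the
# reserved-port check is really off. Returns 1 on any mismatch.
verify_live() {
    want=$(build_rules "$@") || return 1
    want=$(echo "$want" | tr ',' '\n' | sort)
    kldstat -q -m mac_portacl || { echo "mac_portacl.ko is not loaded" >&2; return 1; }
    have=$(sysctl -n security.mac.portacl.rules | tr ',' '\n' | sort)
    [ "$have" = "$want" ] || { echo "kernel rules differ from expected: $have" >&2; return 1; }
    [ "$(sysctl -n net.inet.ip.portrange.reservedhigh)" = 0 ] ||
        { echo "net.inet.ip.portrange.reservedhigh is not 0" >&2; return 1; }
}

# The post's rule set: print the sysctl.conf lines, and verify against
# the running kernel when invoked with --verify on a FreeBSD box.
sysctl_conf_lines uid:209:tcp:80 uid:209:tcp:443
if [ "${1:-}" = "--verify" ]; then
    verify_live uid:209:tcp:80 uid:209:tcp:443
fi
```

The live check is the part worth keeping around: net.inet.ip.portrange.reservedhigh=0 removes the traditional privileged-port check outright, so if mac_portacl.ko failed to load or the rules sysctl came up empty, any user on the box can bind ports below 1024, not just uid 209. Running verify_live after a boot turns that quiet misconfiguration into a failed check.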

Would I use this in production? If the software has a solid security track record and is designed to be directly exposed to the Internet, sure. If you’re running a web server, some program has to listen on port 80. GoToSocial is brand new, though, and I’d like to see a bit of a track record before I completely trusted it.

When GoToSocial enters beta next year and I deploy it for real, I’ll put an nginx or httpd in front of it so I can filter when needed.

Are there other options other than Mastodon, pleroma, and GoToSocial? Sure. But I’m out of time, and really need to make some words this week.

Why Mastodon/the Fediverse kind of sucks right now

I’m a big fan of the fediverse. As of right now (8 November 2022), it deeply sucks. Why?

Because nobody expected Elon Musk to be this stupid.

We expected some daftness, sure. But actions like cutting the entire human rights team, accessibility team, and AI ethics team, plus limiting moderation, have people abandoning Twitter and searching for alternatives.

Nobody wants to live in a free-for-all wasteland. “The right to free speech” is built on “the right to take the consequences.” Without moderators, Twitter is a cesspit.

The Fediverse resembles Twitter[1], except it is run by volunteers on donated equipment. Every time Twitter did something stupid, we got a few thousand folks looking for a better way. We’ve grown steadily as a result.

Almost hourly Musk demonstrates that he doesn’t understand people, doesn’t understand how Twitter is used, and picks stupid fights. I’m told that last Friday, the biggest Mastodon server got 70,000 new users. If you add in all the hundreds of other servers, we’re looking at hundreds of thousands of new accounts. Many servers doubled or tripled in usage.

Here’s a graph of the number of users interacting with our server.

Nobody expected Musk to be this stupid.

Nobody expected this flood of new users.

If you get an account and find it’s slow? The volunteers are working as hard as they can. Scotty is shouting “She canna take any more!” over the roar of the struggling servers. New servers are being installed, but physical equipment must be shipped and mounted and plugged in.

The servers that are doing well, ironically, are the alt-right ones. The worst Nazis already fled Twitter, so they set up their own Mastodon servers. The rest of the fedi automatically blocks those monsters, but they’re actively recruiting both abusers and victims. I’ve seen more than one LGBT person innocently sign up for a disguised white supremacist instance and get a torrent of abuse.

Be patient with the volunteers. They’re doing the best they can. We’ll catch up as soon as we can.

The truth is, nobody can prepare for a stupid billionaire.

[1] No, the Fediverse isn’t exactly like twitter. Each server is a community of interest, like “BSD Unix folks” or “book lovers” or “LGBT in tech.” They can all talk to each other. We have content warnings, so that people can interact with difficult content as they wish rather than having it jammed into their face. Each server does its own moderation. (My server blocks the alt-right, TERFs, racists, ableist jerks, and cryptocurrency scammers.) Where Twitter has been increasingly negative and stressful over the last few years, local control means the Fediverse is downright sweet.

Eight years ago today, my first novel

Eight years? Who celebrates eight years? I missed every previous anniversary, and I will probably miss most of the others, so suck it up.

Anyway, eight years ago today my first novel came out. Immortal Clay is a critical success and a financial sinkhole. Seems that some parts of it were a bit much for people. Mind you, this book did establish my unbroken practice of never writing a normal sex scene, so there’s that. I took “Carpenter’s The Thing, but after we lose” to its logical extreme, so it shouldn’t have surprised anyone, but here we are.

I’m hoping to take another run at book 3, Bones Like Water, next year. Yes, it’s been delayed. Writing cheerful apocalypses requires a certain amount of stability, which we haven’t had since 2016.

Part of me says, “Eight years? What have you been doing, wasting your time? You should have had thirty novels and a television contract by now!” But then I look at my fiction brag shelf and realize it’s bigger than many authors build in their lifetime–I mean, I’m no Blaze Ward or Rex Stout, but it’s not a shabby showing.

fiction brag shelf, 2022-11-04

If the book didn’t do as well as I hoped, what will I do about it? I will continue flensing readers out of the indifferent mass of humanity, that’s what. After all, the best promo for an old book is a new book.

“Prohibition Orcs” Kickstarter signed paperbacks shipped

Today I converted this:

into this:

If you backed the Kickstarter for a signed paperback, these are them. I booked a pickup for tomorrow, but if the postman’s feeling mighty he might take them today.

Note that the piles are not the same size. I ordered 13 of each. They sent me a box with 13 “Prohibition Orcs” and 11 “Frozen Talons,” plus another box with two more “Prohibition Orcs.” It’s like they realized they’d printed the wrong number and ran off two to make it up–but two of the wrong book. Sigh.

Patronizers, what about your books?

You’re backers. You get the exclusive limited-edition Orcibus. Which I plan to order before Monday. I was waiting for the printer to ship me a correct proof before I ordered.

Also, a note on shipping:

If you do any amount of shipping personally, such as signed books: invest in a thermal shipping label printer and learn how to feed address spreadsheets into your postage vendor. I’ve been shipping books from my house for seven years now, and adding new capacities every time.

The spreadsheets shrunk days of shipping into a single day.

But the label printer? “Oh, I can just print my labels on regular paper, trim them down, and use a tape gun to put them on the package.” I bought the label printer this summer and holy crap, I just did an afternoon’s worth of shipping in an hour.

The right tools help. Who knew?

I also discovered that shipping to Canada got more expensive, so I’ve adjusted the shipping rates on the OpenBSD Mastery: Filesystems limited-time direct order. It’ll also impact future sponsorships. The change isn’t horrid, I can eat the difference for what’s already been sold, but still.

Two pieces by me in this month’s FreeBSD Journal

Yes, I’m trying to use the blog more, rather than dumping everything to multiple social media outlets. Yes, this is in part in response to Comic Book Supervillain purchasing Twitter and kneecapping the moderation team. If you want me on social media, I’m on the fediverse as @mwlucas@bsd.network.

Anyway.

The latest issue of the FreeBSD Journal has two articles by me: one on PAM tips & tricks, and the other my regular “We Get Letters” “advice” column. With any luck, the Journal’s editorial board will use these articles as grounds for reconsidering their “we’ll publish anything Lucas sends us” policy.

If you find the Letters column amusing, I’ve collected the first three years of that column in Letters to ed(1).

upgrading PHP 7.4 to PHP 8 on FreeBSD

What, a technical post? It happens. Rarely. Usually, I’m focused on the tech that goes into a book, but sometimes the real world intervenes.

Like PHP. PHP is very much the real world. My site has been running PHP 7.4 for a while, which goes end of life on 28 November. I put this off as long as possible, but it’s time to update.

I run my e-bookstore on Woocommerce, which is built on WordPress, which is built on PHP. What started as a silly experiment has become the center of my business. I need to minimize downtime, which means I must check everything before upgrading. It’s PHP, which means it’s a maze of twisty little modules that all look alike. PHP has this annoying habit of adding, removing, splitting, and changing modules. Running PHP applications on FreeBSD is all about finding the module your application needs, so I want to identify all possible problems before changing.

First, let’s see what packages need upgrading.

# pkg info -x php
mod_php74-7.4.32_1
php74-7.4.32
php74-ctype-7.4.32
php74-curl-7.4.32
php74-dom-7.4.32
php74-exif-7.4.32
php74-fileinfo-7.4.32
php74-filter-7.4.32
php74-gd-7.4.32
php74-iconv-7.4.32
php74-intl-7.4.32
php74-json-7.4.32
php74-mbstring-7.4.32
php74-mysqli-7.4.32
php74-openssl-7.4.32
php74-pcntl-7.4.32
php74-pdo-7.4.32
php74-pdo_mysql-7.4.32
php74-pecl-imagick-im7-3.5.1_1
php74-phar-7.4.32
php74-posix-7.4.32
php74-session-7.4.32
php74-simplexml-7.4.32
php74-soap-7.4.32
php74-tokenizer-7.4.32
php74-xml-7.4.32
php74-xmlreader-7.4.32
php74-xmlrpc-7.4.32
php74-xmlwriter-7.4.32
php74-zip-7.4.32_1
php74-zlib-7.4.32

31 packages. Software like Tiny Tiny RSS and WordPress depend on PHP, but if the underlying PHP software has all the necessary libraries then they should just work. Should. But PHP modules sometimes disappear, get replaced, or get renamed. I want a list of all the modules I need before running any commands. So, what would the PHP 8.0 version of these packages be named? I have to iterate through sed a couple times to trim out excess version information and wind up with this.

# pkg info -x php | sed s/74/80/g | sed s/-7.4.32//g | sed s/_1//g

mod_php80
php80
php80-ctype
php80-curl
php80-dom
php80-exif
php80-fileinfo
php80-filter
...

Those look sensible. Now check to see if the packages exist.

I could automate this by checking the exit code of each command, but the list is short enough that I can process it by hand. I run one package search at a time, letting xargs prompt me for each one so I can eyeball the results.

# pkg info -x php | sed s/74/80/g | sed s/-7.4.32//g | sed s/_1//g | xargs -L1 -p pkg search
pkg search mod_php80?...y
mod_php80-8.0.25 PHP Scripting Language
pkg search php80?...y

This particular search will spew a couple hundred lines of output, but I’m confident the base PHP 8.0 package is in there.

...
php80-intl-8.0.25 The intl shared extension for php
pkg search php80-json?...y
pkg search php80-mbstring?...

Ooops! Pay attention here. There is no package for PHP 8.0’s JSON module! Make a note of that.

At the end, I have problems with three packages: php80-json, php80-openssl, and php80-xmlrpc. Freshports tells me that the JSON and OpenSSL modules were added into the default PHP 8.0 package, so I can cross those off my list.

The XML-RPC module is another tale. PHP 8.0 no longer has an XML-RPC module. Fortunately, that same bug lists a replacement, pecl-xmlrpc. There’s a related php80-pecl-xmlrpc module.

I have a list of modules to install. For a last check, I’ll look for anything that depends on PHP 7.4.

# pkg info -dx php74

The list looks different, but contains the same modules. I’m as prepared as I can be.

One last check. Make a list of the packages to install. Eyeball it to make sure it looks right.

# pkg info -x php | sed s/74/80/g | sed s/-7.4.32//g | sed s/_1//g > php8.pkg

Create a boot environment, and do a dry run. If I remove all packages with PHP in their name, what will get pulled? Using -n tells me what the command would do, but doesn’t actually change anything.

# bectl create 12.3-p7-lastbeforePHP
# pkg remove -nx php74

That list looks sensible. Now remove the packages, and install everything on our list.

# pkg remove -x php74
# cat php8.pkg | xargs -L1 -p pkg install -y

The -p argument to xargs prompts me for confirmation, so I can use -y on the pkg command. The install fails on the nonexistent JSON, OpenSSL, and XMLRPC modules, but that’s expected.

At the end, I manually install php80-pecl-xmlrpc.
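The listing, renaming, search, and install steps above can be folded into one script. This is an added example, not the post’s own commands: it strips the version from each installed package name rather than matching 7.4.32 and _1 by hand, renames only the leading php74 prefix, applies the three module changes the post found (json and openssl folded into the base php80 package, xmlrpc moved to php80-pecl-xmlrpc), and uses the exit status of pkg search -e to flag anything missing instead of eyeballing the output. The sample package list is constructed from the post’s pkg info output; it assumes pkg-search(8)’s -e exact-match flag and that pkg search exits non-zero when nothing matches; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post: derive PHP 8.0 package
# names from the installed PHP 7.4 list, apply the module changes the
# post found, and check each name against the repository by exit status.
# Assumes FreeBSD pkg(8) (pkg-search(8)'s -e exact-match flag, and that
# pkg search exits non-zero on no match). Function names are my own.

# Constructed sample, taken from the post's "pkg info -x php" output.
SAMPLE_PKGS='mod_php74-7.4.32_1
php74-7.4.32
php74-json-7.4.32
php74-openssl-7.4.32
php74-pecl-imagick-im7-3.5.1_1
php74-xmlrpc-7.4.32
php74-zip-7.4.32_1'

# FreeBSD package names end in "-<version>[_revision]", so drop everything
# after the last hyphen instead of hard-coding 7.4.32 and _1. This also
# handles pecl-imagick, whose version is not 7.4.32.
strip_version() {
    sed 's/-[^-]*$//'
}

# Rename only the leading php74 / mod_php74 prefix, so a "74" anywhere
# else in a name is untouched.
rename_prefix() {
    sed -e 's/^php74/php80/' -e 's/^mod_php74/mod_php80/'
}

# The module changes the post found: json and openssl were folded into
# the base php80 package, and xmlrpc moved out of core to php80-pecl-xmlrpc.
apply_known_changes() {
    sed -e '/^php80-json$/d' -e '/^php80-openssl$/d' \
        -e 's/^php80-xmlrpc$/php80-pecl-xmlrpc/'
}

# Full pipeline: stdin is "pkg info -x php" output, stdout is the list to install.
php74_to_php80() {
    strip_version | rename_prefix | apply_known_changes
}

# Check every name on stdin against the repository using pkg search's
# exit status rather than its output. Lists anything missing on stderr
# and returns 1 if there was any.
check_available() {
    missing=0
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        if ! pkg search -e "$name" >/dev/null 2>&1; then
            echo "MISSING: $name" >&2
            missing=1
        fi
    done
    return "$missing"
}

# On the real host (after bectl create, as in the post):
#   pkg info -x php | php74_to_php80 > php8.pkg
#   check_available < php8.pkg && pkg remove -x php74 && xargs pkg install -y < php8.pkg
# Offline, show what the sample list becomes.
printf '%s\n' "$SAMPLE_PKGS" | php74_to_php80
```

Because check_available refuses to proceed while anything is missing, the remove step only runs once every replacement package is known to exist, which is the point of doing the search before touching the installed set.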

Reboot.

Test, test, test. Run a test purchase. It works.

Everything looks okay? I guess I can turn it over to the Crowdsourced Monitoring System, aka “y’all,” and go make some paying words.

Talk on Rat Operated Vehicles

On Tuesday, 8 November 2022, 7PM Detroit time, I’ll be giving a talk for mug.org about Rat Operated Vehicles. If the guys are cooperative, there might be a demo.

(Narrator: It’s a live talk. They will not be cooperative.)

Compared to my last few MUG talks, on topics like TLS and SNMP and other unholiness, this will be light and fluffy.

If you missed my Rat Operated Vehicle, I have a YouTube playlist. I should probably upload some more videos before the talk, though.

“OpenBSD Mastery: Filesystems” Print/Ebook Bundle Preorder

Until 1 December, I’ll be taking preorders for print copies of OpenBSD Mastery: Filesystems. You can even buy two books if you want, because I can cram a second book into a Priority Mail envelope. Just let me know the title of the second one in an order comment.

Every purchase includes ebook versions of OMF (and any other titles you get).

I’ll be ordering your books with the sponsor copies, signing them, and shipping at the same time.

Details on the order page.

If this works out well, I’ll do it again. Disintermediation is good.

If it whirls into a bewildering mess, I won’t.

Sponsorships, Releases, New Books, and Kickstarters

A giant tangle of stuff, and it’s all related. Plus, I want your opinion on two questions.

OpenBSD Mastery: Filesystems is at the copyeditor, and due back 15 December. I should have print in stores immediately before Christmas. Barely.

Prohibition Orcs and Frozen Talons are leaking out in ebook right now. If you buy them directly from me, they come with an exclusive bonus–To Serve Orc: Enduring Recipes from the Old Country, Watered Down for America. It’s short, but you won’t find it anywhere except my site. The print books are underway, and the leather-covered Orcibus will have to wait until I can deliver print books to the cover maker. Covers should exist in early December, so I should completely fulfill everything before 2023.

Which brings me to scheduling.

People sometimes ask me if they can buy signed print books directly from me. I had intended to run a Kickstarter as an advance sale for OpenBSD Mastery: Filesystems, which would let those folks buy signed books from me. Kickstarter will not let you run a new Kickstarter while an old one has not yet been fulfilled, however. If I’m honest, I can’t run a new Kickstarter until, oh, 1 January 2023.

Which means I can’t realistically do one for OMF. I am considering running a thirty-day print sale for OMF on my web site, however. Paperbacks would be $25, hardcovers $40. Shipping would be $10 US, $15 Canada, and $40 rest of world. (Yeah, shipping is terrible.) You’d have the option to order one extra book, at the same prices, for the same shipping. I can cram two Mastery books, or a Mastery and a novel, in a USPS Priority Mail envelope. Shipments would go out with the sponsor shipments, but would NOT arrive in time for Christmas. Comment if you’d buy one. If nobody wants it, I won’t bother setting it up.

Which means that my next Kickstarter will be for a fiction collection (Corrosive Devotion: Ten Tales of Love that Aren’t Love Stories), probably in January 2023.

About that time, I’ll open sponsorships for the next Mastery title, “Running Your Own Mail Server.” Because, like Kickstarter, I won’t open new sponsorships until I’ve fulfilled the old ones. Prices are rising everywhere, so I’m contemplating raising print sponsorship prices from $100 to $120. If you’re a previous print sponsor, would that stop you from sponsoring again? This will let me integrate a Kickstarter into the business plan, rather than being a late addition haphazardly nailed onto the side.

For similar reasons, the ebook of OpenBSD Mastery: Filesystems will be $12.99 rather than $10.99. This means that while the Kindle version will be available at any number of bookstores, it will not be in Amazon’s Kindle bookstore. Amazon will have the print edition. Amazon is no longer a viable e-bookstore for my new shorter nonfiction, mostly because I’m not willing to screw my readers.

Those are the reasons for the schedule.

Speaking of schedules, I have once again completed all current writing projects simultaneously and now must perform a laborious cold start. I truly must figure out how to de-synchronize my multiple projects.

“OpenBSD Mastery: Filesystems” draft done!

After far too long, I have finished a first draft of OpenBSD Mastery: Filesystems. Sponsorships are now closed.

I’m asking tech reviewers to get any comments to me by 15 October 2022. That’s four weeks. It might seem tight, but experience shows that people either get their comments to me immediately, or wait until the last possible weekend. I’m not complaining–I do exactly the same thing. Please return any comments either a) in plain text, with enough context that I can find them when page numbers change, or b) as annotations directly on the PDF.

My tech reviewers are now in their third decade of winning the prize for “most likely to use many different PDF readers.” A file that works for one won’t work for another. I work around this by distributing three PDFs of the manuscript, each identical in content but prepared differently. Everyone should be able to find one that works for them.

If you’re interested in doing a tech review, please drop me an email (mwl at mwl dot io) saying who you are, why you would make a good reviewer, and that you won’t share the manuscript. (Piracy is bad, but having my name on an unreviewed and thus certainly incorrect document is horrifying.) I’ll ignore responses that can’t follow those instructions, because whenever I don’t I get difficult-to-decipher feedback. (I have previously received PostScript diffs, and… no. Just no.)

I’ll be turning my attention to the Prohibition Orcs copyedits next. Then it’s back to the Epic Giant Fiction Project, and another tech book, title TBA.