Sudo talk now on YouTube

My talk Sudo: You’re Doing It Wrong is now live on YouTube. (Thanks to TJ for letting me know.) The talk is based on my book Sudo Mastery.

This talk went better than my NYCBSDCon talk. Probably because I hadn’t confused “buzzing with caffeine, adrenaline, and sleeplessness” with “raging tonsillitis.” The Q&A at the end took us wildly astray, and ended with the general conclusion that “Lucas needs to present to mug.org about how to use SSH correctly.”

I gave away a couple books, one Sudo Mastery and one SSH Mastery. The SSH book went to the first person to raise their hand and admit that they used passwords with SSH.

But I’m sure none of you use password-only authentication with SSH. You’re all good, decent, moral people who wouldn’t do anything that vile.

SMLR on “FreeBSD Mastery: Storage Essentials”

The Sunday Morning Linux Review folks have a review of FreeBSD Mastery: Storage Essentials in show 141. The review starts at about 39:30, but the whole show is worth listening to. As always.

For my own reference, here’s a couple key quotes that I’ll probably use for marketing later. (I either write them down here, or have to go listen to the show again when digging up blurb quotes later.)

“Lucas lays a solid foundation about disks.”

“The devil is in the details, and the details are in the book.”

And when it comes to slices versus partitions: Mary is right. Listen to her, guys.

Next tech book: Tarsnap Mastery

Now that “Networking for System Administrators” is out for review, it’s time for me to dive into my next tech project: Tarsnap Mastery. Tarsnap is an encrypted online backup service run by Colin Percival, retired FreeBSD Security Officer.

Colin has asked me to write some Tarsnap documentation for years. Now that I’ve moved my personal servers from hardware in my control to “the cloud,” I need a solid backup system. Tarsnap fits the bill nicely. If I have to deploy it and get everything nicely working correctly, I’d better document it before I forget it. Otherwise, I’ll be arguing with the software when I’m trying to restore my services after a disaster.

And if I have to document it, I might as well sell the documentation to you lot. Because if you need online backups, you want them to be encrypted, right?

Tarsnap has a decent user base, and it’s growing. Tarsnap runs on everything from Mac to Minix. Hopefully, there’s enough new users to support a book. Worst case, Tarsnap Mastery can’t do any worse than DNSSEC Mastery.

As I write the Tarsnap book, I’ll be prepping to write more books on FreeBSD storage. My goal is to finish the research for one book as I finish writing another, so that I can jump directly from one project to the next. Scheduling this is something of a pain, but it’ll improve with practice.

I’ve spent today reading the entirety of the Tarsnap-users mailing list archive, wrapping my head around typical user problems and Tarsnap’s rougher edges.

I now have a headache. I blame Colin.

“Networking for System Administrators” – Tech reviewers wanted

I’ve completed the manuscript for Networking for System Administrators. I’m now looking for a couple types of technical reviewers: people who know TCP/IP and networking, and people who are likely to read this book.

Normally I’d ask for feedback in a few weeks. But the holiday season is at our throats, and we all need to spend some time fending off the incoming pile of coal, so: I’d need your comments by 5 January 2015. If you can return it to me earlier, that’s fantastic.

If you’re interested in being a tech reviewer, please contact me via email at mwlucas at michael double-you lucas dot com, just like the domain name of my blog. (No, that’s not a literal double-you, it’s the letter w. Choke on that one, spam-bots!) Give me a sentence or two telling me what sort of reader you are and why you want to review this book.

You can read more about the tech review process at my tech reviewer information page. This is a little different because it’s a complete manuscript. Why review the whole manuscript at once? Because the Mastery books are short. At least, they’re supposed to be short (cough).

I have more detail about the book at the original announcement linked above, but here’s how the actual table of contents finished up:

0: The Problem
1: Network Layers
2: Ethernet
3: IPv4
4: IPv6
5: TCP/IP
6: Viewing Network Connections
7: Network Testing Basics
8: the Domain Name System
9: Packet Sniffing
10: Creating Traffic
11: Server Packet Filtering
12: Tracing Problems
Afterword

I expect the copyeditor to need a couple weeks with the manuscript. It should be available in print and ebook in late January.

“FreeBSD Mastery: Storage Essentials” print available!

You can now get FreeBSD Mastery: Storage Essentials in print on Amazon.

If you buy the print from Amazon, you can get the Kindle version for $2.99. Sadly, that’s the closest thing to a proper print/ebook combo I’ve been able to do.

For completeness’ sake: you can also buy it directly from my CreateSpace store. As sales go, that’s where I make the most money. It’s also the most expensive version. If you want to pay extra so I make more, I won’t object, but I will suggest you avoid the middleman and go straight to me.

It will appear in places like Powell’s in the coming weeks.

Now to finish “Networking for System Administrators,” complete the design on the next tech book, finish the outline for the Immortal Clay sequel, and finish outlining the intertwined morass that is my next three FreeBSD Mastery books.

FreeBSD fetch(1) broken on SSL links?

I went to download Tarsnap on a FreeBSD 10.0-p12 machine, and got hit with this error:

# fetch https://www.tarsnap.com/download/tarsnap-autoconf-1.0.35.tgz
Certificate verification failed for /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
34380830376:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1179:
fetch: https://www.tarsnap.com/download/tarsnap-autoconf-1.0.35.tgz: Authentication error

Looking at the last line of the error, you might think that Colin password-protected the Tarsnap source code. This would be extremely daft on his part, so I read on. But actually reading the message tells me that fetch(1) died because it couldn’t verify the Comodo RSA cert used on the Tarsnap web site.

Comodo has been around a long time. Why would their cert be invalid?

Second thought: Colin’s been hacked!

But no.

The third thought is the charm. Turns out that fetch in FreeBSD 10 validates SSL certificates–but doesn’t ship with a root certificate bundle to validate them against! With no trusted roots, no server certificate can ever verify. So, Colin hasn’t gone daft, or been hacked… but someone in the FreeBSD crew definitely increased my astonishment!

I installed the ca_root_cert package and created a symlink for fetch.

# ln -s /usr/local/share/certs/ca-root-nss.crt /etc/ssl/cert.pem

Fetch now worked as I expected.

It does seem that if you’re going to validate SSL certs, you should either have a decent root cert bundle installed or print a helpful error message.
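Here is that helpful error message, as an added example (not the page author’s code and not part of fetch(1)): a small POSIX sh script that reads fetch’s stderr and tells the difference between “no root bundle installed at all” and “the bundle exists but does not trust this server’s chain.” The two paths are the ones used above; the function names and the diagnosis categories are my own.

```shell
#!/bin/sh
# Added example: diagnose the fetch(1) "Certificate verification failed"
# error by checking whether a usable root CA bundle is actually installed.
# Paths are the ones from the page; helper names and categories are made up.

# count_certs FILE: print the number of PEM certificates in FILE
# (0 if the file is missing, unreadable, or empty).
count_certs() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# diagnose BUNDLE: read fetch(1)'s stderr on stdin and print one line of the
# form "category: explanation". Categories: ok, no-root-bundle,
# untrusted-cert, other-error.
diagnose() {
    bundle="$1"
    err=$(cat)
    case "$err" in
        "")
            echo "ok: fetch reported no error" ;;
        *"Certificate verification failed"*)
            n=$(count_certs "$bundle")
            if [ "$n" -eq 0 ]; then
                # Nothing can verify without roots: this is a client-side
                # setup problem, not a bad server certificate.
                echo "no-root-bundle: $bundle is missing or holds no certificates," \
                     "so no server certificate can ever verify; install a root" \
                     "bundle and point $bundle at it"
            else
                # Roots exist, so the server's chain genuinely is not trusted.
                echo "untrusted-cert: $bundle holds $n roots but none signs this" \
                     "server's chain; inspect the server's certificate chain"
            fi ;;
        *)
            echo "other-error: not a certificate problem: $(printf '%s' "$err" | head -n 1)" ;;
    esac
}

# check_fetch URL: run fetch(1) itself and diagnose its stderr (FreeBSD only).
check_fetch() {
    tmp=$(mktemp) || return 1
    fetch -o /dev/null "$1" 2>"$tmp" >/dev/null
    diagnose "${CA_BUNDLE:-/etc/ssl/cert.pem}" <"$tmp"
    rm -f "$tmp"
}
```

On the machine from the post, `check_fetch https://www.tarsnap.com/download/tarsnap-autoconf-1.0.35.tgz` would have printed the no-root-bundle line before the symlink was created and the ok line afterwards.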

FreeBSD Mastery: Storage Essentials at printer

Last night I received the print proofs of the new FreeBSD book.


I found two errors: a missing tab in a footnote, and an extra page before the index. I’ve fixed those, double-checked the file, and sent it to the printer. It should be available in print in the next week.

I’ll have four copies at next week’s sudo talk at mug.org. Show up and you might be able to bribe me to get a copy of one of these very exclusive rare, authentic, original, limited edition books.

I’m very happy with the look of the final print. The cover is spectacular. Tech books usually have bland covers, but I decided to try something a little different. I’ll have custom covers like this on at least two other books, FM: ZFS and FM: Specialty Filesystems. (And before you ask: no, no release date yet, except “2015.”)

Three books should give me enough data to see if there’s a return on investment for fancy illustrated covers on tech books. If the book doesn’t sell well enough, I’ll fall back to more traditional tech book covers based on photographs.

Book Review: Book of PF, 3rd Edition

No Starch Press was kind enough to send me a review copy of the new 3rd edition of Peter Hansteen’s Book of PF. The first two editions are the standard reference work on the OpenBSD packet filter, and this is a topic I’ve written about in some depth before, so I’m fully prepared to eviscerate Hansteen if he screwed up.

Third edition, huh? So how does this stack up?

Let’s get the obvious out of the way. All three editions have yellow covers, but the first edition had blue trim; the second edition, pumpkin; the third, a kind of fern green.

Once you open the cover, you find that the third edition works much like the earlier editions, starting with a simple packet filter setup and building upon it. Building upon success is perhaps the best education technique, and it fits the topic quite well.

Structurally, BoPF3 is very similar to the earlier editions. CARP and redundancy now get their own chapter, which is a welcome addition.

The real meat of this book is in the examples, tutorials, and explanations. PF has changed since the second edition, notably with more flexible traffic management and some syntax changes. Not all BSDs have remained synchronized with OpenBSD’s PF, so he has the unenviable job of documenting the differences between OpenBSD, NetBSD, and FreeBSD. He’s done an excellent job of this by combining information where appropriate, but breaking out some topics by operating system. For example, if a topic needs a sysctl, he lists them for each operating system. When a topic requires more in-depth explanation, such as traffic prioritization, he breaks out OpenBSD’s new priority system into one section and FreeBSD/NetBSD’s older altq prioritization scheme in another. This makes it very easy to find what you’re looking for. This book teaches you how to use PF to filter packets just as well as a million-dollar appliance, with more insight and control.

One impressive thing is that this book is very clear. Giving a section a title like “Things You Can Tweak and What You Probably Should Leave Alone” gives you very definite ideas about what’s in this part of the book. Hansteen explicitly describes how PF works. He also discusses what happens when the real world impacts your firewall. He hasn’t just got PF up and running in his lab: he actually uses this stuff in the real world, with all its malformed packets and stupid protocol implementations and worse protocols, and keeps services running despite all that.

Complaints with this edition?

As with the earlier editions, the footnotes contain actual facts. It’s like Hansteen wants you to be able to go look up actual sources to verify what he says, instead of requiring us to trust him. As a writer, I prefer assuming blind faith and unyielding obedience from my readers.

If you use PF on any platform, buy this book. You can get it from Amazon (of course), and also get a combined print/DRM-free ebook deal direct from No Starch Press.

This ends the actual review. But someone is going to ask a couple things in the comments, so I’m jumping ahead of them here.

First: my general thoughts on authors writing reviews.

Second: Why hasn’t FreeBSD imported the latest PF?

The FreeBSD and OpenBSD network stacks have massively diverged in the last twenty years. OpenBSD’s kernel uses the Big Giant Lock model. FreeBSD’s kernel is much more finely locked, and the network stack can be in multiple CPU cores simultaneously. Despite their common heritage and licenses, FreeBSD and OpenBSD are different operating systems. They have different use cases. They are designed for different uses. They target different hardware.

FreeBSD’s previous PF import required a lot of work to make it fit its network stack. The FreeBSD Foundation invested a fair chunk of change in thrashing PF in the network test cluster and on high-performance customers so that it didn’t slow down the network stack. (It’s not that OpenBSD is slow, it’s just designed differently than FreeBSD.)

A “new import” is not trivial.

FreeBSD has a flexible firewall system, however. A new PF could be imported as, say, pf56.ko, without impacting the older PF import. You could use mailwrapper-like functionality to transparently assign the proper userland programs to the PF version in use. This can be done.

Nobody has done the work.

I suggest you get coding.

Initial reactions to “Immortal Clay”

(For my own reference later.)

One of the worrisome things about putting out your own books is the concern that it might suck. I have a long track record in nonfiction, so I’m pretty confident there. But novels are a whole different art. When I put Immortal Clay out two weeks ago, I suspected that nobody would get past page two.

Most of the initial feedback came via Twitter, with things like:

So someone I know bought it. That’s cool.

Then some of my nonfiction readers picked it up, and gave it its own hashtag:

People began reading it, and said things like:

Then someone finished it:

So the real message came through? Excellent!

And then a couple comments in private mail, like:

“You bastard! That book kept me up half the night. There was just no good place to stop!”

Yep. That’ll do.

If you’ve read the book, I’d appreciate a review on Amazon. There’s four right now. Amazon won’t show it in searches and “also bought” lists until there’s five.