Marginally nefarious crime writer. Many of those crimes involve computers.
I’m planning on doing a Google hangout of my talk tonight at mug.org.
Don’t know what time I’ll be going on, however. My guess is some time a little before 7PM. Come by my Google Plus page if you want to see it live.
With luck, it’ll record as well, so you can watch it later.
You can now get a print Sudo Mastery from Amazon.
I have signed all of the Mastery books up for the Matchbook program. People who buy the print book from Amazon will soon be able to get the Kindle version for $2.99. It’s not an ideal print/ebook combo, but I’m not nearly well enough organized to ship out physical books directly.
My BSDNow interview is now live. We talk sudo, BSD, tech books, and more.
I was researching next week’s OpenBSD talk and thought “You know, I ought to tell the story about VRRP, CARP, and Cisco. That’s a good one, and it illustrates how the OpenBSD community works and thinks.” It’s been ten years, so I decided to do some research to make sure I had my facts straight.
And I came across the Cisco Nexus 1000V manual. This big and mighty Cisco switch… supports CARP.
This is absolutely hilarious. I laughed so much my sides hurt.
Some of you younger folks are probably wondering what the big deal is. Well…
Back in the late 1990s, Cisco came up with the Virtual Router Redundancy Protocol (VRRP), using some of the lessons of their Hot Standby Router Protocol (HSRP). This was a quick-acting router failover protocol. If one router died, a second would notice and automatically take over for it. VRRP isn’t rocket surgery, it’s just that Cisco’s hardware could now support it and the market demanded it. Fair enough.
But then Cisco patented VRRP.
Cisco announced that anyone could implement VRRP, so long as they didn’t sue Cisco over it. Cisco wanted to offer something to the world, and didn’t want it to come back and bite them. Again, fair enough. Perfectly sensible from Cisco’s perspective.
The OpenBSD folks wanted router redundancy, too. And they wanted it in the base system. But Cisco’s licensing terms were a problem.
The modern BSD license boils down to:
1) Keep our copyright notice on this code
2) Don’t sue us if it breaks
There’s nothing in there about “And don’t sue Cisco if something breaks.” Specifically, the code can be used for any purpose, including suing Cisco. Mind you, you’d have a pretty hard time using OpenBSD code to sue Cisco, but the license doesn’t prohibit it.
So, while the VRRP patent terms were fine for Cisco, they weren’t acceptable under the BSD license.
And the OpenBSD devs wanted redundancy.
What to do? Go off and write your own protocol, the Common Address Redundancy Protocol (CARP). Make it different from VRRP. Field-test the protocol, using your legions of willing lackeys — er, devoted userbase. Make CARP not only a usable replacement for VRRP, but inherently better and stronger. Put the protocol under the BSD license, and give the protocol and code away.
This caused something of a kerfuffle at the time. Ugly accusations flew around. “It’s a VRRP knock-off!” “No, it’s a different protocol!” Great big reams of email were written about the whole thing.
The OpenBSD folks applied to IANA for a protocol number. IANA rejected the application, telling them to use VRRP instead. VRRP was assigned protocol 112. So OpenBSD used protocol 112 for CARP. And putting CARP hosts on a network with Cisco VRRP hosts made Cisco routers crash. The Cisco stack wasn’t robust enough to handle strange packets on the network. Cisco updated their hardware to survive seeing a lone CARP packet.
This escalated the kerfuffle into industry news. You’d see articles in all kinds of industry magazines about OpenBSD versus Cisco.
The OpenBSD folks responded by doing a CARP/VRRP-themed 3.5 release, complete with a Monty Python parody (lyrics, MP3).
And in the end of it all… everyone shut up. Other people started implementing CARP. Because it’s a solid, respectable redundancy protocol. You can get CARP from FreeBSD, Linux, Solaris, and a whole bunch of other vendors…
…including Ciso.
I had plans for today, but I’m too busy laughing. And then I need to go watch some Monty Python.
I’ll be presenting about OpenBSD at !Michigan/usr/group, a Linux and UNIX user group, on Tuesday, 12 November 2013. The tentative title “OpenBSD for a Linux User Group,” covering the features and culture that make OpenBSD what it is. (Hint: it’s not security.)
These talks are always more fun when readers show up to heckle, throw rotten tomatoes, and question my morals and parentage.
If I have sufficient connectivity and nobody objects, I’ll try to do a Google Hangout for it. But you can’t throw rotten tomatoes over IP. Yet.
The fine folks at BSDNow.tv have requested my presence this Wednesday for an interview. We’ll talk sudo, FreeBSD, OpenBSD, and whatever else comes to mind.
You can watch it live, this Wednesday at 2PM EST.
PS: Hey, boss, I’ll be out Wednesday afternoon. Personal business.
I’ve written elsewhere how daemons running on jail servers (the main host, not the imprisoned machines) should listen only on a single address. They shouldn’t bind to all addresses on the machine.
Your average empty FreeBSD install has two problem children: syslogd and ntpd. Adding syslogd_flags="-ss" to /etc/rc.conf handles the first. But FreeBSD’s included ntpd binds to port 123 on all addresses on the machine.
You can run jails while running ntpd. The jail won’t crash in flames. But the jail code expects the jail to have exclusive access to the jail address. This could well come back to bite you later. Besides, it lacks elegance.
Enter openntpd. Openntpd can synch your host clock without binding to any ports. Install it from packages:
# pkg install openntpd
The file /usr/local/etc/ntpd.conf lets you set the preferred server(s) and, if needed, a bind address. This machine is in private address space, so I have to point it at my local time server.
server time.michaelwlucas.com
Now enable openntpd in /etc/rc.conf, and disable the system default ntpd if it’s running.
openntpd_enable="YES"
Run ntpdate to fix the time, then start openntpd.
# ntpdate time.michaelwlucas.com
1 Nov 15:03:22 ntpdate[53689]: adjust time server 192.0.2.130 offset -4.001088 sec
# service openntpd start
Starting openntpd.
The clock is now correct — or, rather, if the clock is wrong, all the servers will be wrong together. And the various jails each has sole access to their own IP addresses.
And what’s Halloween without a ghost story? A high-tech ghost story, even.
If you don’t care for fiction, there’s always true horror of my real life.
I’ve mentioned this before in various forums and in passing, but it bears a small emphasis.
Some people want books in both ebook and print. I’m not set up to do that, but Amazon is making that happen through their Matchbook program. The general idea is that if you bought a book in paper, you can get the ebook version at a steep discount.
I’ve put both existing Mastery paperbacks in the program. If you’ve bought the print book from Amazon, you can get the electronic version for $2.99. When Sudo Mastery hits paperback, it’ll be included.
Why $2.99?
I feel the fair price for the combo is about $20. The list price on the print books is $20, but Amazon knocks a few bucks off based on their own inscrutable algorithms. I’ve seen SSH Mastery as low as $14 and as high as $18.
There’s also the Amazon royalty on Kindle books. Ebooks priced less than $2.99 pay me a 35% royalty. Ebooks priced at $2.99 and up pay 70% royalties. If I price the Matchbook versions at $2.99, I make about $2.00 per sale. If I price them at $1.99 (the next lower option), I make about $0.66/sale. Ouch. Either way, that’s a lot of sales to pay the mortgage.
All this is a long-winded way of saying:
If you want both the print and ebook versions of Sudo Mastery, wait until the print version comes out. You’ll be able to get both for about $20, more or less.
I never buy my print books through Amazon’s retail channel — I buy them in bulk, from their CreateSpace arm. I would really like confirmation that folks who bought a print Mastery book from Amazon can get the ebook at a discount. If you bought a print Mastery, please take a look at Amazon. See if you can get the Matchbook deal and let me know in the comments here.
At long last, Sudo Mastery is now available in ebook form on most platforms.
You can get it at my bookstore or Amazon.
It’s also available at Smashwords, but Smashwords doesn’t support footnotes. They do support a workaround that puts all footnotes together at the end of a chapter or the end of the book, but it’ll take some work on my part to make that happen.
It’s not at Barnes & Noble yet, because their new Nook Press application completely mangled the book’s formatting. As I sell an average of one book a month through B&N, I’m seriously considering not having the book there.
Print will come some time in November.
I appreciate all the people who helped me write this book. So, in that spirit, here are the acknowledgements.
I want to thank the folks who reviewed the manuscript for Sudo Mastery before publication: Bryan Irvine, JR Aquino, Hugh Brown, and Avigdor Finkelstein. Special thanks are due to Todd Miller, the current primary developer of sudo, who was very patient and helpful when answering my daft questions.
While I appreciate my technical reviewers, no errors in this book are their fault. All errors are my responsibility. Mine, do you hear me? You reviewers want blame for errors? Go make your own.
XKCD fans should note that the author does not particularly enjoy sandwiches. However, Miod Vallat, currently exiled to France, would really like a sandwich with nice fresh bread, really good mustard, and low-carb ground glass and rusty nails. And Bryan Irvine would like a rueben.
This book was written while listening obsessively to Assemblage 23.
Now, to finish writing my big 2013 fiction project before the end of the year…