Blog

Posted on

Summer 2011 nonfiction project: OpenSSH

I have a problem with Absolute OpenBSD, 2nd edition. It’s too big. The outline is 26 chapters. This brings the book close to 300,000 words, well over a thousand pages. I don’t want to write books that I don’t like. I don’t like huge books that I cannot comfortably read in the bathtub.

One component of OpenBSD is OpenSSH. People have written books about OpenSSH, but they contain more information than most people need. (Not all, but most.) I write for the most common user, which means that those books are perhaps 2x-3x the size of what I would write. And OpenSSH is widely used outside OpenBSD: I could argue that it’s their most widely deployed component. Lots of people who will never use OpenBSD need a swift sharp smack with the OpenSSH clue-by-four.

AO2e book needs some OpenSSH stuff in it, of course. But I have about 30,000 words of OpenSSH. For comparison, the smallest nonfiction book I’ve written is about 60,000 words. It’s too small for a traditional publisher.

So I’m removing the intermediate-level OpenSSH material from AO2e, and doing a small independent book tentatively titled “OpenSSH: Your Next Steps.” It will cover the OpenSSH server, and the OpenSSH and PuTTY clients.

Many people believe they know how to use SSH: they download PuTTY, enter a hostname, username, and password, and “poof!” — they’re secure. It’s not that simple. If you search for documentation and articles about using OpenSSH, you’ll find years and years of accumulated cruft. Many of the most visible articles and posts are obsolete. A single source of up-to-date information at an inexpensive price would find readers, and would let me satisfy my self-publishing curiosity. I’ve contemplated independent publishing for some time now, and this looks like a realistic opportunity.

I’ll have to pay for copyediting, design, and so on. And I’ll have to manage the whole project. Worst case, I lose a lot of time and money, but develop a new appreciation for my publisher. (I still cannot see leaving them for major books like AO2e, however; it’s just too much work.)

I believe that there’s a market for inexpensive, small, single-topic books, as Cisco Routers for the Desperate is one of my best-selling books on Kindle. Not bad for a two-year-old book. I could also make the case that if you want a book called “Cisco Routers for the Desperate,” you want it NOW. (The publisher could probably double the price without impacting Kindle sales, but that would be gauche.)

I will do a community-based tech review. I’ll announce here when I’m looking for reviewers.

Finally: at Austin Hook’s request, I’ll also do a print-on-demand version. (I’m not terribly interested in distribution of physical copies of such a short book, but the expense and annoyance of setting up POD isn’t that great, so why not?) Austin handles the sale and distribution of the various OpenBSD merchandise, so I have confidence he can manage this.

As an independent, I cannot do pre-orders for books that don’t yet exist. There are Web sites that manage this for authors, but I really don’t want to bother. But Austin does that all the time, and he’s a trusted community figure. He will be the official source for pre-orders. While POD books need to be paid for in advance, the money doesn’t come to me until the books are ready to print and ship. This will get some extra cash in the hands of the folks who develop OpenSSH, which is a good thing.

No, I don’t have numbers or prices yet. I’m taking a course on this stuff, as well as POD, though, so I’m not even trying to figure that out yet. I can assure you that the paper version will be more expensive than the electronic version, however.

Will this succeed? There’s only one way to find out.

UPDATE: I’m not shelving AO2e for the summer. I normally work on multiple projects simultaneously. When I’m sick of one, I work on the other.

Posted on

my .cwmrc

I need a window manager that doesn’t take up desktop space with lots of icons and permits me to work without removing my hands from the keyboard. (I do use the mouse, mind you, but I don’t want to be required to use the mouse for routine tasks.) I’ve used cwm on OpenBSD as my window manager for about a year, and it’s fulfilled my needs perfectly well.

I have made some changes. cwm is very easy to modify via the .cwmrc file. Here’s mine, with comments interspersed to show why I’ve made these changes.

I want a narrow blue border around my windows, and I want the active window to be highlighted. Maximized windows leave a 180-pixel gap at the right-hand side of the screen, so my xclock remains visible. (Without a clock, I sink into an authorial coma and lose awareness of time, sound, light, and so on.)

borderwidth 2
color activeborder blue
color inactiveborder darkblue
gap 0 0 0 180

My most heavily-used big applications are OpenOffice and Firefox. Both of these highlight text a word at a time when you use CTRL and an arrow key. By default, cwm maps CTRL-arrow to moving the pointer. I’m not going to train my fingers to make my applications work differently on OpenBSD than on any other operating system, so I needed to make cwm pass CTRL-arrow through to applications and use another key sequence for moving the pointer.

bind CS-Left unmap
bind CS-Right unmap
bind CS-Up unmap
bind CS-Down unmap
bind C-Left unmap
bind C-Right unmap
bind C-Up unmap
bind C-Down unmap
bind 4S-Left bigptrmoveleft
bind 4S-Right bigptrmoveright
bind 4S-Up bigptrmoveup
bind 4S-Down bigptrmovedown
bind 4-Left ptrmoveleft
bind 4-Right ptrmoveright
bind 4-Up ptrmoveup
bind 4-Down ptrmovedown

The 4th option key (which probably appears as the Windows key on your keyboard) and an arrow now controls pointer movement.

I experimented at length with my cwm configuration, and wanted to be able to make cwm reread .cwmrc with a keyboard shortcut, such as CTRL-ALT-r.

bind CM-r reload

I have a preferred screensaver, activated on a CTRL-ALT-DELETE.

command lock '/usr/X11R6/bin/xlock -mode flow'

Finally, I want to be able to start commonly-used programs via a right mouse click on the background. I don’t have to start them this way, but the option is convenient.

command firefox /usr/local/bin/firefox
command xpdf /usr/local/bin/xpdf
command OOo /usr/local/bin/soffice

With these modifications, cwm stays out of my way and lets me work.

And while I’m babbling about cwm: when you spawn an SSH session with CTRL-. you can put SSH command-line arguments before the hostname. Very useful for when you want to enable, say, X11 forwarding for a particular session.

Posted on

IP Tables and VoIP

Here’s an iptables ruleset for a VoIP server with a Web interface. The goals are to allow management hosts to communicate with them freely, allow VoIP and HTTP(S) from the public, and drop everything else. It’s designed to be used as /etc/iptables.rules, and loaded with

# iptables-restore < /etc/iptables.rules

In Linux, you’re supposed to adjust the firewall at the command line. This implies an ability to retain the firewall ruleset in your head, as well as an ability to type correctly. Neither of these is true for me. My /etc/iptables.rules


*filter
#management
-A INPUT -s 192.168.0.0/16 -i eth0 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -i eth0 -j ACCEPT

#Web interface
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

#VoIP
-A INPUT -p udp -m udp --dport 5080 -j ACCEPT
-A INPUT -p udp -m udp --dport 5061 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -p udp -m udp --dport 1025:65534 -j ACCEPT

#keep state
-A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j DROP

#allow outbound
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT

The section labeled “management” is where the rules allowing access from my management network goes. Management hosts may connect to this server on any port desired. Add additional lines for additional subnets.

The Web interface rules permit inbound HTTP(S) connections, and the VoIP section supports phone calls.

After working with iptables for a while, I feel perfectly qualified to say: I vastly prefer PF. Or even ipfilter. But now that I have the ruleset worked out, I can easily replicate it across all my VoIP servers.

Posted on

OpenBSD, Firefox, and Flash

An OpenBSD advocacy article led me to a mailing list posting on how to get Flash playing transparently in Firefox on OpenBSD. You could get Flash (and other clunky media formats) to work on Unix-like platforms that Adobe doesn’t support for some time now, using a combination of players in packages and nearly random hacks in Firefox. This process makes everything simple, however.

I’m using 4.9/i386 and mozilla-firefox-3.6.13p3.

Set a package path in your shell. A few tests with ping and traceroute showed ftp3.usa.openbsd.org is my closest mirror. I use tcsh, so my .cshrc has:

PKG_PATH=ftp://ftp3.usa.openbsd.org/pub/OpenBSD/4.9/packages/i386/

Then run:

$ sudo pkg_add -r gecko-mediaplayer

This installs a whole bunch of packages for playing not just Flash, but other complicated media formats.

Browse to https://addons.mozilla.org/en-US/firefox/addon/flashvideoreplacer/ and install the plugin. The plugin handles replacing Flash with appropriate third-party players from packages.

Restart your browser. And everything just works.

Posted on

FreeBSD iSCSI panic

I woke up today to find a console with:

panic: _mtx_lock_sleep: recursed on non-recursive mutex iscsi-io @ /usr/src/sys/modules/iscsi/initiator/../../../dev/iscsi/initiator/isc_sm.c:324

The initiator is a FreeBSD-current amd64 from 8 May 2011. The iSCSI target is an inexpensive iomega NAS. Other hosts attached to this iSCSI NAS have also had errors, though. The errors clear when I reboot the NAS.

Unfortunately, the FreeBSD box is a diskless system. Dumps aren’t exactly simple. While I heard some rumours about a network dump facility coming soon at the FreeBSD BSDCan devsummit, that’s the future.

How to fix this?

I attended the High Performance FreeBSD Clusters talk at BSDCan 2011. The presenter had originally used FreeBSD servers, then tried OpenSolaris to get better performance. He had OpenSolaris problems, but found that they could not access the bug information without a support contract. They’re now moving towards FreeBSD with EIT, and are happier.

I intend to learn from their mistakes, and replace the iomega with a FreeBSD EIT server. I’ll keep the iomega for, say, a central ports and packages NFS server, where a reboot won’t impact my uptime.

Why bother to blog this? So that the next poor bugger who gets this panic message gets at least one search engine hit.

Posted on

BSDCan 2011

BSDCan 2011 was great. The problem with a conference that’s routinely great is that great becomes routine, and hence boring. Several presentations struck me as notably interesting for a variety of reasons, and I wanted to comment on three of them. These are only my personal opinions, of course. BSDCan had three tracks, and I could only be in one talk at a time.

Mark Linimon’s talk on How not to build a lights-out facility discussed the FreeBSD Project’s efforts to mirror its core infrastructure in datacenter space donated by New York Internet. As a chronicle of lessons learned and things that should be done differently next time, it’s valuable listening for anyone who thinks that building heavy-duty project infrastructure is easy.

I’m not going to name the people, the projects, or the code involved in the second talk, because the talk itself is less important than what happened during it. A committer from one large BSD project presented on a new piece of infrastructure he had developed. The audience included people associated with a variety of BSD projects. At the end of the talk, a senior developer from a different BSD project asked a few questions. The presenter and the developer had several rounds of completely civil back-and-forth technical discussion, and at the end the presenter agreed that the developer had some strong points and that some parts of his infrastructure needed additional work. I’m told that this happened in more than one talk. Despite discussion of disagreements between various BSDs projects, it’s clear that technical correctness is still most important.

The presentation I found most technically interesting was Randall Stewart’s work in data center congestion control. Stewart did real-world testing of data center congestion control with ECN and SCTP, and presented his results. It wasn’t until hours later that I realized exactly why I found the talk so interesting: he had essentially done “Mythbusters” for a specific part of TCP/IP. He’d bought a bunch of $50 servers on eBay, repeatedly adjusted SCTP’s response to packets with ECN set, and graphed the results. This was real-world stuff suspiciously close to academic research, done in a basement. And this sort of research is something that almost anyone could do. Lots of claims are made for our network stacks, but very few people actually experiment to measure performance with their workloads.

I’m glad to see open source projects learning lessons. I’m glad to see different BSD camps politely testing their ideas against each other, creating better software for everyone. But I’m really really happy to see real-world experiments.

I see all sorts of claims for different BSD’s network stacks, disk performance, and so on. Please, put them to the test. Make changes. Measure the results. While this work requires real hardware rather than virtualization, it’s something that anyone can do. You know your workload. Read about benchmarking. While naive benchmarks aren’t useful, it’s not that hard to design valid benchmarks. Buy used hardware, run your own tests. Make changes, and test again. Measure and document everything. Capture packets, and keep the pcap files so that you can go back and answer interesting questions. Publish your results. You’ll get interest. Perhaps your results will be as you expect. Maybe they won’t. But you’ll never know until you try.

As a BSDCan committee member, I would love to see more work like this. I can’t guarantee that your paper would be accepted, but I can say I’m much more likely to vote for a paper with a real investigation than yet another talk on well-understood features. Even if your results say “Yes, the fooBSD disk I/O system works exactly as expected,” it’s still interesting. And if you discover weak spots, you’ll have evidence the developers will need to improve performance.

Posted on

Populating OpenSSH chroot on OpenBSD

I need to confine the user jrlodden to his home directory on this OpenBSD 4.9/i386 system, but give him a shell prompt and access to a couple of specific commands. While the SFTP server has built-in chroot support, a shell environment is more complicated. The /etc/ssh/sshd_config part is pretty simple…

...
#ChrootDirectory none
...
Match User jrlodden
ChrootDirectory %h

This chroot directory is nonfunctional. I must create device nodes and add necessary programs. Start by creating the the user account with adduser(8), creating standard device nodes, and removing unnecessary nodes.

# cd ~jrlodden
# mkdir dev
# cd dev
# /dev/MAKEDEV std
# ls
arandom klog ksyms null stdin tty zero
console kmem mem stderr stdout xf86
# rm console klog kmem ksyms mem xf86
# ls
arandom null stderr stdin stdout tty zero

He’ll need a statically-linked shell, such as /bin/ksh.

# cd ~jrlodden
# mkdir bin
# cd bin/
# file /bin/ksh
/bin/ksh: ELF 32-bit LSB executable, Intel 80386, version 1, for OpenBSD, statically linked, stripped
# cp /bin/ksh .

A chrooted user should not have write access to his own root directory. He will need a home directory in the chroot, however.

# chown root:wheel /home/jrlodden/
# mkdir -p /home/jrlodden/home/jrlodden
# chown jrlodden:jrlodden home/jrlodden

Now he can log in:

# ssh jrlodden@chroothost
ksh: No controlling tty (open /dev/tty: Device not configured)
ksh: warning: won't have full job control
$

jrlodden is logged in and cannot access anything beyond his cell. While I’d like to clean up the /dev/tty warning, I can’t seem to create /dev/ttypc in the chroot’ed /dev. For now, I can copy statically-linked versions of his necessary programs into /home/jrlodden/bin and get on with my life.

Posted on

Absolute OpenBSD, 2nd Edition

I promised I’d announce the title of my next No Starch Press book in my BSDCan talk. That happened. The rest of you had to wait until now to hear that I’m rewriting Absolute OpenBSD. The technical reviewer is Peter Hansteen, author of The Book of PF.

Most of the book does not exist yet. Best guess for a release date is some time in 2012.

Why did a second edition take so long?

I will only write books about tools I use in production, out in the real world. (Desktop use does not count.) In my previous job, senior network engineer at a global automotive supplier, I had no opportunity to use OpenBSD. That meant I couldn’t offer advice about using OpenBSD, or discuss how it fit into my infrastructure. I could have written the book, but it would have sucked.

I’m also working on a second nonfiction project, but I’ll announce that separately.

Posted on

new package system coming for FreeBSD

From the BSDCan FreeBSD developer summit:

The ports team has developed new package management tools and methods to simplify FreeBSD package management. The hope is to have these as the default in FreeBSD 10. Erwin Lansing has posted slides from his brief presentation, and a Web search for “pkgng FreeBSD” will get you all sorts of details.

Posted on

Agents for Tech Authors

I know several tech authors who use an agent to sell their books license their copyright to publishers. Tech authors don’t need agents. You can sell to a tech publisher yourself, and hire a lawyer to evaluate any contract offered. I’ve never used an agent for my nonfiction.

Pimping yourself is work, yes. And it takes time, and you must educate yourself. But it’s not hard, or authors couldn’t do it. Before you decide to hire an agent to place your work, I suggest you read this. Some agents are transforming into publishers.

Are there good tech author agents? Certainly. Don’t ask me, I’ve never had an agent. I can’t even say what percentage of agents are good… could be 99%, could be 1%. But no profession is all good, or all bad. (Except, perhaps, clowns. But that’s a separate issue.)

If you really want an agent, if you’re convinced that you need an agent, you should know the signs of a bad agent. An agent must be your advocate. Not the publisher’s. And certainly not the agent’s. The agent’s job is to maximize your income so as to maximize his percentage, not to pay you a percent of his take from your work.

In publishing, money always flows towards the author. Any deviation from this is a danger sign.