Meltdown and Spectre: Links compilation

Meltdown and Spectre, which recently came to light, are the names given to a set of high-impact security issues that exploit CPU instructions to read system memory. Below is a collection of links covering different aspects of these vulnerabilities.

Initial Disclosure

Updates from Vendors

 

Mitigations

Against Meltdown

Against Spectre

Performance / Benchmarks

 

Bits from the web

 

Roaming profile on Linux in 2017

To quote Wikipedia,

A roaming user profile is a concept in the Windows NT family of operating systems that allows users with a computer joined to a Windows Server domain to log on to any computer on the same network and access their documents and have a consistent desktop experience, such as applications remembering toolbar positions and preferences, or the desktop appearance staying the same.

Our office environment consists of a mix of Windows and Linux systems, and the task was to set up a system on which user data could be stored such that the users would not be bound to a single system and would be able to work on any system.

On Windows, using Active Directory and roaming profiles, user data and logins can be centrally stored and authenticated. Advances have been made in Linux too to allow for a similar setup:

  • [server side] Samba can be used to set up a domain controller to authenticate users (for Linux-only environments, solutions like FreeIPA also exist).
  • [client side] Can be set up by combining different services (as given here and here), or an integrated system can be used (like given here).

After considering the above, we went with the following solution:

Server side setup

Went with Zentyal server for user authentication, data storage, and file sharing (other options like ClearOS also exist).

Client side setup

Used pbis open for authenticating to the AD server, and put together a system for implementing roaming profiles.

Roaming profile setup

When searching for roaming profiles on Linux, csync was found, which seemed like the ideal solution; however, in practice an issue was encountered trying to sync between a local home folder and a Samba mount of the remote folder.

Eventually discovered osync which synced the folders (local and remote) correctly.

Wrote some scripts to tie it all together (available here).

Note: SMB v1.0 was used for the remote home folder CIFS mount, as the Unix extensions needed for proper permissions support seem to be implemented for that version only (link).

Using Gitlab CI for deployments

Hi there folks!

This time we are going to talk about something different: using Gitlab and its CI system for deployments.

Gitlab CE (community edition) is an Open Source git platform that can be used to host your git repositories on a server. It offers most of the features offered by Github, with the advantage that you can host it on your own server.

In my previous organization we were using Github for hosting our git repos and using git along with git hooks for deployment on the server (tutorial). Now with a bigger team we needed a pull request and merge based approach and deployment for the same. After evaluating the options available, my thoughts are as follows:

1. Custom Hooks

These are basically git’s server side hooks and only run when someone pushes to the repo.

Pros
  • Easy to set up, supported by git, and documented.
Cons
  • Not executed on merges.
  • Difficult to redeploy.

2. Webhooks

These allow hitting a URL for certain actions / events like push, merge, etc.

Pros
  • Easy to understand.
  • Triggered on both pushes and merges.
Cons
  • Need to set up a custom webhook handler for it on the deployment server.
  • Since Gitlab’s webhook system does not allow storing any state (like whether the deployment succeeded, or is in progress), this information needs to be stored by the webhook handler as well (by comparison I find Github’s webhook system much better in this regard).

3. Gitlab CI

This is Gitlab’s CI (Continuous Integration) and CD (Continuous Deployment) system.

Pros
  • Quite featureful and customizable.
  • Runs on both pushes and merges.
  • Can be used to track deployment status and redeploy if needed.
Cons
  • Higher learning curve.

As can be seen, the CI system seems like the more appropriate choice as per the requirements. Only thing now is to set it up.

 

Setting up the Gitlab Runner

Gitlab Runner is what we will be installing on the deployment server. Installation looks simple but there is a question: which executor to use? Since we are deploying on the same server as the runner (and not doing anything else that needs a clean environment), we will be choosing the shell executor.

Whenever there is a commit in the Gitlab repo, the runner gets notified, places us in a checkout of the commit, and runs through what is specified in .gitlab-ci.yml (for example I wrote a bash script to transfer the changed files using rsync to a location in the docroot of the webserver).
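An example `.gitlab-ci.yml` for the setup described above, added here as an illustration and not the author's own file; the docroot path, runner tag, environment URL and the choice to deploy only the default branch are assumptions. With the shell executor each job runs as the runner's user directly on the deployment server, so the file restricts when the deploy job runs and checks the rsync target before copying.

```yaml
# .gitlab-ci.yml (added example; DEPLOY_DIR, the runner tag and the URL are assumptions)
stages:
  - deploy

variables:
  DEPLOY_DIR: /var/www/example/htdocs    # assumed location inside the web server docroot

deploy_production:
  stage: deploy
  tags:
    - deploy-shell                       # assumed tag given to the shell-executor runner
  rules:
    # Run only for the default branch, and only when that ref is protected.
    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_COMMIT_REF_PROTECTED == "true"'
  environment:
    # Records each deployment so its status is visible and a previous
    # deployment can be re-run from the Environments page.
    name: production
    url: https://www.example.com         # placeholder
  resource_group: production             # never run two deployments at once
  script:
    # Refuse to run with an empty or root target before syncing with --delete.
    - test -n "$DEPLOY_DIR" && test "$DEPLOY_DIR" != "/"
    # Copy the checkout to the docroot; repository metadata and the CI file
    # itself are not published. --delete removes files dropped from the repo.
    - rsync -a --delete --exclude='.git/' --exclude='.gitlab-ci.yml' "$CI_PROJECT_DIR"/ "$DEPLOY_DIR"/
```

The `rules:` entry is a convenience rather than an access control, since every branch carries its own copy of `.gitlab-ci.yml`; marking the runner as protected in its settings is what keeps jobs from unprotected branches off the deployment server.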

And that’s it! Let me know in the comments if there are any questions.

Adding an external fan to the Raspberry Pi 3 Model B

A while ago I had purchased a Raspberry Pi 3 to learn more about building software on the ARM platform (IoT), and getting to know configuration management software like SaltStack.

Since I intended to compile software on the Pi, I looked into external cooling solutions and found that adding a heat sink and fan should work. Ordered the items, and when they came I attached them to the Pi.

But there was an issue: the fan was too loud and not really required unless the Pi was heating.

Searching for solutions, I found two tutorials, the first of which used a transistor controlled via the Raspberry Pi’s GPIO system (I could not find the suitable transistor online) to turn the fan on/off as required, and the second one which used a relay module (which I could find online and ordered).

After some fiddling around, managed to get the connections right, and it worked 🙂 There was a strange issue though that whenever the GPIO pin was set to output mode, irrespective of the fact whether the voltage was HIGH or LOW, the fan got switched on. As a workaround I set the GPIO pin to input mode instead of setting it to output LOW and it worked.

I took the scripts from the tutorials, modified them a bit to work around the above issue, merged the best bits, and wrote some code for monitoring. All this is now available in a Github repo.

Raspberry Pi 3 fan setup

Links:

  1. Automated-cooling-fan-for-Pi
  2. how-to-control-a-fan-to-cool-the-cpu-of-your-raspberrypi
  3. raspi-fan

If anyone has any comments or queries feel free to post them in the comments section below.

Manjaro OpenRC 17.0 Xfce Development ISOs [RC]

While waiting for Manjaro 17.0 to be released, have created RC ISOs for Manjaro OpenRC 17.0 Xfce edition.

Highlights:

  • Kernel updated to 4.9.x series (next LTS).
  • Reverted to using ALSA by default (decided by voting, see here for reference).
  • Old CLI installer patched to work with manjaro-tools 0.13.8 (changes available here).

Download:

https://sourceforge.net/projects/manjaro-openrc/files/17.0/

P.S. May also create Net Edition ISOs this time around if there is need for them.

Edit:

RC (Release Candidate) ISOs were released, have updated the download link (old link for reference).

Manjaro OpenRC 16.10.2 ISO released!

After about a month of development (mostly over the weekends), Manjaro OpenRC 16.10.2 ISO has been released. It was originally not intended as a development edition, but became one since I noticed that it failed to boot in EFI mode both in VirtualBox as well as on bare metal, and was unable to fix it (has been fixed).

Major changes are the inclusion of Linux 4.8 to better support newer hardware like AMD Polaris, and the inclusion of PulseAudio for better out of the box support for multiple audio devices (more of that in the release announcement).

Minor changes include switching the icon theme to elementary-xfce-icons (shoutout to oberon2007 for adding it to the community packages), and adding hardinfo for graphical system information, and ffmpegthumbnailer for video thumbnails.

Release announcement: https://forum.manjaro.org/t/manjaro-openrc-16-10-2-iso/13654

Download: https://sourceforge.net/projects/manjaro-openrc/files/16.10.2/

 

Touchscreen issues with my phone

For some time now, I had been having touchscreen issues with my phone (a Moto G3), where scrolling registered as a click; finally decided to research it and stumbled upon this thread:

https://forums.lenovo.com/t5/MOTO-G-3rd-Gen/Touch-detection-problems-phantom-touch-ghost-touch/td-p/3277853

Seems like an issue faced by a lot of people regarding this handset, but I am 12 pages in and yet to see any reasonable response from Motorola (Lenovo?).

Trust in this brand eroded and I will likely never buy their phones again.

Native Window Snapping / Window Tiling with Fluxbox, Openbox, and xfwm4 (Xfce)

I find tiling helpful when I have to work with the contents of two windows at once, or when comparing things.

By native window tiling I mean that we will be using only the native commands of a particular window manager and not any external program.

Fluxbox

The following can be added to ~/.fluxbox/keys

# Tiling
Control Mod1 Left :MacroCmd {ResizeTo 50% 100%} {MoveTo 00 00 Left}
Control Mod1 Right :MacroCmd {ResizeTo 50% 100%} {MoveTo 00 00 Right}
Control Mod1 Up :MacroCmd {ResizeTo 100% 50%} {MoveTo 00 00 Up}
Control Mod1 Down :MacroCmd {ResizeTo 100% 50%} {MoveTo 00 00 Bottom}
Control Mod1 Return :ToggleCmd {Maximize} {Restore}

The modifiers above (Ctrl + Alt + Left/Right/Up/Down/Enter) should not conflict with existing modifiers, else they will not work correctly.

Openbox

The following can be added to ~/.config/openbox/rc.xml within the keyboard tags.
http://pastebin.com/z1KcJCkV
(have to use a pastebin as WordPress interprets it as tags)

xfwm4 (Xfce)

Go to Menu -> Settings -> Window Manager -> Keyboard

The commands should already be present, only the keys need to be set.

 
keybinds