Home Home > Base-system > Network
Sign up | Login

Deprecation notice: openSUSE Lizards user blog platform is deprecated, and will remain read only for the time being. Learn more...

Archive for the ‘Network’ Category

On wlan and browser authenticated internet

July 7th, 2009 by

Nowadays more and more organisations will use an intercepting proxy to give you access to internet. Last week I had the pleasure to use again such a system. To use is an exaggeration as my opensuse 11.1 box with kde4.3 rc1 connected to the wireless network (network manager) but refused to give me access to the authentication page in the browser.

I did all the decent tests that my brain and time allowed me. Checked the ip, checked gateway and checked dns. They seemed ok.

To make frustration even bigger I was able to connect to th very same network with a kde4.3 beta1.

Sending Proxy Settings via DHCP

June 3rd, 2009 by

It’s a bit “overdressed” for my little homenet, but playing around with DHCP, DNS and YaST is always interesting….

My DHCP Server at home is configured to use LDAP – and I’ve done the configuration via YaST. Now I read in some M$ pages, that it’s possible to tell the Clients via DHCP (and Apache) to use my Proxy server automatically. (Yes, my wife still needs Win** for her schoolwork.)

First, I had to figure out how I can insert two “non standard” options into the LDAP configuration of the DHCP server. I called “yast2 dhcp-server” (thanks for the tab completion, btw!), marked the “Global Options” entry and clicked on “Edit” (not Add!). On the next page, click on “Add” to add a new Option. Just delete the first available entry “allow” and replace it with the full line as you would write it in dhcpd.conf. In my case, this is
option wpad code 252 = text;
option wpad “http://myserver/proxy.pac\n”;
(dunno if the “\n” is really needed). That’s the trick. Have a look at /var/log/messages in a separate terminal when you finish the yast2 dhcp-server module to catch possible errors.

Now all what’s left is a running apache server on “myserver” delivering the “proxy.pac” file to your users. The file content is well known – and google would find hundreds of examples for you.

NetworkManager and keyring

May 15th, 2009 by

Tonight I stumbled upon the solution to a irritating little problem I have had for a long time. I use autologin and every time I log in I get prompted for my keyring password in order to access the wireless network. I have googled for this problem numerous times in the past without any luck. All the suggested solutions had to do with Ubuntu and a tool called libpam-keyring. This does not seem to work the same on openSuSE as on Ubuntu and did not help me much. Then I found this post. Towards the bottom of the thread is the instructions that have been evading me for so long. Hope this helps someone else.

Qemu network speed

May 7th, 2009 by

I’m working on a solution to automatically test drive factory installations every day and one thing that bothered me majorly was the download speed I had with kvm. I couldn’t get faster than around 300K/s, which makes a factory installation take around 5 hours. Not really practical for my purpose, and it was quite frustrating taking that the host gets almost 3MB/s out of download.opensuse.org (I get various german mirrors). So I asked around and Jan suggested the setup of Gladiac, but it didn’t want to fly for me. So I continued experimenting and went to Luwdig for some firewall advise. And his suggestion was much simpler: using pcnet. So my kvm call looks like this now:

qemu-kvm -net user,hostname=factory-pc -net nic,model=pcnet -drive ....

Now I have about the full performance – and I’m ten steps closer to automating bootchart generation of daily factory 🙂

I got Network!

May 6th, 2009 by

I tried an installing using the USB images on the Acer Aspire One I’m using to test these things (and to test preload on SSD systems).

And I wasn’t able to connect to wifi, because the NetworkManager didn’t want to give out wireless networks to the applets. The reason was in the logs: it thought the radio kill switch was on. But fortunately Helmut gave me the golden tipp:

echo "blacklist acer-wmi" > /etc/modprobe.d/coolo.conf
rmmod acer-wmi
rcnetwork restart

It’s one of these things that frustrate you, because they are very easy to work around if you find the right spot in the internet. And that’s the reason I create this blog entry: to allow the next with the problem to fix his wlan. Happy surfing and thank Helmut not me 🙂

BTW: it’s fixed for newer kernels, but 2.6.30 is too fresh for me.

Saschas Backtrace: Interview with Petko D. Petkov on Netsecurify

December 24th, 2008 by

Petko D. Petkov is one of the founding-members of the Gnucitizen-hacker-network. They work inbetween internet, computers and security and always have very interesting projects going on, for example the “House of Hackers” a social-network for hackers and security experts. The Gnucitizen define themself as “a leading information security think tank, delivering solutions to local, national and international clients“.

Thier latest project is Netsecurify, an automated, webbased, remote testing tool, that enables security-testings of applications. One of the primary goal of the projects is not only to have a pioneering sort-of feeling, but foremost to support low-profit or non-profit organisations to have a robust and stable security-testing tools for free. They think of organisations, that otherwise would not be able to affort security experts and testing. We had a short interview with Petko D. Petkov on Netsecurify, their motivation, software design and overall goals.

What does the tool Netsecurify exactly do?

Netsecurify is a remote, automated, vulnerability assessment tool. The tool follows the SaaS (Software as a Service) model, i.e. it is a service which runs from Amazon’s scalable computing infrastructure. In it’s core, the tool performs several assessments, all based on open source technologies, and also provides recommendations through a flexible recommendation engine. The tool also allows 3rd-party organizations to enhance the reports.

Netsecurify is very simple to use. All the user has to do is to login and schedule a test for a particular network range. Once we approach the specified scheduled data, we run the test. When the test is done, the user is notified via email or by other means which we are working on at the moment. The user then logs in and downloads a copy of the report. For security reasons, the report is destroyed 30 days after it has been completed.

What was your motivation for starting the project?

The primarily motivation for starting this project is to provide free, quality, flexible, automated information security testing tool which can be employed by charity organizations, 3rd world countries, and in general, organizations and companies who cannot afford to spend money on security. Also, a huge motivational factor is the fact that no one has done a project like this. We are the first to do it. 🙂 This is pretty cool.

Who are the people behind the project and how is the project organized (agency, virtual, decentralized)?

Technically speaking, the people behind Netsecurify are GNUCITIZEN. However, we welcome anyone who is interested to join us and help us improve it. Because the testing engine is based on open source technologies which we have glued together and we are continually enhancing, we are planning to contribute back to the community everything that we do and as such close the circle of energy. In theory, this makes the entire security community part of the Netsecurify project.

What is the basic design concept and how do you think will the project develop and evolve?

We have a scalable backend and very easy to use and flexible frontend. In between we have several APIs which allow us to expand the service as we go. The tool hasn’t been just built from scratch. There was a lot of thought and design considerations put into this project before the actual code. We follow the KISS (Keep it Simple Stupid) principle. We find that this approach works quite well for us. In the future we are planning to continue simplifying and enhancing the product.

Do you have other projects planned, that will be coming at us in the future?

We always have. Expect to see more from the GNUCITIZEN team soon.

Thanks to Martin Wisniowsky (mw@node300.com)

Original Link to this Interview: http://digitaltools.node3000.com/5minutes/interview_with_petko_d_petkov_on_netsecurify_testing_tool.php

Longstanding Wiki Problem Fixed.

December 15th, 2008 by

Today, I fixed a long-standing, serious problem in the openSUSE wiki:

15-20 seconds long hangs that one would see when loading pages. It occured only when one was logged in, and it happened (for me) on every second access. So one page load hang, the next would work, the next would hang again, and so on. Eventually each page would load and show correctly, but after an initial waiting time of nearly 20 seconds.

I experienced this on Friday, and was not happy about it, because we are preparing for an openSUSE release. I fixed it today.

What follows is the complete story of how I debugged it. It was quite complicated, took hours, and can hopefully serve as an educational example of the diagnostic thinking and different debugging methods. I always planned to write up things like this 🙂

So at first, I made sure that the hang is not in my browser, or my network. I could reproduce it from a different machine in a different browser. Next, I tried to reproduce it from an Internet server on the commandline. After grabbing the exact Cookie headers from Firefox (with the Firebug extension), it was possible. (Note: all sensitive data in the following logs, like cookies, is garbled.)

date; curl -sv -H 'Cookie: opensuse_enUserName=Poeml; bblastvisit=1227878957; bblastactivity=0; s_sq=%5D%5D; s_cc=true; sessionhash=392aee91a9d014da0d7; opensuse_en=6eb4a0c94855; opensuse_de=3jtsao6a6jr8mrfm1; ZNP00-opensuse=09a41c; opensuse_deUserName=Poeml; opensuse_enLoggedOut=20081212192257; opensuse_deLoggedOut=20081212213443; IPC8ef153=e3c5b0f; opensuse_deUserID=87; cmTPSet=Y; cm=u2=1104985&pi=User%3APoeml; opensuse_enUserID=32' http://en.opensuse.org/User:Poeml; date
Next was to find out where the hang occurs. The normal way that the request should take is from my client to the iChain servers that are in front of the openSUSE wiki servers, and they should pass it on to one of the servers. (The iChain proxy acts as a reverse proxy, and sends the request to the backend server(s) as if it was the client itself.)

Fortunately, the setup allowed to narrow down the affected webserver to a single one, due to the way that the proxy distributes the requests to the backends.

After configuring iChain to add X-Forwarded-For with the clients real IP address, and configuring Apache to log this header, my hanging request could clearly be seen in the Apache access log. Apache is configured to log an additional client header like this by adding %{x-forwarded-for}i to the log lin template, that’s defined with a LogFormat directive (in /etc/apache2/mod_log_config.conf at our Apache). I just appended it to the end of the line:

LogFormat "%h %l %u %t \"%r\" %>s %b \
\"%{Referer}i\" \"%{User-Agent}i\" %{x-forwarded-for}i"         combined

Now, the next step was to reproduce the hanging request on the local machine. This in order to rule out that the request might be “stuck” in the proxy, before it actually reaches Apache. However, when I did the request from locally (on the web server), it didn’t cause the hang! But a request that is passed through the iChain proxy looks different; it gets additional session state cookies. So it seems like a good idea to capture the actual request headers that Apache sees.

This can be done with Apache’s mod_log_forensic module. This module was written to be able to debug crashes in Apache that are caused by specific requests. Apache generally logs after it completed processing a request. So a fatal request would normally never be logged (if it crashes the Apache process, the parent would log the segmentation fault, but the request cannot be logged anymore). mod_log_forensic logs each request before Apache starts working on it, and adds a unique id to the logfile; and when the request is done, the module logs another line, just with the unique id. So after a crash, one could check with the logfile and find requests that weren’t fully handled. A single directive is needed: ForensicLog /var/log/apache2/forensic_log. (A script that analyzes such a log file is provided as /usr/bin/check_forensic2.)

Incidentally, the module logs all request headers, so it is simple to capture the headers this way that I was interested in:

+6a73:4942cb0e:0|GET / HTTP/1.1|User-Agent:curl/7.15.1 (x86_64-suse-linux) libcurl/7.15.1 OpenSSL/0.9.8a zlib/1.2.3 libidn/0.6.0|Host:de.opensuse.org|Accept:*/*|Connection:close, TE|X-Forwarded-For:|Cookie:opensuse_enUserName=Poeml; bblastvisit=1227878957; bblastactivity=0; rr_t=%25255B55D%25255D; s_cc=true; sessionhash=52aee91a9d014da0d7; opensuse_en=576eb4a0c94855; opensuse_de=ao6a6jr8mrfm1; opensuse_deUserID=87; opensuse_deUserName=Poeml; opensuse_enLoggedOut=20081212192257|TE:chunked, identity, deflate|Via:1.1 ICS_SERVER (iChain 2.3.416)|X-username:poeml|X-email:poeml@novell.com

With those headers, the problem was indeed reproducible locally on the machine. Now, it could be taken off the network (so it doesn’t get any live requests more from users), and I could start to look closer at Apache. Apache uses mod_php, which is executing PHP scripts that implement the wiki functionality, which talk to a backend database, and also talk to a memcache daemon which is used to cache user data and page results, to serve them faster. As one could easily tell with netstat, Apache was talking to both of them.

To look at the timeline of these things happening, strace is useful to trace the system calls that are done. The question, though, is which Apache process to trace?

Normally, “ps axO ppid,wchan | grep httpd” can be used to determine the process which is going to get the next request:

# ps axO ppid,wchan | grep httpd
3614 1 select S ? 00:01:44 httpd2-worker
10921 3614 pipe_w S ? 00:00:12 httpd2-worker
22615 3614 pipe_w S ? 00:00:01 httpd2-worker
23860 3614 skb_re S ? 00:00:27 httpd2-worker
23861 3614 select S ? 00:00:00 httpd2-worker

The child (not parent) which is in select() is the one. However, the above example is from another machine; it turned out that on x86_64, the calls are not showing correctly by “ps”. Thus, I needed to start Apache in single process mode, which avoids the ambiguity. So, we use strace with timestamps (-tt) to start Apache in single process mode:

strace -f -s 1024 -o httpd2.strace -tt /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -DONE_PROCESS -DNO_DETACH &

The trace showed a lot of normal things happening, and at one point during the request processing it starts showing successive leaps of 1 second. The first one is this one:

4059  06:47:54.279227 setsockopt(19, SOL_SOCKET, SO_RCVTIMEO, "\2003\341\1", 16) = 0
4059  06:47:54.280772 sendto(18, "set opensuse_en:pcache:idhash:7452-0!1!0!ISO 8601!0!en!0 1 86400 1183\r\nO:12:\"ParserOutput\":7:{s:5:\"mText\";s:961:\"gt;gt;gt;\ngt;gt;gt;\nYou see me working here\ngt;gt;gt;\nHello!\ngt;gt;I started to work for SuSE in 2000. For some years, I maintained Apache, OpenSSL, DHCP and other packages.\ngt;gt;Today, I maintain the openSUSE gt;download infrastructuregt; and gt;mirror ing frameworkgt;. (Contact address for thay is ftpadmin at suse.de.) Currently I work on metalink support.\ngt;gt;I also work on the gt;Build Servicegt;. I star ted to write gt;oscgt; in the earlier days.\ngt;gt;You\'ll find me on freenode as \"mirrorbrain\" (previously: DuDE)\ngt;\n<!-- Saved in parser cache wi th key opensuse_en:pcache:idhash:7452-0!1!0"..., 1256, MSG_DONTWAIT, NULL, 0) = 1256
4059  06:47:54.281212 poll([{fd=18, events=POLLIN|POLLERR|POLLHUP}], 1, 1000) = 0
4059  06:47:55.285308 poll([{fd=19, events=POLLIN|POLLPRI}], 1, 0) = 0

Some explanations about this. File descriptor 18 is the socket to the memcache daemon, 19 is to mysql. We see a write to memcached, and two poll() calls. The first one is polling on the memcached fd and it’s called with a timeout of 1000 ms. The = 0 means that the call returns 0, and 0 from poll() means that it did run into the timeout. Thus, here’s our one-second-leap. strace logs the timestamps at the start of each call, and thus the following poll happens 1000ms after the other. I was not entirely sure, but I verified it with a tiny test program:

int main() { sleep(1); return 0; }

Thus, PHP is waiting to read from the memcache daemon, and doesn’t get anything to read.

This could happen if the length that PHP intends to write into the memcache is calculated wrongly; http://code.sixapart.com/svn/memcached/trunk/server/doc/protocol.txt explains the protocol, and such a (still hypothetical) issue is easily reproducible when speaking to the memcache daemon:

# telnet localhost 11211
Connected to localhost.
Escape character is '^]'.
set foo 1 60 2 <-- I'm saying '2' bytes will be sent
x <-- I sent only one

Here, both ends will hang and wait forever.

However, this was just a theory, as I was not yet sure if I read the strace 100% correctly, and don’t think on false assumption.

Now, apart from the fact that it was Sunday afternoon, and I had some time to continue debugging it, something unexpected happened:

When I coincidentally logged into the wiki, I got the hang there again – from the live server (other box). Thus, the other server(s) were clearly also affected. But worse, my test case was gone — I could no longer reproduce the issue locally. Oh well! This was unfortunate, because I was just about to capture a better strace, which captures full length, to show the complete and exact memcached communication. I used 8192 bytes of string capture length and got a trace from that. However, 8192 bytes were not enough in the interesting place, and I intended to increase it more, but that was the moment when the problem wasn’t reproducible anymore.

Now, it seemed highly important to fix this, because it seemed to affect all servers; and if it happens during high load in multiple cases then any of the machines might explode pretty soon, because the time that an Apache process handles a requests this way is extremely long, and they accumulate…

So I switched to continue debugging on the live server, this time in a non-intrusive fashion. Still trying to find out whether the communication with mysql or memcached was at fault.

The gathered data seemed consistent so far, but to rule out false assumption, I
wanted to double check it with tcpdump. I took a tcpdump, and dumped the
protocol to align it with the timestamps:

tcpdump -s 8192 -i lo -w poeml-memcached-tcpdump-broken port 11211 &
# another test request
curl ...
# stop the tcpdump
kill %tcp
# look at the trace
tcpdump -X -r poeml-memcached-tcpdump-broken |vi -

Below is an dump that doesn’t show the full packets (-X), but I annotated it with the protocol chatter:

(You need a very wide browser window to view it completely.)

07:43:38.774044 IP localhost.4911 > localhost.11211: S 4021632256:4021632256(0) win 32767 
07:43:38.774087 IP localhost.11211 > localhost.4911: S 4017670477:4017670477(0) ack 4021632257 win 32767 
07:43:38.774115 IP localhost.4911 > localhost.11211: . ack 1 win 8192 
07:43:38.774227 IP localhost.4911 > localhost.11211: P 1:29(28) ack 1 win 8192                get get.opensuse_en:user:id:32
07:43:38.774251 IP localhost.11211 > localhost.4911: . ack 29 win 8192 
07:43:38.774320 IP localhost.11211 > localhost.4911: P 1:941(940) ack 29 win 8192             VALUE ... END
07:43:38.774362 IP localhost.4911 > localhost.11211: . ack 941 win 8662 
07:43:38.775164 IP localhost.4911 > localhost.11211: P 29:44(15) ack 941 win 8662             get lag_times
07:43:38.775211 IP localhost.11211 > localhost.4911: P 941:946(5) ack 44 win 8192             END
07:43:38.777246 IP localhost.4911 > localhost.11211: P 44:111(67) ack 946 win 8662            set lag_times
07:43:38.777311 IP localhost.11211 > localhost.4911: P 946:954(8) ack 111 win 8192            STORED
07:43:38.814846 IP localhost.4911 > localhost.11211: . ack 954 win 8662 
07:43:38.829412 IP localhost.4911 > localhost.11211: P 111:1046(935) ack 954 win 8662         set set.opensuse_en:user:id:32
07:43:38.829468 IP localhost.11211 > localhost.4911: P 954:962(8) ack 1046 win 8660           STORED
07:43:38.829487 IP localhost.4911 > localhost.11211: . ack 962 win 8662 
07:43:38.845369 IP localhost.4911 > localhost.11211: P 1046:1104(58) ack 962 win 8662         get get.opensuse_en:pcache:idhash:7452-0!1!0!ISO.8601!0!en!0
07:43:38.845421 IP localhost.11211 > localhost.4911: P 962:967(5) ack 1104 win 8660           END
07:43:38.845520 IP localhost.4911 > localhost.11211: P 1104:1149(45) ack 967 win 8662         incr opensuse_en:stats:pcache_miss_absent 1
07:43:38.845572 IP localhost.11211 > localhost.4911: P 967:972(5) ack 1149 win 8660           622
07:43:38.846039 IP localhost.4911 > localhost.11211: P 1149:1175(26) ack 972 win 8662         get get.opensuse_en:messages
07:43:38.846087 IP localhost.11211 > localhost.4911: P 972:2372(1400) ack 1175 win 8660       VALUE
07:43:38.846138 IP localhost.11211 > localhost.4911: . 2372:18756(16384) ack 1175 win 8660 
07:43:38.846150 IP localhost.4911 > localhost.11211: . ack 18756 win 12332 
07:43:38.846183 IP localhost.11211 > localhost.4911: P 18756:34486(15730) ack 1175 win 8660   VALUE (cntd.)             *** no END yet! ***
07:43:38.861524 IP localhost.4911 > localhost.11211: P 1175:2431(1256) ack 34486 win 12332    set opensuse_en:pcache:idhash:7452-0!1!0!ISO.8601!0!en!0 1 86400 1183
07:43:38.898856 IP localhost.11211 > localhost.4911: . ack 2431 win 8660 
07:43:39.863552 IP localhost.4911 > localhost.11211: P 2431:2479(48) ack 34486 win 12332      get opensuse_en:watchlist:user:32:page:2:Poeml
07:43:39.863576 IP localhost.11211 > localhost.4911: . ack 2479 win 8660 
07:43:40.867489 IP localhost.4911 > localhost.11211: P 2479:2536(57) ack 34486 win 12332      set opensuse_en:watchlist:user:32:page:2:Poeml
07:43:40.867508 IP localhost.11211 > localhost.4911: . ack 2536 win 8660 
07:43:41.908938 IP localhost.4911 > localhost.11211: P 2536:2579(43) ack 34486 win 12332      get opensuse_en:messages:Project_Overview
07:43:41.908966 IP localhost.11211 > localhost.4911: . ack 2579 win 8660 
07:43:42.908826 IP localhost.4911 > localhost.11211: P 2579:2622(43) ack 34486 win 12332      get opensuse_en:messages:Project.Overview
07:43:42.908854 IP localhost.11211 > localhost.4911: . ack 2622 win 8660 
07:43:43.915679 IP localhost.4911 > localhost.11211: P 2622:2667(45) ack 34486 win 12332      get opensuse_en:messages:How_to_Participate
07:43:43.915706 IP localhost.11211 > localhost.4911: . ack 2667 win 8660 
07:43:44.927676 IP localhost.4911 > localhost.11211: P 2667:2712(45) ack 34486 win 12332      get opensuse_en:messages:How.to.Participate
07:43:44.927703 IP localhost.11211 > localhost.4911: . ack 2712 win 8660 
07:43:45.934733 IP localhost.4911 > localhost.11211: P 2712:2752(40) ack 34486 win 12332      get opensuse_en:messages:Documentation
07:43:45.934759 IP localhost.11211 > localhost.4911: . ack 2752 win 8660 
07:43:46.942543 IP localhost.4911 > localhost.11211: P 2752:2792(40) ack 34486 win 12332      get opensuse_en:messages:Documentation
07:43:46.942568 IP localhost.11211 > localhost.4911: . ack 2792 win 8660 
07:43:47.945386 IP localhost.4911 > localhost.11211: P 2792:2830(38) ack 34486 win 12332      get opensuse_en:messages:Communicate

Observing at the timestamps, we see a protocol desynchronization happening which makes the rest of the communication stuck (only failed gets follow).

Where does it happen? I checked the (memcache value) length that PHP gives, and it is correct, and reflects the actual data length that it sends. When it claimed (somewhere else) to send 1183 bytes, it actually sent 1183 bytes. So, the

> get get.opensuse_en:messages
> VALUE (cntd.)             *** no END yet! ***

part may actually be a false alarm, which could happen if the snap
length of the tcp dump was too small. (It was 8192.)

Indeed, when I did another dump with maximal snaplength (64k), it showed the “get” reading the complete VALUE, including the trailing “END” line that memache daemon appends.

Thus, the subsequent command could be at fault. And indeed it is the culprit. Look at the trace:

09:21:04.921611 IP localhost.4720 > localhost.11211: P 1176:2432(1256) ack 34487 win 12332 
        0x0000:  4500 051c 77e6 4000 4006 bff3 7f00 0001  E...w.@.@.......
        0x0010:  7f00 0001 1270 2bcb 5f1c dd2e 5fd5 8ada  .....p+._..._...
        0x0020:  8018 302c 061c 0000 0101 080a 172e af66  ..0,...........f
        0x0030:  172e af61 7365 7420 6f70 656e 7375 7365  ...aset.opensuse
        0x0040:  5f65 6e3a 7063 6163 6865 3a69 6468 6173  _en:pcache:idhas
        0x0050:  683a 3734 3532 2d30 2131 2130 2149 534f  h:7452-0!1!0!ISO
        0x0060:  2038 3630 3121 3021 656e 2130 2031 2038  .8601!0!en!0.1.8
        0x0070:  3634 3030 2031 3138 330d 0a4f 3a31 323a  6400.1183..O:12:
        0x0080:  2250 6172 7365 724f 7574 7075 7422 3a37  "ParserOutput":7
        0x0090:  3a7b 733a 353a 226d 5465 7874 223b 733a  :{s:5:"mText";s:
        0x00a0:  3936 313a 223c 703e 3c62 7220 2f3e 0a3c  961:ou.see.me.wo
        0x0110:  726b 696e 6720 6865 7265 0a3c 2f70 3e3c  rking.here..Hell
        0x0130:  3c2f 703e 3c70 3e49 2073 7461 7274 6564  ./p..p.I.started
        0x0140:  2074 6f20 776f 726b 2066 6f72 2053 7553  .to.work.for.SuS
        0x0150:  4520 696e 2032 3030 302e 2046 6f72 2073  E.in.2000..For.s
        0x0160:  6f6d 6520 7965 6172 732c 2049 206d 6169  ome.years,.I.mai
        0x0170:  6e74 6169 6e65 6420 4170 6163 6865 2c20  ntained.Apache,.
        0x0180:  4f70 656e 5353 4c2c 2044 4843 5020 616e  OpenSSL,.DHCP.an
        0x0190:  6420 6f74 6865 7220 7061 636b 6167 6573  d.other.packages
        0x01a0:  2e0a 3c2f 703e 3c70 3e54 6f64 6179 2c20  .../p..p.Today,.
        0x01b0:  4920 6d61 696e 7461 696e 2074 6865 206f  I.maintain.the.o
        0x01c0:  7065 6e53 5553 4520 3c61 2068 7265 663d  penSUSE..a.dow
        0x0210:  6e6c 6f61 6420 696e 6672 6173 7472 7563  nload.infrastruc
        0x0220:  7475 7265 3c2f 613e 2061 6e64 203c 6120  ture./a..and..a.
        0x0270:  6f72 696e 6720 6672 616d 6577 6f72 6b3c  oring.framework.
        0x0290:  6472 6573 7320 666f 7220 7468 6179 2069  dress.for.thay.i
        0x02a0:  7320 6674 7061 646d 696e 2061 7420 7375  s.ftpadmin.at.su
        0x02b0:  7365 2e64 652e 2920 4375 7272 656e 746c  se.de.).Currentl
        0x02c0:  7920 4920 776f 726b 206f 6e20 6d65 7461  y.I.work.on.meta
        0x02d0:  6c69 6e6b 2073 7570 706f 7274 2e0a 3c2f  link.support...p
        0x02f0:  206f 6e20 7468 6520 3c61 2068 7265 663d  .on.the..a.Build
        0x0330:  7669 6365 3c2f 613e 2e20 4920 7374 6172  vice./a...I.star
        0x0340:  7465 6420 746f 2077 7269 7465 203c 6120  ted.to.write..a.
        0x0390:  6865 2065 6172 6c69 6572 2064 6179 732e  he.earlier.days.
        0x03a0:  0a3c 2f70 3e3c 703e 596f 7527 6c6c 2066  ../p..p.You'll.f
        0x03b0:  696e 6420 6d65 206f 6e20 6672 6565 6e6f  ind.me.on.freeno
        0x03c0:  6465 2061 7320 226d 6972 726f 7262 7261  de.as."mirrorbra
        0x03d0:  696e 2220 2870 7265 7669 6f75 736c 793a  in".(previously:
        0x03e0:  2044 7544 4529 0a3c 2f70 3e0a 3c21 2d2d  .DuDE)../p...";s
        0x0470:  616e 6775 6167 654c 696e 6b73 223b 613a  anguageLinks";a:
        0x0480:  303a 7b7d 733a 3134 3a22 6d43 6174 6567  0:{}s:14:"mCateg
        0x0490:  6f72 794c 696e 6b73 223b 613a 303a 7b7d  oryLinks";a:0:{}
        0x04a0:  733a 3137 3a22 6d43 6f6e 7461 696e 734f  s:17:"mContainsO
        0x04b0:  6c64 4d61 6769 6322 3b62 3a30 3b73 3a31  ldMagic";b:0;s:1
        0x04c0:  303a 226d 4361 6368 6554 696d 6522 3b73  0:"mCacheTime";s
        0x04d0:  3a31 343a 2232 3030 3831 3231 3431 3632  :14:"20081214162
        0x04e0:  3130 3422 3b73 3a38 3a22 6d56 6572 7369  104";s:8:"mVersi
        0x04f0:  6f6e 223b 733a 353a 2231 2e35 2e30 223b  on";s:5:"1.5.0";
        0x0500:  733a 3130 3a22 6d54 6974 6c65 5465 7874  s:10:"mTitleText
        0x0510:  223b 733a 303a 2222 3b7d 0d0a            ";s:0:"";}..
09:21:04.962876 IP localhost.11211 > localhost.4720: . ack 2432 win 8660 
        0x0000:  4500 0034 ab75 4000 4006 914c 7f00 0001  E..4.u@.@..L....
        0x0010:  7f00 0001 2bcb 1270 5fd5 8ada 5f1c e216  ....+..p_..._...
        0x0020:  8010 21d4 5f95 0000 0101 080a 172e af70  ..!._..........p
        0x0030:  172e af66                                ...f
09:21:05.930092 IP localhost.4720 > localhost.11211: P 2432:2480(48) ack 34487 win 12332 
        0x0000:  4500 0064 77e7 4000 4006 c4aa 7f00 0001  E..dw.@.@.......
        0x0010:  7f00 0001 1270 2bcb 5f1c e216 5fd5 8ada  .....p+._..._...
        0x0020:  8018 302c 3bd2 0000 0101 080a 172e b062  ..0,;..........b
        0x0030:  172e af70 6765 7420 6f70 656e 7375 7365  ...pget.opensuse
        0x0040:  5f65 6e3a 7761 7463 686c 6973 743a 7573  _en:watchlist:us
        0x0050:  6572 3a33 323a 7061 6765 3a32 3a50 6f65  er:32:page:2:Poe
        0x0060:  6d6c 0d0a                                ml..

Looks normal, except that the memcached reply is an empty TCP ACK, without the “STORED” confirmation. And we see the next command already being issued, which is the first in the series of those that are never replied to.

So what’s wrong?

The command that PHP sends is broken. By the protocol specs, the key names must not contain spaces. The syntax is:

set key flags ttl length

But as the above trace shows, the command _does_ contain a space:

set opensuse_en:pcache:idhash:7452-0!1!0!ISO 8601!0!en!0 1 86400 1183\r\n

This turns the command, that intends to write 1183 bytes of data, into one that indicates to memcached it’ll write 86400 bytes of data.

Of course, these will never be sent, and memcached will hang forever, eating all further commands up as perceived data, and never reply in this connection.

Thus, the wiki uses keys that are not suitable, while the PHP memcache implementation expects them to be valid.

09:21:04.921611 IP localhost.4720 > localhost.11211: P 1176:2432(1256) ack 34487 win 12332 
        0x0000:  4500 051c 77e6 4000 4006 bff3 7f00 0001  E...w.@.@.......
        0x0010:  7f00 0001 1270 2bcb 5f1c dd2e 5fd5 8ada  .....p+._..._...
        0x0020:  8018 302c 061c 0000 0101 080a 172e af66  ..0,...........f
        0x0030:  172e af61 7365 7420 6f70 656e 7375 7365  ...aset.opensuse         # set opensuse_en:pcache:idhash:7452-0!1!0!ISO 8601!0!en!0 1 86400 1183
        0x0040:  5f65 6e3a 7063 6163 6865 3a69 6468 6173  _en:pcache:idhas                                                               ^
        0x0050:  683a 3734 3532 2d30 2131 2130 2149 534f  h:7452-0!1!0!ISO
        0x0060:  2038 3630 3121 3021 656e 2130 2031 2038  .8601!0!en!0.1.8
        0x0070:  3634 3030 2031 3138 330d 0a4f 3a31 323a  6400.1183..O:12:         # claims it'll write 1183 bytes. And it does so
        0x0080:  2250 6172 7365 724f 7574 7075 7422 3a37  "ParserOutput":7
        0x0090:  3a7b 733a 353a 226d 5465 7874 223b 733a  :{s:5:"mText";s:
        0x00a0:  3936 313a 223c 703e 3c62 7220 2f3e 0a3c  961:"t;img.src="

So, I fixed the PHP memcache client to sanitize all memcache keys before usage, replacing spaces with underscores.
The fix looks like this:

function sanitize_key($key) {
    /* make sure there are no spaces in the key
       otherwise, it'll lead to a protocol desynchronization, with beautiful hangs
       poeml, Sun Dec 14 10:24:12 MST 2008 */
    $key = str_replace(" ", "_", $key);
    return $key;

/* and then in all places where keys are used: */
    $key = $this->sanitize_key($key);

Indeed, with the sanitized memcache keys, the problem is immediately fixed!

To verify the effectiveness of the patch, I run tcpdump in the background, with ‘grep -A3 opensuse’ attached, to basically limit the output to show the key values:

Before :
        0x0030:  1748 336d 6765 7420 6f70 656e 7375 7365  .H3mget.opensuse
        0x0040:  5f65 6e3a 7063 6163 6865 3a69 6468 6173  _en:pcache:idhas
        0x0050:  683a 3734 3532 2d30 2131 2130 2149 534f  h:7452-0!1!0!ISO
        0x0060:  2038 3630 3121 3021 656e 2130 0d0a       .8601!0!en!0..
        0x0030:  1748 62d3 6765 7420 6f70 656e 7375 7365  .Hb.get.opensuse
        0x0040:  5f65 6e3a 7063 6163 6865 3a69 6468 6173  _en:pcache:idhas
        0x0050:  683a 3734 3532 2d30 2131 2130 2149 534f  h:7452-0!1!0!ISO
        0x0060:  5f38 3630 3121 3021 656e 2130 0d0a       _8601!0!en!0..

A simple bug, in the end. Luckily, with a trivial fix. But quite a long way to go to find it.
And I hope this writeup is useful.

Setting up a simple router

December 10th, 2008 by

Today I spent the best part of the morning to configure a SLES 10 SP2 server as a simple router. I googled quite a lot and could not find a nice and concise post on how to configure SLES 10 as a simple router, so I thought I’ll write up my experiences in the hopes that it will help someone. Although this was done on SLES 10 I am pretty sure it will apply to openSUSE as well.

My setup is as follows: Local lan is and I want a private lan on so that I can run stuff like DHCP and PXE without upsetting everyone on the network. I have a SLES 10 server with 2 network cards: eth1 connected to the local lan and eth0 connected to my private switch. The local lan is connected via ADSL to the Internet and I need my private network to also be able to connect to the Internet.


small Qt based mail biff

September 8th, 2008 by

Some days ago I was asked what this little button bar on my desktop is and I explained that it’s only a small program I wrote to keep track on my mail folders. I know there are many many programs out there which already does the same but for some reason he liked it and encouraged me to blog about it 🙂

qbiff runs as a server client application and is able to manage mails stored in the maildir format. The server should run on the machine which locally stores the data and the client or multiple of them can run on the desktop you have an eye on. The connection(s) between the server and the client(s) are SSL connections, even though there is no mailcontent which is transfered the information how many mails, how many new ones and what mail folders exists might be an information not everybody needs to know about… so I chose a secure connection 😉

If the file .qbiffrc exists the user can control which mail folders should be checked, if the file doesn’t exist all folders the server finds at start up will be used. Each folder is represented by a button. Whenever a new mail arrives the button changes its color and notifies the user with a tip window about the current mail situation of this folder. A click on the button runs a user defined program whereas the first parameter is the path and name of the folder. In my setup I call mutt respectively to read the mail in the folder

So it looks basically like this…

Packages can be found in my home Project at:

  • http://download.opensuse.org/repositories/home:/sax2
  1. Install the package qbiffd on your server
  2. Install the package qbiff on your client, server and client could be the same machine
  3. Edit the file /etc/sysconfig/qbiff on the server and setup at least the  QBIFF_USER which should be the same user the mails belong to and the QBIFF_FOLDER which is the base directory of your mails
  4. Run the server by calling rcqbiffd start
  5. Run the client by calling qbiff-client. The default password for the SSL certificates is “linux
  6. click on a folder button and read the note about how to setup a personal mail reader script

If you want to create your own certificates you need to check out the code at

  • svn co https://svn.berlios.de/svnroot/repos/qbiff/qbiff-head .

and run the following commands:

  1. cd cert-server && make distclean && make
  2. cd ../cert-client && make distclean && make
  3. cd ..
  4. ./.certinstall on the server and the client