Colors of Noise

agx@sigxcpu.org

Debian Fun in May 2016
10th June 2016

Debian LTS

May marked the thirteenth month I contributed to Debian LTS under the Freexian umbrella. I spent the 17.25 hours working on these LTS things:

Other Debian stuff

Tags: debian, planetdebian.
Debian Fun in April 2016
8th May 2016

Debian LTS

April marked the twelfth month I contributed to Debian LTS under the Freexian umbrella. I only spent 2 hours (instead of expected 11,25) working on LTS things:

The missing hours will be caught up during May - hopefully also by working on a QEMU/libvirt update in Wheezy should there be any interest - so I've you're relying on QEMU/KVM in wheezy now would be a good time to comment on it.

Other Debian things

Tags: debian, planetdebian.
Debian Fun in March 2016
9th April 2016

Debian LTS

March was the eleventh month I contributed to Debian LTS under the Freexian umbrella. In total I spent 13 hours (of allocated 11.00 + 5.25h from last month) working on preparing for wheezy-lts:

Other Debian things

Tags: debian, planetdebian.
More sandboxing
25th March 2016

More sandboxing

When working on untrusted code or data it's impossible to predict what happens when one does a:

bundle install --path=vendor

or

npm install

Does this phone out your private SSH and GPG keys? Does a

evince Downloads/justdownloaded.pdf

try to exploit the PDF viewer? While you can run stuff in separate virtual machines this can get cumbersome. libvirt-sandbox to the rescue! It allows to sandbox applications using libvirt's virtualization drivers. It took us a couple of years (The ITP is from 2012) but we finally have it in Debian's NEW queue. When libvirt-sandbox creates a sandbox it uses your root filesystem mounted read only by default so you have access to all installed programs (this can be changed with the --root option though). It can use either libvirt's QEMU or LXC drivers. We're using the later in the examples below:

So in order to make sure the above bundler call has no access to your $HOME you can use:

sudo virt-sandbox \
   -m ram:/tmp=10M \
   -m ram:$HOME=10M \
   -m ram:/var/run/screen=1M \
   -m host-bind:/path/to/your/ruby-stuff=/path/to/your/ruby-stuff \
   -c lxc:/// \
   -S $USER \
   -n rubydev-sandbox \
   -N dhcp,source=default \
   /bin/bash

This will make your $HOME unaccessible by mounting a tmpfs over it and using separate network, ipc, mount, pid and utc namespaces allowing you to invoke bundler with less worries. /path/to/your/ruby-stuff is bind mounted read-write into the sandbox so you can change files there. Bundler can fetch new gems using libvirt's default network connection.

And for the PDF case:

sudo virt-sandbox \
  -m ram:$HOME=10M \
  -m ram:/dev/shm=10M \
  -m host-bind:$HOME/Downloads=$HOME/Downloads \
  -c lxc:/// \
  -S $USER \
  -n evince-sandbox \
  --env="DISPLAY=:0" \
  --env="XAUTHORITY=$XAUTHORITY" \
  /usr/bin/evince Downloads/justdownloaded.pdf

Note that the above example shares /tmp with the sandbox in order to give it access to the X11 socket. A better isolation can probably be achieved using xpra or xvnc but I haven't looked into this yet.

Besides the command line program virt-sandbox there's also the library libvirt-sandbox which makes it simpler to build new sandboxing applications. We're not yet shipping virt-sandbox-service (a tool to provision sandboxed system services) in the Debian packages since it's RPM distro specific. Help on porting this to Debian is greatly appreciated.

Tags: debian, libvirt, planetdebian, planetfsfe.
Contatacs, CardDAV, Calypso and the N900
9th March 2016

As a follow up to calendar synchronisation with calypso, syncevolution and the N900 running maemo I finally added contacts to the mix:

on the phone

When you have the calendar sync already running it's as simple as:

First start ssh on the n900 to ease typing:

apt-get install dropbear
echo /bin/sh >> /etc/shells
cd /etc/dropbear && ./run

SSH into the phone and configure contacts synchronization:

cat <<EOF > ~/.config/syncevolution/webdav/sources/addressbook/config.ini
backend = CardDAV
database = https://carddav.example.com/contacts/username
EOF

And perform the initial sync:

syncevolution --sync slow webdav addressbook

From there on you can sync contacts and calendars in one go with:

syncevoluton webdav

Looking at the calypso logs on the server it seems that syncevoluton does not always generate an FN entry and so the card gets skipped. This doesn't harm the overall sync, but I need to have a look how to fix this.

on the laptop

In order to use the contacts im mutt there's pycarddav packaged in Debian. This is basically following upstreams documentation.

sudo apt-get install pycarddav
mkdir -p ~/.config/pycard
cp /usr/share/doc/pycarddav/examples/pycard.conf.sample ~/.config/pycard/pycard.conf
# Edit file as needed

cat ~/.config/pycard/pycard.conf
[Account username]
user: username
resource: https://carddav.example.com/
write_support = YesPleaseIDoHaveABackupOfMyData

[query]
where: vcard

[sqlite]

[default]
debug: False

To use the entries in mutt add the just extend your .muttrc:

cat <<EOF >>~/.muttrc
set query_command="pc_query -m %s"
macro index,pager B "<pipe-message>pycard-import<enter>" "add sender address to pycardsyncer"
EOF

This allows you to query contacts using Q and add new conatcs with CTRL-B in mutt's index and pager.

Calypso Changes

We recently moved calypso's git repository to alioth and started to merge several out of tree patches. More will happen during this years Debian Groupware Meeting including a new upload to Debian.

Tags: groupware, maemo, planetdebian, planetfsfe.
Debian Fun in February 2016
8th March 2016

Debian LTS

February was the tenth month I contributed to Debian LTS under the Freexian umbrella. In total I spent 7 hours (of allocated 11.15 hours) working on squeeze-lts:

… and to make sure we have fewer issues that are fixed in squeeze-lts but affect wheezy …

On non LTS time I cooked up a script to make it simpler to check if a package has security support in a certain release.

Now that squeeze-lts is history I'd like to thank the Debian Security Team for their help and answers to all the questions related to security tracker, DSAs, DLAs and whatnot. I'm looking forward to wheezy-lts now…

Other Debian stuff

Tags: debian, planetdebian.
Debian Fun in January 2016
10th February 2016

Debian LTS

January was the ninth month I contributed to Debian LTS under the Freexian umbrella. In total I spent 13 hours working on:

There was no progress on using the same nss in all suites. This will continue in February as does the Squeeze-lts Wheezy forward porting.

Other Debian stuff

Tags: debian, planetdebian.
Debian Fun in December 2015
9th January 2016

Debian LTS

December was the eighth month I contributed to Debian LTS under the Freexian umbrella. It was a bit of a funny month since most of the time most open CVEs were already taken care of by other team members (which is nice) but it resulted in me not releasing a single DLA which feels weird.

Nevertheless in total I spent nine hours working on:

On unpaid time I introduced some usertags for tracking our non DLA related activities (although it seems I'm currently the only user).

Other Debian stuff

Tags: debian, planetdebian.
Creating views in Jenkins using jenkins-job-builder-addons
14th December 2015

I'm often using jenkins-job-builder to automatically create jenkins jobs since writing them in YAML is more comfortable then doing large amounts of jobs in the GUI, it serves consistency and helps automation.

For views and build pipelines I so far resorted to other tools (like templates in the config management tool at use) but now there's jenkins-job-builder-addons by jimbydamonk. Creating a delivery pipeline view and the "All" view then gets as simple as:

- job:
    name: MyApp
    project-type: folder
    views:
      - delivery_pipeline:
          filter-executors: false
          filter-queue: false
          folder: true
          components:
            - name: Deploy
              first-job: app-deploy-test
          name: myapp-deploy-pipeline
          build-view-title: "MyApp Deploy Pipeline"
          number-of-pipelines: 3
          show-aggregated-pipeline: true
          number-of-columns: 1
          sorting: none
          show-avatars: false
          update-interval: 1
          allow-manual-triggers: true
          show-total-buildtime: true
          allow-rebuild: true
          allow-pipeline-start: true
      - all:
         folder: true
         name: All

This also uses the folder plugin to make sure the views end up in separate files. It currently needs a slightly patched jenkins-job-builder with this patch applied.

Putting this here since I hit jenkins-job-builder-addons mostly by accident. Once jenkins-job-builder catched up I'll look into packaging this for Debian.

Tags: continuous-delivery, jenkins, planetdebian.
Running ansible's integration tests
9th December 2015

ansible is a great tool for deployments. While it doesn't ship that many unit tests it comes with heaps of integration tests that can be run using:

git submodule update --init
. hacking/env-setup
cd test/integration
make

after cloning the repo from here.

However when working on individual parts one often only wants to test a single role. This can be done via:

git submodule update --init
. hacking/env-setup
cd test/integration
ansible-playbook -e @integration_config.yml -i"testhost," -c local test_filters.yml

when e.g. working on some new filers or when you want to run one of the destructive modules, test_apt in this case:

git submodule update --init
. hacking/env-setup
cd test/integration
# Destructive tests usually need sudo
sudo ansible-playbook -e @integration_config.yml -i"testhost," -c local destructive.yml --tags=test_apt

The list of available tags can be ssen in test/integration/destructive.yml.

Just putting it here since I just found myself digging this out the second time.

Tags: ansible, continuous-delivery, planetdebian.

RSS feed

Created by Chronicle