Colors of Noise

Entries tagged "planetfsfe".

Foreman's Ansible integration
19th August 2016

Judging from some recent discussions, it seems not to be widely known that Foreman (a lifecycle tool for your virtual machines) integrates well not only with Puppet but also with Ansible. This is a list of tools I find useful in this regard:

There's also support for triggering Ansible runs from within Foreman itself but I've not used that so far.

Tags: ansible, planetdebian, planetfsfe, theforeman.
More sandboxing
25th March 2016

When working on untrusted code or data it's impossible to predict what happens when one does a:

bundle install --path=vendor


npm install

Does this phone out your private SSH and GPG keys? Does a

evince Downloads/justdownloaded.pdf

try to exploit the PDF viewer? While you can run stuff in separate virtual machines this can get cumbersome. libvirt-sandbox to the rescue! It allows you to sandbox applications using libvirt's virtualization drivers. It took us a couple of years (the ITP is from 2012) but we finally have it in Debian's NEW queue. When libvirt-sandbox creates a sandbox it uses your root filesystem mounted read-only by default, so you have access to all installed programs (this can be changed with the --root option though). It can use either libvirt's QEMU or LXC drivers. We're using the latter in the examples below:

So in order to make sure the above bundler call has no access to your $HOME you can use:

sudo virt-sandbox \
   -m ram:/tmp=10M \
   -m ram:$HOME=10M \
   -m ram:/var/run/screen=1M \
   -m host-bind:/path/to/your/ruby-stuff=/path/to/your/ruby-stuff \
   -c lxc:/// \
   -S $USER \
   -n rubydev-sandbox \
   -N dhcp,source=default \

This will make your $HOME inaccessible by mounting a tmpfs over it and using separate network, ipc, mount, pid and uts namespaces, allowing you to invoke bundler with fewer worries. /path/to/your/ruby-stuff is bind mounted read-write into the sandbox so you can change files there. Bundler can fetch new gems using libvirt's default network connection.

And for the PDF case:

sudo virt-sandbox \
  -m ram:$HOME=10M \
  -m ram:/dev/shm=10M \
  -m host-bind:$HOME/Downloads=$HOME/Downloads \
  -c lxc:/// \
  -S $USER \
  -n evince-sandbox \
  --env="DISPLAY=:0" \
  /usr/bin/evince Downloads/justdownloaded.pdf

Note that the above example shares /tmp with the sandbox in order to give it access to the X11 socket. A better isolation can probably be achieved using xpra or xvnc but I haven't looked into this yet.

Besides the command line program virt-sandbox there's also the library libvirt-sandbox which makes it simpler to build new sandboxing applications. We're not yet shipping virt-sandbox-service (a tool to provision sandboxed system services) in the Debian packages since it's RPM distro specific. Help on porting this to Debian is greatly appreciated.

Tags: debian, libvirt, planetdebian, planetfsfe.
Contacts, CardDAV, Calypso and the N900
9th March 2016

As a follow up to calendar synchronisation with calypso, syncevolution and the N900 running maemo I finally added contacts to the mix:

on the phone

When you have the calendar sync already running it's as simple as:

First start ssh on the n900 to ease typing:

apt-get install dropbear
echo /bin/sh >> /etc/shells
cd /etc/dropbear && ./run

SSH into the phone and configure contacts synchronization:

cat <<EOF > ~/.config/syncevolution/webdav/sources/addressbook/config.ini
backend = CardDAV
database =
EOF

And perform the initial sync:

syncevolution --sync slow webdav addressbook

From there on you can sync contacts and calendars in one go with:

syncevolution webdav

Looking at the calypso logs on the server it seems that syncevolution does not always generate an FN entry and so the card gets skipped. This doesn't harm the overall sync, but I need to have a look at how to fix this.

on the laptop

In order to use the contacts in mutt there's pycarddav packaged in Debian. This is basically following upstream's documentation.

sudo apt-get install pycarddav
mkdir -p ~/.config/pycard
cp /usr/share/doc/pycarddav/examples/pycard.conf.sample ~/.config/pycard/pycard.conf
# Edit file as needed

cat ~/.config/pycard/pycard.conf
[Account username]
user: username
write_support = YesPleaseIDoHaveABackupOfMyData

where: vcard


debug: False

To use the entries in mutt, just extend your .muttrc:

cat <<EOF >>~/.muttrc
set query_command="pc_query -m %s"
macro index,pager B "<pipe-message>pycard-import<enter>" "add sender address to pycardsyncer"
EOF

This allows you to query contacts using Q and add new contacts with CTRL-B in mutt's index and pager.

Calypso Changes

We recently moved calypso's git repository to alioth and started to merge several out of tree patches. More will happen during this year's Debian Groupware Meeting including a new upload to Debian.

Tags: groupware, maemo, planetdebian, planetfsfe.
whatmaps 0.0.9
18th January 2015

I have released whatmaps 0.0.9, a tool to check which processes map shared objects of a certain package. It can integrate into apt to automatically restart services after a security upgrade.

This release fixes the integration with recent systemd (as in Debian Jessie), makes logging more consistent and eases integration into downstream distributions. It's available in Debian Sid and Jessie and will show up in Wheezy-backports soon.

This blog is flattr enabled.

Tags: debian, planetdebian, planetfsfe, planetgnome, whatmaps.
krb5-auth-dialog 3.15.4
17th January 2015

To keep up with GNOME's schedule I've released krb5-auth-dialog 3.15.4. Besides updated translations, the replacement of deprecated GTK+ widgets, minor UI cleanups and bug fixes, the changes in 3.15.1 and 3.15.4 include a header bar fix that makes us use header bar buttons only if the desktop environment has them enabled:

[Screenshots: krb5-auth-dialog with header bar; krb5-auth-dialog without header bar]

This makes krb5-auth-dialog better integrated into other desktops again thanks to mclasen's awesome work.

Tags: gnome, planetdebian, planetfsfe, planetgnome.
Testing a NetworkManager VPN plugin password dialog
12th October 2014

Testing the password dialog of a NetworkManager VPN plugin is as simple as:

echo -e 'DATA_KEY=foo\nDATA_VAL=bar\nDONE\nQUIT\n' | ./auth-dialog/nm-iodine-auth-dialog -n test -u $(uuid) -i

The above is for the iodine plugin when run from the built source tree. This allows one to test these dialogs even though one hasn't seen them in ages, since GNOME Shell uses the external UI mode to query for the password.

Tags: gnome, planetdebian, planetfsfe, planetgnome.
Bits from the 7th Debian groupware meeting
29th April 2014

The seventh Debian Groupware Meeting was held in the LinuxHotel, Essen, Germany. We had one remote hacker from NYC which brings the number of attendees up to 9. This is a short summary of what happened during the weekend:

Since we had a nice mix of first time Debian contributors, Debian Maintainers and Debian Developers we had lots of room for discussion and co-working which made this an exciting weekend.

Group photo by Carsten Schönert

Tags: debian, planetdebian, planetfsfe.
Truncating git history
21st February 2014

When starting to work on a new project I start from an empty git repository right away so I can try out different ideas, revert easily, diff against old versions (to check if I missed something) and have a commit history to record fixmes and todos. However, when making the repo public these things are not of much interest anymore so I truncate the history. To be on the safe side I want to keep that history locally though. Assuming the repo is on master, I do:

# 1.) Move the old master out of the way
git branch -m master oldmaster
# 2.) Get the current tree at HEAD
tree=$(git rev-parse HEAD^{tree})
# 3.) Create a new commit without ancestry
commit=$(git commit-tree -m "Initial commit" $tree)
# 4.) Make this the new master
git branch master $commit
# 5.) Switch to the new branch
git checkout master

Done. One can now add a remote and push the master branch. The old history is still there locally on the completely detached commit history ending at oldmaster:

$ git log --pretty=short --graph --decorate master oldmaster

* commit d5cf3371eaefbaa8efac10c0fb9e7597da17b423 (HEAD, master)
  Author: Guido Günther <>

      Initial commit

* commit 64103ff72bde13d7ec4cf0489ad2a80f3ac249d3 (oldmaster)
| Author: Guido Günther <>
|     Another uninteresting commit message
* commit bd7332a79380bb217eca09cbd7f6ff0e5174deb8
| Author: Guido Günther <>
|     Uninteresting commit message
... <more old history>

Update: Uli Heller pointed out that this is the same as using git checkout's --orphan option.
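
The truncation only helps if the old commits stay out of what gets pushed. The following check is an added example, not part of the original post: it confirms that master is a single parentless commit with the same tree as oldmaster. The function names and the scratch repository are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: verify a truncated branch before publishing it.
# check_truncated and demo are hypothetical names; the scratch repository
# and its contents are constructed.

# check_truncated NEW OLD: succeed only if NEW is a single parentless
# commit, has the same tree as OLD and shares no commit with OLD.
check_truncated() {
    new=$1
    old=$2
    if [ "$(git rev-list --count "$new")" != 1 ]; then
        echo "FAIL: $new still carries history" >&2
        return 1
    fi
    if [ "$(git rev-parse "$new^{tree}")" != "$(git rev-parse "$old^{tree}")" ]; then
        echo "FAIL: $new and $old differ in content" >&2
        return 1
    fi
    if git merge-base "$new" "$old" >/dev/null 2>&1; then
        echo "FAIL: $new is part of the history of $old" >&2
        return 1
    fi
}

# demo: replay the steps above in a scratch repository, then run the check.
demo() (
    cd "$(mktemp -d)" || exit 1
    git init -q . || exit 1
    git config user.name "Example Dev"
    git config user.email dev@example.invalid
    echo "FIXME: remove test token" > notes
    git add notes
    git commit -q -m "Uninteresting commit message"
    echo "cleaned up" > notes
    git commit -q -am "Another uninteresting commit message"
    git branch -m "$(git symbolic-ref --short HEAD)" oldmaster
    git branch master "$(git commit-tree -m "Initial commit" "HEAD^{tree}")"
    git checkout -q master
    check_truncated master oldmaster
)

demo && echo "master holds one commit and no old history"
```

Push the branch by name (git push <remote> master); git push --all or --mirror would publish oldmaster as well.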

Tags: planetdebian, planetfsfe.
CrystalHD progress
30th November 2013

Following up on my port of the crystalhd plugin to the GStreamer 1.0 API I realized that the CrystalHD repo is pretty dormant. After reading slomo's nice article about GStreamer and hardware integration and a short off list mail exchange I decided to split the GStreamer part out of the CrystalHD repo and to try to get the plugin into gst-plugins-bad.

Since the kernel part is already in linux kernel's staging area there would not be much left in the repo except for the libcrystalhd library itself and the firmware blobs. So I split them out as well and started to clean them up a bit by moving it to autoconf/automake, dropping the need for a C++ compiler and adding symbol versioning among other things.

So up to now video is still smooth with:

gst-launch-1.0 filesrc location=sample.mp4 ! decodebin ! xvimagesink

after jhbuilding up to gst-plugins-bad.

There are #ifdefs for macosx and windows, but I doubt they're functional. In case anybody is building libcrystalhd on these platforms, it'd be great to know if it still works.

Should these efforts lead to the crystalhd plugin being merged into GStreamer getting the kernel driver out of staging would be a great next step.

Tags: gnome, planetdebian, planetfsfe, planetgnome, wetab.
Monitoring the temperature values of an Ökofen Pellematic using munin
3rd September 2013

I recently had the joy to adjust a heating system powered by an Ökofen Pellematic pellet boiler. It turned out that the heating control for that system has a small web interface running on a Linux system that allows one to set the different temperature values.

The different temperature values can be queried easily using python-requests and then graphed via a simple munin plugin:

Temperatures of the pellet boiler

The sources are available here. Several more plugins for the different pumps and switches are already in the works. This needs some more work though to avoid lots of copy and paste.

Sadly enough there's no SSL available in the web interface. I already contacted the vendor about that and about the GPLed parts of their software so there's more to come.

Tags: munin, planetfsfe.
Calendar synchronisation between Nokia N900 and the Calypso CalDAV server
5th June 2013

One of the replies to the post about Debian's last groupware meeting was from Patrick Ohly of syncevolution fame pointing out that syncevolution already implements calendar autodetection for CalDAV calendars as described in draft-daboo-srv-caldav-10.

While looking at the code I noticed that there's a backend for the N900's calendar by Ove Kåven as well.

When I tried Ove's latest package on my N900 it led to an immediate crash when doing a:

syncevolution --print-items target-config@webdav calendar

According to Patrick the bug was supposed to be fixed in recent versions so I set up scratchbox and built a newer git snapshot for maemo (sources). This wouldn't crash but didn't show any items either. It turned out to be a minor bug in calypso returning no content type for REPORT queries, which resulted in libneon discarding the whole reply (now already fixed in calypso upstream).

With this out of the way setting up synchronisation is quite simple:

# Configuration
syncevolution --configure username=<username> password=<password> \
              calendar/backend=caldav calendar/database=https://${CALDAV_SERVER}:5233/private/my_calendar \
              target-config@webdav calendar
syncevolution --configure --template SyncEvolution_Client sync=none syncURL=local://@webdav username= password= webdav
syncevolution --configure sync=two-way backend=calendar webdav calendar

You should then be able to print the items on the local (N900) and from the remote (CalDAV server) end:

# This lists the current calendar items on the server
syncevolution --print-items target-config@webdav calendar
# This lists the current calendar items on the N900
syncevolution --print-items @default calendar

And from there on sync away:

# initial slow sync
syncevolution --sync slow webdav
# from there on
syncevolution webdav

The syncevolution source code has great documentation about debugging problems (e.g. src/backends/webdav/README). So check that in case you run into problems. The tl;dr version is

SYNCEVOLUTION_DEBUG=1 src/syncevolution loglevel=10 --print-items target-config@webdav calendar

to debug CalDAV related problems. In case you need to run syncevolution from source be sure to set this beforehand:

export SYNCEVOLUTION_XML_CONFIG_DIR=$PWD/src/syncevo/configs/

On the CalDAV side I used current Calypso git which (with some additional minor fixes) now also interoperates nicely with Iceowl/Iceowl-Extension aka Sunbird/Lightning on the desktop side. There's also an ITP for it. So it'll hopefully end up in Debian soon.

Update: in order to do SSL verification with syncevolution/libneon you have to put the CA's certificate into /etc/ssl/certs on the N900 and do a

c_rehash /etc/ssl/certs

otherwise syncevolution won't be able to verify the server's certificate.

Tags: debian, groupware, maemo, planetdebian, planetfsfe.
Bits from the 5th Debian Groupware Meeting
11th April 2012

This went out to d-d-a already but I figured that this might be of interest here too:

The fifth Debian Groupware Meeting was held in the LinuxHotel, Essen, Germany. Eight persons attended which is an all time high! This is a short summary of what happened during the weekend:

Tags: debian, planetdebian, planetfsfe.
