newspaint

Documenting Problems That Were Difficult To Find The Answer To

Monthly Archives: February 2015

Winston Carbon Monoxide Detector Fault

I bought a Winston carbon monoxide detector after being advised I should have one in my home.

Unfortunately it developed a fault after several months where it started to display a minimum of 28-32ppm and I became worried I had a problem in the home! But moving it around rooms or outside into the fresh air wouldn’t bring the number down – nor would powering the unit off and back on.

To ensure it was the unit at fault and not the air I purchased a Fireangel carbon monoxide detector.

When placed side-by-side the readings were thus:

Winston detector reads 34 while Fireangel reads 0

Winston detector reads 34 while Fireangel reads 0

Was the Fireangel carbon monoxide at fault by not detecting anything? I soon found out when I parked my misfiring car with the exhaust facing the home (not intentional, just so happened it seemed to affect the air inside the home). The side-by-side readings were thus (at 19:33 on the day in question):

Winston detector reads 53 while Fireangel reads 51

Winston detector reads 53 while Fireangel reads 51

So it seems that both detected an elevated amount of carbon monoxide in the air. But over the course of tens of minutes the numbers began to drop in the following sequence (at 19:35 on the day in question):

Winston detector reads 52 while Fireangel reads 44

Winston detector reads 52 while Fireangel reads 44

Then (at 19:39 on the day in question)…

Winston detector reads 47 while Fireangel reads 36

Winston detector reads 47 while Fireangel reads 36

Then (at 20:12 on the day in question)…

Winston detector reads 36 while Fireangel reads 12

Winston detector reads 36 while Fireangel reads 12

Finally (at 20:50 on the day in question)…

Winston detector reads 34 while Fireangel reads 0

Winston detector reads 34 while Fireangel reads 0

I demanded a refund for the faulty Winston unit because it concerned me that a unit should be falsely warning an unhealthy situation when, in fact, there was no discernible carbon monoxide present in the atmosphere.

LXC Tutorial on Ubuntu Precise 12.04

Overview

This is a quick-and-dirty tutorial to get containers created, running, and destroyed on Linux Ubuntu Precise 12.04.

Acknowledgements

Tutorial

Installing LXC

Simply run:

$ apt-get install lxc
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  bridge-utils cgroup-lite cloud-utils debootstrap dnsmasq-base euca2ools
  libapparmor1 libcap2-bin libnetfilter-conntrack3 libpam-cap libyaml-0-2
  python-boto python-m2crypto python-paramiko python-yaml
Suggested packages:
  libcap-dev btrfs-tools lvm2 qemu-user-static
The following NEW packages will be installed:
  bridge-utils cgroup-lite cloud-utils debootstrap dnsmasq-base euca2ools
  libapparmor1 libcap2-bin libnetfilter-conntrack3 libpam-cap libyaml-0-2 lxc
  python-boto python-m2crypto python-paramiko python-yaml
0 upgraded, 16 newly installed, 0 to remove and 4 not upgraded.
Need to get 2,343 kB of archives.
After this operation, 14.4 MB of additional disk space will be used.
Do you want to continue [Y/n]? y
Fetched 2,343 kB in 0s (10.3 MB/s)

Creating Your First Container

You can create a container using a pre-existing template. To see the templates available on your system:

$ ls /usr/lib/lxc/templates/
lxc-busybox  lxc-fedora    lxc-sshd    lxc-ubuntu-cloud
lxc-debian   lxc-opensuse  lxc-ubuntu

You can get help for the ubuntu template:

$ lxc-create -t ubuntu --help
/usr/share/lxc/templates/lxc-ubuntu -h|--help [-a|--arch] [-b|--bindhome ] [-d|--debug]
   [-F | --flush-cache] [-r|--release ] [ -S | --auth-key ]
   [--rootfs ] [--packages ] [-u|--user ] [--password ]
   [--mirror ] [--security-mirror ]
release: the ubuntu release (e.g. precise): defaults to host release on ubuntu, otherwise uses latest LTS
bindhome: bind 's home into the container
          The ubuntu user will not be created, and  will have
          sudo access.
arch: the container architecture (e.g. amd64): defaults to host arch
auth-key: SSH Public key file to inject into container
packages: list of packages to add comma separated
mirror,security-mirror: mirror for download and /etc/apt/sources.list

So we can choose ubuntu from the above templates to create a container and give it a name:

$ lxc-create -n lxctutorial -t ubuntu
No config file specified, using the default config
debootstrap is /usr/sbin/debootstrap
Checking cache download in /var/cache/lxc/precise/rootfs-amd64 ...
Copy /var/cache/lxc/precise/rootfs-amd64 to /var/lib/lxc/lxctutorial/rootfs ...
Copying rootfs to /var/lib/lxc/lxctutorial/rootfs ...

##
# The default user is 'ubuntu' with password 'ubuntu'!
# Use the 'sudo' command to run tasks as root in the container.
##

'ubuntu' template installed
'lxctutorial' created

Note that the default password is shown.

You could have specified which release with the command, e.g.:

$ lxc-create -n lxctutorial -t ubuntu -- -r precise

So we’ve created a container. Let’s see if LXC knows about it:

$ lxc-list
RUNNING

FROZEN

STOPPED
  lxctutorial

Where is the LXC container stored?

$ ls -l /var/lib/lxc/lxctutorial
total 12
-rw-r--r--  1 root root 1273 Feb 14 12:07 config
-rw-r--r--  1 root root  110 Feb 14 12:07 fstab
drwxr-xr-x 22 root root 4096 Jun 16  2014 rootfs

So the container has been created!

Running the Container

Start the container with the -d flag (otherwise you will go straight into console mode and there is a bug in lxc-start that prevents the ctrl-a, q escape combination from working).

$ lxc-start -n lxctutorial -d
$ lxc-list
RUNNING
  lxctutorial

FROZEN

STOPPED

You can connect to your container in console mode:

$ lxc-console -n lxctutorial
Ubuntu 12.04.4 LTS lxctutorial tty1

lxctutorial login: ubuntu
Password: ubuntu
Welcome to Ubuntu 12.04.4 LTS (GNU/Linux 3.2.0-74-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

ubuntu@lxctutorial:~$

To disconnect from the console (quit/exit) press ctrl-a, q.

Stopping the Container

You can stop the container – this kills all the processes inside the container.

$ lxc-stop -n lxctutorial

But a cleaner way of bringing a container to a stop is to halt it:

$ lxc-shutdown -n lxctutorial -w
Container lxctutorial has shut down

Destroying the Container

$ lxc-destroy -n lxctutorial
$ lxc-list
RUNNING

FROZEN

STOPPED

Assigning Static DHCP Leases to LXC Containers

You will need to create a configuration file in which you can put static leases, e.g.:

$ touch /etc/lxc/dnsmasq.conf

Next edit your /etc/init/lxc-net.conf file to add this configuration file to the dnsmasq startup, from:

dnsmasq -u lxc-dnsmasq --strict-order --bind-interfaces \
  --pid-file=${varrun}/dnsmasq.pid --conf-file= \
  --listen-address ${LXC_ADDR} --dhcp-range ${LXC_DHCP_RANGE} \
  --dhcp-lease-max=${LXC_DHCP_MAX} --dhcp-no-override \
  --except-interface=lo --interface=${LXC_BRIDGE} || cleanup

to:

dnsmasq -u lxc-dnsmasq --strict-order --bind-interfaces \
  --pid-file=${varrun}/dnsmasq.pid --conf-file=/etc/lxc/dnsmasq.conf \
  --listen-address ${LXC_ADDR} --dhcp-range ${LXC_DHCP_RANGE} \
  --dhcp-lease-max=${LXC_DHCP_MAX} --dhcp-no-override \
  --except-interface=lo --interface=${LXC_BRIDGE} || cleanup

Then find the MAC address from your container’s configuration:

# grep lxc.network.hwaddr /var/lib/lxc/*/config
/var/lib/lxc/lxctutorial/config:lxc.network.hwaddr = 00:16:3e:32:9a:a4
/var/lib/lxc/webserver/config:lxc.network.hwaddr = 00:16:3e:0c:5b:1b
/var/lib/lxc/mailserver/config:lxc.network.hwaddr = 00:16:3e:ca:cb:02

Now you can put the fixed address you want into your new configuration file /etc/lxc/dnsmasq.conf, e.g. if you wanted 10.0.3.123 for the lxctutorial container:

# static leases
dhcp-host=00:16:3e:32:9a:a4,lxctutorial-addr,10.0.3.123,7200

Make sure you shut down all LXC containers and restart LXC for this to take effect:

# /etc/init.d/lxc-net stop
# /etc/init.d/lxc stop
# /etc/init.d/lxc start
# /etc/init.d/lxc-net start

In Ubuntu 14.04 Trusty the start/stop jobs are:

# initctl stop lxc-net
# kill dnsmasq daemon
# ifconfig lxcbr0 down
# brctl delbr lxcbr0
# initctl stop lxc
# initctl start lxc
# initctl start lxc-net

Time For A New Messaging Service

I am concerned about the dominance of services like Facebook, Skype, Twitter, WhatsApp, and Viber. They are great services – but in an age where everything we write is recorded and archived for government agencies to reference and retrieve in a moment’s notice for all eternity – it is unhealthy/immoral/wrong.

The two principal problems we face nowadays is:

  • having our messages intercepted in plaintext (via man-in-the-middle attacks or direct access to the company our messages transit through)
  • having our messages tracked (also known as metadata) in an effort to discover and record our relationships

Further is the absolute control individual corporations have over our communications when we use a proprietary application like the ones mentioned above.

What we need is something akin to IRC – where individuals can provide intermediate servers – so that no one person controls the entire messaging service. We also need privacy so passing encrypted messages is a must – but only so that the recipient can decode, not an intermediate organisation as the above mentioned services do. Finally we need obscurity about the path messages take – they must not pass directly point-to-point but through a series of intermediaries so as to make tracking difficult.

It would also be “nice” to have a service that offers some storage or redundancy – so that transmission of a message when the intended recipient is not available is not lost but delivered at the point of recipient availability. Currently e-mail provides such a facility if used with GnuPG, for example, however e-mail does not provide obscurity of transmission path – and it was not designed for short messaging and/or image transmission.

I am currently thinking about how to achieve these two primary goals while also supporting secondary goals:

  • support for short plaintext messaging
  • support for image transmission
  • broadcast/groups (e.g. to family)
  • storage/redundancy (so can go offline and online at different times and retrieve messages sent while offline)
  • allowing anybody to join the network of forwarding servers to expand the service (use a standard and open protocol)

Ideally messages will be sent through multiple hops or intermediary servers. None of the intermediate servers should know anything about the content of the message (apart from size), neither should they know who handled the message other than the server it received from and the server it send to.

To accomplish this it is proposed that a message consists of several encrypted layers, each layer encrypted using a different key, and each layer containing an instruction about which server to forward to next. When a server receives such a bundle it can only decrypt the outer-most layer and then forwards the smaller message onto the next server.

A sending client will create the message by looking up a list of available forwarding servers, choosing a certain number of them (say, 5 randomly), and then generate layers using each server’s encryption key with each layer specifying the next server to transmit to. The innermost layer would contain the message to decrypt and the next layer would specify the recipient client to receive the message (of course the final forwarding server would not know that the next server was the receiving client as it could not distinguish this from another forwarding server).

The question is one of key management. But this should not be a great issue – as the public key could be obtained from each intermediate forwarding server by merely looking it up.

I believe the argument that the government should be entitled to wiretap in the interests of security is broken. Wiretaps used to be expensive and require a team of people to target a particular individual – so they were tolerated as it was generally understood that there had to be good reason for the effort expended on such monitoring. But nowadays governments listen to every individual, innocent, criminal, as well as those under suspicion, and all their communications are recorded for eternity for instantaneous lookup and cross-referencing. There is no effort required any more. No reasonable suspicion.

LinkedIn’s Most Embarrassing Super-Bug

In an astonishing feat of wilful negligence LinkedIn has chosen not to address a super-embarrassing issue on its website. The phantom unread message! For over a year LinkedIn has been aware of this issue but not fixed it.

The problem? Your home page indicates you have an unread message. But when you go to list all your unread messages you see you have none!

LinkedIn Lying About Unread Messages

LinkedIn Lying About Unread Messages

How difficult is it for a web developer to tell the difference between one unread message and no unread messages!? Apparently, at LinkedIn, very hard indeed!

Which makes you wonder – what other incredible bugs are lurking underneath the surface at this company if the ones that are visible for all and sundry to see are completely ignored?

Can one really bring themselves to offer their credit card details to a company so wilfully negligent when it comes to code quality – when the simplest of issues present the biggest challenge to the firm? I would, as a software developer, be thinking twice!