
Does /tmp have a split personality?

April 12th, 2014 · English, other stuff, web development

Today I had my first real encounter with the new Linux world of namespaces, cgroups and systemd. As it turns out, old wisdom like “an absolute file path is an absolute file path” doesn’t hold any more :-)

But let’s start from the beginning. I recently updated a machine to the latest openSUSE 13.1, which uses systemd unit files for a lot of services. I use this machine to develop a web application in PHP, and for debugging I wrote something to /tmp, like this:

<?php
file_put_contents('/tmp/some-file', 'some-content');
?>

The script always worked fine and it still does, but not really the way I expected it to: the file /tmp/some-file does not exist after the script has run, even though PHP can read it back! Strange, the file simply seems to disappear!

After scratching my head for some time, I finally found out what’s going on:

$> cat /usr/lib/systemd/system/apache2.service
[Unit]
Description=The Apache Webserver
Wants=network.target nss-lookup.target
After=network.target nss-lookup.target
Before=getty@tty1.service
[Service]
Type=notify
PrivateTmp=true
EnvironmentFile=/etc/sysconfig/apache2
ExecStart=/usr/sbin/start_apache2 -D SYSTEMD -DFOREGROUND -k start
ExecReload=/usr/sbin/start_apache2 -D SYSTEMD -DFOREGROUND -t -k graceful
ExecStop=/usr/sbin/start_apache2 -D SYSTEMD -DFOREGROUND -k graceful-stop
[Install]
WantedBy=multi-user.target

The offending line in the unit file is PrivateTmp=true. What does it do? Let’s have a look at the man page (man systemd.exec):

PrivateTmp=
  Takes a boolean argument. If true, sets up a new file system namespace for the
  executed processes and mounts private /tmp and /var/tmp directories inside it,
  that are not shared by processes outside of the namespace. This is useful to
  secure access to temporary files of the process, but makes sharing between
  processes via /tmp or /var/tmp impossible. All temporary data created by service
  will be removed after service is stopped. Defaults to false.

So yes, that’s the explanation: Apache (and thus PHP, which runs as an Apache module) sees a different /tmp than I do. The fix is obvious: either store your files in a different directory or disable PrivateTmp. The latter is easy as well, thanks to the configuration overrides in systemd (you may need to change the override directory; it is the name of the unit plus “.d”, see the announcement for details):

#> mkdir /etc/systemd/system/apache2.service.d
#> echo -e "[Service]\nPrivateTmp=no" > /etc/systemd/system/apache2.service.d/privatetmp.conf
#> systemctl daemon-reload
#> systemctl restart apache2
#> systemctl show apache2 | grep PrivateTmp
PrivateTmp=no
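
Before switching the isolation off, it is worth checking what a unit’s effective setting is (drop-ins override the vendor unit file, and the last assignment wins) and where the service’s private /tmp actually lives on the host, because leaving PrivateTmp on and looking there keeps the protection the man page describes. The following shell helper is an added example, not code from the post or from systemd; it assumes the systemd-private-<boot-id>-<unit>-<random>/tmp directory naming of current systemd releases (older ones used a shorter random name), and the unit file and drop-in paths are parameters so it can run against a copied tree.

```shell
#!/bin/sh
# Added example (not from the post or from systemd): report a unit's effective
# PrivateTmp= value and find the host-side directory behind its private /tmp.

# Normalise systemd's boolean spellings (1/yes/true/on vs 0/no/false/off).
to_bool() {
    case "$1" in
        1|[Yy]es|[Tt]rue|[Oo]n) echo yes ;;
        *) echo no ;;
    esac
}

# effective_private_tmp UNITFILE DROPINDIR
# The unit file is read first, then every *.conf in the drop-in directory in
# lexical order; the last PrivateTmp= assignment wins, and an empty
# assignment resets to the default (no). This mirrors how the override in
# apache2.service.d/privatetmp.conf beats PrivateTmp=true in the unit file.
effective_private_tmp() {
    unitfile="$1"; dropindir="$2"
    value=no
    for f in "$unitfile" "$dropindir"/*.conf; do
        [ -f "$f" ] || continue
        # Skip files that do not mention the directive at all.
        grep -q '^[[:space:]]*PrivateTmp[[:space:]]*=' "$f" || continue
        last=$(sed -n 's/^[[:space:]]*PrivateTmp[[:space:]]*=[[:space:]]*//p' "$f" | tail -n 1)
        value=$(to_bool "$last")
    done
    echo "$value"
}

# locate_private_tmp HOSTTMP UNIT
# Prints the directory systemd bind-mounts as /tmp for UNIT, assuming the
# systemd-private-<boot-id>-<unit>-<random>/tmp layout of current systemd
# releases (older ones used a shorter random name). Prints nothing if the
# service is not running with PrivateTmp, and always returns 0.
locate_private_tmp() {
    hosttmp="$1"; unit="$2"
    for d in "$hosttmp"/systemd-private-*-"$unit"-*/tmp; do
        [ -d "$d" ] && echo "$d"
    done
    return 0
}

# Run directly with a unit name to inspect the real system, e.g.
#   sh privatetmp-check.sh apache2.service   (hypothetical file name)
if [ $# -eq 1 ]; then
    echo "effective PrivateTmp for $1: $(effective_private_tmp \
        "/usr/lib/systemd/system/$1" "/etc/systemd/system/$1.d")"
    locate_private_tmp /tmp "$1"
fi
```

For the post’s setup, the script prints yes before the drop-in is created and no afterwards, and while Apache runs with PrivateTmp the file written by PHP is found under the directory it prints.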

On Reviewing Technology

February 11th, 2014 · English, other stuff

Within the whole Debian init system debate, within all the heat and personal attacks, Russ Allbery managed to publish a couple calm and insightful posts very much worth reading. One quote particularly struck me.

There is no such thing as a completely impartial review of technology, and you wouldn’t want someone who was completely impartial making technological decisions since it would indicate a disturbing lack of familiarity with the problem area.

Russ Allbery


FOSDEM 2014

January 31st, 2014 · English, other stuff

As in previous years, I’ll be at FOSDEM in Brussels this weekend. But this time is special: I’ll give a talk about the project I’m working on most of the time now, OpTiMSoC. Join me on Sunday, February 2nd at 10am for an introduction on how to build your own Manycore System-on-Chip!

S/MIME and EGVP under openSUSE 12.3

November 18th, 2013 · German, other stuff

Recently I had the pleasure of setting up a signature card at a lawyer’s office for signing e-mail with S/MIME and for using the Elektronisches Gerichts- und Verwaltungspostfach (EGVP, the German electronic mailbox for courts and public authorities) under openSUSE 12.3 x86_64 (64 bit).

The signature card came from Soldan (an office service provider for lawyers). It is really just a resold PKS-ECC smartcard from Telesec (Deutsche Telekom).

A Reiner-SCT Cyberjack pinpad with a USB connector serves as the card reader.

The good news: it works. The less good news: it takes some work. What exactly that work looks like is explained below.

E-mail signing in Thunderbird 24

First, the PC/SC daemon (pcscd) has to be installed and started:

sudo zypper install pcsc-lite pcsc-cyberjack libpcsclite1
/etc/init.d/pcscd start

After that, a PKCS#11 module for Thunderbird (i.e. for NSS, the crypto libraries in Mozilla products) is still needed. Unfortunately the card is not yet supported by OpenSC, so the closed-source PKCS#11 modules from Telesec have to be downloaded and installed.

  1. Download the driver package for the right operating system from the Telesec download page and unpack the ZIP file. In my case it was the package “P11TCOS3-Lib für Linux x64 v.1.6.0″.
  2. For encryption/signing the NetKey module is needed; copy it to its usual place with the following command (on 32-bit systems replace lib64 with lib):
    sudo cp libpkcs11tcos3NetKey64-1.6.0.so /usr/lib64/pkcs11/
  3. Now the smartcard can be inserted into the reader (if not done already).
  4. In Thunderbird select Edit -> Preferences -> Advanced -> Security Devices and then click the Load button on the right. The module name can be chosen freely, e.g. “Telesec PKCS#11 NetKey”. As the module filename, enter /usr/lib64/pkcs11/libpkcs11tcos3NetKey64-1.6.0.so.
  5. After clicking the Log In button, a window should appear asking for the PIN. Then enter the PIN on the Cyberjack’s keypad and confirm with OK on the reader’s keypad.
  6. Under Edit -> Preferences -> Advanced -> Certificates -> View Certificates, in the Your Certificates tab, three certificates now appear in the “T-Systems International GmbH” tree. A double click shows further details about a certificate.
  7. Now it is time to select the certificate for the e-mail address. Click Edit -> Account Settings and then, for the right e-mail account in the tree on the left, click the Security sub-entry. In the Digital Signing section click the Select … button, choose the certificate “ECC Authentication Certificate” (the Signature Certificate, which is also on the card, does not work!) and confirm with OK.

Before the certificates work, the Telesec CA certificates must also be installed. They can be downloaded from http://www.telesec.de/download/CA-Zertifikate.zip. After unpacking the ZIP file, the required certificates can be selected under Edit -> Preferences -> Advanced -> Certificates -> View Certificates in the Authorities tab by clicking the Import … button. This step has to be repeated for each of the required certificates. Currently the following certificates are needed:

  • 14R-CA_1PN.802.cer
  • TeleSec PKS CA 7.crt

Exactly which CA certificates are needed may change over time. You need every certificate that is not built into Thunderbird and that is part of the chain that issued the e-mail certificate, so that a closed chain up to the Deutsche Telekom certificate built into Thunderbird results. Certificate details can be displayed as described in step 5 above. The issuer shown under “Issued By” must be installed as well.

Now the first test mail can be sent. Create a new mail to yourself, click the arrow next to the S/MIME button and then “Digitally Sign This Message”. Once the mail arrives, it should be marked as validly signed.

Encrypting mails does not seem to work with this certificate, however.

Elektronisches Gerichts- und Verwaltungspostfach (EGVP)

  1. Download the EGVP application from www.egvp.de/software/index.php
  2. The application requires the 32-bit versions of some libraries. They can be installed with
    sudo zypper install libpcsclite1-32bit libxext-32bit libxtxt-32bit libxi6-32bit
  3. Now the EGVP application can be installed:
    bash EGVP_Classic-Client-setup.bin
  4. And finally the client is started with
    ./EGVP_Classic-Client/EGVP_Classic-Client

The smartcard used here cannot be used for encryption, so a software certificate has to be used for encrypting and decrypting the mailbox. Since this is the recommended approach anyway, that should not be a problem. (See the list of supported smartcards, table 10: “no encryption or decryption possible with the new TeleSec PKS-ECC signature card (NetKey 3.0 SignatureCard 2.0)”.)

Unfortunately the whole EGVP application is not packaged in a very Linux-friendly way; it bundles a 32-bit Java runtime and installs the actual application libraries into $HOME/.AppData on first start. That makes a system-wide installation for several users considerably harder, which is why I have skipped it for now.

Have fun trying it out, and as always I look forward to your comments!

A tiny update for Firefox OS on Raspberry Pi

September 20th, 2013 · other stuff

Many of you have been waiting for updates on Firefox OS on the Raspberry Pi. Unfortunately my time is very limited at the moment, and a lot of things remain to be done. To get you more involved, I did two things. First, the patch repository with all patches necessary to get Firefox OS building on the Raspberry Pi is online. And second, the meta-b2g layer has been changed so that it can now produce an SDK for compiling Firefox OS, so that you no longer need to work with all the OpenEmbedded/Yocto stuff.

Patch Repository

You can find the Mercurial patch repository containing all patches for the Mozilla source code necessary to build Firefox OS here:

https://www.philipp-wagner.com/hg/mc-b2g-patches/

To use it, check out a mozilla-central source tree. Then go to the .hg folder inside your checkout and clone the patches repository:

hg clone https://www.philipp-wagner.com/hg/mc-b2g-patches patches

Then go back to the root of your mozilla-central source tree, and update it to the version given in the .hg/patches/changeset file. Now apply all patches by running

hg qpush -a

SDK

Not everybody wants to build a whole distribution only to hack on Firefox OS — but to compile it, a cross-compiler and various libraries for the target are necessary. To make cross-compiling easier, I’ve added a new target to the OpenEmbedded/Yocto meta-b2g layer. You can now run

bitbake meta-b2g-sdk

and it will create an installable SDK (after building you can find it in tmp/deploy/sdk in your OpenEmbedded build folder). I’ve also uploaded a precompiled version (155 MB).

Install it by simply running the shell script, choose an installation location, and after a couple of seconds you have everything set up to cross-compile Firefox.

To compile Firefox OS, get a checkout of mozilla-central and patch it as described above. Then get the mozconfig file from the meta-b2g repository.

$> source /opt/poky/1.4+snapshot/environment-setup-armv6-vfp-poky-linux-gnueabi
$> export MOZCONFIG=/path/to/your/downloaded/mozconfig-b2g-linuxgl-rpi

Now you can build Firefox OS just as always:

$> make -f client.mk build

Things left to do

A lot! I currently don’t get around to producing new binary images, so you need to build from source to get support e.g. for some newer Raspberry Pi models with different DDR memory on them (they require a newer firmware).

But I hope the SDK as well as the patch queue will help some people to do some changes themselves more easily.

Thanks!

May 31st, 2013 · English, Mozilla

After publishing the Firefox OS for Raspberry Pi post, Dietrich Ayala commented that he liked it and that he’d send me something from my Amazon Wishlist. Today I went to the post office to pick up a parcel and look what I got:

Does the outside say what's on the inside?

And that’s what’s inside it:

A-Team DVD Set unboxed

That’s a lot of DVDs to watch. Thanks so much! Now I’m in a little quandary* on what to do on the weekend: work on Firefox OS or watch the DVDs? Maybe I can find time for both, the weather is bad enough to stay inside all day :-)


* That’s probably one of the nicest English words I know, so I had to use it here.

Firefox OS for Raspberry Pi: Now Available

April 14th, 2013 · other stuff

UPDATE: This was a project done in 2013, and since then I didn’t find enough time to continue it. Please look at the recent Mozilla effort to bring Firefox OS to RaspberryPi for a more usable and up-to-date solution.

It has been quite some time since my last post about Firefox OS running on a Raspberry Pi, but the questions kept coming in: “when will it be released?” Well, I’m sorry that it took so long (sometimes finding time is not that easy), but finally, here we are: the sources and build instructions are available!

Head over to the Firefox OS for Raspberry Pi Manual, which contains all build instructions, download links to a pre-built SD card image and much more information.

But before you start, please note the following limitations of this current release:

  • No input devices are supported. No mouse, no keyboard.
  • The screen resolution is hardcoded to 1280 x 1024 px.
  • The Firefox/Gecko revision used is not up to date (it’s revision 801ba75ac563 from 2013-01-03).
  • Quite a few patches are required to get Gecko building, most of which were developed by Oleg Romashin. Unfortunately, they are not yet part of the official Mozilla source tree, and some of them are quite hacky. Progress on getting this work upstream is tracked in bug 731498. All those patches are exported into the meta-b2g layer. A source repository for easier development will be made available soon, together with instructions on how to contribute to the Gecko development.

So what is all of this useful for at this point? I mainly leave this up to your imagination, but I’m using it as a public info screen, displaying the weather forecast, room occupation, the next subway connections and today’s lunch menu. All data comes from publicly available web services or is scraped from web pages, all client-side with no web server or anything. Here’s how it looks:

Firefox OS for Raspberry Pi powering an infoscreen

I hope you find Firefox OS for Raspberry Pi as useful and exciting as I do, and please send me your comments, suggestions or (best) patches, to make it even greater!

Firefox OS (Boot2Gecko) for Raspberry Pi

August 17th, 2012 · English

Two weeks ago my Raspberry Pi finally arrived. I immediately started looking around for a way to get Firefox OS (formerly Boot2Gecko, B2G) running on it and found work-in-progress patches for Mozilla by the awesome Oleg “romaxa” Romashin. With those patches, Gecko renders directly into an OpenGL ES framebuffer without using an X server. Nice! So the plan was to use those patches for the “Firefox” part of “Firefox OS” – now only the “OS” part was missing. I had two ideas for it: it should be as minimal as possible, and for best performance it should be a hardfloat build. For this task PTXdist came in handy. It’s a tool that allows you to build a complete Linux-based operating system (kernel and root file system) from source based on rule files. Again I wasn’t the first one using PTXdist on the Raspberry Pi, and after some googling I found a GitHub repository from “fabricega” (I don’t know his full name unfortunately) that I could use as a basis for my work.

So that was the idea: build Firefox OS for Raspberry Pi by combining Firefox with a PTXdist-built Linux.

Fast-forward two weeks. Welcome to today! After many sleepless nights, a couple of switches of the GCC and binutils versions (and full rebuilds of everything), different Linux kernels and some work on Oleg’s patches, I finally got it all working together! In the meantime Oleg posted a YouTube video of Firefox OS running on a Raspberry Pi that made it to the homepage of raspberrypi.org. Many people seem to be excited by the idea of running Firefox OS on a Raspberry Pi, which is great.

Firefox OS for Raspberry Pi combines two exciting projects, and I’m sure those two will have a great future together.

A lot of work remains to be done, and I’ll post patches and more documentation on how to build all of it in the coming days, but let’s get started with some images (and watch Oleg’s video if you didn’t do so yet!):

Contribute to openSUSE: Update a package

June 26th, 2012 · English, other stuff

I’m sure many openSUSE users have already heard about the goodness of the openSUSE Build Service (OBS). But how many have already tried to use it as a developer? I didn’t — until recently. A couple of weeks ago I found a wrong dependency in the calibre package, and today I needed a newer version of hplip. I found that using OBS is much easier than I expected. Don’t believe me? Have a look at how easy it can be to update a package. It all follows the popular GitHub fork-and-pull-request development style. As an example I’ll use (a subset of) the changes I made today to the hplip package.

Step 0: Prepare your system to use OBS

Instead of duplicating existing documentation, just have a look at the OBS tutorial at the openSUSE wiki. You’ll only need to follow Step One. Basically, this means installing the required packages for OBS and creating a working directory.

If you’re done, switch to your working directory and you can follow the next steps*.

Step 1: Branch (fork) the original package you want to modify

$> osc branch Printing hplip

Step 2: Do a checkout of the branched project

$> osc co home:YOUR_USERNAME:branches:Printing/hplip
$> cd home:YOUR_USERNAME:branches:Printing/hplip

Step 3: Do the required changes to the package (the actual work!)

$> wget http://prdownloads.sourceforge.net/project/hplip/hplip/3.12.6/hplip-3.12.6.tar.gz
$> # verify binary (gpg, md5sum, etc.)
$> osc add hplip-3.12.6.tar.gz
A    hplip-3.12.6.tar.gz
$> osc del hplip-3.12.4.tar.gz
D    hplip-3.12.4.tar.gz
# adjust the spec file as necessary ...

Step 4: Build locally to verify your changes

$> osc build openSUSE_12.1

Instead of openSUSE_12.1 you can use any target you might want to test (e.g. openSUSE_Factory etc.). This command is actually pure magic: it pulls all dependencies, installs them into a chroot build environment, and builds the package. Awesome!

You can now even install the resulting RPM package; the above command tells you where to find it at the end of its output (probably somewhere in /var/tmp/build-root/home/abuild/rpmbuild/RPMS). You really should do that and verify that everything works as expected.

Step 5: Finish it up

If you’re happy with your changes, and everything works as it should, we can get ready for submission.

First, add a changelog entry:

$> osc vc

will open an editor and allow you to add a changelog entry into the already prepared text template.

Now, check that you added/deleted all files by calling

$> osc status

If everything looks good, commit the package to OBS by using

$> osc commit

You can now go to the OBS web interface and watch your package build, or use

$> osc results

to see the results of the build process on the openSUSE servers. Note that building may take some time, depending on the OBS load and obviously your package.

Step 6: Submit the changes to the maintainer

Everything is great? The last step

$> osc sr

sends a “pull request” (in git language) to the package maintainer. You can see the status of this request in the web interface as well.

Now you only need to wait for the maintainer to accept your changes, and then: Congratulations, you’ve made possibly your first contribution to openSUSE!

Further reading

OBS tutorial in the openSUSE wiki
Tutorial on how the branch/pull system works in OBS


* Actually, the steps as written here will not result in a working package. The update of hplip required some other changes that I didn’t document here, but I hope the real-life examples will help to make the steps more understandable.

Using the Sun/Oracle Multi-Schema XML Validator (MSV)

April 18th, 2012 · English, other stuff

I regularly work with more or less complex XML Schemas, and debugging them requires some tools with command lines I usually forget after a while. So I decided to write down some of my frequently used command lines for MSV, the Sun/Oracle Multi-Schema XML Validator. Maybe you find some of them helpful as well (since the MSV documentation is not exactly perfect).

Note: While I only use MSV for XML Schema validation, it can be used for RelaxNG and other schema languages as well.

Get MSV

That’s the easy part: download a binary build from http://java.net/downloads/msv/releases/ and unzip it (you only need the msv.YYYYMMDD.zip).

Validate an XML document

$> cd msv-20090415
$> java -jar msv.jar schema.xsd document.xml
start parsing a grammar.
validating document.xml
the document is valid.

Dump the post-schema-validation infoset (PSVI)

Often it is useful to see which type the XML Schema parser attached to a node in a document. To do this, get the post-schema-validation infoset (PSVI) from the schema validator. MSV ships with a sample application that can be used for this purpose.

$> cd msv-20090415/examples
$> java -cp .:../msv.jar psvi.PSVIDump schema.xsd document.xml