Two questions about git-buildpackage

Leave a reply

I’ve been playing lately with git-buildpackage for managing IPv6 attack toolkit packaging.

It turned out that another folk was trying to package the same software. He got in touch and we decided to join efforts.

After facing my first real experience of shared packaging two questions have arisen regarding the workflow:

  1. should the patch-queue branch be published?
  2. should the content of debian/patches be included in master?

The patch-queue branch is intended to be rebased again and again and you know what they say about rebasing a published branch, on the other hand if this branch is not shared, patch regeneration will be out of sync.

Given that debian/patches content is directly derivable from branch patch-queue/master, commits in master for  adding, refreshing or removing patches seem history pollution to me.

</thinking-out-loud>

Python gets a new ignored context manager

Leave a reply

I was reading What makes Python Awesome? presentation and saw the following construction in slide 22:

This construction is more concise without being less readable than the typical try ... catch ... pass. I had never seen that ignore before and got curious about where is it defined. It isn’t a CPython keyword neither part of the contextlib module.

After some search I found that an ignored (note the trailing d) context manager was recently added to the upcoming python 3.4. Nice!

Managing prebuilt OS images with Ansible

2 Replies

Prebuilt OS images

Prebuilt OS images are usually available for virtualization environments, for example see lists for OpenVZ, Vagrant, EC2, VirtualBox (also here) or Proxmox. As you can guess, some machinery is needed for building and maintaining them all. There is veewee for Vagrant, template creation guides for OpenVZ, dab for Proxmox, and so on.

The chroot connection

Ansible got support recently for executing tasks chrooted inside a local directory. The implementation was straightforward given Ansible agentless nature. chroot was added as a new connection type and that had two nice side effects:

  1. chroot directories can be added to the inventory like any other hostname.
  2. any existing playbook will potentially run chrooted by just setting the chroot connection type.

Putting things together

So you can now bootstrap your distro as usual, run a playbook chrooted to it and them archive the directory. That’s exactly what this example playbooks do.

when the cow stops mooing you will have these tar.gz in /var/tmp/built-images:

  • squeeze-raw-amd64.tar.gz: this is a barely Debian bootstrap
  • debian-6.0-64.tar.gz: this is just squeeze-raw-amd64.tar.gz plus kernel, openssh-server and other customizations.
  • 32bits versions of the above.

as you can guess from the inventory, it’s trivial to add another debootstrap’able distribution.

Two stages

I identify two image categories:

  1. bare image: distro bootstrap with zero or minimal configuration.
  2. custom image: bare image with needed customization.

think of bare images as one per distro (squeeze, wheezy, precise, fedora18, etc…) and custom images as the ones typically published (debian-6.0-lamp-server, precise-nagios-server, fedora18-jboss, etc…). One bare image is used as base for building multiple custom images. Each stage builts one said category, this way it’s easier to cache the distro bootstrap for later reuse.

Missing stuff

I’m missing two things from the example:

  1. Make the playbook work with non Debian distros (febootstrap vs. deboostrap, file location differences, etc…)
  2. Specify extra software to install, ideally in the inventory (see 2290). Thinking in something like:

Why bother?

There are some advantages of using Ansible instead of a custom script:

  • You can reuse with little or zero effort existing playbooks.
  • You can separate data from code making things easier to audit.
  • … and the others things from Ansible you get for free:
    • a powerful templating system (more flexible customization of files inside image).
    • parallel execution (build images faster).
    • idempotent changes (run again and again from any point in the process).
    • more and more modules available.
  • Integrate image maintenance in your workflow if you’re already using Ansible for managing your servers.

ulogd 2.x in Debian, update

Leave a reply

Since my last post on this, some things have changed:

Installing ruby/rbenv with Ansible

Leave a reply

Ansible is a relatively new kid in the town of Configuration Management. If you don’t know it already go see this introductory video: System Provisioning with Ansible.

Having a Puppet background, I got impressed by how state is defined in Ansible with simple YAML files without necessarily sacrificing powerfulness. I actually find very pleasant both reading and writing playbooks (and that is not to mention the cow). Using the current ssh infrastructure is a bonus point, you can instantly get going.

So I need to install ruby + rbenv in some Debian servers. The following playbook will do it, it’s basicly a translation of this script.

playbook with files and templates here.

Note: Building ruby takes its time, be patient.

ulogd 2.x in Debian (aiming to get …)

Leave a reply

ulogd is a userspace logging daemon for netfilter/iptables. Nowadays there are two codebases available: ulogd-1.x and ulogd-2.x but the ulogd-1.x serie has been phased out last year therefore it aren’t receiving security updates or new features since months.

When using iptables, logs messages generated by firewall can be sent to userspace throught one of these three targets:

  • LOG: typically handled by syslogd as any other kernel message.
  • ULOG: handled by both ulogd and ulogd2, this target is available in linux since 2.4.0.
  • NFLOG: handled by ulogd2, this target is available in linux since 2.6.14.

happens that ip6tables only supports LOG and NFLOG targets so if you want to use ulogd with your IPv6 firewall, it should be version 2.0.0 or superior.

ulogd2 was released in jun 2012 but previous betas were available since almost four years ago. Debian currently have version 1.24 in the archive and that’s the one that will be released with wheezy. In other words, you can’t use IPv6 + ulogd in Debian today.

The first bug reported against ulogd requesting a version upgrade was 395302, then an ITP came, then a long time of inactivity.

Given the current stagnation situation, the personal need of an ulogd 2.x package for my IPv6 gateway and my willingness to learn how to package software for Debian I decided to start updating the current package.

I have published an initial ulogd 2.x package, the packaging repository and will post updates to 395302.

Note that ulogd 2.0.1 depends on libnetfilter-conntrack >= 1.0.2 and libnfnetlink >= 1.0.1. Both dependencies aren’t (yet) available in Debian but you can grab them from my mentors space: libnetfilter-conntrack and libnfnetlink.

Update: Chris Boot took over and ulogd2 2.0.2 finally entered unstable. Nice!

Xen guests isolation and ebtables concurrency

Leave a reply

Concurrency is evilWhen using bridging for Xen Networking and your guests machines (domUs in Xen parlance) are fully managed by third parties, some sort of isolation is specially needed. A rogue admin can change the IP and/or MAC address(es) assigned to its domU and potentially cause an IP address conflict.

Xen provides an script called vif-bridge that takes care of adding domU’s virtual interfaces to dom0′s bridge, bring them up and add iptables rules allowing datagrams whose source is one of the assigned IP address(es) coming in through domU’s virtual interfaces.

Those iptables rules might be not enough. They don’t enforce usage of the assigned MAC addresses and could interfere with current deployed firewall. Another point, in my opinion, is that these addresses policies belong to Link Layer (bridge decision) instead of Network Layer (see PacketFlow), so I prefer to have them enforced with ebtables.

Continue reading

es_CU locale landing in GNU libc

1 Reply

Just reading GNU libc 2.15 release announcement and found this nice surprise:

* New locales: bho_IN, unm_US, es_CU, ta_LK

a quick search got me to the merge request. The locale was merged last
december 22nd (commit) and it seems it is being maintained by the UCI.

Google didn’t give out any result searching for es_CU glibc other than the few merge request messages (thread) and the bug report itself.

Besides, I wasn’t able to find an annoucement in gutl-l archive (the national
floss ml), I did a search in the archive from past october up to now. It would
be just nice to have an announcement posted to gutl-l in first place about such
an achievement.

I hold no hope to see a project’s page and source code repository published.
Nova, the UCI flagship product, have had a very hard time getting enough
resources and permissions to publish their repositories.

In any case, I’m very happy about the merge.

PD: It calls my attention that contact phones are prefixes by +45 (Denmark) instead of +53 (Cuba), a typo?