Man vs Chicken

I'm in an arms race with a chicken.

She doesn't have a chopper (yet) and I'll admit that there are no actual arms involved. However, she does know how to pull off a determined escape to sleep in her favourite place: under our caravan.

Our few chickens used to roam wherever they wanted over our 60 acres, but recently we've needed to restrain them to only one paddock. Having the chickens dig up my seedlings and our vegies was not something we desired.

Since we made that call, I've been battling one of the chickens, "Sunday Roast", who is clearly descended from Houdini. Under gates, onto and over gates, corner assemblies, wooden fence posts. You name it, she's used it to escape.

One by one over the last few months I discovered each of her escape routes and closed them off by a variety of techniques. This week I discovered her latest trick was to land on the fence posts before flying off to land on the other side. This development required a new approach from me and this was the answer:

CDROM bird scarer

Some scrap fencing wire I had lying around, a CDROM from my stockpile of future bird scarers (to hang from our fruit trees when they mature), a few minutes of bending, and the fence posts were no longer so attractive to our feathered escapologist.

I'm happy to say that after a couple of hours pacing for an exit at dusk, she returned to the hen house and snuggled up. This round goes to me, for now.

Oh, and if you need a copy of a Windows Vista restore disk for a Lenovo, you know where you can get it.

(No, I'm not clipping her wings, there's no fun in that).

Update: This morning Sunday Roast was still in the paddock. I may have the upper hand...for now.

Posted by Craige McWhirter

The Sweetest Sound

My fingers are very sore tonight. Earlier today I bought a Garrison G30 acoustic guitar and the sound is so sweet that I just can't put it down:

My Garrison G30

Not for long anyway. Hamish got a lovely guitar from his aunt and uncle for Christmas so he and I played for half an hour in his "rock star" way:

Hamish and his Valencia TC1K

This little beauty is a game changer for me. It's such a joy to play. Very happy camper although Hamish has charged me with learning to play B-I-N-G-O. Not what I had in mind...

LCA2014 - Monday

These are my raw notes from talks held on Monday at LCA2014. They may contain errors and mis-heard quotes, and are completely unreviewed and not spell checked:

Keynote:

Dr Suelette Dreyfus - The Surveillance State

  • rights of citizens and state are out of balance
  • Not enough awareness by the citizens of the surveillance state
  • world whistleblowing survey n=2349
  • 68% of people see whistle blowers as normal or heroes, not rats.
  • 50% of Australians think there is too much secrecy
  • 81% support whistleblowers' actions
  • 87% - 90% support protection for going to the media
  • A period of universal deceit
  • Open source people are revolutionary by their very actions (faulteh said this)
  • Telling the truth is revolutionary
  • Irony of Russia being a safe haven from the UK, US, Australia
  • So much money being spent they can't figure out how to spend it all
  • Insight Platform - Cradle to Graduation tracking of children
  • Tender process / details are not transparent
  • DELL PowerEdge 1950 2950 are compromised with GODSURGE
  • iOS is 100% successfully hacked.
  • iOS is completely compromised
  • shitload of hardware hacks achieved via interdiction
  • Call out unacceptable use
  • State surveillance is being used for individual financial benefit by ministers and friendly companies
  • What can you do?
    • Get political - speak up for privacy protections
    • Write user friendly privacy enhancing software - help people detect intrusions by govt.
    • Get involved in NFPs that give tech support to journos, NGOs etc
    • Have the courage to speak out, particularly if you work for government

System Administration Miniconf

How to keep track of puppet with Foreman - Glen Ogilvie

  • Slides
  • The Foreman is a complete lifecycle management tool for physical and virtual servers.
  • Foreman supports libvirt provisioning
  • Provides a web interface for configuration management
  • Monitors and logs facts and history
  • foreman-ansible - An Ansible ENC (external node classifier) to get, group and classify nodes based on the Puppet facts in The Foreman.

Open Sourcing your entire Puppet configuration - Elizabeth Krumbach Joseph

Providing a continuously updated ITIL CMDB - Alan Robertson

  • Slides
  • Focussed on using the Assimilation Project
  • Use the process of discovery to locate "forgotten" machines
  • Discovers:
    • IP and MAC addresses
    • Services and service details
    • Switches, connections and settings
    • Installed services
    • OS Configuration
    • anything else we like

Ansible and Vagrant - Daniel Hall

  • Slides
  • Vagrant manages VMs
  • Uses Ansible to configure VMs it builds
  • Excellent testing framework
  • One command for building and testing environments

Scalable SOE deployments - Matthew Cengia

  • Slides
  • Uses PXE boot and Debian's live-boot to install images
  • Trimclient Admin keeps tables of images, realms and hosts
  • Allows the grouping of hosts in realms

'Quality of Service', a common misconception - Julien Goodwin

  • Slides
  • Without understanding how your hardware buffers, applying QoS can cause great congestion
  • Some devices have buffers so large you need to apply QoS
  • Low Latency == small buffers, frequent drops
  • High Throughput == large buffers, few drops
  • In practice, balance both.
  • Software Routers
    • Buffer sizes are config options in Linux
    • Take a look at cerowrt
    • VOIP does not need specific QoS; standard QoS classes are adequate.
    • Usually due to bad vendor networks

Custom equipment monitoring with OpenWRT and Carambola - Andrew McDonnell

  • Slides
  • Carambola2
  • No video etc
  • Runs OpenWRT
  • Uses this combination for monitoring devices (aircon, solar panels etc)
  • Extremely low power usage
  • Supports loads of IO inputs

Dualstack Firewalling with husk - Phillip Smith

  • Slides
  • Australia lags IPv6 deployment (no surprise)
  • Husk is a netfilter wrapper
    • Logs and drops by default
    • Supports hooks
    • Not a complete abstraction
    • Not automatic
  • Human readable rules
  • Named interfaces (ie: ppp0 -> NET)
  • Helpers are built in
  • Atomic loads
  • Logged to syslog
  • Need to see how that compares to UFW.
    • BoD reckons Husk is better for production deployments

Optimizing Linux memory usage - Sander van Vugt

  • Slides
  • virtual memory is not SWAP
  • anon memory roughly corresponds to memory used by applications
  • file memory roughly corresponds to memory in use by file systems and IO

RatticDB - Elizabeta Sørensen

  • Slides
  • Encryption is done on the filesystem
  • Needs HTTPS
  • Any DB supported by Django
  • Demo credentials: U: admin P: rattic
  • Manages audit log of what passwords people have seen
  • easy way to manage change when staff leave

Coming up to speed on Chef within AWS - Josh Mesilane

  • Chef recipes are strictly DSL whereas Puppet feels more like XML
  • Chef handles dependencies better than Puppet
  • Documentation is generally better in Chef.
  • Chef is more strict
  • Puppet has a better UI
  • Chef has better tools
  • Better community support
  • Chef uses Chef to install Chef

Howto Reliably Replicate Block Devices, even over Long Distances - Thomas Schöbel-Theuer

  • DRBD vs Mars Light
    • Mars Light is more tolerant of network faults
  • DRBD has decreasing throughput over time after disconnects
  • 15 pilot clusters
  • Rolling out to > 250 clusters
  • Looking for more developers
  • New domain coming http://mars.technology/ (?)
  • IO latency over networks is much better in Mars Light

Better Living Through Statistics - Jamie Wilkinson

  • Slides
  • Making monitoring suck less
  • Blackbox vs Whitebox
  • Blackbox:
    • Only boolean
    • No insight into "why"
  • Problems with check+alert
    • Thresholds vary
    • Extra work to add targets
    • Monitoring sucks because existing models do not scale.
  • Should base monitoring on rates and derivatives
  • Duration of abnormality should be considered.
  • Aggregate data across groups of machines for analysis
  • rate of errors vs rate of queries
  • What to alert on:
    • Rate of Change of QPS outside normal
    • Ratio of errors to queries
    • Latency
  • Make sure alerts are actionable
  • and Documented
  • Blackbox testing is still required
  • Keep counters instead of gauges
  • Compare them
  • Run statistical packages against the time series DB and experiment
  • The tools don't exist yet

Performance Co-pilot and checkmk are possible solutions. monitoring@lists.linux.org.au is a useful discussion place.
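Wilkinson's points above (derive rates from counters, alert on the ratio of errors to queries and on QPS leaving its normal band, and require the abnormality to persist) can be shown in a few lines. This is an added example, not code from the talk or from this post. The counter readings are constructed, including a counter reset at t=60 to stand in for a process restart, and the thresholds (3 sigma over a 5-sample window, a 2% error ratio, two consecutive intervals) are illustrative choices rather than anything the talk prescribed.

```python
"""Rate-based alerting from monotonic counters (added example, not from the talk).

Inputs are constructed: (seconds, queries_total, errors_total) scraped from one
server every 10 s. The counters are monotonic except for a process restart at
t=60, where they reset to zero and started climbing again.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import List, Tuple

SAMPLES: List[Tuple[int, int, int]] = [
    (0, 1000, 10), (10, 1500, 15), (20, 2000, 20), (30, 2500, 25),
    (40, 3000, 30), (50, 3500, 35),
    (60, 400, 4),                                           # counter reset after restart
    (70, 900, 9), (80, 1400, 14), (90, 1900, 19),
    (100, 2400, 24), (110, 2900, 29),
    (120, 3400, 129), (130, 3900, 229), (140, 4400, 329),  # error burst begins
]


@dataclass
class Rate:
    t: int
    qps: float
    error_ratio: float


def counter_delta(prev: int, cur: int) -> int:
    """Delta of a monotonic counter. cur < prev means the process restarted;
    count what accumulated since the reset rather than emit a huge negative rate."""
    return cur if cur < prev else cur - prev


def rates(samples: List[Tuple[int, int, int]]) -> List[Rate]:
    """Turn counter snapshots into per-interval rates and an error:query ratio."""
    out = []
    for (t0, q0, e0), (t1, q1, e1) in zip(samples, samples[1:]):
        dq = counter_delta(q0, q1)
        de = counter_delta(e0, e1)
        out.append(Rate(t1, dq / (t1 - t0), de / dq if dq else 0.0))
    return out


def evaluate(rs: List[Rate], window: int = 5, z: float = 3.0,
             max_error_ratio: float = 0.02, min_duration: int = 2) -> List[Tuple[int, str]]:
    """Fire when QPS sits more than z sigma from its trailing window, or the error
    ratio exceeds max_error_ratio, for at least min_duration consecutive intervals.
    The duration requirement is what keeps the single-interval dip at the restart
    from paging anyone."""
    fired = []
    qps_run = err_run = 0
    for i, r in enumerate(rs):
        hist = [x.qps for x in rs[max(0, i - window):i]]
        if len(hist) >= 2:
            mu = mean(hist)
            # floor sigma at 5% of the mean so a perfectly flat baseline does not
            # turn every wobble into an "infinite sigma" deviation
            sigma = max(pstdev(hist), 0.05 * mu)
            qps_run = qps_run + 1 if abs(r.qps - mu) > z * sigma else 0
        err_run = err_run + 1 if r.error_ratio > max_error_ratio else 0
        if qps_run >= min_duration:
            fired.append((r.t, "qps_deviation"))
        if err_run >= min_duration:
            fired.append((r.t, "error_ratio"))
    return fired


if __name__ == "__main__":
    rs = rates(SAMPLES)
    for r in rs:
        print(f"t={r.t:>4}  qps={r.qps:5.1f}  error_ratio={r.error_ratio:.3f}")
    print("alerts:", evaluate(rs))
```

Run as a script it prints the per-interval rates and then the alerts. The restart at t=60 shows up as a one-interval QPS dip that never fires, because it does not persist; the error burst from t=120 fires at t=130 (the second consecutive interval over 2%) and keeps firing while it lasts. Counter resets are handled on the way in, which is the practical reason the talk prefers counters to gauges: a gauge that was never sampled during the burst tells you nothing, while a counter always lets you recover the rate over the gap.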

Running virtualized Galera instances - Raghavendra Prabhu

  • Sheepdog does storage virtualisation for QEMU.

The Six Stages of systemd - Rodger Donaldson

  • Denial
    • Claiming there's nothing wrong with the existing init system
  • Anger
    • Raging against the machine
  • Bargaining
    • but no one is really looking at sysV
  • Depression
    • Change is scary
    • May even use BSD (no!)
  • Acceptance
    • Tinkering
    • Learning
    • Lead to...
  • Enthusiasm
    • Discovering the benefits of the new system
  • What do I want?
    • Reliability
    • Deterministic view
    • Enforceable policy
    • Life's too short for sysV script repetition
    • "Enterprise" software and "trendy" new frameworks never have sysV init scripts
    • Value spending time efficiently
  • systemd has:
    • efficient parameters
    • includes allow efficient variation (a-la apache2)
    • Simplfies service management
    • Reduces risk
  • Need Service Views
    • cgroups help with this
  • Want to manage multi-tenant systems
    • not multi VM hordes
  • Maximise Reliability and Efficiency
    • Minimise overhead
    • makes service co-tenant
  • Easy to Measure
    • cgroups makes measuring and accountability easier
  • Linux competitors are already adopting alternatives

Scaling Graphite - Devdas Bhagat

  • Graphite is a web based graphing system for time series data
    • Written in Python
    • Uses multiple daemons
    • Has its own storage backend
  • Moving parts
    • Whisper/Ceres - storage backend
    • Webapp - web front end and API provider
    • Relaying daemons
  • Speeding up IO
    • SSDs
      • performance improved but not enough
    • One SSD failure brought down the whole system
  • Use simple naming conventions
  • Collectd ran into memory problems (bug)
    • Switched to Diamond instead
  • Relaying
    • CPU still a bottleneck
    • rewrote relays in C
  • They collect all the business metrics they can
  • Graphite doesn't support hashing well but it works
  • Switched to RAID0
  • They're hiring: http://www.booking.com/jobs

Thinking outside the box - Steven McDonald

  • What's the "box"?
    • A confined thinking space
    • confined by the person doing the thinking
    • Inside the box is past experiences, common wisdom, other existing knowledge
  • Why outside the box?
    • Inside the box is quicker, easier and produces the same result
    • You can automate box thinking
    • Need to know when to leave the box
  • Sometimes you need to use an imperfect solution to restore a service for most users
  • Gave examples
  • Too easy to focus on the root cause rather than what the customer cares about.
  • Problems need to be clearly defined before they are solved, otherwise you're heading in the wrong direction before you begin.

Practical Crypto BoF

  • Many crypto passphrase caching agents (like GPG agent) are vulnerable to memory dump attacks via ptrace
  • Redphone for VOIP encrypted calls
  • No crypto talks at LCA2014...

Syncing Firefox With ownCloud

ownCloud 6 comes with a fantastic Mozilla Sync option that allows you to synchronise your Firefox bookmarks and other settings with your ownCloud instance rather than using Mozilla or another less credible third party provider. This is how I set it up:

In your ownCloud Instance:

  • Enable Mozilla Sync if you haven't already
  • Click on your username in the top right-hand corner
  • Click on Personal
  • Set your email address in owncloud (if it's not done already)
  • Scroll down to Mozilla Sync where you'll find the information required to configure Firefox.

Mozilla sync in ownCloud

In Firefox on Your Desktop

  • Open Firefox
  • Open up Firefox preferences
  • Select the Sync icon
  • Click on Setup Firefox Sync
  • Click on Create a New Account
  • On the Account Details window:
    • Select: Use a custom server...
    • Enter your email address as per Mozilla Sync in ownCloud
    • Enter your ownCloud password
    • Enter your server address as per Mozilla Sync in ownCloud
  • Press Next

If you entered your credentials correctly, you should be returned to the Sync tab in Firefox preferences.

Firefox ownCloud Sync Success

Enjoy syncing Firefox to your own cloud :-)

LCA2014 - Tuesday

These are my raw notes from talks held on Tuesday at LCA2014. They may contain errors and mis-heard quotes, and are completely unreviewed and not spell checked:

Keynote:

Kate Chapman

  • Why Open Street Map?
    • Most other maps are not free
  • Goal: Free map of the world
  • Facilitates global responses to contribute map data to help in emergencies
  • The earthquake in Haiti was the first example of how OSM could be used to support emergency responses
  • HOT trained Haitians how to map to continue the work
  • In collaboration with AusAid they commenced pre-emptively mapping Indonesia.
  • The idea: Map once - available for everyone
  • OSM was adopted enthusiastically by local authorities
  • Community is continuing to train members
  • Now mapping Jakarta
    • There are 267 urban village heads
    • Trained each head and a volunteer
    • 70 university students entered the data
    • Allowed flooding reports to be mapped during later flood crisis
  • HOT train locals on OSM and qGIS
  • Used QR codes on walking papers so smart phones were not required to be provisioned
  • Accurate map data allows better planned emergency responses
  • Wrote a training programme so people can be certified
  • HOT use the OSM tasking manager.
  • Agencies like Red Cross using OSM to build other GIS tools
  • After Haiti, US Gov recognised the benefit of providing imagery to volunteers like HOT.
    • Provided imagery to HOT within 5 days of the typhoon Haiyan in the Philippines
  • 1,700 people have made 5 million changes to OSM in response to the typhoon
  • Other Apps building upon OSM:
    • Field Papers allows maps to be printed
    • Mango Map
  • Part of digital humanitarian network

OpenStack Miniconf:

Governance

  • Designed to be open and collaborative
  • Two governance bodies, technical and a board that tend to be removed from technical roles and strategically focussed.
  • Ceph is not part of OpenStack, governed separately but can be utilised.
  • Nova, essentially a hypervisor management tool, is agnostic about the virtualisation architecture being used.
  • Devstack is a great intro to OpenStack to run up on one box.
  • Swift is an object store.
  • Voting eligibility is based upon accepted patch providers

OpenStack Moving to a Foundation - Paul Holland

  • OpenStack was started 3 years ago.
  • NASA and Rackspace kicked it off with mutual synergies between Nova and Swift.
  • Over 13,000 contributors
  • Joining is free
  • Releases are every 6 months
  • Followed by summits to roadmap the next release
    • User and business summits are held at the same time
  • 20 official projects
  • Current key community questions:
    • Deciding what is "core"
    • Implementation vs API compatibility
    • Scaling training
  • Very fluid project with an open potential

Artifice: automated billing for Ceilometer - Bruno Lago, Catalyst IT

OpenStack and the network: is there a better way? - Iain Robertson, Brocade

  • Performs automated zoning for fibre
  • All contributions are intended to be OpenSource
  • VPC is supported (virtual forwarding and routing support)

Adding erasure codes to OpenStack Swift - John Dickinson, Swiftstack

  • Original idea behind hardware virtualisation was to maximise utilisation of hardware
  • Erasure codes provide space-efficient storage, ie: storage virtualisation
  • Storage policies are (will be?) the most exciting thing to happen to SWIFT, since it was open sourced

How Did I Not Know This? Navigating OpenStack-Infra as a Developer. - Anita Kuno, HP

  • Gerrit is a specialised git repo
  • Nodepool serves up VMs
  • status.openstack.org for infrastructure and project status
  • Ensure you've configured git for Gerrit: $ git config -l
  • Use git review $ git review -d nnnnnn
  • Don't use draft - use work in progress
  • Elastic recheck advises on known bugs
  • Graphite is hooked up to Gerrit

Diablo vs Havana: How OpenStack has matured - Robert Collins HP

  • Huge improvements in testing and acceptance of tests
  • Performance and scalability tests are significantly better

OpenStack at Canonical - Brad Marshall, Canonical

  • Run two regions on separate versions of OpenStack and flip them for upgrades
  • MaaS and Juju to deploy to bare metal
  • Juju provides Canonical's service orchestration. Heat is the OpenStack equivalent
  • Improved service density
  • Operating expenses are down
  • True reproducibility of deployments has been a big win.

The Nova v3 API - Chris Yeoh, IBM

  • Why?
    • Fix inconsistencies
    • Follow REST principles
    • Improve flexibility
    • Add versions
    • Extensions required core code modification
  • REST API functionality is a plugin
  • Flexible paths within PYTHONPATH
  • Whitelisting
  • Versioning
  • Validation framework
  • Automated documentation
  • Novaclient support

LCA2014 - Wednesday

These are my raw notes from talks held on Wednesday at LCA2014. They may contain errors and mis-heard quotes, and are completely unreviewed and not spell checked:

Lightning Talks / Conference Open

Discovery and Monitoring without limit using the Assimilation Project by Alan Robertson

  • Interesting attendees: Linus, Tridge, Jon Oxer
  • Zero footprint discovery
  • Extremely scalable monitoring
Problems Addressed
  • Risk Management
    • Maintaining detailed discovery database
    • Discovering forgotten systems
    • Software discovery
    • Monitoring services and systems
    • Finding unmonitored services
    • Intrusions
  • Why Discovery?
    • Continuous
Unique Powerful Features
  • Continuous discovery by listening
  • Zero network footprint
  • Every change noticed
  • Dependency discovery
  • Low network load
Uniformly, fully distributed work
  • Monitoring and discovery are fully distributed
  • Reliable
  • Only edge conditions are centralised
  • Adding systems does not increase monitoring work
  • Each server monitors 2 or 4 neighbours
  • Each server monitors its own services
  • Repair and alerting is low volume
  • Detects switch failure by nominating 1 server per switch for a cross switch ring.
  • 95% of traffic stays in the same switch
Architectural Components
  • Collective Management Authority - per installation
  • Nano probes - per server
  • Data storage
  • Nanoprobe management:
    • Configure and direct
    • Hear alerts and discovery
    • Update rings (join / leave)
    • Update database
    • Issue alerts
  • Nanoprobe functions
    • Announce self to CMA
    • Do as CMA instructs
    • No persistent state across reboots
  • Linux-HA Base Service Monitoring
    • Local Resource Manager (LRM)
  • Pros:
    • Simple scalable
    • Uniform work distribution
    • No single point of failure (cluster CMA)
    • Light network load
    • Multi-tenant
  • Cons
    • Active agents
    • Potential slow startup at power on (for large numbers of machines)
  • Why a Graph DB
    • Humans describe things as graphs
    • Dependency and Discovery is fundamentally a graph
    • Speed of graph depends on size of sub graph, not total graph
    • Natural visualisation
    • Schema-less design: good for heterogeneous env.
    • Graph model == object model
Discovery API
  • Scripts perform discovery with JSON output
  • Three sample discovery snippets
    • OS Information
    • Service discovery
    • Client discovery
  • Service discovery is brilliant.
Current Status
  • Released in April 2013
  • Nanoprobe is functional
  • Need adopters

Linception: Playing with containers under linux by Jay Coles

  • Checkoint / Restore
  • Otherwise standard Linux
  • Namespaces
    • Allows granularity
    • Presents a subset of host resources
    • Allows picking and choosing components
    • Not everything is namespace aware
  • setns allows you to enter a namespace
    • no need to ssh into a namespace
  • Veth is a virtual ethernet pipe
  • Containers need multilayer security defences - no one tool currently provides what's required.
  • LXC is worth looking at. Docker is built on LXC

Building Effective Alliances around the Trans-Pacific Partnership Agreement by sky croeser

  • TPP impacts domestic legislative capabilities
  • There's a lack of transparency
  • Restrictive intellectual property impacts
  • Potentially affects access to affordable medicine
  • ISP's to monitor IP infringements
  • Corporations more able to sue the state for laws that impact them
  • Creates an infringement of national sovereignty
What Can You Do?
Political Landscape
  • Greens and Pirate Party are opposed, actively, calling for transparency
  • The ALP appears to be against ISDS despite previously negotiating
  • The Nationals are giving hints of disquiet
  • The Liberals claim TPPA will be good for industry
Groups with a Tech Focus
Broader Coalitions
  • AFTINET
  • Choice Australia
  • ACTU
  • Public Health Association Australia
  • MADGE Australia
  • Environmental activism
Draw on other strategies
  • Utilise Beautiful Trouble
  • Consider and map your spectrum of allies
  • Shift the discourse
  • Tactics that welcome participation
    • Allow for tiered participation
    • Facilitate anyone who wants to do something to be able to do something
    • Ensure compelling frameworks
    • Think strategically about how you frame it
    • Think about your orgs structure
    • Avoid burnout - keep a balanced life
Direct Action
  • Bring about the change you want to see
  • Can gain visibility for negotiations
Internal Strategies
  • Inequality opens opportunity to split international consent
  • Link with civil society in other nations

  • Campaign needs to be funded and resourced

Hierarchical infrastructure description for your system management needs by Martin Krafft

  • Approaches:
    • Cloud provisioning
    • Traditional system administration
  • Targeting of nodes and classifying nodes
  • Configuration management vs monitoring
    • Keep them separate
  • Parametrisation - word of the conference
  • Parametrise your automation system
  • Define data in one place
  • RECLASS will merge it
  • Currently on YAML_FS
  • Multiple inheritance
  • Adapters interface between configuration management and reclass
    • CLI switches
    • output in YAML / JSON
    • Ansible and SALT are supported currently
    • SALT integration is now via a SALT module (better performance)
    • Provides inventory information for Ansible
  • Future work
    • Logging framework
    • Membership lists
    • Tests
    • Disk caching
    • Long running process

Finding signal in the monitoring noise with Flapjack by Lindsay Holmwood and Jesse Reynolds

  • Composable(?)
  • Rollup - alert summarisation
  • Alert routing
  • Does three things
  • Receives an event
    • notify
    • who?
    • how?
  • API (RESTful JSON)
  • No restarts required
  • Bulletproof use it in anger; two developers paid to work on it.
  • Ruby, Redis, EventMachine based.
  • Designed for humans
    • Considers alert fatigue
    • Normalcy bias
    • Confirmation bias
Why?
  • Multi-tenant support
  • Segregated responsibility
  • Check engine independence (event producers)
  • Self-checking with oobetet
  • Rollup - alert summarisation
  • Contacts store media type (email, SMS etc), sets summary thresholds, entities, checks and history
  • Hooks up to Google Hangouts / Jabber media types
  • Tagging can be used for grouping
  • No hard/soft states
  • Nagios / Icinga used as a dumb alert checker (only configure check execution)
  • Allows scaling
@Bulletproof
  • Process >~60 events/second
  • Manage - a customer portal for managing their own notification rules
  • manage-flapjack-sync does what it says :-)
Shortcomings
  • 30s fixed broadcast delay (why?)
  • Assumes single external source of truth (puppet, CRM, Ansible via API - needs to be written)
  • Contacts need to import and exported from an external source (what sources? - what ever sources you write for)
Other Features:
  • Release planning is public
  • As is bug tracking
  • Semantic versioning
  • Write/run tests (unit and integration)
  • .deb .rpm packages provided
  • Solid documentation available
  • A bad first experience is considered a bug

Live upgrading many thousands of servers from an ancient RedHat 7.1 to a 10 year newer Debian by Marc MERLIN

  • Slides
  • Use file level syncing, handle exceptions via configuration managers
  • Google wrote a custom-rsync
  • Root partition is the same on all servers
  • Ran RedHat 7.1 for over 10 years and wanted to upgrade without reboot (were the machines that old too?)
  • On all Google's production machines
  • At Google's scale, maintaining your own distro based on Debian makes a lot of sense
  • File level syncing recovers from state and is more reliable
  • Forcing services to not write on the rootFS helps with distro switches

LCA2014 - Thursday

These are my raw notes from talks held on Thursday at LCA2014. They may contain errors and mis-heard quotes, and are completely unreviewed and not spell checked:

Keynote:

Matthew Garrett

  • Video
  • Interesting security events in 2013:
    • UEFI was deployed in production
    • Snowden revelations
    • Governments involved in sophisticated hacking on domestic populations
  • Who are we concerned about
    • NSA - complete set of capabilities are unknown, assume the worst.
    • Our hosting / service providers
    • Opportunistic attackers
  • NSA are able to perform attacks undetectable from the operating system
  • Leaks describe model-specific exploits
  • Plausible that vendors are not actively involved
  • Passive involvement is likely
  • Who would benefit from a generic exploit?
  • Intelligence agencies are probably not our biggest concern
  • Most security breaches are political or profit driven
  • How can we protect our users?
    • Boot verification is an absolute requirement, despite being a vector for freedom infringements
    • Operating systems are too big to be perfect
    • Persistent infections make recovery impractical
    • Users will choose to keep an infected machine rather than have it repaired
    • Must be able to replace vendor components
    • Especially firmware
  • UEFI secure boot still allows users to replace keys
  • No guarantees to replace firmware
  • Android:
    • Some vendors allow OS replacement
    • No way to replace keys or firmware
    • Choice between freedom and no security or security and no freedom
  • Chromebooks are no better
  • Apple are the worst, can't replace OS, keys or firmware
  • How much can you trust your system:
    • OS backdoors? (not necessary)
    • Firmware backdoors?
      • Jetway have not had their leak audited
      • Should be a project people engage in
      • There are obvious vulnerabilities in the code
    • Lower level hacks?
      • AMT, CPU microcode
  • Attack vector on modern devices is low due to move to cloud services
  • If you give your data to someone else, you're trusting them to not steal, share or lose it.
  • Spectrum of trust from software you run through to where you store your data.
  • Cloud security is poorly understood
  • Balance of probability suggests hypervisors have security vulnerabilities
  • SELinux / Apparmor allows you to run a VM in an isolated context
  • Introspection of bare metal is difficult
  • Introspection of VMs is trivial
Security for 2014
  • Be more aggressive about securing every layer
  • In a way that doesn't compromise freedom
  • Ask cloud vendors hard questions
  • Customers too
  • Don't buy into exchanging freedom for security or vice versa

Without verified boot you are insecure. With verified boot you may be insecure.
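The chain of trust Garrett describes, and its limits, as an added example (not code from the keynote or from this post). Each stage carries the key that must verify the next stage, the first stage is checked against a key assumed to be burned into ROM, and a stage only "executes" once its check passes. HMAC-SHA256 stands in for the asymmetric signatures a real UEFI or Android chain uses, so the keys embedded in the images are symmetric here rather than public keys; the firmware, bootloader and kernel blobs are constructed strings. The demo shows a tampered kernel being refused, a correctly signed but vulnerable kernel booting anyway (the "may be insecure" half of the aphorism), and why replaceable keys matter: the vendor's chain is refused under an owner-enrolled key, while a chain the owner signs boots.

```python
"""A minimal verified-boot chain (added example, not code from the keynote).

HMAC-SHA256 stands in for the asymmetric signatures a real chain uses, so the
'key' each stage carries for the next stage is symmetric here. All images are
constructed strings. VENDOR_ROOT_KEY is assumed to be immutable (in ROM or
fused), which is the one thing the whole chain ultimately rests on.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List

VENDOR_ROOT_KEY = b"vendor-root-key-burned-into-rom"   # assumption: immutable anchor


@dataclass(frozen=True)
class Stage:
    name: str
    code: bytes
    next_key: bytes    # key the *next* stage must verify under (empty for the last)
    signature: bytes   # MAC over (name, hash(code), next_key) by the previous stage's key


class BootRefused(Exception):
    pass


def _message(name: str, code: bytes, next_key: bytes) -> bytes:
    # Bind the stage name and the delegated key into the signed message so a valid
    # bootloader image cannot simply be replayed in the kernel slot.
    return name.encode() + b"\0" + hashlib.sha256(code).digest() + b"\0" + next_key


def sign_stage(signing_key: bytes, name: str, code: bytes, next_key: bytes = b"") -> Stage:
    sig = hmac.new(signing_key, _message(name, code, next_key), hashlib.sha256).digest()
    return Stage(name, code, next_key, sig)


def verify_boot(chain: List[Stage], root_key: bytes) -> List[str]:
    """Walk the chain, checking each stage with the key the previous stage vouched
    for. Nothing 'executes' until its check passes. Returns the executed stages."""
    executed: List[str] = []
    key = root_key
    for stage in chain:
        expected = hmac.new(key, _message(stage.name, stage.code, stage.next_key),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, stage.signature):
            raise BootRefused(f"{stage.name}: signature check failed after {executed}")
        executed.append(stage.name)
        key = stage.next_key        # trust is delegated one hop at a time
    return executed


def build_chain(root_key: bytes, kernel_code: bytes) -> List[Stage]:
    """Firmware signed by the root key, bootloader by the firmware's delegated key,
    kernel by the bootloader's. All three images are constructed."""
    bl_key, kernel_key = b"bootloader-signing-key", b"kernel-signing-key"
    return [
        sign_stage(root_key, "firmware", b"constructed firmware image", bl_key),
        sign_stage(bl_key, "bootloader", b"constructed bootloader image", kernel_key),
        sign_stage(kernel_key, "kernel", kernel_code),
    ]


def tamper(stage: Stage) -> Stage:
    """Flip one byte of the code without re-signing, as a persistent infection would."""
    code = bytearray(stage.code)
    code[0] ^= 0x01
    return Stage(stage.name, bytes(code), stage.next_key, stage.signature)


def demo() -> dict:
    results = {}
    good = build_chain(VENDOR_ROOT_KEY, b"constructed kernel, all patches applied")
    results["vendor chain"] = verify_boot(good, VENDOR_ROOT_KEY)

    try:                                  # integrity violation: refused before execution
        verify_boot(good[:2] + [tamper(good[2])], VENDOR_ROOT_KEY)
    except BootRefused as e:
        results["tampered kernel"] = str(e)

    # Correctly signed, still exploitable: verification proves provenance, not safety.
    vuln = build_chain(VENDOR_ROOT_KEY, b"constructed kernel with an unpatched local root hole")
    results["signed but vulnerable"] = verify_boot(vuln, VENDOR_ROOT_KEY)

    owner_key = b"owner-enrolled-key"     # the owner replaces the vendor's key
    try:
        verify_boot(good, owner_key)      # vendor's images no longer verify...
    except BootRefused as e:
        results["vendor chain, owner key"] = str(e)
    results["owner chain, owner key"] = verify_boot(   # ...but the owner's own do
        build_chain(owner_key, b"constructed owner-built kernel"), owner_key)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:26} -> {v}")
```

Two things in the output carry the argument. The tampered kernel is refused before it runs, which is what makes recovery from a persistent infection tractable: the earlier stages still executed, so a known-good bootloader can reflash it. The vulnerable kernel boots cleanly, because a signature says who produced an image, not whether it is safe. And the owner-key case is the freedom half: a root of trust the owner cannot re-key is one the owner cannot audit or replace, which is the complaint above about Android and Apple.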

Rapid OpenStack Deployment for Novices and Experts Alike by Florian Haas

Rough overview of OpenStack Architecture
  • OpenStack is the largest community driven cloud architecture
  • Keystone is the central identity/location service
  • Nova is the compute service that interacts with hypervisors (most of them)
  • Glance is the VM image service
  • Horizon is the OpenStack dashboard
  • All unified API's are RESTful JSON
Nodes
  • Node roles are atomic, composable classes of nodes
    • Infrastructure Node runs a database and a message queue (MySQL + RabbitMQ).
    • Authentication Node runs the OpenStack Identity Service (Keystone) providing authentication
    • API Node provides RESTful endpoints to OpenStack services
    • Controller node provides scheduling and registration services internal to OpenStack
    • Network Node provides network connectivity within the cloud (Neutron).
    • Compute Node(s) hosts and runs VMs (Nova).
    • Block Storage Node provides storage (Glance).
    • Dashboard Node provides unified user interface (Horizon).
    • Metering Node to collect metering data from a unified event stream (Ceilometer).
    • Orchestration node runs an orchestration service (Heat).
Tutorial Architecture
  • Using one node (alice) running all the node services except:
  • bob will run computes
  • Charlie will be the network node (this would normally have one interface that is public)
  • Puppet node running... a puppet master.
Resources
  • Stackforge is a collection of puppet modules for OpenStack (and other things).
  • KickStack - OpenStack deployment with puppet made easy
Tutorial

Test the puppet architecture:

$ puppet agent --test

Set classes via puppet dashboard to define the node's roles

$ puppet agent --runinterval 10
  • Packstack is RedHat's tool and is RDO specific, based on StackForge. Good for all Centos / RHEL OpenStack infrastructure. Not granular enough.
  • Crowbar is a DELL project's deployment platform and is used by SuSE (along with Chef)
  • Juju is Canonical's deployment tool using a yaml file generated from "charms".
  • TripleO/Tuskar (OpenStack on OpenStack). Uses OpenStack scheduling and deployment for deploying hardware via PXE and IPMI - manage hardware like a VM.
  • Foreman "puppet on steroids"
  • Presentation tools is reveal.js, shell in a box in an iframe
TroubleShooting

Horizon:
  • A good understanding of the architecture is required to effectively troubleshoot
  • Start in the nova-api logs for an error
  • Check the scheduler logs
    • Has it found a suitable host?
    • Available hosts may be out of memory
    • Not responded
  • nova list or nova show can tell you which hypervisor has been selected to run it up
  • Look at the logs for nova compute on that host.

Should find a clear error in 99% of cases...

Writing your first web app using Python and Flask by Danielle Madeley

  • Flask is a lightweight python web framework
  • Flask will gracefully finish requests

Debian on AWS by James Bromberger

  • AWS is a collection of remote computing services
    • Compute, storage etc
    • Certification available
    • Customers can chose software / operating systems
How is Debian using AWS:
  • Distributed Debian package compilation on EC2
    • Funded by grant
    • Helped find bugs in packages
    • Helped find bugs in compilers
    • Spot Instances allow you to name your own price for EC2, and you get the resources you pay for - dynamic resource allocation based on market prices
    • 12 complete archive rebuilds
  • Accelerating ftp.debian.org
  • cloudfront.debian.net
    • Speed up access for all regions
    • Use this in sources.list (or use http.debian.net)
    • 24 hours caching for Debian-CD
    • Cached in 51 locations
Who's using it?
  • DDs mostly
  • Looking for people to do stats analysis
  • snapshot.debian.org - 18TB of Debian packages, 55K files, 1 Postgres database - every package, ever.
  • All files are on S3 with automatic aging to Glacier
  • $200/month - donated by AWS
Official Debian images on EC2
  • AWS now has official EC2 AMIs for Debian generated by DDs.
  • Generation script is on GitHub
  • Available:
    • In AWS Marketplace ($0)
    • Shared from Debian AWS Account directly
  • Available in all regions (including GovCloud)
Creating the Official AMIs
  • Uses build-debian-cloud
  • Uses http.debian.net in apt sources
  • resizes root file system if larger than default (8G)
  • Cloud-init is installed in the Debian AMI
  • ssh as admin using your keys
  • No remote access - can be changed after log in.
Usage
  • In the AWS marketplace for discoverability
  • 5% growth in usage every week.
Why Debian on AWS?
  • First place many people will discover Debian
  • Existing users now use at scale.
  • Providing a trusted operating system
  • AWS are hiring

Adding a Git Repo To GitWeb

This assumes that you have a server with GitWeb installed on it already. The file paths are based on Debian.

On your server

Create a directory for the new git repo:

$ sudo mkdir /var/cache/git/MyRepo

Then change the permissions so you can use it:

$ sudo chown myusername:myusername /var/cache/git/MyRepo/

Now we need to initialise the repo for GitWeb:

$ cd /var/cache/git/MyRepo
$ git init --bare
Initialized empty Git repository in /var/cache/git/MyRepo/

Then provide an appropriate description of your repo by editing the description file:

$ vi description

On your workstation

Clone the new repo:

$ git clone ssh://myusername@my.server.com/var/cache/git/MyRepo

Cloning into 'MyRepo'...
warning: You appear to have cloned an empty repository.
Checking connectivity... done

Create some content:

$ cd ./MyRepo
$ touch me

Then add the file to git

$ git add me
$ git status
# On branch master
#
# Initial commit
#
# Changes to be committed:
#   (use "git rm --cached <file>..." to unstage)
#
#       new file:   me
#
$ git commit -am "Added me"
[master 61e4a60] Added me
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 me
Counting objects: 4, done.

Now push it up to your server:

$ git push
Delta compression using up to 2 threads.
Compressing objects: 100% (2/2), done.
Writing objects: 100% (3/3), 268 bytes | 0 bytes/s, done.
Total 3 (delta 0), reused 0 (delta 0)
To ssh://craige@mcwhirter.com.au/var/cache/git/Talks
   0a18962..61e4a60  master -> master

If you check your GitWeb instance, you should see the repo is now there and your first file is in it.

Happy GitWeb-ing :-)

LCA2014 - Friday

These are my raw notes from talks held on Friday at LCA2014. May contain errors and mis-heard quotes. Also completely unreviewed and not spell checked:

Keynote:

Deploying software updates to ArduSat in orbit by Jonathan Oxer

Arduino and Cubesat - ArduSat can allow every child to put an experiment into space as part of their schooling

  • One week's experiment time is < $300
  • Well affordable for schools
  • 30 ArduSats are going to be launched every year over the next 5 years
  • 500 thousand school kids will be participating
  • Power supply module has 2800mA/h
  • Uses amateur band radio for communication (encrypted)
  • Orbit is 90 minutes long
  • CubeSat gets slammed from -40C to +80C every 90 minutes

Challenges

  • Release of designs with out attracting black helicopters
  • Satellite technology is listed as a weapon
  • Collaborating with UNSW on a flight computer

The future

Water propelled cubesat with 2.5L of water has enough propellant to reach Mars.

Raspberry Pi Hacks: Building Great Pi Projects by Tom Callaway and Ruth Suehle

  • Authors of "Raspberry Pi Hacks" - discount code: authd
  • Designed for educational use and intended for Python
  • There are solar powered raspberry pi labs
  • DX.com have free shipping to Australia
  • HDMI display, PAL / NTSC / DSI. No VGA
  • Atrix Lapdock can be used as a screen.
  • USB touch screens available
  • Occidentalis is a good hacking distro
  • NOOBS good for kids hacking on rPI
  • Needs a clean 5v - do not use laptop USB ports for power. Do buy a power supply
  • Do grab a case.
  • Useful mini camera available
  • Lego (TARDIS) Case (you can buy one too)
  • Use an old gameboy case.
  • PIP Boy case
  • Game emulating up to PS2
  • Scratch is included - teaches coding
  • Google Coder for teaching to teach HTML java nodejs
  • New SETI programme
  • PiGate - rPI stargate
  • PiLorean!
  • PiFM - turn it into an FM transmitter
  • Tux photobooth
  • RaspBMC - XBMC
  • Arduino hacks available
  • R2D2 pi :-)
  • FishPi.org
  • Video game table out of IKEA parts
  • learn.adafruit.com

Simple DIY Engine Management for simple software hackers by Josh Stewart

Why?

  • Existing Options are:
    • Too closed
    • Too expensive
    • Too complex
    • Too hacker unfriendly
  • Good for learning how it works
  • Goal: Engine management system for $100 - usable in the real world

Inputs

  • Engine Speed
  • Engine Position
  • Engine Load
  • Engine Temp
  • Air temp
  • O2 reading

Maths

  • Volumetric Efficiency - measuring the engine's efficiency pumping air
  • Often only about 80% VE
  • Fuel algorithm is a fixed constant based on fuel required against 100% VE

The Bits

  • Arduino Mega 2560
  • IO Shield
    • 4 injector circuits
    • 4 ignitions control circuits
    • Relevant protection for 12v power

Problems

  • Math capabilities
  • Slow IO
  • Results with timing / accuracy

Other

  • Has an autotune function

Processing Continuous Integration Log Events for Great Good by Clark Boylan

Project Gating

  • Tests run on all proposed patches
  • Code merges are gated on tests
  • Ensure code quality
  • Protects developers
  • Protects code tree quality
  • Tests run continuously.

Log Archive

  • Logs on disk
  • Fronted by Apache and mod_autoindex
  • Lots of data, no information

Failures

  • Often not the fault of newly submitted code
  • 1% failures (race conditions / hardware)
  • "recheck" comments automate rechecks
  • Bug:failure relationships are manual

Need Something Different

  • Accessible logs with good UI, REST API & query language
  • Lots of existing options.
  • Went with Logstash, Kibana, ElasticSearch
  • Near realtime results

Complications

  • Collects logs from untrusted Jenkins slaves
  • Redis is unreliable at this scale
  • Can't index all logs due to volume
  • 1.3 billion logs events archived
  • 72 thousand queries
  • Doesn't currently tie back to Launchpad
  • CRM114 SPAM filter helps identify probable success / failures "probabilistic diffs"

Provisioning Bare Metal with OpenStack by Devananda van der Veen

  • Blocker to adoption is complexity of OpenStack install.
  • To resolve this installation to bare metal is critical
  • Ironic-conductor and ironic-api manage the hardware drivers and abstract them from Nova and other components

OpenStack is not a virtualisation layer, it's an abstraction layer

  • Consistent updates
  • nodes remapped to conductors
  • take-over hooks fire up

Conference Close

  • LCA2015 in Auckland
  • LCA2016 in Geelong

Lightning Talks

  • diybookscanner.org
  • Freedombox 0.2 release coming out in a few weeks
  • OneRNG - hardware random number generator
  • Central Coast starting up
  • dlect - Lecture Recording Downloader
  • Debian is cool
  • EFA need volunteers

Snakes! Cicadas! On a Farm!

Coming to a cinema near you these holidays...

There are no cicadas in Tasmania. Coming from NSW, the summer hum of cicadas was a familiar sound. Since moving to Tasmania five years ago I've never heard one.

You get to know every sound in the country. There's no background city hum so you get to recognise each distinct sound, birds, frogs, insects and a new sound stands out. A loud new sound stands out dramatically and prompts you to rush outside to check it out...

There was what looked like a small "black prince" on the fence post which flew off before I could photograph it.

So, I chased it 20M up the driveway to another fence but as I got to within 1M it flew into the bucks' paddock.

I ran back down the drive, through the gate and ran in the direction I last saw it flying then stood very, very still. A few minutes later it began to sing again, so I approached the source of the sound in a tuft of grass very carefully...and he flew off behind the bucks' shed!

I bolted up to the bucks' shed and ran behind it, stopped, waited and listened. Then I heard a sound, a new sound. My peripheral vision caught some movement at my feet and my heart leapt out of my chest:

Tiger Snake?

This jet black beauty was over 2M long, thicker than my wrist, its head is the size of my fist (zoom in) and was probably a tiger snake. Fortunately it was significantly more terrified of me (it could undoubtedly see up the utility kilt) and was heading as fast as it could into its bolt hole, where I left it.

Once my heart rate was back under control, I listened for a few minutes for the cicada but there was nothing to be heard so I sulked off back out of the paddock.

As I neared the gate, above the sound of frogs and crickets I heard the new sound again, from the direction of the bucks' shed! So I ran back through the paddock like I was in a Dr Who episode, up the hill, behind the bucks' shed and stood with my ears to the wind and my eyes to the ground.

I heard the sound again and walked steadily to the wildlife corridor, through the gate towards an old, moss covered fence post and started taking photos from about 2M away but this time I was eventually able to get only centimeters away:

Black Prince Cicada

What a little beauty. Their sound is very unlike that of cicadas in NSW and I have thus far only heard and seen this one. Good luck mating little fella!

Fun Facts!

So of course I did a little research on the intarwebs when I got back:

many Tasmanian invertebrates (and, of course, vertebrates and plants) are of Gondwanan origin, some reveal even more ancient lineages that extend back to Pangea - the supercontinent that predated Gondwana beyond 200 million years ago.

Nearly half of the invertebrate species found within the Tasmanian Wilderness World Heritage Area, for example, are found nowhere else on Earth.

IF YOU thought the noise of cicadas in the bush around Northern Tasmania this year was louder than usual, you would be correct.

Launceston entomologist Simon Fearn said our first wetter summer for a while had seen the hatching of millions of the large and loud black insects.

Many people around the world regularly eat cicadas. They are known to have been eaten in Ancient Greece as well as China, Malaysia, Burma, Latin America, and the Congo. Female cicadas are prized for being meatier.

Installing OpenWRT on a TP-Link TL-WDR4300

The TP-Link WDR4300 (v1.6) has an impressive array of hardware features and 128M of RAM for about $160. Unfortunately it comes with firmware that the vendor has deliberately crippled and a known backdoor.

Backdoor warning

Fortunately the amazing OpenWRT exists so we can make this nifty little machine work really hard for us doing a wide array of things. Here's how you get OpenWRT onto this router:

Pre-Installation

Install the Firmware

  • Log into the WDR4300 at 192.168.0.1 using admin:admin
  • Select System Tools then Firmware Upgrade
  • Press Browse and select the firmware you just downloaded
  • Press Upgrade then OK.
  • You will then see the firmware upgrade in progress.
  • After a couple of minutes this should switch to Software Upgraded Successfully! and commence restarting.

Post Flashing

  • The network range will have changed to 192.168.1.0, so you will need to obtain a lease on this range by restarting your network services or disconnecting / reconnecting your network cable
  • The new OpenWRT firmware is on 192.168.1.1 so point your browser in that direction
  • You'll be greeted with a warning that there is no password set for this device, click the link to set one.
  • Enter in your new password and confirmation, then scroll down and press Save & Apply

That's it for basic installation. You've now got a powerful little router running OpenWRT and the possibilities abound.

External Port Forwarding with OpenWRT 12.09

This describes how to forward an external port to an internal server / port in OpenWRT 12.09:

OpenWRT logo - Wireless Freedom!

  • Click on Network.
    • Click on Firewall.
      • Click on Port Forwards.
        • Scroll down to New port forward
        • Name the port forward appropriately
        • Select the Protocol as required.
        • Select the External zone, normally wan for a service you wish to forward internally.
        • Enter the external port you wish to forward internally
        • Select the Internal zone, normally lan for a service you wish to forward internally.
        • Select the Internal IP address you wish to receive the forward.
        • The Internal port should default to what you put in the external port. Change if required.
        • Press Add.
      • Click on Traffic Rules
        • Scroll down to New forward rule.
        • Enter in an appropriate name for the rule.
        • Select the source, usually wan for inbound forwarding
        • The Destination zone should default to wan. Select wan if it isn't already selected.
        • Press Add and edit....
        • Set any fields here as appropriate, ensure the protocol field is correct.
        • At the very least you will need to set the port, as per the previous step.
        • Press Save & Apply.

You should now be able to test this port forward and it ought to have been successful :-)

Internal Port Forwarding with OpenWRT 12.09

This describes how to simply forward an internal port to the Internet in OpenWRT 12.09:

OpenWRT logo - Wireless Freedom!

  • Click on Network.
    • Click on Firewall.
      • Click on Traffic Rules
        • Scroll down to New forward rule.
        • Enter in an appropriate name for the rule. Appending "- out" is useful.
        • Set the Source zone to lan, usually it's the default already.
        • The Destination zone should default to wan. Select wan if it isn't already selected.
        • Press Add and edit....
          • Set the Protocol as appropriate
          • Check the Source zone is correctly set to lan.
          • Check the Destination zone is correctly set to wan.
          • Set Destination port to the port you wish to allow out.
        • Press Save & Apply.

You should now be able to test this port access out from the lan to the wan and it ought to have been successful :-)
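Both LuCI procedures (the external port forward in the previous post and the outbound rule in this one) end up as sections of /etc/config/firewall. The fragment below is an added example, not from the original posts: it shows a web server forward as the Port Forwards page writes it beside a tightened version, and the outbound rule for one service. The name strings, 192.168.1.10, 203.0.113.5 and the port numbers are constructed.

```uci
# /etc/config/firewall fragments (added example; names, addresses and ports are constructed)

# External port forward as the Port Forwards page writes it: TCP and UDP 8080
# from anywhere on wan to 192.168.1.10:80. Broader than a web server needs.
config redirect
	option name 'web-in-loose'
	option src 'wan'
	option src_dport '8080'
	option dest 'lan'
	option dest_ip '192.168.1.10'
	option dest_port '80'
	option proto 'tcpudp'
	option target 'DNAT'

# Same forward, tightened: TCP only, and only from one remote address.
# Anything else arriving at wan:8080 falls through to the wan zone's
# default policy (REJECT on a stock configuration).
config redirect
	option name 'web-in-tight'
	option src 'wan'
	option src_ip '203.0.113.5'
	option src_dport '8080'
	option dest 'lan'
	option dest_ip '192.168.1.10'
	option dest_port '80'
	option proto 'tcp'
	option target 'DNAT'

# Forward rule as the Traffic Rules page writes it for the "- out" case:
# allow hosts on lan to reach TCP 5222 (XMPP) on the Internet.
config rule
	option name 'xmpp-out'
	option src 'lan'
	option dest 'wan'
	option dest_port '5222'
	option proto 'tcp'
	option target 'ACCEPT'
```

Reloading the firewall (/etc/init.d/firewall restart) applies the file, which is what Save & Apply does behind the page.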

Rocket Stove

According to Wikipedia, a Rocket Stove is:

an efficient cooking stove using small diameter wood fuel which is burned in a simple high-temperature combustion chamber containing a vertical chimney and a secondary air supply which ensures almost complete combustion prior to the flames reaching the cooking surface.

Last night I was fortunate enough to have drive of one that Rob and Ken had knocked up during the week. The ingredients were:

  • Some spare square piping
  • A small found drum
  • About 19 kilos of kitty litter

and the result was this:

Rocket Stove

Ignore the larger sticks in the picture above; this rocket stove generated an awful lot of heat using little more than bark and kindling while the kitty litter kept the outside cool enough to touch. It was brilliant.

A rocket stove generates high heat and very little smoke, keeping the air as clean as possible. You can even make them with as little as 16 bricks. There are 6 plans here which are very simple and easy to do.

As it turns out, there are a lot of possible uses for these little beauties.

Embed RoundCube In ownCloud

This describes how to get your RoundCube 0.9.5 instance embedded into your ownCloud 6.x installation. You would do this primarily as a convenience for heavy ownCloud users, so they don't need to leave ownCloud to interact with their webmail client.

On Your Server:

  • Download the roundcube app from the ownCloud apps repo.
  • Unzip it in your ownCloud web root (usually /var/www/owncloud)
  • Set the permissions to be readable by your webserver:

In a Debian installation, that looks like this

$ sudo chown -R www-data:www-data /var/www/owncloud/apps/roundcube

Inside ownCloud's Web Interface

  • Scroll down the apps menu and click on the +Apps icon.
  • Scroll down till you see RoundCube Mail and select it.
  • Press Enable.
  • Click on your name in the top-right hand corner to reveal your menu.
  • Press Admin.
  • Scroll down to RoundCube Settings.
  • In Basic Settings type the absolute path to the RoundCube installation, usually /roundcube/
  • Press Save.

Log into RoundCube Mail inside ownCloud

  • Click on your name in the top-right hand corner to reveal your menu again.
  • Press Personal
  • Scroll down to RoundCube Mailaccount and enter your username and password.
  • Click on the Webmail icon in the apps menu on the left.

You should now see the app logging you in and after a few seconds, hey presto, there's your RoundCube session inside ownCloud.

ownCloud RoundCube

Old Man of the Sea

Southern Tasmania put on a special day and we made the most of it by heading to Roaring Beach for some kayaking and Hamish's first surf:

Roaring Beach on a perfect Summer's day:

Long shot of Roaring Beach

Hamish and I had been out visiting "pirates" on their catamaran:

All out to sea

We're actually pulling onto what passes for a wave at Roaring Beach:

Catching a wave with Hamish

Hamish caught his first waves on my 9'4" McTavish Fireball:

Hamish surfing

The old man of the sea comes ashore after dusting off his surf board for the first time since they crossed Bass Strait 5+ years ago:

Old Man of the Sea

Crashing the Web UI in OpenWRT

The web user interface in OpenWRT is a reasonably good tool for configuring and managing OpenWRT devices. However it is possible to crash it with fairly innocuous behaviour.

OpenWRT logo - Wireless Freedom!

If you're doing a large volume of changes to firewall rules via the web UI, it is tempting to use the Save option rather than Save & Apply, as it saves you a little time and spares service disconnections as the rules are reloaded.

In the top-right-hand corner you will see in red the number of unsaved changes that have been made and require Save & Apply to be pressed to commit persistently. If you store too many changes via Save, somewhere >50, before pressing Save & Apply you can crash the web UI.

You'll start to receive partial page loads or complete failures to load. You'll still be able to ssh in and poke around. If you do, top will tell you everything is fine and restarting uhttpd will not correct the problem.

I was pressed for time and the only way to resolve this I've found thus far is to reboot the device. Everything came good, except for the changes you've accumulated since the last Save & Apply.

The lesson here is to not rely on Save. When you're happy with how a ruleset works, press Save & Apply early and often.

Utilising VLANs in OpenWRT

There are many ways you can utilise VLANs in OpenWRT. This documents particularly how to configure a TP-Link WDR4300 running OpenWRT 12.09 to conform to an existing VLAN topology, where VLAN 1 is for data and VLAN 2 is for VOIP (voice) traffic.

OpenWRT logo - Wireless Freedom!

Create a third VLAN:

By default OpenWRT comes with VLANs disabled and when enabled, there are two VLANs. VLAN 1 is for the lan interface and VLAN 2 is for the wan interface. Here we have to enable VLANs, create a third VLAN and swap configurations between VLAN 2 and 3:

  • Click on Network.
  • Click on Switch.
  • Select Enable VLAN functionality.
  • Scroll down and click on Add - VLAN ID 3 should appear.
  • Make VLAN 3 settings the same as VLAN 2
    • Set CPU to tagged for VLAN 3
    • Set Port 1 to off for VLAN 2
    • Set Port 1 to untagged for VLAN 3
  • Press Save

Re-Configure the WAN Interface

Now we need to tell the WAN interface to use VLAN 3 instead of VLAN 2:

  • Click on Network.
  • Click on Interfaces.
  • Click on Edit for the WAN interface
  • Click on Physical Settings
    • In Interface select VLAN Interface: "eth0.3".
    • Press Save & Apply.
  • Check that wan is set to VLAN Interface: "eth0.3"
  • Re-check the Switch settings are as per the previous section.
  • Click on System then Reboot.
  • Click on Perform reboot.

It can take about a minute for services to return after this reboot.

Create the Voice VLAN Interface

Welcome back! Hopefully you didn't make any typos and haven't had to factory reset the box once or twice to get here. Now we're going to create the interface for voice traffic:

  • Click on Network.
  • Click on Interfaces.
  • Click on Add new interface...
  • Name the interface appropriately, I'll use Voice for this example.
  • Ensure the interface is set to Static address.
  • Set Cover the following interface to VLAN Interface: "eth0.2".
  • Press Submit.

You will now be taken to the page titled Interfaces - Voice.

Common Configuration

General Setup

Here we set the basic IPv4 configuration for this interface (did I mention I'm assuming IPv4?).

  • Set the IPv4 address as appropriate.
  • Select a class C netmask (255.255.255.0) if you have a class C network (most likely)
  • Press Save.

Firewall settings

After clicking on the Firewall Settings tab, we will assign the Voice interface to the lan firewall zone:

  • Select lan.
  • Press Save.

DHCP Server

General Setup

I required a DHCP server for the VOIP handsets, so here's what we set:

  • De-select Disable DHCP for this interface.
  • Set the Limit to 100
  • Press Save.

That's it. Everything else is automatically determined by the IPv4 address you set in Common Configuration. I set the limit 100 as that is the dedicated DHCP range for VOIP handsets on that LAN. You could probably safely leave it at 150 (the default) or set it to the range appropriate for your network.

Switch Configuration

Now we need to tell the OpenWRT switch which ports will be active on the Voice VLAN. In this example I select all 4 LAN ports on the WDR4300:

  • Click on Network.
  • Click on Switch.
  • Set Port 2 through to Port 5 as tagged for VLAN 2 (as per picture below)
  • Press Save & Apply.

This picture illustrates the connection between switch ports in OpenWRT and the physical ports on the WDR4300, as well as the final switch configuration:

openWRT Switch to WDR4300 Ports

Send it live!

Okay, let's roll the dice and hope it comes back up:

  • Click on System then Reboot.
  • Click on Perform reboot.

If you've not made any typos, it should all come back up and you'll have a working VLAN 2 for voice. If you can't access the box, you've made a typo. Factory reset and try again. Happy VLAN-ing!
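The whole procedure above, expressed as the UCI configuration LuCI writes for it. This is an added example and not from the original post: it assumes the switch is named eth0 as 12.09 does on the WDR4300, that the wan gets its address by DHCP, and uses a constructed 192.168.2.0/24 for the Voice VLAN.

```uci
# /etc/config/network (added example; switch name assumed, addresses constructed)
# Port 0 is the CPU, port 1 the physical WAN socket, ports 2-5 the LAN sockets.
config switch
	option name 'eth0'
	option reset '1'
	option enable_vlan '1'

# VLAN 1: data. CPU tagged, LAN ports untagged (the stock lan VLAN).
config switch_vlan
	option device 'eth0'
	option vlan '1'
	option ports '0t 2 3 4 5'

# VLAN 2: voice. CPU tagged and all four LAN ports tagged, so 802.1Q-tagged
# handset traffic reaches the Voice interface ("Switch Configuration" above).
config switch_vlan
	option device 'eth0'
	option vlan '2'
	option ports '0t 2t 3t 4t 5t'

# VLAN 3: wan, moved off VLAN 2 in "Create a third VLAN". CPU tagged, WAN socket untagged.
config switch_vlan
	option device 'eth0'
	option vlan '3'
	option ports '0t 1'

config interface 'lan'
	option ifname 'eth0.1'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

# WAN now rides VLAN 3 ("Re-Configure the WAN Interface").
config interface 'wan'
	option ifname 'eth0.3'
	option proto 'dhcp'

# The interface from "Create the Voice VLAN Interface" (IPv4 only).
config interface 'Voice'
	option ifname 'eth0.2'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

# /etc/config/dhcp: the pool for the VOIP handsets, limit 100 as in the post.
config dhcp 'Voice'
	option interface 'Voice'
	option start '100'
	option limit '100'
	option leasetime '12h'

# /etc/config/firewall: Voice joins the lan zone as set under "Firewall settings".
# Give it a zone of its own instead if the handsets must not reach the data LAN.
config zone
	option name 'lan'
	option network 'lan Voice'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
```

Check the result after the reboot with swconfig dev eth0 show, which lists the tagged/untagged membership of every port per VLAN.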

Learning Python the Hard Way

I've recently started learning Python. In particular I've started Learning Python the Hard Way which I'm now half way through while I wait for O'Reilly's book Learning Python to arrive.

Python

The free HTML version has been enjoyable and well paced experience. I highly recommend it for anyone else interested in picking up python.

I've been punting my exercises up into my gitweb repo which I'm also mirroring to my github account. Yay for free backups.