Sat Sep 27 19:06:10 IST 2008

Trac, MySQL and authentication

What we needed at work :
  • A wiki
  • VPN
  • A bug/issue tracker
Trac gave us the first and the last, and OpenVPN gave us the middle. The newer versions of Trac can use MySQL as a database instead of SQLite and have a nice AccountManager plugin.

And it all comes together with pam_mysql. The only problem was that Trac likes to store passwords hashed as HTTP-Digest style hashes (not the most secure, I know) with an empty realm, and pam_mysql doesn't work for that. The solution was a simple patch to pam_mysql which adds support for such hashes. I'll publish that soon - I'm making it more general by adding support for realms rather than assuming that realm would be empty.

OpenVPN (and apache - via mod_auth_pam) etc. can authenticate via PAM and adding authentication to anything is a simple matter of placing the right .htaccess file. And this is a *common* password across all services, which users can change on the wiki, in their browsers, with a nice polished interface. No unix shells for people who can't deal with them.

This is no Kerberos, but is infinitely simpler - which means a lot for a small startup.

There are a few gotchas though :
  • Apache doesn't like empty realms. This can be worked around by switching to Basic authentication where passwords are passed on to PAM and we ignore realm. Yes, Basic is worse, but there's always SSL. Thus, one can supply _any_ value of realm (the AuthName in .htaccess). The situation might improve if my pam_sql patch accepts realms and we manage to modify the Trac AuthManager plugin to use the same realm.
  • SSH doesn't like to authenticate users which don't have an account on the machine. It does a getpwent() call, and if it fails, it sets the password to '^H ^M INCORRECT' (the ^H and ^M represent the control chars here, but this is what you see in your logs if you debug PAM). One (ugly, in my opinion) way out is to LD_PRELOAD your own getpwent() method for sshd. The other is to grant ssh access to people on a machine by machine basis. This doesn't scale beyond a point but is good enough for small setups and the most secure. We use this. The cleaner solution of course, is to use something like nss_mysql. This might be our next step, but not in the immediate future.
Patch to come Real Soon Now.
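The digest format behind the pam_mysql problem above and the realm gotcha in the list, as an added Python example (not the author's pam_mysql patch): HA1 is MD5 over user:realm:password, so a verifier has to use the realm Trac actually stored (empty), not whatever AuthName Apache happens to send. User names and passwords below are constructed.

```python
import hashlib
import hmac


def digest_ha1(user: str, password: str, realm: str = "") -> str:
    # HTTP Digest "HA1" = MD5("user:realm:password"), hex encoded.  With the
    # empty realm the post describes, the hashed input is "user::password".
    return hashlib.md5(f"{user}:{realm}:{password}".encode("utf-8")).hexdigest()


def htdigest_line(user: str, password: str, realm: str = "") -> str:
    # One record in htdigest format (what Trac's AccountManager keeps):
    # user:realm:HA1
    return f"{user}:{realm}:{digest_ha1(user, password, realm)}"


def verify(stored_line: str, user: str, password: str) -> bool:
    # What a PAM module backed by such a table has to do: take the realm from
    # the stored record (not from the client or .htaccess), recompute HA1 and
    # compare in constant time.
    s_user, realm, ha1 = stored_line.rstrip("\n").split(":", 2)
    if s_user != user:
        return False
    return hmac.compare_digest(digest_ha1(user, password, realm), ha1)


# Constructed sample record; "alice" and her password are made up.
SAMPLE = htdigest_line("alice", "correct horse", "")
```

Because the realm is part of the hashed input, a record created with an empty realm can only ever be verified with an empty realm; that is why the Apache AuthName value must be ignored on the PAM side.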

Posted by gera | Permanent Link | Categories: tricks, technology, hacks | [ 0 ]

Tue Jul 22 21:40:42 IST 2008

SPG - Simple Password Generator

I have been using unique passwords for (almost) all the websites I have accounts on, and have a handy script to do the task for me. The idea is simple and came from a comment on a blog post. You just need to remember one secret passphrase. Every time you need a unique password, append that secret to a unique string identifying the use (the website URL, or the domain name), hash the result and use the first n characters of it as the password. Unique, and there's only one thing to remember.
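The scheme just described, as an added Python example (not the author's Perl script): the site identifier is normalised so that a URL and its bare domain agree, the secret is appended, the result hashed and truncated. Going one step beyond the post, it also keeps the digest as base64 rather than hex, because n hex characters carry only 4n bits. The helper names are my own.

```python
import base64
import hashlib
from urllib.parse import urlsplit


def site_key(site: str) -> str:
    # Normalise the "unique string identifying the use" so that
    # "https://www.Example.com/login" and "example.com" derive the same password.
    host = urlsplit(site if "://" in site else "//" + site).hostname or site
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def spg(secret: str, site: str, length: int = 12, hexonly: bool = False) -> str:
    # The scheme from the post: append the secret to the site identifier,
    # hash, and keep the first `length` characters.
    digest = hashlib.sha256((site_key(site) + secret).encode("utf-8")).digest()
    if hexonly:
        # 16-symbol alphabet: 4 bits of entropy per character
        return digest.hex()[:length]
    # base64 keeps 6 bits per character, so 12 chars give ~72 bits instead of
    # 48.  Some sites reject '+' and '/', so check the site's password rules.
    return base64.b64encode(digest).decode("ascii")[:length]


if __name__ == "__main__":
    # constructed inputs
    print(spg("my secret passphrase", "https://www.example.com/login"))
```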

The script is useful enough, and I'm finally getting around to releasing it. There are other password generators (like Crypt::RandPasswd, Data::SimplePassword, String::MkPasswd, Text::Password::Pronounceable, Crypt::PassGen etc.), but they focus on creating random passwords - leaving it upon the user to manage and remember them.

This might be useful as a firefox extension as well. I eventually plan to convert it to one, but if someone else wants to do it, or has already done so - even better. It's a very simple idea, and I'm sure it can be implemented purely in chrome/javascript.

I need a place to announce it and I will let this be that place.

Posted by gera | Permanent Link | Categories: tricks, perl | [ 1 ]

Sat Jul 12 12:52:53 IST 2008

Gutsy to Hardy - upgrade hiccups

So I decided to upgrade to Hardy after doing a Wubi install on a couple of machines. With some gotchas of course.

I couldn't login. Not even as root. It wouldn't even ask for a password, but straightaway said "login failed" (on the console) and "authentication failed" (gdm).

That seemed like a PAM problem and it was. My encrypted HOME setup uses pam_encfs which had a problem loading into PAM.

The fix : a recompile, but after the patch mentioned in this bug.

Also, my network profiles stopped working - which turned out to be because of sudo. Adding 'env_keep=NETSCHEME' to the Defaults in sudoers fixed that too.

Posted by gera | Permanent Link | Categories: tricks | [ 2 ]

Sat Jul 5 12:20:17 IST 2008

Location aware GTD trick

I have my gtdo to manage the TODOs, and it shows me the list every time I open a terminal (via a 't ls' in my .bashrc). But what to do when my '@work' TODO list grows long and is shown to me on every terminal spawn, even at home?

What I also have is my network profiles setup. Till today, my office profile was called "office" - which I changed to "work". This makes my profile name the same as my context name ('work' and '@work' - we can manage the @ in the context). Do I need to say more? :)

Every time I do a 'NETSCHEME="work" sudo ifup ath0' and the network comes up, the '/var/run/network/ifstate' contains a line like 'ath0=ath0-home'. Which means, I can get the profile I'm using. Which means, if I name my profiles carefully, I can get the location I'm at. Which then means, if I name my contexts carefully, I can get the relevant context.

Adding this:
LOCATION=`grep -m 1 '-' /var/run/network/ifstate | awk -F '-' '{ print $2 }'`
t ls @$LOCATION
to my .bashrc works like magic.

By the way, I *could* scan for known SSIDs and select a network (and hence a location and a context) automagically, but I don't do that yet - one of the reasons being that I *think* there might be an information leak hidden somewhere. But I haven't thought it through. But I might, and then I might get around to doing it.

Posted by gera | Permanent Link | Categories: tricks, hacks | [ 5 ]

Wed Jun 25 19:19:20 IST 2008

Being too smart is annoying

Some people have been saying that Firefox tries to emulate other browsers and be Windows-like in general. Some people have been saying that about Linux/Ubuntu as well. I don't know how correct they are and what they're based on, but there's one thing that comes in the category of being too smart and too user friendly which ends up annoying the regulars.

I was on my machine and wanted to run a remote instance of Firefox, with the display forwarded back to my machine. I had X forwarding over SSH and my DISPLAY environment variable all set up. But when I started 'firefox' on the remote commandline, it opened up an instance of firefox *locally*. WTF!!?

The fix to this is a 'MOZ_NO_REMOTE' env variable. Duh.

Posted by gera | Permanent Link | Categories: tricks, web, hacks | [ 0 ]

Wed Mar 19 20:28:26 IST 2008

Widescreen monitors and modelines

I got a new widescreen LCD for use with my Eee. Everything went fine, but the default resolution of 1024x768 kinda sucked. The monitor (Acer AL1516W) supports a max of 1280x800, so I tried that, but I needed a custom modeline to get it working. The monitor specs say that it supports "1280x800@60Hz", but a lot of modeline generation tools don't support that odd widescreen resolution. This one does. The catch is the 60Hz - which is more like 59.91, which goes in as 59.73 in the textbox on that page. It does tell you the different values ("actually 59.91"), but you have to keep an eye on it. Another important thing is the monitor's 'Dot Clock' frequency. If you're exceeding that (and the tool will warn you if you are), it's most probably a mistake. Go re-read the specs of the monitor again.

FWIW, here's the modeline for the Acer AL1516W that I generated for the Eee :
"1280x800@59" 83.44 1280 1312 1624 1656 800 816 824 841

Posted by gera | Permanent Link | Categories: tricks | [ 1 ]

Tue Mar 11 12:06:42 IST 2008

LibTracker::Client

I'm writing a Perl interface to libtrackerclient (see the Tracker Project). The code will come out when it manages to do something - which should be soon, but I need a place to announce it and hold any comments that might come across. For the lack of a better option, I'd let this post be it.

Update : The code is at a stage where it's usable. The git repository is at http://repo.or.cz/w/LibTracker-Client-Perl.git. You can also grab the latest snapshot. The code is a lot of XS and some Perl. You would need libtrackerclient (and headers), glib-2.0 (and headers) and dbus-glib-1 (and headers) along with the obvious things like Perl headers and a C compiler.

Posted by gera | Permanent Link | Categories: perl | [ 0 ]

Sat Mar 8 19:47:35 IST 2008

Git-Bugzilla integration

There's always SCMBug, but you can cook your own Git-Bugzilla integration very easily. SCMBug's fine, but it's a lot of code if all you want is simple cross-linking between Git, Bugzilla and Trac (btw - GitPlugin for Trac would throw up an error unless you have at least *two* commits in your repository - talk about undocumented easter bugs!).

Anyhoo - here's what I want :
1. Git should disallow any commit where the commit message does not have a bug number.
2. Git should add a comment to the corresponding bug on a commit, mentioning the author, the Trac changeset link, the commit message and the list of files which changed.

And here's the code to do it. First, the post-receive hook :

#!/usr/bin/perl -w
use strict;

# A hook script which integrates with bugzilla. It looks for bug IDs in
# commit messages and adds the commit message as well as a link to the
# changeset as a comment on the bug.

# This program is released under the terms of the GNU General Public License
# version 2. A copy of the license may be obtained by emailing the author,
# or at http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
#
# The absolute lack of warranty and other disclaimers as per the license
# apply.
#
# Copyright 2008, Devendra Gera. All rights reserved.
#
# Author : Devendra Gera 

### user configurable section

# The bugzilla hash contains the server, username and password for the targeted
# bugzilla installation. There's NO 'http://' in the server line.
my $bugzilla = {
	server		=> "10.147.251.90/bugzilla",
	user		=> "demonuser",
	password	=> "daemonuserspassword",
};

# __PATH__ and __REVISION__ are replaced in $browser->{changeset} and
# $browser->{revision} to get the changeset and revision URLs respectively. 
my $browser = {
	changeset	=>
	"http://10.147.251.90/projname/changeset/__REVISION__",
	revision	=>
	"http://10.147.251.90/projname/browser/__PATH__?rev=__REVISION__",
};

# The bug_regex should extract the bug id from the commit message and place
# it in $1
my $bug_regex = 'bug #(\d+)';


##### End user configurable section

use WWW::Bugzilla;

# post-receive gets one "oldrev newrev refname" line per updated ref on
# stdin; this hook only handles the first one.
my $input = <>;
chomp $input;

my ($oldrev, $newrev, $refname) = split /\s+/, $input;
my $commit_msg = `git whatchanged $oldrev..$newrev`;

# prepare the changeset URL
my $changeset_url = $browser->{ changeset };
$changeset_url =~ s/__REVISION__/$newrev/g;

# author
my ($author) = ( $commit_msg =~ /^Author:\s+(.*)$/m );

# files
my @filelist = grep ( /^:/, split( /\n/, $commit_msg ) );

# prepare comment
$commit_msg =~ s/^.*?Date://s;	# eat everything till the Date: header
$commit_msg =~ s/^.*?\n//m;	# eat the date line completely
$commit_msg =~ s/^:.*?$//mg;	# eat the file list from the msg.
chomp $commit_msg;
my ($bug_number) = ( $commit_msg =~ /$bug_regex/ );

my $comment = <<END_COMMENT;

------------------------------------
changeset $newrev [ $changeset_url ]
    by $author :

$commit_msg
------------------------------------

Files changed :
END_COMMENT

# one changed file per line (split() stripped the newlines above)
$comment .= join("\n", @filelist) . "\n";

my $bz = WWW::Bugzilla->new(
	server		=> $bugzilla->{ server },
	email		=> $bugzilla->{ user },
	password	=> $bugzilla->{ password },
	bug_number	=> $bug_number
);

die "cannot connect to bugzilla" unless defined $bz;

$bz->additional_comments( $comment );

$bz->commit;

And here's the update hook :

#!/usr/bin/perl -w
use strict;

my $refname = shift;
my $oldrev = shift;
my $newrev = shift;

my $commit_msg = `git whatchanged $oldrev..$newrev`;

# reject the push if the commit message does not contain a bug number
if($commit_msg !~ /bug #\d+/) {
	print STDERR "rejected: commit message must reference a bug (bug #NNN)\n";
	exit 1;
}

exit 0;

The TODO :
1. Push every configurable thing to git's config file and access it via git-config.
2. Code cleanups. One definition of the bug regex (which is hardcoded in the update for now).

edit : the here doc in the code was causing a problem with formatting, eating up some of the code. Fixed now.


Posted by gera | Permanent Link | Categories: tricks, perl, code, hacks | [ 6 ]

Sat Mar 8 18:45:35 IST 2008

WWW::Bugzilla fix

WWW::Bugzilla was a great help in setting up git-bugzilla integration, but there's a small fix which needs to be applied before it would work with my Bugzilla 3 install.

The problem is that WWW::Mechanize selects the first form on a page by default, and WWW::Bugzilla fails in WWW::Mechanize while setting any field to be updated (with a 'no such field' or 'no field called comment' etc. messages). On my Bugzilla install, there's a small bug search form in the header which makes that happen.

The fix is a single line and has been emailed to the author. Here it is :
@@ -614,6 +614,7 @@
     my $mech = $self->{mech};
 
     if ($self->{bug_number}) {
+        $mech->form_name( "changeform" );
         foreach my $field ( keys %update_field_map ) {
             $mech->field( $update_field_map{$field}, $self->{$field} ) if defined($self->{$field});
             # handle special cases
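Review bot: the return value of `$mech->form_name( "changeform" )` is not checked. WWW::Mechanize returns undef (with a warning) when the page has no form by that name, so on a Bugzilla whose edit form is named differently the following `$mech->field(...)` calls fail with the same 'no such field' message this line is meant to cure, only now with a misleading cause. Suggest `$mech->form_name( "changeform" ) or die "no changeform on the bug page";`, and consider making the form name a constructor option since it is Bugzilla-version specific.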

Posted by gera | Permanent Link | Categories: perl, hacks | [ 0 ]

Tue Mar 4 22:03:31 IST 2008

Network profiles in Ubuntu

There are various ways of managing multiple network profiles in Ubuntu, but I've never been a fan of NetworkManager. Commandlines work for me very well, and even there - multiple solutions exist with the help of packages like resolvconf etc. Here's my setup which is very Debian-ish and depends on this nice package called ifupdown.

First, there's the /etc/network/interfaces file :

# we always want the loopback
auto lo
iface lo inet loopback

# mappings
mapping eth0
  script /etc/network/map-scheme
  map dhcp eth0-dhcp
  map emergency eth0-emergency

mapping ath0
  script /etc/network/map-scheme
  map office ath0-office
  map home ath0-home

iface eth0-dhcp inet dhcp
  up iptables -F
  up lokkit -n -q --high --dhcp
  up /etc/init.d/lokkit restart

iface ath0-office inet dhcp
  wpa-driver madwifi
  wpa-conf /etc/wpa_supplicant/office.conf
  up iptables -F
  up lokkit -n -q --high --dhcp
  up /etc/init.d/lokkit restart

iface eth0-emergency inet static
  address 10.9.5.201
  gateway 10.9.4.1
  netmask 255.255.254.0
  up iptables -F
  up lokkit -q --high
  up echo nameserver 172.31.6.5 > /etc/resolv.conf
  up echo nameserver 203.197.12.30 >> /etc/resolv.conf

iface ath0-home inet dhcp
  wpa-driver madwifi
  wpa-conf /etc/wpa_supplicant/home.conf
  up iptables -F
  up lokkit -n -q --high --dhcp
  up /etc/init.d/lokkit restart

Notice the mappings section (and see 'man interfaces') - that allows me to say :

NETSCHEME="home" sudo ifup ath0

or

NETSCHEME="office" sudo ifup ath0

because the specified script (/etc/network/map-scheme) just looks up the NETSCHEME environment variable and spits out the correct mapping to go to. This thing, by the way, could be rigged to do arbitrarily complex tasks (look in /usr/share/doc/ifupdown/examples/ for sample scripts, including one which tries to ping some known IPs, and decides its location/profile based on successful pings - you could write one which looks for all known wireless SSIDs and then decides which profile to switch to). Here's my trivial script :

#!/usr/bin/perl -w
use strict;

# ifupdown feeds the "map" lines of the mapping stanza (minus the "map"
# keyword) on stdin, e.g. "home ath0-home", and expects the chosen logical
# interface name on stdout. Default to the "home" scheme if NETSCHEME is unset.
my $scheme = $ENV{NETSCHEME} || "home";

while(<>) {
	# strip the scheme name (anchored, quoted literally) and print what is
	# left, i.e. the logical interface name
	if ( s/^\s*\Q$scheme\E\s+// ) {
		print;
	}
}

The conf files in /etc/wpa_supplicant/* are of course wpa_supplicant configuration files. See 'man wpa_supplicant.conf' for details.


Posted by gera | Permanent Link | Categories: tricks, technology, perl, hacks | [ 0 ]