What is World IPv6 Launch?

Organized by the Internet Society, World IPv6 Launch on 6 June 2012 is intended to motivate organizations across the industry – including Internet service providers (ISPs), hardware makers, and web companies – to prepare for and permanently enable Internet Protocol version 6 (IPv6) on their products and services as Internet Protocol version 4 (IPv4) address space runs out.

This web site has been accessible via IPv6 since last year thanks to burst.net link to Hurricane Electric. And now I have configured CloudFlare to serve the content of the site via their CDN network which is also IPv6-enabled.

For home IPv6 connectivity I am using Ukrainian NetAssist tunnel broker which has delegated me a /48 block. I am actually using IPv6 in my LAN for all communications with occasional fallback to IPv6 for some services that does not support it yet.

So I am prepared for World IPv6 Launch.

Frankly speaking, I will celebrate the World IPv6 Launch day when I notice the first SSH brute force attack on my servers using IPv6 link.

Yandex-Import-Id: 61907928.366051546.1337588139.6716b286801600fc9c318745a3c0d97c

Surprisingly, setting up Keystone, Nova Compute, and Glance went really well with almost no effort from my side and I was even able to launch an instance of Ubuntu Server 12.04 running in nested KVM, which in turn was running on Compute virtual instance in KVM. So I had 2 levels of virtualization and it was still working quite well.

Then I decided to make Swift (Object Store) authenticating against Keystone (instead of built-in swauth). And this took a bit longer than expected.

I was using the following documents to prepare the installation:

• Installing OpenStack Essex (2012.1) on Ubuntu 12.04
• Multiple Server Swift Installation (Ubuntu)

This post assumes you are setting up a local private installation of OpenStack without HTTPS, which is fine when it is on a private LAN, but is a very bad decision for a public network. The passwords are traveling in clear-text. And by clear text I mean this:

1
2
3
4
5
6
7
8
9
10
11

POST /v2.0/tokens HTTP/1.1
Host: compute.example.com:35357
Content-Length: 132
content-type: application/json
accept-encoding: gzip, deflate
accept: application/json
user-agent: python-novaclient

{"auth": {"tenantName": "you@example.com-tenant",
          "passwordCredentials": {"username": "you@example.com",
                                  "password": "testing123"}}}

Keystone

The instructions at hastexo state they are missing the keystone integration with swift. So when it says you need to use a templated catalog, that catalog by default does not contain the swift endpoint. Here’s what you will need to append to the default:

1
2

catalog.RegionOne.object-store.publicURL = http://proxy-server.example.com:8080/v1.0/AUTH_$(tenant_id)s
catalog.RegionOne.object-store.name = Swift Service

See paragraph about AUTH_ prefix below.

Q: Where is “object-store” service defined?
A: Keystone does not actually care about the names and URLs of these endpoints, so the services themselves use the information. For example, swift application queries the endpoints and searches for object-store type, then directs all storage requests to the corresponding publicURL. All other service types are listed in default_catalog.templates.

Q: What is tenant_id?
A: Keystone knows several variables it can dynamically substitute with values based on the client - tenant_id and user_id. These are defined in TemplatedCatalog.

If you set up cert_key and key_file as the multinode howto says, your proxy-server will expect HTTPS (i.e. HTTP over SSL) connection. So adjust the schema accordingly.

AUTH_ prefix

By default Keystone’s swift_auth middleware is using reseller_prefix = AUTH_. So if you set up tenant with ID abc and set publicURL without AUTH_ prefix, you will get a very unhelpful message in syslog of proxy-server:

1

tenant mismatch: abc != abc

The real-world log line will look like this:

1
2
3

proxy-server tenant mismatch: ⤶ 
    9830818c942e40bbabaad02454524597 != 9830818c942e40bbabaad02454524597 ⤶
    (txn: txfd89a4d692394b3589c7d31c9f78ebb2) (client_ip: 192.168.1.110)

The message does not show the real compared value and, in fact, should print “abc != AUTH_abc”. You have two options:

• If you are setting up a single authentication server and the backend nodes are going to serve only one set of accounts, then you can unset AUTH_ prefix in middleware configuration on proxy-server and in endpoints catalog.

• If you have a massive deployment and it is possible to have resellers for the storage you provide, you set up a different reseller_prefix on each proxy-server that is going to serve a different reseller and update keystone catalog and middleware configuration on proxy-server.

So, to simplify our deployment, we are dropping AUTH_ prefix completely. Update the keystone service template:

1

catalog.RegionOne.object-store.publicURL = http://proxy-server.example.net:8080/v1.0/$(tenant_id)s

Update the reseller_prefix in swift.conf on proxy-server itself (you don’t need to change anything on storage nodes):

1
2
3
4

[filter:keystone]
paste.filter_factory = keystone.middleware.swift_auth:filter_factory
reseller_prefix = 
operator_roles = admin, swiftoperator

I will get to operator_roles setting later.

Proxy Server

Important: By default proxy-server will try to connect to keystone using HTTPS. Earlier versions would hang indefinitely but since the fix in 891687 the response from swift will be:

1

Account HEAD failed: http://proxy-server.example.com:8080/v1.0/a...3 503 Service Unavailable

If you are following the tutorials, keystone will not listen for HTTPS so you will need to modify proxy-server.conf:

1
2
3

[filter:authtoken]
...
auth_protocol = http

Zones

This is not actually about keystone but it’s nice to know.

First of all, if you feel lost about the concept of a Ring and OpenStack: The Rings is not helping, you should definitely read this analysis by Julien Danjou - you will find out slightly more than you need for the simple setup, the article tells you about the bottlenecks too, which you must know should you start a large-scale deployment.

So, a zone can be basically a disk, a server, a rack, or anything that groups the storage devices. If you have two servers and each holds a storage zone then PSU failure of one server will not affect the other zone.

For initial testing purposes you can actually start with a single zone, just set the number of replicas for the ring to be 1:

1
2
3
4
5

swift-ring-builder account.builder create   18 1 1
swift-ring-builder container.builder create 18 1 1
swift-ring-builder object.builder create    18 1 1
#                    partition size --------^  ^
#                       number of replicas ----'

Please note that if you want to change the number of replicas later, you will have to re-create the rings from scratch - 958144.

Tenants and Roles

Remember operator_roles in [filter:keystone] earlier? Only the users granted those roles will be able to access the storage server. If the user does not have the role listed there, then all the requests will fail with 401 - Unauthorized.

Tenants (earlier called projects) allow grouping the users. In order to use swift you will need to create a role, a tenant, a user and assign the role to the user within the tenant:

You can also use admin user and role set up in the tutorials above, but creating these users is quite straightforward.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33

$ keystone role-create --name swiftoperator
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
| id       | e77542b0b6884ea4ada3ec9eb6b75c6f |
| name     | swiftoperator                    |
+----------+----------------------------------+

$ keystone user-create --name you@example.com --pass testing123
+----------+-----------------------------------------+
| Property |                                   Value |
+----------+-----------------------------------------+
| email    | None                                    |
| enabled  | True                                    |
| id       | 866be627384044a49b3a172a1cbef74f        |
| name     | you@example.com                         |
| password | $6$rounds=40000$Bl/EL3YgSUqIpSr/$Lc...  |
| tenantId | None                                    |
+----------+-----------------------------------------+

$ keystone tenant-create --name "you@example.com-tenant"
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description | None                             |
| enabled     | True                             |
| id          | aaee4b5b277c40aaad201742db9e20c3 |
| name        | you@example.com-tenant           |
+-------------+----------------------------------+

$ keystone user-role-add --user 866be627384044a49b3a172a1cbef74f \
        --role e77542b0b6884ea4ada3ec9eb6b75c6f\
        --tenant_id aaee4b5b277c40aaad201742db9e20c3y

The names of the user and tenant can be arbitrary. For example, hpcloud uses your-email@example.com-default-tenant for tenant name and your email as username.

Great, now we check whether the user can get auth token:

1
2
3
4
5
6
7
8
9
10
11
12
13
14

$ nova --os_username you@example.com --os_password testing123 \
       --os_tenant_name=you@example.com-tenant \
       --os_auth_url http://compute.example.com:35357/v2.0 credentials 

+------------------+---------------------------------------------------------------------------+
| User Credentials |                                   Value                                   |
+------------------+---------------------------------------------------------------------------+
| id               | 866be627384044a49b3a172a1cbef74f                                          |
| name             | you@example.com                                                           |
| roles            | [{u'id': u'e77542b0b6884ea4ada3ec9eb6b75c6f', u'name': u'swiftoperator'}] |
| roles_links      | []                                                                        |
| username         | you@example.com                                                           |
+------------------+---------------------------------------------------------------------------+
...

And finally, we use swift cli:

1
2
3
4
5
6
7
8
9

$ swift -U you@example.com-tenant:you@example.com -K testing123 -A \
        http://compute.openstack.lappyfamily.net:35357/v2.0 -V 2.0 \
        stat

   Account: aaee4b5b277c40aaad201742db9e20c3
Containers: 0
   Objects: 0
     Bytes: 0
Accept-Ranges: bytes

Congratulations, the Swift/Keystone pairing is set up properly.

The next step is to play with the storage and I’ve already described what operations are available in my HP Cloud-related post.

Finally, there is a bug in python-webob that causes Swift HEAD request to return the following response:

1
2

Content-Type: text/plain
Content-Length: 13

This is 920197 and can be fixed by the patch attached to the bug report until I or somebody else forwards the patch to Debian maintainer (the fix is already in the trunk of webob thanks to quick Martin Vidner response).

S3 Emulation and Keystone

If you follow the instructions at Configuring Swift with S3 emulation to use Keystone, proxy-server will not actually be able to talk to Keystone because the /s3tokens URL is not being handled in the default configuration.

I found the solution in a message by Thanathip Limna at 956562 - [filter:s3_extension] config needs to be added along with adding s3_extension to pipelines of public_api and admin_api right after ec2_extension:

1
2
3
4
5
6
7
8

[filter:s3_extension]
paste.filter_factory = keystone.contrib.s3:S3Extension.factory

[pipeline:public_api]
pipeline = token_auth admin_token_auth xml_body json_body debug ec2_extension s3_extension public_service

[pipeline:admin_api]
pipeline = token_auth admin_token_auth xml_body json_body debug ec2_extension s3_extension crud_extension admin_service

If you don’t add this, any requests to Swift with S3 credentials are failing with Internal Server Error:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29

HTTP/1.1 500 Internal Server Error
Content-Type: text/plain
Content-Length: 1119
Date: Sun, 20 May 2012 08:31:12 GMT
Connection: close

Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/eventlet/wsgi.py", line 336, in
handle_one_response
    result = self.application(self.environ, start_response)
  File "/usr/lib/python2.7/dist-packages/swift/common/middleware/healthcheck.py",
line 38, in __call__
    return self.app(env, start_response)
  File "/usr/lib/python2.7/dist-packages/swift/common/middleware/memcache.py",
line 47, in __call__
    return self.app(env, start_response)
  File "/usr/lib/python2.7/dist-packages/swift/common/middleware/swift3.py",
line 479, in __call__
    res = getattr(controller, req.method)(env, start_response)
  File "/usr/lib/python2.7/dist-packages/swift/common/middleware/swift3.py",
line 181, in GET
    body_iter = self.app(env, self.do_start_response)
  File "/usr/lib/python2.7/dist-packages/keystone/middleware/s3_token.py",
line 157, in __call__
    (resp, output) = self._json_request(creds_json)
  File "/usr/lib/python2.7/dist-packages/keystone/middleware/s3_token.py",
line 91, in _json_request
    response.reason))
ServiceError: Keystone reply error: status=404 reason=Not Found

If you have modified the reseller_prefix in swift_auth middleware of proxy-server, you will need to change it in [filter:s3token] too, otherwise you will get this response from S3 emulation layer

1
2
3
4
5

<?xml version="1.0" encoding="UTF-8"?>
<Error>
  <Code>InvalidURI</Code>
  <Message>Could not parse the specified URI</Message>
</Error>

And that’s what will be in proxy-server syslog:

1

tenant mismatch: AUTH_abc != abc

So now we have Swift S3 emulation working with keystone too.

Интернет

Одним из условий подписания контракта с Canonical было наличие стабильного подключения к Интернет. После года попыток наладить нормальное подключение с домашним интернетом Билайна (теперь Киевстар, но VPN костыль у них никуда не делся) я решил перейти на akson45. За 2 года работы с этим провайдером суммарно связь пропадала на 8 часов (99.96% up) а в техническую поддержку потребовалось звонить два раза, первый раз - при подключении внешнего IP адреса, второй - уже во время падения канала связи.

С билайном я помнил телефон службы поддержки наизусть.

Банк

Уже долгое время я являюсь клиентом Piraeus Bank МКБ и пользуюсь практически всем спектром услуг - платежными картами, расчетными счетами, интернет-банкингом для физический лиц и предпринимателей. Специалист банка, Ольга Виценко, помогла разобраться в тонкостях работы с зарубежным клиентом и радостно отвечала на все мои вопросы (иногда довольно глупые) касательно банковских процессов, за что я ей очень благодарен.

Использование интернет-банкинга позволило оплачивать услуги различных компаний без комиссии, через стандартный банковский перевод. А SMS оповещение о транзакциях позволило создать достаточно простую и удобную систему учета расходов, о которой, возможно, я напишу в следующий раз.

Для того, чтобы поиграться с НСМЕП, я завел карту в Экспресс-Банке. Отношение к нему нейтральное. Сайт не содержит тарифов по обслуживанию карты, а для того, чтобы узнать о новых тарифах, требуется приехать в отделение. Почему-то для получения листка с тарифами, требуется предоставить свой паспорт. Тем не менее, их НСМЕП карта работает и я время от времени пересобираю wine с поддержкой смарт-карт в своем PPA.

Оборудование

Рабочий ноутбук у меня - Lenovo E420 (после того, как Acer Aspire 5520 сжег себе видеокарту). На батарее 25++ 94Wh (которую пришлось покупать в США, т.к. в Украине рынок батарей какой-то странный) система обещает проработать 6 часов. Этот ноутбук не может похвастаться низким энергопотреблением (сравнение здесь - тестирование RC6), однако у него очень удобная клавиатура, отличный экран и технические характеристики).

Между моей локальной сетью и сетью провайдера находится TP-Link TL-WR1043ND под управлением OpenWRT. Он служит как маршрутизатором, так и точкой доступа в режиме 802.11g (хотя позволяет и .11n). Дополнительно он выступает как шлюз в IPv6 сеть NetAssist и OpenVPN сервером на случай необходимости подключения к рабочим ресурсам, которые не защищены SSL.

В моей локальной сети есть также сервер, который используется как хост для хранения данных, вируальных машин различного назначения. Используется четырехъядерный AMD Athlon™ II 630 @ 2.8Ггц. На материнскую плату Asus M4A785T-M установлено 8Гб памяти, в качестве жестких дисков выступают 2x1.5Тб Seagate ST31500341AS после того, как при скачке напряжения вышли из строя 2 винчестера Samsung SpinPoint F3 (как оказалось, довольно обычное явление для этих дисков). В сеть подключены 2 гигабитные карты (RTL 8168B на материнской плате и D-Link DGE-528T). Требуется обе, так как при использования моста для виртуальных машин включение или выключение одной из них приводит к временному зависанию сети на данной карте (видимо, из-за перестройки топологии).

На сегодня все, надеюсь из данного поста удалось получить немного полезной информации. Удачи!

If you are using KVM directly, you will construct the command line manually and will eventually end up with something like this:

1
2
3
4
5
6
7
8

/usr/bin/kvm -S -M pc-1.0 -cpu qemu32 -enable-kvm -m 1024 \
  -smp 4,sockets=4,cores=1,threads=1 \
  -name plum -uuid 1da8c95b-0586-d41a-8c64-760034aa2453 \
  -nodefconfig -nodefaults \
  -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/plum.monitor,server,nowait \
  -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc -no-shutdown \
  -drive file=/dev/vg0/vm-nfs-test,if=none,id=drive-virtio-disk0,format=raw\
  ...

I’ve been there and wrote scripts to help maintaining running kvm instances. For a small number of options that’s OK. But interacting with the instances through qemu monitor quickly became very tedious.

When I found out about libvirt I was really excited. Well, I am still excited :)

The most user-visible part of libvirt is virt-manager which provides the GUI for libvirt API. It looks like this:

It allows creating, reconfiguring, cloning and deleting virtual machines and storage, configure virtual networks and control instance power states – almost everything you need.

Another client is a CLI application called virsh:

1
2
3
4
5
6

virsh # list
 Id Name                 State
----------------------------------
  4 plum                 running
  5 WIN7PNX64EN          running
  6 fedora-12            running

It allows modifying the VM description directly (that’s an XML file), managing the storage pool… Well, pretty much everything that virt-manager does and a little bit more, such as snapshotting the VM (warning: I am currently investigating the corruption happening with qcow2 disks but have not yet obtained any results).

libvirt is a client library. The server side is implemented by libvirtd. libvirtd can be connected to using Unix domain sockets or remotely via TCP.

To make contacting virtual hosts easier, the clients can connect to remote server through SSH. Basically client creates a SSH session, starts netcat on the remote end and makes it relay the commands from the local end to the Unix domain socket, in this case you will see the following in the process list on the server:

1
2

sh -c if nc -q 2>&1 | grep "requires an argument" >/dev/null 2>&1; then \
  ARG=-q0;else ARG=;fi;nc $ARG -U /var/run/libvirt/libvirt-sock

The grep is needed because there are 2 versions of netcat in existence, netcat-openbsd and netcat-traditional, each with a bit different options.

The user account on the server should have access to /var/run/libvirt/libvirt-sock file. The easiest thing to make this on Ubuntu is to add the user account to libvirtd group. In Fedora it is customary to use root account and allow root to log in via SSH (which I will never do again).

For remote virtualization servers the SSH access has another benefit, you can use VNC console without exposing the ports to an outside world. In this case upon starting the virt-viewer or using graphical console from virt-manager a new SSH connection is being created with…

1
2
3

sh -c nc -q 2>&1 | grep "requires an argument" >/dev/null; \
    if [ $? -eq 0 ] ; then   CMD="nc -q 0 127.0.0.1 5906"; \
    else   CMD="nc 127.0.0.1 5906";fi;eval "$CMD";

That allows kvm to listen on loopback interface only, while still being accessible to somebody with a shell account on the VM server.

Now this is all nice but using SSH has one drawback, it requires a shell account on the server which may not always be good. Additionally every request to virsh requires the SSH session to be set up and then torn down which adds to the total time of virsh command running. And when I got 10 virtual machines, volume listing in virt-manager became really slow, which I attributed completely to the SSH session. So I decided to set up everything for TLS connection and compare the speed of qemu+tls vs qemu+ssh.

I am not using SASL authentication and rely on TLS certificates only.

So, connecting to TLS libvirtd faster? Yes. Is virt-manager working faster? No.

First of all I followed the detailed instruction at libvirt wiki, creating all the necessary keys and certificates. Since I wanted only one account to become administrative one and not the whole host (even though I am the only user on the laptop), I copied the clientcert.pem, clientkey.pem and cacert.pem to ~/.pki/libvirt/.

Then I added -l to the list of libvirtd options on the server in /etc/default/libvirt-bin and restarted the service:

1

restart libvirt-bin

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

$ time virsh -c qemu+ssh://fridge.lappyfamily.net/system list
 Id Name                 State
----------------------------------
  4 plum                 running
  6 fedora-12            running

real    0m0.798s
user    0m0.040s
sys 0m0.012s

$ time virsh -c qemu://fridge.lappyfamily.net/system list
 Id Name                 State
----------------------------------
  4 plum                 running
  6 fedora-12            running

real    0m0.134s
user    0m0.052s
sys 0m0.008s

Yes! It is indeed faster! (qemu+tls:// is the same as qemu:// alone)

Checking virt-manager proved that while connecting is indeed faster, all other operations are carried over an existing ssh connection and take exactly the same amount of time, and that needs to be investigated in the code.

Remember that VNC connection is also proxied via SSH? VNC is gone for virt-manager as it relies on proxying. No SSH - no VNC.

You can get VNC console back if you reconfigure the VNC server to listen on all interfaces. While virt-manager still can’t connect to the graphical console, virt-viewer works perfectly.

So, having performed all these steps, I can say it was not really worth it but I will definitely continue using the TLS connection because of initial speed-up. You will want to use TLS connections under very particular circumstances where using SSH may add an additional point of failure (such as automated provisioning of virtual machines) or when you don’t want to expose SSH to an external world and still be able to connect to libvirtd (with TLS your traffic is both encrypted and authenticated using SSL). Using SASL will allow to have libvirt-specific accounts separate from your server accounts and that may be useful sometimes too.

Serial console

Now my remote libvirt server is accessible via SSH and TLS socket and, since VNC is not available, I started to look into making the linux virtual machines log to serial console as it is accessible over TLS socket. That’s actually quite easy for kernel and getty on Ubuntu, haven’t found a way to make grub cooperate yet:

Edit /etc/default/grub and alter the GRUB_CMDLINE_LINUX_DEFAULT to contain the consoles you want the boot messages to appear on:

1

GRUB_CMDLINE_LINUX_DEFAULT="console=tty0 console=ttyS0"

Run update-grub for the changes to take effect. This command will combine all the files needed to bring grub up and write /boot/grub/grub.cfg file. Never modify that file directly because the changes will be overwritten.

Now we run a login session on ttyS0 with this /etc/init/ttyS0.conf upstart file:

1
2
3
4
5
6
7
8
9
10
11
12
13
14

# ttyS0 - getty
#
# This service maintains a getty on tty1 from the point the system is
# started until it is shut down again.

start on stopped rc RUNLEVEL=[2345] and (
            not-container or
            container CONTAINER=lxc or
            container CONTAINER=lxc-libvirt)

stop on runlevel [!2345]

respawn
exec /sbin/getty -8 38400 ttyS0

start ttyS0 to make console appear and run virsh console:

1
2
3
4
5
6
7

$ virsh console plum
Connected to domain plum
Escape character is ^]
*press <Enter>*
Ubuntu 12.04 LTS plum ttyS0

plum login: 

Upon reboot the console will have all the info the kernel prints out.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

$ virsh console plum
Connected to domain plum
Escape character is ^]

Ubuntu 12.04 LTS plum ttyS0

plum login: rtg
Password: 
[...]
rtg@plum:~$ sudo reboot
[...]
 * Will now restart
[  507.815197] Restarting system.
[    0.000000] Initializing cgroup subsys cpuset
[    0.000000] Initializing cgroup subsys cpu
[    0.000000] Linux version 3.2.0-24-generic-pae (buildd@vernadsky) (gcc
version 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5) ) #37-Ubuntu SMP Wed Apr 25
10:47:59 UTC 2012 (Ubuntu 3.2.0-24.37-generic-pae 3.2.14)
[...]

Nice, huh?

A while ago I was searching for the docs on how to actually become an iSCSI target but the one I found - using iscsi on ubuntu 10.04 required to use a kernel module and I had some weird problems (too weird to start diagnosing just for fun).

So if you combine the target (server) setup from the fedoraproect.org with initiator (client) from the howtoforge, you will get a pretty decent iSCSI playground.

In ubuntu the package required for target is tgt.

In order for the server-side settings to be preserved across reboots, the configuration must be stored via tgt-admin utility (notice that this is a frontend to tgtadm):

1

tgt-admin -dump > /etc/tgt/conf.d/my-target.conf

iSCSI:

Compare this to my local Lenovo E420 hard disk:

The local hard disk is 5400RPM while the remote one was connected over GigE connection (with 500MBit/s max throughput, therefore 62MB max read speed).

To whoever is wondering the images were created by palimpsest, a disk utility by Redhat.

Now I just need to find a use case for this…

Місяць тому я подав документи у Міжрегіональний центр видачі паспортів, а вчора отримав новий паспорт.

Знову їздив двічі, цього разу через те, що пропустив наступний пункт у правилах:

Після закінчення відповідного терміну для отримання паспорта громадянина України для виїзду за кордон необхідно з внутрішнім паспортом та (за наявності) діючого закордонного підійти до робочих місць 8,9.

Дата видачі у самому паспорті - 10 квітня, тобто документ був готовий через 16 робочих днів.

Видача паспортів працює протягом усього робочого дня центру і займає 5 хвилин, але зранку люди створюють чергу на отримання паспортів ще до відкриття центру.

The reason for this is 927572 in the old Control Panel code, in Ubuntu Precise this switch was removed. However some users might have already disabled their synchronization service.

To re-enable this, open ~/.config/ubuntuone/syncdaemon.conf in your favorite editor (don’t use sudo) find the following text:

1

files_sync_enabled = False

Please change the value to True so it reads

1

files_sync_enabled = True

Save the file and re-open the control panel. Syncdaemon should now start and control panel will work.

• Properly format estimation time (982221)
• Order the Recently Published Files list by mtime (981726)
• Use ubuntuone-client icons if icon-theme is not ubuntu-mono (981350)
• Remove old ubuntuone-indicator.desktop file (982118)
• Refresh quota after uploads, downloads and unlinks (982164)
• Automatically restart after upgrade (983361)

Subsequent upgrades won’t require the users to relogin as indicator will restart itself automatically after every upgrade.

Further announcements will be posted at Announcements page only.

If you add ppa:rye/ubuntuone-extras, you’ll get all the updates automatically:

1
2
3

sudo apt-add-repository ppa:rye/ubuntuone-extras
sudo apt-get update
sudo apt-get install indicator-ubuntuone

About two years ago I published the post on Ubuntu One Indicator, which at that time simply displayed the current synchronization state right from syncdaemon by listening to DBus signals. Then it started to grow, attempting to estimate the time needed for Ubuntu One to complete the operations.

Basically it looked like this:

Earlier this week I decided that I need to get some real-world experience with Vala and since I have found the python-based indicator to consume about 40Mb of residential memory I decided to rewrite the indicator completely.

A couple of days and bug reports later…

Well, not much different, added some menu entries, but let’s add the file.

Yes, finally, it calculates the current transfer rate and provides the ETA for the whole queue to be completed. It takes into account only Upload and Download processes. Since Ubuntu One has greately improved the metadata processing speed, metadata operations can be almost neglected.

However at the moment Downloads are not estimated properly since SyncDaemon does not provide size info on Downloads, bugreport pending.

The 1.0.0 version is available in ppa:rye/ubuntuone-extras, for precise the package was renamed to indicator-ubuntuone to be in line with other packages. Installing transitional ubuntuone-indicator package will install indicator-ubuntuone, so don’t be alarmed.

The project page was renamed to indicator-ubuntuone too, “one-indicator” was a weird name, really.

The new indicator installs an autostart file to /etc/xdg/autostart so it should not be launched automatically. Old per-user autostart file can be safely removed, by default it is at ~/.config/autostart/ubuntuone-indicator.desktop). For those who are interested, the compiled binary is located at /usr/lib/indicator-ubuntuone/indicator-ubuntuone.

This is a call for testing. The upcoming 1.0.2 version contains the estimation process described above and if you have some spare time please help me testing it.

Grab a package below according to your architecture and install it using the Software Center.

• i386 indicator-ubuntuone
• amd64 indicator-ubuntuone

These all come from my daily PPA which gets automatically built by Launchpad using the recipe.

Please report the bugs you may find via Launchpad bug tracker and if you’d like to help translating it to your native language, head over to Launchpad translations.

Upstart is an event-based replacement for the /sbin/init daemon which handles
starting of tasks and services during boot, stopping them during shutdown and
supervising them while the system is running.

Upstart scripts have always seemed to be weird to me, somebody who learned about SysV init subsystem in Mandrake and Slackware long time ago. It seemed like Upstart was lacking lot of features but it turns out I just needed to understand what I was looking for.

So, when I found a need of a startup script, I decided to stop treating upstart as magic and here are my Upstart examples.

• Respawning a dead daemon.
• Monitoring the respawn limit.
• Disable an Upstart task.
• Listing, starting, stopping and restarting Upstart jobs.

Respawning a dead daemon

To stream files to my XBox (yes, I admit I have an XBox 360 console) I am using uShare, an outstanding piece of software that is actually compatible with Microsoft’s horrible DLNA specification. (That’s also the reason why I am so passionate about 973295 and 880076)

The default startup script simply launches the daemon as root and does nothing to keep it alive. As I found out one can make uShare exit by sending too much requests to reload the contents via its web server (this resulted from a bug in my inotify monitoring script, though). How do we ask upstart to restart the daemon?

1
2
3
4
5
6
7
8
9
10
11
12
13
14

# uShare UPnP A/V & DLNA Media Server

description     "uShare UPnP A/V & DLNA Media Server"
author          "Roman Yepishev <rtg@rtg.in.ua>"

start on filesystem
stop on runlevel [016]

respawn

setuid nobody
setgid nogroup

exec /usr/bin/ushare

Original script reads $USHARE_OPTIONS from /etc/default/ushare which does not actually exist so I left this out.

What we have above is a simple script that:

• Starts uShare when filesystem is available.
• Stops uShare when system is rebooted or shut down.
• Respawns the process if it exits.
• Makes the process run as nobody:nogroup because I don’t want it to run as root.

1
2
3
4
5

$ sudo start ushare
ushare start/running, process 5892
$ sudo kill 5892
$ sudo status ushare
ushare start/running, process 7800

Yep, it works as expected. restart stanza (that’s how these directives are called in Upstart) by default have a respawn limit 10 5 - 10 respawns per 5 seconds. If the application respawns faster than that (basically meaning that it cannot start successfully), the init will say

1

init: ushare respawning too fast, stopped

While respawn limit can be made unlimited such rate of failure signals about a real problem.

Monitoring the respawn limit

uShare crashing is not such a big deal but it was still upsetting my wife since it meant I had to log into the server and start the process again (before I fixed a bug in my script). But then I thought that notifying an administrator about such kind of an issue is a good thing.

1
2
3
4
5
6
7
8
9
10
11
12
13

# upstart-respawn-monitor.conf

description "Notify root about ushare respawn limit reached"
author "Roman Yepishev <rtg@rtg.in.ua>"

# This is a short-lived job
task

start on stopped ushare PROCESS=respawn

script
    echo "uShare reached respawn limit" | mail -s "uShared crashed" root
end script

This is another type of Upstream job, a task. It does not keep running forever and once it has finished it will not be respawned. Same thing as setting up the hostname. But what we just did is we created a simple monitoring task that will be executed once ushare reaches stopped state and a special PROCESS variable will have respawn as the reason why the service stopped. And this is all was done using Upstart only.

Disable Upstart task

By default when you install a service in Ubuntu it will be immediately started. Sometimes, however, you might want to start service manually. Upstart has a concept of overrides that basically let you override any stanza in the original job file by creating a job.override file in /etc/init and placing the stanzas here.

For example, I am using LXC for some machines now and these lack tty[2..6]. Actually I don’t need these but getty keeps trying to start on these ttys. It starts and stops pretty slowly so it is not caught by the respawn limit. Disabling a task in Upstart is trivial, you just need to add manual to the stanzas:

1
2

# /etc/init/tty2.override
manual

Yes, it is that easy. Another example when you’d want to use an override file is when you want to use different options on the exec line (you will copy the original exec line and change the options then) or change the start on/stop on conditions.

Starting, stopping and restarting

If the job was converted to upstart, then interacting with it is easy:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

# Getting the info about particular job:
$ sudo status cups
cups start/running, process 1503

# Getting the info about all the jobs
$ sudo initctl list
avahi-daemon start/running, process 1526
cgroup-lite start/running
mountall-net stop/waiting
nmbd start/running, process 1649
qemu-kvm start/running
...

# Stopping a job
$ sudo stop cups
cups stop/waiting

# Starting a job
$ sudo start cups
cups start/running, process 7870

# Ask the job to reload the configuration (SIGHUP)
$ sudo reload ushare

For SysV compatibility, the packages that were converted to upstart ship the symlinks pointing from /etc/init.d/something to /lib/init/upstart-job.

When you run e.g. /etc/init.d/cups restart you will receive an explanation how can you run the upstart job without the compatibility layer:

1
2
3
4
5
6
7
8

Rather than invoking init scripts through /etc/init.d, use the service(8)
utility, e.g. service cups restart

Since the script you are attempting to invoke has been converted to an
Upstart job, you may also use the stop(8) and then start(8) utilities,
e.g. stop cups ; start cups. The restart(8) utility is also available.
cups stop/waiting
cups start/running, process 4028

Cookbook

The Upstart cookbook may look like it is an unnecessary long document but once you start reading it you realise the potential of upstart. I did not want to learn about upstart until I found myself in a need of a startup script that could launch and control my daemon, the whole script ended up having 7 stanzas and I did not even need to handle forking, respawning and privilege dropping in the daemon itself.

Seriously, if you are in doubt, read the Upstart Cookbook. Have fun!

Через 5 років після того, як я отримав свій перший закордонний паспорт, в ньому закінчилися сторінки для віз. Варіантів отримання нового - два, за місцем прописки (м. Бровари, де “немає апаратури”) або міжрегіональний центр видачі паспортів, що в інтернеті відомий як passport-ua.org.

На сайті присутня можливість запису у електронну чергу, але через те, що кількість місць у електронній черзі приблизно 10 на день, то протягом перших секунд восьмої години ранку (коли “відкривається” запис) розбираються всі наявні місця.

Але можна приїхати туди і без запису. Різні джерела свідчать про різні часові проміжки, комусь пощастило приїхати і пройти всі процедури після обіду, хтось приїжджав о сьомій годині ранку і записувався у чергу на вхід (відкривається центр о дев’ятій). Я приїхав о восьмій і був тридцятим у списку на листочку на підвіконні.

Більш логічно було б зробити тільки електронну чергу (наприклад, як в візовому центрі великобританії), майже всі люди, що були в черзі, перед цим намагалися записатися онлайн.

Близько дев’ятої години ми пройшли в середину, отримали номери вже у внутрішній черзі. Через те, що я забув оригінал ідентифікаційного коду, довелося повертатися додому і вдруге їхати у центр, за півтори години прийому документи встигли подати 30 чоловік.

Для отримання паспорту потрібні:

• Оригінал внутрішнього паспорту та 2 копії перших двох сторінок та всіх сторінок з штампами про реєстрацію. Якщо були вклеєні фотокартки у 25 та 45 років, то також потрібні копії сторінок з фотографією та даними про вклеювання.
• Оригінал та копія ідентифікаційного коду на листку A4.
• У разі, якщо попередній паспорт залишається у себе, то також потрібна копія першої сторінки закордонного паспорту.
• Гроші

Після подання документів потрібно оплатити рахунки у місцевому відділенні Комерційного індустріального банку, який за кожну транзакцію стягує 1% але не менше 10₴. Таких транзакцій буде 5, тож до суми треба додати ще 50₴.

Після сплати рахунків треба чекати на свою чергу на фотографування та перевірку даних, ця процедура чомусь займає найбільше часу.

В моєму випадку на це пішло 8 хвилин, після цього через місяць треба прийти та отримати паспорт.

I like to find new ways to use Ubuntu One as easily as possible. I have to admit that the way described in headless Ubuntu One article is not quite reliable since the file is read completely into the memory prior to being transferred. For large files this can be a problem. There are ways to make this work for streaming, but while investigating this I found out that we can use curl for uploads and downloads, without any python wrapper.

Basically,

1
2

 curl -H "Content-Type: text/plain" \
      -T filename `oauth-sign -m PUT -f url http://.../~/Folder/filename`

But in order to make it work this way, you need just a tiny bit of preparation.

First of all, you must know that all Ubuntu One clients do not use your password for authentication, a mechanism called OAuth is used. This means that for every connected device a separate set of credentials is being assigned allowing you to invalidate the access whenever you need and keep the really secret password to yourself.

OAuth is not natively supported by curl but since this is a standard, there are multiple solutions you can use to generate the signed URL as in the example, there are no proprietary extensions or cookie storage.

If you have ruby, installing oauth gem will give you an oauth script. In case you are after the python one, you can grab my implementation from ubuntuone-scripts branch.

First you need to get the tokens, we are using pretty much the same ubuntuone-sso-login.py script I mentioned in the article about the REST client, however in order to make it simpler to pass the arguments to other application, i added the --format (-f) option, which does the following:

1
2
3
4
5
6
7

$ python ubuntuone-sso-login.py --format shell
Ubuntu SSO Login: sso-test-2@rtg.in.ua
Password: 
export OAUTH_CONSUMER_KEY=RwLrAWeWF
export OAUTH_CONSUMER_SECRET=fGztsAJHqfWFirGBwXNhiEinrfqCvDVtEHJ
export OAUTH_TOKEN=HFvMpWiwuOcGOsSSRbkaHZHMARjHZrfYYRa
export OAUTH_TOKEN_SECRET=BjnVKEhQqCaTcHWBEywVGMhlqvtTBzFFeykYC

Copy the lines with export to some shell script file, e.g. ~/.ubuntuone-credentials, we will re-use the names further.

Now create the signed URL with ruby implementation: We are requesting account information, so the URL is https://one.ubuntu.com/api/account/.

1
2
3
4
5
6

$ SIGNED_URL=`oauth --consumer-key $OAUTH_CONSUMER_KEY \
        --consumer-secret $OAUTH_CONSUMER_SECRET \
        --method GET --uri https://one.ubuntu.com/api/account/ \
        --secret $OAUTH_TOKEN_SECRET \
        --token $OAUTH_TOKEN -v -Q sign | grep 'OAuth Request URI:' \
                                    | sed 's/OAuth Request URI: //'`

The weird grep/sed dance is needed to get the URL to the format we will use later, you will not need to do this in python oauth-sign version.

1
2
3
4

$ curl $SIGNED_URL
{"username": "https://login.ubuntu.com/+id/RwLWeWF", "openid":
"https://login.ubuntu.com/+id/RwLWeWF", "last_name": "Roman"
...

Great, it works. Now let’s work with the actual files.

According to the docs the file root is https://files.one.ubuntu.com/ and PUT is being used to upload the files.

Please note the following paragraph in the docs -

Note also that content_paths may not be rooted under the API root, and may change without warning, so they must be read from the API and not hardcoded.

The current way assumes that the content path is /content/~/path/to/volume/path/to/file.txt, this works for now, but may change in the future.

First let’s construct the URL we will be using

1

$ URL=https://files.one.ubuntu.com/content/~/Ubuntu%20One/hello.txt

Now we need to get the signed URL. Let’s use the python version. Since it reads the environment variables, there is no need to specify the token:

1

$ SIGNED_URL=`oauth-sign -f url -m PUT $URL`

Yes, that’s it.

Now create a hello.txt file locally and then upload it with curl, specifying -T makes curl use “PUT” request and transfer the file without buffering it in the memory:

1
2
3
4
5

$ echo "Hello, Ubuntu One" > hello.txt
$ curl -T hello.txt -H "Content-Type: text/plain" $SIGNED_URL

{"kind": "file", "public_url": null, "hash":
"sha1:b50a416c31dbf3620b72cd7841980541805db44e", ...

Great! Now let’s get the file:

1
2

$ curl `oauth-sign -f url $URL`
Hello, Ubuntu One

Please note that I am specifying Content-Type header too. Usually when you ask curl to upload with --data-binary, it sets the Content-Type to application/octet-stream. This is a mandatory header for Ubuntu One servers. In case you omit the header, you will receive an error.

I have some SQL databases of text messages, expenses and a test openfire installation. I upload the backup regularly to Ubuntu One with the following simple script. I put the OAUTH exports to ~/.ubuntuone-credentials file which gets sourced.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39

#!/bin/bash

URL=https://files.one.ubuntu.com/content/~/Ubuntu%20One

source ~/.ubuntuone/credentials

for DB in webapp openfire; do
    RESULT=fridge-$DB.sql.gz

    LOCALFILE=`mktemp /tmp/backup-XXXXXX`

    pg_dump -h localhost -U backup $DB | gzip > $LOCALFILE

    REMOTE=$URL/$RESULT

    SIGNED_URL=`~/bin/oauth-sign -f url -m PUT $REMOTE`

    HEADERS=`mktemp /tmp/headers-XXXXXX`
    OUTPUT=`mktemp /tmp/output-XXXXXX`

    STATUS=`curl --silent --fail --dump-header $HEADERS \
         -T "$LOCALFILE" \
         -H "Content-Type: application/octet-stream" \
         -w '%{http_code}' $SIGNED_URL -o $OUTPUT`
    rv=$?
    if [ "$rv" != "0" -o \( "$STATUS" != "201" -a "$STATUS" != "200" \) ]; then
        echo "Backup of $DB failed!"
        echo "The server replied with:"
        echo
        cat $HEADERS
        echo
        cat $OUTPUT
    fi

    rm $OUTPUT
    rm $HEADERS
    rm $LOCALFILE

done

In order to make a standalone movie, flashplayer.exe was simply concatenated with .SWF file so in order to get .SWF file I simply needed the offsets and end markers (if any).

I wrote a simple application in C that was doing exactly this.

At some point in time my friend Alex asked me to see whether it is possible to recover any data from his hard drive which had the file system table completely overwritten by something and no data recovery software was able to extract anything.

I dumped the image of the whole 20Gb drive and began thinking about the way the data can be recovered if we don’t know where to look.

And so the nxtractor project was born. During next couple of days I was examining the signatures and markers of the most common file types, wrote the scanner that was sufficiently good and extensible.

I did not recover much information from that drive, the data was too fragmented.

This was back in 2003.

Fast forward to today, when SD cards hold the same amount of data as the hard drives of the past, data storage devices are used by music players, phones and cameras.

Now imagine you have deleted all the photos from the camera. What would you do?

1
2
3
4
5

sudo dd if=/dev/mmcblk0p1 of=~/mmcblk0p1.bin
bzr branch lp:~rye/+junk/nxtractor
cd nxtractor
make
./nxtractor ~/mmcblk0p1.bin

Yes, that’s the ideal variant, in some cases you will need to do adjustments to the types.dat file, for example to prevent false positives on TIFF files you comment out the whole type=tiff block. To make sure you are not extracting embedded data in JPEG files, set minsize in type=jpeg to 1000000 which means that it will not consider files that are less than 1Mb to be real jpeg files.

For example, my recent removal of the photos resulted in the following:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

nxtractor ~/mmcblk0p1.bin
Scanning started at Sun Mar 18 13:34:01 2012
@365056: Found magic numbers for jpeg. Size: 1043563
@1413632: Found magic numbers for jpeg. Size: 1249863
@2691584: Found magic numbers for jpeg. Size: 1225140
@3936768: Found magic numbers for jpeg. Size: 726782
@4690432: Found magic numbers for jpeg. Size: 685591
@5378560: Found magic numbers for jpeg. Size: 860730
@6263296: Found magic numbers for jpeg. Size: 712114
@6984192: Found magic numbers for jpeg. Size: 757930
@7770624: Found magic numbers for jpeg. Size: 872590
...
@59707904: Found magic numbers for jpeg. Size: 1775034
Scanning finished at Sun Mar 18 13:34:05 2012
Extraction started at Sun Mar 18 13:34:05 2012
Writing mmcblk0p1.bin.nx/jpeg/365056.jpg (1043563 bytes)
...
Writing mmcblk0p1.bin.nx/jpeg/59707904.jpg (1775034 bytes)
Extraction finished at Sun Mar 18 13:34:05 2012

And I got my files back! Several years after I wrote the software. It’s amazing :)

This software is provided AS IS and I have no plans developing it any more, use at your own risk. For another Open Source data recovery software, see CGSecurity’s TestDisk and PhotoRec.

And please, backup your sensitive data. NOW.

Setting up

Object Storage used to be called “Swift” in RackSpace, so the command I tried to upload the data was called swift. The versions prior to the ones included in Ubuntu Precise (or OpenStack PPA) will not work, they will cause the server to emit Internal Server Error response.

In order not to repeat the credentials on the command line, set the following environment variables

1
2
3

ST_AUTH=https://region-a.geo-1.identity.hpcloudsvc.com:35357/v2.0/
ST_USER=$OS_TENANT_NAME:$OS_USERNAME
ST_KEY=$OS_PASSWORD

Where OS_TENANT_NAME is the name of the tenant as seen on the management web ui and OS_USERNAME in HPCloud is your EMail address. OS_PASSWORD is your HPCloud password. These OS_ variables are actually useful to be set for nova command, in this case OS_AUTH_URL will be equal to the identity service one.

Once you get the vars set up, run swift stat

1
2
3
4
5
6

   Account: 12122100844760
Containers: 3
   Objects: 1
     Bytes: 352116
Accept-Ranges: bytes
X-Trans-Id: txefd92a9c9312434d9892a9c4b272f29e

Uploading

1

$ swift upload -S segment_size_in_bytes bucketname filename.ext

Why do I use the segment size? In ideal world, network connections never drop so all uploads and downloads terminate successfully. In our world there may be some weird hickup right at the last byte and the whole transfer is considered corrupted.

So S3 tools learned to split the original file in blocks of arbitrary sizes and writing manifest file that links to the original ones. In case one of the parts fails to transfer properly, it gets retried, not the whole file. To reconstruct the original file client reads the mainfest and fetches all the parts.

OpenStack has a similar approach, yet a bit different implementation.

I found that swift started eating my CPU like mad, spiking at 130% CPU. It looks like the client (which is based on eventlet.green.httplib) is doing more than it should between the writes. This will need to be looked into - 959221. It took quite some time to start printing anything to the terminal, being impatient I shut it down several times and decided to use nice during the last attempt.

During the last test, the upload speed to Object Storage from Ukraine was around 1.4MBit/s (174kB/s). That’s slow.

Downloading

The instance I was using (Ubuntu 11.10) came with outdated packages so I added the milestone-proposed OpenStack PPA and upgraded swift.

There I issued

1

swift download bucketname filename.ext

and the file started to reassemble locally.

The fastest connection to Object Storage is from the HPCloud itself, but I was not able to get more than 32MBit/s (that’s around 4MiB/s which is slower than my home uplink at the moment). This does not appear to be directly connected with Object Storage, all other connections to outside world are also throttled this way.

I hope this is just because of the beta stage and the attempt to provide reasonable speed for everyone.

Publishing

Yes, OpenStack Object Storage support ACLs on the buckets, so while we are at it, here’s how the bucket can be published:

1

swift put --read-acl .r:* bucketname

Basically, it assigns a read permission for everyone instructs object storage to allow bucket access for any referrer (see ACLs for more info). I haven’t looked into sharing with specific accounts yet.

In order to test the download speed from Object Storage, I put an awesome Big Buck Bunny made with open source tools to such public bucket where it will be available until 2012-04-18 - big_buck_bunny_480p_stereo.ogg, you can test the download speed from your location. For me it is 1.5Mbit/s.

Since HPCloud is located in the US, the data had to travel around the globe, so it impacted the speed. In this case having multiple availability zones (e.g. USA, Europe and Asia) is a must.

Actually I ended up recovering the files on my local machine, however I performed the same steps on the HPCloud instance afterwards. Should I suddenly stop having my local machine, I’d need about 2 instance-hours to get everything I need excluding the initial upload of 4GiB file and subsequent download of the recovered data.

Remote CUPS access

By default CUPS does not listen to the network and does not accept remote configuration. Edit /etc/cups/cupsd.conf to enable:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

# For IPv6
Listen [::]:631
# For IPv4
Listen 0.0.0.0:631

# Restrict access to the server...
<Location />
    Order allow,deny
    Allow @LOCAL
</Location>

<Location /admin>
    Order allow,deny
    Allow @LOCAL
</Location>

# Restrict access to configuration files...
<Location /admin/conf>
    AuthType Default
    Require user @SYSTEM
    Order allow,deny
    Allow @LOCAL
</Location>

@LOCAL expands to the names of all the local interfaces.

The printer is supported by SpliX driver:

1

sudo apt-get install openprinting-ppds printer-driver-splix

Remote scanner access with saned

Install sane-utils and edit /etc/sane.d/saned.conf:

1
2
3
4
5

## Access list
# My local IPv4 network
192.168.1.1/24
# My local IPv6 network
2a01:d0:801a::2/64

Enable daemon startup in /etc/default/saned:

1

RUN=yes

On the client end, the hostname/IP of the server should be added to /etc/sane.d/net.conf

Due to a 773617 the saned user is not added to scanner group, fix this with

1

sudo gpasswd -a saned scanner

And then restart the saned service.

To test whether client can see the saned server, run

1
2

$ scanimage -L
device `net:example.net:xerox_mfp:libusb:001:005' is a SAMSUNG ORION multi-function peripheral

If the client crashes and you haven’t rebooted after you installed sane-utils, unplug/plug in the device for udev rules to be reapplied.

The A record for rtg.in.ua has been temporarily switched over to hpcloud floating IP, will see how it goes. IPv6 connectivity is not available in HPCloud, however based on my website stats, there are 3 unique IPv6 addresses. All of them belong to my subnet, so does not appear to be a great loss.

So far it is only $0.10.

Update

I am pretty new to the EC2-like pricing for the computing nodes. It turns out that the instance-hour EC2 and RackSpace are using is nothing else than a regular hour.

It does not matter whether you are using all your CPU allocation or it idles for days serving static content to your visitors, you will still pay for the time instance is running.

For such simple site as this blog it is clearly an overkill. Now I understand why Jorge Castro switched to S3 to serve his blog.

For everything else requiring some computation power, such services are really great. I suppose I will switch the host back to burst.net VPS even though HPCloud Beta is completely free.

Но сегодня быстрый поиск в гугле привел к посту Славика на сайте магазина Fotos (где, кстати, мы их и купили).

Сегодня отдали с угрозой не возьмешь - выкинем напольные весы Тефаль (модели нет, т.к. без стикера, но на картинке точно они:

Проблема на индикаторе веса значок _| при надавливании пальцами на дисплее что-то по-сегментно отображалось, видимо на него наступили.

Вскрыл, поддев двумя отвертками, разобрал блок индикатора, протер пластиковый токопроводящий “шлейф” между платой и ЖК спиртом, собрал - заработало. (был перекос платы от механического воздействия).

разберите и протрите все контакты. мне помогло

Значит, их все-таки можно разобрать.

Надо снять ножки, вставить какой-то плоский предмет в щель и отогнуть защелку в каждой из ножек.

Вот знакомые цифры:

Эти контакты я почистил, и все снова заработало!

При разборке желательно отщелкнуть все крепления, перевернуть весы и снять верхнюю панель, иначе выпадут пластины с датчиками. В таком случае их нужно вставить назад схемой вверх.

Судя по всему, 114 появляется, если не удается прочитать информацию с датчиков. К сожалению, об этом нет никакой публичной информации.

• Fixed 940803 - switching to left/right workspace is not possible.
• Fixed 939521 - annoying help hint when switching the remaining workspaces.
• 937822 - press F10 in any app and get a menu. I did not know about this “feature” until it broke (should be Shift-F10 only).
• Fixed 934072 - looks like intel-specific, menu shadows appear but not the menu itself.
• Fixed 932906 - HUD is not receiving keyboard input immediately.
• Fixed 925895 - Menus are light instead of being dark, also looks like empathy tooltips are also affected.
• 744812 - Qt applications display labels in bold Ubuntu fonts.

And my wife’s computer has X segfaulting while trying to play the video, 941881.