Dev, Manage, Deploy

...and things in between...

Tracking redmine ticket overview with munin


I got frustrated with the overview over time that the graphing plugins for Redmine gave me. The ones I tried only showed a growing curve of added tickets; they didn't show any progress or positive feedback.

I wanted the positive feedback, so I created a quick script which fetches the Atom ticket list, parses it and counts the tickets per status:

Just add it to the munin plugin folder and it will "just" work. It would be possible to adjust it a bit so the URL comes from the munin plugin config.
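A shell version of such a plugin, added here as an example and not the author's script; it assumes Redmine's "Tracker #id (Status): subject" entry-title format and takes the feed URL from the plugin config as env.feed_url (the default URL below is a placeholder):

```shell
#!/bin/sh
# Added example, not the author's script: a Munin plugin that counts Redmine
# tickets per status from an Atom issue feed. Assumed: entry titles follow
# Redmine's "Tracker #id (Status): subject" form and the feed URL is supplied
# by the plugin config as env.feed_url (the default below is a placeholder).
FEED_URL=${feed_url:-http://redmine.example.com/issues.atom?key=PLACEHOLDER_API_KEY}

# Extract the "(Status)" part of every <title>. Reading with '>' as the record
# separator works whether or not the XML is pretty-printed, and only title
# elements are inspected, so text in issue descriptions cannot add fake statuses.
extract_statuses() {
    awk 'BEGIN { RS = ">" }
         /<\/title$/ && match($0, /#[0-9]+ \([^)]*\):/) {
             s = substr($0, RSTART, RLENGTH)
             sub(/^#[0-9]+ \(/, "", s); sub(/\):$/, "", s)
             print s
         }'
}

# stdin: Atom XML; stdout: "<count> <status>" lines sorted by status name.
count_by_status() {
    extract_statuses | sort | uniq -c | sed 's/^ *//'
}

# Munin field names may only contain [a-zA-Z0-9_]: "In Progress" -> in_progress.
to_field() {
    printf '%s' "$1" | tr 'A-Z ' 'a-z_' | tr -cd 'a-z0-9_'
}

# $1 is "config" or "fetch"; the feed is read from stdin.
emit() {
    count_by_status | while read -r n status; do
        f=$(to_field "$status")
        if [ "$1" = config ]; then echo "$f.label $status"; else echo "$f.value $n"; fi
    done
}

# Munin runs the plugin by its installed name, e.g. /etc/munin/plugins/redmine_tickets.
if [ "${0##*/}" = redmine_tickets ]; then
    if [ "${1:-}" = config ]; then
        printf 'graph_title Redmine tickets by status\ngraph_vlabel tickets\ngraph_category redmine\n'
        curl -fsS "$FEED_URL" | emit config
    else
        curl -fsS "$FEED_URL" | emit fetch
    fi
fi
```

Statuses absent from the feed produce no field, so the graph only tracks statuses that currently appear in the feed.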

Filed under munin redmine php

Logging incoming udp-messages with node.js

Last week, I realized I needed a quick way to set up logging of incoming UDP messages. My first idea was using netcat, which is kind of a Swiss army knife when it comes to network data. It worked, but mostly for small scale.

$ nc -l -u -p 4711 >> udp-stream.log

This makes netcat listen on port 4711 and append the output to the log file. However, after each connection the daemon is closed and needs to be restarted. Not very practical. The demo scenario was going to include somewhere around 300-500 messages per minute.

Node.js eventually caught my attention, since it's mentioned in at least two articles on the front page of HN each day. I decided to try to set it up for logging UDP messages and appending them to a file. Some googling turned up the node.js documentation with a really good example, http://nodejs.org/docs/v0.3.1/api/dgram.html#dgram.bind.

The code for it is available on github, it's really simple: https://gist.github.com/1406283

Easily tested by using netcat to send a UDP message:

$ echo "test" | nc -u server.hostname 4711

Even though I copied and pasted most of the code, it was a nice experience. Since my JavaScript is more or less fluent, I won't hesitate to use node.js in the future.

Filed under node.js udp network

Google chrome segfaults after upgrade on debian stable

GAH! Frustration. Google Chrome, my trustworthy everyday companion, stopped working today. Segfaulted.

It happened after a reboot; it might have been that I hadn't restarted Chrome for a week or two or something like that. The battery went dead, which forced a hard reboot. After boot, Chrome segfaulted, likely because the version got updated (not entirely sure yet).

I realized that there was a release today in the stable update channel, and figured I might as well try to upgrade to that one (15.0.874.120); the version I had was probably a week or two old. But, no change. I checked the apt cache and noticed I had google-chrome-stable_15.0.874.106-r107270_i386.deb in there, so I tried to revert to that. No change.

After some googling, I came across this post which seems to indicate a similar problem, and it hinted at checking dmesg. Dmesg tells me it's a segfault in libGL:

[  504.112676] chrome[9171]: segfault at 4 ip a841729c sp b1498600 error 4 in libGL.so.1.2[a83aa000+b4000]

I checked my version of libgl1-mesa-glx, and that was 7.7.1-5. I added backports for squeeze and installed 7.10.3-4~bpo60+1. No change though, same segmentation fault.

I did some attempts with strace, but it's mostly useless (for me) and shows no obvious place where it happens.

I even tried the beta channel of Google Chrome (16.0.912.32-r108990 now), but the same error is still there.

Not really sure where to go from here; Firefox feels like a downgrade when you're used to Chrome, imho. :)

Any hints?

Init.d-script for StatsD and Debian

I just deployed StatsD together with Graphite and Carbon according to http://codeascraft.etsy.com/2011/02/15/measure-anything-measure-everything/.

Seems to work nicely so far, haven't fine-tuned it much yet though. However, I didn't find a decent init script for StatsD and Debian, so I modified one for RHEL found at https://gist.github.com/1071989 into this Debianized one: https://gist.github.com/1326359. I guess it would also work with Ubuntu with minor tweaks (if any).

Filed under statsd graphite debian

RFC: Chrooted ssh account with lamp-webhosting

I've been running LAMP setups for the last 12 years or so, but security has always been a big concern. User convenience, simplicity and accessibility have also been big concerns, so security features and a locked-down system can not decrease any of these key points.

This is still a draft and needs to be updated. Consider it a work in progress.

The setup below is continuous work and will probably be modified, but it should be considered a request-for-comments document. There will likely be lots of improvements possible, and it might even contain security holes that I haven't thought about yet.

I expect to keep the following services:

 - ssh/scp/sftp access

 - apache

 - mysql database

 - php

 - outgoing emails

 - use of subversion and git through ssh

 - possibly memcached (to be added later)

Common attack scenarios are:

 - sql injections

 - execution of arbitrary PHP code

Goals:

 - Limit successful attacks to a single user account

 - Limit successful attacks so they can not cause much harm to the affected user

First and foremost - ssh/scp/sftp

Allow users to ssh and scp into their chrooted home directory. They should still be able to use most things locally in there, like subversion and git, and also access their web log files. Uploading should be done with scp or, preferably, managed with some version control system.

I found this script which sets up a chroot jail where users are sent after a successful scp or ssh login. Seems to work reasonably well.

http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/

My biggest worry with it is that it's really old. :)

My $APPS-list in it is:

/usr/bin/git-* /bin/chmod /usr/bin/git /usr/bin/file /bin/nc /usr/bin/giftopnm /usr/bin/jpegtopnm /usr/bin/bmptoppm /usr/bin/pnmscale /usr/bin/ppmtojpeg /usr/bin/ppmquant /usr/bin/ppmtogif /usr/bin/pngtopnm /usr/bin/pnmtopng /usr/bin/tail /usr/bin/php /bin/cat /usr/bin/crontab /usr/bin/svnadmin /usr/bin/grep /usr/bin/ssh-keygen /bin/nano /bin/hostname /usr/bin/svn /bin/bash /bin/cp /usr/bin/dircolors /bin/ls /bin/mkdir /bin/mv /bin/rm /bin/rmdir /bin/sh /bin/su /usr/bin/groups /usr/bin/id /usr/bin/rsync /usr/bin/ssh /usr/bin/scp /sbin/unix_chkpwd

This locks users into a "fake" system chroot in /home/jail/. Right now I run multiple users in the same /home/jail; they have separate home directories in /home/jail/home/user but share the binaries.

The user-row in /etc/passwd looks like:

user-name:x:1032:1032::/home/jail/home/user-name:/bin/chroot-shell

And this is added to the /etc/sshd_config:

Match Group webuser
ChrootDirectory /home/jail/
AllowTCPForwarding no
X11Forwarding no

Running apache as the real user

I've been thinking a lot about which option is the best. Now I'm running apache as the real user, within the chroot, with the help of the mpm-itk module for apache.

This is an example of the virtualhost used. Apache is running as the real jailed user, and the document root is set as below.

<VirtualHost 127.0.0.1>
    ServerName hostname.domain
    DocumentRoot /home/jail/home/user-name/www/
    AssignUserID user-name user-name
    php_value mysql.default_user db-user-name
    php_value mysql.default_password db-password
    php_value mysql.default_host localhost

    php_admin_value open_basedir /home/jail/home/user-name/
    php_admin_value upload_tmp_dir /home/jail/home/user-name/tmp/
    php_admin_value session.save_path /home/jail/home/user-name/tmp/
</VirtualHost>

The virtualhost config file can be owned by, and only readable by, root, which means the user can access the environment variables in PHP with the getenv() function. This is good, since the user doesn't need to store the database username and password in their home directory, making it a little bit more protected.

Read more about mpm itk at http://mpm-itk.sesse.net/

Using suhosin to limit PHP

Some things in PHP have such sharp edges that users are more or less expected to make mistakes with them; therefore, I've been disabling the following functions:

suhosin.executor.func.blacklist = "register_globals, enable_dl, show_source, system, shell_exec, passthru, exec, popen, proc_open, allow_url_fopen"

TODO:
 - Lots of documentation and clarifications to make
 - Add some example code to verify that it's not possible to escape the jail. Would be nice with a thorough test suite.
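Two checks such a test suite could start with, added here as an example and not part of the original post: the ownership and mode requirements sshd enforces on the ChrootDirectory path, and a sweep for setuid/setgid files inside the jail. It assumes GNU stat; the expected-owner argument exists only so the function can be exercised on a non-root test tree.

```shell
#!/bin/sh
# Added example, not part of the original post: two checks for the /home/jail
# layout above. sshd rejects a ChrootDirectory ("bad ownership or modes for
# chroot directory") unless the jail root and every parent are root-owned and
# not group/other writable, and setuid/setgid binaries copied into a shared
# jail (from the $APPS list, su is setuid root and unix_chkpwd is setgid shadow
# on Debian) are the classic way out of one, so both conditions are reported.

# Print "<path>: <problem>" for each component from JAIL up to / that sshd would
# reject; exit status 1 if anything was found. $2 is the expected owner, root on
# a real system, overridable so the check can be exercised on a test tree.
bad_chroot_components() {
    jail=$1 owner=${2:-root} rc=0
    p=$(cd "$jail" && pwd -P) || { echo "$jail: not a directory"; return 1; }
    while :; do
        set -- $(stat -c '%U %a' "$p")                 # GNU stat: owner, octal mode
        [ "$1" = "$owner" ] || { echo "$p: owned by $1, expected $owner"; rc=1; }
        [ $(( 0$2 & 022 )) -eq 0 ] || { echo "$p: writable by group/other (mode $2)"; rc=1; }
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    return $rc
}

# List regular files inside the jail that carry the setuid or setgid bit.
setuid_in_jail() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \)
}

if [ -n "${1:-}" ]; then
    bad_chroot_components "$1"
    setuid_in_jail "$1"
fi
```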

If you see problems somewhere, see possible improvements, or have questions, leave a message.

Using rdiff for small mysqldumps

I've been pursuing the idea of using rdiff or something similar to manage SQL dumps more effectively. We have a bunch of customers with the need, and the requirement, to store backups going a long time back.

As I like to keep things simple, using this wrapper together with Amazon S3 for storage seems simple and fairly robust. It's still in an early stage and things might need adjustments, but it's kept simple so hopefully there shouldn't be much; it needs more testing though.

A quick and simple test shows the following: on a test database, a full SQL dump is 1.3GB, gzipped it's around 176MB. See below, with an example patch created:

drwxr-xr-x   3 eric eric 4,0K 10 okt 23.30 .
drwxr-xr-x 175 eric eric  12K  8 okt 20.22 ..
-rw-r--r--   1 eric eric 7,6M 10 okt 23.06 full_20111010_230629.signature
-rw-r--r--   1 eric eric 1,3G 10 okt 23.06 full_20111010_230629.sql
-rw-r--r--   1 eric eric   11 10 okt 23.30 patch_20111010_233033_to_full_20111010_230629.rdiff
-rwxr-xr-x   1 eric eric 2,9K 10 okt 22.53 rdiff_mysqldump
-rw-r--r--   1 eric eric   21 10 okt 23.06 .rdiff_mysqldump_lastbase
-rw-r--r--   1 eric eric    2 10 okt 23.30 .rdiff_patches_since_full
-rw-r--r--   1 eric eric 1,1K 10 okt 23.11 README

The rdiff patch file came to 11 bytes on this one. Not much, but not really a fair comparison either, since it's no more than 2 hours of changes. Will redo it on a later backup to see the differences better.
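A full-plus-patch cycle with a verified restore, added here as an example and not the wrapper's own code; it assumes librsync's rdiff is on the path and follows the post's layout, where every patch is made against the last full dump:

```shell
#!/bin/sh
# Added example, not the rdiff_mysqldump wrapper itself: one full-plus-patch
# cycle with librsync's rdiff in the layout the post uses (each patch is made
# against the last full dump, not chained), finishing with a restore that is
# compared byte for byte with the dump it should reproduce. That comparison is
# the check worth running before relying on the patches for long-term backups.
# Usage: rdiff_cycle FULL_DUMP NEW_DUMP WORKDIR   (exit status 1 on any failure)
rdiff_cycle() {
    full=$1 new=$2 dir=$3
    rdiff signature "$full" "$dir/full.signature" || return 1   # kept beside the full dump
    rdiff delta "$dir/full.signature" "$new" "$dir/patch.rdiff" || return 1
    rdiff patch "$full" "$dir/patch.rdiff" "$dir/restored.sql" || return 1
    cmp -s "$new" "$dir/restored.sql" || { echo "restored dump differs from $new" >&2; return 1; }
    echo "patch: $(wc -c < "$dir/patch.rdiff") bytes, dump: $(wc -c < "$new") bytes"
}

if [ $# -eq 3 ]; then
    rdiff_cycle "$1" "$2" "$3"
fi
```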

Get the source at github: https://github.com/perssontm/rdiff_mysqldump

Good quick examples of rdiff can be found at http://beerpla.net/2008/05/12/a-better-diff-or-what-to-do-when-gnu-diff-runs-out-of-memory-diff-memory-exhausted/ 

I also came across this post, which is an attempt to shorten the lock time when dumping sqlite databases, made possible thanks to rdiff's signatures. Quite interesting: http://ts1-en.blogspot.com/2009/06/backup-sqlite-database-with-rdiff.html

Realtime stats with google analytics

Google launched the realtime stats in Analytics in beta a few weeks ago. I quickly signed up and after a few days got the confirmation email. Great!

My biggest issue with Analytics has often been the terribly long delay from the visit to the site until it shows up in the statistics. Especially when creating funnels, goals and other more specialized tracking stuff, debugging has been extremely lengthy and time-consuming, since I usually had to wait to verify it was working.

Will realtime solve that? No, as far as it looks now, nope. It includes the nice sub-options Overview, Locations, Traffic sources and Content. I would have liked to see goals and funnels. Imagine the possibility to see in realtime how people enter and exit your funnels; that would have been fantastic.

Is it any good then? Well, the live view of content pages is really nice, but it's mostly neat for getting away from using yet another service for the realtime stuff than anything else.

Although, I hope they'll improve it shortly.

Update 1: These are the results after a few minutes of putting up this post, a worldwide spread of 10 visitors. :)

Bring cookies from the web to my DVD

DVD is an annoying media format, filled with barriers, obstacles and annoyances towards the end user. The DVD player constantly tells you what you can and can not do; if you feel like fast forwarding through the "please do not pirate this movie" text, you're immediately shown a stop sign. Even though you bought it, you can't fast forward. It's fair to assume that pirated material doesn't have this text left in it, so it likely gives a higher and much better user experience, where the customer is in charge.

I wonder if there's a move somewhere in the industry trying to get rid of this; likely not, since it seems to get worse for each movie I buy.

Putting on a DVD for your kid needs 6 clicks on the remote and somewhere between 10-30 secs of wait between each, all because WB feel the need to spin their logo in my face and tell me that others pirate their movies. Oh, btw, that's a good idea, maybe I'll do that next time.

I would pay double for a DVD that let me skip this junk, or double for the movie that just consisted of the movie. Or at least, give me some sort of "DVD player version of cookies" so we only have to see this junk once, at least once per player.

Is Blu-ray any better perhaps?

Filed under dvd cookies

Multiple incognito windows in Chrome… I wish…

Today I realized by coincidence that cookies between incognito windows are shared. I didn't think about this before; I just assumed that a newly opened incognito window from the main window was a fresh one. It turns out not to be.

A quick Google search shows that it's not just me; several others came across this a long time ago. There's even a bug filed for it, although the status WontFix is not very optimistic, see issue 24690.

Some of the comments on the issue refer to the multiple-profile work that's being done instead. It looks like a good idea, but seems to need some preparation before use. I'll definitely try this in the near future.

See the user dropdown in the right corner of the window.

Filed under browser