etbe - Russell Coker

Reading Glasses

About 4 years ago at a routine eye check the optometrist recommended that I get reading glasses. Apparently I’m old enough that my eyes are losing their ability to focus at different distances to having different glasses for close and remote objects (EG reading and driving) is necessary for good vision.

The optometrist asked me the distance that I use for reading and I indicated a distance that is good for books and phones (about 20cm). So I got a pair of glasses that worked well for that but didn’t work well for the vast majority of my close work which is computer monitors. I found that I could use my reading glasses with my laptop when lying in bed if I had the laptop on my chest with the keyboard touching my chin, which is a reasonable position for watching TV but not for much else.

About 2 years ago I had another eye check which determined that the glasses for long distance were good and got reading glasses designed for objects about 80cm away which worked well for monitors and were usable for watching TV.

Recently I accidentally broke my newer pair of reading glasses and discovered that the older pair now works for distances of about a meter. So it appears that I have become significantly more long sighted over the last 4 years.

Wayland

The Wayland protocol [1] is designed to be more secure than X, when X was designed there wasn’t much thought given to the possibility of programs with different access levels displaying on the same desktop. The Xephyr nested X server [2] is good for running an entire session from a remote untrusted host on a local display but isn’t suitable for multiple applications in the same session.

GNOME supported Wayland by default in Debian since the Bullseye release and for KDE support you can install the plasma-workspace-wayland which gives you an option for the session type of KDE Plasma Wayland when you login. For systems which don’t use the KDE Plasma workspace but which have some KDE apps you should install the package qtwayland5 to allow the KDE apps to use the Wayland protocol. See the KDE page of the Debian Wiki [3] for more information.

The Debian Wiki page on Wayland has more useful information [4]. Apparently you have to use gdm instead of sddm to get Wayland for the login prompt.

To get screen sharing working on Wayland (and also to get a system that doesn’t give out error messages) you need to install the pipewire package (see the Pipewire project page for more information [6]).

Daniel Stone gave a great LCA talk about Wayland in 2013 [5].

I have just converted two of my systems to Wayland. It’s pretty uneventful, things seem to work the same way as before. It might be theoretically faster but in practice Xorg was fast enough that there’s not much possibility to appear faster. My aim is to work on Linux desktop security to try and get process isolation similar to what Android does on the PC desktop and on Debian based phones such as the Librem 5. Allowing some protection against graphics based attacks is only the first step towards that goal, but it’s an important step. More blog posts on related topics will follow.

Update: One thing I forgot to mention is that MAC systems need policy changes for Wayland. There are direct changes (allowing background daemons for GPU access to talk to a Wayland server running in a user context instead of an X server in a system context) and indirect changes (having the display server and window manager merged).

More About the Librem 5

I concluded my previous post about the Purism Librem 5 [1] with the phone working as a Debian/GNOME system with SSH access over the LAN. Before I published that post I managed to render it unbootable, making a new computer unbootable on the first day of owning it isn’t uncommon for me. In this case I tried to get SE Linux running on it and changing the kernel commandline parameter “security=apparmor” to “security=selinux” caused it to fail the checksum on kernel parameters and halt the boot. That seems to require a fresh install, it seems possible that I could setup my Librem5 to boot a recovery image from a SD card in such situations but that doesn’t seem to be well documented and I didn’t have any important data to lose. If I do figure out how to recover data by booting from a micro SD card I’ll document it.

Here’s the documentation for reflashing the phone [2], you have to use the “--variant luks” option for the flashing tool to have an encrypted root filesystem (should default to on to match the default shipping configuration). There is an option --skip-cleanup to allow you to use the same image multiple times, but that probably isn’t useful. The image that is available for download today has the latest kernel update that I installed yesterday so it seems that they quickly update the image which makes it convenient to get the latest (dpkg is slow on low power ARM systems). Overall the flash tool is nicely written, does the download and install and instructs you how to get the phone in flashing mode. It is a minor annoyance that the battery has to be removed as part of the flashing process, I will probably end up flashing my phone more often than I want to take the back off the case. A mitigating factor is that the back is well designed and doesn’t appear prone to having it’s plastic tabs breaking off when removed (as has happened to several other phones I’ve owned).

The camera doesn’t seem to work well at this time, all photos have an unusually low brightness. The audio recording also doesn’t work well, speaking clearly into the phone results in quiet recordings.

I updated the Debian Wiki page on Mobile devices [3] to include a link to a page about the Librem5 [4] and to also have a section about applications known to work well on mobile devices. Hopefully other people will make some additions to that as most programs in Debian don’t work well on mobile devices so we need a list of known good applications as well as applications that can be easily changed to work well.

One thing I’ve started looking at is the code for the Geary MUA (the default MUA for the Librem5 and the only one in Debian I know to be suitable for a phone). It needs the Thunderbird style autoconfig and it needs the ability to select which IMAP folders to scan as a common practice is to have some large IMAP folders that aren’t used on mobile devices.

I believe that Android runs each app in a separate UID to prevent them from messing with each other. The configuration on a standard Linux system and on PureOS is to have all apps running with the same permissions, I think this needs to be improved both for phones and for regular Linux systems which will probably benefit more than phones do. I’ll write another blog post about this.

Librem 5 First Impression

I just received the Purism Librem 5 that I paid for years ago (I think it was 2018). The process of getting the basic setup done was typical (choosing keyboard language, connecting to wifi, etc). Then I tried doing things. One thing I did was update to the latest PureOS release which gave me a list of the latest Debian packages installed which is nice.

The first problem I found was the lack of notification when the phone is trying to do something. I’d select to launch an app, nothing would happen, then a few seconds later it would appear. When I go to the PureOS app store and get a list of apps in a category nothing happens for ages (shows a blank list) then it might show actual apps, or it might not. I don’t know what it’s doing, maybe downloading a list of apps, if so it should display how many apps have had their summary data downloaded or how many KB of data have been downloaded so I know if it’s doing something and how long it might take.

Running any of the productivity applications requires a GNOME keyring, I selected a keyring password of a few characters and it gave a warning about having no password (does this mean it took 3 characters to be the same as 0 characters?). Then I couldn’t unlock it later. I tried deleting the key file and creating a new one with a single character password and got the same result. I think that such keyring apps have little benefit, all processes in the session have the same UID and presumable can use ptrace to get data from each other’s memory space. If the keyring program was SETGID and the directory used to store the keyring files was a system directory with execute access only for that group then it might provide some benefit (SETGID means that ptrace is denied). Ptrace is denied for the keyring but relying on a user space prompt for the passphrase to a file that the user can read seems of minimal benefit as a hostile process could read the file and prompt for the passphrase. This is probably more of a Debian issue, and I reproduced the keyring issue with my Debian workstation.

The Librem 5 is a large phone (unusually thick by modern phone standards) and is rumoured to be energy hungry. When I tried charging it from the USB port on my PC (HP ML110 Gen9) the charge level went down. I used the same USB port and USB cable that I use to charge my Huawei Mate 10 Pro every day, so other phones can draw more power from that USB port and cable faster than they use it.

The on-sceen keyboard for the Librem 5 is annoying, it doesn’t have a TAB key and the cursor control keys are unreasonably small. The keyboard used by ConnectBot (the most popular SSH client for Android) is much better, it has it’s own keys for CTRL, ESC, TAB, arrows, HOME, and END in addition to the regular on-screen keyboard. The Librem 5 comes with a terminal app by default which is much more difficult to use than it should be due to the lack of TAB filename completion etc.

The phone has a specified temperature range of 0C to 35C, that’s not great for Australia where even the cooler cities have summer temperatures higher than that. When charging on a fast charger (one that can provide energy faster than the phone uses it) the phone gets quite warm. It feels like more than 10C hotter than the ambient temperature, so I guess I can’t charge it on Monday afternoon when the forecast is 31C! Maybe I should put a USB charger by my fridge with a long enough cable that I can charge a phone that’s inside the fridge, seriously.

Having switches to disable networking is a good security feature and designing the phone with separate components that can’t interfere with each other is good too. There are reports that software fixes will reduce the electricity use which will alleviate the problems with charging and temperature. Most of my problems are clearly software related and therefore things that I can fix (in theory at least – I don’t have unlimited coding time).

Overall this wasn’t the experience I had hoped for after spending something like $700 and waiting about 4 years (so long that I can’t easily find the records of how long and how much money).

Getting It Working

It seems that the PureOS app store app doesn’t work properly. I can visit the app site and then select an app to install which then launches the app store app to do the install, which failed for every app I tried.

Then I tried going to the terminal and running the following:

sudo bash
apt update
apt install openssh-server netcat

So I should be able to use APT to install everything I want and use the PureOS web site as a guide to what is expected to work on the phone.

As an aside the PureOS apt repository appears to be a mirror or rebuild of the Debian/Bullseye arm64 archive without non-free components that they call Byzanteum.

Then I could ssh to my phone via “ssh purism@purism” (after adding an entry to /etc/hosts with the name purism and a static entry in my DHCP configuration to match) and run “sudo bash” to get root. To be able to login to root directly I had to install a ssh key (root is setup to login without password) and run “usermod --expiredate= root” (empty string for expire date) to have direct root logins.

I put the following in /etc/ssh/sshd_config.d/local.conf to restrict who can login (I added the users I want to the sshusers group). It also uses the ClientAlive checks because having sessions break due to IP address changes is really common with mobile devices and we don’t want disconnected sessions taking up memory forever.

AllowGroups sshusers
PasswordAuthentication no

UseDNS no
ClientAliveInterval 60
ClientAliveCountMax 6

Notifications

The GNOME notification system is used for notifications in the phone UI. So if you install the package libnotify-bin you get a utility notify-send that allows sending notifications from shell scripts.

Final Result

Now it basically works as a Debian workstation with a single-button mouse. So I just need to configure it as I would a Debian system and fix bugs along the way. Presumably any bug fixes I get into Debian will appear in PureOS shortly after the next Debian release.

SAGE (ITPA) Spam

In 2008 I joined SAGE (the System Administrators’ Guild of Australia). It was a professional society for people doing sysadmin work (running computer servers). I quit when I found that the level of clue was lower than hoped and that members used the code of ethics as nothing but a way to score points in online debates. After quitting SAGE kept emailing me and wouldn’t respect my request to be removed from all lists so I had to block their mail server.

SAGE has in recent times changed it’s name to ITPA (Information Technology Professionals Association) and is still sending me email. I’ve just sent yet another unsubscribe request.

How many years of sending unwanted email can be caused by incompetence and when should we assume it’s malice? They have been doing this for over a decade now. Even if it’s incompetence, that’s still damning given that it’s incompetence in the main topic of the organisation.

Here is the ITPA Code of Ethics [1], as you can see there is no reference to spam. The nearest seems to be “I will continue to enlarge my understanding of the social and legal issues that arise in computing environments, and I will communicate that understanding to others when appropriate“. So it’s great that they aren’t breaking their own code of ethics :-# but I’d still like them to stop emailing me.

[1] https://www.itpa.org.au/code-of-ethics/

Mouse and Teflon

I had a problem with my mouse. The slippery plastic bits on the bottom weren’t glued on well and came off, which then gave more friction when moving on the desk. After asking advice on a mailing list the best suggestion was Teflon sticky tape. I bought a few meters of such tape (a lifetime supply for mouse repair) and used an 8cm strip on each side of the bottom of my mouse which made it slippery enough.

Ebay seems like a good place to buy that, most of the offers are well below $20 for a reel of tape including postage. One thing to note is that they also sell non-adhesive teflon tape. I made the mistake of investigating the capabilities of teflon tape then buying the cheapest one on offer which turned out to be “plumber’s tape” which doesn’t have adhesive, fortunately it was well below $10. I now have a lifetime supply of plumber’s tape if I can ever find a use for it.

First Flounder Meeting

Based on a comment from my previous post [1] I have named the new FOSS group for Australia and NZ Flounder. Here is the link to the agenda for the first meeting [2].

I am currently using a DNS name in my own domain for the group, but in the near future I’ll move it to somewhere else under a zone I don’t control. My aim is not to have personal control but to create an organisation for the community. But at the moment I’m just doing things in the fastest way possible, I will setup HTTP redirects when I get a better DNS name.

Links Jan 2022

Washington Post has an interesting article on how gender neutral language is developing in different countries [1].

pimaker has an interesting blog post about how they wrote a RISCV CPU emulator to boot a Linux kernel in a pixel shader in the VR Chat platform [2].

ZD has an interesting article about the new Solo Bumblebee platform for writing EBPF programs to run inside the Linux kernel [3]. EBPF is an interesting platform and it’s good to have new tools to help people develop for it.

Big Think has an interesting article about augmented reality suggesting that it could be worse than social media for driving disputes [4]. Some people would want tags of racial status on all people they see.

Vice has an insightful article making the case for 8 hours of work per week [5].

The Guardian has an insightful article about how our attention is being stolen by modern technology [6].

Interesting article about the Ilobleed rootkit that targets the HP ILO server management system [7], it’s apparently designed for persistent attacks as it bypasses the firmware upgrade process and updates only the version number so anyone who thinks that a firmware update will fix it is horribly mislead.

Nick Bostrom wrote an insightful and disturbing article for Aeon titles None of Our Technologies has Managed to Destroy Humanity Yet [8] about the existential risk of new technologies and how they might be mitigated, much of which involves authoritarian governments unlike any we have seen before. As a counterpoint the novel A Deepness in the Sky claims that universal surveillance would be as damaging to the future of a society as planet-buster bombs.

Euronews has an informative article about eco-fascism [9]. The idea that the solution to ecological problems is to have less people in the world and particularly less non-white people is a gateway from green politics to fascism.

The developer of the colors and faker npm libraries (for NodeJS) recently uploaded corrupted versions of those libraries as a protest against companies that use them without paying him [10]. This is the wrong way to approach the issue, but it does demonstrate a serious problem with systems like NPM that allow automatic updates. It gives a better result to just use software packaged by a distribution which has QA checks applied including on security updates.

VentureBeat has an interesting article on the way that AI is taking over jobs [11]. Lots of white collar jobs can be replaced by machine learning systems, we need to plan for the ways this will change the economy.

The Atlantic has an interesting article about tapeworms that infect some ants [12]. The tapeworms make the ants live longer and produce pheromones to make the other ants serve them. This increases the chance that the ants will be eaten by birds which is the next stage in the tapeworm lifecycle.

Australia/NZ Linux Meetings

I am going to start a new Linux focused FOSS online meeting for people in Australia and nearby areas. People can join from anywhere but the aim will be to support people in nearby areas.

To cover the time zone range for Australia this requires a meeting on a weekend, I’m thinking of the first Saturday of the month at 1PM Melbourne/Sydney time, that would be 10AM in WA and 3PM in NZ. We may have corner cases of daylight savings starting and ending on different days, but that shouldn’t be a big deal as I think those times can vary by an hour either way without being too inconvenient for anyone.

Note that I describe the meeting as Linux focused because my plans include having a meeting dedicated to different versions of BSD Unix and a meeting dedicated to the HURD. But those meetings will be mainly for Linux people to learn about other Unix-like OSs.

One focus I want to have for the meetings is hands-on work, live demonstrations, and short highly time relevant talks. There are more lectures on YouTube than anyone could watch in a lifetime (see the Linux.conf.au channel for some good ones [1]). So I want to run events that give benefits that people can’t gain from watching YouTube on their own.

Russell Stuart and I have been kicking around ideas for this for a while. I think that the solution is to just do it. I know that Saturday won’t work for everyone (no day will) but it will work for many people. I am happy to discuss changing the start time by an hour or two if that seems likely to get more people. But I’m not particularly interested in trying to make it convenient for people in Hawaii or India, my idea is for an Australia/NZ focused event. I would be more than happy to share lecture notes etc with people in other countries who run similar events. As an aside I’d be happy to give a talk for an online meeting at a Hawaiian LUG as the timezone is good for me.

Please pencil in 1PM Melbourne time on the 5th of Feb for the first meeting. The meeting requirements will be a PC with good Internet access running a recent web browser and a ssh client for the hands-on stuff. A microphone or webcam is NOT required, any questions you wish to ask can be done with text if that’s what you prefer.

Suggestions for the name of the group are welcome.

[1] https://www.youtube.com/c/linuxconfau/search

SSD Endurance

I previously wrote about the issue of swap potentially breaking SSD [1]. My conclusion was that swap wouldn’t be a problem as no normally operating systems that I run had swap using any significant fraction of total disk writes. In that post the most writes I could see was 128GB written per day on a 120G Intel SSD (writing the entire device once a day).

My post about swap and SSD was based on the assumption that you could get many thousands of writes to the entire device which was incorrect. Here’s a background on the terminology from WD [2]. So in the case of the 120G Intel SSD I was doing over 1 DWPD (Drive Writes Per Day) which is in the middle of the range of SSD capability, Intel doesn’t specify the DWPD or TBW (Tera Bytes Written) for that device.

The most expensive and high end NVMe device sold by my local computer store is the Samsung 980 Pro which has a warranty of 150TBW for the 250G device and 600TBW for the 1TB device [3]. That means that the system which used to have an Intel SSD would have exceeded the warranty in 3 years if it had a 250G device.

My current workstation has been up for just over 7 days and has averaged 110GB written per day. It has some light VM use and the occasional kernel compile, a fairly typical developer workstation. It’s storage is 2*Crucial 1TB NVMe devices in a BTRFS RAID-1, the NVMe devices are the old series of Crucial ones and are rated for 200TBW which means that they can be expected to last for 5 years under the current load. This isn’t a real problem for me as the performance of those devices is lower than I hoped for so I will buy faster ones before they are 5yo anyway.

My home server (and my wife’s workstation) is averaging 325GB per day on the SSDs used for the RAID-1 BTRFS filesystem for root and for most data that is written much (including VMs). The SSDs are 500G Samsung 850 EVOs [4] which are rated at 150TBW which means just over a year of expected lifetime. The SSDs are much more than a year old, I think Samsung stopped selling them more than a year ago. Between the 2 SSDs SMART reports 18 uncorrectable errors and “btrfs device stats” reports 55 errors on one of them. I’m not about to immediately replace them, but it appears that they are well past their prime.

The server which runs my blog (among many other things) is averaging over 1TB written per day. It currently has a RAID-1 of hard drives for all storage but it’s previous incarnation (which probably had about the same amount of writes) had a RAID-1 of “enterprise” SSDs for the most written data. After a few years of running like that (and some time running with someone else’s load before it) the SSDs became extremely slow (sustained writes of 15MB/s) and started getting errors. So that’s a pair of SSDs that were burned out.

Conclusion

The amounts of data being written are steadily increasing. Recent machines with more RAM can decrease storage usage in some situations but that doesn’t compare to the increased use of checksummed and logged filesystems, VMs, databases for local storage, and other things that multiply writes. The amount of writes allowed under warranty isn’t increasing much and there are new technologies for larger SSD storage that decrease the DWPD rating of the underlying hardware.

For the systems I own it seems that they are all going to exceed the rated TBW for the SSDs before I have other reasons to replace them, and they aren’t particularly high usage systems. A mail server for a large number of users would hit it much earlier.

RAID of SSDs is a really good thing. Replacement of SSDs is something that should be planned for and a way of swapping SSDs to less important uses is also good (my parents have some SSDs that are too small for my current use but which work well for them). Another thing to consider is that if you have a server with spare drive bays you could put some extra SSDs in to spread the wear among a larger RAID-10 array. Instead of having a 2*SSD BTRFS RAID-1 for a server you could have 6*SSD to get a 3* longer lifetime than a regular RAID-1 before the SSDs wear out (BTRFS supports this sort of thing).

Based on these calculations and the small number of errors I’ve seen on my home server I’ll add a 480G SSD I have lying around to the array to spread the load and keep it running for a while longer.

etbe – Russell Coker

Archives

Categories

Reading Glasses

Wayland

More About the Librem 5

Librem 5 First Impression

Getting It Working

Notifications

Final Result

SAGE (ITPA) Spam

Mouse and Teflon

First Flounder Meeting

Links Jan 2022

Australia/NZ Linux Meetings

SSD Endurance

Conclusion

Archives

Email and RSS

Archives

Categories

Tags

Getting It Working

Notifications

Final Result

Conclusion

Archives

Email and RSS