putting HTML codes and other special characters into a blog entry

June 10, 2007 | etbe

I often want to write blog posts about HTML code and about source code in various languages. One problem I have is that the characters I want to use have special meanings (EG < and >), another is that I indent source code to make it readable and I don’t want the spaces trimmed from the start of lines.

I initially wrote a simple Perl script to replace characters such as < with HTML codes. I then had to extend it to escaping quote characters because WordPress tries to get smart and change quotes in a way that might look nice when dealing with plain text, but is just a pain when dealing with code.

The next problem I had is that when I used the <PRE> tag around some text to preserve the white-space WordPress would double-space the text (IE insert a blank line between every two lines of code). This was annoying when reading it and in some situations would change the meaning of the code! The solution I have found to these problems is to use the below script and not use the <PRE> tag. Also I tried using the <CODE> tag, but it made no difference to the end result as far as I could see.

The below script is what I am currently using. It is working well with shell scripts, HTML, and XML so far.

Update: The way that -- is munged by WordPress to — is something that I find particularly annoying. I already had this in the script but forgot to mention it in the post.
Continue reading →

configuring a Heartbeat service

June 9, 2007 | etbe

In my last post about Heartbeat I gave an example of a script to start and stop a cluster service. In that post I omitted to mention that the script goes in the directory /usr/lib/ocf/resource.d/heartbeat.

To actually use the script you need to write some XML configuration to tell Heartbeat which parameters should be passed to it via environment variables and which nodes may be candidates to run it.

In the below example the type of web means that the script /usr/lib/ocf/resource.d/heartbeat/web will be called to do the work. The id attributes are all arbitrary, but you want to decide on some sort of consistent naming scheme. I have decided to name web server instances web-X where X is the IP address used for providing the service.

The nvpair element contains a configuration option that will be passed to the script as an environment variable. The name of ip means that the environment variable will be named OCF_RESKEY_ip. Naming of such variables is arbitrary and a script may take many variables. A well written script (which incidentally does not mean my previous blog post) will have an option meta-data to give XML output describing all the variables that it accepts. An example of this can be seen by the command /usr/lib/ocf/resource.d/heartbeat/IPaddr2 meta-data.

In the XML the resources section (as specified by --obj_type resources on the cibadmin command-line) describes resources that the Heartbeat system will run. The constraints section specifies a set of rules that determine where they will run. If the symmetric-cluster attribute in the cluster_property_set is set to true then resources will be permitted to run anywhere, if it is set to false then a resource will not run anywhere unless there is a constraint specifying that it should do so – which means that there must be at least one constraint rule for every resource that is permitted to run.

In the below example I have constraint rules for the service giving node-0 and node-1 a priority of 9000 for running the service.

In a future post I will describe the cluster_property_set and how it affects calculations of where resources should run.
Continue reading →

Heartbeat service scripts

June 8, 2007 | etbe

A service script for Heartbeat needs to support at least three operations, start, stop, and status. The operations will return 0 on success, 7 on failure (which in the case of the monitor script means that the service is not running) and any other value to indicate that something has gone wrong.

In the second half of this post (not in the feed) I have included an example service script. It is a very brief script and does not support some of the optional parameters (monitor, validate-all, and meta-data). So this script is not of a quality that would be accepted for inclusion in a Heartbeat release but is adequate to demonstrate the concepts.

The XML configuration for a service can have an arbitrary set of name-value pairs, and they are passed to the script as environment variables. For example the below script expects that the XML configuration item named ip will have the IP address used by the service, my script receives this as a variable named OCF_RESKEY_ip. My script doesn’t use the address, it merely allows it to be inherited by the IPaddr2 script (which is part of the Heartbeat distribution) and that script assigns the address to an Ethernet interface.

The script is for testing Heartbeat, it mounts a filesystem and starts Apache (which is configured to serve web pages from the filesystem in question on the IP address supplied by the ip parameter).

For test purposes the script looks for a file named /root/fail, if this file exists then the status check will always abort. An aborting status script means that Heartbeat can not be certain that the node in question has released all resources that it was using for the service. This means that Heartbeat will have to kill the node via the STONITH service. Such test scripts are the only way to test that STONITH works, and I believe that it’s a necessary part of pre-production testing of a Heartbeat cluster.

Update: Made it display error messages in all cases and also reformatted it for better cut/paste.
Continue reading →

Another Heartbeat 2.0 STONITH example configuration

May 30, 2007 | etbe

In a Heartbeat cluster installation it may not be possible to have one STONITH device be used to reboot all nodes. To support this it is possible to have multiple STONITH devices configured that will each be used to reboot different nodes in the cluster. In the following code section there is an example of how to configure STONITH for two separate ssh instances. Of course this is not useful apart from as an example of how to configure STONITH. It would be quite easy to change one of those ssh configuration entries to use IPMI or some more effective method of managing machines. My previous post on this topic has an example of a simpler ssh STONITH configuration.

It is convenient that the ssh method for rebooting nodes is available both as a shared object (which is used by the following example XML) and as a shell script (type external/ssh). The shell script can be used to give the same functionality as the shared object (with reduced performance) but the benefit is as an example of how to write external plugins. For a client I have just written an IPMI module that works with machines that have two Ethernet ports. When a server has two Ethernet ports you want to send an IPMI reset command to both of them in case the failure which requires a STONITH was triggered by a broken Ethernet cable. Unfortunately I can’t release the IPMI code at this time

Continue reading →

Heartbeat version 2.0 CIB STONITH example configuration

May 29, 2007 | etbe

Below is a sample script to configure the ssh STONITH agent for the Heartbeat system. STONITH will reboot nodes when things go wrong to restore the integrity of the cluster.

The STONITH test program supports the -n option to list parameters and the -l option to list nodes. The following is an example of using it with the ssh agent:
# stonith -t ssh -n hostlist # stonith -t ssh hostlist="node-0 node-1" -l node-0 node-1

The hostlist tuple is the only configuration option for ssh. It is assumed that you have passwordless ssh logins allowed between root on all the nodes in the cluster so the host name list is all that’s needed.

The important thing to note about the constraint is that you are constraining the parent of the clones (which in this example has an ID of “DoFencing“) not a clone instance.

ssh is the simplest and in many ways least useful method of STONITH, but it’s good for an example as everyone knows it. Once you get ssh going it’ll be trivial to get the other methods working.

See below for the script to insert the XML in the CIB.
Continue reading →

paypal – are they trustworthy now?

May 28, 2007 | etbe

Having read paypalsucks.com I am concerned about the safety of my money if I was to chose to do business with them. However there are many ways of making money by using them.

Does Paypal still suck? If so are there any other better options? The merchantinc.com recommended by paypalsucks.com seems to only cater for business customers.

New Blogs

May 28, 2007 | etbe

After reading advice from ProBlogger I have become convinced that I should create separate blogs for some of the content that is currently on my blog. The first such blog that I will create will be about computer security. Naturally it will cover SE Linux to some degree, but the exact focus is something I have not yet determined.

Here are the options I’m considering:

The exact topic to be covered, computer security is a broad area, choosing which sub-topics to focus on and which users to present it to is a difficult task.
The length of the articles, this will to some degree depend on the posting frequency. If I am going to post 4+ times per week then most of the posts would be small. But for one or two posts per week I could make them 1000+ word posts.
The mix of news, educational material, and background information. I think that all of these areas are important, and to some extent the mix will depend on what news happens and what technologies I am involved in developing, testing, and using. But I will have a plan as to what to present and on days when there is little news and I have not worked on anything exciting I will find new material to write about based on the plan.
The use of code snippets in a blog? It’s easy to split the post and have the feed not include the source code, would that be of interest or would you rather have the complete post in the feed for offline reading?

Also if you have any other suggestions for blogs that you would read if I was to write them then plese send them in via a blog comment or email.

SE Linux shirts for sale!

May 23, 2007 | etbe

Faye and I have created Cafepress stores selling shirts and other things with SE Linux logos, here are the two designs:

Play Machine

SE Linux MLS

There are shirts, coffee mugs, mouse-mats, and other things. The designs feature a graphical representation of MLS security and a variety of text about SE Linux. There are also some baby shirts etc.

If you have any ideas for other SE Linux shirts then please let me know by private mail. I’ll give a free shirt to anyone who has an idea that I implement.

SE Linux in Debian

May 18, 2007 | etbe

I have now got a Debian Xen domU running the strict SE Linux policy that can boot in enforcing mode. I expect that tomorrow I will have it working with full functionality and that I will be able to run another SE Linux Play Machine in the near future.

After getting the strict policy working I want to build a Debian kernel with CONFIG_AUDITSYSCALL and an audit package so that I can audit system calls that an application makes and also so that the auditd can collect the SE Linux log messages. Other people have talked about packaging audit for Debian, hopefully one of them will do it first and save me the effort, but it shouldn’t be too difficult to do if they don’t.

Then I need to investigate some options for training people about SE Linux. As I don’t currently have the bandwidth for serving large files I’m thinking of basing some SE Linux training on Xen images from the jailtime.org repository. My rough plan at the moment is to have people download Xen images, run through them while consulting a web page, and ask questions on an IRC channel. I’m not sure what the demand will be for this but some web pages teaching people about SE Linux will be a useful resource even if the IRC based training doesn’t work out.

Another thing I want to do is to get PolyInstantiated Directories working in Debian. The pam_namespace.so module needed for this is written for a more recent version of PAM, so I might just work on merging the Debian patches with the latest upstream PAM instead of back-porting the module to the ancient Debian PAM.

PC prices drop again!

May 18, 2007 | etbe

A few weeks ago Dell advertised new laptops for $849AU, this was a significant development but I didn’t get around to blogging about it. Now I have just discovered that they have a special deal for $799AU for a laptop including delivery! This is an amazing deal and gives you an AMD Sempron 3500 CPU (not a really fast CPU and only 32bit, but it’s faster than the 1.7GHz Pentium-M that is currently satisfying all my requirements for portable computing), 512M of RAM, an 80G hard drive and a 1280×800 display.

It’s far from a high-end laptop (having a lower screen resolution and less RAM than my 3yo Thinkpad) but it will suffice for most things you might want to do on the move apart from running Xen.

The exciting thing about this is that as it’s so cheap that most people will probably choose it in preference to a desktop system – the cheapest desktop system that Dell currently offers as a package is $898. The cheap desktop has a dual-core Athlon64, 1G of RAM, and a 160G hard drive. But for most tasks other than games such things aren’t really required.

Also a local PC company Suntrom has advertised a new Lenovo Thinkpad with a Celeron-M 1.5GHz, 256M of RAM, 1024×768 display, and a 40G hard drive for $799. The Thinkpad has considerably less compute power than the Dell laptop, but it is a bit cheaper. If Lenovo has maintained the Thinkpad quality (while IBM owned the brand Thinkpad was the Rolls-Royce of laptops) then it would probably be the better choice.

On many occasions I have heard people say that they want a laptop computer to save space. When a desktop machine cost $1200 and a laptop cost $3500 that idea was ridiculous. But now that a laptop appears to be the cheapest system in the Dell range on sale in Australia that would be quite a reasonable criteria for purchases. Of course the extra sales of laptops will help fund further laptop technology developments (such as flash storage) that will be of use to those of us who are serious about computing and use laptops they way that they were intended.

etbe – Russell Coker

Linux, politics, and other interesting things