
pterjan's diary


  Tuning systemd services

Recently my tor relay started crashing daily. I found out it was because the usage increased (approaching 10MB/s) and every night when logrotate asked it to reload, it failed with:

[May 30 04:02:01.000 [notice] Received reload signal (hup). Reloading config and resetting internal state.
May 30 04:02:01.000 [warn] Could not open "/etc/tor/torrc": Too many open files
May 30 04:02:01.000 [warn] Unable to open configuration file "/etc/tor/torrc".
May 30 04:02:01.000 [err] Reading config failed--see warnings above. For usage, try -h.
May 30 04:02:01.000 [warn] Restart failed (config error?). Exiting.
May 30 04:02:01.000 [warn] Couldn't open "/var/lib/tor/state.tmp" (/var/lib/tor/state) for writing: Too many open files

The problem comes from LimitNOFILE=4096 in the service file, and I had no idea how to fix it cleanly.

fcrozat gave me the answer which I'll summarize as:

mkdir /etc/systemd/system/tor.service.d/
printf '[Service]\nLimitNOFILE=16384\n' > /etc/systemd/system/tor.service.d/limit.conf
systemctl daemon-reload
service tor restart
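Before raising the limit it helps to know how close the service actually is to it. The following Ruby script is an added example (not from the post): it parses the "Max open files" row of /proc/<pid>/limits and counts the entries in /proc/<pid>/fd, so it only runs on Linux; the unit name and the 80% warning threshold are assumptions.

```ruby
require 'open3'

# Matches the "Max open files" row of /proc/<pid>/limits: soft and hard values.
MAX_OPEN_FILES_RE = /^Max open files\s+(\d+|unlimited)\s+(\d+|unlimited)/

# Parse /proc/<pid>/limits text into [soft, hard] (Float::INFINITY for "unlimited").
def parse_max_open_files(limits_text)
  m = MAX_OPEN_FILES_RE.match(limits_text)
  raise ArgumentError, "no 'Max open files' row in limits text" unless m
  m.captures.map { |v| v == "unlimited" ? Float::INFINITY : v.to_i }
end

# Percentage of the soft limit in use, rounded to one decimal (0.0 when unlimited).
def fd_usage_percent(used, soft)
  return 0.0 if soft.is_a?(Float) && soft.infinite?
  (100.0 * used / soft).round(1)
end

# Live check for a pid on Linux: entries in /proc/<pid>/fd against the process limit.
def fd_pressure(pid)
  soft, hard = parse_max_open_files(File.read("/proc/#{pid}/limits"))
  used = Dir.children("/proc/#{pid}/fd").size
  { used: used, soft: soft, hard: hard, percent: fd_usage_percent(used, soft) }
end

# Main PID of a systemd unit, via `systemctl show -p MainPID --value <unit>`.
def unit_main_pid(unit)
  out, status = Open3.capture2("systemctl", "show", "-p", "MainPID", "--value", unit)
  pid = out.strip.to_i
  raise "#{unit}: no running main process" unless status.success? && pid > 0
  pid
end

# Constructed sample of a /proc/<pid>/limits excerpt with the 4096 limit from the post.
SAMPLE_LIMITS = <<~LIMITS
  Limit                     Soft Limit           Hard Limit           Units
  Max processes             127000               127000               processes
  Max open files            4096                 4096                 files
LIMITS

if __FILE__ == $0 && ARGV[0]          # e.g. ruby fdcheck.rb tor.service
  p = fd_pressure(unit_main_pid(ARGV[0]))
  status = p[:percent] >= 80 ? "WARNING" : "ok"
  puts "#{ARGV[0]}: #{p[:used]}/#{p[:soft]} fds (#{p[:percent]}%) #{status}"
end
```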



I saw a link to OpenLibernet and after reading their FAQ I believed there was a fundamental problem. I quickly read the full paper but found no answer.

I guess I have missed something, please explain it to me :)

A peer address is the hash of a cryptographic public key. It is used to encrypt certain packets as part of the routing protocol, serve as a payment address for the payment system (similar to a Bitcoin’s wallet address), but also serves as a unique identifier for a node, similar to IP Addresses in the current internet.

Also, a node may simply generate a new Peer Address anytime it chooses to.

When the balance of a neighbor hits a certain threshold, a payment request is initiated.

Malicious nodes could however cheat their neighbors and refuse to pay them their due traffic. For that, the protocol is designed to punish such malicious behavior through ostracism. A node will be automatically isolated from the network until it pays all its dues and resolves all conflicts with its neighbors.


What is preventing a malicious node from re-joining the network with a new peer address when it is getting close to receiving a payment request, and discarding its balance?

The only limitation I see is "First, and to eliminate the churn caused by unstable nodes, a Layer 2 link becomes active only after it has been alive for a set amount of time." but this is not a problem if you start another client in parallel when getting close to a payment threshold and switch to the new peer address when it is ready.

Today's TSUKKOMI (Total: 1)

  memento [I believe what stops you from doing that is that first your other peer address needs to have traffic in its balance to..]


  Getting ready for RMLL

RMLL will be in Brussels next week, time to get prepared.

I tried to read the Mobib pass I got during FOSDEM and sent two patches to cardpeek + the new ATR to smartcard_list.txt.


  Mageia Mageia 3

Mageia 3 was released last month and the autobuild system I started 6 months ago showed very nice improvements: we went from 89.9% of packages building successfully (9845/10949) on 2012-11-28 to 99% (10892/10996) on 2013-05-19!

Thanks to everyone who helped fix packages. Goal for Mageia 4: 100%.


I will be attending RMLL in Brussels next month, including Mageia Days. See you there!


  Photo Misc

After being burgled and my landlord requesting a 10% increase of my rent following the 7% last year, I have moved into a new flat in February.

On the negative side, I replaced my 40Mb/10Mb FTTC Sky connection with non working DSL (no dial tone + 1.5Mb/200kb instead of expected ~15Mb on this line). After 3 months trying to get them to fix the line, I'm moving to TalkTalk as they will be sending an engineer to setup my connection for free so I hope he can get something working soon.

On the positive side, I now have a balcony with a view on Battersea power station.



  Thoughts on LSB

Today, during the round table at distro recipes there was a short discussion about LSB usefulness and future. I was not participating but will share my opinion here instead.

Basically, I think xdg-utils from Freedesktop is doing what LSB Desktop should have been.

LSB wants distributions to provide a set of binary API (gtk2, qt3, now also qt4...). I don’t think that’s what vendors need.

Freedesktop provides a set of commands offering a set of features through a very simple API, which makes it easy to integrate into any distribution and desktop environment (and not even only under Linux).

Distributing the libraries with your application is easy (I think LSB can make sense for things like libc, etc). What vendors want is to integrate with the distribution (appear in the user menu, be associated with mimetypes, be able to start a browser, disable the screensaver while they play a movie, get the proxy configuration, maybe send an email...) without writing much code.

Freedesktop doesn’t mandate distributions to keep obsolete unmaintained libraries, it just asks them to provide a set of simple commands implementing the features in any way they may desire.

xdg-utils is now required by LSB 4.1 and that’s a good thing, but I believe most vendors are just interested in it, not in the rest of LSB.

Today's TSUKKOMI (Total: 2)

  Bastien [The xdg-utils' code is absolutely dreadful shell scripting. It's nowhere near clean enough.]

  Pascal [Bastien, my point is exactly that you don't need them. If you provide a GNOME only distribution you could replace some..]


  Time to get out of Linkedin?

Today I received some spam from a guy, sent by linkedin (it comes from their servers).

The message had the email addresses of all the recipients in the To field, meaning they gave away my email address to random people I don't know! I was annoyed at their password leak, but it seems they deliberately give email addresses away...

Their privacy policy states that "Your contact information will only be shared with another User if both of you have indicated that you would like to establish contact with each other." but this is a lie: it will also be shared if someone sends a message to both of you.

I tried to contact them. The first obstacle is their infinite scrolling, which prevents you from clicking the links at the bottom of the page unless you are very fast.

The second problem is their help center (which it seems you have to go through to contact them), which doesn't load: "There has been an error with your request.".

Today's TSUKKOMI (Total: 1)

  lolmoose [Make a report to their security team, this is a fuckup on their part they should fix ASAP, it violates their TOS.]


  Mageia Let's build it all over again... and again

Happy new year everyone. By posting something now I make sure I will post at least one this year :)

During Christmas I have been busy hacking an automated rebuild of Mageia.

I am using a single machine, and building only on x86_64. The machine has 12 cores and 32G RAM so I am building 6 packages in parallel with -l12 -j12 on tmpfs, with some swap to prevent very large packages from breaking the build of others. It takes about 30 hours to build just under 11000 packages, creating a clean chroot each time.

I was happily surprised by the results of the first rebuild, 90.1% success (9845 packages built successfully), and even more by the second (93.3%) after fixing a few packages that were breaking many others. I was less happy when the results went down in the recent runs (new version of rpm, new version of automake breaking 304 packages by removing AM_CONFIG_HEADER, %libexec changed to be different from %lib in our rpm config...), but at least we have the number and, better, the list of packages to fix!

Current main problems and limitations:

  • Packages only get rebuilt on x86_64
  • I add a -lN flag in addition to -jN in the _smp_mflags macro; this works well and allows me to build many packages in parallel to maximize CPU utilization, but a few packages fail (at least the ones passing the flag to waf, as waf handles -j but complains about -l)
  • There are some cases where the chroot is not removed (it happens for 175 chroots out of about 11000, but that's 73G used at the end of a rebuild that I manually clean, and because of that I am using a 100G swap file :) )
  • The build is started manually, and the results are copied manually
  • It runs as my user, in my home directory
  • The website is quite ugly, and lacking many things like the history of a package
  • A build creates 1.5G logs, and compressing them only gets it down to 500G at the cost of not being readable directly in the web browser, so I will have to remove some quite soon
  • Ah, and I will be attending FOSDEM as usual, so see you near some Belgian beers!



      Initial impression on the FitBit Aria scale

    I bought a FitBit Aria half price on Amazon last week and activated it today.

    The process is quite simple but managed to upset me (and also NetworkManager was not very helpful: I had to kill it once so that it would agree to reconnect after losing the connection, after killing the applet once so that clicking had any effect...)

    First, you create an account and start the web wizard. Then you connect to the AriaXXXX WiFi network and continue the wizard.

    It will detect the available WiFi networks and the page will fetch the results in js:

    GET /scale/ssid_info.js HTTP/1.1
    {
      "networks": [
        { "ssid": "BTWiFi-with-FON", "sig": 2, "pw": 0 },
        { "ssid": "BTWiFi", "sig": 2, "pw": 0 },
        { "ssid": "FOO12345", "sig": 1, "pw": 52 }
      ],
      "error_code" : 0,
      "error_msg" :  ''
    }

    The server has an interesting description in the HTTP header: Server: $ProjectRevision: $. I don't know which version control system uses the $ProjectRevision keyword.

    After you have selected one and entered the password, you reach the part which upset me:

    GET /scale/setup?custom_password=MyPassword&ssid=FOO12345

    It has sent my WiFi password over an unencrypted HTTP connection over unencrypted WiFi to my neighbours and people passing by!
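A check I would run on any capture of such a setup flow: flag plain-HTTP requests whose query string carries a credential. This is an added Ruby example, not code from the post or from Fitbit; the parameter-name pattern and the sample requests (built from the two requests above, with a made-up password) are assumptions.

```ruby
require 'uri'
require 'cgi'

# Parameter names that usually carry a credential.
CREDENTIAL_NAME_RE = /pass|pwd|secret|token|psk/i

# Split "GET /path?query HTTP/1.1" into [method, path, params]; params map name => [values].
def parse_request_line(line)
  method, target, _version = line.strip.split(' ', 3)
  uri = URI.parse(target)
  [method, uri.path, uri.query ? CGI.parse(uri.query) : {}]
end

# Findings for one plain-HTTP request: each credential-looking query parameter.
# Only the value length is recorded, so the report itself never repeats the secret.
def cleartext_credentials(line)
  method, path, params = parse_request_line(line)
  params.keys.grep(CREDENTIAL_NAME_RE).map do |name|
    { method: method, path: path, param: name, value_len: params[name].first.to_s.length }
  end
end

# Scan a list of captured request lines and collect all findings.
def scan_requests(lines)
  lines.flat_map { |l| cleartext_credentials(l) }
end

# Constructed sample: the two requests from the Aria setup, with a made-up password.
SAMPLE_REQUESTS = [
  "GET /scale/ssid_info.js HTTP/1.1",
  "GET /scale/setup?custom_password=MyPassword&ssid=FOO12345 HTTP/1.1",
]

if __FILE__ == $0
  scan_requests(SAMPLE_REQUESTS).each do |f|
    puts "#{f[:method]} #{f[:path]}: parameter '#{f[:param]}' carries a #{f[:value_len]}-char secret in cleartext"
  end
end
```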


      Photo Pizza

    I have spent few days in Berlin recently and found a nice small pizza restaurant which was very good.

    So, after Il Campionissimo in Paris and Franco Manca in London, I recommend you 'A Magica in Berlin :)

    It is small and you will probably need to share you table with strangers but it was delicious!

    While I'm on the topic I'll shamelessly advertise my Berlin photos.


    Today's TSUKKOMI (Total: 5)


      Chris Kühl [You should also try Pizza Nostra[1]. It's actually only a few blocks from the above mentioned Zia Maria, so you can ki..]

      ao2 [Ah if you are a great fan of Pizza consider a visit to the city of Naples, Italy, where the Pizza was invented. I can..]

      abral [There are a lot of great pizzerias in Naples, like,]


      Mageia GNOME Gtk client for HP TopTools P1218A card

    From December 19 to December 28 the main server was down. This server host(s|ed) many things including this blog, the Mageia website, PLF, ... The reason why it took so long is that the server is in the south of France, kindly hosted by Lost Oasis, and we have no one nearby to physically access it, and in this case we had lost our main RAID array.

    This server (kindly donated by HP almost 10 years ago) has a remote administration card (P1218A) but it is not really usable for anything except rebooting the machine. The remote console more or less works with some of the java versions from sun, but most of the time it only displays the top third of the screen, until next refresh when it goes black, and misses many keystrokes. This made it unsuitable for accessing the RAID BIOS and finding the problem.

    After about a week, for some unknown reason (I could have done it many times over the last 10 years), I thought of looking at the communications between the applet and the management card. Everything was clear text and very simple. Over the next days I wrote a ruby-gtk client for the card, accessed the BIOS, found that the 4 disks had been marked as failed without errors and were correctly synchronized, and put them back online.

    The first (and longest) part was to find how to login and get the session cookie. The exchange looks like:
    GET /cgi/challenge HTTP/1.1
    <?xml version='1.0'?><?RMCXML version='1.0'?><RMCLOGIN><CHALLENGE>DJRhNVfOWfuB8fS/6PFazg==</CHALLENGE><RC>0x0</RC></RMCLOGIN>
    GET /cgi/login?user=FOO&hash=UtPRDzFS36s0jJBgTmtS4JDR HTTP/1.1

    Challenge was obviously 16 bytes of data base64 encoded. Response was called hash and was 18 bytes whatever the password is. Given that it was written more than 10 years ago, I supposed it would be md5, even if it only gives 16 bytes.

    I then wrote a small ruby application trying various combinations (md5(challenge + password), md5(xor(challenge, password)), xor(challenge, md5(password)), ...) and found that md5(xor(challenge, md5(password))) was giving me the correct first 16 bytes.

    I then used an online CRC calculator to find that the remaining 2 bytes are "CRC-CCITT (XModem)".

    The other big part was the remote console.

    Getting the current screen content is quite easy, it's a GET on /cgi/scrtxtdump (with an optional force=1 parameter).

    In my initial tests there was a 0x10 between each character so I just filtered them out. I found later that it actually gives attributes for the character (bold, color, ...) and I now support the ones I have seen so far.

    Sending a keypress is quite easy too, it's a POST to /cgi/bin with data being <RMCSEQ><REQ CMD="keybsend"><KEYS>space separated scancodes</KEYS></REQ></RMCSEQ>.
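The login computation and the keybsend body described above, as an added Ruby example that is not the client's own code: md5(xor(challenge, md5(password))) followed by a CRC-CCITT (XModem). Which bytes the CRC covers is not stated in the post; taking it over the 16 digest bytes is an assumption, as is the placeholder password. Note that the response depends on the password only through md5(password), so anyone holding that digest can answer the challenge, and the whole exchange travels in clear text.

```ruby
require 'digest'
require 'base64'

# CRC-CCITT (XModem): polynomial 0x1021, initial value 0, no reflection, no final XOR.
def crc16_xmodem(data)
  crc = 0
  data.each_byte do |b|
    crc ^= b << 8
    8.times do
      crc = (crc & 0x8000).zero? ? (crc << 1) & 0xFFFF : ((crc << 1) ^ 0x1021) & 0xFFFF
    end
  end
  crc
end

# XOR two equal-length binary strings byte by byte.
def xor_bytes(a, b)
  raise ArgumentError, "length mismatch" unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# Build the 18-byte "hash" for /cgi/login from the base64 CHALLENGE and the password:
# md5(xor(challenge, md5(password))) plus a CRC-CCITT (XModem), big-endian.
# The CRC is taken over the 16 digest bytes here: that input is an assumption.
def toptools_login_hash(challenge_b64, password)
  challenge = Base64.strict_decode64(challenge_b64)
  raise ArgumentError, "challenge must be 16 bytes" unless challenge.bytesize == 16
  digest = Digest::MD5.digest(xor_bytes(challenge, Digest::MD5.digest(password)))
  Base64.strict_encode64(digest + [crc16_xmodem(digest)].pack('n'))
end

# Body of the POST to /cgi/bin that types keys on the remote console.
def keybsend_body(scancodes)
  "<RMCSEQ><REQ CMD=\"keybsend\"><KEYS>#{scancodes.join(' ')}</KEYS></REQ></RMCSEQ>"
end

# The CHALLENGE value from the post; the password is a placeholder, not a real one.
CHALLENGE = "DJRhNVfOWfuB8fS/6PFazg=="
if __FILE__ == $0
  puts "hash=#{toptools_login_hash(CHALLENGE, "placeholder-password")}"
  puts keybsend_body([0x1c])
end
```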


    The result

    The code is now online, still very ugly, but hopefully helpful :)

    BIOS before I handle colors