utcc.utoronto.ca/~cks

Feed link: 101 articles in total

The meaning of connecting to INADDR_ANY in TCP and UDP

An interesting change to IP behavior landed in FreeBSD 15, as I discovered by accident. To quote from the general networking section of the FreeBSD 15 release notes: Making a connection to INADDR_ANY, i.e., using it as an alias for localhost, is now disabled by default. This functionality can be re-enabled by setting the net.inet.ip.connect_inaddr_wild sysctl to 1. cd240957d7ba The change's commit message has a bit of a different description: Previously connect() or sendto() to INADDR_ANY re...

2026-02-05 02:55

I prefer to pass secrets between programs through standard input

There are a variety of ways to pass secrets from one program to another on Unix, and many of them may expose your secrets under some circumstances. A secret passed on the command line is visible in process listings; a secret passed in the environment can be found in the process's environment (which can usually be inspected by outside parties). When I've had to deal with this in administrative programs in our environment, I have reached for an old Unix standby: pass the secret between programs t...

2026-02-04 04:12

The consoles of UEFI, serial and otherwise, and their discontents

UEFI is the modern firmware standard for x86 PCs and other systems; sometimes the actual implementation is called a UEFI BIOS, but the whole area is a bit confusing. I recently wrote about getting FreeBSD to use a serial console on a UEFI system and mentioned that some UEFI BIOSes could echo console output to a serial port, which caused Greg A. Woods to ask a good question in a comment: So, how does one get a typical UEFI-supporting system to use a serial console right from the firmware? The me...

2026-02-03 03:07

Estimating where your Prometheus Blackbox TCP query-response check failed

As covered recently, the normal way to check simple services from outside in a Prometheus environment is with Prometheus Blackbox, which is somewhat complicated to understand. One of its abstractions is a prober, a generic way of checking some service using HTTP, DNS queries, a TCP connection, and so on. The TCP prober supports conducting a query-response dialog once you connect, but currently (as of Blackbox 0.28.0) it doesn't directly expose metrics that tell you where your TCP probe with...

2026-02-02 04:20

Early Linux package manager history and patching upstream source releases

One of the important roles of Linux system package managers like dpkg and RPM is providing a single interface to building programs from source even though the programs may use a wide assortment of build processes. One of the source building features that both dpkg and RPM included (I believe from the start) is patching the upstream source code, as well as providing additional files along with it. My impression is that today this is considered much less important in package managers, and some may...

2026-02-01 03:19

Making a FreeBSD system have a serial console on its second serial port

Over on the Fediverse I said: Today's other work achievement: getting a UEFI booted FreeBSD 15 machine to use a serial console on its second serial port, not its first one. Why? Because the BMC's Serial over LAN stuff appears to be hardwired to the second serial port, and life is too short to wire up physical serial cables to test servers. The basics of serial console support for your FreeBSD machine are covered in the loader.conf manual page, under the 'console' setting (in the 'Default Sett...

2026-01-31 04:57

Why I'm ignoring pretty much all new Python packaging tools

One of the things going on right now is that Python is doing a Python developer survey. On the Fediverse, I follow a number of people who do Python stuff, and they've been posting about various aspects of the survey, including a section on what tools people use for what. This gave me an interesting although very brief look into a world that I'm deliberately ignoring, and I'm doing that because I feel my needs are very simple and are well met by basic, essentially universal tools that I already k...

2026-01-30 03:59

Why Linux wound up with system package managers

Yesterday I discussed the two sorts of program package managers, system package managers that manage the whole system and application package managers that mostly or entirely manage third party programs. Commercial Unix got application package managers in the very early 1990s, but Linux's first program managers were system package managers, in dpkg and RPM (or at least those seem to be the first Linux package managers). The abstract way to describe why is to say that Linux distributions had t...

2026-01-29 04:37

The two subtypes of one sort of package managers, the "program manager"

I've written before that one of the complications of talking about package managers and package management is that there are two common types of package managers, program managers (which manage installed programs on a system level) and module managers (which manage package dependencies for your project within a language ecosystem or maybe a broader ecosystem). Today I realized that there is a further important division within program managers. I will call this division application (package) man...

2026-01-28 02:08

Forcing a Go generic type to be a pointer type (and some challenges)

Recently I saw a Go example that made me scratch my head and decode what was going on (you can see it here). Here's what I understand about what's going on. Suppose that you want to create a general interface for a generic type that requires any concrete implementation to be a pointer type. We can do this by literally requiring a pointer: type Pointer[P any] interface { *P } That this is allowed is not entirely obvious from the specification, but it's not forbidden. We're not allowed to use jus...

2026-01-27 04:48

Scraping the FreeBSD 'mpd5' daemon to obtain L2TP VPN usage data

We have a collection of VPN servers, some OpenVPN based and some L2TP based. They used to be based on OpenBSD, but we're moving from OpenBSD to FreeBSD and the VPN servers recently moved too. We also have a system for collecting Prometheus metrics on VPN usage, which worked by parsing the output of things. For OpenVPN, our scripts just kept working when we switched to FreeBSD because the two OSes use basically the same OpenVPN setup. This was not the case for our L2TP VPN server. OpenBSD does ...

2026-01-26 04:00

Printing things in colour is not simple

Recently, Verisimilitude left a comment on my entry on X11's DirectColor visual type, where they mentioned that L Peter Deutsch, the author of Ghostscript, lamented using twenty-four bit colour for Ghostscript rather than a more flexible approach, which you may need in printing things with colour. As it happens, I know a bit about this area for two or three reasons, which come at it from different angles. A long time ago I was peripherally involved in desktop publishing software, which obviousl...

2026-01-25 03:47

Understanding query_response in Prometheus Blackbox's tcp prober

Prometheus Blackbox is somewhat complicated to understand. One of its fundamental abstractions is a 'prober', a generic way of probing some service (such as making HTTP requests or DNS requests). One prober is the 'tcp' prober, which makes a TCP connection and then potentially conducts a conversation with the service to verify its health. For example, here's a ClamAV daemon health check, which connects, sends a line with "PING", and expects to receive "PONG": clamd_pingpong: prober: tcp tcp: qu...

2026-01-24 02:54

Pitfalls in using Prometheus Blackbox to monitor external SMTP

The news of the day is that Microsoft had a significant outage inside their Microsoft 365 infrastructure. We noticed when we stopped being able to deliver email to the university's institutional email system, which was a bit mysterious in the usual way of today's Internet: The joys of modern email: "Has Microsoft decided to put all of our email on hold or are they having a global M365 inbound SMTP email incident?" (For about the last hour and a half, if it's an incident someone is having a bad ...

2026-01-23 04:15

What ZFS people usually mean when they talk about "ZFS metadata"

Recently I read Understanding ZFS Scrubs and Data Integrity (via), which is a perfectly good article and completely accurate, bearing in mind some qualifications which I'm about to get into. One of the things this article says in the preface is: In this article, we will walk through what scrubs do, how the Merkle tree layout lets ZFS validate metadata and data from end to end, [...] This is both completely correct and misleading, because what ZFS people mean when we talk about "metadata" is probabl...

2026-01-22 04:14

The long painful history of (re)using login to log people in

The news of the time interval is that Linux's usual telnetd has had a giant security vulnerability for a decade. As people on the Fediverse observed, we've been here before; Solaris apparently had a similar bug 20 or so years ago (which was CVE-2007-0882, cf, via), and AIX in the mid 1990s (CVE-1999-0113, source, also), and also apparently SGI Irix, and no doubt many others (eg). It's not necessarily telnetd at fault, either, as I believe it's sometimes been rlogind. All of these bugs h...

2026-01-21 03:36

TCP, UDP, and listening only on a specific IP address

One of the surprises of TCP and UDP is that when your program listens for incoming TCP connections or UDP packets, you can choose to listen only on a specific IP address instead of all of the IP addresses that the current system has. This behavior started as a de-facto standard but is now explicitly required for TCP in RFC 9293 section 3.9.1.1. There are at least two uses of this feature: to restrict access to your listening daemon, and to run multiple daemons on the same port. The classical cas...

2026-01-20 02:33

Single sign on systems versus X.509 certificates for the web

Modern single sign on specifications such as OIDC and SAML and systems built on top of them are fairly complex things with a lot of moving parts. It's possible to have a somewhat simple surface appearance for using them in web servers, but the actual behind the scenes implementation is typically complicated, and of course you need an identity provider server and its supporting environment as well (which can get complicated). One reaction to this is to suggest using X.509 certificates to authe...

2026-01-19 03:59

People cannot "just pay attention" to (boring, routine) things

Sometimes, people in technology believe that we can solve problems by getting people to pay attention. This comes up in security, anti-virus efforts, anti-phish efforts, monitoring and alert handling, warning messages emitted by programs, warning messages emitted by compilers and interpreters, and many other specific contexts. We are basically always wrong. One of the core, foundational results from human factors research, research into human vision, the psychology of perceptions, and other rela...

2026-01-18 02:04

Systemd-networkd and giving your virtual devices alternate names

Recently I wrote about how Linux network interface names have a length limit, of 15 characters. You can work around this limit by giving network interfaces an 'altname' property, as exposed in (for example) 'ip link'. While you can't work around this at all in Canonical's Netplan, it looks like you can have this for your VLANs in systemd-networkd, since there's AlternativeName= in the systemd.link manual page. Except, if you look at an actual VLAN configuration as materialized by Netplan (or ...

2026-01-17 03:28
Page 1 of 6