technology 2009-08-17T18:00:57+05:30 gera http://www.theoldmonk.net/blog http://www.theoldmonk.net/blog/ NanoBlogger Building a mysql-server with SphinxSE patches gera http://www.theoldmonk.net/blog/archives/2009/08/05/building_a_mysql-server_with_sphinxse_patches/ 2009-08-05T09:14:04+05:30 2009-08-05T09:14:04+05:30
Sphinx patches.
  • The SSL cert used in the tests is expired, failing a bunch of tests with a SSL error (LP: #323755).
  • Some MySQL status and error messages have changed, making some tests fail. (This is not true - see update for details).
  • Upstream has a debian directory which isn't integrated and causes build failures. (There's a dpatch for this already, but it doesn't go all the way).
  • Sphinx provides a SphinxSE patch for MySQL 0.37
  • The debian/rules script skips out on the pre-build automake invocation, and the sphinx patches never make it to the build, or the compilation fails midway.

I managed to get these issues sorted out via a series of dpatches. You can download the debdiff and build the package yourself: 
$ apt-get source mysql-server
 .... [will download the source and apply the diffgz etc] ....

$ cd mysql-dfsg-5.0-5.0.1a
$ patch -p1 < /path/to/mysql-dfsg-5.0_5.0.51a-3ubuntu5-sphinx1.debdiff
.... [messages about files patched] ....

$ dpkg-buildpackage -rfakeroot -us -uc
.... [builds and unsigned package. Takes *really* long] ....
update: It turns out that the MySQL error messages didn't change after all. I should have noticed earlier, but the difference in error messages is because the build machine was using OpenDNS, which wasn't returning a NXDOMAIN for invalid/nonexistent hosts. The debdiff is now fixed and the unnecessary dpatch has been removed. But the thing to learn from this is that if your build machine is using OpenDNS in its default configuration (it's possible to fix OpenDNS' behaviour) - the MySQL test suite *WILL FAIL*.]]>
CouchDB document update notifications gera http://www.theoldmonk.net/blog/archives/2009/04/10/couchdb_document_update_notifications/ 2009-04-10T11:02:00+05:30 2009-04-10T11:02:00+05:30
CouchDB is a very cool document store which uses JavaScript map/reduce views. It is schema free and the docs are JSON. It also has an HTTP API which makes it possible to write purely JavaScript apps with persistence via CouchDB.

Couch has a concept of DB update notifications. A process is launched (and relaunched if it crashes, via an Erlang/OTP supervisor) and is notified of any updates (adds, deletes and changes) to the DBs. That's nice, but not sufficiently useful in all cases.

So I added a "document update notification" mechanism on the lines of db update notifications, which not only tells which document changed, but also what changed in the document. This makes it possible to write various kinds of "triggers" (or even "stored procedures" if you squint just right). The document update notification process gets the type of change (add/delete/update), the db name, the doc id and the bodies of the old and the new doc on each update. It can then use these to determine if something interesting changed and decide whether to take action or not.

The patch was offered upstream (annoucement) but wouldn't land up in the trunk because a feature superseding this functionality is already planned (comet notifications). However, I will maintain the patches out-of-tree till the superseding functionality lands in the trunk. The patches are fairly simple and non intrusive, and are available for both 0.8.1 and 0.9.

DocUpdateNotifications patch for CouchDB 0.9

DocUpdateNotifications patch for CouchDB 0.8.1

These patches were developed as part of my work for BaseCase. BaseCase thinks open source is cool and has gladly agreed to the release of these patches.]]>
ssh authentication via mysql (pam_mysql) gera http://www.theoldmonk.net/blog/archives/2009/02/24/ssh_authentication_via_mysql_pam_mysql/ 2009-02-24T13:39:30+05:30 2009-02-24T13:39:30+05:30
There's not much info on the interwebs on why ssh authentication via pam_mysql fails, and there are definitely some misleading answers like 
when logging in via ssh, the ssh daemon checks some files in ~/,
so it can be done if the user already have a valid home directory.
from this thread.

The real reason why it doesn't successfully authenticate is because ssh does a getpwent() call to check if the user exists on the system. If you're using just a PAM solution (which doesn't provide accounts), that call fails if there isn't any such local user. sshd then sets the password to '^H ^M INCORRECT' before passing it to PAM, which obviously thinks it's the wrong password. The simple (and probably unscalable - but then you should be using something like nss_mysql) solution is to add local accounts to the machines for these users. That will make the getpwent() call succeed, and sshd will authenticate successfully via PAM.

I've mentioned this earlier.

]]>
Trac, MySQL and authentication gera http://www.theoldmonk.net/blog/archives/2008/09/27/trac_mysql_and_authentication/ 2008-09-27T19:06:10+05:30 2008-09-27T19:06:10+05:30
work :
  • A wiki
  • VPN
  • A bug/issue tracker
Trac gave us the first and the last, and OpenVPN gave us the middle. The newer versions of Trac can use MySQL as a database instead of SQLite and have a nice AccountManager plugin.

And it all comes together with pam_mysql. The only problem was that Trac likes to store passwords hashed as HTTP-Digest style hashes (not the most secure, I know) with an empty realm, and pam_mysql doesn't work for that. The solution was a simple patch to pam_mysql which adds support for such hashes. I'll publish that soon - I'm making it more general by adding support for realms rather than assuming that realm would be empty.

OpenVPN (and apache - via mod_auth_pam) etc. can authenticate via PAM and adding authentication to anything is a simple matter of placing the right .htaccess file. And this is a *common* password across all services, which users can change on the wiki, in their browsers, with a nice polished interface. No unix shells for people who can't deal with them.

This is no Kerberos, but is infinitely simpler - which means a lot for a small startup.

There are a few gotchas though :
  • Apache doesn't like empty realms. This can be worked around by switching to Basic authentication where passwords are passed on to PAM and we ignore realm. Yes, Basic is worse, but there's always SSL. Thus, one can supply _any_ value of realm (the AuthName in .htaccess). The situation might improve if my pam_sql patch accepts realms and we manage to modify the Trac AuthManager plugin to use the same realm.
  • SSH doesn't like to authenticate users which don't have an account on the machine. It does a getpwent() call, and if it fails, it sets the password to '^H ^M INCORRECT' (the ^H and ^M represent the control chars here, but this is what you see in your logs if you debug PAM). One (ugly, in my opinion) way out is to LD_PRELOAD your own getpwent() method for sshd. The other is to grant ssh access to people on a machine by machine basis. This doesn't scale beyond a point but is good enough for small setups and the most secure. We use this. The cleaner solution of course, is to use something like nss_mysql. This might be our next step, but not in the immediate future.
Patch to come Real Soon Now.]]>
Network profiles in Ubuntu gera http://www.theoldmonk.net/blog/archives/2008/03/04/network_profiles_in_ubuntu/ 2008-03-04T22:03:31+05:30 2008-03-04T22:03:31+05:30
There are various ways of managing multiple network profiles in Ubuntu, but I've never been a fan of NetworkManager. Commandlines work for me very well, and even there - multiple solutions exist with the help of packages like resolvconf etc. Here's my setup which is very Debian-ish and depends on this nice package called ifupdown.

First, there's the /etc/network/interfaces file :

# we always want the loopback
auto lo
iface lo inet loopback

# mappings
mapping eth0
  script /etc/network/map-scheme
  map dhcp eth0-dhcp
  map emergency eth0-emergency

mapping ath0
  script /etc/network/map-scheme
  map office ath0-office
  map home ath0-home

iface eth0-dhcp inet dhcp
  up iptables -F
  up lokkit -n -q --high --dhcp
  up /etc/init.d/lokkit restart

iface ath0-office inet dhcp
  wpa-driver madwifi
  wpa-conf /etc/wpa_supplicant/office.conf
  up iptables -F
  up lokkit -n -q --high --dhcp
  up /etc/init.d/lokkit restart

iface eth0-emergency inet static
  address 10.9.5.201
  gateway 10.9.4.1
  netmask 255.255.254.0
  up iptables -F
  up lokkit -q --high
  up echo nameserver 172.31.6.5 > /etc/resolv.conf
  up echo nameserver 203.197.12.30 >> /etc/resolv.conf

iface ath0-home inet dhcp
  wpa-driver madwifi
  wpa-conf /etc/wpa_supplicant/home.conf
  up iptables -F
  up lokkit -n -q --high --dhcp
  up /etc/init.d/lokkit restart

Notice the mappings section (and see 'man interfaces') - that allows me to say :

NETSCHEME="home" sudo ifup ath0

or

NETSCHEME="office" sudo ifup ath0

because the specified script (/etc/network/map-scheme) just looks up the NETSCHEME environment variable and spit out the correct mapping to go to. This thing, by the way, could be rigged to do arbitrarily complex tasks (look in /usr/share/doc/ifupdown/examples/ for sample scripts, including one which tries to ping some known IPs, and decides its location/profile based on successful pings - you could write one which looks for all known wireless SSIDs and then decide which profile to switch to). Here's my trivial script :

#!/usr/bin/perl -w
use strict;

my $scheme = $ENV{NETSCHEME} || "home";

while(<>) {
        if ( s/$scheme\s+// ) {
                print;
        }
}

The conf files in /etc/wpa_supplicant/* are of course wpa_supplicant configuration files. See 'man wpa_supplicant.conf' for details.

]]>