kernel-xen-3.6.6-1 coming soon.


This fixes the ext4 journal corruption bug as well as a few other issues.

Changelog:

* Sun Nov 11 2012 Steven Haigh
- Update to kernel 3.6.6
- Notable fixes in this kernel version:
    ext4: fix unjournaled inode bitmap modification
    blkcg: Fix use-after-free of q->root_blkg and q->root_rl.blkg
    md/raid1: Fix assembling of arrays containing Replacements.

Full 3.6.6 changelog: http://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.6.6

They're building now. It should hit the mirrors after some quick testing.

In future, release notifications will only be posted to the mailing list.

Google and the Australia Tax


Google have released a new wave of the Google Nexus devices. These devices all run Android and are not locked or limited in any way - paving a new path against carrier lockdown and interference. Their motto, "Openness at all costs" (Slashdot discussion)

Interestingly, these articles show:

    Nexus 4 - $349 (16Gb)
    Nexus 7 - $199 (16Gb)
    Nexus 10 - $399 (16Gb)

Now, these prices are all in the US, so they're in $USD.

Imagine my surprise when I check the Google Play Store where they sell the devices only to find:

    Nexus 4 - $349 (8Gb)
    Nexus 4 - $399 (16Gb)
    Nexus 7 - $249 (16Gb)
    Nexus 7 - $299 (32Gb)
    Nexus 10 - $469 (16Gb)
    Nexus 10 - $569 (32Gb)

This means the 'Australia Tax' on the 16Gb Nexus 4 is $50AUD, the Nexus 7 is $50AUD, and the Nexus 10 is $70AUD.

So, what I would love to see is that if the motto really is 'Openness at any cost', why are Australians being stung so much more per unit than in the US? It certainly can't be shipping costs!

SSH two factor auth with Yubikey + SSH key


I got myself a Yubikey a few weeks ago - and I really like what I see. It allows you to use two factor authentication by way of a one time password (OTP) generated by the YubiKey.

So, I wanted to beef up security on my critical servers by requiring BOTH an SSH key and an OTP generated by the YubiKey.

I spent a lot of time hacking around with using SSH and ForceCommand - but it breaks scp - which I use quite a lot. Today I found the answer. This will only work on EL6.3 (CentOS, Scientific Linux and RHEL 6.3) and is a much bigger improvement in authentication.

To configure:

    Get yourself a YubiKey
    Install and enable the epel repository
    Install the pam_yubico package

Now, we want to add the authentication method to PAM. Edit /etc/pam.d/sshd and make it look like so:

    #%PAM-1.0
    auth       required     pam_yubico.so id=16 authfile=/etc/yubikey_mappings
    auth       required     pam_sepermit.so
    auth       include      password-auth
    account    required     pam_nologin.so
    account    include      password-auth
    password   include      password-auth
    # pam_selinux.so close should be the first session rule
    session    required     pam_selinux.so close
    session    required     pam_loginuid.so
    # pam_selinux.so open should only be followed by sessions to be executed in the user context
    session    required     pam_selinux.so open env_params
    session    optional     pam_keyinit.so force revoke
    session    include      password-auth

Now we create /etc/yubikey_mappings and list your yubikey users along with their key ID. For example:

    root:abcdabcdabcd
    myuser:dcbadcbadcba

Then onto the SSH config. EL6.3 adds a new configuration option. The documentation shows:

    RequiredAuthentications[12]
            Specifies required methods of authentications that has to succeed before authorizing the connection. (RequiredAuthentication1 for Protocol version 1, and RequiredAuthentication2 for v2)

            RequiredAuthentications1 method[,method...]
            RequiredAuthentications2 method[,method...]

            Example 1:
                    RequiredAuthentications2 password,hostbased
            Example 2:
                    RequiredAuthentications2 publickey,password

As we want to auth using a public key AND a password, we can use the following in /etc/ssh/sshd_config:

    RequiredAuthentications2 publickey,password

Restart the sshd server using service sshd restart and you should be good to go :)

Oh, and just because it isn't 100% obvious, the login details will now be:

    Username: <yourusername>
    Password: <yourpassword><press the YubiKey button>

It goes without saying that you will also need a working SSH key....

EDIT: There is a bug in the Match parsing for RequiredAuthentications2. See my report.
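An added example, not part of the original post: a small Python audit of the three files configured above (the PAM stack, sshd_config and the mappings file). The sample file contents are constructed, and the checks assume pam_yubico's user:keyid mapping format with key IDs being the first 12 modhex characters of an OTP, which is why the placeholder abcdabcdabcd from the post is flagged ('a' is not a modhex character).

```python
MODHEX = set("cbdefghijklnrtuv")  # alphabet a YubiKey uses for its OTP output

def check_mappings(text):
    """Validate authfile lines of the form user:keyid[:keyid...]."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        user, *ids = line.strip().split(":")
        if not user or not ids:
            problems.append(f"mappings line {n}: expected user:keyid")
        for kid in ids:
            # The key ID is the first 12 characters of any OTP the key emits.
            if len(kid) != 12 or not set(kid) <= MODHEX:
                problems.append(f"mappings line {n}: {kid!r} is not 12 modhex chars")
    return problems

def check_pam(text):
    """pam_yubico.so must be a 'required' entry in the auth stack."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "auth" and fields[2] == "pam_yubico.so":
            ok = fields[1] == "required"
            return [] if ok else [f"pam: pam_yubico.so is '{fields[1]}', not 'required'"]
    return ["pam: no pam_yubico.so entry in the auth stack"]

def check_sshd(text):
    """RequiredAuthentications2 must list publickey and password globally."""
    for line in text.splitlines():
        fields = line.split("#")[0].split()
        if not fields:
            continue
        if fields[0].lower() == "match":
            break  # stop at the first Match block: only global settings count here
        if fields[0].lower() == "requiredauthentications2" and len(fields) > 1:
            missing = {"publickey", "password"} - set(fields[1].split(","))
            return [f"sshd: RequiredAuthentications2 lacks {m}" for m in sorted(missing)]
    return ["sshd: RequiredAuthentications2 not set in the global section"]

def audit(pam, sshd, mappings):
    return check_pam(pam) + check_sshd(sshd) + check_mappings(mappings)

# Constructed sample input; the first mapping is the placeholder from the post.
PAM = "#%PAM-1.0\nauth required pam_yubico.so id=16 authfile=/etc/yubikey_mappings\nauth include password-auth\n"
SSHD = "PasswordAuthentication yes\nRequiredAuthentications2 publickey\n"
MAPPINGS = "root:abcdabcdabcd\nmyuser:ccccccbdefgh\n"

if __name__ == "__main__":
    print("\n".join(audit(PAM, SSHD, MAPPINGS)))
```

Run against the real /etc/pam.d/sshd, /etc/ssh/sshd_config and /etc/yubikey_mappings by reading each file and passing its text to audit(); an empty list means all three checks passed.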

Jemena electricity wholesale and the smart meter


Just about everyone in Australia is aware of the new requirements for replacing the old spinning dial meters with a smart meter. They look pretty much like this and hide in with the circuit breakers etc.

While there has been a big drama over the changeover (with some people going berserk), there have been a lot of promises about them making our lives better. Jemena however have started tackling this head on. Once you register your meter, you can then access your electricity usage details right up to the current day (in fact, it is even updated four times a day!). As the following screenshots from the Jemena Electricity Outlook show, you get really good data (although I didn't show my usage for today, it does break it down into hourly usage blocks!).

What is also nice is that if you can find the rate that your electricity retailer charges you (good luck on that!), then you can input both the charge per kWh AND the daily supply charge to get an estimated dollar figure - which can even include off peak and on peak splits. From what I hear, if you have a solar power setup and are feeding the grid, you will even get a separate colour bar that shows you how much power you fed to the grid.

While this is all fun, I managed to get my hands on a preview device that is still unconfirmed. Picture first, then words.

This display (after being authorised via the Jemena Electricity Outlook) connects to your smart meter wirelessly. It is powered by a single AA battery and shows up to the minute as well as trend data for your electricity usage. From my experiments, it looks as though this is updated every 30 seconds.

Interestingly, there is a lot of functionality in this display that is not yet implemented (fingers crossed it does!) such as $/hr for your electricity usage, targets for usage as well as trend monitoring.

As you can see, it doesn't look as though the outlook portal currently communicates your target levels etc to the display, nor does it transfer the tariff you set within the portal to the meter - so at this stage it won't show anything in the $/hr section.

Where does this lead us? Who knows. These devices are only just starting to be developed for use in Australia now - and as more companies get on this bandwagon, and as more people want to reduce their carbon footprint, I can see this area expanding fairly rapidly over the next few years. Until then, keep your eyes open for other wholesalers releasing the access to your usage information and use it as a basis to shop around and save yourself a considerable sum.

EDIT: Oh, and the best thing about the portal? Look for the "Download your data" link. You'll get a CSV file broken down hourly of your usage since the smart meter was first installed! Go Jemena!

IBM chooses my Xen packages for guides on IBM SmartCloud Provisioning


When you do open source stuff, sometimes it's amazing where the projects turn up. Today I got a big surprise.

If you're setting up an IBM Compute Node using a Xen hypervisor, some of the documentation seems rather familiar. Especially this part:

yum install http://au1.mirror.crc.id.au/repo/kernel-xen-release-6-3.noarch.rpm

Although the documentation is in a bit of a mess regarding this topic on the IBM site, it might have been much easier to link to my howto or even to the kernel-xen mailing list for support if required.

Does that make me an IBM Business Partner now? ;)

Youtube discoveries.


Ok, it's been quite a while since I've posted a general post to my site here. So in order for it to not be taken over by my Xen announcements, here is what is on my YouTube playlist at the moment.

1) PSY - Gangnam Style. This is the ONLY Korean pop singer to EVER make #1 on the British charts.

2) Lonely Island feat Michael Bolton - Jack Sparrow. This one makes me chuckle probably harder than I should.

I won't bore you with others, these are good enough ;)

Xen 4.2.0 in testing & new kernel-xen package.


I've had a few emails asking about Xen 4.2.0. I've got a test version running and am monitoring it over the next few days. If it proves ok, I'll push it to the repo.

In the meantime, yesterday I pushed a new kernel-xen package (3.5.4-2) which has the option for HPSA raid adapters enabled. This was an oversight originally and should mean that the kernel will boot properly on HP servers with this type of RAID card.

Xen packages 4.1.3-2 released.


Changes in this version:

* Fri Sep 07 2012 Steven Haigh <netwiz @crc.id.au> - 4.1.3-2
- XSA12 (CVE-2012-3494) - hypercall set_debugreg vulnerability
- XSA13 (CVE-2012-3495) - hypercall physdev_get_free_pirq vulnerability
- XSA14 (CVE-2012-3496) - XENMEM_populate_physmap DoS vulnerability
- XSA16 (CVE-2012-3498) - PHYSDEVOP_map_pirq index vulnerability
- XSA17 (CVE-2012-3515) - Qemu VT100 emulation vulnerability
- XSA19 guest administrator can access qemu monitor console

Everyone should update to these packages ASAP.