23 Apr 2014

feedPlanet Grep

Dieter Plaetinck: Metrics 2.0 now has its own website!

Metrics 2.0 started as a half-formal proposal and an implementation via graph-explorer, but is broad enough in scope that it deserves its own website, its own spec, its own community. That's why I launched metrics20.org and a discussion group.

From the website:

We have pretty good storage of timeseries data, collection agents, and dashboards. But the idea of giving timeseries a "name" or a "key" is profoundly limiting us. Especially when they're not standardized and missing information.
Metrics 2.0 aims for self-describing, standardized metrics using orthogonal tags for every dimension. "metrics" being the pieces of information that point to, and describe timeseries of data.

By adopting metrics 2.0 you can:
  • increase compatibility between tools
  • get immediate understanding of metrics
  • build graphs, plots, dashboards and alerting expressions with minimal hassle
Read more on metrics20.org.

23 Apr 2014 1:10pm GMT

22 Apr 2014

Philip Van Hoof: Tracker supports volume management under a minimal environment

While Nemo Mobile OS doesn't ship with udisks2 nor with the GLib/GIO GVfs2 modules that interact with it, we still wanted removable volume management working with the file indexer.

It means that types like GVolume and GVolumeMonitor in GLib's GIO will fall back to GUnixVolume and GUnixVolumeMonitor using GUnixMount and GUnixMounts instead of using the more competent GVfs2 modules.

The GUnixMounts fallback uses the _PATH_MNTTAB, which generally points to /proc/mounts, to know what the mount points are.

Removable volumes usually aren't configured in the /etc/fstab file, which would or could affect /proc/mounts, plus if you'd do it this way the UUID label can't be known upfront (you don't know which sdcard the user will insert). Tracker's FS miner needs this label to uniquely identify a removable volume to know if a previously seen volume is returning.

If you look at gunixvolume.c's g_unix_volume_get_identifier you'll notice that it always returns NULL in case the UUID label isn't set in the mtab file: the pure-Unix fall back implementations aren't fit for non-typical desktop usage; it's what udisks2 and GVfs2 normally provide for you. But we don't have it on the Nemo Mobile OS.

The mount_add in libtracker-common/tracker-storage.c luckily has an alternative that uses the mountpoint's name (line ~592). We'll use this facility to compensate for the lacking UUID.

Basically, we add the UUID of the device to the mountpoint's directory name and Tracker's existing volume management will generate a unique UUID using MD5 for each unique mountpoint directory. What follows is specific for Nemo Mobile and its systemd setup.

We added some udev rules to /etc/udev/rules.d/90-mount-sd.rules:

SUBSYSTEM=="block", KERNEL=="mmcblk1*", ACTION=="add", MODE="0660", TAG+="systemd", ENV{SYSTEMD_WANTS}="mount-sd@%k.service", ENV{SYSTEMD_USER_WANTS}="tracker-miner-fs.service tracker-store.service"

We added /etc/systemd/system/mount-sd@.service:

[Unit]
Description=Handle sdcard
After=init-done.service dev-%i.device
BindsTo=dev-%i.device

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/mount-sd.sh add %i
ExecStop=/usr/sbin/mount-sd.sh remove %i

And we created mount-sd.sh:

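# $1 is the action and $2 the kernel device name, as passed by mount-sd@.service.
# MNT, DEF_UID, DEF_GID and MOUNT_OPTS must already be set; their definitions
# are not part of this excerpt.
ACTION=$1
DEVNAME=/dev/$2
if [ "$ACTION" = "add" ]; then
    # blkid's export output sets DEVNAME and UUID (among others) for the card
    eval "$(/sbin/blkid -c /dev/null -o export "/dev/$2")"
    # The UUID comes from the inserted card, so every expansion is quoted
    test -d "$MNT/${UUID}" || mkdir -p "$MNT/${UUID}"
    chown "$DEF_UID:$DEF_GID" "$MNT" "$MNT/${UUID}"
    touch "$MNT/${UUID}"
    mount "${DEVNAME}" "$MNT/${UUID}" -o "$MOUNT_OPTS" || /bin/rmdir "$MNT/${UUID}"
    test -d "$MNT/${UUID}" && touch "$MNT/${UUID}"
else
    # Find where the device is mounted and unmount it (lazily if needed)
    DIR=$(mount | grep -w "${DEVNAME}" | cut -d \  -f 3)
    if [ -n "${DIR}" ] ; then
        umount "$DIR" || umount -l "$DIR"
    fi
fi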
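
The add branch above passes whatever blkid prints for the inserted card to eval and then uses the UUID as a directory name. As an added example (not part of the original post or of Nemo's script), the sketch below reads the same blkid -o export output as plain data and validates the UUID before building the mount point. The function names and sample inputs are constructed for illustration; /media/sdcard is taken from the mount output shown in the post.

```shell
#!/bin/sh
# Added example (not the Nemo mount-sd.sh): treat `blkid -o export` output as
# data instead of passing it to eval, and validate the UUID before it becomes
# part of the mount point path. All function names here are hypothetical.

# blkid_value KEY
# Read KEY=value lines on stdin and print the value of the first line for KEY.
# Returns 1 when KEY is absent (for example a card that reports no UUID).
blkid_value() {
    bv_key=$1
    while IFS= read -r bv_line; do
        case $bv_line in
            "$bv_key="*)
                printf '%s\n' "${bv_line#*=}"
                return 0
                ;;
        esac
    done
    return 1
}

# is_safe_uuid VALUE
# Accept only non-empty strings of hex digits and dashes, at most 36 characters
# (the length of a canonical UUID). Short vfat serials such as F6D0-FC42 pass;
# "/", "..", spaces and shell syntax are rejected.
is_safe_uuid() {
    case $1 in
        '' | *[!0-9A-Fa-f-]*) return 1 ;;
    esac
    [ "${#1}" -le 36 ]
}

# mount_dir_for BASE
# Read blkid export output on stdin and print BASE/UUID. Returns 1 and prints
# nothing when the UUID is missing or fails validation.
mount_dir_for() {
    md_base=$1
    md_uuid=$(blkid_value UUID) || return 1
    is_safe_uuid "$md_uuid" || return 1
    printf '%s/%s\n' "$md_base" "$md_uuid"
}

# Constructed sample inputs in the KEY=value shape of `blkid -o export`.
SAMPLE_VFAT='DEVNAME=/dev/mmcblk1
UUID=F6D0-FC42
TYPE=vfat'

SAMPLE_BAD_UUID='DEVNAME=/dev/mmcblk1
UUID=../../etc
TYPE=vfat'

SAMPLE_NO_UUID='DEVNAME=/dev/mmcblk1
TYPE=vfat'

# Demo: only the first sample yields a mount point.
for sample in "$SAMPLE_VFAT" "$SAMPLE_BAD_UUID" "$SAMPLE_NO_UUID"; do
    if dir=$(printf '%s\n' "$sample" | mount_dir_for /media/sdcard); then
        echo "mount point: $dir"
    else
        echo "rejected: no usable UUID, not mounting"
    fi
done
```

In a real script the input would come from /sbin/blkid -c /dev/null -o export "/dev/$2" piped into mount_dir_for, with the add branch aborting when it returns non-zero.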

Now we just have to configure Tracker right:

gsettings set org.freedesktop.Tracker.Miner.Files index-removable-devices true

Let's try that:

# Insert sdcard
[nemo@Jolla ~]$ mount | grep sdcard
/dev/mmcblk1 on /media/sdcard/F6D0-FC42 type vfat (rw,nosuid,nodev,noexec,...
[nemo@Jolla ~]$ 

[nemo@Jolla ~]$ touch  /media/sdcard/F6D0-FC42/test.txt
[nemo@Jolla ~]$ tracker-sparql -q "select tracker:available(?s) nfo:fileName(?s) \
     { ?s nie:url 'file:///media/sdcard/F6D0-FC42/test.txt' }"
Results:
  true, test.txt

# Take out the sdcard

[nemo@Jolla ~]$ mount | grep sdcard
[nemo@Jolla ~]$ tracker-sparql -q "select tracker:available(?s) nfo:fileName(?s) \
     { ?s nie:url 'file:///media/sdcard/F6D0-FC42/test.txt' }"
Results:
  (null), test.txt
[nemo@Jolla ~]$

22 Apr 2014 8:05pm GMT

Mattias Geniar: Debugging HTTP requests to PHP via the CLI

You're a sysadmin. You love the CLI. You use PHP. Surely, you should be able to troubleshoot PHP applications that are normally run via an HTTP server through the CLI as well, right? Well, good news; you can -- with a few caveats. This is a follow-up to a blog post I made in 2012 titled "Running php-cgi scripts via the CLI as a webserver would (by faking them)". If you can run your PHP applications via the CLI, you can use tools such as strace to debug the PHP app's behaviour.

TL;DR: you can fake pretty much any HTTP request by setting the correct environment variables before you call the PHP binary.


First, the caveats.

Now. On with it.

Basic web application

If you have a simple PHP application you will most likely be able to run it simply via the CLI.

$ cd /path/to/your/docroot
$ php index.php

The output can be (but is not necessarily) the same as if it were called via the web.

Using environment variables to determine dev/staging/prod

Just like you can specify environment variables in Nginx or Apache, to allow your code to use different users/passwords/settings, you can set them via the CLI as well. If your application depends on an environment variable called "APPLICATION_ENV" to distinguish environments, you can add it to your request.

$ cd /path/to/your/docroot
$ APPLICATION_ENV=development php index.php

A framework which uses routes

If you're using a framework that has a routing controller, to map URIs directly to the index.php file, you can add environment variables to make the PHP app think you're requesting a specific URI.

$ cd /path/to/your/docroot
$ REQUEST_URI=/your-test-page php index.php

Multi-domain PHP application

If you're running your PHP application as a multi-site app, meaning your content and code behaviour can differ depending on the hostname being used in the request, you can also pass those along as environment variables.

$ cd /path/to/your/docroot
$ SERVER_NAME=www.yoursite.tld HTTP_HOST=www.yoursite.tld REQUEST_URI=/your-test-page php index.php

Sending POST requests at CLI

The HTTP method is just an environment variable -- so it's changeable.

$ cd /path/to/your/docroot
$ REQUEST_METHOD=POST CONTENT_TYPE=application/x-www-form-urlencoded REQUEST_URI=/your-test-page php index.php

Conclusion

Running these PHP commands via the CLI allows you to troubleshoot applications more easily, as you can now reproduce specific HTTP requests on demand. The main benefit comes from the ability to attach a debugger (such as gdb or strace) to that process. You can see all low-level system calls as well as all network traffic (such as MySQL queries, memcached requests, MongoDB traffic, ...) as your application is sending and receiving it.

22 Apr 2014 6:00pm GMT

Xavier Mertens: Heartbleed Impact in Belgium?

"Heartbleed"… Probably one of the top queries typed in search engines for a few weeks! Of course, I followed the story but I did not blog (yet) about it until today. Why repeat again and again what has been said? Some bloggers and analysts wrote very good overviews about this modern nightmare.

The bug was even covered as breaking news by the media. Some of them, as usual, reported such stupid stuff! No, Heartbleed is not a virus! Blaming the media is easy, but the lack of knowledge also hit pure IT people. I found this quote particularly scary:

CEO VS Heartbleed

I did not expect CIOs to be able to describe the bug itself, it's not their job. But in 2014, thinking that an antivirus solution protects you against anything is a fail! OpenSSL being used as a key library in so many products and solutions (free as well as commercial), almost everybody was unprotected. I was too! Patch, change passwords, revoke and create new certificates: the procedure has been known for a while and IT departments had hard days patching everything. A few weeks after the release of an OpenSSL patch (it was released on the 7th of April), it was time to ask myself if the bug is still alive, at least in Belgium. This weekend, I searched for vulnerable systems across the Belgian IP space. I focused on HTTPS but keep in mind that the bug may affect many more services! Here are the results:

Those are only IPv4 addresses but, many systems being dual-stacked, scanning IPv6 ranges won't make a big difference in this case IMHO. I won't disclose the list of vulnerable hosts here. The nmap NSE script was used and no real data gathering was performed of course! Some statistics look interesting:

My feeling is strange… The Heartbleed bug is a huge one which may have big impacts; however, residential users and small companies can't be blamed for remaining unprotected, as security is not their core business. But is it a valid reason to not take corrective actions and leave them as is? The biggest Belgian ISPs have many customers infected. They could maybe use their helpdesk force and run some outgoing call campaigns? For all the others, check if you are still vulnerable and… patch again and again! If you have some doubts, ask your service provider or IT consultant!

22 Apr 2014 3:00pm GMT

Lionel Dricot: Elections, get your programme!

Elections are approaching and online tests are springing up everywhere, telling you that you are 65% in favour of one party or 43% in favour of another. In the media, candidates revel in their own programme and criticise everyone else's.

One more manipulation to chalk up to the elections. Because nothing is more useless, more absurd, more hypocritical than a political programme.

The mathematical impossibility

In Belgium, proportional representation makes carrying out a political programme strictly impossible. The elected majority will in every case be made up of several parties, which will inevitably have incompatible programme items.

For a party to have the slightest chance of carrying out its programme, it would have to win an absolute majority. When I was a candidate for the Pirate Party, people in the street often asked me for our programme. I would answer: "In the best case, we will have one elected representative. Do you really want me to promise you just anything? It commits me to nothing; I know that whatever happens, I will not be able to fulfil it."

An idealised fantasy

One might think this only concerns Belgium. But France shows us that even a majority voting system does not allow a programme to be carried out. Having come to power after an intense campaign, the politician is suddenly confronted with reality. Even if the newly elected official was honest and sincerely believed in his programme (let us give him the benefit of the doubt), he is now forced to manage day-to-day emergencies and internal conflicts, to react to the emotion of unforeseen events, and to rethink from top to bottom what he believed was a perfect and immutable programme.

Imagine going to a job interview in which you have to promise to achieve certain things over 4 or 5 years! If you are hired after that interview, nobody can fire you; you have the job. It goes without saying that promising anything at all 4 or 5 years out is completely unrealistic. But hey, if it gets you the job…

A historical absurdity

In the entire history of modern democracy, no elected official has ever carried out the whole of their programme. Admittedly, many boast of having carried out part of it. But political programmes have become so vast and complex that it is statistically almost impossible not to carry out any of it at all.

That is also an answer I regularly give when people bring up the Pirate Party's lack of a programme: "Quote me the programme of the party you voted for in the last elections!" Deep down, nobody really reads political programmes. Besides, most of the public does not know exactly what is at stake. I heard talk of immigration and employment during the municipal elections. I hear talk of pavement renovation in this European election.

A campaign tool

Sometimes I am told that the purpose of a programme is to illustrate a party's values. Or to convince voters. But, as I said, nobody reads programmes. Except… the candidates of the other parties. Programmes therefore serve to keep the news cycle going and to feed the media. Party X announces a measure that will cost so many million euros. But party Z has put specialists on the case who have estimated that the impact would in fact be double or triple. Big debates on television. For nothing.

Because nobody is fooled. Even the most enthusiastic viewer knows very well that such a measure can never be put in place, that it has no chance of seeing the light of day before decades have passed and substantial adjustments have been made. And that, in the end, nobody will be able to estimate the real cost, even after the fact. In short, programmes are nothing but extraordinary wind machines.

We need flexibility

In the professional world, people are beginning to understand that making forecasts and five-year plans no longer makes sense. You have to be able to adapt quickly and well. Methods such as "Lean Startup" emphasise this permanent concern with adapting, moving forward in iterations and confronting one's beliefs, one's ideology, with reality.

And in the political world? Only two legislatures ago, Facebook and YouTube did not even exist, and you probably still had a cathode-ray tube screen on your desk and in your living room. At the last European elections, there is a good chance you did not yet know what a smartphone was. In your car you had a GPS the size of a fist that had cost you the price of a current high-end smartphone. Driverless cars belonged to pure science fiction. Today, people wonder about the date they will go on sale and their impact on society. Yes, we are living in the future.

These very rapid changes have a profound impact on our society. When it comes to accepting these changes and adapting to them, politicians generally prove to be the least capable section of the population. The recent examples in Brussels are the perfect illustration of this.

And you would like these same politicians to make 5-year forecasts in a world where even Google's futurologists refuse to predict the next 6 months? Do you really want the people who do not adapt to the present to churn out a precise political programme from which there would be no deviation for the next five years?

At this point, it is no longer the politicians who should be criticised but the voters. As long as voters demand "programmes" and "promises" in exchange for their vote, we will only have in power the most self-satisfied, the most hypocritical politicians, those most capable of saying with aplomb "I promise you I will do this for the next 5 years; besides, my last 5 years were a success!"

Perhaps there is sometimes a candidate who says "I do not know what the future holds. Society is in perpetual evolution; we should not try to freeze it. Let us simply try to find a process for living together, a process that itself evolves. Even if that means fundamentally changing our habits."

But that candidate never gets any votes. Because, every time, the reply is: "Yes, well, all right. But what's your programme?"

Photo by Kygp.

Thank you for taking the time to read this text. This blog is paid, but you are free to choose the price. You can support the writing of these posts via Flattr, Patreon, IBAN transfers, Paypal or bitcoins. But the nicest way to thank me is simply to share this text around you or to help me find new challenges in 2014.

22 Apr 2014 2:00pm GMT

Frank Goossens: Music from Our Tube; “In the Dirt” by S. Carey

I've had "In the Dirt" in my YouTube favorites for some time, but forgot about it until I heard it at the end of an episode of "The Good Wife".

Sean Carey is the drummer and supporting vocalist of Bon Iver, which puts this song right into context. The almost harsh percussive force and sometimes weird rhythms contrast beautifully with the piano and the layered voices. And there's some warm woodwind & viola in to even things out.

22 Apr 2014 4:47am GMT

21 Apr 2014

Xavier Mertens: DahuCon Wrap-Up or … Perhaps Not?

I spent the end of the week "somewhere" in Switzerland to attend a nice security event called "DahuCon" or perhaps not! Who knows! The event was organized by two Swiss guys. They successfully attracted 50 security professionals to a very nice place. Attendees came from Switzerland, France, Germany, Austria and… Belgium of course! (only with a personal invitation) The challenge was not to bring them all together in a lost place but in a place without any network coverage! A very weak mobile signal which made all data connections almost impossible (and forget the 3G!). Honestly, everybody survived!

The particularity of DahuCon was to be based on the "Chatham House Rule". This means that, in an event held under this rule, anyone who comes to the meeting is free to quote what has been said (except if explicitly requested to not disclose it), but is not allowed to say who. The goal is to make the event more open to discussions.

If there is a domain in which information disclosure can be very touchy, it is information security! So, speakers were free to discuss their favourite topic, no guideline was given except to be "imaginative" and it was! Some topics covered:

Thanks to the Chatham House Rule and the "anonymity" of speakers, it was an opportunity to see some talks going much deeper than in regular conferences. Some of them revealing very interesting information!

I would like to thank the organizers for inviting me. It was a pleasure and I hope to be invited to a second edition with the same format. It was really a challenge to organize this and you did it!

21 Apr 2014 7:20pm GMT

19 Apr 2014

Paul Cobbaut: Vagrant: Creating 10 vm's with 6 disks each

Hello lazyweb,

the Vagrantfile below works fine, but can probably be written simpler. I've been struggling to create variables like "servers=10" and "disks=6" to automate creation of 10 servers with 6 disks each.

Drop me a hint if you feel like creating those two loops.


paul@retinad:~/vagrant$ cat Vagrantfile
hosts = [ { name: 'server1', disk1: './server1disk1.vdi', disk2: 'server1disk2.vdi' },
          { name: 'server2', disk1: './server2disk1.vdi', disk2: 'server2disk2.vdi' },
          { name: 'server3', disk1: './server3disk1.vdi', disk2: 'server3disk2.vdi' }]

Vagrant.configure("2") do |config|

  config.vm.provider :virtualbox do |vb|
    vb.customize ["storagectl", :id, "--add", "sata", "--name", "SATA" , "--portcount", 2, "--hostiocache", "on"]
  end

  hosts.each do |host|

    config.vm.define host[:name] do |node|
      node.vm.hostname = host[:name]
      node.vm.box = "chef/centos-6.5"
      node.vm.network :public_network
      node.vm.synced_folder "/srv/data", "/data"
      node.vm.provider :virtualbox do |vb|
        vb.name = host[:name]
        vb.customize ['createhd', '--filename', host[:disk1], '--size', 2 * 1024]
        vb.customize ['createhd', '--filename', host[:disk2], '--size', 2 * 1024]
        vb.customize ['storageattach', :id, '--storagectl', "SATA", '--port', 1, '--device', 0, '--type', 'hdd', '--medium', host[:disk1] ]
        vb.customize ['storageattach', :id, '--storagectl', "SATA", '--port', 2, '--device', 0, '--type', 'hdd', '--medium', host[:disk2] ]
      end
    end

  end

end

19 Apr 2014 10:02am GMT

18 Apr 2014

Frederic Hornain: 2014 Red Hat Summit: Open Playground

;)

/f


18 Apr 2014 10:16am GMT

Mark Van den Borre: Regulationitis

Anyone who lets a tourist stay overnight risks a fine

What we over-regulate ourselves, we over-regulate better!

18 Apr 2014 7:49am GMT

17 Apr 2014

Wim Coekaerts: Oracle E-Business Suite R12 Pre-Install RPM available for Oracle Linux 5 and 6

One of the things we have been focusing on with Oracle Linux for quite some time now, is making it easy to install and deploy Oracle products on top of it without having to worry about which RPMs to install and what the basic OS configuration needs to be.

A minimal Oracle Linux install contains a really small set of RPMs but typically not enough for a product to install on and a full/complete install contains way more packages than you need. While a full install is convenient, it also means that the likelihood of having to install an errata for a package is higher and as such the cost of patching and updating/maintaining systems increases.

In an effort to make it as easy as possible, we have created a number of pre-install RPM packages which don't really contain actual programs but they're more or less dummy packages and a few configuration scripts. They are built around the concept that you have a minimal OL installation (configured to point to a yum repository) and all the RPMs/packages which the specific Oracle product requires to install cleanly and pass the pre-requisites will be dependencies for the pre-install script.

When you install the pre-install RPM, yum will calculate the dependencies, figure out which additional RPMs are needed beyond what's installed, download them and install them. The configuration scripts in the RPM will also set up a number of sysctl options, create the default user, etc. After installation of this pre-install RPM, you can confidently start the Oracle product installer.

We have released a pre-install RPM in the past for the Oracle Database (11g, 12c,..) and Oracle Enterprise Manager 12c agent. And we now also released a similar RPM for E-Business R12.

This RPM is available on both ULN and public-yum in the addons channel.

17 Apr 2014 11:44pm GMT

Frank Goossens: Some HTML DOM parsing gotchas in PHP’s DOMDocument

Although I had used Simple HTML DOM parser for WP DoNotTrack, I've been looking into native PHP HTML DOM parsing as a possible replacement for regular expressions for Autoptimize as proposed by Arturo. I won't go into the performance comparison results just yet, but here's some of the things I learned while experimenting with DOMDocument which in turn might help innocent passers-by of this blogpost.

// loadHTML from string, suppressing errors
$dom = new DOMDocument();
@$dom->loadHTML($html);

// get all script-nodes
$_scripts=$dom->getElementsByTagName("script");

// move the result from a DOMNodeList to an array
$scripts = array();
foreach ($_scripts as $script) {
   $scripts[]=$script;
}

// iterate over array and remove script-tags from DOM
foreach ($scripts as $script) {
   $script->parentNode->removeChild($script);
}

// write DOM back to the HTML-string
$html = $dom->saveHTML();

Now chop chop, back to my code to finish that performance comparison. Who knows what else we'll learn ;-)

17 Apr 2014 5:05pm GMT

16 Apr 2014

Wouter Verhelst: Call for help for DVswitch maintenance

I've taken over "maintaining" DVswitch from Ben Hutchings a few years ago, since Ben realized he didn't have the time anymore to work on it well.

After a number of years, I have to admit that I haven't done a very good job. Not because I didn't want to work on it, but mainly because I don't have enough time to fix DVswitch against the numerous moving targets that it uses; the APIs of libav and of liblivemedia are fluent enough that just making sure everything remains compilable and in working order is quite a job.

DVswitch is used by many people; DebConf, FOSDEM, and the CCC are just a few examples, but I know of at least three more.

Most of these (apart from DebConf and FOSDEM) maintain local patches which I've been wanting to merge into the upstream version of dvswitch. However, my time is limited, and over the past few years I've not been able to get dvswitch into a state where I confidently felt I could upload it into Debian unstable for a release. One step we took in order to get that closer was to remove the liblivemedia dependency (which implied removing the support for RTSP sources). Unfortunately, the resulting situation wasn't good enough yet, since libav had changed API enough that current versions of DVswitch compiled against current versions of libav will segfault if you try to do anything useful.

I must admit to myself that I don't have the time and/or skill set to maintain DVswitch on an acceptable level all by myself. So, this is a call for help:

If you're using DVswitch for your conference and want to continue doing so, please talk to us. The first things we'll need to do:

See you there?

16 Apr 2014 4:24pm GMT

15 Apr 2014

Luc Stroobant: Telenet IPv6 pfSense configuration

After years of fiddling with commercial wifi routers that break every 2-3 years, I finally invested in a Soekris board for a much more powerful pfSense in the basement. Another interesting point about pfSense is that IPv6 is well supported.

What you need to enable to make this work with Telenet isn't obvious at first sight, so here's a short overview for anyone who wants to find it in a single search. :)

On freshly installed pfSense setups the "Allow IPv6" option is enabled by default. If you have a setup that has been around for a while, you still need to enable it under System: Advanced: Networking.

On the WAN interface, under "DHCP6 client configuration", set "DHCPv6 Prefix Delegation size" to /56, the size of the prefix you get from Telenet. The rest of the options can stay off.
On the LAN interface, set "IPv6 Configuration Type" to "Track interface" and then, a bit lower, under "Track ipv6 interface", select the WAN interface. That's all... You should now get IPv6 addresses on your pfSense interfaces and on the clients behind the pfSense.

By default all inbound traffic is blocked; if you want to let ping through, change the default rule for inbound IPv4 ICMP on the WAN interface to IPv4+6.

NB: this has been tested and works with a plain modem, not a home-gateway-Telenet-managed-wifi-router thing. Experiences on whether it also works with one of those are always welcome in the comments.

15 Apr 2014 6:28pm GMT

Lionel Dricot: Lily & Lily in Ottignies

Amid the rhinestones and sequins of 1930s Hollywood, fading star Lily Da Costa fills glasses and the columns of the scandal sheets more often than cinemas and film sets. Sam, the good-natured impresario overwhelmed by all her whims, no longer knows which way to turn. Between a gigolo husband, an escaped convict and dishonest servants, along comes, unannounced, Déborah, Lily's twin sister, full of good intentions. But isn't the road to hell paved with good intentions?

Want to know what happens next? Then I invite you to come and see one of the performances of Lily & Lily by the Comédiens du Petit-Ry at the Saint-Pie X primary school in Ottignies-Louvain-la-Neuve:

Tickets cost €10 and reservations can be made at reservationscomry@gmail.com.

Besides the laughter, the slamming doors, the lovers under beds and in wardrobes, Lily & Lily is also an occasion to celebrate the troupe's 30 years of existence and the 25 years of participation of Laure Destercke, who will of course play Lily.

The troupe, in the middle of rehearsal

On a more personal note, Lily & Lily is my first participation in the troupe. While reading the script, I was also surprised to discover that the play was staged in 1985 with Jacqueline Maillan and… Francis Lemaire, my uncle, who passed away a year ago already. So it is with a touch of emotion and a certain pride that I will take to the stage thinking of him.

All of that makes for plenty of occasions to laugh and celebrate. So grab your diary, pick a date, pass the events along, invite your friends and, like Lily Da Costa, come and knock back a drink with us during the interval! With the Comédiens du Petit-Ry, the atmosphere is as much in the audience as on stage!

Looking forward to seeing you in the audience one of these evenings…

15 Apr 2014 12:04pm GMT

14 Apr 2014

Xavier Mertens: xip.py: Executing Commands per IP Address

During a penetration test, I had to execute specific commands against some IP networks. Those networks were represented under the CIDR form (network/subnet). Being a lazy guy, I spent some time to write a small Python script to solve this problem. The idea was based on the "xargs" UNIX command which is used to build complex command lines. From the xargs man page:

"xargs reads items from the standard input, delimited by blanks (which can be protected with double or single quotes or a backslash) or newlines, and executes the command (default is /bin/echo) one or more times with any initial-arguments followed by items read from standard input. Blank lines on the standard input are ignored."

I called the tool logically "xip.py" as it allows you to execute a provided command for each IP address from a subnet or a range. The syntax is simple:

$ ./xip.py -h
Usage: xip.py [options]

Options:
 --version             show program's version number and exit
 -h, --help            show this help message and exit
 -i IPADDRESSES, --ip-addresses=IPADDRESSES
                       IP Addresses subnets to expand
 -c COMMAND, --command=COMMAND
                       Command to execute for each IP ("{}" will be replaced by the IP)
 -o OUTPUT, --output=OUTPUT
                       Send commands output to a file
 -s, --split           Split outfile files per IP address
 -d, --debug           Debug output

The IP addresses can be added in two formats: x.x.x.x/x or x.x.x.x-x. Multiple subnets can be delimited by commas and subnets starting with a "-" will be excluded. Examples:

$ ./xip.py -i 10.0.0.0/29,10.10.0.0/29,-10.0.0.1-4 -c "echo {}"

This command will return:

10.0.0.0
10.0.0.5
10.0.0.6
10.0.0.7
10.10.0.0
10.10.0.1
10.10.0.2
10.10.0.3
10.10.0.4
10.10.0.5
10.10.0.6
10.10.0.7

Like the "find" UNIX command, "{}" are replaced by the IP address (multiple {} pairs can be used). With the "-o <file>" option, the command output will be stored to the file (stderr & stdout). You can split the output across multiple files using the switch "-s". In this case, <file> will end with the IP address.

This is a quick and dirty tool which helped me a lot. I already have some ideas to improve it, if I've time… The script is available on my github repository.

14 Apr 2014 6:50pm GMT