Planet Debian

Planet Debian - https://planet.debian.org/

François Marier: Time-stretch in Kodi

2 August, 2021 - 01:47

VLC has a really neat feature which consists of time-stretching audio to allow users to speed up or slow video playback with the [ and ] keys without affecting the pitch of the sound. I recently switched to Kodi as my video player of choice and I was looking for the equivalent feature.

Kodi equivalent

To enable this feature in Kodi, you first need to enable Sync playback to display in Settings | Player | Videos.

Then map the tempoup and tempodown commands to the same keyboard shortcuts as VLC.

In my case however, I wanted to map these functions to buttons on my Streamzap remote and so I put the following in my ~/.kodi/userdata/keymaps/remote.xml:

  <FullscreenVideo>
    <remote>
      <pageminus>PlayerControl(tempodown)</pageminus>
      <pageplus>PlayerControl(tempoup)</pageplus>
    </remote>
  </FullscreenVideo>

which allows me to press the Ch + and Ch - buttons on the remote to adjust the speed while the video is playing (in full-screen mode only, not with the menu displayed).

Examples

Here are three ways I use this functionality:

  • I set it to 0.9x for movies in languages I'm not totally proficient in.
  • I set it to 1.1x for almost everything since the difference is not especially perceptible, but it still allows me to watch 10% more movies in the same amount of time.
  • I set it to 1.2x for Rick & Morty because it makes Rick even more hilariously reckless and impatient.

Unfortunately, I haven't found a way to set the default tempo value. The closest setting I could find is the one which allows you to set the maximum tempo value maxtempo. If you know of a way, please leave a comment!

Russ Allbery: Review: Fugitive Telemetry

1 August, 2021 - 11:26

Review: Fugitive Telemetry, by Martha Wells

Series: Murderbot Diaries #6
Publisher: Tordotcom
Copyright: April 2021
ISBN: 1-250-76538-2
Format: Kindle
Pages: 167

Fugitive Telemetry is the fifth Murderbot novella. It is not a sequel to the (as yet) lone novel, Network Effect. Instead, it takes place between Exit Strategy and Network Effect, filling in more of the backstory of the novel. You should not read it before Exit Strategy, but I believe it and Network Effect could be read in any order.

A human has been murdered on Preservation Station. That is not a thing that happens on Preservation Station, which is normally a peaceful place whose crime is limited to intoxication-related stupidity. Murderbot's first worry, and the first worry of his humans, is that this may be one of their enemies getting into position to target them. That risk at least makes the murder worth investigating, rather than leaving it solely to Station Security.

The problem from Murderbot's perspective is that there is an effective and efficient way of doing such an investigation, which starts with hacking into the security systems to get necessary investigative data and may end with the silent disposal of dead bodies of enemy agents. But this is Preservation Station, not the Corporation Rim, and Murderbot agreed to not do things like casually compromise all the station security systems or murder people who are security threats.

There was a big huge deal about it, and Security was all "but what if it take over the station's systems and kills everybody" and Pin-Lee told them "if it wanted to do that it would have done it by now," which in hindsight was probably not the best response.

Worse, Murderbot's human wants it to work collaboratively with Station Security. That is a challenge, given that Security has a lot of reasons not to trust SecUnits, and Murderbot has a lot of reasons not to trust a security organization (not to mention considers them largely incompetent). Also, the surveillance systems are totally inadequate compared to the Corporation Rim for various financial and civil rights reasons that are doubtless wonderful except in situations where someone has been murdered. But hopefully the humans won't get in the way too much.

This is one of those books (well, novellas) that I finished a while back but then stalled out on reviewing. I think that's because I don't have that much to say about it. Network Effect pushed the world-building and Murderbot's personal storyline forward significantly, but Fugitive Telemetry doesn't pick up those threads. Instead, this is another novella in much the same vein as the first four. If you, like me, are eager to see where Wells takes the story after the events of the novel, this is somewhat disappointing. But if you enjoyed the novellas, this is more of what you enjoyed: snarky comments about humanity, competence porn, Murderbot getting pulled into problems somewhat against its will and then trying to sort them out, and the occasional touching moment of emotional connection that Murderbot escapes from as quickly as possible.

It's quite enjoyable, helped considerably by Wells's wise choice to not make the supporting human characters idiots. Collaboration is not Murderbot's strength; it is certain the investigation will be an endless series of frustrations and annoyances given the level of suspicion Station Security starts with. But some humans (and some SecUnits) are capable of re-evaluating their conclusions when given new evidence, and watching that happen is part of the fun of this novella.

What this novella is missing is the overarching plot structure of the rest of the series, since where this story sits chronologically doesn't leave much room for advancing or even deepening the plot arc. It therefore feels incidental: delightful while I was reading it, probably missable if you have to, and not something I spent time thinking about after I finished it.

If you liked the Murderbot novellas up until now, you will want to read this one. If you haven't started the series yet, this is not a place to start. If you want something more like the Network Effect novel, or a story where Murderbot makes significant decisions about its future, the wait continues.

Rating: 8 out of 10

Paul Wise: FLOSS Activities July 2021

1 August, 2021 - 08:54
Focus

This month I didn't have any particular focus. I just worked on issues in my info bubble.

Changes
Issues
Review
Administration
  • libusbgx/gt: triage issues
  • Debian packages: triaged bugs for reintroduced packages
  • Debian servers: debug lists mail issue, debug lists subscription issue
  • Debian wiki: unblock IP addresses, approve accounts
Communication
  • Respond to queries from Debian users and contributors on the mailing lists and IRC
Sponsors

The microsoft-authentication-library-for-python and purple-discord work was sponsored by my employer. All other work was done on a volunteer basis.

Junichi Uekawa: August comes.

1 August, 2021 - 08:29
August comes. Kids are on summer staycation. This is not sustainable.

Steinar H. Gunderson: How to optimize anything

1 August, 2021 - 06:00

Speeding up software, in four simple, universal steps:

  1. Make a benchmark.
  2. Run a profiler over that benchmark.
  3. Try something reasonable (based on #2) to speed up the benchmark.
  4. If the benchmark gets faster, clean the code up and commit.

Repeat steps 2–4 until the code is fast enough.

Of course, most people stumble in step 1 (e.g. by making a benchmark that is non-representative, like PHP 8's infamous JIT that helped 3x on the benchmark, but at most 3–5% on real code). And step 3 is naturally where all the magic happens. The cheapest wins often come out of a surprising profile, and the best wins often come from taking a step up and optimizing at a higher level. The most satisfying ideas are those that simplify code, so that you end up with just running less stuff and having things look more natural. (The worst ideas come when you skip step 2, because you end up optimizing what you think takes time, which is rarely the stuff that actually does.)

The “something reasonable” part is mandatory, or you are likely to just measure incidental effects. ryg lays down the law.

Chris Lamb: Free software activities in July 2021

31 July, 2021 - 23:08

Here is my monthly update covering what I have been doing in the free software world during July 2021 (previous month):


SPI is a non-profit corporation that acts as a fiscal sponsor for organisations that develop open source software and hardware.

As part of my role of being the assistant Secretary of the Open Source Initiative and a board director of Software in the Public Interest I attended their respective monthly meetings. As outlined in last month's posts, however, my term on the OSI board has been slightly extended due to the discovery of a vulnerability in OSI's recent election — as a result, the 2021 election is currently being re-run.

§

Reproducible Builds

One of the original promises of open source software is that distributed peer review and transparency of process results in enhanced end-user security. However, whilst anyone may inspect the source code of free and open source software for malicious flaws, almost all software today is distributed as pre-compiled binaries. This allows nefarious third parties to compromise systems by injecting malicious code into ostensibly secure software during the various compilation and distribution processes. The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.

This month, I:

  • Updated the Lintian static analysis tool to check for Python tracebacks in manual pages, usually caused by failing help2man calls and the cause of avoidable reproducibility issues. (#984778 filed against the heudiconv package is a good example of the problem.) [...]


diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues.

I also made the following changes to diffoscope, including preparing and uploading versions 178 and 179 to PyPI and Debian:

  • Ensure that various LLVM tools are installed, even when testing whether a MacOS binary has no differences compared to itself. (#270)
  • Rewrite how we calculate the 'fuzzy hash' of a file to make the control flow cleaner. [...][...]
  • Don't traceback when encountering a broken symlink within a directory. (#269)
  • Update some copyright years. [...]

§


Debian
Bugs filed
Uploads
  • redis:

    • 6.0.15-1 — New upstream security release.
    • 6.2.5-1 (to Debian experimental) — New upstream security release.
  • python-django:

    • 3.2.5-1 (to Debian experimental) — New upstream security release.
    • 3.2.5-2 (to Debian experimental) — Don't symlink /usr/bin/django-admin to django-admin.py. Instead, ship the script generated by the Python entry_points system, otherwise we introduce a confusing django-admin.py-related deprecation message when using django-admin (ie. without the .py extension). (#991098)
  • mtools:

    • 4.0.32-1 — New upstream release.
    • 4.0.33-1 — New upstream release.
    • 4.0.33-1+really4.0.32-1 — Revert to version 4.0.32-1 due to regressions on ARM systems affecting the Debian Installer. (#991403)

§

Debian LTS

This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.

You can find out more about the project via the following video:

Jamie McClelland: Fixing old PHP code

31 July, 2021 - 22:11

I wrote a control panel in 2005 using PHP, without any framework. Who could have guessed it would still be in production now?

We’ve recently decided to put off replacing it for a few years, so I have to fix all the deprecation warnings, which are almost all due to:

while(list($k, $v) = each($array)) {

At some point, early in my PHP coding life, someone told me foreach($array as $k => $v) { was bad. I don’t even remember why. But it stuck, so my code is littered with the while/list/each approach. If I ever wrote malware in PHP you could definitely fingerprint me with this one.

I’m working on some sed magic to fix them, starting with:

find . -name '*.php' -exec sed -E -i 's#while\(list\((\$[a-z_]*), ?(\$[a-z_]*)\) = each\((\$[a-z_>-]+)\)\) \{#foreach(\3 as \1 => \2) {#g' '{}' \;

But… it misses this variation:

while(list(, $v) = each($array)) {

So I also ran:

find . -name '*.php' -exec sed -E -i 's#while\(list\(,(\$[a-z_]*)\) = each\((\$[a-z_>-]+)\)\) \{#foreach(\2 as \1) {#g' '{}' \;

I ended up with 10 replacements I had to do by hand (while(list($k) = each($array)) and a few others with unusual spacing).
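As an added example (not the post's own code), the two sed substitutions above combined into one stdin-to-stdout filter, extended to variable names with upper-case letters and digits and to the key-only while(list($k) = each(...)) form, plus a grep that lists the each() calls the rules did not catch so they can be reviewed by hand. The three rewrite rules and the sample input are constructed here; the find/-i invocation from the post is left out so the filter is portable across GNU and BSD sed.

```shell
#!/bin/sh
# Added example (not from the original post): rewrite while/list/each loops
# to foreach. The rules extend the post's two sed expressions with a third
# one for the key-only form and accept upper-case/digit variable names.
#
# Rule 1: while(list($k, $v) = each($arr)) {  ->  foreach($arr as $k => $v) {
# Rule 2: while(list(, $v) = each($arr)) {    ->  foreach($arr as $v) {
# Rule 3: while(list($k) = each($arr)) {      ->  foreach(array_keys($arr) as $k) {
convert_each_loops() {
  sed -E \
    -e 's#while\(list\((\$[A-Za-z_][A-Za-z0-9_]*), ?(\$[A-Za-z_][A-Za-z0-9_]*)\) = each\((\$[A-Za-z0-9_>-]+)\)\) \{#foreach(\3 as \1 => \2) {#g' \
    -e 's#while\(list\(, ?(\$[A-Za-z_][A-Za-z0-9_]*)\) = each\((\$[A-Za-z0-9_>-]+)\)\) \{#foreach(\2 as \1) {#g' \
    -e 's#while\(list\((\$[A-Za-z_][A-Za-z0-9_]*)\) = each\((\$[A-Za-z0-9_>-]+)\)\) \{#foreach(array_keys(\2) as \1) {#g'
}

# remaining_each_calls [FILE...]: print line-numbered each() calls that are
# still present after conversion (foreach( is excluded), i.e. the leftovers
# that need a manual edit. Reads stdin when no file is given.
remaining_each_calls() {
  grep -nE '(^|[^A-Za-z0-9_])each\(' "$@"
}

# Constructed sample input: the three rewritten forms plus one line with
# unusual spacing ("while (") that the rules deliberately leave alone.
sample='while(list($k, $v) = each($array)) {
while(list(, $v) = each($this->rows)) {
while(list($k) = each($array)) {
while (list($k, $v) = each($array)) {'

converted=$(printf '%s\n' "$sample" | convert_each_loops)
printf '%s\n' "$converted"
echo '--- left for manual review:'
printf '%s\n' "$converted" | remaining_each_calls || echo '(none)'
```

The rewrite is not always behaviour-preserving: each() continues from the array's internal pointer, so a loop that ran after an earlier each()/next() without reset() consumed only the remainder, whereas foreach always starts from the first element.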

Russell Coker: Links July 2021

31 July, 2021 - 20:16

The News Tribune published an article in 2004 about the “Dove of Oneness”, a mentally ill woman who got thousands of people to believe her crazy ideas about NESARA [1]. In recent times the QANON conspiracy theory has drawn on the NESARA cult and encouraged its believers to borrow money and spend it in the belief that all debts will be forgiven (something which was not part of NESARA). The Wikipedia page about NESARA (proposed US legislation that was never considered by the US congress) notes that the second edition of the book about it was titled “Draining the Swamp: The NESARA Story – Monetary and Fiscal Policy Reform“. It seems like the Trump cult has been following that for a long time.

David Brin (best-selling SciFi Author and NASA consultant) wrote an insightful blog post about the “Tytler Calumny” [2], which is the false claim that democracy inevitably fails because poor people vote themselves money. When really the failure is of corrupt rich people subverting the government processes to enrich themselves at the expense of their country. It’s worth reading, and his entire blog is also worth reading.

Cory Doctorow has an insightful article about his own battle with tobacco addiction and the methods that tobacco companies and other horrible organisations use to prevent honest discussion about legislation [3].

Cory Doctorow has an insightful article about “consent theater” which describes how “consent” in most agreements between corporations and people is a fraud [4]. The new GDPR sounds good.

The forum for the War Thunder game had a discussion on the accuracy of the Challenger 2 tank which ended up with a man who claims to be a UK tank commander posting part of a classified repair manual [5]. That’s pretty amusing, and also good advertising for War Thunder. After reading about this I discovered that it’s free on Steam and runs on Linux! Unfortunately it whinged about my video drivers and refused to run.

Cory Doctorow has an insightful and well researched article about the way the housing market works in the US [6]. For house prices to increase, conditions for renters need to get worse; that may work for home owners in the short term, but in the long term their children and grandchildren will end up renting.


Russ Allbery: Summer haul

31 July, 2021 - 12:37

July ended up being a very busy month for me catching up on all sorts of things that I'd been putting off for too long, so posts have been a bit scarce recently. So have book reviews; I'm hoping to sneak one in before the end of the month tomorrow, and have a small backlog.

But for tonight, here's another list of random books, mostly new releases, that caught my eye.

Katherine Addison — The Witness for the Dead (sff)
Olivia Atwater — Half a Soul (sff)
Lloyd Biggle, Jr. — The Still, Small Voice of Trumpets (sff)
Judson Brewer — Unwinding Anxiety (nonfiction)
Eliot Brown & Maureen Farrell — The Cult of We (nonfiction)
Becky Chambers — A Psalm for the Wild-Built (sff)
Susanna Clarke — Piranesi (sff)
Eve L. Ewing — Ghosts in the Schoolyard (nonfiction)
Michael Lewis — The Premonition (nonfiction)
Courtney Milan — The Duke Who Didn't (romance)
Kit Rocha — Deal with the Devil (sff)
Tasha Suri — The Jasmine Throne (sff)
Catherynne M. Valente — The Past is Red (sff)

Quite a variety of things recently. Of course, I'm currently stalled on a book I'm not enjoying very much (but want to finish anyway since I like reviewing all award nominees).

Dirk Eddelbuettel: RcppAnnoy 0.0.19 on CRAN: Maintenance

31 July, 2021 - 09:17

A minor maintenance release, now at version 0.0.19, of RcppAnnoy is now on CRAN. RcppAnnoy is the Rcpp-based R integration of the nifty Annoy library by Erik Bernhardsson. Annoy is a small and lightweight C++ template header library for very fast approximate nearest neighbours—originally developed to drive the famous Spotify music discovery algorithm.

This release only contains internal packaging changes. Nothing changes upstream, or in package functionality. Detailed changes follow.

Changes in version 0.0.19 (2021-07-30)
  • Minor tweaks to default CI setup and DESCRIPTION file

Courtesy of my CRANberries, there is also a diffstat report for this release.

If you like this or other open-source work I do, you can sponsor me at GitHub.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

Patryk Cisek: How does Google Authenticator work? (Part 1)

31 July, 2021 - 02:20
When you’re accessing services over the web – let’s pick GMail as an example – a couple of things have to happen upfront:

  1. The server you’re connecting to (GMail in our example) has to get to know who you are.
  2. Only after getting to know who you are is it able to decide what resources you are allowed to access (e.g. your own email inbox, your Calendar, Drive etc.).

Step 1 above is called authentication.

Jonathan Dowland: Accounting: pooling income

30 July, 2021 - 22:44

I wrote about budgeting nine years ago and I've been a little reluctant to write about it again: by far, it's the blog post that has attracted the most requests from people asking me to link to their blog, site, or service.

I wasn't good at budgeting then and I'm still not good at it now, although I have learned a few things in the intervening time. Those things more properly relate to accounting than budgeting (so there's the first thing: I learned the difference!). I wanted to write about some of the things I've learned since then, starting with our family's approach to pooling income.

Pooling

From talking to friends about how they manage stuff, this doesn't seem to be a common approach. We pay all our income into a shared account. We agree on an amount of "play money" that we can individually spend on whatever we like, and we pay that amount to ourselves from the shared account every month. Crucially, the amount we pick is the same for each of us, irrespective of our relative incomes. All of our shared family expenses come out of the shared account.

Some of my friends, especially (exclusively) the bread-winners, find this a bit alarming. One of the things I like about it is that whichever partner earns less than the other is not disadvantaged in terms of their discretionary spending. When my wife earned less than me, and I believe structural sexism was a contributing factor to that, that impacted us both equally. When my wife was not earning a salary at all, but was doing the lion's share of bringing up our children, she has the same discretionary spend as I do. Apart from the equity of it, there's a whole class of gripes and grumbles that some of my friends have about their partner's spending habits or money management that we completely avoid.

Anton Gladky: 2021/07, FLOSS activity

30 July, 2021 - 21:00
LTS

This is my fifth month of working for LTS. I was assigned 12 hrs and worked all of them.

Released DLAs
  1. DLA 2705-1 scilab_5.5.2-4+deb9u1

    • CVE-2021-31598: Out-of-bounds write in ezxml_decode() leading to heap corruption
    • CVE-2021-31347, CVE-2021-31348: incorrect memory handling in ezxml_parse_str() leading to out-of-bounds read
    • CVE-2021-31229: Out-of-bounds write in ezxml_internal_dtd() leading to out-of-bounds write of a one byte constant
    • CVE-2021-30485: incorrect memory handling, leading to a NULL pointer dereference in ezxml_internal_dtd()

    With this upload, not all open CVEs were closed in this package, because some of them have not yet been fixed upstream. I added links to the upstream bug reports for the following CVEs to data/CVE/list in the security tracker: CVE-2021-31598, CVE-2021-31348, CVE-2021-31347, CVE-2021-31229, CVE-2021-30485, CVE-2021-26222, CVE-2021-26221, CVE-2021-26220, CVE-2019-20202, CVE-2019-20201, CVE-2019-20200, CVE-2019-20199, CVE-2019-20198, CVE-2019-20007, CVE-2019-20006, CVE-2019-20005.

  2. DLA 2707-1 sogo_3.2.6-2+deb9u1

    • CVE-2021-33054: SOGo does not validate the signatures of any SAML assertions it receives. Any actor with network access to the deployment could impersonate users when SAML is the authentication method.
Other LTS-related work
LTS-Meeting

I attended the Debian LTS team IRC-meeting this month.

Other FLOSS activities
  1. One week before the full freeze of Debian Bullseye the release-critical bug #990895 against the package httraqt was filed. Thanks to the reporter, I could fix it within an hour of the ticket being created; I uploaded version httraqt_1.4.9-5 and filed an unblock request, which was approved.

Reproducible Builds (diffoscope): diffoscope 179 released

30 July, 2021 - 07:00

The diffoscope maintainers are pleased to announce the release of diffoscope version 179. This version includes the following changes:

* Ensure that various LLVM tools are installed, even when testing whether
  a MacOS binary has zero differences when compared to itself.
  (Closes: reproducible-builds/diffoscope#270)

You can find out more by visiting the project homepage.

Patryk Cisek: Debian on TrueNAS Core under bhyve

29 July, 2021 - 05:45
Installing Debian/GNU Linux under bhyve on TrueNAS Core

I got myself a TrueNAS Mini X+ a couple of months ago. I have it running TrueNAS Core, which is based on FreeBSD. In that system you can run VMs under FreeBSD’s native hypervisor, bhyve. Since there are a couple of quirks around running Debian specifically, I decided to write up a quick article about setting up a Debian-based VM there.

The quirks

The ones I’ve stumbled upon were:

Dirk Eddelbuettel: RcppFarmHash 0.0.1: New CRAN Package

27 July, 2021 - 07:05

A new package RcppFarmHash is now on CRAN in an inaugural version 0.0.1.

RcppFarmHash wraps the Google FarmHash family of hash functions (written by Geoff Pike and contributors) that are used for example by Google BigQuery for the FARM_FINGERPRINT.

The package was prepared and uploaded yesterday afternoon, and to my surprise already on CRAN this (early) morning when I got up. So here is another #ThankYouCRAN for very smooth operations.

The very brief NEWS entry follows:

Changes in version 0.0.1 (2021-07-25)
  • Initial version and CRAN upload

If you like this or other open-source work I do, you can now sponsor me at GitHub.


Marco d'Itri: Run an Ansible playbook in a chroot

25 July, 2021 - 22:07

Running a playbook in a chroot or container is not supported by Ansible, but I have invented a good workaround to do it anyway.

The first step is to install Mitogen for Ansible (ansible-mitogen in Debian) and then configure ansible.cfg to use it:

[defaults]
strategy = mitogen_linear

But everybody should use Mitogen anyway, because it makes Ansible much faster.

The trick to have Ansible operate in a chroot is to make it call a wrapper script instead of Python. The wrapper can be created manually or by another playbook, e.g.:

  vars:
  - fsroot: /mnt

  tasks:
  - name: Create the chroot wrapper
    copy:
      dest: "/usr/local/sbin/chroot_{{inventory_hostname_short}}"
      mode: 0755
      content: |
        #!/bin/sh -e
        exec chroot {{fsroot}} /usr/bin/python3 "$@"

  - name: Continue with stage 2 inside the chroot
    debug:
      msg:
        - "Please run:"
        - "ansible-playbook therealplaybook.yaml -l {{inventory_hostname}} -e ansible_python_interpreter=/usr/local/sbin/chroot_{{inventory_hostname_short}}"

This works thanks to Mitogen, which funnels all remote tasks inside that single call to Python. It would not work with standard Ansible, because it copies files to the remote system with SFTP and would do it outside of the chroot.

The same principle can also be applied to containers by changing the wrapper script, e.g.:

#!/bin/sh -e
exec systemd-run --quiet --pipe --machine={{container_name}} --service-type=exec /usr/bin/python3 "$@"

Once the wrapper has been installed, you can run the real playbook by setting the ansible_python_interpreter variable, either on the command line, in the inventory or anywhere else that variables can be defined:

ansible-playbook therealplaybook.yaml -l {{inventory_hostname}} -e ansible_python_interpreter=/usr/local/sbin/chroot_{{inventory_hostname_short}}

Dirk Eddelbuettel: littler 0.3.13: Moar Goodies

25 July, 2021 - 00:53

The fourteenth release of littler as a CRAN package just landed, following in the now fifteen year history (!!) as a package started by Jeff in 2006, and joined by me a few weeks later.

littler is the first command-line interface for R as it predates Rscript. It allows for piping as well as for shebang scripting via #!, uses command-line arguments more consistently and still starts faster. It also always loaded the methods package which Rscript only started to do in recent years.

littler lives on Linux and Unix, has its difficulties on macOS due to yet-another-braindeadedness there (who ever thought case-insensitive filesystems as a default were a good idea?) and simply does not exist on Windows (yet – the build system could be extended – see RInside for an existence proof, and volunteers are welcome!). See the FAQ vignette on how to add it to your PATH.

A few examples are highlighted at the Github repo, as well as in the examples vignette.

This release brings two new example scripts and command wrappers (compiledDeps.r, silenceTwitterAccount.r), along with extensions, corrections, or polish for a number of other examples as detailed in the NEWS file entry below.

Changes in littler version 0.3.13 (2021-07-24)
  • Changes in examples

    • New script compiledDeps.r to show which dependencies are compiled

    • New script silenceTwitterAccount.r wrapping rtweet

    • The -c or --code option for installRSPM.r was corrected

    • The kitten.r script now passes options ‘bunny’ and ‘puppy’ on to the pkgKitten::kitten() call; new options to call the Arma and Eigen variants were added

    • The getRStudioDesktop.r and getRStudioServer.r scripts were updated for a change in rvest

    • Two typos in the tt.r help message were corrected (Aaron Wolen in #86)

    • The message in cranIncoming.r was corrected.

  • Changes in package

    • Added Continuous Integration runner via run.sh from r-ci.

    • Two vignettes got two extra vignette attributes.

    • The mkdocs-material documentation input was moved.

    • The basic unit tests were slightly refactored and updated.

My CRANberries provides a comparison to the previous release. Full details for the littler release are provided as usual at the ChangeLog page, and now also on the new package docs website. The code is available via the GitHub repo, from tarballs and now of course also from its CRAN page and via install.packages("littler"). Binary packages are available directly in Debian as well as soon via Ubuntu binaries at CRAN thanks to the tireless Michael Rutter.

Comments and suggestions are welcome at the GitHub repo.

If you like this or other open-source work I do, you can now sponsor me at GitHub.


Evgeni Golov: It's not *always* DNS

24 July, 2021 - 01:36

Two weeks ago, I had the pleasure to play with Foreman's Kerberos integration and iron out a few long standing kinks.

It all started with a user reminding us that Kerberos authentication is broken when Foreman is deployed on CentOS 8, as there is no more mod_auth_kerb available. Given mod_auth_kerb hasn't seen a release since 2013, this is quite understandable. Thankfully, there is a replacement available, mod_auth_gssapi. Even better, it's available in CentOS 7 and 8 and in Debian and Ubuntu too!

So I quickly whipped up a PR to completely replace mod_auth_kerb with mod_auth_gssapi in our installer and successfully tested that it still works in CentOS 7 (even if upgrading from a mod_auth_kerb installation) and CentOS 8.

Yay, the issue at hand seemed fixed. But just writing a post about that would've been boring, huh?

Well, and then I dared to test the same on Debian…

Turns out, our installer was using the wrong path to the Apache configuration and the wrong username Apache runs under while trying to set up Kerberos, so it could not have ever worked. Luckily Ewoud and I were able to fix that too. And yet the installer was still unable to fetch the keytab from my FreeIPA server 😿

Let's dig deeper! To fetch the keytab, the installer does roughly this:

# kinit -k
# ipa-getkeytab -k http.keytab -p HTTP/foreman.example.com

And if one executes that by hand to see the actual error, you see:

# kinit -k
kinit: Cannot determine realm for host (principal host/foreman@)

Well, yeah, the principal looks kinda weird (no realm) and the interwebs say for "kinit: Cannot determine realm for host":

  • Kerberos cannot determine the realm name for the host. (Well, duh, that's what it said?!)
  • Make sure that there is a default realm name, or that the domain name mappings are set up in the Kerberos configuration file (krb5.conf)

And guess what, all of these are perfectly set by ipa-client-install when joining the realm…

But there must be something, right? Looking at the principal in the error, it's missing both the domain of the host and the realm. I was pretty sure that my DNS and config was right, but what about gethostname(2)?

# hostname
foreman

Bingo! Let's see what happens if we force that to be an FQDN?

# hostname foreman.example.com
# kinit -k

NO ERRORS! NICE!

We're doing science here, right? And I still have the CentOS 8 box I had for the previous round of tests. What happens if we set that to have a shortname? Nothing. It keeps working fine. And what about CentOS 7? VMs are cheap. Well, that breaks like on Debian, if we force the hostname to be short. Interesting.

Is it a version difference between the systems?

  • Debian 10 has krb5 1.17-3+deb10u1
  • CentOS 7 has krb5 1.15.1-50.el7
  • CentOS 8 has krb5 1.18.2-8.el8

So, something changed in 1.18?

Looking at the krb5 1.18 changelog the following entry jumps at one: Expand single-component hostnames in host-based principal names when DNS canonicalization is not used, adding the system's first DNS search path as a suffix.

Given Debian 11 has krb5 1.18.3-5 (well, testing has, so let's pretend bullseye will too), we can retry the experiment there, and it shows that it works with both short and full hostnames. So yeah, it seems krb5 "does the right thing" since 1.18, and before that gethostname(2) must return an FQDN.

I've documented that for our users and can now sleep a bit better. At least, it wasn't DNS, right?!

Btw, freeipa won't be in bullseye, which makes me a bit sad, as that means that Foreman won't be able to automatically join FreeIPA realms if deployed on Debian 11.
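As an added example (not from the post), a small preflight check for the gethostname(2) pitfall described above: given a hostname and a krb5 version it says whether kinit -k will be able to derive a realm for the host principal or will end up with the realm-less host/NAME@ seen in the post. The 1.18 threshold is the changelog entry quoted above; detecting the live version through krb5-config --version (assumed to print the MIT release string ending in the version number) and the version-string parsing are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): preflight check for the
# "kinit: Cannot determine realm for host" failure caused by a short
# hostname on krb5 releases older than 1.18.

# is_fqdn NAME: true when NAME has a domain part (at least one dot) that
# krb5 can map to a realm via krb5.conf domain_realm or DNS.
is_fqdn() {
  case "$1" in
    *.*) return 0 ;;
    *)   return 1 ;;
  esac
}

# krb5_needs_fqdn VERSION: true when krb5 is older than 1.18, the release
# that started expanding single-component hostnames with the first DNS
# search path. Non-numeric input ("unknown") fails safe and returns true.
krb5_needs_fqdn() {
  major=${1%%.*}
  rest=${1#*.}
  minor=${rest%%.*}
  case "$major$minor" in
    *[!0-9]*|'') return 0 ;;
  esac
  [ "$major" -lt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -lt 18 ]; }
}

# host_principal_check NAME VERSION: prints a one-line verdict; returns 0
# when host/NAME@REALM can be derived, 1 when it would become host/NAME@.
host_principal_check() {
  name=$1
  version=$2
  if is_fqdn "$name"; then
    echo "ok: hostname '$name' is fully qualified"
    return 0
  fi
  if krb5_needs_fqdn "$version"; then
    echo "fail: krb5 $version needs an FQDN but gethostname() returns '$name'"
    return 1
  fi
  echo "ok: krb5 $version will expand '$name' with the DNS search path"
  return 0
}

# main [NAME [VERSION]]: defaults to the live hostname and the version
# reported by krb5-config (assumed format "Kerberos 5 release 1.18.3").
main() {
  name=${1:-$(hostname 2>/dev/null)}
  version=${2:-$(krb5-config --version 2>/dev/null | awk '{print $NF}')}
  host_principal_check "$name" "${version:-unknown}"
}

if main "$@"; then
  :
else
  echo "hint: set a fully qualified hostname (hostname foreman.example.com) or use krb5 >= 1.18"
fi
```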

Bits from Debian: New Debian Developers and Maintainers (May and June 2021)

22 July, 2021 - 20:45

The following contributors got their Debian Developer accounts in the last two months:

  • Timo Röhling (roehling)
  • Patrick Franz (deltaone)
  • Christian Ehrhardt (paelzer)
  • Fabio Augusto De Muzio Tobich (ftobich)
  • Taowa (taowa)
  • Félix Sipma (felix)
  • Étienne Mollier (emollier)
  • Daniel Swarbrick (dswarbrick)
  • Hanno Wagner (wagner)

The following contributors were added as Debian Maintainers in the last two months:

  • Evangelos Ribeiro Tzaras
  • Hugh McMaster

Congratulations!


Creative Commons License. The copyright of each article belongs to its respective author.
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.