Category Archives: Uncategorized

Conntrack table flood

Posted on by
Reply

Recently we had problems with our gateway, connections were dropped and so on.
After a bit of investigation we found that it was due to a bugged game using Javascript which, when it ran on Firefox, opened connections in a loop flooding the connection tracking table in a matter of hours. Once found, it was easy to fix. This was also the occasion to tighten the timeouts values of nf_conntrack a little bit. Indeed 5 days timeouts for established connection doesn’t really make sense when your public IPv4 change every 36hours or so.

Start XScreensaver before going to sleep

Posted on by
5

It seems rational to request XScreensaver to lock your screen when you suspend your machine. This is possible in Debian via the /etc/default/acpi-support file, especially with this line :

# Comment this out to disable screen locking on resume
LOCK_SCREEN=true

However for some obscure reason this will lock the screen (i.e. issue the “xscreensaver-command -lock” command) after suspend, that is on resume. Since the locking process is not immediate your desktop will be available for anyone to watch (and use) for a duration of about one or two second. There is no need to say that this is unacceptable.

It is possible to avoid that by disabling the default screen locking mechanism and hooking it manually to PM. So you should add a script into /etc/pm/sleep.d. The following script is the first version of the script I used (beware it doesn’t work, see below) :

#!/bin/sh
# XScreensaver should be called BEFORE going to sleep to avoid the desktop
# to be shown for a few seconds when the system resumes from sleep.

case "$1" in
  hibernate|suspend)
    xscreensaver-command -lock
    sleep 1 # annoying sleep
    ;;
  *)
    exit 0;;
esac

You may notice that the script issues a sleep just after the xscreensaver-command has returned. It ensures that the screen will be really locked when the system effectively enters into sleep. This is needed because the xscreensaver-command will not lock the screen immediately, that is it is non-blocking in a certain way and you cannot ensure that the screen is effectively locked as soon as the command has returned.

However the script above doesn’t work. As Marcus Moeller commented, the above script won’t work by default on Debian and probably with most other distributions. That is because we don’t issue the xscreensaver lock command as the user owning the xscreensaver daemon. I quote his solution here :

#!/bin/sh
# XScreensaver should be called BEFORE going to sleep to avoid the desktop
# to be shown for a few seconds when the system resumes from sleep.

IS_ACTIVE="$( pidof /usr/bin/xscreensaver )"

case "$1" in 
  hibernate|suspend) 
    # check if xscreensaver is running. if not, just skip on. 
    if [ -z "$IS_ACTIVE" ] 
      then : 
      else 
      # run the lock command as the user who owns xscreensaver process, 
      # and not as root, which won't work.
      su "$( ps aux | grep xscreensaver | grep -v grep | grep $IS_ACTIVE | awk '{print $1}' )" 
             -c "/usr/bin/xscreensaver-command -lock" &
      sleep 1
    fi
    ;;
  *)
    exit 0;;
esac

Digging in xscreensaver’s code shows that what the command actually needs is a connection to the X server. If xscreensaver-command cannot find the display from either command line or environment variables, it will fall back to “:0.0“. But this will fail if root cannot connect to the X server (which is generally the case). That’s how the ‘user approach’ fixes it. However this won’t work anymore if there are multiple instance of xscreensaver running on different displays (only one of them will be locked). Another solution would be to issue the command on each display where root can connect to. However this poses two problems :

  1. It is not as easy as it seems to reliably list all available displays. (see http://stackoverflow.com/questions/11367354/obtaining-list-of-all-xorg-displays).
  2. It requires that each lockable session allows connections from root with “xhost si:localuser:root“.
Here is the modification I posted in response which uses the ‘display approach’ instead:
#!/bin/sh
# XScreensaver should be called BEFORE going to sleep to avoid the desktop to be shown
# for a few seconds when the system resumes from sleep.

case "$1" in
  hibernate|suspend)
  # The X server may not be running
  if [ ! -d /tmp/.X11-unix ]
  then
    exit 0
  fi 

  # Lock each available display
  for socket in $(ls /tmp/.X11-unix)
  do
    display=$(echo "$socket" | tr "X" ":")
    xscreensaver-command -display "$display" -lock
  done

  sleep 1 # annoying sleep
  ;;
  *)
   exit 0;;
esac

However we are not done yet. As you can see we still rely on sleep to ensure that the screen is locked before our script returns control to the suspend procedure. With usage it became clear that one second was not sufficient as the script would return too early from time to time. Incrementing the duration of the sleep would be more than annoying and it doesn’t offer any real guarantee anyway. The only solution would be to find a way to exit the script when we are sure that the display is effectively locked. This is possible by watching at the changes of states of the screensaver while issuing the lock command. There is a slight last problem however. If multiple displays are present we want to issue that “lock ‘n watch” procedure in paralell to avoid accumulating the locking delays. That’s the solution I use in the script below, note that we don’t rely on sleep anymore:

#!/bin/sh
# XScreensaver should be called BEFORE going to sleep to avoid the desktop to be
# shown for a few seconds when the system resumes from sleep.
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

lock_display() (
  socket="$1"
  display=$(echo "$socket" | tr "X" ":")

  # Temporary pid file for the watching command
  tpid=$(mktemp)

  # Wait until the display is actually locked.
  (timeout 2s xscreensaver-command -display "$display" -watch & echo $! > $tpid) | (
    # Issue the lock command only when we know that
    # the watching pipe is ready.
    xscreensaver-command -display "$display" -lock

    while read line
    do
      line=$(echo $line | cut -d' ' -f 1)

      if [ "$line" = LOCK ]
      then
        # We have to kill the watching command manually before breaking.
        kill -TERM $(cat $tpid)
        break
      fi
    done
  )

  rm $tpid
)

case "$1" in
  hibernate|suspend)
    # The X server may not be running
    if [ ! -d /tmp/.X11-unix ]
    then
      exit 0
    fi

    # Lock each available display
    for socket in $(ls /tmp/.X11-unix)
    do
        # Lock the display
        lock_display $socket &
    done

    # Wait until every displays are locked
    wait
    ;;
  *)
    exit 0;;
esac

As stated above you still need to allow connections from root to your display. You may for example use this command when your session start :

xhost si:localuser:root

Or, as the man page of xhost states, use the file /etc/X*.hosts to do that globally.

Pidgin current song and Audacious

Posted on by
Reply

There are many plugins to change the current song within your Pidgin status (by Pidgin I mean libpurple in general) coupled with your favorite media player. In particular there are such plugins for Audacious (a modern and worthy descendant of the mighty XMMS, love it). Although I don’t use them since there is a much simplier way to do that. You may send the song directly from Audacious up to Pidgin with purple-remote. There is a plugin in Audacious to execute a command when the song change. Just add these :

New song command: purple-remote "setstatus?message=(8) %a - %T"
End of playlist : purple-remote "setstatus?message="
Title change    : purple-remote "setstatus?message=(8) %T"

This will update your status message with your current song. The status will be emptied when the playlist is over. Note that this also works with plugins such as Pidgin-PBar.

GTranslate and Weboob

Posted on by
2

This is a quick interface to translation tools. In particular it was made to interface a specific tool from Weboob. For those who don’t know Weboob is a collection of applications able to interact with websites without a browser and mostly from command line interfaces. This allows GTranslate to use web translation services such as Google-Translate. However it can also be used with others translation tools as long as they offer a simple command-line way to translate a text from one language to another. It can also be easily adapted to any tool to provide an interactive conversion from one type to another. I made this tool to try out GTK-3 and GtkBuilder and actually building interfaces with Glade is really easier.

You may found the github page at http://github.com/gawen947/gtranslate.
And a small project page at http://www.hauweele.net/~gawen/gtranslate.html.

GTranslate

Speaking about Weboob I think this is a very good initiative because I’m getting a bit sick of these overpowered web-browsers outshining the application landscape. I mean we should tend toward a web of services but instead we just spend our time recoding everything we already had in JavaScript and shiny HTML5 interfaces. And I think, or rather hope that the future of web lies outside the browsers.

Default applications with GTK-3, Chromium and beyond

Posted on by
Reply

Today I was surprised to see a GTK-3 application opening an HTTP URL with Opera. I don’t use  Opera and I just installed by curiosity long ago and forgot about it.  I configured the Debian alternatives however GTK-3 seems to use xdg-mime as confirmed with an strace of the concerned application and references to /usr/share/applications/defaults.list. Note that you may have to create a symlink for defaults.list to /usr/share/applications/mimeapps.list.

You can use the xdg-mime command to configure the default application for each protocol:

$ xdg-mime default chromium.desktop x-scheme-handler/http
$ xdg-mime default chromium.desktop x-scheme-handler/https

You can also configure this manually by editing /usr/share/applications/defaults.list.  Just add these two lines:

x-scheme-handler/http=chromium.desktop
x-scheme-handler/https=chromium.desktop

In the [Default Application] section. Thunar and Chromium also use this so you can configure them to open PDF and handle Skype calls properly. See:

[Default Applications]
x-scheme-handler/http=chromium.desktop
x-scheme-handler/https=chromium.desktop
x-scheme-handler/skype=skype.desktop
text/html=chromium.desktop
application/pdf=mupdf.desktop

This should do the trick. You can get the list of available MIME types with this command (note that the path depends on the location of the shared-mime-info database):

find /usr/local/share/mime -name "*.xml" -exec cat {} \; |g -E -o "type=\".*\"" | sort | uniq

Otherwise you may also use the dconf-editor from the dconf-tools package or gconf-editor to configure GNOME-2/3 default applications. With gconf you should search the following keys:

/desktop/gnome/applications
/desktop/gnome/url-handlers

With dconf instead you should search for:

/desktop/gnome/url-handlers
/org/gnome/desktop/applications

OMG! I just pushed the wrong branch…

Posted on by
Reply

Today I’ve done a lot of rebasing with a series of patches that I needed to push to the master branch of some project. The patches originated from a branch named injector and I prepared the merge in another branch named injector-merge. When it came time to merge my branch back into master I should have written :

git merge injector-merge

But instead I wrote :

git merge injector

Damned auto completion ! Huh… That wouldn’t be so bad if only I hadn’t pushed that to upstream too… So I had to get rid of my master branch and replace it upstream as quickly as possible before anybody could clone or pull from it. By chance this is a fairly new project and I guess nobody cloned or pulled in such a short amount of time (this whole thing lasted no more than one minute or so). So I moved my master branch and replaced it with the injector-merge branch and pushed-force everything.

git checkout master
git branch -m oldmaster
git branch -m injector-merge master
git log

Hum… Everything seems to be in order! Now push it back! 

git push -f origin master

No complaining so far? Right! Well from now on I will call the merge branches merge-* instead of *-merge.

Get rid of that Non-Breaking space

Posted on by
3

The non-breaking space is a variant of the space character which as the name suggests prevents automatic line breaking when using a space character. Another common use of it is to avoid collapsing of white-spaces in formats such as TeX or HTML. There are also some others specific typographic uses but nevermind.

From my point of view this character is a real pain, a annoying remain of a former era when the only editor you had was plain-text and which is now just good at invisibly polluting your work so that no compiler, interpreter or any other ASCII oriented tool would accept it anymore. For ASCII is not dead, it’s 7-bit, it’s common, it’s the neutral zone of all character set and No-Break Space shall not interfere therefore it must be eradicated from the very surface of earth or at least from my own keyboards.
There are several options to do that under Xorg. The first one would be to use the setxkbmap command to specify the nbsp:none option for your keyboard.
setxkbmap -option "nbsp:none"

However this won’t work as you might expect it especially when you have multiple keyboards with different layouts. So another solution would be to specify XkbOption directly within the Xorg configuration file, one for each input device. But this won’t work neither if you use a Bépo layout as this option will simply disable the use of underscore (AltGr Space). So the final solution is based on xmodmap to modify the list of keysyms assigned to the space keycode (0x41). You may just add the following line to ~/.xmodmap and ensure that the file is loaded when your session starts with xmodmap ~/.xmodmap.

keycode 65 = space space space space underscore underscore space space

Intel NIC connection problem

Posted on by
Reply

PCIe ASPM is an hardware power management protocol for PCI express devices. It allows a far better power management than what can be done with software power management at the price of an increased latency to the device. However some hardware don’t advertise it properly. And this was in fact the origin of the power regression case of 2.6.38 which was later fixed in 3.3.

It may also cause some Intel NIC (such as e1000e) to fall asleep unintentionally. So if you have an Intel NIC on Linux and it even fails to acquire an IPv4 address then you might try to add this option to your kernel command line : pcie_aspm=off. On Debian you can add this option to GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub and issue an update-grub.

You may also want to change the link-state of one specific device to L0/L1 at runtime. For this I’ll point you there : http://wireless.kernel.org/en/users/Documentation/ASPM.

Raspberry Pi Ethernet speed

Posted on by
2

I’ve been a long time user of IPv6 tunnels from SixXS to provide an access to the IPv6 Internet behind my ISP. These tunnels also allow me to use static IP addresses for my home servers along with static AAAA records and this is cool !

Currently I use several Debian GNU/Linux based soft-routers with two (100 and 1000) Ethernet ports. These are often running on old recycled laptops which consumes around 40 Watts of power at peak level. Next to that the ARM Raspberry Pi platform consumes around 3 Watts of power (though I still have to measure it by myself). So I thought about replacing all my home-routers with those.

However the Raspberry Pi model B uses a SMSC LAN951x chip which includes the USB 2.0 Hub and an 10/100 Ethernet controller on top of it (which is known as smsc95xx in the Linux kernel). My  main concern was that it would not be fast enough to support the IPv6 tunnel at its peak bandwidth of 60Mbps (that is 30Mbps downstream/upstream).

I already use one RPi as an experimental home-router here. Our Internet bandwidth is a bit slow (12Mbps) so the USB-Ethernet  shouldn’t be a problem. I’ve conducted quick tests with IPerf and as you can see the results are pretty good as long as it doesn’t involve I/O on the RPi.

------------------------------------------------------------
Server listening on TCP port 5001
TCP window size: 85.3 KByte (default)
------------------------------------------------------------
[  4] local 10.0.0.1 port 5001 connected with 10.0.0.3 port 37373
[ ID] Interval       Transfer     Bandwidth
[  4]  0.0-10.1 sec   114 MBytes  94.4 Mbits/sec
[  5] local 10.0.0.1 port 5001 connected with 10.0.0.3 port 37376
[  5]  0.0-10.1 sec   114 MBytes  94.5 Mbits/sec
[  4] local 10.0.0.1 port 5001 connected with 10.0.0.3 port 37377
[  4]  0.0-10.1 sec   114 MBytes  94.6 Mbits/sec
[  5] local 10.0.0.1 port 5001 connected with 10.0.0.3 port 37378
[  5]  0.0-10.1 sec   114 MBytes  94.5 Mbits/sec