2010-12-07: afs-monitor 2.0
Well, I was going to start going through all my AFS software and releasing
new versions, but then various other things ate my brain and my life.
This release has been mostly ready since the beginning of November. Oh
well, better late than never.
This is the first more drastic overhaul of how I was distributing AFS
software. Previously, all my AFS monitoring scripts were distributed as
separate scripts from my web pages, which meant no history, no public
version control repository, and various other problems. As of this
release, the AFS monitoring scripts are now collected in a tarball and
there's a public Git repository for the code.
Substantial changes in this release compared to the early individual
scripts are:
Rename all the scripts to follow a standard naming pattern of
check_afs_*. This makes it easier to distinguish between these
scripts and other Nagios plugins.
A new check_afs_quotas script based on work by Steve Rader. This
plugin can monitor AFS volumes to check how close consumption is
getting to the volume quota. It can check either individual volumes
or all volumes on a particular server or partition.
check_afs_space can now check an individual partition and produces
more verbose information if only a single partition is checked. This
is also based on work by Steve Rader.
Lots of fixes for correct Nagios output in various error cases,
ignoring additional output lines from AFS commands that are harmless,
improved reporting of some warning conditions, and improved verbose
output from various commands.
Many thanks to Steve Rader for providing all the work he'd done to enhance
our original AFS monitoring scripts.
You can get the latest version from the afs-monitor distribution page. There are also now Debian packages
available (as nagios-plugins-afs) from my
personal Debian repository.
2010-12-08: afs-monitor 2.1
Every .0 release has to have some sort of obvious bug, and this is no
exception. check_afs_space didn't work properly when checking all
partitions on a server (a one-line fix). This release has just that fix
plus a new TODO file and some README documentation tweaks.
You can get the latest version from the afs-monitor distribution page.
2010-12-10: Last haul of 2010
There was a new book by Bethany McLean, so that meant another book order,
and of course I can't just buy one book.
Glen Cook — Chronicles of the Black Company (sff)
Molly Gloss — Wild Life (sff)
Jane Jacobs — Systems of Survival (nonfiction)
Michael Lewis — The Blind Side (nonfiction)
Karen Lowachee — Warchild (sff)
J. Anthony Lukas — Common Ground (nonfiction)
Bethany McLean & Joe Nocera — All the Devils Are Here
(nonfiction)
Susan Palwick — Shelter (sff)
Melissa Scott — The Jazz (sff)
Sudhir Venkatesh — Gang Leader for a Day (nonfiction)
2010-12-12: control-archive 1.4.0
This release adds preliminary support for chkscope parameters in
checkgroups control messages and filters out out-of-scope lines. The
scope is not, however, yet correctly used to determine the actual matching
control.ctl entry. It also fixes Perl warnings from processing some
malformed control messages and includes hierarchy updates since the
previous release.
You can get the latest version from the
control-archive distribution
page.
2010-12-29: C TAP Harness 1.6
Working on free software is particularly rewarding when someone notices
something you've done, decides that it's useful for their purposes as
well, and sends feedback and suggestions that you'd never thought of. The
C TAP Harness package is one of those things I wrote for a particular need
(testing INN), as a hobby, and have been maintaining when I have free time
since then. It already does everything I really need, but it's fun to
improve periodically when I have some free time. Everything in this
release is from suggestions sent by other people (particularly quite a few
suggestions and patches from Carsten Hey).
The C library function is_double() now takes an epsilon and considers two
doubles equal if they're within that epsilon, following best practices for
comparing floating point numbers. It also correctly handles various
abnormal numbers (infinity and NaN). Thanks to PICCA Frédéric-Emmanuel
for this.
There are multiple improvements to the shell libtap.sh library in this
release, most notably cleaning up ok_program. It previously stripped
error output after a colon to allow testing of programs whose error output
has an appended system-specific message. This functionality has now been
removed from ok_program, so it compares the exact output, and added to a
strip_colon_error function that implements an improved version of this
idea as a wrapper.
The files in this distribution meant to be copied to another package now
all have licenses and URLs included in the files, rather than references
to LICENSE, and compile properly with a strictly-conforming C89 compiler
(in a SUSv3 environment).
There are also some other, more minor bug fixes and improvements.
You can get the latest version from the
C TAP Harness distribution page.
2010-12-29: rra-c-util 3.0
The major additions in this release of my collection of C utility
libraries and Autoconf probes is a new PAM utility library and a fake PAM
library for testing.
The PAM utility library is something that I've been working on for much of
the year. The idea originally came from seeing how annoying and
repetitive the code for the options parsing in
pam-afs-session and particularly
pam-krb5 had become. Adding new options
required changing code in multiple places, including long, tedious if
trees, and duplicating default value information in several ways.
The core of the new PAM utility library is a table-driven option parser.
The PAM module need only provide a table of options and default values and
a struct into which those values will be written, and the option parser
does the rest. The code to write the values into the struct uses some
scary C type violations and some techniques that I developed when writing
the "new" inn.conf parser for INN. This
parser also supports reading options from krb5.conf in addition to the PAM
configuration, with appropriate handling of defaults and allowing the
krb5.conf support to be optional, and has some neat bits like using a
binary search to find an option in the option table so that there
shouldn't be much speed penalty from adding more options (apart from the
unfortunately linear check for each option in krb5.conf if that's
enabled).
Also in the utility library are logging functions that handle calling
pam_syslog with the right options and a vector library for handling
automatically resizing arrays of strings. The latter is also used for PAM
options that are actually lists of things inside the option parser.
Also in this release is a fake PAM library that implements just enough of
PAM to allow a test program to call all the entry points of a PAM module.
This is needed for good PAM module testing, since the system PAM library
always looks at the system configuration and doesn't given the caller any
control over skipping that. This library can be initialized by a test
case and provides enough of the PAM library that a module will be happy,
and allows the test case to inspect the internal PAM data if required.
This release also includes substantial improvements to the kafs
replacement library, including Mac OS X and Solaris 11 support and support
for k_haspag (even if building with a kafs library that doesn't have it).
It also includes additional Kerberos portability glue and fixes some
broken GCC attribute markers in the utility library.
You can get the latest version from the rra-c-util distribution page.
2010-12-29: pam-afs-session 2.0
pam-afs-session is a PAM module that creates a PAG and obtains tokens for
a user at login, working with a Kerberos PAM module (such as
pam-krb5) that obtains Kerberos tickets.
The main reason for the new major version is that this release finally
hopefully addresses a long-standing problem with pam-afs-session on Linux:
the PAM module creates a PAG and obtains tokens, pam_keyinit runs and
deletes both, and then the module doesn't run again because it's already
run. A lot of users have had to just remove pam_keyinit in order to make
pam-afs-session work properly.
This release takes advantage of the new VIOC_GETPAG and k_haspag interface
and checks, when run, whether the user is in a PAG. If they're not,
because it's been destroyed by pam_keyinit for example, it creates a new
PAG and obtains tokens again even if it had already run. This means that
as long as pam-afs-session is after pam_keyinit in the session stack, it
should work properly.
I also switched pam-afs-session over to Automake and Libtool in this
release rather than hand-rolling compilation rules. This, among other
things, lets me suppress all non-public symbols on all platforms, not just
on Linux. I had very positive experiences with doing this on pam-krb5
(not a single user complained or had trouble building the module), so
hopefully the same will hold with pam-afs-session.
This release also adds untested support for the new AFS system call
methods on Mac OS X and Solaris 11 (which use an ioctl in /dev instead of
a system call) and updates the configure options used to configure kafs
support.
Other bug fixes in this release include avoiding returning an
uninitialized value from pam_open_session when notokens is set, removing
module data on pam_close_session so that opening multiple sessions with
the same PAM handle should work, fixing a configure error when built with
--without-krb5, and properly reporting ignore status when debugging is
enabled.
Finally, and this should make a big difference for maintainability going
forward, this release includes a test suite and uses the new PAM utility
layer and fake PAM testing library from rra-c-util 3.0.
You can get the latest version from the
pam-afs-session distribution page.
2010-12-31: pam-krb5 4.4
I had accumulated some fixes and felt like doing one more software release
before the new year. It starts the year off on a good note.
The main change in this version is a bug fix (and, unfortunately, a bug
reintroduction) in the PKINIT support for MIT Kerberos. In trying to fix
an issue where the user's password wasn't saved in the PAM stack if PKINIT
failed and the module fell back on prompting, I added a password prompt in
all cases, even if try_pkinit was set. Since with PKINIT the user may not
have a password, that's confusing to say the least.
This release fixes that at the cost of reintroducing the problem of not
saving the user's password in the PAM stack if PKINIT fails. I know how
to fix this, but it will require a substantial reworking of the control
flow for doing PKINIT authentications under MIT Kerberos. It's something
that I've wanted to do anyway, since it will make the code more analogous
to the Heimdal code and easier to maintain, but that will have to wait for
another release.
This issue only affects MIT Kerberos. Heimdal has a much nicer (at least
for my purposes) interface for PKINIT authentication that doesn't present
the same problem.
This release also reorganizes the pam_krb5 man page to break the
configuration directives up into sections. It's still a bit hard to
follow since there are so many options at this point, but this will
hopefully make it a bit more readable. Finally, there are some additional
portability fixes.
You can get the latest version from the pam-krb5 distribution page.
All posts