Posts for August 2006

2006-08-03: AFS Hackathon

The last three days I spent in Virginia at the AFS Hackathon, which despite being perfect in almost every other way had rather bad network connectivity. That plus trying to focus on AFS is why I haven't been updating (or doing much of anything else other than working on AFS).

The hackathon was a great experience. It was about ten of us in a nice, large (and air-conditioned!) room with plenty to eat, a local network, lots of laptops, a white board, and flip charts, spending about twelve hours a day hacking on or talking about AFS. I got more done in three days than I'd gotten done on AFS in the past year, and I'm now feeling much better about fulfilling my obligations as an AFS gatekeeper. (I still need to do more work, but at least I have some concrete contributions to point to.)

A lot of the work I did over the past three days was cleaning out bits of the AFS source tree that are no longer relevant or that don't work, starting with eliminating AFS's separate pinstall program in favor of using the standard Autoconf-detected install (which required fairly substantial makefile changes). I did find the time to also add links back to the index page for the HTML generation of the command reference manuals, to design and do the first implementation of a libkopenafs library that provides just setpag, unlog, and pioctl for programs that need those functions as a self-contained library, and a new pam_aklog PAM module that will work with a Kerberos v5 PAM module to set up a PAG and then fork aklog to get AFS tokens. Not bad for three days and that doesn't count the other discussions and bug fixes.

Sunday and today were entirely devoted to travelling, since the flight is nearly six hours plus waiting and transport at either end. Tomorrow is going to be entirely devoted to catching up on work-related and planning-related things that I've been ignoring while working on this. Hopefully this weekend I can finish up a few other coding projects and keep reducing the outstanding items on my to-do list.

I was going to be good this evening and walk, but since I've been going to bed at around 10pm eastern time and it's now nearly midnight eastern, I've pretty much run out of energy. I expect I'll be waking up rather early for a few days.

I've finished Blood and Iron, Catch-22, and Dead Until Dark, have nearly finished another F&SF, and am a fair chunk of the way into Metropolitan, so there will be book reviews coming as soon as I catch up on other things.

2006-08-04: Catch-up day

The plan for today was to just get caught up on e-mail, planning, organization, and all the things that fall behind while being out of town for most of a week. That went mostly as planned, and I even got a bit of internal packaging work for our K5 upgrade done late in the afternoon.

I'm still partly on east coast time and therefore fading early in the evening, which means I didn't get a book review written. However, I do think I have enough energy to read a bit before falling asleep, and tomorrow I can do the laundry, probably do some shopping, and take care of the remaining necessary household tasks.

I'm down to exactly 100 tasks on my short term tracking list, which is down about fifty from when I first entered everything in, mostly by actually finishing things. I'd like to get that down to about 50; it will probably never get much lower than that, just because there are lots of things I want to do. It's nice to see the steady progress, though, and I do feel like fewer things are slipping between the cracks.

More on that later.

2006-08-06: AFS script releases

I finally found a chance to add to my release script a check to see if there are scripts I've modified and forgotten to release as new versions to my web site. Running it, I found a variety of modifications to my AFS scripts that had never been pushed out, so I went ahead and did that.

afs-balance 1.6 changes the solver to cplexamp from cplex. That's more correct and works with newer versions of ILOG. You can get the latest version from the AFS balancing distribution page.

afsdb-load 1.18 adds support for mailing an alert to a configurable mail address if the nightly dump script is unable to get information from one of the configured AFS servers. You can get the latest version from the AFS reporting database distribution page.

All of the AFS Nagios check scripts (check_afsspace, check_bos, check_rxdebug, and check_udebug) have been updated to prefer AFS programs on local disk and to use a different output format that Nagios is somewhat happier with. You can get the latest versions from the AFS monitoring distribution page.

loadmtpt 1.13 adds a Stanford-specific restriction to not run on 64-bit systems, since the Berkeley DB database that we use isn't portable across changes in the word size. I need to find a better way of dealing with this, probably a better centralized database mechanism. Other sites may want to remove this check. You can get the latest version from the AFS mount point tracking distribution page.

2006-08-07: remctl and PAM

After doing the main work for the day (figuring out how to export the afs service key from our K4 KDC and load it into our K5 KDC and then enable K5 authentication, all of which now works in the test cell), I started working on remctl 2.0 again. After spending the evening pounding on test suites, getting libtool working properly, and cleaning up the last few issues, I think it's done.

I've sent it off to a beta tester, and assuming they don't encounter any major problems, I'm going to redo the Debian packaging to reflect the new client library and then release it and upload it to unstable.

I've also now finished testing my new Kerberos PAM module with OpenSSH, including its ticket forwarding, and confirmed that the newly reported bugs in the old module are fixed in the new one. I think it's basically ready to release; I just have to redo my normal release procedures to work with bzr and write a few other bits of standard documentation. It doesn't have a real build system, but I can add that in the next release.

2006-08-10: remctl 2.0

Finally done.

I've just released remctl 2.0, which implements a completely new wire protocol (with down-negotiation to the existing protocol) that supports streaming of output from the server, potentially binary-cleanliness in the arguments from the client (although the server and client don't fully support this yet due to how programs are executed on the server), persistent connections, and a generally cleaner source base. There's even a test suite and it's really been tested on Heimdal.

There's a long to-do list of further enhancements I want to make, but this should be a fairly solid 2.0 release. Now I can move on to implementing the wallet.

You can get the latest version from the remctl distribution page.

2006-08-11: pam-krb5 2.0

For some time, I've been helping Sam Hartman maintain the Kerberos PAM module in Debian (the version linked against the MIT Kerberos libraries). It had accumulated quite a few bugs, and I'd started making significant modifications to fix them. Then Andres Salomon fixed some larger problems, adding support for credential reinitialization, and made a couple of new upstream releases since Frank Cusack stopped releasing new versions. But he ran out of time and I had more changes that I wanted incorporated and that we're also going to want to use at Stanford on platforms other than Debian.

So, I gave in and decided to take over upstream maintenance, using bzr so that Andres can collaborate easily (and since learning new revision control systems is generally good). I've been working on that off and on for the past few months, and today I finally finished up the last bits of packaging and documentation (and teaching my release scripts about bzr). So now a 2.0 release is out and I've uploaded new packages to Debian which can now be stabilized for the etch release.

You can get my release from the pam-krb5 distribution page.

2006-08-11: faq2html 1.25

While converting the README for pam-krb5, I discovered faq2html would stop treating centered headings at the top of a document as headings if one of the lines was too long. That seemed broken, so I tweaked faq2html to treat the entirety of a paragraph as headings if the first line looked like one.

You can get the latest release from my web tools distribution page.

2006-08-12: Debian work

We're hopefully coming up fast on the Debian etch release. I'm not sure if I really believe even yet that it's going to be out in December, but hopefully it won't be long after that (and I'm going to try to help get it out on time).

The krb5 packages are in fairly good shape, and I don't plan on trying to package 1.5 (or 1.5.1) before the freeze. It may be worth packaging 1.4.4 when it's released, although I don't expect many changes there other than the security patch that we've already applied. The only other change that might be worthwhile is adding LSB support to the init scripts, which I may do if I have time.

For OpenAFS, we should release with 1.4.2, which will hopefully be out in the next few weeks. We're still likely to lose with newer kernels, but that should be good for the kernels that Debian will release with. I'm probably not going to have the time to get a new aklog PAM module into Debian before the release; we'll have to make do with libpam-openafs-session for one more release.

I just uploaded a major new version of the Kerberos PAM module and it will require a bit of settling in, but I think it should be good for releasing. It solves all of the existing bugs, so far as I can tell, other than the timeout when the network is down which is deep in the Kerberos libraries.

My random Kerberos packages are all in good shape. remctl 2.0 may require some minor shaking out, but hopefully not much. One more minor release of WebAuth to clean up a few things would be nice, but not critical.

xfonts-jmk is good to go. gtimer needs one more bug fix that I hope to find time to do soon. gnubg could stand to be updated to a current CVS snapshot and needs a couple of translations applied, but it's otherwise ready to go.

Hopefully this release I'll be able to help out more with fixing RC bugs and uploading NMUs. I'm still pretty leery of doing that, afraid of breaking things, but every Debian developer who can needs to kick in and get those RC bugs fixed, and I have a lot of skills in that area. Hopefully I can find some time in September to start on that; if not, I'll try to help after I get back from vacation in November.

I'm not sure we're going to make etch with Shibboleth. I may try, but it's rather late and I don't have a lot of free time to clean up the two remaining packages and get them release-ready.

2006-08-15: NNTP status

It's been a long time since I've mentioned NNTP standardization here, but I'm pleased to report that all four of our documents (the base standard plus the streaming, authentication, and SSL extensions) are now in author's 48 hours. This is the final review stage before publication as RFCs, intended for the document editor to take a last pass over the edited work and make sure that nothing went awry. We have a small number of last minute changes, and then the RFCs should be out.

While in theory it's only supposed to last a couple of days, in practice author's 48 usually lasts a couple of weeks. But soon, we will have concrete documents. Then I just have to find time to update INN accordingly.

2006-08-21: Stuff

I've been doing rather badly at writing anything lately, due largely to having to get up at 6am Thursday, Saturday, and Sunday to do upgrades (and then trying to prepare for the work that I was doing). However, the good part is that Kerberos v5 authentication is now enabled for Stanford's AFS cell and it appears to all work well.

Today I sent out the extended run-down on the status of our K4 to K5 transition. There's still a lot of work to do, but we're finally nearly at the point where all of it can actually be done. There's only a small bit of blocking development left, all of which we're actively working on, and then it's just a matter of converting services over and turning things off.

In other news, the Debian Madman package apparently doesn't work properly on AMD64 and upstream development has stopped, so I gave up and switched to Quod Libet. Which meant re-entering all of my ratings from Madman into Quod Libet. Bleh. I finished tonight, though, so now I can go back to rating music and trying to finish off my collection. Only about 80 hours of music to go. The long-term goal is then to script the process of syncing music to my portable player so that I only transfer (and index) things rated "good" or higher. Hopefully Quod Libet will do the right thing for creating .m3u files or I'm going to be sad.

I'm behind on reviews (two finished books and one, soon to be two, finished magazines), but once again this evening I didn't quite get to that. Oh well. I will soon, I expect.

Now it's off to exercise and then read more of A Feast for Crows.

2006-08-22: remctl 2.1

I was going to wait for the first wallet release to do more remctl work, but having make check not work if builddir != srcdir would cause Quanah to complain when building it for pubsw. Since Ralf Wildenhues did a bunch of checking for me to be sure the latest Automake would work correctly (much appreciated!) and commented on this, I went ahead and fixed it.

I also modified the remctl server to set REMOTE_USER (the same as REMUSER), REMOTE_ADDR, and REMOTE_HOST (if available), which exposes some more interesting information that I'll need for the wallet server and which should make libraries that run in CGI environments happier.

You can get the latest version from the remctl distribution page.
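
As an added illustration (not code from remctl or from this post), the sketch below shows how a backend command started by the remctl server could use those variables: it authorizes on the authenticated principal and only logs the address and host. The ACL, the principal pattern, the `authorize` helper and the sample environment are all constructed for the example.

```python
import re

# Constructed ACL for illustration: Kerberos principal -> allowed subcommands.
SAMPLE_ACL = {
    "alice@EXAMPLE.ORG": {"show", "get"},
    "host/backup.example.org@EXAMPLE.ORG": {"get"},
}

# Conservative pattern chosen for this example, not remctl's own rule.
PRINCIPAL_RE = re.compile(r"[A-Za-z0-9._/-]+@[A-Za-z0-9.-]+")


def _clean(value):
    """Replace whitespace and control characters so a value cannot forge log fields."""
    return re.sub(r"[^\x21-\x7e]", "?", value)


def caller_identity(env):
    """Return (principal, addr, host) from the variables named in the post."""
    remote_user = env.get("REMOTE_USER")
    remuser = env.get("REMUSER")
    # The post says both carry the same value; fail closed if they differ.
    if remote_user and remuser and remote_user != remuser:
        raise PermissionError("REMOTE_USER and REMUSER disagree")
    principal = remote_user or remuser
    if not principal or not PRINCIPAL_RE.fullmatch(principal):
        raise PermissionError("no usable authenticated principal")
    addr = env.get("REMOTE_ADDR") or "unknown"
    # REMOTE_HOST is only set "if available"; fall back to the address.
    host = env.get("REMOTE_HOST") or addr
    return principal, addr, host


def authorize(env, subcommand, acl=SAMPLE_ACL):
    """Decide on the principal alone; address and host are logged, not trusted."""
    principal, addr, host = caller_identity(env)
    allowed = subcommand in acl.get(principal, set())
    audit = "principal=%s addr=%s host=%s cmd=%s result=%s" % (
        principal, _clean(addr), _clean(host), _clean(subcommand),
        "allow" if allowed else "deny")
    return allowed, audit


if __name__ == "__main__":
    # Constructed environment standing in for what the server would export.
    sample = {"REMOTE_USER": "alice@EXAMPLE.ORG", "REMUSER": "alice@EXAMPLE.ORG",
              "REMOTE_ADDR": "192.0.2.10"}
    for cmd in ("show", "delete"):
        print(authorize(sample, cmd))
```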

2006-08-23: wallet status

Man, it was like pulling teeth to get any work done today. I'm not really sure why, although it probably has something to do with my lack of a weekend last weekend catching up with me. I had most of the weekend off, but getting up at 6am really messes with me these days when I do it three days in one week (and don't get into bed as early as I should).

I did, however, get some work done on the new wallet system (which will be our new keytab distribution system). Infrastructure work, not really getting close to finishing it, but there's now a basic test suite for the wallet client, which currently can download keytabs and show information about them if there were a server backend against which it could work. The server that I'm going to use for this isn't ready for me yet, so I think I'm going to continue working on the client for the time being, or perhaps on the remctl backend used to extract selected existing keys from the KDC.

Testing of remctl 2.1 on Solaris turned up various additional issues, and it looks like I'm going to want the remctl Perl bindings for the wallet sooner rather than later (for the wallet server to pull selected keys from the KDC), so I may move away from the wallet briefly to add Perl bindings to remctl and release remctl 2.2 with that and the Solaris fixes.

Basically, what's left before I have a keytab distribution system is writing the remctl code to extract existing keys from the KDC using a kadmin.local modification to optionally not randomize keys (replacing our existing srvtab/keytab caching); writing enough of the basic server framework to implement the keytab storage backend, Kerberos principal and principal group ACLs, and the core code to plug it together; adding additional keytab management to the client, including merging together keytabs and removing keys with old kvnos; and writing the conversion scripts to take the existing data and transfer it into the new MySQL schema. It's looking more tractable the more design I do, and I expect I'll hit my code-complete target of the 15th of next month unless something unforeseen comes up, particularly since that doesn't include keytab merging or the conversion scripts. The time-consuming part is writing the test suite.

No review tonight; I was over at a friend's house talking instead. Hopefully a magazine review tomorrow and then another book review Friday. I'm still working on reading A Feast for Crows, slowly.

2006-08-26: pam-krb5 2.1

Last night was spectacularly productive. Not only did I get various work things finished, I finally finished updating the gnubg patches and uploaded a new version of it to Debian unstable and then finished a new release of pam-krb5.

This release contains a fix for ticket cache initialization when the cache name starts with FILE, but other than that is a portability release. pam-krb5 now uses Autoconf and a more portable build system to handle both MIT and Heimdal more seamlessly, and it has various portability improvements for Heimdal from Matthijs Mohlmann.

You can get the latest version from the pam-krb5 distribution page. I'm almost done with a 2.2 release already, since this release missed some documentation updates and needed a few more Heimdal fixes.

2006-08-29: pam-krb5 2.2

The motivator for another release so quickly was to fix a variety of Heimdal problems and simple build failures, but while I was in the code again, I ended up implementing proper realm support. You can now override the default realm with the PAM options, and the realm is passed in correctly to the functions that read options from krb5.conf so that configuration blocks specific to particular realms are read correctly.

I also called the standard Heimdal initialization function that reads various credential options from krb5.conf, which supports several other krb5.conf options on Heimdal for free.

You can get the latest version from the pam-krb5 distribution page. There will probably be a 2.3 release tomorrow with Solaris support and at least one additional option.

Last modified and spun 2017-05-27