urn:uuid:69ca9647-272f-3b00-a395-f1e74d47d5092025-06-25T00:00:00Z2025-06-25T00:00:00Zurn:uuid:e3a6051d-0f4d-3361-a21c-88bc21451c29<h1 id="introduction">Introduction</h1> <p>The <a href="https://jointhefediverse.net/learn" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Fediverse</a> is a wonderful place, and the <a href="https://FreeBSD.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">#FreeBSD</a> community over there is rather active :-).</p> <p><a href="https://snac.smithies.me.uk/justine/p/1750438853.942123" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Justine Smithies</a> is one those people with whom we have had <a href="https://chaos.social/@evilham/111358518050155771" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">multiple</a> <a href="https://chaos.social/@evilham/111365634983238736" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">constructive interactions</a>, and she has made lovely contributions to FreeBSD&rsquo;s community, starting with her enthusiasm!</p> <p>Recently, <a href="https://snac.smithies.me.uk/justine/p/1750438853.942123" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">she&rsquo;s been toying around</a> with <a href="https://github.com/DreamMaoMao/maomaowm" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">maomao</a>, a Wayland compositor.</p> <p>And <a href="https://chaos.social/@evilham/114732177241015737" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">I promised</a> to create a port if she committed to keeping it up to date (neat trick to get new contributors!)</p> <p>Let&rsquo;s document both that process, and how she can keep those patches coming in to the <a href="https://cgit.freebsd.org/ports/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">ports tree</a>!</p> <h1 id="table-of-contents">Table of Contents</h1> <div class="toc"> <ul> <li><a href="#introduction">Introduction</a></li> <li><a href="#table-of-contents">Table of Contents</a></li> <li><a href="#freebsd-and-the-ports-tree">FreeBSD and the ports tree</a></li> <li><a href="#wayland-on-freebsd">Wayland on FreeBSD?</a></li> <li><a href="#maomao">Maomao</a></li> <li><a href="#getting-started-with-ports">Getting started with ports</a><ul> <li><a href="#setting-up-poudriere8">Setting up poudriere(8)</a></li> <li><a href="#getting-the-ports-tree">Getting the ports tree</a></li> <li><a href="#creating-the-port">Creating the port</a></li> <li><a href="#building-the-port">Building the port</a></li> <li><a href="#testing-the-port">Testing the port</a></li> <li><a href="#updating-the-port">Updating the port</a></li> <li><a href="#creating-the-patch">Creating the patch</a></li> <li><a href="#submitting-the-patch">Submitting the patch</a></li> </ul> </li> <li><a href="#conclusions">Conclusions</a></li> </ul> </div> <h1 id="freebsd-and-the-ports-tree">FreeBSD and the ports tree</h1> <p>You may want to read my (now outdated) post on <a href="/en/blog/2020-FreeBSD-updating-a-port-twisted-python/">updating a FreeBD port</a>, which goes into detail about the Source trees, but most technical bits are outdated by now, given that <a href="https://FreeBSD.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">FreeBSD</a> has moved away from <code>svn</code> and now uses <code>git</code> to manage code.</p> <p>The short version about <a href="https://FreeBSD.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">FreeBSD</a>&lsquo;s Source trees (plural!). Without going into much detail: <a href="https://FreeBSD.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">FreeBSD</a> has a <a href="https://cgit.freebsd.org/src/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">base (or src) tree</a> and a <a href="https://cgit.freebsd.org/ports/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">ports tree</a>.</p> <p>The <a href="https://cgit.freebsd.org/src/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">base tree</a> contains the whole Operating System along with any necessary system utilities and they are developed as a unit.</p> <p>While the <a href="https://cgit.freebsd.org/ports/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">ports tree</a> contains a <em>description</em> of how to compile third-party software under <a href="https://FreeBSD.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">FreeBSD</a> and how to install it manually or how to build an installable binary package, which can later on be built on <a href="https://FreeBSD.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">FreeBSD</a>&lsquo;s infrastructure and served by official <code>pkg</code> repositories.</p> <h1 id="wayland-on-freebsd">Wayland on FreeBSD?</h1> <p>Contrary to popular belief, Wayland is not something that is exclusive to Linux. While it <em>is</em> Linux-centric, it does support FreeBSD, even as a <a href="https://gitlab.freedesktop.org/wayland/wayland/-/blob/main/.gitlab-ci.yml?ref_type=heads#L306" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">test target on its CI</a>!</p> <p>Some things that are worth checking on this topic (though some might be outdated, they are still worth it):</p> <ul> <li><a href="https://papers.freebsd.org/2020/fosdem/raichoo-x11_and_wayland-a_tale_of_two_implementations/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">X11 and Wayland: a tale of two implementations</a>, a talk by raichoo on writing hikari</li> <li><a href="https://hub.darcs.net/raichoo/hikari" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">hikari</a>: a FreeBSD-first Wayland composer</li> <li><a href="https://docs.freebsd.org/en/books/handbook/wayland/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">FreeBSD Handbook: Chapter 6. Wayland</a></li> <li><a href="https://forums.freebsd.org/threads/example-tutorial-pure-wayland-desktop.85930/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Example/Tutorial: Pure wayland desktop</a></li> </ul> <p>There are in fact right now 140 ports with &lsquo;Wayland&rsquo; on their description (source: quick <code>pkg(8)</code> magic).</p> <h1 id="maomao">Maomao</h1> <p>As usual with Wayland things, it is written with Linux in mind, but as it often happens, that does not mean the authors are hostile towards supporting <a href="https://FreeBSD.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">FreeBSD</a>, they just might not be aware that the OS can be a target.</p> <p>In fact, the author recently <a href="https://github.com/DreamMaoMao/mmsg/commit/5f89a00fdefa97b9defb8504eb06df7fedeff831" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">committed some</a> code that helps <code>mmsg</code> (a companion tool to maomao) bulid on FreeBSD without patches.</p> <p>So if we run into issues, we can be reasonably sure that a patch will be welcome.</p> <h1 id="getting-started-with-ports">Getting started with ports</h1> <p>I have previously created several ports and update some from time to time, so I was able to take shortcuts and creating the ports was relatively quick.</p> <h2 id="setting-up-poudriere8">Setting up <code>poudriere(8)</code></h2> <p>With <code>poudriere(8)</code>, we&rsquo;ll be able to manage building the ports with jails and producing a local repository of packages, that we can easily install, as well as manage the ports tree.</p> <p>Once <code>poudriere(8)</code> is installed with <code>pkg install poudriere</code>, we can check its configuration under <code>/usr/local/etc/poudriere.conf</code>.</p> <p>Here is what I like to adapt from the sample file:</p> <div class="codehilite"><pre><span></span><code><span class="c"># Use the ZFS dataset zroot/poudriere</span> <span class="nv">ZPOOL</span><span class="o">=</span>zroot <span class="nv">ZROOTFS</span><span class="o">=</span>/poudriere <span class="c"># Which is mounted on /poudriere</span> <span class="nv">BASEFS</span><span class="o">=</span>/poudriere <span class="c"># Suggested value</span> <span class="nv">FREEBSD_HOST</span><span class="o">=</span>https://download.FreeBSD.org <span class="c"># DNS resolution for jails</span> <span class="nv">RESOLV_CONF</span><span class="o">=</span>/etc/resolv.conf <span class="c"># Use tempfs(5) for wrdir and data</span> <span class="nv">USE_TMPFS</span><span class="o">=</span>yes <span class="c"># Adapt this to your CPU count, leaving some for your regular use</span> <span class="nv">PARALLEL_JOBS</span><span class="o">=</span><span class="m">6</span> <span class="c"># I have found timestamps to be useful</span> <span class="nv">TIMESTAMP_LOGS</span><span class="o">=</span>yes <span class="c"># I like to keep old versions around</span> <span class="nv">KEEP_OLD_PACKAGES</span><span class="o">=</span>yes <span class="nv">KEEP_OLD_PACKAGES_COUNT</span><span class="o">=</span><span class="m">2</span> <span class="c"># Use the &#39;latest&#39; ports branch when fetching pre-buit binaries</span> <span class="nv">PACKAGE_FETCH_BRANCH</span><span class="o">=</span><span class="s2">&quot;latest&quot;</span> </code></pre></div> <h2 id="getting-the-ports-tree">Getting the ports tree</h2> <p>This can be done in multiple ways, the most convenient one is getting the code from the same repository that is used by developers over anonymous git with <code>poudriere(8)</code>:</p> <div class="codehilite"><pre><span></span><code><span class="c1"># Fetch the ports tree</span> &gt;<span class="w"> </span>poudriere<span class="w"> </span>ports<span class="w"> </span>-c<span class="w"> </span>-p<span class="w"> </span>default </code></pre></div> <blockquote> <p><strong>UPDATE 2025-07-01:</strong> If we want to keep the ports tree up to date, we will want to run <code>poudriere ports -u -p default</code> every once in a while.</p> </blockquote> <h2 id="creating-the-port">Creating the port</h2> <p>Luckily, this is a fairly standard port, we start by identifying a somewhat similar port, like <a href="https://cgit.freebsd.org/ports/tree/x11-wm/swayfx" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank"><code>x11-wm/swayfx</code></a>, and using it as a starting point.</p> <p>Here is roughly what that looks like:</p> <div class="codehilite"><pre><span></span><code><span class="nv">PORTNAME</span><span class="o">=</span><span class="w"> </span>maomao <span class="nv">PORTVERSION</span><span class="o">=</span><span class="w"> </span><span class="m">0</span>.7.0 <span class="nv">CATEGORIES</span><span class="o">=</span><span class="w"> </span>x11-wm<span class="w"> </span>wayland <span class="nv">MAINTAINER</span><span class="o">=</span><span class="w"> </span>ports@FreeBSD.org <span class="nv">COMMENT</span><span class="o">=</span><span class="w"> </span>A<span class="w"> </span>streamlined<span class="w"> </span>but<span class="w"> </span>feature-rich<span class="w"> </span>Wayland<span class="w"> </span>compositor <span class="nv">WWW</span><span class="o">=</span><span class="w"> </span>https://github.com/DreamMaoMao/maomaowm <span class="c"># See: https://github.com/DreamMaoMao/maomaowm/issues/127</span> <span class="nv">LICENSE</span><span class="o">=</span><span class="w"> </span>GPLv3+ <span class="nv">LICENSE_FILE</span><span class="o">=</span><span class="w"> </span><span class="si">${</span><span class="nv">WRKSRC</span><span class="si">}</span>/LICENSE <span class="nv">USES</span><span class="o">=</span><span class="w"> </span>meson<span class="w"> </span>pkgconfig<span class="w"> </span>desktop-file-utils <span class="nv">OPTIONS_DEFINE</span><span class="o">=</span><span class="w"> </span>X11 <span class="nv">OPTIONS_DEFAULT</span><span class="o">=</span>X11 <span class="nv">X11_MESON_ENABLED</span><span class="o">=</span><span class="w"> </span>xwayland <span class="nv">USE_GITHUB</span><span class="o">=</span><span class="w"> </span>yes <span class="nv">GH_ACCOUNT</span><span class="o">=</span><span class="w"> </span>DreamMaoMao <span class="nv">GH_PROJECT</span><span class="o">=</span><span class="w"> </span>maomaowm <span class="cp">.include &lt;bsd.port.mk&gt;</span> </code></pre></div> <p>We then check the <code>meson.build</code> file, which <a href="https://github.com/DreamMaoMao/maomaowm/blob/f202a16abe5bd0c79d698ad6090009c624330c60/meson.build#L74" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">lists all its dependencies</a>.</p> <p>And adapt entries acordingly:</p> <div class="codehilite"><pre><span></span><code><span class="nv">BUILD_DEPENDS</span><span class="o">=</span><span class="w"> </span>wayland-scanner:graphics/wayland<span class="w"> </span><span class="se">\</span> <span class="w"> </span>wayland-protocols&gt;0:graphics/wayland-protocols<span class="w"> </span><span class="se">\</span> <span class="w"> </span>evdev-proto&gt;0:devel/evdev-proto <span class="nv">LIB_DEPENDS</span><span class="o">=</span><span class="w"> </span>libscenefx-0.4.so:x11-toolkits/scenefx04<span class="w"> </span><span class="se">\</span> <span class="w"> </span>libwlroots-0.19.so:x11-toolkits/wlroots019 <span class="nv">X11_LIB_DEPENDS</span><span class="o">=</span><span class="w"> </span>libxcb-icccm.so:x11/xcb-util-wm <span class="nv">X11_USE</span><span class="o">=</span><span class="w"> </span><span class="nv">XORG</span><span class="o">=</span>xcb,pixman </code></pre></div> <p>I also identify that we need the same sample file, version and C flag patches that <code>x11-wm/swayfx</code> implements, so I copy and adapt those:</p> <div class="codehilite"><pre><span></span><code><span class="nf">post-patch</span><span class="o">:</span> <span class="c"># Extract (snapshot) version from the port instead of meson.build</span> <span class="w"> </span>@<span class="si">${</span><span class="nv">REINPLACE_CMD</span><span class="si">}</span><span class="w"> </span>-i<span class="w"> </span>.nogit<span class="w"> </span>-e<span class="w"> </span><span class="s1">&#39;s/git.found()/false/&#39;</span><span class="w"> </span><span class="se">\</span> <span class="w"> </span>-e<span class="w"> </span><span class="s1">&#39;/unknown/s/@0@/${DISTVERSIONFULL}/&#39;</span><span class="w"> </span><span class="se">\</span> <span class="w"> </span><span class="si">${</span><span class="nv">WRKSRC</span><span class="si">}</span>/meson.build <span class="c"># Fix C flags</span> <span class="c"># https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=275328</span> <span class="w"> </span>@<span class="si">${</span><span class="nv">REINPLACE_CMD</span><span class="si">}</span><span class="w"> </span>-e<span class="w"> </span><span class="s1">&#39;s/_POSIX_C_SOURCE=200809L/_XOPEN_SOURCE=700/&#39;</span><span class="w"> </span><span class="se">\</span> <span class="w"> </span><span class="si">${</span><span class="nv">WRKSRC</span><span class="si">}</span>/meson.build <span class="c"># Install config file as a sample</span> <span class="w"> </span>@<span class="si">${</span><span class="nv">REINPLACE_CMD</span><span class="si">}</span><span class="w"> </span>-e<span class="w"> </span><span class="s2">&quot;s/&#39;config.conf&#39;/&#39;config.conf&#39;, rename: &#39;config.conf.sample&#39;/&quot;</span><span class="w"> </span><span class="se">\</span> <span class="w"> </span><span class="si">${</span><span class="nv">WRKSRC</span><span class="si">}</span>/meson.build <span class="c"># Respect PREFIX for system-wide config</span> <span class="w"> </span>@<span class="si">${</span><span class="nv">REINPLACE_CMD</span><span class="si">}</span><span class="w"> </span>-e<span class="w"> </span><span class="s2">&quot;s,format(&#39;/etc&#39;),format(&#39;</span><span class="si">${</span><span class="nv">PREFIX</span><span class="si">}</span><span class="s2">/etc&#39;),&quot;</span><span class="w"> </span><span class="se">\</span> <span class="w"> </span><span class="si">${</span><span class="nv">WRKSRC</span><span class="si">}</span>/meson.build </code></pre></div> <p>We update / generate the <code>distinfo</code> file with <code>make makesum</code>.</p> <p>Then the <code>pkg-plist</code> file:</p> <div class="codehilite"><pre><span></span><code><span class="n">bin</span><span class="o">/</span><span class="n">maomao</span> <span class="nv">@sample</span><span class="w"> </span><span class="o">%%</span><span class="n">ETCDIR</span><span class="o">%%/</span><span class="n">config</span><span class="p">.</span><span class="n">conf</span><span class="p">.</span><span class="n">sample</span> <span class="n">share</span><span class="o">/</span><span class="n">wayland</span><span class="o">-</span><span class="n">sessions</span><span class="o">/</span><span class="n">maomao</span><span class="p">.</span><span class="n">desktop</span> </code></pre></div> <p>And also create the <code>pkg-descr</code> file:</p> <div class="codehilite"><pre><span></span><code><span class="nx">A</span><span class="w"> </span><span class="nx">streamlined</span><span class="w"> </span><span class="nx">but</span><span class="w"> </span><span class="nx">feature</span><span class="o">-</span><span class="nx">rich</span><span class="w"> </span><span class="nx">Wayland</span><span class="w"> </span><span class="nx">compositor</span> <span class="mi">1</span><span class="p">.</span><span class="w"> </span><span class="o">**</span><span class="nx">Lightweight</span><span class="w"> </span><span class="o">&amp;</span><span class="w"> </span><span class="nx">Fast</span><span class="w"> </span><span class="nx">Build</span><span class="o">**</span> <span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="nx">_Maomao_</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="k">as</span><span class="w"> </span><span class="nx">lightweight</span><span class="w"> </span><span class="k">as</span><span class="w"> </span><span class="nx">_dwl_</span><span class="p">,</span><span class="w"> </span><span class="k">and</span><span class="w"> </span><span class="nx">its</span><span class="w"> </span><span class="nx">build</span><span class="w"> </span><span class="nx">can</span><span class="w"> </span><span class="nx">be</span><span class="w"> </span><span class="nx">completed</span><span class="w"> </span><span class="nx">within</span> <span class="w"> </span><span class="nx">few</span><span class="w"> </span><span class="nx">seconds</span><span class="p">.</span><span class="w"> </span><span class="nx">Despite</span><span class="w"> </span><span class="nx">this</span><span class="p">,</span><span class="w"> </span><span class="nx">_maomao_</span><span class="w"> </span><span class="nx">does</span><span class="w"> </span><span class="k">not</span><span class="w"> </span><span class="nx">compromise</span><span class="w"> </span><span class="nx">on</span><span class="w"> </span><span class="nx">functionality</span><span class="p">.</span> <span class="mi">2</span><span class="p">.</span><span class="w"> </span><span class="o">**</span><span class="nx">Feature</span><span class="w"> </span><span class="nx">Highlights</span><span class="o">**</span> <span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="nx">In</span><span class="w"> </span><span class="nx">addition</span><span class="w"> </span><span class="nx">to</span><span class="w"> </span><span class="nx">basic</span><span class="w"> </span><span class="nx">WM</span><span class="w"> </span><span class="nx">functionality</span><span class="p">,</span><span class="w"> </span><span class="nx">Maomao</span><span class="w"> </span><span class="nx">provides</span><span class="p">:</span> <span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="nx">Base</span><span class="w"> </span><span class="nx">tag</span><span class="w"> </span><span class="k">not</span><span class="w"> </span><span class="nx">workspace</span><span class="w"> </span><span class="p">(</span><span class="nx">supports</span><span class="w"> </span><span class="nx">separate</span><span class="w"> </span><span class="nx">window</span><span class="w"> </span><span class="nx">layouts</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="nx">each</span><span class="w"> </span><span class="nx">tag</span><span class="p">)</span> <span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="nx">Smooth</span><span class="w"> </span><span class="k">and</span><span class="w"> </span><span class="nx">customizable</span><span class="w"> </span><span class="nx">complete</span><span class="w"> </span><span class="nx">animations</span><span class="w"> </span><span class="p">(</span><span class="nx">window</span><span class="w"> </span><span class="nx">open</span><span class="o">/</span><span class="nx">move</span><span class="o">/</span><span class="nx">close</span><span class="p">,</span><span class="w"> </span><span class="nx">tag</span> <span class="w"> </span><span class="nx">enter</span><span class="o">/</span><span class="nx">leave</span><span class="p">)</span> <span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="nx">Excellent</span><span class="w"> </span><span class="nx">input</span><span class="w"> </span><span class="nx">method</span><span class="w"> </span><span class="nx">support</span><span class="w"> </span><span class="p">(</span><span class="nx">text</span><span class="w"> </span><span class="nx">input</span><span class="w"> </span><span class="nx">v2</span><span class="o">/</span><span class="nx">v3</span><span class="p">)</span> <span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="nx">Flexible</span><span class="w"> </span><span class="nx">window</span><span class="w"> </span><span class="nx">layouts</span><span class="w"> </span><span class="nx">with</span><span class="w"> </span><span class="nx">easy</span><span class="w"> </span><span class="nx">switching</span><span class="w"> </span><span class="p">(</span><span class="nx">scroller</span><span class="p">,</span><span class="w"> </span><span class="nx">master</span><span class="p">,</span><span class="w"> </span><span class="nx">monocle</span><span class="p">,</span> <span class="w"> </span><span class="nx">spiral</span><span class="p">,</span><span class="w"> </span><span class="nx">etc</span><span class="p">.)</span> <span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="nx">Rich</span><span class="w"> </span><span class="nx">window</span><span class="w"> </span><span class="nx">states</span><span class="w"> </span><span class="p">(</span><span class="nx">swallow</span><span class="p">,</span><span class="w"> </span><span class="nx">minimize</span><span class="p">,</span><span class="w"> </span><span class="nx">maximize</span><span class="p">,</span><span class="w"> </span><span class="nx">unglobal</span><span class="p">,</span><span class="w"> </span><span class="nx">global</span><span class="p">,</span> <span class="w"> </span><span class="nx">fakefullscreen</span><span class="p">,</span><span class="w"> </span><span class="nx">overlay</span><span class="p">,</span><span class="w"> </span><span class="nx">etc</span><span class="p">.)</span> <span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="nx">Simple</span><span class="w"> </span><span class="nx">yet</span><span class="w"> </span><span class="nx">powerful</span><span class="w"> </span><span class="kd">external</span><span class="w"> </span><span class="nx">configuration</span> <span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="nx">Sway</span><span class="o">-</span><span class="k">like</span><span class="w"> </span><span class="nx">scratchpad</span><span class="w"> </span><span class="k">and</span><span class="w"> </span><span class="nx">named</span><span class="w"> </span><span class="nx">scratchpad</span> <span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="nx">Minimize</span><span class="w"> </span><span class="nx">window</span><span class="w"> </span><span class="nx">to</span><span class="w"> </span><span class="nx">scratchpad</span> <span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="nx">Hycov</span><span class="o">-</span><span class="k">like</span><span class="w"> </span><span class="nx">overview</span> <span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="nx">Window</span><span class="w"> </span><span class="nx">effects</span><span class="w"> </span><span class="nx">from</span><span class="w"> </span><span class="nx">scenefx</span><span class="p">(</span><span class="nx">blur</span><span class="p">,</span><span class="w"> </span><span class="nx">shadow</span><span class="p">,</span><span class="w"> </span><span class="nx">corner</span><span class="w"> </span><span class="nx">radius</span><span class="p">,</span><span class="w"> </span><span class="nx">opacity</span><span class="p">)</span> </code></pre></div> <p>And the <code>pkg-message</code> file, which gets shown upon install:</p> <div class="codehilite"><pre><span></span><code><span class="p">[</span> <span class="p">{</span><span class="w"> </span><span class="k">type</span><span class="p">:</span><span class="w"> </span><span class="nx">install</span> <span class="w"> </span><span class="nx">message</span><span class="p">:</span><span class="w"> </span><span class="o">&lt;&lt;</span><span class="nx">EOM</span> <span class="nx">The</span><span class="w"> </span><span class="k">default</span><span class="w"> </span><span class="nx">configuration</span><span class="w"> </span><span class="nx">works</span><span class="w"> </span><span class="nx">best</span><span class="w"> </span><span class="nx">by</span><span class="w"> </span><span class="nx">installing</span><span class="w"> </span><span class="nx">foot</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span><span class="w"> </span><span class="k">and</span><span class="w"> </span><span class="nx">rofi</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="nx">alongside</span><span class="w"> </span><span class="nx">maomao</span><span class="p">.</span> <span class="nx">Also</span><span class="p">,</span><span class="w"> </span><span class="nx">keep</span><span class="w"> </span><span class="nx">these</span><span class="w"> </span><span class="k">default</span><span class="w"> </span><span class="nx">shortcuts</span><span class="w"> </span><span class="k">in</span><span class="w"> </span><span class="nx">mind</span><span class="p">:</span> <span class="o">-</span><span class="w"> </span><span class="nx">alt</span><span class="o">+</span><span class="k">return</span><span class="p">:</span><span class="w"> </span><span class="nx">open</span><span class="w"> </span><span class="nx">foot</span><span class="w"> </span><span class="nx">terminal</span> <span class="o">-</span><span class="w"> </span><span class="nx">alt</span><span class="o">+</span><span class="nx">q</span><span class="p">:</span><span class="w"> </span><span class="nx">kill</span><span class="w"> </span><span class="nx">client</span> <span class="o">-</span><span class="w"> </span><span class="nx">alt</span><span class="o">+</span><span class="nx">left</span><span class="o">/</span><span class="nx">right</span><span class="o">/</span><span class="nx">up</span><span class="o">/</span><span class="nx">down</span><span class="p">:</span><span class="w"> </span><span class="nx">focus</span><span class="w"> </span><span class="nx">direction</span> <span class="o">-</span><span class="w"> </span><span class="nx">super</span><span class="o">+</span><span class="nx">m</span><span class="p">:</span><span class="w"> </span><span class="nx">quit</span><span class="w"> </span><span class="nx">maomao</span> <span class="nx">EOM</span> <span class="p">}</span> <span class="p">]</span> </code></pre></div> <h2 id="building-the-port">Building the port</h2> <p>We do this with <code>poudriere(8)</code>, which uses jails and ZFS snapshots.</p> <p>We first have to create the jail, if we haven&rsquo;t already:</p> <div class="codehilite"><pre><span></span><code><span class="c1"># Create a builder jail for amd64 based on 14.3-RELEASE</span> &gt;<span class="w"> </span>poudriere<span class="w"> </span>jail<span class="w"> </span>-c<span class="w"> </span>-j<span class="w"> </span><span class="m">143</span>-amd64<span class="w"> </span>-v<span class="w"> </span><span class="m">14</span>.3-RELEASE <span class="c1"># We also can keep the jail up to date with:</span> <span class="c1"># poudriere jail -u -j 143-amd64</span> </code></pre></div> <p>And we can now instruct <code>poudriere(8)</code> to use our ports tree with this jail to build this port:</p> <div class="codehilite"><pre><span></span><code><span class="c1"># Start jail 143-amd64, with the default ports tree, to build maomao</span> &gt;<span class="w"> </span>poudriere<span class="w"> </span>bulk<span class="w"> </span>-j<span class="w"> </span><span class="m">143</span>-amd64<span class="w"> </span>-p<span class="w"> </span>default<span class="w"> </span>x11-wm/maomao </code></pre></div> <p>This will fetch all needed packages along with their dependencies, so we only have to build locally the port we need.</p> <h2 id="testing-the-port">Testing the port</h2> <p>Once the port builds (which required a small code patch), we can install it with:</p> <div class="codehilite"><pre><span></span><code><span class="c1"># Install the resulting maomao binary pkg</span> &gt;<span class="w"> </span>pkg<span class="w"> </span>add<span class="w"> </span>/poudriere/data/packages/143Ramd64-default/All/maomao-.pkg </code></pre></div> <p>And we can then run it as usual.</p> <h2 id="updating-the-port">Updating the port</h2> <p>The recurring work of updating the port lies in updating the <code>Makefile</code> with each release. Usually dependencies are pretty stable, other than that we just have to:</p> <ul> <li>change the <code>PORTVERSION</code> to match the latest release<ul> <li>In the case of <code>mmsg</code>, that&rsquo;d be <code>DISTVERSION</code> and <code>GH_TAGNAME</code>, this is because it does not currently have actual releases</li> </ul> </li> <li>update the checksums with <code>make makesum</code></li> <li>test that the port builds and works</li> <li>submit a patch to <a href="https://bugs.FreeBSD.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">bugs.FreeBSD.org</a></li> </ul> <h2 id="creating-the-patch">Creating the patch</h2> <blockquote> <p><strong>UPDATE 2025-07-01:</strong> This guide was missing how to create the patch files in order to submit them.</p> </blockquote> <p>By default <code>poudriere-ports(8)</code> uses the <code>git+https</code> method of creating and managing the ports tree, which means that the ports tree will itself be a cloned copy of the <code>git(1)</code> Ports repository!</p> <p>That means that we can use standard tooling to see the diffs, and to format patches!</p> <p>In order to see everything that we have changed, we can use <code>git diff</code> from any directory in the repository.</p> <p>Now, let&rsquo;s use <code>x11-wm/maomao</code> as our <strong>current working directory</strong>.</p> <p>We can see the changes to our port with <code>git diff .</code>.</p> <p>And we can also &ldquo;stage&rdquo; any changes to the port with <code>git add .</code> (or <code>git add x11-wm/maomao</code> if running from the root of the Ports Tree).</p> <blockquote> <p>&ldquo;Staging&rdquo; in git-speak means, that we are marking some changes as something that we want to commit to the repository.</p> </blockquote> <p>In order to check what we are about to commit, we can run <code>git diff --staged</code>.</p> <p>Once that looks OK, we can add a commit to our ports tree with <code>git commit</code>.</p> <p>And in order to generate a valid <code>.diff</code> file, we ought to <code>cd</code> into the root of the Ports Tree, and run <code>git format-patch HEAD^..</code>, this means: &ldquo;please generate the diff that only includes the very last commit&rdquo;.</p> <p>This will generate a file called <code>0001-ShortNameOfCommit.patch</code>, which we can then submit as an attachment to [bugs.FreeBSD.org][bugs.FreeBSD.org].</p> <h2 id="submitting-the-patch">Submitting the patch</h2> <p>Now that we created two ports: <code>x11-wm/maomao</code> and <code>deskutils/mmsg</code>, we can submit them and hope that they get merged soon.</p> <p>Since <a href="https://bsd.network/@DianeBruce/114717436550314844" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Diane Bruce offered</a> to help commit this, we add her as a reviewer. And since further maintainership is going to <a href="https://snac.smithies.me.uk/justine/p/1750438853.942123" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Justine</a>, we add her on CC.</p> <p>You can check the patch and its state <a href="https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=287919" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">here</a> for <code>x11-wm/maomao</code>.</p> <p>For <code>deskutils/mmsg</code>, we are waiting for the <a href="https://github.com/DreamMaoMao/mmsg/issues/13" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">LICENSE to be clarified</a>; once that&rsquo;s done, we&rsquo;ll be able to submit the patch to FreeBSD&rsquo;s ports.</p> <p>[pr_mmsg]: </p> <h1 id="conclusions">Conclusions</h1> <p>Generally speaking, I would advise people who want to get into contributing to the ports tree, to start by <em>updating</em> ports that they use and care about.</p> <p>Committers and maintainers are usually happy to have a patch to quickly review and test as opposed to having to do the whole work.</p> <p>In this case, since the port did not exist, it might be easier to <a href="https://xkcd.com/356/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">nerdsnipe</a> someone into creating the ports, and then helping out with the maintenance ;-) which is always super needed and appreciated!</p>2023-11-07T00:00:00Zurn:uuid:656e1f17-cb2d-3e0c-ad7a-5baecf290e6e<h1 id="introduction">Introduction</h1> <p>As part of <a href="/en/blog/2023-trying-out-kubernetes-1-planning/">trying out Kubernetes</a>, we are going to set up <code>etcd</code>!</p> <blockquote> <p><code>etcd</code> is a &ldquo;distributed reliable key-value store for the most critical data of a distributed system &ldquo;</p> </blockquote> <p>This is where Kubernetes <a href="/en/blog/2023-trying-out-kubernetes-1-planning/#etcd">state lives</a>, given how important that is and how it seems to make sense to run it separated from the Kubernetes cluster for High Availability, we will be doing just that, using <a href="https://wikitech.wikimedia.org/wiki/Etcd" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">WMF&rsquo;s etcd guide</a> as inspiration for decisions that are important.</p> <h1 id="table-of-contents">Table of contents</h1> <div class="toc"> <ul> <li><a href="#introduction">Introduction</a></li> <li><a href="#table-of-contents">Table of contents</a></li> <li><a href="#vm-resources">VM Resources</a></li> <li><a href="#installing">Installing</a></li> <li><a href="#setting-up-the-cluster">Setting up the cluster</a><ul> <li><a href="#dns-discovery">DNS discovery</a></li> <li><a href="#provisioning-parenthesis">Provisioning parenthesis</a></li> </ul> </li> <li><a href="#testing-the-cluster">Testing the cluster</a><ul> <li><a href="#basic-functioning">Basic functioning</a></li> <li><a href="#killing-cluster-members">Killing cluster members</a></li> </ul> </li> <li><a href="#conclusion">Conclusion</a></li> </ul> </div> <h1 id="vm-resources">VM Resources</h1> <p>According to <a href="https://etcd.io/docs/v3.5/op-guide/hardware/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">etcd&rsquo;s Operations documentation</a> at least 8G RAM is recommended for each node, and 2G should be the bare minimum, so we&rsquo;ll change that for etcd hosts to something in between:</p> <div class="codehilite"><pre><span></span><code># Changing in VM_BHYVE/k8s-etcd-1/k8s-etcd-1.conf memory=4G </code></pre></div> <p>The limiting factor here will likely be the mechanical hard drives :-), but this is the hardware we have.</p> <h1 id="installing">Installing</h1> <p>Since we are using Debian and there is (so far?) no good reason here to use other binaries, we&rsquo;ll just: <code>apt-get install etcd-server</code> (currently v3.4.23, that&rsquo;s new enough, it defaults to <code>v3</code> of the protocol).</p> <h1 id="setting-up-the-cluster">Setting up the cluster</h1> <p>Since this is a small experiment, we could start the cluster with statically-defined members and that would be a breeze to set up as it is just a matter of passing the right CLI arguments / environment variables.</p> <p>But we want to try out <a href="https://etcd.io/docs/v3.5/op-guide/clustering/#dns-discovery" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">DNS discovery</a>.</p> <h2 id="dns-discovery">DNS discovery</h2> <p>I&rsquo;ll use <code>discovery-srv=lab.evilham.com</code> and <code>discovery-srv-name=c1</code>. The <code>c1</code> serves to tell this cluster apart from others which could exist in the future :-).</p> <p>Which means we need to set up following DNS entries for this cluster with my <a href="https://git.sr.ht/~evilham/cdist-evilham/tree/main/item/type/__evilham_knot_dns/man.rst" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">cdist types</a>:</p> <div class="codehilite"><pre><span></span><code>#<span class="w"> </span>This<span class="w"> </span>is<span class="w"> </span>knot<span class="w"> </span>client<span class="w"> </span>syntax zone-unset<span class="w"> </span>evilham.com<span class="w"> </span>lab ##<span class="w"> </span>Server<span class="w"> </span>SRV<span class="w"> </span>records zone-set<span class="w"> </span>evilham.com<span class="w"> </span>_etcd-server-ssl-c1._tcp.lab<span class="w"> </span>300<span class="w"> </span>SRV<span class="w"> </span>0<span class="w"> </span>0<span class="w"> </span>2380<span class="w"> </span>k8s-etcd-1.c1.lab zone-set<span class="w"> </span>evilham.com<span class="w"> </span>_etcd-server-ssl-c1._tcp.lab<span class="w"> </span>300<span class="w"> </span>SRV<span class="w"> </span>0<span class="w"> </span>0<span class="w"> </span>2380<span class="w"> </span>k8s-etcd-2.c1.lab zone-set<span class="w"> </span>evilham.com<span class="w"> </span>_etcd-server-ssl-c1._tcp.lab<span class="w"> </span>300<span class="w"> </span>SRV<span class="w"> </span>0<span class="w"> </span>0<span class="w"> </span>2380<span class="w"> </span>k8s-etcd-3.c1.lab ##<span class="w"> </span>Client<span class="w"> </span>SRV<span class="w"> </span>records zone-set<span class="w"> </span>evilham.com<span class="w"> </span>_etcd-client-c1._tcp.lab<span class="w"> </span>300<span class="w"> </span>SRV<span class="w"> </span>0<span class="w"> </span>0<span class="w"> </span>2379<span class="w"> </span>k8s-etcd-1.c1.lab zone-set<span class="w"> </span>evilham.com<span class="w"> </span>_etcd-client-c1._tcp.lab<span class="w"> </span>300<span class="w"> </span>SRV<span class="w"> </span>0<span class="w"> </span>0<span class="w"> </span>2379<span class="w"> </span>k8s-etcd-2.c1.lab zone-set<span class="w"> </span>evilham.com<span class="w"> </span>_etcd-client-c1._tcp.lab<span class="w"> </span>300<span class="w"> </span>SRV<span class="w"> </span>0<span class="w"> </span>0<span class="w"> </span>2379<span class="w"> </span>k8s-etcd-3.c1.lab ##<span class="w"> </span>Actual<span class="w"> </span>host<span class="w"> </span>definitions zone-set<span class="w"> </span>evilham.com<span class="w"> </span>k8s-etcd-1.c1.lab<span class="w"> </span>3600<span class="w"> </span>AAAA<span class="w"> </span><span class="cp">${</span><span class="n">_k8s_v6</span><span class="cp">}</span>:1::21 zone-set<span class="w"> </span>evilham.com<span class="w"> </span>k8s-etcd-1.c1.lab<span class="w"> </span>3600<span class="w"> </span>A<span class="w"> </span>10.2.1.21 zone-set<span class="w"> </span>evilham.com<span class="w"> </span>k8s-etcd-2.c1.lab<span class="w"> </span>3600<span class="w"> </span>AAAA<span class="w"> </span><span class="cp">${</span><span class="n">_k8s_v6</span><span class="cp">}</span>:1::22 zone-set<span class="w"> </span>evilham.com<span class="w"> </span>k8s-etcd-2.c1.lab<span class="w"> </span>3600<span class="w"> </span>A<span class="w"> </span>10.2.1.22 zone-set<span class="w"> </span>evilham.com<span class="w"> </span>k8s-etcd-3.c1.lab<span class="w"> </span>3600<span class="w"> </span>AAAA<span class="w"> </span><span class="cp">${</span><span class="n">_k8s_v6</span><span class="cp">}</span>:1::23 zone-set<span class="w"> </span>evilham.com<span class="w"> </span>k8s-etcd-3.c1.lab<span class="w"> </span>3600<span class="w"> </span>A<span class="w"> </span>10.2.1.2 </code></pre></div> <blockquote> <p>I was <strong>not</strong> going to set up TLS for the cluster peers yet because traffic was internal and I run my own DNS. However! Life happened, computers happened. Apparently documentation for 3.4.X is <a href="https://github.com/etcd-io/etcd/issues/11321" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">actually wrong</a> and this is not really supported. In theory TLS SRV entries should be tried, then non-TLS entries, in reality cluster members bail out as soon as fetching TLS SRV records fails.</p> </blockquote> <h2 id="provisioning-parenthesis">Provisioning parenthesis</h2> <p>An advantage of systematically allocating IPs and hostnames is that our provisioning (with <a href="https://cdi.st" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">cdist</a> here) gets easier:</p> <div class="codehilite"><pre><span></span><code><span class="ch">#!/bin/sh -eu</span> <span class="k">case</span><span class="w"> </span><span class="s2">&quot;</span><span class="si">${</span><span class="nv">__target_host</span><span class="si">}</span><span class="s2">&quot;</span><span class="w"> </span><span class="k">in</span> <span class="w"> </span><span class="c1"># Expeted to be: peer-name.cluster-name.lab.evilham.com</span> <span class="w"> </span>k8s-etcd-*.lab.evilham.com<span class="o">)</span> <span class="w"> </span>__hostname<span class="w"> </span>--name<span class="w"> </span><span class="s2">&quot;</span><span class="si">${</span><span class="nv">__target_host</span><span class="si">}</span><span class="s2">&quot;</span> <span class="w"> </span><span class="nv">ETC_DIR</span><span class="o">=</span><span class="s2">&quot;/etc&quot;</span><span class="w"> </span><span class="c1"># targeting linux only atm</span> <span class="w"> </span><span class="c1"># Install etcd package</span> <span class="w"> </span>__package<span class="w"> </span>etcd-server <span class="w"> </span><span class="c1"># Prepare data from hostname</span> <span class="w"> </span><span class="nv">discovery_srv_name</span><span class="o">=</span><span class="s2">&quot;</span><span class="k">$(</span><span class="nb">echo</span><span class="w"> </span><span class="s2">&quot;</span><span class="si">${</span><span class="nv">__target_host</span><span class="si">}</span><span class="s2">&quot;</span><span class="w"> </span><span class="p">|</span><span class="w"> </span>cut<span class="w"> </span>-d<span class="w"> </span><span class="s1">&#39;.&#39;</span><span class="w"> </span>-f<span class="w"> </span><span class="m">2</span><span class="k">)</span><span class="s2">&quot;</span> <span class="w"> </span><span class="nv">discovery_srv</span><span class="o">=</span><span class="s2">&quot;</span><span class="k">$(</span><span class="nb">echo</span><span class="w"> </span><span class="s2">&quot;</span><span class="si">${</span><span class="nv">__target_host</span><span class="si">}</span><span class="s2">&quot;</span><span class="w"> </span><span class="p">|</span><span class="w"> </span>cut<span class="w"> </span>-d<span class="w"> </span><span class="s1">&#39;.&#39;</span><span class="w"> </span>-f<span class="w"> </span><span class="m">3</span>-<span class="k">)</span><span class="s2">&quot;</span> <span class="w"> </span><span class="c1"># Will look like: eh-etcd-c1</span> <span class="w"> </span><span class="nv">initial_cluster_token</span><span class="o">=</span><span class="s2">&quot;eh-etcd-</span><span class="si">${</span><span class="nv">discovery_srv_name</span><span class="si">}</span><span class="s2">&quot;</span> <span class="w"> </span><span class="nv">require</span><span class="o">=</span><span class="s2">&quot;__package/etcd-server&quot;</span><span class="w"> </span>__file<span class="w"> </span>/etc/default/etcd<span class="w"> </span><span class="se">\</span> <span class="w"> </span>--onchange<span class="w"> </span><span class="s2">&quot;service etcd restart&quot;</span><span class="w"> </span><span class="se">\</span> <span class="w"> </span>--source<span class="w"> </span>-<span class="w"> </span><span class="s">&lt;&lt;EOF</span> <span class="s"># Managed remotely, changes will be lost!</span> <span class="s">ETCD_NAME=&#39;${__target_host}&#39;</span> <span class="s"># DNS discovery</span> <span class="s">ETCD_DISCOVERY_SRV=&#39;${discovery_srv}&#39;</span> <span class="s">ETCD_DISCOVERY_SRV_NAME=&#39;${discovery_srv_name}&#39;</span> <span class="s"># Peers use TLS</span> <span class="s">ETCD_INITIAL_ADVERTISE_PEER_URLS=&#39;https://${__target_host}:2380&#39;</span> <span class="s">ETCD_LISTEN_PEER_URLS=&#39;https://[::]:2380&#39;</span> <span class="s"># Clients do not</span> <span class="s">ETCD_LISTEN_CLIENT_URLS=&#39;http://[::]:2379&#39;</span> <span class="s">ETCD_ADVERTISE_CLIENT_URLS=&#39;http://${__target_host}:2379&#39;</span> <span class="s"># Setup TLS for peers</span> <span class="s"># This provides encryption but not authentication of peers!</span> <span class="s">ETCD_PEER_AUTO_TLS=&quot;true&quot;</span> <span class="s"># We deploy this first with _ETCD_STATE defined as &#39;new&#39;, so the</span> <span class="s"># cluster gets created. On successive runs, the state will be &#39;existing&#39;.</span> <span class="s">DAEMON_ARGS=&quot;--initial-cluster-token &#39;${initial_cluster_token}&#39; \</span> <span class="s"> --initial-cluster-state &#39;${_ETCD_STATE:-existing}&#39;&#39;&quot;</span> <span class="s">EOF</span> <span class="w"> </span><span class="p">;;</span> <span class="k">esac</span> </code></pre></div> <p>So, now we apply this manifest on all VMs on the cluster:</p> <div class="codehilite"><pre><span></span><code>env<span class="w"> </span><span class="nv">_ETCD_STATE</span><span class="o">=</span>new<span class="w"> </span>cdist<span class="w"> </span>config<span class="w"> </span>-i<span class="w"> </span>manifest/etcd<span class="w"> </span>k8s-etcd-<span class="o">{</span><span class="m">1</span>,2,3<span class="o">}</span>.c1.lab.evilham.com <span class="o">[</span>...<span class="o">]</span> VERBOSE:<span class="w"> </span><span class="o">[</span><span class="m">5341</span><span class="o">]</span>:<span class="w"> </span>config:<span class="w"> </span>Total<span class="w"> </span>processing<span class="w"> </span><span class="nb">time</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="m">3</span><span class="w"> </span>host<span class="o">(</span>s<span class="o">)</span>:<span class="w"> </span><span class="m">33</span>.292810678482056 </code></pre></div> <h1 id="testing-the-cluster">Testing the cluster</h1> <p>We will install <code>etcd-client</code> on the control-plane VM, which has access to the network, and see how things behave.</p> <h2 id="basic-functioning">Basic functioning</h2> <div class="codehilite"><pre><span></span><code>$<span class="w"> </span>etcdctl<span class="w"> </span>--discovery-srv<span class="o">=</span><span class="s1">&#39;lab.evilham.com&#39;</span><span class="w"> </span>--discovery-srv-name<span class="o">=</span><span class="s1">&#39;c1&#39;</span><span class="w"> </span><span class="se">\</span> <span class="w"> </span>put<span class="w"> </span><span class="s2">&quot;Gabon&quot;</span><span class="w"> </span><span class="s2">&quot;Bona nit&quot;</span> OK $<span class="w"> </span>etcdctl<span class="w"> </span>--discovery-srv<span class="o">=</span><span class="s1">&#39;lab.evilham.com&#39;</span><span class="w"> </span>--discovery-srv-name<span class="o">=</span><span class="s1">&#39;c1&#39;</span><span class="w"> </span><span class="se">\</span> <span class="w"> </span>get<span class="w"> </span><span class="s2">&quot;Gabon&quot;</span> Gabon Bona<span class="w"> </span>nit $<span class="w"> </span>etcdctl<span class="w"> </span>--discovery-srv<span class="o">=</span><span class="s1">&#39;lab.evilham.com&#39;</span><span class="w"> </span>--discovery-srv-name<span class="o">=</span><span class="s1">&#39;c1&#39;</span><span class="w"> </span><span class="se">\</span> <span class="w"> </span>--write-out<span class="o">=</span>fields<span class="w"> </span>get<span class="w"> </span><span class="s2">&quot;Gabon&quot;</span> <span class="s2">&quot;ClusterID&quot;</span><span class="w"> </span>:<span class="w"> </span><span class="m">17681054088137536936</span> <span class="s2">&quot;MemberID&quot;</span><span class="w"> </span>:<span class="w"> </span><span class="m">9829860431962910583</span> <span class="s2">&quot;Revision&quot;</span><span class="w"> </span>:<span class="w"> </span><span class="m">26834</span> <span class="s2">&quot;RaftTerm&quot;</span><span class="w"> </span>:<span class="w"> </span><span class="m">61940</span> <span class="s2">&quot;Key&quot;</span><span class="w"> </span>:<span class="w"> </span><span class="s2">&quot;Gabon&quot;</span> <span class="s2">&quot;CreateRevision&quot;</span><span class="w"> </span>:<span class="w"> </span><span class="m">26833</span> <span class="s2">&quot;ModRevision&quot;</span><span class="w"> </span>:<span class="w"> </span><span class="m">26834</span> <span class="s2">&quot;Version&quot;</span><span class="w"> </span>:<span class="w"> </span><span class="m">2</span> <span class="s2">&quot;Value&quot;</span><span class="w"> </span>:<span class="w"> </span><span class="s2">&quot;Bona nit&quot;</span> <span class="s2">&quot;Lease&quot;</span><span class="w"> </span>:<span class="w"> </span><span class="m">0</span> <span class="s2">&quot;More&quot;</span><span class="w"> </span>:<span class="w"> </span><span class="nb">false</span> <span class="s2">&quot;Count&quot;</span><span class="w"> </span>:<span class="w"> </span><span class="m">1</span> </code></pre></div> <p>Cute! It seems to be working.</p> <h2 id="killing-cluster-members">Killing cluster members</h2> <p>Since there is no data, I want to see what happens when I kill the leader, first I have to find out who it is:</p> <div class="codehilite"><pre><span></span><code>$<span class="w"> </span>etcdctl<span class="w"> </span>--discovery-srv<span class="o">=</span><span class="s1">&#39;lab.evilham.com&#39;</span><span class="w"> </span>--discovery-srv-name<span class="o">=</span><span class="s1">&#39;c1&#39;</span><span class="w"> </span>--write-out<span class="o">=</span>table<span class="w"> </span><span class="se">\</span> <span class="w"> </span>endpoint<span class="w"> </span>status<span class="w"> </span>--cluster </code></pre></div> <p>It seems like <code>k8s-etcd-2</code> is the chosen one (<code>IS LEADER</code>) right now, let&rsquo;s power it off.</p> <p>Repeating the previous command is not as quick as before and I get a warning <code>context deadline exceeded</code>, corresponding to <code>k8s-etcd-2</code> being down. Interestingly, there is a new leader in town, <code>k8s-etcd-1</code>!</p> <p>Not for long, let&rsquo;s kill it too.</p> <p>Now, the cluster shows an error <code>etcdserver: no leader</code>.</p> <p>This makes sense, it knows about two other peers, and it can&rsquo;t decide to be the leader on its own; there could very well be a network split and that&rsquo;d get messy when the two parts can talk to each other! This is why an <code>etcd</code> cluster has <code>2*n+1</code> peers!</p> <p>What if I try to add something to the cluster again?</p> <div class="codehilite"><pre><span></span><code>$<span class="w"> </span>etcdctl<span class="w"> </span>--discovery-srv<span class="o">=</span><span class="s1">&#39;lab.evilham.com&#39;</span><span class="w"> </span>--discovery-srv-name<span class="o">=</span><span class="s1">&#39;c1&#39;</span><span class="w"> </span><span class="se">\</span> <span class="w"> </span>put<span class="w"> </span><span class="s2">&quot;Egun on&quot;</span><span class="w"> </span><span class="s2">&quot;Bon dia&quot;</span> ...<span class="w"> </span>context<span class="w"> </span>deadline<span class="w"> </span>exceeded<span class="w"> </span>... </code></pre></div> <p>So, it turned read-only? good! Can I still query it?</p> <div class="codehilite"><pre><span></span><code>$<span class="w"> </span>etcdctl<span class="w"> </span>--discovery-srv<span class="o">=</span><span class="s1">&#39;lab.evilham.com&#39;</span><span class="w"> </span>--discovery-srv-name<span class="o">=</span><span class="s1">&#39;c1&#39;</span><span class="w"> </span><span class="se">\</span> <span class="w"> </span>get<span class="w"> </span><span class="s2">&quot;Gabon&quot;</span> ...<span class="w"> </span>context<span class="w"> </span>deadline<span class="w"> </span>exceeded<span class="w"> </span>... </code></pre></div> <p>Nope! This is also good, in this context, it is better to have no answer than a potentially wrong one.</p> <p>Let&rsquo;s revive <code>k8s-etcd-2</code> and check the cluster status again.</p> <p>Decent, with two members an election could happen and <code>k8s-etcd-3</code> is the new leader.</p> <p>Now we should be able to teach our etcd to say good morning:</p> <div class="codehilite"><pre><span></span><code>$<span class="w"> </span>etcdctl<span class="w"> </span>--discovery-srv<span class="o">=</span><span class="s1">&#39;lab.evilham.com&#39;</span><span class="w"> </span>--discovery-srv-name<span class="o">=</span><span class="s1">&#39;c1&#39;</span><span class="w"> </span><span class="se">\</span> <span class="w"> </span>put<span class="w"> </span><span class="s2">&quot;Egun on&quot;</span><span class="w"> </span><span class="s2">&quot;Bon dia&quot;</span> OK </code></pre></div> <p>Writing works again, as does reading; good!</p> <p>Now, if we bring back <code>k8s-etcd-1</code>, it should catch up and magically learn to say good morning.</p> <div class="codehilite"><pre><span></span><code>$<span class="w"> </span>etcdctl<span class="w"> </span>--endpoints<span class="o">=</span>http://k8s-etcd-1.c1...:2379<span class="w"> </span>get<span class="w"> </span><span class="s2">&quot;Egun on&quot;</span> Egun<span class="w"> </span>on Bon<span class="w"> </span>dia </code></pre></div> <p>Wonderful!</p> <h1 id="conclusion">Conclusion</h1> <p>Deploying <code>etcd</code> in a cluster is not terribly difficult (modulo misleading docs the implied inherent pain of running our own internal CA in production), and the effort of running the cluster outside of kubernetes is probably worth it because our kubernetes cluster state can be safer.</p> <p>Further things to check here are backups and restore from the cluster. On that note, I like this quote from <a href="https://wikitech.wikimedia.org/wiki/Etcd#Recover_a_cluster_after_a_disaster" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">WMF&rsquo;s wikitech</a>:</p> <blockquote> <p>In the sad case when RAFT consensus is lost and there is no quorum anymore, the only way to recover the cluster is to recover the data from a backup, which are regularly performed every night in /srv/backups/etcd. The procedure to bring back the cluster is roughly as follows [&hellip;]</p> </blockquote> <p>Aka: do not panic, breath in, know your emergency plans, check the emergency plan, and apply it.</p> <p>Now that <code>etcd</code> is set up, we can actually get on with kubernetes!</p> <p>These were the steps according to <a href="/en/blog/2023-trying-out-kubernetes-1-planning/">the plan</a>:</p> <ul> <li><a href="/en/blog/2023-trying-out-kubernetes-2-network/">[X]</a> we start by <a href="/en/blog/2023-trying-out-kubernetes-2-network/">setting up the network segments</a> as bridges on the physical host, taking care of NAT, firewall and IPv6 routing</li> <li><a href="/en/blog/2023-trying-out-kubernetes-3-etcd/">[X]</a> then we set up the <a href="/en/blog/2023-trying-out-kubernetes-3-etcd/"><code>etcd</code> cluster</a></li> <li>[ ] finally, we actually setup the Kubernetes cluster</li> </ul>2023-11-06T00:00:00Zurn:uuid:d8fc4cca-d7a0-311b-b002-7ad07f91cb5a<h1 id="introduction">Introduction</h1> <p>As part of <a href="/en/blog/2023-trying-out-kubernetes-1-planning/">trying out Kubernetes: planning</a>, we are going to set up the network and VMs!</p> <p>Quick reminder that this will be virtualised Linux on a FreeBSD physical host. This part is FreeBSD-specific.</p> <h1 id="table-of-contents">Table of contents</h1> <div class="toc"> <ul> <li><a href="#introduction">Introduction</a></li> <li><a href="#table-of-contents">Table of contents</a></li> <li><a href="#network">Network</a><ul> <li><a href="#ip-assignment">IP assignment</a></li> </ul> </li> <li><a href="#virtual-machines">Virtual Machines</a><ul> <li><a href="#vm-bhyve-switches">vm-bhyve switches</a></li> <li><a href="#template">Template</a></li> <li><a href="#os-debian">OS: Debian</a></li> <li><a href="#creating-the-base-vm">Creating the base VM</a></li> <li><a href="#cloning-the-vms">Cloning the VMs</a></li> </ul> </li> <li><a href="#conclusion">Conclusion</a></li> </ul> </div> <h1 id="network">Network</h1> <p>Given that <code>bhyve(8)</code>&lsquo;s networking uses <code>tap(4)</code> devices, which we can bridge and route as needed, we will only need basic FreeBSD networking knowledge.</p> <p>This actually is somewhat similar to the setup I use for <a href="/en/blog/2021-freebsd-ipv6-in-vnet-jails/">IPv6-VNET jails</a>.</p> <p>That is, we will need a bridge and a tap device for each network segment:</p> <div class="codehilite"><pre><span></span><code>#<span class="w"> </span>Adding<span class="w"> </span>following<span class="w"> </span>to<span class="w"> </span>/etc/rc.conf #<span class="w"> </span>k8s<span class="w"> </span>testing #<span class="w"> </span>Create<span class="w"> </span>tap<span class="w"> </span>and<span class="w"> </span>bridge<span class="w"> </span>interfaces cloned_interface=&quot;<span class="cp">${</span><span class="n">cloned_interfaces</span><span class="cp">}</span><span class="w"> </span>tap0<span class="w"> </span>bridge0<span class="w"> </span>tap1<span class="w"> </span>bridge1&quot; #<span class="w"> </span>Rename<span class="w"> </span>them ifconfig_bridge0_name=&quot;etcdbridge&quot; ifconfig_tap0_name=&quot;etcdtap&quot; ifconfig_bridge1_name=&quot;k8sbridge&quot; ifconfig_tap1_name=&quot;k8stap&quot; #<span class="w"> </span>Save<span class="w"> </span>our<span class="w"> </span>network<span class="w"> </span>prefix<span class="w"> </span>data _k8s_v6=&quot;2XXX:XXXX:XXXX&quot; _k8s_v4=&quot;10.2&quot; #<span class="w"> </span>Define<span class="w"> </span>etcd<span class="w"> </span>network ifconfig_etcdtap=&quot;fib<span class="w"> </span>1&quot; ifconfig_etcdbridge_descr=&quot;etcd<span class="w"> </span>cluster<span class="w"> </span>and<span class="w"> </span>k8s<span class="w"> </span>control-panel&quot; ifconfig_etcdbridge=&quot;inet<span class="w"> </span><span class="cp">${</span><span class="n">_k8s_v4</span><span class="cp">}</span>.1.1/24<span class="w"> </span>addm<span class="w"> </span>etcdtap<span class="w"> </span>up<span class="w"> </span>fib<span class="w"> </span>1&quot; ifconfig_etcdbridge_ipv6=&quot;inet6<span class="w"> </span><span class="cp">${</span><span class="n">_k8s_v6</span><span class="cp">}</span>:1::/64<span class="w"> </span>auto_linklocal&quot; #<span class="w"> </span>Define<span class="w"> </span>k8s<span class="w"> </span>network ifconfig_k8stap=&quot;fib<span class="w"> </span>1&quot; ifconfig_k8sbridge_descr=&quot;k8s<span class="w"> </span>nodes<span class="w"> </span>and<span class="w"> </span>control-panel&quot; ifconfig_k8sbridge=&quot;inet<span class="w"> </span><span class="cp">${</span><span class="n">_k8s_v4</span><span class="cp">}</span>.2.1/24<span class="w"> </span>addm<span class="w"> </span>k8stap<span class="w"> </span>up<span class="w"> </span>fib<span class="w"> </span>1&quot; ifconfig_k8sbridge_ipv6=&quot;inet6<span class="w"> </span><span class="cp">${</span><span class="n">_k8s_v6</span><span class="cp">}</span>:2::/64<span class="w"> </span>auto_linklocal&quot; </code></pre></div> <p>Remarkable is that we are assigning <code>/64</code> subnets for IPv6 and <code>/24</code> for IPv4, and that we will use static IP assignment since this is just a handful of machines.</p> <p>I am also using a different routing table (<code>fib 1</code>) in order not to mix traffic.</p> <p>Note that besides valid IPv6 routing, there are NAT rules taking care of IPv4:</p> <div class="codehilite"><pre><span></span><code><span class="cp"># k8s NAT</span> <span class="n">nat</span><span class="w"> </span><span class="n">on</span><span class="w"> </span><span class="err">$</span><span class="n">ext_if</span><span class="w"> </span><span class="n">inet</span><span class="w"> </span><span class="n">from</span><span class="w"> </span><span class="p">{</span><span class="mf">10.2.1.0</span><span class="o">/</span><span class="mi">24</span><span class="p">,</span><span class="w"> </span><span class="mf">10.2.2.0</span><span class="o">/</span><span class="mi">24</span><span class="p">}</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="kr">any</span><span class="w"> </span><span class="o">-&gt;</span><span class="w"> </span><span class="p">(</span><span class="err">$</span><span class="n">ext_if</span><span class="o">:</span><span class="mi">0</span><span class="p">)</span> </code></pre></div> <h2 id="ip-assignment">IP assignment</h2> <p>We will perform static IP assignment due to the small scale:</p> <table> <thead> <tr> <th>VM</th> <th>IPv4</th> <th>IPv6</th> </tr> </thead> <tbody> <tr> <td>k8s-etcd-1</td> <td><code>10.2.1.21</code></td> <td><code>${_k8s_v6}:1::21</code></td> </tr> <tr> <td>k8s-etcd-2</td> <td><code>10.2.1.22</code></td> <td><code>${_k8s_v6}:1::22</code></td> </tr> <tr> <td>k8s-etcd-3</td> <td><code>10.2.1.23</code></td> <td><code>${_k8s_v6}:1::23</code></td> </tr> <tr> <td>k8s-cp-1</td> <td><code>10.2.1.11</code></td> <td><code>${_k8s_v6}:1::11</code></td> </tr> <tr> <td></td> <td><code>10.2.2.11</code></td> <td><code>${_k8s_v6}:2::11</code></td> </tr> <tr> <td>k8s-node-N</td> <td><code>10.2.2.20+N</code></td> <td><code>${_k8s_v6}:2::20+N</code></td> </tr> </tbody> </table> <p>Now I should be able to create the Virtual Machines on each network bridge.</p> <h1 id="virtual-machines">Virtual Machines</h1> <p>As mentioned before, the virtualisation will be done with <code>bhyve(8)</code>, particularly with <code>vm-bhyve(8)</code>, as it is very lightweight and takes care of lower level details for us.</p> <h2 id="vm-bhyve-switches"><code>vm-bhyve</code> switches</h2> <p>We add following to <code>VM_BHYVE/.config/system.conf</code>:</p> <div class="codehilite"><pre><span></span><code><span class="nx">switch_list</span><span class="p">=</span><span class="s">&quot;etcdbridge k8sbridge&quot;</span> <span class="nx">type_etcdbridge</span><span class="p">=</span><span class="s">&quot;manual&quot;</span> <span class="nx">bridge_etcdbridge</span><span class="p">=</span><span class="s">&quot;etcdbridge&quot;</span> <span class="nx">type_k8sbridge</span><span class="p">=</span><span class="s">&quot;manual&quot;</span> <span class="nx">bridge_k8sbridge</span><span class="p">=</span><span class="s">&quot;k8sbridge&quot;</span> </code></pre></div> <p>Which makes sure that <code>vm-bhyve</code> will add the network interfaces to the appropriate bridges.</p> <h2 id="template">Template</h2> <p>Then we create the <code>vm-bhyve(8)</code> template:</p> <div class="codehilite"><pre><span></span><code><span class="c1"># This lives in VM_BHYVE/.templates/k8s.conf</span> <span class="n">cat</span><span class="w"> </span><span class="n">k8s</span><span class="o">.</span><span class="n">conf</span> <span class="n">loader</span><span class="o">=</span><span class="s2">&quot;grub&quot;</span> <span class="n">cpu</span><span class="o">=</span><span class="mi">1</span> <span class="n">memory</span><span class="o">=</span><span class="mi">1</span><span class="n">G</span> <span class="n">network0_type</span><span class="o">=</span><span class="s2">&quot;virtio-net&quot;</span> <span class="n">network0_switch</span><span class="o">=</span><span class="s2">&quot;k8sbridge&quot;</span> <span class="c1"># We use sparse zvols for storage, which enables us to snapshot and clone the</span> <span class="c1"># whole disk while only allocating space as we start using it.</span> <span class="n">disk0_name</span><span class="o">=</span><span class="s2">&quot;disk0&quot;</span> <span class="n">disk0_dev</span><span class="o">=</span><span class="s2">&quot;sparse-zvol&quot;</span> <span class="n">disk0_type</span><span class="o">=</span><span class="s2">&quot;virtio-blk&quot;</span> </code></pre></div> <p>Since we will later clone this VM, we&rsquo;ll add network adapters / change bridges.</p> <h2 id="os-debian">OS: Debian</h2> <p>We&rsquo;ll use Debian&rsquo;s latest release: <code>bookworm</code>:</p> <div class="codehilite"><pre><span></span><code>curl<span class="w"> </span>-L<span class="w"> </span><span class="se">\</span> <span class="w"> </span>https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-12.2.0-amd64-netinst.iso<span class="w"> </span>&gt;<span class="w"> </span><span class="se">\</span> <span class="w"> </span>VM_BHYVE/.iso/debian-12.2.0-amd64-netinst.iso </code></pre></div> <h2 id="creating-the-base-vm">Creating the base VM</h2> <div class="codehilite"><pre><span></span><code>vm<span class="w"> </span>create<span class="w"> </span>-t<span class="w"> </span>k8s<span class="w"> </span>-s<span class="w"> </span>240G<span class="w"> </span>k8sbase </code></pre></div> <p>Now we install the OS using the serial console and the downloaded <code>.iso</code>:</p> <div class="codehilite"><pre><span></span><code>vm<span class="w"> </span>install<span class="w"> </span>-f<span class="w"> </span>k8sbase<span class="w"> </span>debian-12.2.0-amd64-netinst.iso </code></pre></div> <p>I use an unassigned IP for the base VM, so I can apply provisioning for the final touches.</p> <p>Still over serial, we finish up basic things like enabling SSH but only with public keys, and installing my keys.</p> <div class="codehilite"><pre><span></span><code># In /etc/ssh/sshd_config PermitRootLogin prohibit-password PasswordAuthentication no UsePAM no KbdInteractiveAuthentication no </code></pre></div> <div class="codehilite"><pre><span></span><code>$<span class="w"> </span>service<span class="w"> </span>sshd<span class="w"> </span>restart $<span class="w"> </span>mkdir<span class="w"> </span>.ssh $<span class="w"> </span>chmod<span class="w"> </span><span class="m">750</span><span class="w"> </span>.ssh $<span class="w"> </span>wget<span class="w"> </span>https://evilham.com/ssh.pubkey<span class="w"> </span>-O<span class="w"> </span>.ssh/authorized_keys $<span class="w"> </span>chmod<span class="w"> </span><span class="m">640</span><span class="w"> </span>.ssh/authorized_keys </code></pre></div> <h2 id="cloning-the-vms">Cloning the VMs</h2> <div class="codehilite"><pre><span></span><code><span class="c1"># We create a snapshot first</span> $<span class="w"> </span>vm<span class="w"> </span>snapshot<span class="w"> </span>-r<span class="w"> </span>k8sbase@clean <span class="c1"># And then actually clone it, we start with one VM of each type</span> $<span class="w"> </span>vm<span class="w"> </span>clone<span class="w"> </span>k8sbase@clean<span class="w"> </span>k8s-etcd-1 $<span class="w"> </span>vm<span class="w"> </span>clone<span class="w"> </span>k8sbase@clean<span class="w"> </span>k8s-cp-1 $<span class="w"> </span>vm<span class="w"> </span>clone<span class="w"> </span>k8sbase@clean<span class="w"> </span>k8s-node-1 </code></pre></div> <p>Now, we can edit each VM&rsquo;s <code>VM_BHYVE/VM/VM.conf</code> file in order to assign it to the corresponding network(s):</p> <div class="codehilite"><pre><span></span><code><span class="err">#</span><span class="w"> </span><span class="nx">In</span><span class="w"> </span><span class="nx">VM_BHYVE</span><span class="o">/</span><span class="nx">k8s</span><span class="o">-</span><span class="nx">etcd</span><span class="o">-</span><span class="mi">1</span><span class="o">/</span><span class="nx">k8s</span><span class="o">-</span><span class="nx">etcd</span><span class="o">-</span><span class="mi">1</span><span class="p">.</span><span class="nx">conf</span><span class="p">:</span> <span class="nx">network0_type</span><span class="p">=</span><span class="s">&quot;virtio-net&quot;</span> <span class="nx">network0_switch</span><span class="p">=</span><span class="s">&quot;etcdbridge&quot;</span> <span class="err">#</span><span class="w"> </span><span class="nx">In</span><span class="w"> </span><span class="nx">VM_BHYVE</span><span class="o">/</span><span class="nx">k8s</span><span class="o">-</span><span class="nx">cp</span><span class="o">-</span><span class="mi">1</span><span class="o">/</span><span class="nx">k8s</span><span class="o">-</span><span class="nx">cp</span><span class="o">-</span><span class="mi">1</span><span class="p">.</span><span class="nx">conf</span><span class="p">:</span> <span class="nx">network0_type</span><span class="p">=</span><span class="s">&quot;virtio-net&quot;</span> <span class="nx">network0_switch</span><span class="p">=</span><span class="s">&quot;etcdbridge&quot;</span> <span class="nx">network1_type</span><span class="p">=</span><span class="s">&quot;virtio-net&quot;</span> <span class="nx">network1_switch</span><span class="p">=</span><span class="s">&quot;k8sbridge&quot;</span> <span class="err">#</span><span class="w"> </span><span class="nx">In</span><span class="w"> </span><span class="nx">VM_BHYVE</span><span class="o">/</span><span class="nx">k8s</span><span class="o">-</span><span class="nx">node</span><span class="o">-</span><span class="mi">1</span><span class="o">/</span><span class="nx">k8s</span><span class="o">-</span><span class="nx">node</span><span class="o">-</span><span class="mi">1</span><span class="p">.</span><span class="nx">conf</span><span class="p">:</span> <span class="nx">network0_type</span><span class="p">=</span><span class="s">&quot;virtio-net&quot;</span> <span class="nx">network0_switch</span><span class="p">=</span><span class="s">&quot;k8snode1&quot;</span> </code></pre></div> <p>And using provisioning against the unassigned IP one VM at a time, we:</p> <ul> <li>Reset the SSH keys and <code>hostid</code> so they are not shared (this is important for <code>etcd</code>)</li> <li>Apply the assigned static IP configuration on all interfaces</li> <li>Reboot and check that SSH on the new VM is possible</li> <li>Snapshot the VM</li> </ul> <h1 id="conclusion">Conclusion</h1> <p>FreeBSD&rsquo;s networking and virtualisation stack are great and it often surprises me how effortless it is to get things done.</p> <p>Networking is set up, one of each VM type is set up with outgoing dual stack internet and two separated network segments.</p> <p>Next up, <a href="/en/blog/2023-trying-out-kubernetes-3-etcd/">setting up <code>etcd</code></a>. These were the steps according to <a href="/en/blog/2023-trying-out-kubernetes-1-planning/">the plan</a></p> <ul> <li><a href="/en/blog/2023-trying-out-kubernetes-2-network/">[X]</a> we start by <a href="/en/blog/2023-trying-out-kubernetes-2-network/">setting up the network segments</a> as bridges on the physical host, taking care of NAT, firewall and IPv6 routing</li> <li><a href="/en/blog/2023-trying-out-kubernetes-3-etcd/">[X]</a> then we set up the <a href="/en/blog/2023-trying-out-kubernetes-3-etcd/"><code>etcd</code> cluster</a></li> <li>[ ] finally, we actually setup the Kubernetes cluster</li> </ul>2023-11-05T00:00:00Zurn:uuid:d3a2aa6c-9150-3ab1-afee-b27aefe267ad<h1 id="introduction">Introduction</h1> <p><a href="https://en.wikipedia.org/wiki/Kubernetes" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Kubernetes</a> turned 9 years old a couple months ago, so it&rsquo;s about time I took a more serious look at it.</p> <blockquote> <p><a href="https://en.wikipedia.org/wiki/Kubernetes" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Kubernetes</a> is an open-source container orchestration system for automating software deployment, scaling, and management.</p> </blockquote> <p>I have followed its development somewhat closely and kept up with the concepts and architecture, even if I haven&rsquo;t jumped to actually using it.</p> <p>First it was due to waiting for things to get stable, then I decided to let the hype wear off.</p> <p>Now, hype hasn&rsquo;t worn off, but it is at least a topic treated with some level of nuance: Kubernetes is great, but it comes with some complexity; complexity that is not necessary in many cases. And so we have to make sure that the benefits actually outweigh the overhead for our particular use-case.</p> <p>As that point nears and I have some days off, I jump in at learning the best way I know how to: <em>by actually doing things</em> and, this time around, by writing them down for future reference / to better ask for clarification.</p> <p>Let&rsquo;s create a &ldquo;High Availability Kubernetes cluster&rdquo;! (I guess we&rsquo;ll [re]define what HA means here a couple times while doing the deed)</p> <p>Note I do this from a FreeBSD laptop, against a FreeBSD physical host, but the actual Control Plane and Nodes will be running on bhyve Virtual Machines running Linux in that remote FreeBSD physical host. Should not be too relevant, it just makes networking easier =D (debatable, yes).</p> <p>This will likely take several posts :-).</p> <h1 id="table-of-contents">Table of contents</h1> <div class="toc"> <ul> <li><a href="#introduction">Introduction</a></li> <li><a href="#table-of-contents">Table of contents</a></li> <li><a href="#goals">Goals</a></li> <li><a href="#quick-resources">Quick resources</a></li> <li><a href="#the-components">The components</a><ul> <li><a href="#control-plane">Control plane</a><ul> <li><a href="#etcd">etcd</a></li> </ul> </li> <li><a href="#node-components">Node components</a></li> <li><a href="#addons">Addons</a></li> </ul> </li> <li><a href="#necessary-resources">Necessary resources</a><ul> <li><a href="#network">Network</a></li> <li><a href="#virtual-machines">Virtual Machines</a></li> </ul> </li> <li><a href="#conclusion">Conclusion</a></li> </ul> </div> <h1 id="goals">Goals</h1> <p>The main goal here is my own learning and exploring from an Operations perspective, with future quick-reference as a secondary goal.</p> <p>Particularly: duplicating documentation or getting familiar from a user&rsquo;s perspective are non-goals right now :-).</p> <p>It is for these reason that some things are deliberately made more difficult, by e.g. aiming for High Availability and &ldquo;production-ready&rdquo; configurations from the beginning, instead of starting with something more simple and self-contained like <a href="https://kubernetes.io/docs/tasks/tools/#kind" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">kind</a> and <a href="https://kubernetes.io/docs/tasks/tools/#minikube" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">minicube</a>.</p> <p>This addresses <strong>my way of learning</strong>, which includes: reading all/most of the documentation once, gaining a broad overview of what can be done, and what should be done, then implement things as close to production as practical and possible.</p> <p>Your way of learning may differ, and you may need more incremental progress and immediate feedback; <strong>use whatever works for you</strong>, if this post helps you, I&rsquo;ll be happy if you let me know! I do not know many people that share my way of learning :-).</p> <h1 id="quick-resources">Quick resources</h1> <p>First, let&rsquo;s compile a list of resources that will help us:</p> <ul> <li><a href="https://kubernetes.io/docs/home/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Kubernetes docs</a>: what I&rsquo;ve used periodically to stay on top of the project to keep a general overview of the system. It is fairly complete and nicely written, certainly a good reference and also a decent starting point.</li> <li><a href="https://wikitech.wikimedia.org/wiki/Kubernetes/Clusters/New" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">WMF&rsquo;s SRE guide to creating a new cluster</a>: turns out, the <a href="https://wikimediafoundation.org/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Wikimedia Foundation</a>&lsquo;s SRE team does everything in the open, and they do very interesting things. Relevant for this context: they run their own HA Kubernetes clusters and theirs is guaranteed to be a scalable setup.</li> <li><a href="https://www.howtogeek.com/devops/how-to-start-a-kubernetes-cluster-from-scratch-with-kubeadm-and-kubectl/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">How-To Geek: how to start a Kubernetes cluster from scratch</a>: a somewhat complete, simple and to-the-point guide which helps an experienced <em>Mensch</em> plan ahead.</li> </ul> <h1 id="the-components">The components</h1> <p>Since we care about the Operations perspective, we jump straight to <a href="https://kubernetes.io/docs/concepts/overview/components/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Kubernetes&rsquo; components</a>:</p> <ul> <li>Worker machines or <strong>Nodes</strong>: where <strong>Pods</strong> (set of running containers) actually live.</li> <li><strong>Control plane</strong>: manages worker Nodes and Pods in the cluster.</li> </ul> <blockquote> <p>As a temporary simplification: we will run the <strong>Control plane</strong> on a single Virtual Machine, that will not be allowed to run user containers.</p> <p>This makes the cluster less redundant, but we get somewhere faster. It also <strong>feels</strong> like adding this redundancy at a later stage shouldn&rsquo;t be too difficult; it certainly isn&rsquo;t our main goal at this stage.</p> </blockquote> <h2 id="control-plane">Control plane</h2> <p>It includes:</p> <ul> <li><code>kube-apiserver</code>: which exposes the Kubernetes API. Can be traffic balanced.</li> <li><code>etcd</code>: HA key value store, this is where <strong>all cluster data lives</strong>. It is a different piece of software used outside of the Kubernetes context.</li> <li><code>kube-scheduler</code>: picks up new <strong>Pods</strong> and assigns them a <strong>Node</strong> to run on based on the Pod&rsquo;s specifications and the cluster&rsquo;s availability.</li> <li><code>kube-controller-manager</code>: performs multiple jobs, abstractly it seems like it is in charge of reacting to changes in the cluster of various kinds (like a Pod going down, running one-off tasks by creating their Pods, etc.), the documentation doesn&rsquo;t provide an exhaustive list, so this is an extrapolation of the meaning, and could be somewhat wrong or incomplete.</li> <li><code>cloud-controller-manager</code>: this seems to be provider-specific, since we are running Kubernetes ourselves (the whole point), we will probably not see it.</li> </ul> <h3 id="etcd"><code>etcd</code></h3> <p>The documentation for a <a href="https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Highly Available Kubernetes cluster</a> gives us two options:</p> <ul> <li>Stacked Control Plane nodes, which include <code>etcd</code></li> <li>External <code>etcd</code> Nodes</li> </ul> <p>My systems intuition tells me that mixing Control Plane and state storage may not be the best of decisions, and I have heard horror stories.</p> <p>I&rsquo;d be inclined to use an external <code>etcd</code> for anything put in production. This is ratified by <a href="https://wikitech.wikimedia.org/wiki/Kubernetes/Clusters/New#etcd" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">WMF&rsquo;s Kubernetes</a> deployment.</p> <h2 id="node-components">Node components</h2> <p>These run on each Node:</p> <ul> <li><code>kubelet</code>: this makes sure containers from Pods are running and healthy</li> <li><code>kube-proxy</code>: manages the network rules to be able to provide Services. Something tells me we&rsquo;ll spend a lot of time here.</li> <li> <p>Container runtime: It seems like this is a place where we have to make a choice:</p> <ul> <li><a href="https://containerd.io/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">containerd</a></li> <li><a href="https://cri-o.io/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">CRI-O</a></li> </ul> </li> </ul> <blockquote> <p>I notice on <a href="https://wikitech.wikimedia.org/wiki/Kubernetes/Clusters/New#Node_(worker)" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">WMF techwiki</a>: &ldquo;docker is mean to be used as the CRE. Other runtime engines aren&rsquo;t currently supported.&rdquo; which is compatible with <a href="https://wikitech.wikimedia.org/wiki/Kubernetes/Clusters/New#Versions" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">the statement</a> &ldquo;This guide currently covers kubernetes 1.23&rdquo; and the way the <a href="https://gerrit.wikimedia.org/r/plugins/gitiles/operations/debs/kubernetes/+/9e353148720850f2a269243d6b7a89b476ff9e79" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">deb packages</a> are created. (<a href="https://wikitech.wikimedia.org/wiki/Kubernetes/Kubernetes_Infrastructure_upgrade_policy" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">the Kubernetes Infrastructure upgrade policy</a> differs, it likely only needs an update)</p> <p>This makes sense because Docker as a runtime stopped being supported by Kubernetes in <a href="https://github.com/kubernetes/kubernetes/blob/cf4d031dbb002d50096a4a17cb7111ecbcfc0662/CHANGELOG/CHANGELOG-1.24.md#dockershim-removed-from-kubelet" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">v1.24</a>! Jumping that minor version may be tricky.</p> </blockquote> <p>Given we will start differing from WMF&rsquo;s documentation, I will pick <a href="https://cri-o.io/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">CRI-O</a> for no particular reason and target the latest version of Kubernetes (1.28.3).</p> <h2 id="addons">Addons</h2> <p>These provide cluster-level features. At first I found this confusing, but after giving it some thought: it makes sense.</p> <p>This means that there can be multiple implementations (and it happens) of similar cluster services, addressing different needs and priorities.</p> <p>These are the ones I think we&rsquo;ll need:</p> <ul> <li>DNS: else we&rsquo;ll have to deal with IPs and running services gets tricky</li> <li>Dashboard (UI): want to see how it works</li> <li>Network plugin: this deals with Pod networking, we&rsquo;ll want to check <a href="https://docs.tigera.io/calico/latest/about" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Calico</a> as used at <a href="https://wikitech.wikimedia.org/wiki/Calico" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">WMF</a></li> </ul> <h1 id="necessary-resources">Necessary resources</h1> <p>With that, we have most information to start planning and allocating resources.</p> <h2 id="network">Network</h2> <p>Given the choice to run <code>etcd</code> externally, we will need two separate networks:</p> <ul> <li><code>etcd</code>: access will be network and firewall-controlled</li> <li>Kubernetes:<ul> <li>Control Plane: these must have access to <code>etcd</code> too and <strong>won&rsquo;t</strong> run user containers</li> <li>Nodes: these will be excluded from accessing <code>etcd</code></li> </ul> </li> </ul> <p>For a total of: 2 networks, where one class of machines can access both.</p> <blockquote> <p>This <strong>is</strong> a learning environment, so we&rsquo;ll NAT these IPv4 networks and assign each segment a <code>/64</code> IPv6 subnet without blocking outgoing traffic.</p> <p>Probably in production we wouldn&rsquo;t allow that directly.</p> </blockquote> <h2 id="virtual-machines">Virtual Machines</h2> <ul> <li><code>etcd</code>: following <a href="https://wikitech.wikimedia.org/wiki/Kubernetes/Clusters/New#etcd" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">WMF&rsquo;s etcd recommendations for etcd</a> we will use 3 VMs <em>dedicated</em> to etcd</li> <li> <p>Kubernetes:</p> <ul> <li>control-plane: 1 VM as a starting point. These have 2 network interfaces.</li> <li>Nodes: 1 VM as a starting point</li> </ul> </li> </ul> <p>For a total of: 5 VMs</p> <h1 id="conclusion">Conclusion</h1> <p>Aaand, this is why Kubernetes felt like overhead for some time.</p> <p>Until the cost (effort, time, energy, money) of setting up and maintaining all this is not somewhat offset by the benefits, it is the wrong tool for our scale.</p> <p>Now that we are planning ahead though, these are next steps:</p> <ul> <li><a href="/en/blog/2023-trying-out-kubernetes-2-network/">[X]</a> we start by <a href="/en/blog/2023-trying-out-kubernetes-2-network/">setting up the network segments</a> as bridges on the physical host, taking care of NAT, firewall and IPv6 routing</li> <li><a href="/en/blog/2023-trying-out-kubernetes-3-etcd/">[X]</a> then we set up the <a href="/en/blog/2023-trying-out-kubernetes-3-etcd/"><code>etcd</code> cluster</a></li> <li>[ ] finally, we actually setup the Kubernetes cluster</li> </ul>2023-10-06T00:00:00Zurn:uuid:d5ee6226-3bfd-3540-a6da-7ecc2d1fda9b<h1 id="introduction">Introduction</h1> <p>I own a few YubiKeys and use them, a lot.</p> <p>If not familiar with YubiKeys, they are hardware tokens that help improve security in multiple ways:</p> <ul> <li>They can do WebAuthn (modern web-based two factor authentication)</li> <li>They can hold secret keys in a way that cannot be extracted, supporting these operations:<ul> <li>Signature</li> <li>Encryption</li> <li>Authentication</li> </ul> </li> </ul> <p>The most common use, and what is already very useful, is using these hardware tokens for two-factor authentication. For that there are plenty of online resources (though, people certainly can use help understanding and setting that up).</p> <p>What I <strong>really</strong> care about is the latter bit: securing secret keys, particularly when it comes to securing SSH access to servers, and how that fits with PGP.</p> <p>Incidentally, this is where I see most online documentation falling short.</p> <blockquote> <p>There are similar hardware tokens, YubiKeys are what I&rsquo;m familiar with, and what I&rsquo;ll assume here.</p> </blockquote> <h1 id="table-of-contents">Table of contents</h1> <div class="toc"> <ul> <li><a href="#introduction">Introduction</a></li> <li><a href="#table-of-contents">Table of contents</a></li> <li><a href="#pgp-subkeys-and-ssh">PGP, subkeys and SSH</a><ul> <li><a href="#common-state">Common state</a></li> <li><a href="#what-we-achieve-here">What we achieve here</a></li> <li><a href="#roughly-why-we-do-it">(Roughly) why we do it</a></li> </ul> </li> <li><a href="#pgp-key-generation">PGP key generation</a><ul> <li><a href="#software-requisites">Software requisites</a></li> <li><a href="#setup-the-directory">Setup the directory</a></li> <li><a href="#configuring-gpghome">Configuring gpghome</a></li> <li><a href="#generating-the-key">Generating the key</a></li> <li><a href="#generating-the-key_1">Generating the key</a></li> </ul> </li> <li><a href="#putting-the-key-into-the-yubikey">Putting the Key into the YubiKey</a></li> <li><a href="#copy-the-public-key">Copy the public key</a></li> <li><a href="#using-the-yubikey">Using the YubiKey</a><ul> <li><a href="#ssh-authentication">SSH authentication</a></li> </ul> </li> <li><a href="#managing-expiry-dates-and-the-certification-key">Managing expiry dates and the [C]ertification key</a></li> <li><a href="#conclusion">Conclusion</a></li> </ul> </div> <h1 id="pgp-subkeys-and-ssh">PGP, subkeys and SSH</h1> <p>Keys (and subkeys, more below) in PGP may be marked as having one or multiple uses:</p> <ul> <li><code>[C]</code>ertification: a key marked like this acts as a source of truth key that can modify <em>subkeys</em> and the key itself</li> <li><code>[S]</code>ignature: a key marked like this can produce valid signatures that will be recognised as coming from the main key</li> <li><code>[E]</code>encryption: a key marked like this will be associated with the main key, and it will be used by other programs to encrypt things, so only the owner of the main key can read them. Note though: this is worded in a somewhat complicated fashion, because should the Encryption key be changed, messages encrypted for the older key cannot be read</li> <li><code>[A]</code>uthentication: a key marked like this will be associated with the main key, will be able to perform authentication e.g. against OpenSSH servers</li> </ul> <p>The bit about PGP being usable for SSH <code>[A]</code>uthentication is not very widely known, and neither is the concept of subkeys.</p> <p>Instead of thinking as a PGP key as: a single key for all things, we should think about it as: a <code>[C]</code>ertification key that I keep offline except when necessary, that is associated with multiple subkeys, one for each functionality.</p> <h2 id="common-state">Common state</h2> <p>When it comes to PGP, most advice results in keys with attributes <code>[SCEA]</code> or <code>[SCA]</code> with a <code>[E]</code> subkey.</p> <h2 id="what-we-achieve-here">What we achieve here</h2> <p>What we will achieve here is an offline <code>[C]</code> key with multiple subkeys: <code>[S]</code>, <code>[E]</code>, <code>[A]</code>, with the secret parts loaded in a YubiKey (or possibly other hardware tokens).</p> <h2 id="roughly-why-we-do-it">(Roughly) why we do it</h2> <p>Commonly people have their PGP keys locally in a file that is secured by a password, or even separated PGP and SSH keys, protected in a similar fashion (sometimes even without a password).</p> <p>When there are so many <a href="https://www.scmagazine.com/analysis/a-third-of-pypi-software-packages-contains-flaw-to-execute-code-when-downloaded" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">sneaky attack vectors</a>, making a mistake once, can mean secrets being exfiltrated and possibly systems being compromised.</p> <p>By not having such files anywhere but instead relying on the hardware token, we mitigate many parts of such risks.</p> <h1 id="pgp-key-generation">PGP key generation</h1> <p>There are a bunch of security considerations as to the system used for this, many people have written better about it.</p> <p>We will focus on:</p> <ul> <li>Using a separated directory for the keyring and settings</li> <li>Considering the directory as a temporary a in-memory thing or equivalent</li> </ul> <h2 id="software-requisites">Software requisites</h2> <p>TODO: Check debian - gnupg2 -</p> <h2 id="setup-the-directory">Setup the directory</h2> <p>On FreeBSD, to use an in-memory temporary directory, we can use following:</p> <div class="codehilite"><pre><span></span><code><span class="c1"># Create directory</span> mkdir<span class="w"> </span>pgptmp <span class="c1"># Mount in-memory filesystem</span> mount<span class="w"> </span>-t<span class="w"> </span>tmpfs<span class="w"> </span>tmpfs<span class="w"> </span>pgptmp <span class="c1"># Secure permissions</span> chmod<span class="w"> </span><span class="m">700</span><span class="w"> </span>pgptmp </code></pre></div> <p>Nothing that gets written to <code>pgptmp</code>, will be saved to disk, instead, it is temporary and is held in RAM.</p> <h2 id="configuring-gpghome">Configuring <code>gpghome</code></h2> <p>We must export the <code>GNUPGHOME</code> variable accordingly:</p> <div class="codehilite"><pre><span></span><code><span class="nb">cd</span><span class="w"> </span>pgptmp <span class="nb">export</span><span class="w"> </span><span class="nv">GNUPGHOME</span><span class="o">=</span><span class="s2">&quot;</span><span class="k">$(</span><span class="nb">pwd</span><span class="k">)</span><span class="s2">&quot;</span> </code></pre></div> <p>And it is convenient to set up certain configurations:</p> <div class="codehilite"><pre><span></span><code>$<span class="w"> </span>cat<span class="w"> </span><span class="s">&lt;&lt;EOF &gt; scdaemon.conf</span> <span class="s"># This is sometimes necessary</span> <span class="s"># TODO: Add mention fo scdaemon</span> <span class="s">disable-ccid</span> <span class="s">EOF</span> </code></pre></div> <h2 id="generating-the-key">Generating the key</h2> <p>We use <code>gpg --expert --full-generate-key</code>, as it is the only way we get asked all the questions.</p> <div class="codehilite"><pre><span></span><code>$<span class="w"> </span>gpg<span class="w"> </span>--expert<span class="w"> </span>--full-generate-key Please<span class="w"> </span><span class="k">select</span><span class="w"> </span>what<span class="w"> </span>kind<span class="w"> </span>of<span class="w"> </span>key<span class="w"> </span>you<span class="w"> </span>want: <span class="w"> </span><span class="o">(</span><span class="m">1</span><span class="o">)</span><span class="w"> </span>RSA<span class="w"> </span>and<span class="w"> </span>RSA <span class="w"> </span><span class="o">(</span><span class="m">2</span><span class="o">)</span><span class="w"> </span>DSA<span class="w"> </span>and<span class="w"> </span>Elgamal <span class="w"> </span><span class="o">(</span><span class="m">3</span><span class="o">)</span><span class="w"> </span>DSA<span class="w"> </span><span class="o">(</span>sign<span class="w"> </span>only<span class="o">)</span> <span class="w"> </span><span class="o">(</span><span class="m">4</span><span class="o">)</span><span class="w"> </span>RSA<span class="w"> </span><span class="o">(</span>sign<span class="w"> </span>only<span class="o">)</span> <span class="w"> </span><span class="o">(</span><span class="m">7</span><span class="o">)</span><span class="w"> </span>DSA<span class="w"> </span><span class="o">(</span><span class="nb">set</span><span class="w"> </span>your<span class="w"> </span>own<span class="w"> </span>capabilities<span class="o">)</span> <span class="w"> </span><span class="o">(</span><span class="m">8</span><span class="o">)</span><span class="w"> </span>RSA<span class="w"> </span><span class="o">(</span><span class="nb">set</span><span class="w"> </span>your<span class="w"> </span>own<span class="w"> </span>capabilities<span class="o">)</span> <span class="w"> </span><span class="o">(</span><span class="m">9</span><span class="o">)</span><span class="w"> </span>ECC<span class="w"> </span><span class="o">(</span>sign<span class="w"> </span>and<span class="w"> </span>encrypt<span class="o">)</span><span class="w"> </span>*default* <span class="w"> </span><span class="o">(</span><span class="m">10</span><span class="o">)</span><span class="w"> </span>ECC<span class="w"> </span><span class="o">(</span>sign<span class="w"> </span>only<span class="o">)</span> <span class="w"> </span><span class="o">(</span><span class="m">11</span><span class="o">)</span><span class="w"> </span>ECC<span class="w"> </span><span class="o">(</span><span class="nb">set</span><span class="w"> </span>your<span class="w"> </span>own<span class="w"> </span>capabilities<span class="o">)</span> <span class="w"> </span><span class="o">(</span><span class="m">13</span><span class="o">)</span><span class="w"> </span>Existing<span class="w"> </span>key <span class="w"> </span><span class="o">(</span><span class="m">14</span><span class="o">)</span><span class="w"> </span>Existing<span class="w"> </span>key<span class="w"> </span>from<span class="w"> </span>card Your<span class="w"> </span>selection? </code></pre></div> <p>The first question we get asked is, which kind of key we want to create.</p> <p>Unless we are cryptography with good reasons (please share!), I&rsquo;d pick the ECC, which is the default, but setting our own capabilities (Option <code>11</code>), that is:</p> <div class="codehilite"><pre><span></span><code>Your<span class="w"> </span>selection?<span class="w"> </span><span class="m">11</span> Possible<span class="w"> </span>actions<span class="w"> </span><span class="k">for</span><span class="w"> </span>this<span class="w"> </span>ECC<span class="w"> </span>key:<span class="w"> </span>Sign<span class="w"> </span>Certify<span class="w"> </span>Authenticate Current<span class="w"> </span>allowed<span class="w"> </span>actions:<span class="w"> </span>Sign<span class="w"> </span>Certify <span class="w"> </span><span class="o">(</span>S<span class="o">)</span><span class="w"> </span>Toggle<span class="w"> </span>the<span class="w"> </span>sign<span class="w"> </span>capability <span class="w"> </span><span class="o">(</span>A<span class="o">)</span><span class="w"> </span>Toggle<span class="w"> </span>the<span class="w"> </span>authenticate<span class="w"> </span>capability <span class="w"> </span><span class="o">(</span>Q<span class="o">)</span><span class="w"> </span>Finished Your<span class="w"> </span>selection? </code></pre></div> <p>We will want to generate a key with <strong>only</strong> <code>[C]</code>ertification capabilities, so we will ensure <code>[S]</code> and <code>[A]</code> are disabled:</p> <div class="codehilite"><pre><span></span><code>Your<span class="w"> </span>selection?<span class="w"> </span>S Possible<span class="w"> </span>actions<span class="w"> </span><span class="k">for</span><span class="w"> </span>this<span class="w"> </span>ECC<span class="w"> </span>key:<span class="w"> </span>Sign<span class="w"> </span>Certify<span class="w"> </span>Authenticate Current<span class="w"> </span>allowed<span class="w"> </span>actions:<span class="w"> </span>Certify <span class="w"> </span><span class="o">(</span>S<span class="o">)</span><span class="w"> </span>Toggle<span class="w"> </span>the<span class="w"> </span>sign<span class="w"> </span>capability <span class="w"> </span><span class="o">(</span>A<span class="o">)</span><span class="w"> </span>Toggle<span class="w"> </span>the<span class="w"> </span>authenticate<span class="w"> </span>capability <span class="w"> </span><span class="o">(</span>Q<span class="o">)</span><span class="w"> </span>Finished Your<span class="w"> </span>selection?<span class="w"> </span>Q Please<span class="w"> </span><span class="k">select</span><span class="w"> </span>which<span class="w"> </span>elliptic<span class="w"> </span>curve<span class="w"> </span>you<span class="w"> </span>want: <span class="w"> </span><span class="o">(</span><span class="m">1</span><span class="o">)</span><span class="w"> </span>Curve<span class="w"> </span><span class="m">25519</span><span class="w"> </span>*default* <span class="w"> </span><span class="o">(</span><span class="m">2</span><span class="o">)</span><span class="w"> </span>Curve<span class="w"> </span><span class="m">448</span> <span class="w"> </span><span class="o">(</span><span class="m">3</span><span class="o">)</span><span class="w"> </span>NIST<span class="w"> </span>P-256 <span class="w"> </span><span class="o">(</span><span class="m">4</span><span class="o">)</span><span class="w"> </span>NIST<span class="w"> </span>P-384 <span class="w"> </span><span class="o">(</span><span class="m">5</span><span class="o">)</span><span class="w"> </span>NIST<span class="w"> </span>P-521 <span class="w"> </span><span class="o">(</span><span class="m">6</span><span class="o">)</span><span class="w"> </span>Brainpool<span class="w"> </span>P-256 <span class="w"> </span><span class="o">(</span><span class="m">7</span><span class="o">)</span><span class="w"> </span>Brainpool<span class="w"> </span>P-384 <span class="w"> </span><span class="o">(</span><span class="m">8</span><span class="o">)</span><span class="w"> </span>Brainpool<span class="w"> </span>P-512 <span class="w"> </span><span class="o">(</span><span class="m">9</span><span class="o">)</span><span class="w"> </span>secp256k1 Your<span class="w"> </span>selection? </code></pre></div> <p>As with the key type selection, unless we have cryptography knowledge that says otherwise, we will go with Curve 25519 (Option <code>1</code>):</p> <div class="codehilite"><pre><span></span><code>Your<span class="w"> </span>selection?<span class="w"> </span><span class="m">1</span> Please<span class="w"> </span>specify<span class="w"> </span>how<span class="w"> </span>long<span class="w"> </span>the<span class="w"> </span>key<span class="w"> </span>should<span class="w"> </span>be<span class="w"> </span>valid. <span class="w"> </span><span class="nv">0</span><span class="w"> </span><span class="o">=</span><span class="w"> </span>key<span class="w"> </span>does<span class="w"> </span>not<span class="w"> </span>expire <span class="w"> </span>&lt;n&gt;<span class="w"> </span><span class="o">=</span><span class="w"> </span>key<span class="w"> </span>expires<span class="w"> </span><span class="k">in</span><span class="w"> </span>n<span class="w"> </span>days <span class="w"> </span>&lt;n&gt;w<span class="w"> </span><span class="o">=</span><span class="w"> </span>key<span class="w"> </span>expires<span class="w"> </span><span class="k">in</span><span class="w"> </span>n<span class="w"> </span>weeks <span class="w"> </span>&lt;n&gt;m<span class="w"> </span><span class="o">=</span><span class="w"> </span>key<span class="w"> </span>expires<span class="w"> </span><span class="k">in</span><span class="w"> </span>n<span class="w"> </span>months <span class="w"> </span>&lt;n&gt;y<span class="w"> </span><span class="o">=</span><span class="w"> </span>key<span class="w"> </span>expires<span class="w"> </span><span class="k">in</span><span class="w"> </span>n<span class="w"> </span>years Key<span class="w"> </span>is<span class="w"> </span>valid<span class="w"> </span><span class="k">for</span>?<span class="w"> </span><span class="o">(</span><span class="m">0</span><span class="o">)</span> </code></pre></div> <p>The use-case with which I am documenting this, requires a key that does not expire, but my usual key expires usually ~2 years in the future, which I try to extend every year. This choice is yours, more often might increase maintenance burden.</p> <div class="codehilite"><pre><span></span><code>Key<span class="w"> </span>is<span class="w"> </span>valid<span class="w"> </span><span class="k">for</span>?<span class="w"> </span><span class="o">(</span><span class="m">0</span><span class="o">)</span><span class="w"> </span><span class="m">0</span> Key<span class="w"> </span>does<span class="w"> </span>not<span class="w"> </span>expire<span class="w"> </span>at<span class="w"> </span>all Is<span class="w"> </span>this<span class="w"> </span>correct?<span class="w"> </span><span class="o">(</span>y/N<span class="o">)</span><span class="w"> </span>y GnuPG<span class="w"> </span>needs<span class="w"> </span>to<span class="w"> </span>construct<span class="w"> </span>a<span class="w"> </span>user<span class="w"> </span>ID<span class="w"> </span>to<span class="w"> </span>identify<span class="w"> </span>your<span class="w"> </span>key. Real<span class="w"> </span>name: </code></pre></div> <p>Now, PGP has a weird concept of identity, and signatures are bound to the combination of Name, Email and Comment, it is usually not convenient to change this.</p> <p>After thinking about these decisions (usually Comment is left blank):</p> <div class="codehilite"><pre><span></span><code>Real<span class="w"> </span>name:<span class="w"> </span>YourName Email<span class="w"> </span>address:<span class="w"> </span>YourEmail@example.org Comment: You<span class="w"> </span>selected<span class="w"> </span>this<span class="w"> </span>USER-ID: <span class="w"> </span><span class="s2">&quot;YourName &lt;YourEmail@Example.org&gt;&quot;</span> Change<span class="w"> </span><span class="o">(</span>N<span class="o">)</span>ame,<span class="w"> </span><span class="o">(</span>C<span class="o">)</span>omment,<span class="w"> </span><span class="o">(</span>E<span class="o">)</span>mail<span class="w"> </span>or<span class="w"> </span><span class="o">(</span>O<span class="o">)</span>kay/<span class="o">(</span>Q<span class="o">)</span>uit? </code></pre></div> <p>Now, when we confirm the identity, the key will be generated after we enter a passphrase to protect it.</p> <div class="codehilite"><pre><span></span><code>We<span class="w"> </span>need<span class="w"> </span>to<span class="w"> </span>generate<span class="w"> </span>a<span class="w"> </span>lot<span class="w"> </span>of<span class="w"> </span>random<span class="w"> </span>bytes.<span class="w"> </span>It<span class="w"> </span>is<span class="w"> </span>a<span class="w"> </span>good<span class="w"> </span>idea<span class="w"> </span>to<span class="w"> </span>perform some<span class="w"> </span>other<span class="w"> </span>action<span class="w"> </span><span class="o">(</span><span class="nb">type</span><span class="w"> </span>on<span class="w"> </span>the<span class="w"> </span>keyboard,<span class="w"> </span>move<span class="w"> </span>the<span class="w"> </span>mouse,<span class="w"> </span>utilize<span class="w"> </span>the disks<span class="o">)</span><span class="w"> </span>during<span class="w"> </span>the<span class="w"> </span>prime<span class="w"> </span>generation<span class="p">;</span><span class="w"> </span>this<span class="w"> </span>gives<span class="w"> </span>the<span class="w"> </span>random<span class="w"> </span>number generator<span class="w"> </span>a<span class="w"> </span>better<span class="w"> </span>chance<span class="w"> </span>to<span class="w"> </span>gain<span class="w"> </span>enough<span class="w"> </span>entropy. gpg:<span class="w"> </span>GNUPGHOME/trustdb.gpg:<span class="w"> </span>trustdb<span class="w"> </span>created gpg:<span class="w"> </span>directory<span class="w"> </span><span class="s1">&#39;GNUPGHOME/openpgp-revocs.d&#39;</span><span class="w"> </span>created gpg:<span class="w"> </span>revocation<span class="w"> </span>certificate<span class="w"> </span>stored<span class="w"> </span>as<span class="w"> </span><span class="s1">&#39;GNUPGHOME/openpgp-revocs.d/KEY_ID.rev&#39;</span> public<span class="w"> </span>and<span class="w"> </span>secret<span class="w"> </span>key<span class="w"> </span>created<span class="w"> </span>and<span class="w"> </span>signed. pub<span class="w"> </span>ed25519<span class="w"> </span><span class="m">2023</span>-10-06<span class="w"> </span><span class="o">[</span>C<span class="o">]</span> <span class="w"> </span>KEY_ID uid<span class="w"> </span>YourName<span class="w"> </span>&lt;YourEmail@Example.org&gt; </code></pre></div> <p>This KEY_ID will uniquely identify our PGP key.</p> <h2 id="generating-the-key_1">Generating the key</h2> <p>Since our key only has the <code>[C]</code>ertification capability, we want to add some subkeys so we can take advantage of all options.</p> <p>For this, we start editing the key in <code>--expert</code> mode, else we won&rsquo;t be able to access the <code>[A]</code>uthentication capability:</p> <div class="codehilite"><pre><span></span><code>$<span class="w"> </span>gpg<span class="w"> </span>--expert<span class="w"> </span>--edit-key<span class="w"> </span>KEY_ID sec<span class="w"> </span>ed25519/KEY_ID <span class="w"> </span>created:<span class="w"> </span><span class="m">2023</span>-10-06<span class="w"> </span>expires:<span class="w"> </span>never<span class="w"> </span>usage:<span class="w"> </span>C <span class="w"> </span>trust:<span class="w"> </span>ultimate<span class="w"> </span>validity:<span class="w"> </span>ultimate <span class="o">[</span>ultimate<span class="o">]</span><span class="w"> </span><span class="o">(</span><span class="m">1</span><span class="o">)</span>.<span class="w"> </span>YourName<span class="w"> </span>&lt;YourEmail@example.org&gt; gpg&gt; </code></pre></div> <p>And now we create one key for each of the missing capabilities (<code>[S]</code>ignature, <code>[E]</code>ncryption, <code>[A]</code>uthentication), trusting the current cryptography recommendations unless we have very good reasons not to, and setting the expiry according to our use-case.</p> <p>Note too that the <code>[A]</code>uthentication capability is not available directly, but rather through the <code>ECC (set your own capabilities)</code> option:</p> <div class="codehilite"><pre><span></span><code>gpg&gt;<span class="w"> </span>addkey Please<span class="w"> </span><span class="k">select</span><span class="w"> </span>what<span class="w"> </span>kind<span class="w"> </span>of<span class="w"> </span>key<span class="w"> </span>you<span class="w"> </span>want: <span class="w"> </span><span class="o">(</span><span class="m">3</span><span class="o">)</span><span class="w"> </span>DSA<span class="w"> </span><span class="o">(</span>sign<span class="w"> </span>only<span class="o">)</span> <span class="w"> </span><span class="o">(</span><span class="m">4</span><span class="o">)</span><span class="w"> </span>RSA<span class="w"> </span><span class="o">(</span>sign<span class="w"> </span>only<span class="o">)</span> <span class="w"> </span><span class="o">(</span><span class="m">5</span><span class="o">)</span><span class="w"> </span>Elgamal<span class="w"> </span><span class="o">(</span>encrypt<span class="w"> </span>only<span class="o">)</span> <span class="w"> </span><span class="o">(</span><span class="m">6</span><span class="o">)</span><span class="w"> </span>RSA<span class="w"> </span><span class="o">(</span>encrypt<span class="w"> </span>only<span class="o">)</span> <span class="w"> </span><span class="o">(</span><span class="m">7</span><span class="o">)</span><span class="w"> </span>DSA<span class="w"> </span><span class="o">(</span><span class="nb">set</span><span class="w"> </span>your<span class="w"> </span>own<span class="w"> </span>capabilities<span class="o">)</span> <span class="w"> </span><span class="o">(</span><span class="m">8</span><span class="o">)</span><span class="w"> </span>RSA<span class="w"> </span><span class="o">(</span><span class="nb">set</span><span class="w"> </span>your<span class="w"> </span>own<span class="w"> </span>capabilities<span class="o">)</span> <span class="w"> </span><span class="o">(</span><span class="m">10</span><span class="o">)</span><span class="w"> </span>ECC<span class="w"> </span><span class="o">(</span>sign<span class="w"> </span>only<span class="o">)</span> <span class="w"> </span><span class="o">(</span><span class="m">11</span><span class="o">)</span><span class="w"> </span>ECC<span class="w"> </span><span class="o">(</span><span class="nb">set</span><span class="w"> </span>your<span class="w"> </span>own<span class="w"> </span>capabilities<span class="o">)</span> <span class="w"> </span><span class="o">(</span><span class="m">12</span><span class="o">)</span><span class="w"> </span>ECC<span class="w"> </span><span class="o">(</span>encrypt<span class="w"> </span>only<span class="o">)</span> <span class="w"> </span><span class="o">(</span><span class="m">13</span><span class="o">)</span><span class="w"> </span>Existing<span class="w"> </span>key <span class="w"> </span><span class="o">(</span><span class="m">14</span><span class="o">)</span><span class="w"> </span>Existing<span class="w"> </span>key<span class="w"> </span>from<span class="w"> </span>card Your<span class="w"> </span>selection?<span class="w"> </span><span class="m">10</span> Please<span class="w"> </span><span class="k">select</span><span class="w"> </span>which<span class="w"> </span>elliptic<span class="w"> </span>curve<span class="w"> </span>you<span class="w"> </span>want: <span class="w"> </span><span class="o">(</span><span class="m">1</span><span class="o">)</span><span class="w"> </span>Curve<span class="w"> </span><span class="m">25519</span><span class="w"> </span>*default* <span class="w"> </span><span class="o">(</span><span class="m">2</span><span class="o">)</span><span class="w"> </span>Curve<span class="w"> </span><span class="m">448</span> <span class="w"> </span><span class="o">(</span><span class="m">3</span><span class="o">)</span><span class="w"> </span>NIST<span class="w"> </span>P-256 <span class="w"> </span><span class="o">(</span><span class="m">4</span><span class="o">)</span><span class="w"> </span>NIST<span class="w"> </span>P-384 <span class="w"> </span><span class="o">(</span><span class="m">5</span><span class="o">)</span><span class="w"> </span>NIST<span class="w"> </span>P-521 <span class="w"> </span><span class="o">(</span><span class="m">6</span><span class="o">)</span><span class="w"> </span>Brainpool<span class="w"> </span>P-256 <span class="w"> </span><span class="o">(</span><span class="m">7</span><span class="o">)</span><span class="w"> </span>Brainpool<span class="w"> </span>P-384 <span class="w"> </span><span class="o">(</span><span class="m">8</span><span class="o">)</span><span class="w"> </span>Brainpool<span class="w"> </span>P-512 <span class="w"> </span><span class="o">(</span><span class="m">9</span><span class="o">)</span><span class="w"> </span>secp256k1 Your<span class="w"> </span>selection? Please<span class="w"> </span>specify<span class="w"> </span>how<span class="w"> </span>long<span class="w"> </span>the<span class="w"> </span>key<span class="w"> </span>should<span class="w"> </span>be<span class="w"> </span>valid. <span class="w"> </span><span class="nv">0</span><span class="w"> </span><span class="o">=</span><span class="w"> </span>key<span class="w"> </span>does<span class="w"> </span>not<span class="w"> </span>expire <span class="w"> </span>&lt;n&gt;<span class="w"> </span><span class="o">=</span><span class="w"> </span>key<span class="w"> </span>expires<span class="w"> </span><span class="k">in</span><span class="w"> </span>n<span class="w"> </span>days <span class="w"> </span>&lt;n&gt;w<span class="w"> </span><span class="o">=</span><span class="w"> </span>key<span class="w"> </span>expires<span class="w"> </span><span class="k">in</span><span class="w"> </span>n<span class="w"> </span>weeks <span class="w"> </span>&lt;n&gt;m<span class="w"> </span><span class="o">=</span><span class="w"> </span>key<span class="w"> </span>expires<span class="w"> </span><span class="k">in</span><span class="w"> </span>n<span class="w"> </span>months <span class="w"> </span>&lt;n&gt;y<span class="w"> </span><span class="o">=</span><span class="w"> </span>key<span class="w"> </span>expires<span class="w"> </span><span class="k">in</span><span class="w"> </span>n<span class="w"> </span>years Key<span class="w"> </span>is<span class="w"> </span>valid<span class="w"> </span><span class="k">for</span>?<span class="w"> </span><span class="o">(</span><span class="m">0</span><span class="o">)</span> Key<span class="w"> </span>does<span class="w"> </span>not<span class="w"> </span>expire<span class="w"> </span>at<span class="w"> </span>all Is<span class="w"> </span>this<span class="w"> </span>correct?<span class="w"> </span><span class="o">(</span>y/N<span class="o">)</span><span class="w"> </span>y Really<span class="w"> </span>create?<span class="w"> </span><span class="o">(</span>y/N<span class="o">)</span><span class="w"> </span>y We<span class="w"> </span>need<span class="w"> </span>to<span class="w"> </span>generate<span class="w"> </span>a<span class="w"> </span>lot<span class="w"> </span>of<span class="w"> </span>random<span class="w"> </span>bytes.<span class="w"> </span>It<span class="w"> </span>is<span class="w"> </span>a<span class="w"> </span>good<span class="w"> </span>idea<span class="w"> </span>to<span class="w"> </span>perform some<span class="w"> </span>other<span class="w"> </span>action<span class="w"> </span><span class="o">(</span><span class="nb">type</span><span class="w"> </span>on<span class="w"> </span>the<span class="w"> </span>keyboard,<span class="w"> </span>move<span class="w"> </span>the<span class="w"> </span>mouse,<span class="w"> </span>utilize<span class="w"> </span>the disks<span class="o">)</span><span class="w"> </span>during<span class="w"> </span>the<span class="w"> </span>prime<span class="w"> </span>generation<span class="p">;</span><span class="w"> </span>this<span class="w"> </span>gives<span class="w"> </span>the<span class="w"> </span>random<span class="w"> </span>number generator<span class="w"> </span>a<span class="w"> </span>better<span class="w"> </span>chance<span class="w"> </span>to<span class="w"> </span>gain<span class="w"> </span>enough<span class="w"> </span>entropy. sec<span class="w"> </span>ed25519/KEY_ID <span class="w"> </span>created:<span class="w"> </span><span class="m">2023</span>-10-06<span class="w"> </span>expires:<span class="w"> </span>never<span class="w"> </span>usage:<span class="w"> </span>C <span class="w"> </span>trust:<span class="w"> </span>ultimate<span class="w"> </span>validity:<span class="w"> </span>ultimate ssb<span class="w"> </span>ed25519/KEY_ID_S <span class="w"> </span>created:<span class="w"> </span><span class="m">2023</span>-10-06<span class="w"> </span>expires:<span class="w"> </span>never<span class="w"> </span>usage:<span class="w"> </span>S <span class="o">[</span>ultimate<span class="o">]</span><span class="w"> </span><span class="o">(</span><span class="m">1</span><span class="o">)</span>.<span class="w"> </span>YourName<span class="w"> </span>&lt;YourEmail@example.org&gt; gpg&gt;<span class="w"> </span>addkey Please<span class="w"> </span><span class="k">select</span><span class="w"> </span>what<span class="w"> </span>kind<span class="w"> </span>of<span class="w"> </span>key<span class="w"> </span>you<span class="w"> </span>want: <span class="w"> </span><span class="o">(</span><span class="m">3</span><span class="o">)</span><span class="w"> </span>DSA<span class="w"> </span><span class="o">(</span>sign<span class="w"> </span>only<span class="o">)</span> <span class="w"> </span><span class="o">(</span><span class="m">4</span><span class="o">)</span><span class="w"> </span>RSA<span class="w"> </span><span class="o">(</span>sign<span class="w"> </span>only<span class="o">)</span> <span class="w"> </span><span class="o">(</span><span class="m">5</span><span class="o">)</span><span class="w"> </span>Elgamal<span class="w"> </span><span class="o">(</span>encrypt<span class="w"> </span>only<span class="o">)</span> <span class="w"> </span><span class="o">(</span><span class="m">6</span><span class="o">)</span><span class="w"> </span>RSA<span class="w"> </span><span class="o">(</span>encrypt<span class="w"> </span>only<span class="o">)</span> <span class="w"> </span><span class="o">(</span><span class="m">7</span><span class="o">)</span><span class="w"> </span>DSA<span class="w"> </span><span class="o">(</span><span class="nb">set</span><span class="w"> </span>your<span class="w"> </span>own<span class="w"> </span>capabilities<span class="o">)</span> <span class="w"> </span><span class="o">(</span><span class="m">8</span><span class="o">)</span><span class="w"> </span>RSA<span class="w"> </span><span class="o">(</span><span class="nb">set</span><span class="w"> </span>your<span class="w"> </span>own<span class="w"> </span>capabilities<span class="o">)</span> <span class="w"> </span><span class="o">(</span><span class="m">10</span><span class="o">)</span><span class="w"> </span>ECC<span class="w"> </span><span class="o">(</span>sign<span class="w"> </span>only<span class="o">)</span> <span class="w"> </span><span class="o">(</span><span class="m">11</span><span class="o">)</span><span class="w"> </span>ECC<span class="w"> </span><span class="o">(</span><span class="nb">set</span><span class="w"> </span>your<span class="w"> </span>own<span class="w"> </span>capabilities<span class="o">)</span> <span class="w"> </span><span class="o">(</span><span class="m">12</span><span class="o">)</span><span class="w"> </span>ECC<span class="w"> </span><span class="o">(</span>encrypt<span class="w"> </span>only<span class="o">)</span> <span class="w"> </span><span class="o">(</span><span class="m">13</span><span class="o">)</span><span class="w"> </span>Existing<span class="w"> </span>key <span class="w"> </span><span class="o">(</span><span class="m">14</span><span class="o">)</span><span class="w"> </span>Existing<span class="w"> </span>key<span class="w"> </span>from<span class="w"> </span>card Your<span class="w"> </span>selection?<span class="w"> </span><span class="m">12</span> Please<span class="w"> </span><span class="k">select</span><span class="w"> </span>which<span class="w"> </span>elliptic<span class="w"> </span>curve<span class="w"> </span>you<span class="w"> </span>want: <span class="w"> </span><span class="o">(</span><span class="m">1</span><span class="o">)</span><span class="w"> </span>Curve<span class="w"> </span><span class="m">25519</span><span class="w"> </span>*default* <span class="w"> </span><span class="o">(</span><span class="m">2</span><span class="o">)</span><span class="w"> </span>Curve<span class="w"> </span><span class="m">448</span> <span class="w"> </span><span class="o">(</span><span class="m">3</span><span class="o">)</span><span class="w"> </span>NIST<span class="w"> </span>P-256 <span class="w"> </span><span class="o">(</span><span class="m">4</span><span class="o">)</span><span class="w"> </span>NIST<span class="w"> </span>P-384 <span class="w"> </span><span class="o">(</span><span class="m">5</span><span class="o">)</span><span class="w"> </span>NIST<span class="w"> </span>P-521 <span class="w"> </span><span class="o">(</span><span class="m">6</span><span class="o">)</span><span class="w"> </span>Brainpool<span class="w"> </span>P-256 <span class="w"> </span><span class="o">(</span><span class="m">7</span><span class="o">)</span><span class="w"> </span>Brainpool<span class="w"> </span>P-384 <span class="w"> </span><span class="o">(</span><span class="m">8</span><span class="o">)</span><span class="w"> </span>Brainpool<span class="w"> </span>P-512 <span class="w"> </span><span class="o">(</span><span class="m">9</span><span class="o">)</span><span class="w"> </span>secp256k1 Your<span class="w"> </span>selection? Please<span class="w"> </span>specify<span class="w"> </span>how<span class="w"> </span>long<span class="w"> </span>the<span class="w"> </span>key<span class="w"> </span>should<span class="w"> </span>be<span class="w"> </span>valid. <span class="w"> </span><span class="nv">0</span><span class="w"> </span><span class="o">=</span><span class="w"> </span>key<span class="w"> </span>does<span class="w"> </span>not<span class="w"> </span>expire <span class="w"> </span>&lt;n&gt;<span class="w"> </span><span class="o">=</span><span class="w"> </span>key<span class="w"> </span>expires<span class="w"> </span><span class="k">in</span><span class="w"> </span>n<span class="w"> </span>days <span class="w"> </span>&lt;n&gt;w<span class="w"> </span><span class="o">=</span><span class="w"> </span>key<span class="w"> </span>expires<span class="w"> </span><span class="k">in</span><span class="w"> </span>n<span class="w"> </span>weeks <span class="w"> </span>&lt;n&gt;m<span class="w"> </span><span class="o">=</span><span class="w"> </span>key<span class="w"> </span>expires<span class="w"> </span><span class="k">in</span><span class="w"> </span>n<span class="w"> </span>months <span class="w"> </span>&lt;n&gt;y<span class="w"> </span><span class="o">=</span><span class="w"> </span>key<span class="w"> </span>expires<span class="w"> </span><span class="k">in</span><span class="w"> </span>n<span class="w"> </span>years Key<span class="w"> </span>is<span class="w"> </span>valid<span class="w"> </span><span class="k">for</span>?<span class="w"> </span><span class="o">(</span><span class="m">0</span><span class="o">)</span> Key<span class="w"> </span>does<span class="w"> </span>not<span class="w"> </span>expire<span class="w"> </span>at<span class="w"> </span>all Is<span class="w"> </span>this<span class="w"> </span>correct?<span class="w"> </span><span class="o">(</span>y/N<span class="o">)</span><span class="w"> </span>y Really<span class="w"> </span>create?<span class="w"> </span><span class="o">(</span>y/N<span class="o">)</span><span class="w"> </span>y We<span class="w"> </span>need<span class="w"> </span>to<span class="w"> </span>generate<span class="w"> </span>a<span class="w"> </span>lot<span class="w"> </span>of<span class="w"> </span>random<span class="w"> </span>bytes.<span class="w"> </span>It<span class="w"> </span>is<span class="w"> </span>a<span class="w"> </span>good<span class="w"> </span>idea<span class="w"> </span>to<span class="w"> </span>perform some<span class="w"> </span>other<span class="w"> </span>action<span class="w"> </span><span class="o">(</span><span class="nb">type</span><span class="w"> </span>on<span class="w"> </span>the<span class="w"> </span>keyboard,<span class="w"> </span>move<span class="w"> </span>the<span class="w"> </span>mouse,<span class="w"> </span>utilize<span class="w"> </span>the disks<span class="o">)</span><span class="w"> </span>during<span class="w"> </span>the<span class="w"> </span>prime<span class="w"> </span>generation<span class="p">;</span><span class="w"> </span>this<span class="w"> </span>gives<span class="w"> </span>the<span class="w"> </span>random<span class="w"> </span>number generator<span class="w"> </span>a<span class="w"> </span>better<span class="w"> </span>chance<span class="w"> </span>to<span class="w"> </span>gain<span class="w"> </span>enough<span class="w"> </span>entropy. sec<span class="w"> </span>ed25519/KEY_ID <span class="w"> </span>created:<span class="w"> </span><span class="m">2023</span>-10-06<span class="w"> </span>expires:<span class="w"> </span>never<span class="w"> </span>usage:<span class="w"> </span>C <span class="w"> </span>trust:<span class="w"> </span>ultimate<span class="w"> </span>validity:<span class="w"> </span>ultimate ssb<span class="w"> </span>ed25519/KEY_ID_S <span class="w"> </span>created:<span class="w"> </span><span class="m">2023</span>-10-06<span class="w"> </span>expires:<span class="w"> </span>never<span class="w"> </span>usage:<span class="w"> </span>S ssb<span class="w"> </span>cv25519/KEY_ID_E <span class="w"> </span>created:<span class="w"> </span><span class="m">2023</span>-10-06<span class="w"> </span>expires:<span class="w"> </span>never<span class="w"> </span>usage:<span class="w"> </span>E <span class="o">[</span>ultimate<span class="o">]</span><span class="w"> </span><span class="o">(</span><span class="m">1</span><span class="o">)</span>.<span class="w"> </span>YourName<span class="w"> </span>&lt;YourEmail@example.org&gt; gpg&gt;<span class="w"> </span>addkey Please<span class="w"> </span><span class="k">select</span><span class="w"> </span>what<span class="w"> </span>kind<span class="w"> </span>of<span class="w"> </span>key<span class="w"> </span>you<span class="w"> </span>want: <span class="w"> </span><span class="o">(</span><span class="m">3</span><span class="o">)</span><span class="w"> </span>DSA<span class="w"> </span><span class="o">(</span>sign<span class="w"> </span>only<span class="o">)</span> <span class="w"> </span><span class="o">(</span><span class="m">4</span><span class="o">)</span><span class="w"> </span>RSA<span class="w"> </span><span class="o">(</span>sign<span class="w"> </span>only<span class="o">)</span> <span class="w"> </span><span class="o">(</span><span class="m">5</span><span class="o">)</span><span class="w"> </span>Elgamal<span class="w"> </span><span class="o">(</span>encrypt<span class="w"> </span>only<span class="o">)</span> <span class="w"> </span><span class="o">(</span><span class="m">6</span><span class="o">)</span><span class="w"> </span>RSA<span class="w"> </span><span class="o">(</span>encrypt<span class="w"> </span>only<span class="o">)</span> <span class="w"> </span><span class="o">(</span><span class="m">7</span><span class="o">)</span><span class="w"> </span>DSA<span class="w"> </span><span class="o">(</span><span class="nb">set</span><span class="w"> </span>your<span class="w"> </span>own<span class="w"> </span>capabilities<span class="o">)</span> <span class="w"> </span><span class="o">(</span><span class="m">8</span><span class="o">)</span><span class="w"> </span>RSA<span class="w"> </span><span class="o">(</span><span class="nb">set</span><span class="w"> </span>your<span class="w"> </span>own<span class="w"> </span>capabilities<span class="o">)</span> <span class="w"> </span><span class="o">(</span><span class="m">10</span><span class="o">)</span><span class="w"> </span>ECC<span class="w"> </span><span class="o">(</span>sign<span class="w"> </span>only<span class="o">)</span> <span class="w"> </span><span class="o">(</span><span class="m">11</span><span class="o">)</span><span class="w"> </span>ECC<span class="w"> </span><span class="o">(</span><span class="nb">set</span><span class="w"> </span>your<span class="w"> </span>own<span class="w"> </span>capabilities<span class="o">)</span> <span class="w"> </span><span class="o">(</span><span class="m">12</span><span class="o">)</span><span class="w"> </span>ECC<span class="w"> </span><span class="o">(</span>encrypt<span class="w"> </span>only<span class="o">)</span> <span class="w"> </span><span class="o">(</span><span class="m">13</span><span class="o">)</span><span class="w"> </span>Existing<span class="w"> </span>key <span class="w"> </span><span class="o">(</span><span class="m">14</span><span class="o">)</span><span class="w"> </span>Existing<span class="w"> </span>key<span class="w"> </span>from<span class="w"> </span>card Your<span class="w"> </span>selection?<span class="w"> </span><span class="m">11</span> Possible<span class="w"> </span>actions<span class="w"> </span><span class="k">for</span><span class="w"> </span>this<span class="w"> </span>ECC<span class="w"> </span>key:<span class="w"> </span>Sign<span class="w"> </span>Authenticate Current<span class="w"> </span>allowed<span class="w"> </span>actions:<span class="w"> </span>Sign <span class="w"> </span><span class="o">(</span>S<span class="o">)</span><span class="w"> </span>Toggle<span class="w"> </span>the<span class="w"> </span>sign<span class="w"> </span>capability <span class="w"> </span><span class="o">(</span>A<span class="o">)</span><span class="w"> </span>Toggle<span class="w"> </span>the<span class="w"> </span>authenticate<span class="w"> </span>capability <span class="w"> </span><span class="o">(</span>Q<span class="o">)</span><span class="w"> </span>Finished Your<span class="w"> </span>selection?<span class="w"> </span>S Possible<span class="w"> </span>actions<span class="w"> </span><span class="k">for</span><span class="w"> </span>this<span class="w"> </span>ECC<span class="w"> </span>key:<span class="w"> </span>Sign<span class="w"> </span>Authenticate Current<span class="w"> </span>allowed<span class="w"> </span>actions: <span class="w"> </span><span class="o">(</span>S<span class="o">)</span><span class="w"> </span>Toggle<span class="w"> </span>the<span class="w"> </span>sign<span class="w"> </span>capability <span class="w"> </span><span class="o">(</span>A<span class="o">)</span><span class="w"> </span>Toggle<span class="w"> </span>the<span class="w"> </span>authenticate<span class="w"> </span>capability <span class="w"> </span><span class="o">(</span>Q<span class="o">)</span><span class="w"> </span>Finished Your<span class="w"> </span>selection?<span class="w"> </span>A Possible<span class="w"> </span>actions<span class="w"> </span><span class="k">for</span><span class="w"> </span>this<span class="w"> </span>ECC<span class="w"> </span>key:<span class="w"> </span>Sign<span class="w"> </span>Authenticate Current<span class="w"> </span>allowed<span class="w"> </span>actions:<span class="w"> </span>Authenticate <span class="w"> </span><span class="o">(</span>S<span class="o">)</span><span class="w"> </span>Toggle<span class="w"> </span>the<span class="w"> </span>sign<span class="w"> </span>capability <span class="w"> </span><span class="o">(</span>A<span class="o">)</span><span class="w"> </span>Toggle<span class="w"> </span>the<span class="w"> </span>authenticate<span class="w"> </span>capability <span class="w"> </span><span class="o">(</span>Q<span class="o">)</span><span class="w"> </span>Finished Your<span class="w"> </span>selection?<span class="w"> </span>Q Please<span class="w"> </span><span class="k">select</span><span class="w"> </span>which<span class="w"> </span>elliptic<span class="w"> </span>curve<span class="w"> </span>you<span class="w"> </span>want: <span class="w"> </span><span class="o">(</span><span class="m">1</span><span class="o">)</span><span class="w"> </span>Curve<span class="w"> </span><span class="m">25519</span><span class="w"> </span>*default* <span class="w"> </span><span class="o">(</span><span class="m">2</span><span class="o">)</span><span class="w"> </span>Curve<span class="w"> </span><span class="m">448</span> <span class="w"> </span><span class="o">(</span><span class="m">3</span><span class="o">)</span><span class="w"> </span>NIST<span class="w"> </span>P-256 <span class="w"> </span><span class="o">(</span><span class="m">4</span><span class="o">)</span><span class="w"> </span>NIST<span class="w"> </span>P-384 <span class="w"> </span><span class="o">(</span><span class="m">5</span><span class="o">)</span><span class="w"> </span>NIST<span class="w"> </span>P-521 <span class="w"> </span><span class="o">(</span><span class="m">6</span><span class="o">)</span><span class="w"> </span>Brainpool<span class="w"> </span>P-256 <span class="w"> </span><span class="o">(</span><span class="m">7</span><span class="o">)</span><span class="w"> </span>Brainpool<span class="w"> </span>P-384 <span class="w"> </span><span class="o">(</span><span class="m">8</span><span class="o">)</span><span class="w"> </span>Brainpool<span class="w"> </span>P-512 <span class="w"> </span><span class="o">(</span><span class="m">9</span><span class="o">)</span><span class="w"> </span>secp256k1 Your<span class="w"> </span>selection? Please<span class="w"> </span>specify<span class="w"> </span>how<span class="w"> </span>long<span class="w"> </span>the<span class="w"> </span>key<span class="w"> </span>should<span class="w"> </span>be<span class="w"> </span>valid. <span class="w"> </span><span class="nv">0</span><span class="w"> </span><span class="o">=</span><span class="w"> </span>key<span class="w"> </span>does<span class="w"> </span>not<span class="w"> </span>expire <span class="w"> </span>&lt;n&gt;<span class="w"> </span><span class="o">=</span><span class="w"> </span>key<span class="w"> </span>expires<span class="w"> </span><span class="k">in</span><span class="w"> </span>n<span class="w"> </span>days <span class="w"> </span>&lt;n&gt;w<span class="w"> </span><span class="o">=</span><span class="w"> </span>key<span class="w"> </span>expires<span class="w"> </span><span class="k">in</span><span class="w"> </span>n<span class="w"> </span>weeks <span class="w"> </span>&lt;n&gt;m<span class="w"> </span><span class="o">=</span><span class="w"> </span>key<span class="w"> </span>expires<span class="w"> </span><span class="k">in</span><span class="w"> </span>n<span class="w"> </span>months <span class="w"> </span>&lt;n&gt;y<span class="w"> </span><span class="o">=</span><span class="w"> </span>key<span class="w"> </span>expires<span class="w"> </span><span class="k">in</span><span class="w"> </span>n<span class="w"> </span>years Key<span class="w"> </span>is<span class="w"> </span>valid<span class="w"> </span><span class="k">for</span>?<span class="w"> </span><span class="o">(</span><span class="m">0</span><span class="o">)</span> Key<span class="w"> </span>does<span class="w"> </span>not<span class="w"> </span>expire<span class="w"> </span>at<span class="w"> </span>all Is<span class="w"> </span>this<span class="w"> </span>correct?<span class="w"> </span><span class="o">(</span>y/N<span class="o">)</span><span class="w"> </span>y Really<span class="w"> </span>create?<span class="w"> </span><span class="o">(</span>y/N<span class="o">)</span><span class="w"> </span>y We<span class="w"> </span>need<span class="w"> </span>to<span class="w"> </span>generate<span class="w"> </span>a<span class="w"> </span>lot<span class="w"> </span>of<span class="w"> </span>random<span class="w"> </span>bytes.<span class="w"> </span>It<span class="w"> </span>is<span class="w"> </span>a<span class="w"> </span>good<span class="w"> </span>idea<span class="w"> </span>to<span class="w"> </span>perform some<span class="w"> </span>other<span class="w"> </span>action<span class="w"> </span><span class="o">(</span><span class="nb">type</span><span class="w"> </span>on<span class="w"> </span>the<span class="w"> </span>keyboard,<span class="w"> </span>move<span class="w"> </span>the<span class="w"> </span>mouse,<span class="w"> </span>utilize<span class="w"> </span>the disks<span class="o">)</span><span class="w"> </span>during<span class="w"> </span>the<span class="w"> </span>prime<span class="w"> </span>generation<span class="p">;</span><span class="w"> </span>this<span class="w"> </span>gives<span class="w"> </span>the<span class="w"> </span>random<span class="w"> </span>number generator<span class="w"> </span>a<span class="w"> </span>better<span class="w"> </span>chance<span class="w"> </span>to<span class="w"> </span>gain<span class="w"> </span>enough<span class="w"> </span>entropy. sec<span class="w"> </span>ed25519/KEY_ID <span class="w"> </span>created:<span class="w"> </span><span class="m">2023</span>-10-06<span class="w"> </span>expires:<span class="w"> </span>never<span class="w"> </span>usage:<span class="w"> </span>C <span class="w"> </span>trust:<span class="w"> </span>ultimate<span class="w"> </span>validity:<span class="w"> </span>ultimate ssb<span class="w"> </span>ed25519/KEY_ID_S <span class="w"> </span>created:<span class="w"> </span><span class="m">2023</span>-10-06<span class="w"> </span>expires:<span class="w"> </span>never<span class="w"> </span>usage:<span class="w"> </span>S ssb<span class="w"> </span>cv25519/KEY_ID_E <span class="w"> </span>created:<span class="w"> </span><span class="m">2023</span>-10-06<span class="w"> </span>expires:<span class="w"> </span>never<span class="w"> </span>usage:<span class="w"> </span>E ssb<span class="w"> </span>ed25519/KEY_ID_A <span class="w"> </span>created:<span class="w"> </span><span class="m">2023</span>-10-06<span class="w"> </span>expires:<span class="w"> </span>never<span class="w"> </span>usage:<span class="w"> </span>A <span class="o">[</span>ultimate<span class="o">]</span><span class="w"> </span><span class="o">(</span><span class="m">1</span><span class="o">)</span>.<span class="w"> </span>YourName<span class="w"> </span>&lt;YourEmail@example.org&gt; </code></pre></div> <p>And finally we save the modified key</p> <div class="codehilite"><pre><span></span><code>gpg&gt;<span class="w"> </span>save </code></pre></div> <h1 id="putting-the-key-into-the-yubikey">Putting the <em>Key</em> into the YubiKey</h1> <p>This is done by editing the key we just created:</p> <div class="codehilite"><pre><span></span><code>$<span class="w"> </span>gpg<span class="w"> </span>--expert<span class="w"> </span>--edit-key<span class="w"> </span>KEY_ID Secret<span class="w"> </span>key<span class="w"> </span>is<span class="w"> </span>available. sec<span class="w"> </span>ed25519/KEY_ID <span class="w"> </span>created:<span class="w"> </span><span class="m">2023</span>-10-06<span class="w"> </span>expires:<span class="w"> </span>never<span class="w"> </span>usage:<span class="w"> </span>C <span class="w"> </span>trust:<span class="w"> </span>ultimate<span class="w"> </span>validity:<span class="w"> </span>ultimate ssb<span class="w"> </span>ed25519/KEY_ID_S <span class="w"> </span>created:<span class="w"> </span><span class="m">2023</span>-10-06<span class="w"> </span>expires:<span class="w"> </span>never<span class="w"> </span>usage:<span class="w"> </span>S ssb<span class="w"> </span>cv25519/KEY_ID_E <span class="w"> </span>created:<span class="w"> </span><span class="m">2023</span>-10-06<span class="w"> </span>expires:<span class="w"> </span>never<span class="w"> </span>usage:<span class="w"> </span>E ssb<span class="w"> </span>ed25519/KEY_ID_A <span class="w"> </span>created:<span class="w"> </span><span class="m">2023</span>-10-06<span class="w"> </span>expires:<span class="w"> </span>never<span class="w"> </span>usage:<span class="w"> </span>A <span class="o">[</span>ultimate<span class="o">]</span><span class="w"> </span><span class="o">(</span><span class="m">1</span><span class="o">)</span>.<span class="w"> </span>YourName<span class="w"> </span>&lt;YourEmail@example.org&gt; </code></pre></div> <p>We have to select and de-select each subkey and send them to the key with <code>keytocard</code>, and selecting the destination slot that best matches the capability:</p> <div class="codehilite"><pre><span></span><code>gpg&gt;<span class="w"> </span>key<span class="w"> </span><span class="m">1</span> sec<span class="w"> </span>ed25519/KEY_ID <span class="w"> </span>created:<span class="w"> </span><span class="m">2023</span>-10-06<span class="w"> </span>expires:<span class="w"> </span>never<span class="w"> </span>usage:<span class="w"> </span>C <span class="w"> </span>trust:<span class="w"> </span>ultimate<span class="w"> </span>validity:<span class="w"> </span>ultimate ssb*<span class="w"> </span>ed25519/KEY_ID_S <span class="w"> </span>created:<span class="w"> </span><span class="m">2023</span>-10-06<span class="w"> </span>expires:<span class="w"> </span>never<span class="w"> </span>usage:<span class="w"> </span>S ssb<span class="w"> </span>cv25519/KEY_ID_E <span class="w"> </span>created:<span class="w"> </span><span class="m">2023</span>-10-06<span class="w"> </span>expires:<span class="w"> </span>never<span class="w"> </span>usage:<span class="w"> </span>E ssb<span class="w"> </span>ed25519/KEY_ID_A <span class="w"> </span>created:<span class="w"> </span><span class="m">2023</span>-10-06<span class="w"> </span>expires:<span class="w"> </span>never<span class="w"> </span>usage:<span class="w"> </span>A <span class="o">[</span>ultimate<span class="o">]</span><span class="w"> </span><span class="o">(</span><span class="m">1</span><span class="o">)</span>.<span class="w"> </span>YourName<span class="w"> </span>&lt;YourEmail@example.org&gt; gpg&gt;<span class="w"> </span>keytocard Please<span class="w"> </span><span class="k">select</span><span class="w"> </span>where<span class="w"> </span>to<span class="w"> </span>store<span class="w"> </span>the<span class="w"> </span>key: <span class="w"> </span><span class="o">(</span><span class="m">1</span><span class="o">)</span><span class="w"> </span>Signature<span class="w"> </span>key <span class="w"> </span><span class="o">(</span><span class="m">3</span><span class="o">)</span><span class="w"> </span>Authentication<span class="w"> </span>key Your<span class="w"> </span>selection?<span class="w"> </span><span class="m">1</span> sec<span class="w"> </span>ed25519/KEY_ID <span class="w"> </span>created:<span class="w"> </span><span class="m">2023</span>-10-06<span class="w"> </span>expires:<span class="w"> </span>never<span class="w"> </span>usage:<span class="w"> </span>C <span class="w"> </span>trust:<span class="w"> </span>ultimate<span class="w"> </span>validity:<span class="w"> </span>ultimate ssb*<span class="w"> </span>ed25519/KEY_ID_S <span class="w"> </span>created:<span class="w"> </span><span class="m">2023</span>-10-06<span class="w"> </span>expires:<span class="w"> </span>never<span class="w"> </span>usage:<span class="w"> </span>S ssb<span class="w"> </span>cv25519/KEY_ID_E <span class="w"> </span>created:<span class="w"> </span><span class="m">2023</span>-10-06<span class="w"> </span>expires:<span class="w"> </span>never<span class="w"> </span>usage:<span class="w"> </span>E ssb<span class="w"> </span>ed25519/KEY_ID_A <span class="w"> </span>created:<span class="w"> </span><span class="m">2023</span>-10-06<span class="w"> </span>expires:<span class="w"> </span>never<span class="w"> </span>usage:<span class="w"> </span>A <span class="o">[</span>ultimate<span class="o">]</span><span class="w"> </span><span class="o">(</span><span class="m">1</span><span class="o">)</span>.<span class="w"> </span>YourName<span class="w"> </span>&lt;YourEmail@example.org&gt; Note:<span class="w"> </span>the<span class="w"> </span><span class="nb">local</span><span class="w"> </span>copy<span class="w"> </span>of<span class="w"> </span>the<span class="w"> </span>secret<span class="w"> </span>key<span class="w"> </span>will<span class="w"> </span>only<span class="w"> </span>be<span class="w"> </span>deleted<span class="w"> </span>with<span class="w"> </span><span class="s2">&quot;save&quot;</span>. gpg&gt;<span class="w"> </span>key<span class="w"> </span><span class="m">1</span> sec<span class="w"> </span>ed25519/KEY_ID <span class="w"> </span>created:<span class="w"> </span><span class="m">2023</span>-10-06<span class="w"> </span>expires:<span class="w"> </span>never<span class="w"> </span>usage:<span class="w"> </span>C <span class="w"> </span>trust:<span class="w"> </span>ultimate<span class="w"> </span>validity:<span class="w"> </span>ultimate ssb<span class="w"> </span>ed25519/KEY_ID_S <span class="w"> </span>created:<span class="w"> </span><span class="m">2023</span>-10-06<span class="w"> </span>expires:<span class="w"> </span>never<span class="w"> </span>usage:<span class="w"> </span>S ssb<span class="w"> </span>cv25519/KEY_ID_E <span class="w"> </span>created:<span class="w"> </span><span class="m">2023</span>-10-06<span class="w"> </span>expires:<span class="w"> </span>never<span class="w"> </span>usage:<span class="w"> </span>E ssb<span class="w"> </span>ed25519/KEY_ID_A <span class="w"> </span>created:<span class="w"> </span><span class="m">2023</span>-10-06<span class="w"> </span>expires:<span class="w"> </span>never<span class="w"> </span>usage:<span class="w"> </span>A <span class="o">[</span>ultimate<span class="o">]</span><span class="w"> </span><span class="o">(</span><span class="m">1</span><span class="o">)</span>.<span class="w"> </span>YourName<span class="w"> </span>&lt;YourEmail@example.org&gt; gpg&gt;<span class="w"> </span>key<span class="w"> </span><span class="m">2</span> sec<span class="w"> </span>ed25519/KEY_ID <span class="w"> </span>created:<span class="w"> </span><span class="m">2023</span>-10-06<span class="w"> </span>expires:<span class="w"> </span>never<span class="w"> </span>usage:<span class="w"> </span>C <span class="w"> </span>trust:<span class="w"> </span>ultimate<span class="w"> </span>validity:<span class="w"> </span>ultimate ssb<span class="w"> </span>ed25519/KEY_ID_S <span class="w"> </span>created:<span class="w"> </span><span class="m">2023</span>-10-06<span class="w"> </span>expires:<span class="w"> </span>never<span class="w"> </span>usage:<span class="w"> </span>S ssb*<span class="w"> </span>cv25519/KEY_ID_E <span class="w"> </span>created:<span class="w"> </span><span class="m">2023</span>-10-06<span class="w"> </span>expires:<span class="w"> </span>never<span class="w"> </span>usage:<span class="w"> </span>E ssb<span class="w"> </span>ed25519/KEY_ID_A <span class="w"> </span>created:<span class="w"> </span><span class="m">2023</span>-10-06<span class="w"> </span>expires:<span class="w"> </span>never<span class="w"> </span>usage:<span class="w"> </span>A <span class="o">[</span>ultimate<span class="o">]</span><span class="w"> </span><span class="o">(</span><span class="m">1</span><span class="o">)</span>.<span class="w"> </span>YourName<span class="w"> </span>&lt;YourEmail@example.org&gt; gpg&gt;<span class="w"> </span>keytocard Please<span class="w"> </span><span class="k">select</span><span class="w"> </span>where<span class="w"> </span>to<span class="w"> </span>store<span class="w"> </span>the<span class="w"> </span>key: <span class="w"> </span><span class="o">(</span><span class="m">2</span><span class="o">)</span><span class="w"> </span>Encryption<span class="w"> </span>key Your<span class="w"> </span>selection?<span class="w"> </span><span class="m">2</span> sec<span class="w"> </span>ed25519/KEY_ID <span class="w"> </span>created:<span class="w"> </span><span class="m">2023</span>-10-06<span class="w"> </span>expires:<span class="w"> </span>never<span class="w"> </span>usage:<span class="w"> </span>C <span class="w"> </span>trust:<span class="w"> </span>ultimate<span class="w"> </span>validity:<span class="w"> </span>ultimate ssb<span class="w"> </span>ed25519/KEY_ID_S <span class="w"> </span>created:<span class="w"> </span><span class="m">2023</span>-10-06<span class="w"> </span>expires:<span class="w"> </span>never<span class="w"> </span>usage:<span class="w"> </span>S ssb*<span class="w"> </span>cv25519/KEY_ID_E <span class="w"> </span>created:<span class="w"> </span><span class="m">2023</span>-10-06<span class="w"> </span>expires:<span class="w"> </span>never<span class="w"> </span>usage:<span class="w"> </span>E ssb<span class="w"> </span>ed25519/KEY_ID_A <span class="w"> </span>created:<span class="w"> </span><span class="m">2023</span>-10-06<span class="w"> </span>expires:<span class="w"> </span>never<span class="w"> </span>usage:<span class="w"> </span>A <span class="o">[</span>ultimate<span class="o">]</span><span class="w"> </span><span class="o">(</span><span class="m">1</span><span class="o">)</span>.<span class="w"> </span>YourName<span class="w"> </span>&lt;YourEmail@example.org&gt; Note:<span class="w"> </span>the<span class="w"> </span><span class="nb">local</span><span class="w"> </span>copy<span class="w"> </span>of<span class="w"> </span>the<span class="w"> </span>secret<span class="w"> </span>key<span class="w"> </span>will<span class="w"> </span>only<span class="w"> </span>be<span class="w"> </span>deleted<span class="w"> </span>with<span class="w"> </span><span class="s2">&quot;save&quot;</span>. gpg&gt;<span class="w"> </span>key<span class="w"> </span><span class="m">2</span> sec<span class="w"> </span>ed25519/KEY_ID <span class="w"> </span>created:<span class="w"> </span><span class="m">2023</span>-10-06<span class="w"> </span>expires:<span class="w"> </span>never<span class="w"> </span>usage:<span class="w"> </span>C <span class="w"> </span>trust:<span class="w"> </span>ultimate<span class="w"> </span>validity:<span class="w"> </span>ultimate ssb<span class="w"> </span>ed25519/KEY_ID_S <span class="w"> </span>created:<span class="w"> </span><span class="m">2023</span>-10-06<span class="w"> </span>expires:<span class="w"> </span>never<span class="w"> </span>usage:<span class="w"> </span>S ssb<span class="w"> </span>cv25519/KEY_ID_E <span class="w"> </span>created:<span class="w"> </span><span class="m">2023</span>-10-06<span class="w"> </span>expires:<span class="w"> </span>never<span class="w"> </span>usage:<span class="w"> </span>E ssb<span class="w"> </span>ed25519/KEY_ID_A <span class="w"> </span>created:<span class="w"> </span><span class="m">2023</span>-10-06<span class="w"> </span>expires:<span class="w"> </span>never<span class="w"> </span>usage:<span class="w"> </span>A <span class="o">[</span>ultimate<span class="o">]</span><span class="w"> </span><span class="o">(</span><span class="m">1</span><span class="o">)</span>.<span class="w"> </span>YourName<span class="w"> </span>&lt;YourEmail@example.org&gt; gpg&gt;<span class="w"> </span>key<span class="w"> </span><span class="m">3</span> sec<span class="w"> </span>ed25519/KEY_ID <span class="w"> </span>created:<span class="w"> </span><span class="m">2023</span>-10-06<span class="w"> </span>expires:<span class="w"> </span>never<span class="w"> </span>usage:<span class="w"> </span>C <span class="w"> </span>trust:<span class="w"> </span>ultimate<span class="w"> </span>validity:<span class="w"> </span>ultimate ssb<span class="w"> </span>ed25519/KEY_ID_S <span class="w"> </span>created:<span class="w"> </span><span class="m">2023</span>-10-06<span class="w"> </span>expires:<span class="w"> </span>never<span class="w"> </span>usage:<span class="w"> </span>S ssb<span class="w"> </span>cv25519/KEY_ID_E <span class="w"> </span>created:<span class="w"> </span><span class="m">2023</span>-10-06<span class="w"> </span>expires:<span class="w"> </span>never<span class="w"> </span>usage:<span class="w"> </span>E ssb*<span class="w"> </span>ed25519/KEY_ID_A <span class="w"> </span>created:<span class="w"> </span><span class="m">2023</span>-10-06<span class="w"> </span>expires:<span class="w"> </span>never<span class="w"> </span>usage:<span class="w"> </span>A <span class="o">[</span>ultimate<span class="o">]</span><span class="w"> </span><span class="o">(</span><span class="m">1</span><span class="o">)</span>.<span class="w"> </span>YourName<span class="w"> </span>&lt;YourEmail@example.org&gt; gpg&gt;<span class="w"> </span>keytocard Please<span class="w"> </span><span class="k">select</span><span class="w"> </span>where<span class="w"> </span>to<span class="w"> </span>store<span class="w"> </span>the<span class="w"> </span>key: <span class="w"> </span><span class="o">(</span><span class="m">3</span><span class="o">)</span><span class="w"> </span>Authentication<span class="w"> </span>key Your<span class="w"> </span>selection?<span class="w"> </span><span class="m">3</span> sec<span class="w"> </span>ed25519/KEY_ID <span class="w"> </span>created:<span class="w"> </span><span class="m">2023</span>-10-06<span class="w"> </span>expires:<span class="w"> </span>never<span class="w"> </span>usage:<span class="w"> </span>C <span class="w"> </span>trust:<span class="w"> </span>ultimate<span class="w"> </span>validity:<span class="w"> </span>ultimate ssb<span class="w"> </span>ed25519/KEY_ID_S <span class="w"> </span>created:<span class="w"> </span><span class="m">2023</span>-10-06<span class="w"> </span>expires:<span class="w"> </span>never<span class="w"> </span>usage:<span class="w"> </span>S ssb<span class="w"> </span>cv25519/KEY_ID_E <span class="w"> </span>created:<span class="w"> </span><span class="m">2023</span>-10-06<span class="w"> </span>expires:<span class="w"> </span>never<span class="w"> </span>usage:<span class="w"> </span>E ssb*<span class="w"> </span>ed25519/KEY_ID_A <span class="w"> </span>created:<span class="w"> </span><span class="m">2023</span>-10-06<span class="w"> </span>expires:<span class="w"> </span>never<span class="w"> </span>usage:<span class="w"> </span>A <span class="o">[</span>ultimate<span class="o">]</span><span class="w"> </span><span class="o">(</span><span class="m">1</span><span class="o">)</span>.<span class="w"> </span>YourName<span class="w"> </span>&lt;YourEmail@example.org&gt; Note:<span class="w"> </span>the<span class="w"> </span><span class="nb">local</span><span class="w"> </span>copy<span class="w"> </span>of<span class="w"> </span>the<span class="w"> </span>secret<span class="w"> </span>key<span class="w"> </span>will<span class="w"> </span>only<span class="w"> </span>be<span class="w"> </span>deleted<span class="w"> </span>with<span class="w"> </span><span class="s2">&quot;save&quot;</span>. gpg&gt; Save<span class="w"> </span>changes?<span class="w"> </span><span class="o">(</span>y/N<span class="o">)</span><span class="w"> </span>N Quit<span class="w"> </span>without<span class="w"> </span>saving?<span class="w"> </span><span class="o">(</span>y/N<span class="o">)</span><span class="w"> </span>y </code></pre></div> <p>Note that I exit without saving, because I want to back up the <code>[C]</code>ertification key offline, and saving the key here will <strong>remove the private part</strong> from the keyring.</p> <p>It will be contained in the YubiKey and can be used with the password, but it cannot be retrieved out of it.</p> <h1 id="copy-the-public-key">Copy the public key</h1> <p>We now want to export the public key:</p> <div class="codehilite"><pre><span></span><code>$<span class="w"> </span>gpg<span class="w"> </span>--export<span class="w"> </span>KEY_ID<span class="w"> </span>&gt;<span class="w"> </span>pgp.pubkey.bin $<span class="w"> </span>gpg<span class="w"> </span>--export<span class="w"> </span>-a<span class="w"> </span>KEY_ID<span class="w"> </span>&gt;<span class="w"> </span>pgp.pubkey.pem </code></pre></div> <p>Which we will need to publish and import on our daily driver.</p> <h1 id="using-the-yubikey">Using the YubiKey</h1> <p>Now we can disconnect the backed up <code>[C]</code>ertification key, reboot into our persistent environment or change computers, depending on what our security precautions were, and move to our daily driver system.</p> <p>Once there, we import the <strong>public key</strong> into our regular keyring:</p> <div class="codehilite"><pre><span></span><code><span class="c1"># This is not the same system we were in before(!)</span> gpg<span class="w"> </span>--import<span class="w"> </span>-a<span class="w"> </span>&lt;<span class="w"> </span>pgp.pubkey.bin </code></pre></div> <p>And regular PGP operations should request unlocking the corresponding private key with its regular password.</p> <h2 id="ssh-authentication">SSH authentication</h2> <p>In order to take advantage of SSH authentication, we want to use the gpg-agent as an SSH agent.</p> <p>This is usually done by setting up the <code>gpg-agent.conf</code></p> <div class="codehilite"><pre><span></span><code>$<span class="w"> </span>cat<span class="w"> </span><span class="s">&lt;&lt;EOF &gt; gpg-agent.conf</span> <span class="s">enable-ssh-support</span> <span class="s">pinentry-program /usr/local/bin/pinentry-gtk2</span> <span class="s"># Possibly on Debian-based:</span> <span class="s">#pinentry-program /usr/bin/pinentry-gtk2</span> <span class="s"># 2 min</span> <span class="s">default-cache-ttl 120</span> <span class="s"># 5 min</span> <span class="s">max-cache-ttl 300</span> <span class="s"># Grab input</span> <span class="s">grab</span> <span class="s">EOF</span> <span class="c1"># Applying this might require restarting the gpg-agent, you can use:</span> <span class="c1"># gpgconf --kill gpg-agent</span> </code></pre></div> <p>This is usually done adding to the <code>${HOME}/.profile</code> file something similar to:</p> <div class="codehilite"><pre><span></span><code><span class="c1"># Setup the environment variable so the correct SSH agent is contacted</span> <span class="nb">export</span><span class="w"> </span><span class="nv">SSH_AUTH_SOCK</span><span class="o">=</span><span class="k">$(</span>gpgconf<span class="w"> </span>--list-dirs<span class="w"> </span>agent-ssh-socket<span class="k">)</span> <span class="c1"># Tell the gpg-agent to start and update its tty</span> <span class="nb">echo</span><span class="w"> </span><span class="s2">&quot;UPDATESTARTUPTTY&quot;</span><span class="w"> </span><span class="p">|</span><span class="w"> </span>gpg-connect-agent<span class="w"> </span>/bye </code></pre></div> <p>Note that if you use gnome, KDE or similar, their agents might have support for something like this already.</p> <p>Once the SSH and GPG agents have been set up, the SSH agent will list the key contained in the YubiKey as available for authentication:</p> <div class="codehilite"><pre><span></span><code>$<span class="w"> </span>ssh-add<span class="w"> </span>-L ssh-ed25519<span class="w"> </span>AAAA...J<span class="w"> </span>cardno:YY_YYY_YYY </code></pre></div> <p>By adding that line to an <code>authorized_keys</code> file, we should be able to use the <code>[A]</code>uthentication private key to enter with SSH on that system.</p> <h1 id="managing-expiry-dates-and-the-certification-key">Managing expiry dates and the <code>[C]</code>ertification key</h1> <p>This is similar to the creation and sending to card process, except we use the <code>expiry</code> gpg command after editing.</p> <p>We can change the expiry date of multiple subkeys by selecting more than one and export the resulting public key.</p> <h1 id="conclusion">Conclusion</h1> <p>Given the implications of such setup, some thought and personal/corporation-wide trade-offs must be considered, it is certainly not a 5 minute task.</p> <p>But it also isn&rsquo;t as scary as it sounds and the full described process (along with documenting it here) took about 90 minutes.</p> <p>The result is actually more usable and secure than before:</p> <ul> <li>In order to login to places, we need both something physical (the YubiKey) and something we know (its protection password)</li> <li>If we want to be sure no keys are loaded, we just unplug the YubiKey</li> <li>If we want to log in places, sign something or read an encrypted email, we plug it in</li> <li>We can backup and revoke the keys as necessary, if we ever lose the YubiKey, we can revoke the subkeys and generate new ones from the offline <code>[C]</code>ertification key, while still having access to previously encrypted content</li> <li>If something bad happens with our daily driver, odds are that not having <code>id_rsa</code> files or keys in the keyring will save us a lot of headaches and lateral jumps</li> </ul>2023-07-04T00:00:00Zurn:uuid:99e47d48-88ec-3dbb-a35f-f03c2ddad257<h1 id="introduction">Introduction</h1> <p>Back when I first started using <a href="https://FreeBSD.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">FreeBSD</a> and ZFS, I needed tools with an extremely low barrier of entry, that did their job well.</p> <p>When it comes to creating and pruning <code>snapshots</code>, the job was first done by <a href="https://cgit.freebsd.org/ports/tree/sysutils/zfs-periodic" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">sysutils/zfs-periodic</a>.</p> <p>Over time however, even with minor improvements on my part, it has come short for my current needs.</p> <p>As inspired by <a href="https://dan.langille.org/2019/11/11/zfstools-sanoid-snapshots-on-the-local-host/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Dan Langille&rsquo;s wonderful blog</a> (Dan always writes great blog posts, that end up being lovely complementary documentation), I document here my somewhat bumpy road when it comes to ZFS replication tools and why you might want to use something different at each step.</p> <h1 id="table-of-contents">Table of contents</h1> <div class="toc"> <ul> <li><a href="#introduction">Introduction</a></li> <li><a href="#table-of-contents">Table of contents</a></li> <li><a href="#quick-reminder-of-zfs">Quick reminder of ZFS</a></li> <li><a href="#snapshot-creation-and-prunning-with-zfs-periodic8">Snapshot creation and prunning with zfs-periodic(8)</a><ul> <li><a href="#adding-quarter_hourly">Adding quarter_hourly</a></li> </ul> </li> <li><a href="#zfs-replication-with-zxfer8">ZFS Replication with zxfer(8)</a><ul> <li><a href="#the-caveats">The caveats</a><ul> <li><a href="#encrypted-datasets">Encrypted datasets</a></li> </ul> </li> </ul> </li> <li><a href="#snapshot-creation-and-pruning-with-sanoid">Snapshot creation and pruning with sanoid</a><ul> <li><a href="#migrating-zfs-periodic8-snapshots-to-sanoid">Migrating zfs-periodic(8) snapshots to sanoid</a></li> <li><a href="#snapshot-creation-and-pruning-with-sanoid_1">snapshot creation and pruning with sanoid</a></li> </ul> </li> <li><a href="#zfs-replication-with-syncoid">ZFS Replication with syncoid</a><ul> <li><a href="#issues-with-permissions">Issues with permissions</a></li> <li><a href="#issues-with-public-key-limitations">Issues with public key limitations</a></li> <li><a href="#encrypted-datasets_1">Encrypted datasets</a></li> <li><a href="#all-together">All together</a></li> </ul> </li> <li><a href="#remembering-zrepl">Remembering zrepl</a></li> <li><a href="#conclusion">Conclusion</a></li> <li><a href="#update-bonus-tools-from-the-fediverse">UPDATE: Bonus tools from the fediverse</a><ul> <li><a href="#zfs_autobackup">zfs_autobackup</a></li> <li><a href="#zrep">zrep</a></li> </ul> </li> </ul> </div> <h1 id="quick-reminder-of-zfs">Quick reminder of <a href="https://en.wikipedia.org/wiki/ZFS" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">ZFS</a></h1> <p><a href="https://en.wikipedia.org/wiki/ZFS" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">ZFS</a> is nowadays (at least on <a href="https://FreeBSD.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">FreeBSD</a> and Linux) actually <a href="https://github.com/openzfs/zfs/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">OpenZFS</a>. Let&rsquo;s see how they define it:</p> <blockquote> <p>OpenZFS is an advanced file system and volume manager which was originally developed for Solaris and is now maintained by the OpenZFS community. This repository contains the code for running OpenZFS on Linux and FreeBSD.</p> </blockquote> <p>Amongst the many beautiful things of ZFS, there is the fact that it works in a <a href="https://en.wikipedia.org/wiki/Copy-on-write" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Copy on Write</a> fashion, which, amongst other things, enables it to create <code>snapshots</code> in an instantaneous fashion.</p> <p>That is, we can assign a name to a known state with, e.g. <code>zfs snapshot -r zroot@goodstate</code>.</p> <p>Keep on working and, if we get on to a bad state, discard any changes made since then by issuing a <code>rollback</code>.</p> <p>This means, we can have a very handy way of having real-life save points, and work in a more relaxed fashion.</p> <p>Together with <code>zfs-send(8)</code> and <code>zfs-receive(8)</code>, we quickly have the basis for a remote backup system that is incremental.</p> <p>Now that ZFS data set encryption (<code>zfs-load-key(8)</code>) is a thing, it too can be encrypted.</p> <h1 id="snapshot-creation-and-prunning-with-zfs-periodic8">Snapshot creation and prunning with <code>zfs-periodic(8)</code></h1> <p>Now, back in ~2019, I was mostly a Linux user that was jumping to <a href="https://FreeBSD.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">FreeBSD</a> and the last thing I wanted was to fiddle too much with a new file system.</p> <p>Luckily, there is a very simple way to manage ZFS snapshots in an automatic fashion right in the ports system: <code>zfs-periodic</code>.</p> <p>It profits from the <code>periodic(8)</code> system, to run at regular intervals, and gets configured in a minute with:</p> <div class="codehilite"><pre><span></span><code>$<span class="w"> </span>pkg<span class="w"> </span>install<span class="w"> </span>-y<span class="w"> </span>zfs-periodic Updating<span class="w"> </span>FreeBSD<span class="w"> </span>repository<span class="w"> </span>catalogue... FreeBSD<span class="w"> </span>repository<span class="w"> </span>is<span class="w"> </span>up<span class="w"> </span>to<span class="w"> </span>date. <span class="o">[</span><span class="m">1</span>/1<span class="o">]</span><span class="w"> </span>Fetching<span class="w"> </span>zfs-periodic-1.0.20130213.pkg:<span class="w"> </span><span class="m">100</span>%<span class="w"> </span><span class="m">2</span><span class="w"> </span>KiB<span class="w"> </span><span class="m">2</span>.3kB/s<span class="w"> </span><span class="m">00</span>:01 Checking<span class="w"> </span>integrity...<span class="w"> </span><span class="k">done</span><span class="w"> </span><span class="o">(</span><span class="m">0</span><span class="w"> </span>conflicting<span class="o">)</span> <span class="o">[</span><span class="m">1</span>/1<span class="o">]</span><span class="w"> </span>Installing<span class="w"> </span>zfs-periodic-1.0.20130213... <span class="o">[</span><span class="m">1</span>/1<span class="o">]</span><span class="w"> </span>Extracting<span class="w"> </span>zfs-periodic-1.0.20130213:<span class="w"> </span><span class="m">100</span>% <span class="o">=====</span> Message<span class="w"> </span>from<span class="w"> </span>zfs-periodic-1.0.20130213: -- In<span class="w"> </span>order<span class="w"> </span>to<span class="w"> </span><span class="nb">enable</span><span class="w"> </span>periodic<span class="w"> </span>snapshots<span class="w"> </span>you<span class="w"> </span>need to<span class="w"> </span>add<span class="w"> </span>these<span class="w"> </span>lines<span class="w"> </span>to<span class="w"> </span>your<span class="w"> </span>/etc/periodic.conf <span class="nv">hourly_output</span><span class="o">=</span><span class="s2">&quot;root&quot;</span> <span class="nv">hourly_show_success</span><span class="o">=</span><span class="s2">&quot;NO&quot;</span> <span class="nv">hourly_show_info</span><span class="o">=</span><span class="s2">&quot;YES&quot;</span> <span class="nv">hourly_show_badconfig</span><span class="o">=</span><span class="s2">&quot;NO&quot;</span> <span class="nv">hourly_zfs_snapshot_enable</span><span class="o">=</span><span class="s2">&quot;YES&quot;</span> <span class="nv">hourly_zfs_snapshot_pools</span><span class="o">=</span><span class="s2">&quot;tank&quot;</span> <span class="nv">hourly_zfs_snapshot_keep</span><span class="o">=</span><span class="m">6</span> <span class="nv">daily_zfs_snapshot_enable</span><span class="o">=</span><span class="s2">&quot;YES&quot;</span> <span class="nv">daily_zfs_snapshot_pools</span><span class="o">=</span><span class="s2">&quot;tank&quot;</span> <span class="nv">daily_zfs_snapshot_keep</span><span class="o">=</span><span class="m">7</span> <span class="nv">weekly_zfs_snapshot_enable</span><span class="o">=</span><span class="s2">&quot;YES&quot;</span> <span class="nv">weekly_zfs_snapshot_pools</span><span class="o">=</span><span class="s2">&quot;tank&quot;</span> <span class="nv">weekly_zfs_snapshot_keep</span><span class="o">=</span><span class="m">5</span> <span class="nv">monthly_zfs_snapshot_enable</span><span class="o">=</span><span class="s2">&quot;YES&quot;</span> <span class="nv">monthly_zfs_snapshot_pools</span><span class="o">=</span><span class="s2">&quot;tank&quot;</span> <span class="nv">monthly_zfs_snapshot_keep</span><span class="o">=</span><span class="m">2</span> To<span class="w"> </span>get<span class="w"> </span>hourly<span class="w"> </span>snapshots<span class="w"> </span>you<span class="w"> </span>also<span class="w"> </span>need<span class="w"> </span>to<span class="w"> </span>add something<span class="w"> </span>like<span class="w"> </span>this<span class="w"> </span>to<span class="w"> </span>/etc/crontab: <span class="m">2</span><span class="w"> </span>*<span class="w"> </span>*<span class="w"> </span>*<span class="w"> </span>*<span class="w"> </span>root<span class="w"> </span>periodic<span class="w"> </span>hourly </code></pre></div> <p>We literally do that (adding the <code>crontab(5)</code> entry and configuring <code>zfs-periodic(8)</code> in <code>/usr/local/etc/periodic.conf</code> (*)), and we have a simple system that takes hourly, daily, weekly and monthly snapshots.</p> <p>Half way there with zero effort, this is what has kept me using it for years.</p> <blockquote> <p>(*): I prefer to use <code>/usr/local/etc/periodic.conf</code> for things outside the base system. This is a matter of taste and it helps easen administration.</p> </blockquote> <h2 id="adding-quarter_hourly">Adding <code>quarter_hourly</code></h2> <p>Given how cheap these snapshots are, I (and people at work) started wanting to have them more often, which in my case meant every 15 minutes.</p> <p>Luckily, <code>periodic(8)</code> supports arbitrary directories:</p> <div class="codehilite"><pre><span></span><code>directory An arbitrary directory containing a set of executables to be run. </code></pre></div> <p>However, it wasn&rsquo;t as simple as:</p> <div class="codehilite"><pre><span></span><code>mkdir<span class="w"> </span>/usr/local/etc/periodic/quarter_hourly/ ln<span class="w"> </span>-s<span class="w"> </span>/usr/local/etc/periodic/daily/000.zfs-snapshot<span class="w"> </span><span class="se">\</span> <span class="w"> </span>/usr/local/periodic/quarter_hourly/000.zfs-snapshot </code></pre></div> <p>Because the actual file in there depends on the name of the directory, so it has to be customised. And also because the <code>/usr/local/bin/zfs-snapshot</code> script that gets installed needs to understand all the <code>periodic.conf</code> settings.</p> <p>Luckily making these changes was fairly simple. Since I won&rsquo;t be using <code>zfs-periodic(8)</code> any longer, and the patch has been more than tested over the years, I&rsquo;m opening a <a href="https://github.com/ross/zfs-periodic/pull/10" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Merge Request</a>, which you can use to benefit from these changes.</p> <p>Take into account that it&rsquo;ll also need a corresponding <code>crontab(5)</code> entry:</p> <div class="codehilite"><pre><span></span><code>*/15 * * * * root periodic quarter_hourly </code></pre></div> <h1 id="zfs-replication-with-zxfer8">ZFS Replication with <code>zxfer(8)</code></h1> <p>Snapshots take care of local mess ups, but they don&rsquo;t serve as a backup.</p> <p>For that, I took to <a href="https://github.com/allanjude/zxfer/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">zxfer</a>, which is simple to use and has worked great with some caveats.</p> <p>A lovely thing of <code>zxfer(8)</code> is that it supports an <code>rsync(1)</code> mode, that allows us to back up remote systems that do not support ZFS, to a ZFS-based system that takes care of snapshots and so on.</p> <h2 id="the-caveats">The caveats</h2> <p>Mostly, even with a pull-based approach, <code>zxfer(8)</code> doesn&rsquo;t protect much against snapshots disappearing on the source, which means that there is a somewhat plausible scenario where pulling data results in breaking certain retention policies.</p> <p>While there is a <code>-g</code> flag to protect old snapshots, it means that we have to replicate snapshot pruning on the destination system, but cannot create snapshots as they could collide with the source snapshots.</p> <p>That means <code>zfs-periodic(8)</code> and <code>zxfer(8)</code> are better than nothing and work decently, but have important limitations.</p> <h3 id="encrypted-datasets">Encrypted datasets</h3> <p>When encrypted datasets got added to <a href="https://github.com/openzfs/zfs/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">OpenZFS</a>, I realised that we need to use <code>zfs send -w</code>, or else the backup will happen unencrypted. So I wrote a <a href="https://github.com/allanjude/zxfer/pull/55" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">patch for zxfer</a> to do just that.</p> <p>You can help land <a href="https://github.com/allanjude/zxfer/pull/55" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">that patch</a> in <code>zxfer(8)</code>, it is basically only missing the manpage and USAGE texts, but my manpage syntax is rusty and time is not an abundantly available commodity.</p> <p>I&rsquo;d love to help you land <a href="https://github.com/allanjude/zxfer/pull/55" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">this change</a> though!</p> <h1 id="snapshot-creation-and-pruning-with-sanoid">Snapshot creation and pruning with <code>sanoid</code></h1> <p>After having read <a href="https://dan.langille.org/2019/11/11/zfstools-sanoid-snapshots-on-the-local-host/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Dan Langille&rsquo;s blog post</a> on ZFS tools several months ago, I had been wanting to give it a try, since it looked simple to setup and more akin to my current needs.</p> <p>I based my configuration mostly off Dan&rsquo;s, so checked that <a href="https://dan.langille.org/2019/11/11/zfstools-sanoid-snapshots-on-the-local-host/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">great post</a> :-).</p> <h2 id="migrating-zfs-periodic8-snapshots-to-sanoid">Migrating <code>zfs-periodic(8)</code> snapshots to sanoid</h2> <p>This ends up being somewhat simple with <a href="/en/blog/2023-ZFS-replication-tools/periodic2sanoid.sh"><code>periodic2sanoid.sh</code></a>:</p> <div class="codehilite"><pre><span></span><code><span class="c1"># Check locally and remotely that actions make sense (and results match)</span> <span class="c1"># output lists &quot;DS&quot; as the base dataset, it acts recursively</span> ./periodic2sanoid.sh<span class="w"> </span>zroot/usr/home <span class="o">[</span>...<span class="o">]</span> DS@daily-2023-06-28<span class="w"> </span>--&gt;<span class="w"> </span>DS@autosnap_2023-06-28_12:24:44_daily <span class="o">[</span>...<span class="o">]</span> <span class="c1"># Actually apply changes</span> env<span class="w"> </span><span class="nv">DRY_RUN</span><span class="o">=</span>NO<span class="w"> </span>./periodic2sanoid.sh<span class="w"> </span>zroot/usr/home </code></pre></div> <p>And here is the code for that script, you can (and should!) audit it:</p> <div class="codehilite"><pre><span></span><code><span class="ch">#!/bin/sh -eu</span> <span class="c1"># Copyright (c) 2023, Evilham (https://evilham.com)</span> <span class="c1"># BSD 2-Clause copyright and disclaimer apply.</span> <span class="c1"># See: http://www.opensource.org/licenses/bsd-license.php</span> <span class="nv">DS</span><span class="o">=</span><span class="s2">&quot;</span><span class="nv">$1</span><span class="s2">&quot;</span> <span class="nv">DRY_RUN</span><span class="o">=</span><span class="s2">&quot;</span><span class="si">${</span><span class="nv">DRY_RUN</span><span class="k">:-</span><span class="nv">YES</span><span class="si">}</span><span class="s2">&quot;</span> epoch_to_time<span class="o">()</span><span class="w"> </span><span class="o">{</span> <span class="w"> </span><span class="nv">epoch</span><span class="o">=</span><span class="s2">&quot;</span><span class="nv">$1</span><span class="s2">&quot;</span> <span class="w"> </span>date<span class="w"> </span>-j<span class="w"> </span>-f<span class="w"> </span><span class="s1">&#39;%s&#39;</span><span class="w"> </span><span class="s2">&quot;</span><span class="si">${</span><span class="nv">epoch</span><span class="si">}</span><span class="s2">&quot;</span><span class="w"> </span><span class="s1">&#39;+%Y-%m-%d_%H:%M:%S&#39;</span> <span class="o">}</span> target_name<span class="o">()</span><span class="w"> </span><span class="o">{</span> <span class="w"> </span><span class="nv">snap_epoch</span><span class="o">=</span><span class="s2">&quot;</span><span class="nv">$1</span><span class="s2">&quot;</span> <span class="w"> </span><span class="nv">snap_name</span><span class="o">=</span><span class="s2">&quot;</span><span class="nv">$2</span><span class="s2">&quot;</span> <span class="w"> </span><span class="nv">snap_time</span><span class="o">=</span><span class="s2">&quot;</span><span class="k">$(</span>epoch_to_time<span class="w"> </span><span class="s2">&quot;</span><span class="si">${</span><span class="nv">snap_epoch</span><span class="si">}</span><span class="s2">&quot;</span><span class="k">)</span><span class="s2">&quot;</span> <span class="w"> </span><span class="k">case</span><span class="w"> </span><span class="s2">&quot;</span><span class="si">${</span><span class="nv">snap_name</span><span class="si">}</span><span class="s2">&quot;</span><span class="w"> </span><span class="k">in</span> <span class="w"> </span>quarter_hourly-*<span class="o">)</span> <span class="w"> </span><span class="c1"># quarter_hourly --&gt; frequently</span> <span class="w"> </span><span class="nb">printf</span><span class="w"> </span><span class="s2">&quot;autosnap_%s_%s&quot;</span><span class="w"> </span><span class="s2">&quot;</span><span class="si">${</span><span class="nv">snap_time</span><span class="si">}</span><span class="s2">&quot;</span><span class="w"> </span><span class="s2">&quot;frequently&quot;</span> <span class="w"> </span><span class="p">;;</span> <span class="w"> </span>hourly-*<span class="o">)</span> <span class="w"> </span><span class="nb">printf</span><span class="w"> </span><span class="s2">&quot;autosnap_%s_%s&quot;</span><span class="w"> </span><span class="s2">&quot;</span><span class="si">${</span><span class="nv">snap_time</span><span class="si">}</span><span class="s2">&quot;</span><span class="w"> </span><span class="s2">&quot;hourly&quot;</span> <span class="w"> </span><span class="p">;;</span> <span class="w"> </span>daily-*<span class="o">)</span> <span class="w"> </span><span class="nb">printf</span><span class="w"> </span><span class="s2">&quot;autosnap_%s_%s&quot;</span><span class="w"> </span><span class="s2">&quot;</span><span class="si">${</span><span class="nv">snap_time</span><span class="si">}</span><span class="s2">&quot;</span><span class="w"> </span><span class="s2">&quot;daily&quot;</span> <span class="w"> </span><span class="p">;;</span> <span class="w"> </span>weekly-*<span class="o">)</span> <span class="w"> </span><span class="nb">printf</span><span class="w"> </span><span class="s2">&quot;autosnap_%s_%s&quot;</span><span class="w"> </span><span class="s2">&quot;</span><span class="si">${</span><span class="nv">snap_time</span><span class="si">}</span><span class="s2">&quot;</span><span class="w"> </span><span class="s2">&quot;weekly&quot;</span> <span class="w"> </span><span class="p">;;</span> <span class="w"> </span>monthly-*<span class="o">)</span> <span class="w"> </span><span class="nb">printf</span><span class="w"> </span><span class="s2">&quot;autosnap_%s_%s&quot;</span><span class="w"> </span><span class="s2">&quot;</span><span class="si">${</span><span class="nv">snap_time</span><span class="si">}</span><span class="s2">&quot;</span><span class="w"> </span><span class="s2">&quot;monthly&quot;</span> <span class="w"> </span><span class="p">;;</span> <span class="w"> </span>yearly-*<span class="o">)</span> <span class="w"> </span><span class="nb">printf</span><span class="w"> </span><span class="s2">&quot;autosnap_%s_%s&quot;</span><span class="w"> </span><span class="s2">&quot;</span><span class="si">${</span><span class="nv">snap_time</span><span class="si">}</span><span class="s2">&quot;</span><span class="w"> </span><span class="s2">&quot;yearly&quot;</span> <span class="w"> </span><span class="p">;;</span> <span class="w"> </span>*<span class="o">)</span> <span class="w"> </span><span class="c1"># Empty --&gt; no renaming</span> <span class="w"> </span><span class="p">;;</span> <span class="w"> </span><span class="k">esac</span> <span class="o">}</span> zfs<span class="w"> </span>list<span class="w"> </span>-rpHt<span class="w"> </span>snap<span class="w"> </span>-s<span class="w"> </span>creation<span class="w"> </span>-o<span class="w"> </span>creation,name<span class="w"> </span><span class="s2">&quot;</span><span class="nv">$DS</span><span class="s2">&quot;</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="k">while</span><span class="w"> </span><span class="nv">IFS</span><span class="o">=</span><span class="s1">&#39;&#39;</span><span class="w"> </span><span class="nb">read</span><span class="w"> </span>-r<span class="w"> </span>line<span class="p">;</span><span class="w"> </span><span class="k">do</span> <span class="w"> </span><span class="nv">snap_epoch</span><span class="o">=</span><span class="s2">&quot;</span><span class="k">$(</span><span class="nb">echo</span><span class="w"> </span><span class="s2">&quot;</span><span class="si">${</span><span class="nv">line</span><span class="si">}</span><span class="s2">&quot;</span><span class="w"> </span><span class="p">|</span><span class="w"> </span>cut<span class="w"> </span>-f<span class="w"> </span><span class="m">1</span><span class="k">)</span><span class="s2">&quot;</span> <span class="w"> </span><span class="nv">full_snap</span><span class="o">=</span><span class="s2">&quot;</span><span class="k">$(</span><span class="nb">echo</span><span class="w"> </span><span class="s2">&quot;</span><span class="si">${</span><span class="nv">line</span><span class="si">}</span><span class="s2">&quot;</span><span class="w"> </span><span class="p">|</span><span class="w"> </span>cut<span class="w"> </span>-f<span class="w"> </span><span class="m">2</span><span class="k">)</span><span class="s2">&quot;</span> <span class="w"> </span><span class="nv">ds_name</span><span class="o">=</span><span class="s2">&quot;</span><span class="k">$(</span><span class="nb">echo</span><span class="w"> </span><span class="s2">&quot;</span><span class="si">${</span><span class="nv">full_snap</span><span class="si">}</span><span class="s2">&quot;</span><span class="w"> </span><span class="p">|</span><span class="w"> </span>cut<span class="w"> </span>-d<span class="w"> </span><span class="s1">&#39;@&#39;</span><span class="w"> </span>-f<span class="w"> </span><span class="m">1</span><span class="k">)</span><span class="s2">&quot;</span> <span class="w"> </span><span class="nv">snap_name</span><span class="o">=</span><span class="s2">&quot;</span><span class="k">$(</span><span class="nb">echo</span><span class="w"> </span><span class="s2">&quot;</span><span class="si">${</span><span class="nv">full_snap</span><span class="si">}</span><span class="s2">&quot;</span><span class="w"> </span><span class="p">|</span><span class="w"> </span>cut<span class="w"> </span>-d<span class="w"> </span><span class="s1">&#39;@&#39;</span><span class="w"> </span>-f<span class="w"> </span><span class="m">2</span>-<span class="k">)</span><span class="s2">&quot;</span> <span class="w"> </span><span class="nv">snap_target_name</span><span class="o">=</span><span class="s2">&quot;</span><span class="k">$(</span>target_name<span class="w"> </span><span class="s2">&quot;</span><span class="si">${</span><span class="nv">snap_epoch</span><span class="si">}</span><span class="s2">&quot;</span><span class="w"> </span><span class="s2">&quot;</span><span class="si">${</span><span class="nv">snap_name</span><span class="si">}</span><span class="s2">&quot;</span><span class="k">)</span><span class="s2">&quot;</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="o">[</span><span class="w"> </span>-n<span class="w"> </span><span class="s2">&quot;</span><span class="si">${</span><span class="nv">snap_target_name</span><span class="si">}</span><span class="s2">&quot;</span><span class="w"> </span><span class="o">]</span><span class="p">;</span><span class="w"> </span><span class="k">then</span> <span class="w"> </span><span class="c1"># We use DS to facilitate comparing local and remote actions</span> <span class="w"> </span><span class="nb">printf</span><span class="w"> </span><span class="s2">&quot;%s@%s\t--&gt;\t%s@%s\n&quot;</span><span class="w"> </span><span class="s2">&quot;DS&quot;</span><span class="w"> </span><span class="s2">&quot;</span><span class="si">${</span><span class="nv">snap_name</span><span class="si">}</span><span class="s2">&quot;</span><span class="w"> </span><span class="s2">&quot;DS&quot;</span><span class="w"> </span><span class="s2">&quot;</span><span class="si">${</span><span class="nv">snap_target_name</span><span class="si">}</span><span class="s2">&quot;</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="o">[</span><span class="w"> </span><span class="s2">&quot;</span><span class="si">${</span><span class="nv">DRY_RUN</span><span class="si">}</span><span class="s2">&quot;</span><span class="w"> </span>!<span class="o">=</span><span class="w"> </span><span class="s2">&quot;YES&quot;</span><span class="w"> </span><span class="o">]</span><span class="p">;</span><span class="w"> </span><span class="k">then</span> <span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">&quot;zfs rename \&quot;</span><span class="si">${</span><span class="nv">full_snap</span><span class="si">}</span><span class="s2">\&quot; \&quot;</span><span class="si">${</span><span class="nv">ds_name</span><span class="si">}</span><span class="s2">@</span><span class="si">${</span><span class="nv">snap_target_name</span><span class="si">}</span><span class="s2">\&quot;&quot;</span> <span class="w"> </span>zfs<span class="w"> </span>rename<span class="w"> </span><span class="s2">&quot;</span><span class="si">${</span><span class="nv">full_snap</span><span class="si">}</span><span class="s2">&quot;</span><span class="w"> </span><span class="s2">&quot;</span><span class="si">${</span><span class="nv">ds_name</span><span class="si">}</span><span class="s2">@</span><span class="si">${</span><span class="nv">snap_target_name</span><span class="si">}</span><span class="s2">&quot;</span> <span class="w"> </span><span class="k">fi</span> <span class="w"> </span><span class="k">fi</span> <span class="k">done</span> </code></pre></div> <h2 id="snapshot-creation-and-pruning-with-sanoid_1">snapshot creation and pruning with <code>sanoid</code></h2> <p>This, as <a href="https://dan.langille.org/2019/11/11/zfstools-sanoid-snapshots-on-the-local-host/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Dan documented it</a>, works wonderfully after taking into account the <code>crontab(5)</code> caveat and using <code>lockf(1)</code>.</p> <h1 id="zfs-replication-with-syncoid">ZFS Replication with <code>syncoid</code></h1> <p>When installing <code>sanoid</code>, we also get <code>syncoid</code> as a replication tool.</p> <h2 id="issues-with-permissions">Issues with permissions</h2> <p>While trying to replicate the datasets, I realised that it expects either to run as <code>root</code> or to have <code>sudo</code> available.</p> <p>Of course, that&rsquo;s not ideal, as I prefer to rely on <code>zfs-allow(8)</code> and do not even have <code>sudo</code> as an available command.</p> <p>There is a flag <code>--no-privilege-elevation</code> which helps circumvent these checks, but the fact that it fails and requires the flag to work as non-root, is kind of a red flag for me.</p> <h2 id="issues-with-public-key-limitations">Issues with public key limitations</h2> <p>As with <code>zxfer(8)</code>, I was setting up a pull-based approach over SSH. Since this user and that SSH key should only be allowed to use <code>zfs send</code> and little more, I use the <code>authorized_keys</code> file to force the <code>command</code> to a particular script.</p> <p>This resulted in issues with <code>syncoid</code>&lsquo;s shell escaping, which lead me to this <a href="https://github.com/jimsalterjrs/sanoid/issues/719" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">reported issue</a> from 2022. I believe the person that reported it was in a similar position to mine.</p> <p>I ended up &ldquo;fixing it&rdquo; (the security implications are still to be determined), by expanding the list of allowed commands and using <code>sh -s</code> with <code>$SSH_ORIGINAL_COMMAND</code>:</p> <div class="codehilite"><pre><span></span><code><span class="ch">#!/bin/sh</span> <span class="k">case</span><span class="w"> </span><span class="s2">&quot;</span><span class="si">${</span><span class="nv">SSH_ORIGINAL_COMMAND</span><span class="si">}</span><span class="s2">&quot;</span><span class="w"> </span><span class="k">in</span> <span class="w"> </span><span class="s2">&quot;uname&quot;</span><span class="o">)</span> <span class="w"> </span><span class="p">;;</span> <span class="w"> </span><span class="s2">&quot;zfs get &quot;</span>*<span class="o">)</span> <span class="w"> </span><span class="p">;;</span> <span class="w"> </span><span class="s2">&quot;/sbin/zfs get &quot;</span>*<span class="o">)</span> <span class="w"> </span><span class="p">;;</span> <span class="w"> </span><span class="s2">&quot;zfs list &quot;</span>*<span class="o">)</span> <span class="w"> </span><span class="p">;;</span> <span class="w"> </span><span class="s2">&quot;/sbin/zfs list &quot;</span>*<span class="o">)</span> <span class="w"> </span><span class="p">;;</span> <span class="w"> </span><span class="s2">&quot;zfs send -n &quot;</span>*<span class="o">)</span> <span class="w"> </span><span class="p">;;</span> <span class="w"> </span><span class="s2">&quot;zfs send -w &quot;</span>*<span class="o">)</span> <span class="w"> </span><span class="p">;;</span> <span class="w"> </span><span class="s2">&quot; zfs send -w &quot;</span>*<span class="o">)</span> <span class="w"> </span><span class="p">;;</span> <span class="w"> </span><span class="s2">&quot;/sbin/zfs send -w &quot;</span>*<span class="o">)</span> <span class="w"> </span><span class="p">;;</span> <span class="w"> </span><span class="s2">&quot;echo -n&quot;</span><span class="o">)</span> <span class="w"> </span><span class="p">;;</span> <span class="w"> </span><span class="s2">&quot;command -v lzop&quot;</span><span class="o">)</span> <span class="w"> </span><span class="p">;;</span> <span class="w"> </span><span class="s2">&quot;command -v mbuffer&quot;</span><span class="o">)</span> <span class="w"> </span><span class="p">;;</span> <span class="w"> </span><span class="s2">&quot;zpool get -o value -H feature@extensible_dataset &quot;</span>*<span class="o">)</span> <span class="w"> </span><span class="p">;;</span> <span class="w"> </span><span class="s2">&quot;exit&quot;</span><span class="o">)</span> <span class="w"> </span><span class="p">;;</span> <span class="w"> </span>*<span class="o">)</span> <span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">&quot;Command not allowed! See ya!&quot;</span> <span class="w"> </span><span class="nb">exit</span><span class="w"> </span><span class="m">1</span> <span class="w"> </span><span class="p">;;</span> <span class="k">esac</span> <span class="nb">echo</span><span class="w"> </span><span class="s2">&quot;</span><span class="si">${</span><span class="nv">SSH_ORIGINAL_COMMAND</span><span class="si">}</span><span class="s2">&quot;</span><span class="w"> </span>&gt;&gt;<span class="w"> </span>/tmp/test sh<span class="w"> </span>-s<span class="w"> </span><span class="s">&lt;&lt;EOF</span> <span class="s">${SSH_ORIGINAL_COMMAND}</span> <span class="s">EOF</span> </code></pre></div> <h2 id="encrypted-datasets_1">Encrypted datasets</h2> <p>This is also a bit of an issue, and we need to specify <code>--sendoptions="w"</code>.</p> <h2 id="all-together">All together</h2> <div class="codehilite"><pre><span></span><code>syncoid<span class="w"> </span>-r<span class="w"> </span>--no-privilege-elevation<span class="w"> </span>--sendoptions<span class="o">=</span><span class="s2">&quot;w&quot;</span><span class="w"> </span><span class="se">\</span> <span class="w"> </span>sucker@HOST:zroot/usr/home<span class="w"> </span>backups/pools/HOST/zroot/usr/home </code></pre></div> <p>This kind of works, but when looking to refine it, I realised that it does not offer me any benefit regarding <code>zxfer(8)</code> when it comes to protecting the snapshots.</p> <h1 id="remembering-zrepl">Remembering <code>zrepl</code></h1> <p>After getting frustrated again, I realised this wasn&rsquo;t quite looking as I was expecting (I was so sure this was doable!).</p> <p>Turns out, I had read about <a href="https://zrepl.github.io/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">zrepl</a> some months ago, and checked the documentation and determined it was something I needed to use.</p> <p>So, this misremembering caused me to look deeply into <code>sanoid</code> and <code>syncoid</code>.</p> <p>But hey, at least now I am very sure about what I want, and I can probably quickly adapt my renaming script for a migration to zrepl.</p> <h1 id="conclusion">Conclusion</h1> <p>I really should blog more often, if anything to save me some time.</p> <p>This will have to be a two-parter, with this one being what I&rsquo;ve tried and why I&rsquo;m not keeping it, and the second one being how I get to setup <a href="https://zrepl.github.io/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">zrepl</a> to my liking.</p> <h1 id="update-bonus-tools-from-the-fediverse">UPDATE: Bonus tools from the fediverse</h1> <p>I <a href="https://chaos.social/@evilham/110657917872957344" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">posted this</a> on the fediverse, and some people shared what they use and why!</p> <iframe src="https://chaos.social/@evilham/110657917872957344/embed" class="mastodon-embed" style="max-width: 100%; border: 0" width="400" allowfullscreen="allowfullscreen"></iframe> <script src="https://chaos.social/embed.js" async="async"></script> <h3 id="zfs_autobackup"><code>zfs_autobackup</code></h3> <p><a href="https://mdon.stefanomarinelli.it/@stefano/110658001245769750" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">@stefano@mdon.stefanomarinelli.it</a> mentioned <a href="https://github.com/psy0rz/zfs_autobackup" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">zfs_autobackup</a>, and they have a very nice <a href="https://it-notes.dragas.net/2022/05/30/how-we-are-migrating-many-of-our-servers-from-linux-to-freebsd-part-2/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">blog post series</a> documenting this, and other steps they took on migrating from Linux to <a href="https://FreeBSD.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">FreeBSD</a>.</p> <iframe src="https://mdon.stefanomarinelli.it/@stefano/110658001245769750/embed" class="mastodon-embed" style="max-width: 100%; border: 0" width="400" allowfullscreen="allowfullscreen"></iframe> <h2 id="zrep"><code>zrep</code></h2> <p><a href="https://radiosocial.de/@dk3jf/110660370655210749" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">@dk3jf@radiosocial.de</a> mentioned <a href="https://github.com/bolthole/zrep" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">zrep</a>:</p> <iframe src="https://radiosocial.de/@dk3jf/110660370655210749/embed" class="mastodon-embed" style="max-width: 100%; border: 0" width="400" allowfullscreen="allowfullscreen"></iframe>2022-08-28T00:00:00Zurn:uuid:4585092c-9260-39e7-8120-25ad65079d49<h1 id="introduccio">Introducció</h1> <p>El company Pedro està aprenent a fer anar <a href="https://docs.scrapy.org/en/latest/index.html" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Scrapy</a> i em comenta espontàniament:</p> <blockquote> <p>una cosa meravellosa d&rsquo;emacs és que està tot molt ben documentat, i de seguida estàs mirant el codi font còmodament (tant sigui emacs lisp que c); hi ha algun equivalent a python? he intentat això:</p> <p>(ara m&rsquo;he posat amb el scrapy tutorial)</p> </blockquote> <div class="codehilite"><pre><span></span><code><span class="mf">12345678910</span><span class="err">[</span><span class="mf">13</span><span class="p">:</span><span class="mf">49</span><span class="p">:</span><span class="mf">28</span><span class="err">]</span><span class="w"> </span><span class="err">$</span><span class="w"> </span><span class="n">ipython3</span> <span class="n">Python</span><span class="w"> </span><span class="mf">3.9.2</span><span class="w"> </span><span class="p">(</span><span class="kd">def</span><span class="n">ault</span><span class="p">,</span><span class="w"> </span><span class="n">Feb</span><span class="w"> </span><span class="mf">28</span><span class="w"> </span><span class="mf">2021</span><span class="p">,</span><span class="w"> </span><span class="mf">17</span><span class="p">:</span><span class="mf">03</span><span class="p">:</span><span class="mf">44</span><span class="p">)</span> <span class="n">Type</span><span class="w"> </span><span class="err">&#39;</span><span class="n">copyright</span><span class="err">&#39;</span><span class="p">,</span><span class="w"> </span><span class="err">&#39;</span><span class="n">credits</span><span class="err">&#39;</span><span class="w"> </span><span class="ow">or</span><span class="w"> </span><span class="err">&#39;</span><span class="n">license</span><span class="err">&#39;</span><span class="w"> </span><span class="kr">for</span><span class="w"> </span><span class="n">more</span><span class="w"> </span><span class="n">information</span> <span class="n">IPython</span><span class="w"> </span><span class="mf">7.20.0</span><span class="w"> </span><span class="o">--</span><span class="w"> </span><span class="n">An</span><span class="w"> </span><span class="n">enhanced</span><span class="w"> </span><span class="nb">Int</span><span class="n">eractive</span><span class="w"> </span><span class="n">Python</span><span class="mf">.</span><span class="w"> </span><span class="n">Type</span><span class="w"> </span><span class="err">&#39;?&#39;</span><span class="w"> </span><span class="kr">for</span><span class="w"> </span><span class="n">help</span><span class="mf">.</span> <span class="n">In</span><span class="w"> </span><span class="err">[</span><span class="mf">1</span><span class="err">]</span><span class="p">:</span><span class="w"> </span><span class="n">help</span><span class="p">(</span><span class="n">yield</span><span class="p">)</span> <span class="w"> </span><span class="n">File</span><span class="w"> </span><span class="s">&quot;&lt;ipython-input-1-b8899ae5635b&gt;&quot;</span><span class="p">,</span><span class="w"> </span><span class="n">line</span><span class="w"> </span><span class="mf">1</span> <span class="w"> </span><span class="n">help</span><span class="p">(</span><span class="n">yield</span><span class="p">)</span> <span class="w"> </span><span class="o">^</span> <span class="n">SyntaxError</span><span class="p">:</span><span class="w"> </span><span class="n">invalid</span><span class="w"> </span><span class="n">syntax</span> </code></pre></div> <p>El poc que sé de <a href="https://docs.scrapy.org/en/latest/index.html" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Scrapy</a> és que és una eina molt potent i que paga la pena aprendre (però encara no hi he tingut ocasió!) i, encara més important: que està escrita en <a href="https://python.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Python</a>, fent servir la llibreria <a href="https://twistedmatrix.com" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Twisted</a>.</p> <p>Amb aquesta informació i havent après <a href="https://twistedmatrix.com" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Twisted</a> fa més anys dels que voldria admetre, entenc immediatament que el dubte darrere la pregunta, no va de <code>yield</code> únicament, sinó de com funciona la <strong>programació asíncrona</strong> en <a href="https://twistedmatrix.com" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Twisted</a>.</p> <p>Anem a fer-hi una ullada, amb l&rsquo;explicació que a mi m&rsquo;hagués agradat tenir quan ho aprenia i de pas mirem els generadors!</p> <h1 id="taula-de-continguts">Taula de continguts</h1> <div class="toc"> <ul> <li><a href="#introduccio">Introducció</a></li> <li><a href="#taula-de-continguts">Taula de continguts</a></li> <li><a href="#helpyield">help(yield)?</a><ul> <li><a href="#que-es-help">Què és help?</a></li> <li><a href="#i-per-que-no-funciona-helpyield">I per què no funciona help(yield)?</a></li> <li><a href="#la-manera-correcta-helpyield">La manera correcta: help(&ldquo;yield&rdquo;)</a></li> </ul> </li> <li><a href="#us-normal-de-yield-en-python">Ús normal de yield en Python</a><ul> <li><a href="#una-funcio-generadora-de-nombres-de-fibonacci">Una funció generadora de nombres de Fibonacci</a></li> </ul> </li> <li><a href="#per-que-cal-el-yield-amb-scrapytwisted">Per què cal el yield amb Scrapy/Twisted?</a><ul> <li><a href="#parentesi-de-programacio-asincrona">Parèntesi de programació asíncrona</a></li> <li><a href="#programacio-asincrona-en-python-modern">Programació asíncrona en Python modern</a></li> <li><a href="#programacio-asincrona-amb-twisted">Programació asíncrona amb Twisted</a></li> </ul> </li> <li><a href="#conclusio">Conclusió</a></li> </ul> </div> <h1 id="helpyield"><code>help(yield)</code>?</h1> <p>Comencem per respondre la pregunta concreta: &ldquo;com puc obtenir informació sobre <code>yield</code> des de <a href="https://python.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Python</a>?&rdquo;</p> <p>Doncs no anàvem malament amb <code>help(yield)</code>!</p> <p>Aturem-nos però a pensar què passa quan fem alguna consulta que sí funciona, com ara <code>help("")</code>:</p> <div class="codehilite"><pre><span></span><code>&gt;&gt;&gt; help(&quot;&quot;) Help on class str in module builtins: class str(object) [...] </code></pre></div> <h2 id="que-es-help">Què és <code>help</code>?</h2> <p>Des de la terminal interactiva podem esbrinar-ho:</p> <div class="codehilite"><pre><span></span><code><span class="o">&gt;&gt;</span><span class="p">&gt;</span><span class="w"> </span><span class="k">type</span><span class="p">(</span><span class="nx">help</span><span class="p">)</span> <span class="p">&lt;</span><span class="kd">class</span><span class="w"> </span><span class="err">&#39;</span><span class="nx">_sitebuiltins</span><span class="p">.</span><span class="nx">_Helper</span><span class="err">&#39;</span><span class="p">&gt;</span> </code></pre></div> <p>És a dir, que és una instància de la classe <code>_sitebuiltins._Helper</code>, un objecte!</p> <p>Podem fer-hi coses curioses?</p> <div class="codehilite"><pre><span></span><code>&gt;&gt;&gt; a = help &gt;&gt;&gt; a(&quot;&quot;) Help on class str in module builtins: class str(object) [...] &gt;&gt;&gt; dir(help) [&#39;__call__&#39;, &#39;__class__&#39;, &#39;__delattr__&#39;, &#39;__dict__&#39;, &#39;__dir__&#39;, &#39;__doc__&#39;, &#39;__eq__&#39;, &#39;__format__&#39;, &#39;__ge__&#39;, &#39;__getattribute__&#39;, &#39;__gt__&#39;, &#39;__hash__&#39;, &#39;__init__&#39;, &#39;__init_subclass__&#39;, &#39;__le__&#39;, &#39;__lt__&#39;, &#39;__module__&#39;, &#39;__ne__&#39;, &#39;__new__&#39;, &#39;__reduce__&#39;, &#39;__reduce_ex__&#39;, &#39;__repr__&#39;, &#39;__setattr__&#39;, &#39;__sizeof__&#39;, &#39;__str__&#39;, &#39;__subclasshook__&#39;, &#39;__weakref__&#39;] </code></pre></div> <p>Interessant! Veiem que implementa <code>__call__</code>, és a dir, és un objecte <code>callable</code>:</p> <div class="codehilite"><pre><span></span><code><span class="nv">callable</span><span class="ss">(</span><span class="nv">obj</span>,<span class="w"> </span><span class="o">/</span><span class="ss">)</span> <span class="w"> </span><span class="k">Return</span><span class="w"> </span><span class="nv">whether</span><span class="w"> </span><span class="nv">the</span><span class="w"> </span><span class="nv">object</span><span class="w"> </span><span class="nv">is</span><span class="w"> </span><span class="nv">callable</span><span class="w"> </span><span class="ss">(</span><span class="nv">i</span>.<span class="nv">e</span>.,<span class="w"> </span><span class="nv">some</span><span class="w"> </span><span class="nv">kind</span><span class="w"> </span><span class="nv">of</span><span class="w"> </span><span class="nv">function</span><span class="ss">)</span>. <span class="w"> </span><span class="nv">Note</span><span class="w"> </span><span class="nv">that</span><span class="w"> </span><span class="nv">classes</span><span class="w"> </span><span class="nv">are</span><span class="w"> </span><span class="nv">callable</span>,<span class="w"> </span><span class="nv">as</span><span class="w"> </span><span class="nv">are</span><span class="w"> </span><span class="nv">instances</span><span class="w"> </span><span class="nv">of</span><span class="w"> </span><span class="nv">classes</span><span class="w"> </span><span class="nv">with</span><span class="w"> </span><span class="nv">a</span> <span class="w"> </span><span class="nv">__call__</span><span class="ss">()</span><span class="w"> </span><span class="nv">method</span>. </code></pre></div> <h2 id="i-per-que-no-funciona-helpyield">I per què no funciona <code>help(yield)</code>?</h2> <p>Ara que sabem que <code>help</code> és un objecte, i que és un <code>callable</code>, entenem que <code>help(yield)</code> no fa res més que cridar <code>help</code> amb <code>yield</code> com a argument&hellip;</p> <p>Però <code>yield</code> és una paraula reservada! D&rsquo;aquí que tinguem un error de sintaxi.</p> <h2 id="la-manera-correcta-helpyield">La manera correcta: <code>help("yield")</code></h2> <p>Per evitar aquest error de sintaxi, podem posar la paraula <code>yield</code> entre cometes, d&rsquo;aquesta manera és una sintaxi vàlida, i <code>help</code> comprovarà si correspon a un concepte conegut.</p> <p>Aquesta estratègia no només ens és útil aquí, si volem saber com funciona <code>|</code> o <code>+</code> podem fer el mateix: <code>help("|")</code> o <code>help("+")</code>.</p> <div class="codehilite"><pre><span></span><code><span class="o">&gt;&gt;&gt;</span><span class="w"> </span><span class="nf">help</span><span class="p">(</span><span class="s">&quot;yield&quot;</span><span class="p">)</span> <span class="nv">The</span><span class="w"> </span><span class="s">&quot;yield&quot;</span><span class="w"> </span><span class="nv">statement</span> <span class="o">*********************</span> <span class="w"> </span><span class="nv">yield_stmt</span><span class="w"> </span><span class="o">::=</span><span class="w"> </span><span class="nv">yield_expression</span> <span class="nv">A</span><span class="w"> </span><span class="s">&quot;yield&quot;</span><span class="w"> </span><span class="nv">statement</span><span class="w"> </span><span class="nv">is</span><span class="w"> </span><span class="nv">semantically</span><span class="w"> </span><span class="nv">equivalent</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="nv">a</span><span class="w"> </span><span class="nv">yield</span><span class="w"> </span><span class="nv">expression</span><span class="o">.</span> <span class="nv">The</span><span class="w"> </span><span class="nv">yield</span><span class="w"> </span><span class="nv">statement</span><span class="w"> </span><span class="nv">can</span><span class="w"> </span><span class="nv">be</span><span class="w"> </span><span class="nv">used</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="nv">omit</span><span class="w"> </span><span class="nv">the</span><span class="w"> </span><span class="nv">parentheses</span><span class="w"> </span><span class="nv">that</span><span class="w"> </span><span class="nv">would</span> <span class="nv">otherwise</span><span class="w"> </span><span class="nv">be</span><span class="w"> </span><span class="nv">required</span><span class="w"> </span><span class="nv">in</span><span class="w"> </span><span class="nv">the</span><span class="w"> </span><span class="nv">equivalent</span><span class="w"> </span><span class="nv">yield</span><span class="w"> </span><span class="nv">expression</span><span class="w"> </span><span class="nv">statement</span><span class="o">.</span> <span class="nv">For</span><span class="w"> </span><span class="nv">example</span><span class="p">,</span><span class="w"> </span><span class="nv">the</span><span class="w"> </span><span class="nv">yield</span><span class="w"> </span><span class="nv">statements</span> <span class="w"> </span><span class="nv">yield</span><span class="w"> </span><span class="o">&lt;</span><span class="nv">expr</span><span class="o">&gt;</span> <span class="w"> </span><span class="nv">yield</span><span class="w"> </span><span class="k">from</span><span class="w"> </span><span class="o">&lt;</span><span class="nv">expr</span><span class="o">&gt;</span> <span class="nv">are</span><span class="w"> </span><span class="nv">equivalent</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="nv">the</span><span class="w"> </span><span class="nv">yield</span><span class="w"> </span><span class="nv">expression</span><span class="w"> </span><span class="nf">statements</span> <span class="w"> </span><span class="p">(</span><span class="nv">yield</span><span class="w"> </span><span class="o">&lt;</span><span class="nv">expr</span><span class="o">&gt;</span><span class="p">)</span> <span class="w"> </span><span class="p">(</span><span class="nv">yield</span><span class="w"> </span><span class="k">from</span><span class="w"> </span><span class="o">&lt;</span><span class="nv">expr</span><span class="o">&gt;</span><span class="p">)</span> <span class="nv">Yield</span><span class="w"> </span><span class="nv">expressions</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="nv">statements</span><span class="w"> </span><span class="nv">are</span><span class="w"> </span><span class="nv">only</span><span class="w"> </span><span class="nv">used</span><span class="w"> </span><span class="nv">when</span><span class="w"> </span><span class="nv">defining</span><span class="w"> </span><span class="nv">a</span> <span class="o">*</span><span class="nv">generator</span><span class="o">*</span><span class="w"> </span><span class="nv">function</span><span class="p">,</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="nv">are</span><span class="w"> </span><span class="nv">only</span><span class="w"> </span><span class="nv">used</span><span class="w"> </span><span class="nv">in</span><span class="w"> </span><span class="nv">the</span><span class="w"> </span><span class="nv">body</span><span class="w"> </span><span class="nv">of</span><span class="w"> </span><span class="nv">the</span><span class="w"> </span><span class="nv">generator</span> <span class="nv">function</span><span class="o">.</span><span class="w"> </span><span class="nv">Using</span><span class="w"> </span><span class="nv">yield</span><span class="w"> </span><span class="nv">in</span><span class="w"> </span><span class="nv">a</span><span class="w"> </span><span class="nv">function</span><span class="w"> </span><span class="nv">definition</span><span class="w"> </span><span class="nv">is</span><span class="w"> </span><span class="nv">sufficient</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="nv">cause</span> <span class="nv">that</span><span class="w"> </span><span class="nv">definition</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="nv">create</span><span class="w"> </span><span class="nv">a</span><span class="w"> </span><span class="nv">generator</span><span class="w"> </span><span class="nv">function</span><span class="w"> </span><span class="nv">instead</span><span class="w"> </span><span class="nv">of</span><span class="w"> </span><span class="nv">a</span><span class="w"> </span><span class="nv">normal</span> <span class="nv">function</span><span class="o">.</span> <span class="nv">For</span><span class="w"> </span><span class="nv">full</span><span class="w"> </span><span class="nv">details</span><span class="w"> </span><span class="nv">of</span><span class="w"> </span><span class="s">&quot;yield&quot;</span><span class="w"> </span><span class="nv">semantics</span><span class="p">,</span><span class="w"> </span><span class="nv">refer</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="nv">the</span><span class="w"> </span><span class="nv">Yield</span><span class="w"> </span><span class="nv">expressions</span> <span class="nv">section</span><span class="o">.</span> </code></pre></div> <h1 id="us-normal-de-yield-en-python">Ús normal de <code>yield</code> en Python</h1> <p>El text de <code>help("yield")</code> ens explica que es fa servir en funcions generadores, però no hi entra molt en detall. Tot i que podríem seguir amb la documentació amb <code>help</code>, ja és útil canviar a explicacions més casolanes!</p> <h2 id="una-funcio-generadora-de-nombres-de-fibonacci">Una funció generadora de <a href="https://ca.wikipedia.org/wiki/Successi%C3%B3_de_Fibonacci" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">nombres de Fibonacci</a></h2> <div class="codehilite"><pre><span></span><code><span class="k">def</span> <span class="nf">fib</span><span class="p">():</span> <span class="w"> </span><span class="sd">&quot;&quot;&quot;Generador de nombres de Fibonacci&quot;&quot;&quot;</span> <span class="n">a</span> <span class="o">=</span> <span class="mi">1</span> <span class="n">b</span> <span class="o">=</span> <span class="mi">1</span> <span class="k">while</span> <span class="kc">True</span><span class="p">:</span> <span class="k">yield</span> <span class="n">a</span> <span class="p">(</span><span class="n">a</span><span class="p">,</span> <span class="n">b</span><span class="p">)</span> <span class="o">=</span> <span class="p">(</span><span class="n">b</span><span class="p">,</span> <span class="n">a</span> <span class="o">+</span> <span class="n">b</span><span class="p">)</span> </code></pre></div> <p>La faríem servir així:</p> <div class="codehilite"><pre><span></span><code><span class="o">&gt;&gt;</span><span class="p">&gt;</span><span class="w"> </span><span class="nx">a</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="nx">fib</span><span class="p">()</span> <span class="o">&gt;&gt;</span><span class="p">&gt;</span><span class="w"> </span><span class="k">type</span><span class="p">(</span><span class="nx">a</span><span class="p">)</span> <span class="p">&lt;</span><span class="kd">class</span><span class="w"> </span><span class="err">&#39;</span><span class="nx">generator</span><span class="err">&#39;</span><span class="p">&gt;</span> <span class="o">&gt;&gt;</span><span class="p">&gt;</span><span class="w"> </span><span class="nx">next</span><span class="p">(</span><span class="nx">a</span><span class="p">)</span> <span class="mi">1</span> <span class="o">&gt;&gt;</span><span class="p">&gt;</span><span class="w"> </span><span class="nx">next</span><span class="p">(</span><span class="nx">a</span><span class="p">)</span> <span class="mi">1</span> <span class="o">&gt;&gt;</span><span class="p">&gt;</span><span class="w"> </span><span class="nx">next</span><span class="p">(</span><span class="nx">a</span><span class="p">)</span> <span class="mi">2</span> <span class="o">&gt;&gt;</span><span class="p">&gt;</span><span class="w"> </span><span class="nx">next</span><span class="p">(</span><span class="nx">a</span><span class="p">)</span> <span class="mi">3</span> <span class="o">&gt;&gt;</span><span class="p">&gt;</span><span class="w"> </span><span class="nx">next</span><span class="p">(</span><span class="nx">a</span><span class="p">)</span> <span class="mi">5</span> <span class="o">&gt;&gt;</span><span class="p">&gt;</span><span class="w"> </span><span class="nx">next</span><span class="p">(</span><span class="nx">a</span><span class="p">)</span> <span class="mi">8</span> <span class="o">&gt;&gt;</span><span class="p">&gt;</span><span class="w"> </span><span class="nx">next</span><span class="p">(</span><span class="nx">a</span><span class="p">)</span> <span class="mi">13</span> </code></pre></div> <p>Si ens hi fixem, la funció <code>fib</code> conté un bucle infinit (<code>while True</code>)! Però <code>a = fib()</code> retorna de seguida! No només això, <code>a</code> acaba essent de tipus <code>generator</code>.</p> <p>La màgia és que aquest <code>generator</code> és iterable, en particular podem anar-hi avançant amb <code>next</code> per obtenir el següent nombre de Fibonacci.</p> <p>Només es generen exactament aquells nombres de Fibonacci que necessitem.</p> <p>Aquest concepte és força útil i en <a href="https://python.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Python</a> modern es fa servir moltíssim.</p> <p>Hi ha maneres molt, i molt interessants de fer-los servir :-) però no era el tema, el tema era per què cal <code>yield</code> amb <a href="https://docs.scrapy.org/en/latest/index.html" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Scrapy</a>, i amb <a href="https://twistedmatrix.com" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Twisted</a>.</p> <h1 id="per-que-cal-el-yield-amb-scrapytwisted">Per què cal el <code>yield</code> amb <a href="https://docs.scrapy.org/en/latest/index.html" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Scrapy</a>/<a href="https://twistedmatrix.com" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Twisted</a>?</h1> <p>Doncs&hellip; Perquè a <a href="https://python.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Python</a> no hi havia <code>async</code> i <code>await</code> fa 20 anys!</p> <p>La primera versió de <a href="https://twistedmatrix.com" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Twisted</a> va sortir al 2002. Aleshores el concepte de programació asíncrona no era tan comú com ho és ara, i per descomptat <a href="https://python.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Python</a> no ho suportava.</p> <h2 id="parentesi-de-programacio-asincrona">Parèntesi de programació asíncrona</h2> <p>Ja que hem mencionat el concepte un parell de vegades, caldrà il·lustrar-ho breument:</p> <p>Tradicionalment un programa s&rsquo;executa de forma seqüencial, és a dir en l&rsquo;ordre en què estan escrites les instruccions.</p> <p>En el món real però, especialment en el món de les xarxes, fer-ho d&rsquo;aquesta manera és altament ineficient.</p> <p>Ja que parlem de <a href="https://docs.scrapy.org/en/latest/index.html" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Scrapy</a>, pensem en la tasca <em>&ldquo;descarregar la primera plana de 1000 pàgines web&rdquo;</em>.</p> <p>Si ho fem de manera seqüencial, trigarem la suma de tots els temps de descàrrega, és a dir, si es triga <code>1 segon</code> per cada pàgina, trigarem <code>1000 segons</code>.</p> <p>Si ho fem de manera asíncrona, es facilita paral·lelitzar aquesta tasca, el que fem és començar la descàrrega d&rsquo;una pàgina web i rebre una notificació / &ldquo;callback&rdquo; quan aquesta descàrrega finalitza. Així, si podem fer 10 descàrregues paral·leles i triguem <code>1 segon</code> per descàrrega, la mateixa tasca trigarà <code>100 segons</code> (100 blocs de <code>1 segon</code> amb 10 descàrregues per bloc).</p> <h2 id="programacio-asincrona-en-python-modern">Programació asíncrona en <a href="https://python.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Python</a> modern</h2> <p>En <a href="https://python.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Python</a> modern es pot fer programació asíncrona sense necessitar altres llibreries, aquesta implementació va estar <a href="https://peps.python.org/pep-3156/#acknowledgments" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">molt influenciada</a> per les maneres de fer de <a href="https://twistedmatrix.com" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Twisted</a> i els 10 anys d&rsquo;experiència mantenint aquest tipus de codi en <a href="https://python.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Python</a>.</p> <p>Molt per sobre, per definir una funció asíncrona:</p> <div class="codehilite"><pre><span></span><code><span class="n">async</span><span class="w"> </span><span class="n">def</span><span class="w"> </span><span class="n">f</span><span class="p">()</span><span class="o">:</span> <span class="w"> </span><span class="c1"># Pausa l&#39;execució fins que `g` retorni</span> <span class="w"> </span><span class="n">b</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">await</span><span class="w"> </span><span class="n">g</span><span class="p">()</span> <span class="w"> </span><span class="c1"># Segueix fent altres coses</span> <span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="n">b</span><span class="o">**</span><span class="mi">2</span> </code></pre></div> <p>Podem fer servir <code>async def</code> per marcar la funció <code>f</code> com a asíncrona, i en el cos d&rsquo;aquesta funció podem fer servir <code>await</code> per &ldquo;esperar&rdquo; a que altres funcions asíncrones acabin, i així poder escriure codi que sembli seqüencial.</p> <p>En executar <code>f()</code>, no obtenim directament el resultat, sinó que obtenim una <code>coroutine</code> (segons com una <code>Promise</code>).</p> <p>Aquests són els noms que més es fan servir avui dia per aquests conceptes, en part perquè es van popularitzar amb <a href="https://nodejs.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Node.js</a> al 2009.</p> <h2 id="programacio-asincrona-amb-twisted">Programació asíncrona amb <a href="https://twistedmatrix.com" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Twisted</a></h2> <p>No és molt diferent! Però per aconseguir-ho va caldre abusar conceptes que ja estaven disponibles en <a href="https://python.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Python</a> aleshores, com ara els generators!</p> <div class="codehilite"><pre><span></span><code><span class="kn">from</span> <span class="nn">twisted.internet</span> <span class="kn">import</span> <span class="n">defer</span> <span class="nd">@defer</span><span class="o">.</span><span class="n">inlineCallbacks</span> <span class="k">def</span> <span class="nf">f</span><span class="p">():</span> <span class="c1"># Pausa l&#39;execució fins que `g` retorni</span> <span class="n">b</span> <span class="o">=</span> <span class="k">yield</span> <span class="n">g</span><span class="p">()</span> <span class="c1"># Segueix fent altres coses</span> <span class="n">defer</span><span class="o">.</span><span class="n">returnValue</span><span class="p">(</span><span class="n">b</span><span class="o">**</span><span class="mi">2</span><span class="p">)</span> </code></pre></div> <p>Podem fer servir el decorador <code>defer.inlineCallbacks</code> per &ldquo;marcar la funció <code>f</code> com a asíncrona&rdquo;, i en el cos d&rsquo;aquesta funció podem fer servir <code>yield</code> per &ldquo;esperar&rdquo; a que altres funcions asíncrones acabin, i així poder escriure codi que sembli seqüencial.</p> <p>En executar <code>f()</code>, no obtenim directament el resultat, sinó que obtenim un <code>twisted.internet.defer.Deferred</code>.</p> <p>Conceptualment molt semblant, però força diferent a la vista. Per què?</p> <p>Doncs en no tenir els conceptes dintre del llenguatge, desenvolupadors com <a href="https://en.wikipedia.org/wiki/Glyph_Lefkowitz" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Glyph Lefkowitz</a> van tenir idees molt bones; si ens hi fixem, fer servir <code>yield</code> al cos de la funció, vol dir que <code>f</code> retorna un <code>generator</code> i no pas un resultat.</p> <p>De fet, no tenim ben bé una manera de marcar &ldquo;el que <code>f</code> retorna&rdquo;, perquè cada operació que fem de manera asíncrona necessitarà un <code>yield</code>.</p> <p>D&rsquo;aquí que necessitem ambdós: <code>defer.inlineCallbacks</code> i <code>defer.returnValue</code>.</p> <p>Amb el decorador <a href="https://docs.twistedmatrix.com/en/stable/api/twisted.internet.defer.html#inlineCallbacks" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank"><code>defer.inlineCallbacks</code></a>, el que fem és convertir aquesta funció, en quelcom que ens retorna un <code>Deferred</code>, i amb <code>defer.returnValue</code> el que fem és especificar quin serà el valor de retorn d&rsquo;aquest <code>Deferred</code>.</p> <p>Els <a href="https://docs.twistedmatrix.com/en/stable/api/twisted.internet.defer.Deferred.html" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank"><code>Deferreds</code></a>, com les <code>Promises</code>, en el fons són molt equivalents, són un objecte de <a href="https://python.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Python</a>, que ens representa un procés o càlcul que encara no ha finalitzat.</p> <p>A aquests objectes els podem afegir manualment <code>callbacks</code>, per tal d&rsquo;encadenar processos o podem fer servir <code>yield</code> dintre de funcions marcades com a asíncrones amb <code>defer.inlineCallbacks</code> per tal d&rsquo;esperar el seu resultat.</p> <h1 id="conclusio">Conclusió</h1> <p>La sintaxi &ldquo;nova&rdquo; de <a href="https://python.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Python</a> per programació asíncrona és molt bonica!</p> <p>I <a href="https://twistedmatrix.com" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Twisted</a>, en ser una llibreria tan innovadora, encara no se&rsquo;n beneficia al 100%. En part és perquè el canvi de Python 2 a Python 3 va trigar força, perquè la base de codi és molt extensa (hi ha <em>molts</em> protocols implementats), en part també perquè l&rsquo;ecosistema <code>async</code> a <a href="https://python.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Python</a> va trigar en estabilitzar-se.</p> <p>La realitat és que a dia d&rsquo;avui es pot escriure codi que faci servir <a href="https://twistedmatrix.com" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Twisted</a> amb la sintaxi nova! Tot i això, molt sovint és útil saber d&rsquo;on venim :-) perquè la compatibilitat no és perfecta, i a vegades ens trobem amb la necessitat d&rsquo;escriure codi amb la sintaxi antiga; a més a més, entenent això podrem entendre els tutorials i el codi de les llibreries que necessitem, com <a href="https://docs.scrapy.org/en/latest/index.html" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Scrapy</a>!</p> <p>Per cert, que quedi clar que <a href="https://twistedmatrix.com" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Twisted</a> encara és un projecte rellevant! De fet, avui mateix s&rsquo;ha anunciat la pre-release d&rsquo;una nova versió: <a href="https://mail.python.org/archives/list/twisted@python.org/thread/LBYWFR4LL3WYG3YEHQBRHAWMHR7CTOK5/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">22.8.0</a>.</p>2021-06-05T00:00:00Zurn:uuid:f0cdb7f4-a848-37b2-8b0e-d370bad1949e<h1 id="introduccio">Introducció</h1> <p>A molts webs, particularment els de les <a href="consadmin">administracions</a> és evident que les coses es dissenyen perquè siguin pràctiques per qui les desenvolupa (teòricament més barat) i no pas per qui les utilitza (major utilitat).</p> <p>Una cosa que no es coneix gaire, és que molt sovint podem afegir les nostres personalitzacions a sobre per arreglar aquestes pífies.</p> <p>Aquí veurem un exemple del portal de notes de la Generalitat de Catalunya, es diu Esfer@.</p> <h1 id="taula-de-continguts">Taula de continguts</h1> <div class="toc"> <ul> <li><a href="#introduccio">Introducció</a></li> <li><a href="#taula-de-continguts">Taula de continguts</a></li> <li><a href="#les-pifies">Les pífies</a></li> <li><a href="#les-millores">Les millores</a></li> <li><a href="#obtenint-o-creant-aquestes-millores">Obtenint (o creant) aquestes millores</a><ul> <li><a href="#primer-pas-firefox-amb-greasemonkey">Primer pas: Firefox amb Greasemonkey</a></li> <li><a href="#segon-pas-millores-esfera">Segon pas: millores esfera</a></li> <li><a href="#tercer-pas-libreoffice">Tercer pas: LibreOffice</a></li> <li><a href="#altres-webs">Altres webs</a></li> </ul> </li> <li><a href="#conclusio">Conclusió</a></li> </ul> </div> <h1 id="les-pifies">Les pífies</h1> <p>En la Educació Secundària Obligatòria és necessari posar un comentari per cada alumne, veiem com és la interfície per fer-ho:</p> <p><img alt="esfera_pifia" src="/en/blog/2021-fixing-web-pitfalls-with-greasemonkey/esfera_pifia.png" /></p> <p>A l&rsquo;esquerra hi ha un desplegable per seleccionar la nota de cada alumne (representat en una fila) i a la dreta hi ha un botó, en color <em>vermell</em> ens informa que hi ha un comentari posat, en color <em>gris</em> que no n&rsquo;hi ha.</p> <p>En fer-hi click, s&rsquo;obre un diàleg modal (que &ldquo;ocupa&rdquo; tota la pantalla) on podem posar el comentari, hem de fer click de nou en <strong>desa</strong> i anar pel següent alumne.</p> <p>Sembla poc pràctic? Ho és. Addicionalment, la sessió d&rsquo;usuari caduca després de 30 minuts, així que: posa comentari personalitzat a tots els alumnes del curs de la ESO en 30 minuts o tota la teva feina es perd.</p> <p>És un desastre, vaja.</p> <h1 id="les-millores">Les millores</h1> <p>Les millores fan aquesta pinta tan senzilla:</p> <p><img alt="esfera_millores" src="/en/blog/2021-fixing-web-pitfalls-with-greasemonkey/esfera_millores.png" /></p> <p>Afegim 3 botons a l&rsquo;apartat d&rsquo;avaluacions per grup i matèria:</p> <ul> <li><code>Explicació millores Esfer@</code>: un enllaç a aquest document explicatiu</li> <li><code>Baixar CSV</code>: genera i baixa un fitxer <code>notes.csv</code> on podreu emplenar les notes i els comentaris amb tranquilitat. Aquest fitxer <code>CSV</code> és quasi un full de càlcul, no cal explicar res més; heu de modificar/emplenar les columnes de <code>Nota</code> i de <code>Comentari</code>. Caldrà que feu servir <a href="https://www.libreoffice.org/download/download/?lang=ca" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">LibreOffice</a> (vegeu també més abaix el perquè).</li> <li><code>Importar CSV</code>: demana triar el fitxer <code>notes.csv</code> modificat i aplica els canvis de nota i comentari, posteriorment refresca la pàgina perquè ho comproveu. Recordeu que la responsabilitat és vostra!</li> </ul> <p>Ha estat provat amb la ESO i el Batxillerat (per tant amb notes &ldquo;qualitatives&rdquo; i quantitatives), i en notes de trimestre i finals.</p> <h1 id="obtenint-o-creant-aquestes-millores">Obtenint (o creant) aquestes millores</h1> <h2 id="primer-pas-firefox-amb-greasemonkey">Primer pas: <a href="https://getfirefox.com" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Firefox</a> amb <a href="https://addons.mozilla.org/en-US/firefox/addon/greasemonkey/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Greasemonkey</a></h2> <p>Fem servir <a href="https://getfirefox.com" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Firefox</a> i la extensió <a href="https://addons.mozilla.org/en-US/firefox/addon/greasemonkey/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Greasemonkey</a>.</p> <p>La extensió <a href="https://www.greasespot.net" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Greasemonkey</a>, permet afegir &ldquo;scripts&rdquo; (codi) personalitzat a certs webs, d&rsquo;aquesta manera podem interactuar amb aquests webs amb Interfície d&rsquo;Usuari / Experiència d&rsquo;Usuari poc satisfactòria i&hellip; Bé, solucionar-nos la vida una mica.</p> <h2 id="segon-pas-millores-esfera">Segon pas: <a href="/en/blog/2021-fixing-web-pitfalls-with-greasemonkey/esfera.user.js">millores esfera</a></h2> <p>Un cop instal·lat el <a href="https://www.greasespot.net" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Greasemonkey</a>, només cal que <a href="/en/blog/2021-fixing-web-pitfalls-with-greasemonkey/esfera.user.js">feu click aquí</a>. I ara, sempre que estigueu a la part d&rsquo;avaluacions de l&rsquo;Esfer@ (per grup i matèria), després d&rsquo;uns segons apareixeran aquests 3 botons que hem mencionat.</p> <p>En visitar qualsevol enllaç que acabi amb <code>.user.js</code> ensenyarà un diàleg preguntant si volem instal·lar aquest codi personalitzat.</p> <p>Això és una cosa que hem de fer amb cura, en aquest cas però, espero que us en fieu (i si no, comproveu o demaneu a algú que comprovi el codi!).</p> <h2 id="tercer-pas-libreoffice">Tercer pas: <a href="https://www.libreoffice.org/download/download/?lang=ca" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">LibreOffice</a></h2> <p>És super important fer servir <a href="https://www.libreoffice.org/download/download/?lang=ca" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">LibreOffice</a> i no pas Excel o semblants.</p> <p>El motiu és que Excel no reconeix el format del fitxer fàcilment i tampoc el manté de manera senzilla; en canvi amb <a href="https://www.libreoffice.org/download/download/?lang=ca" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">LibreOffice</a> només heu de confirmar que fa bona pinta i fer click en <code>Ok</code>. I sobre tot en desar canvis: <code>Desar en format CSV</code> sempre.</p> <h2 id="altres-webs">Altres webs</h2> <p>En altres webs podeu fer coses semblants, el web de <a href="https://www.greasespot.net" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Greasemonkey</a> te molta informació (en anglès), us podeu administrar aquest tipus de millores com vulgueu.</p> <h1 id="conclusio">Conclusió</h1> <p>Tot te solució :-). No sempre hem d&rsquo;acceptar el que ens ofereixen, que hi ha molts interessos i no sempre estan alineats amb els nostres.</p> <p>En aquest cas, amb 4 clicks us podeu estalviar molta frustració, errades i podeu revisar que els comentaris (i per tant la vostra feina) estiguin ben fets.</p> <p>Recordeu també que <strong>és la vostra responsabilitat comprovar que tot estigui bé</strong>. Això us pot ajudar i donar comoditat, però al final la responsabilitat és vostra!</p> <p>Si això us és útil, em podeu <a href="/ca/quant-a/">convidar a un cafè o a dinar</a> o també em podeu <a href="/ca/quant-a/">contractar</a> en alguna de les moltes coses relacionades amb ordinadors, xarxes, sistemes, etc. que faig ^^.</p>2021-01-05T00:00:00Zurn:uuid:70264264-a090-3eac-93b7-a6532afbc691<h1 id="introduction">Introduction</h1> <p>Fellow human <a href="https://bsd.network/@LeJax/105498957095356726" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">@LeJax@bsd.network</a> has been trying to setup IPv6-enabled VNET Jails in <a href="https://FreeBSD.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">FreeBSD</a>.</p> <p>This, turns out, can be a bit frustrating, because all the tools are there, but the tricks are not widely documented.</p> <p>In an attempt to fix that, I am going to document all the tricks and sources I have found (and remember) that were necessary until I got a working and reproducible setup. Hopefully this will not only help LeJax, but also it will review my notes and allow them (or someone else) to prepare a nice general-use write up on this topic that might be useful to others.</p> <p>I use <a href="https://cdi.st" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">cdist</a> and <a href="https://github.com/iocage/iocage/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">iocage</a> extensively, but the general tricks should be valid without any or either of those.</p> <h1 id="table-of-contents">Table of Contents</h1> <div class="toc"> <ul> <li><a href="#introduction">Introduction</a></li> <li><a href="#table-of-contents">Table of Contents</a></li> <li><a href="#general-notes">General notes</a><ul> <li><a href="#reminder-about-freebsd-jails">Reminder about FreeBSD jails</a></li> <li><a href="#note-on-iocage">Note on iocage</a></li> <li><a href="#note-on-cdist">Note on cdist</a></li> </ul> </li> <li><a href="#networking-options-for-ipv6-vnet-jails">Networking options for IPv6 VNET jails</a><ul> <li><a href="#vnet-virtualised-network-stack">VNET: virtualised network stack</a></li> <li><a href="#option-a-jail-host-acts-as-a-router">Option A: jail host acts as a router</a></li> <li><a href="#option-b-bridge-to-public-interface">Option B: bridge to public interface</a></li> <li><a href="#option-c-no-slaac-static-routing">Option C: no SLAAC, static routing</a></li> <li><a href="#ipv6-accept_rtadv-and-auto_linklocal">IPv6: accept_rtadv and auto_linklocal</a></li> </ul> </li> <li><a href="#firewall-passing-the-devices">Firewall &ndash; Passing the devices</a></li> <li><a href="#using-my-cdist-types">Using my cdist types</a></li> <li><a href="#conclusion">Conclusion</a></li> </ul> </div> <h1 id="general-notes">General notes</h1> <h2 id="reminder-about-freebsd-jails">Reminder about <a href="https://FreeBSD.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">FreeBSD</a> jails</h2> <p>Jails on <a href="https://FreeBSD.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">FreeBSD</a> are a very useful OS tool that is tightly integrated with the rest of the Operating System, which means that, for the most part, issues regarding IPv6 in jails are actually issues with general networking and not specific to jails.</p> <h2 id="note-on-iocage">Note on <a href="https://github.com/iocage/iocage/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">iocage</a></h2> <p><a href="https://github.com/iocage/iocage/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">iocage</a> is a helper to create and manage jails, some like it, some don&rsquo;t. It itself doesn&rsquo;t do much magic, but has some ZFS integrations that I find useful. These notes should mostly apply to jails created with <code>jail(8)</code> as well.</p> <h2 id="note-on-cdist">Note on <a href="https://cdi.st" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">cdist</a></h2> <p><a href="https://cdi.st" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">cdist</a> is a &ldquo;usable configuration management system&rdquo;. It&rsquo;s basically shell on steroids to manage servers. If I cite a type, the <code>manifest</code> and <code>gencode-remote</code> (optionally the <code>explorer/*</code>) files should be reviewed. These should contain enough comments to be understandable and to identify the relevant bits.</p> <h1 id="networking-options-for-ipv6-vnet-jails">Networking options for IPv6 VNET jails</h1> <h2 id="vnet-virtualised-network-stack">VNET: virtualised network stack</h2> <blockquote> <p>From <code>vnet(9)</code>:</p> <div class="codehilite"><pre><span></span><code><span class="n">VNET</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="n">of</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="n">technique</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">virtualize</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">network</span><span class="w"> </span><span class="n">stack</span><span class="o">.</span><span class="w"> </span><span class="n">The</span> <span class="n">basic</span><span class="w"> </span><span class="n">idea</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">change</span><span class="w"> </span><span class="n">global</span><span class="w"> </span><span class="n">resources</span><span class="w"> </span><span class="n">most</span><span class="w"> </span><span class="n">notably</span><span class="w"> </span><span class="n">variables</span><span class="w"> </span><span class="n">into</span><span class="w"> </span><span class="n">per</span> <span class="n">network</span><span class="w"> </span><span class="n">stack</span><span class="w"> </span><span class="n">resources</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">have</span><span class="w"> </span><span class="n">functions</span><span class="p">,</span><span class="w"> </span><span class="n">sysctls</span><span class="p">,</span><span class="w"> </span><span class="n">eventhandlers</span><span class="p">,</span><span class="w"> </span><span class="n">etc</span><span class="o">.</span> <span class="n">access</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">handle</span><span class="w"> </span><span class="n">them</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">context</span><span class="w"> </span><span class="n">of</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">correct</span><span class="w"> </span><span class="n">instance</span><span class="o">.</span><span class="w"> </span><span class="n">Each</span> <span class="p">(</span><span class="n">virtual</span><span class="p">)</span><span class="w"> </span><span class="n">network</span><span class="w"> </span><span class="n">stack</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="n">attached</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="n">prison</span><span class="p">,</span><span class="w"> </span><span class="n">with</span><span class="w"> </span><span class="n">vnet0</span><span class="w"> </span><span class="n">being</span><span class="w"> </span><span class="n">the</span> <span class="n">unrestricted</span><span class="w"> </span><span class="n">default</span><span class="w"> </span><span class="n">network</span><span class="w"> </span><span class="n">stack</span><span class="w"> </span><span class="n">of</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">base</span><span class="w"> </span><span class="n">system</span><span class="o">.</span> </code></pre></div> </blockquote> <p>With <code>VNET(9)</code>, our jails basically become a separated machine network-wise. We can (and maybe want to) also run a firewall on the jail itself.</p> <p>It also means we have to take care of networking somehow; this is usually the tricky bit. For IPv4 that means: static addresses or DHCP, for IPv6 that might mean SLAAC.</p> <p>Because of IPv6 nature, the usual tricks for IPv4 of using NAT / port forwarding are a subpar solution, so we shouldn&rsquo;t necessarily just try to replicate that.</p> <h2 id="option-a-jail-host-acts-as-a-router">Option A: jail host acts as a router</h2> <p>Depending on how that is happening, our host might need to act as a router (the <code>sysctl</code> nodes: <code>net.inet.ip.forwarding</code> / <code>net.inet6.ip6.forwarding</code> set to <code>1</code>, <code>dhcpd(8)</code> and <code>rtadvd(8)</code> running, &hellip;, see: <a href="/en/blog/2019-FreeBSD-eXO-router/">FreeBSD router</a>).</p> <p>This might be the case if, e.g. we assign a <code>/64</code> to the jails in a given host.</p> <div class="codehilite"><pre><span></span><code><span class="o">|</span><span class="w"> </span><span class="n">jail</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">jail</span><span class="w"> </span><span class="n">host</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">vnet</span><span class="w"> </span><span class="o">|</span> <span class="o">|</span><span class="w"> </span><span class="n">host</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="o">&lt;--&gt;</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">bridge</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="o">&lt;--&gt;</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">jail</span><span class="w"> </span><span class="o">|</span> <span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="p">(</span><span class="n">optional</span><span class="p">)</span><span class="w"> </span><span class="o">|</span> <span class="n">Has</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="n">Receives</span><span class="w"> </span><span class="n">uses</span><span class="w"> </span><span class="n">SLAAC</span> <span class="n">routed</span><span class="w"> </span><span class="n">rtadv</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">gain</span><span class="w"> </span><span class="n">IPv6</span> <span class="o">/</span><span class="mi">64</span><span class="w"> </span><span class="n">for</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="o">/</span><span class="mi">64</span><span class="w"> </span><span class="n">connectivity</span> <span class="n">Runs</span> <span class="n">rtadvd</span><span class="p">(</span><span class="mi">8</span><span class="p">)</span> </code></pre></div> <p>If we do this, some important things to take into account:</p> <ul> <li>The jail host will need to forward packages (<code>ipv6_gateway_enable=YES</code> in <code>/etc/rc.conf</code>, which results in <code>sysctl net.inet6.ip6.forwarding=1</code>)</li> <li>The jail host will have to run <code>rtadvd(8)</code> in a way that reaches the jails</li> <li>Depending on the setup, <code>ipv6_cpe_wanif</code> should be set in <code>/etc/rc.conf</code> if the jail host needs to accept route advertisements on some interface.</li> </ul> <p>In any case <code>rc.conf(5)</code> has more information on these settings.</p> <h2 id="option-b-bridge-to-public-interface">Option B: bridge to public interface</h2> <p>This might be easier to setup if it matches our security needs and we already have a working router with SLAAC.</p> <div class="codehilite"><pre><span></span><code><span class="w"> </span><span class="err">·</span><span class="o">--&gt;</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">jail</span><span class="w"> </span><span class="n">host</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">firewall</span><span class="w"> </span><span class="n">passes</span> <span class="w"> </span><span class="o">/</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="kr">interface</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">traffic</span><span class="w"> </span><span class="n">on</span><span class="w"> </span><span class="n">bridge</span> <span class="o">|</span><span class="w"> </span><span class="n">router</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="o">&lt;--&gt;</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">jail</span><span class="w"> </span><span class="n">host</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="o">&lt;--</span><span class="err">·</span><span class="w"> </span><span class="p">(</span><span class="n">switch</span><span class="o">-</span><span class="n">like</span><span class="p">)</span> <span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">bridge</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="o">&lt;--</span><span class="err">·</span> <span class="w"> </span><span class="err">\</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">vnet</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">uses</span><span class="w"> </span><span class="n">SLAAC</span><span class="w"> </span><span class="n">to</span> <span class="n">Pre</span><span class="o">-</span><span class="n">existing</span><span class="w"> </span><span class="err">·</span><span class="o">--&gt;</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">jail</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">gain</span><span class="w"> </span><span class="n">IPv6</span> <span class="n">Does</span><span class="w"> </span><span class="n">SLAAC</span><span class="w"> </span><span class="n">Connectivity</span> </code></pre></div> <h2 id="option-c-no-slaac-static-routing">Option C: no SLAAC, static routing</h2> <p>This gets a tad complicated to manage and I haven&rsquo;t tested it.</p> <p>The network schemes might look a lot like Option A and Option B depending on how we actually do it, but it doesn&rsquo;t have to.</p> <p>The main difference being that instead of SLAAC + ND + DAD, we are potentially routing things somehow else.</p> <h2 id="ipv6-accept_rtadv-and-auto_linklocal">IPv6: <code>accept_rtadv</code> and <code>auto_linklocal</code></h2> <p>This is actually the key point to get everything to work.</p> <p>There is a bug in the latest <a href="https://github.com/iocage/iocage/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">iocage</a> release (1.2 in January 2021), in which newly created jails are not properly prepared for IPv6. This is fixed in the development branch (see <a href="https://github.com/iocage/iocage/commit/5f1574e4a738108ad2bd1b6454bec2e9a14f4c6c" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">commit</a>).</p> <p>For regular jails, and before <a href="https://github.com/iocage/iocage/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">iocage</a> has release beyond 1.2, we have to manually ensure that the interface is properly setup.</p> <p>In any case, we do need linklocal addresses, in order for Neighbour Discovery (ND) to work.</p> <div class="codehilite"><pre><span></span><code><span class="err">#</span><span class="w"> </span><span class="nx">Inside</span><span class="w"> </span><span class="nx">the</span><span class="w"> </span><span class="nx">Jail</span> <span class="err">#</span><span class="w"> </span><span class="nx">Partial</span><span class="w"> </span><span class="nx">contents</span><span class="w"> </span><span class="nx">of</span><span class="w"> </span><span class="o">/</span><span class="nx">etc</span><span class="o">/</span><span class="nx">rc</span><span class="p">.</span><span class="nx">conf</span> <span class="err">#</span><span class="w"> </span><span class="nx">Get</span><span class="w"> </span><span class="nx">an</span><span class="w"> </span><span class="nx">IPv4</span><span class="w"> </span><span class="nx">on</span><span class="w"> </span><span class="nx">jail</span><span class="w"> </span><span class="nx">start</span><span class="w"> </span><span class="nx">with</span><span class="w"> </span><span class="nx">DHCP</span> <span class="nx">ifconfig_epair0b</span><span class="p">=</span><span class="s">&quot;SYNCDHCP&quot;</span> <span class="err">#</span><span class="w"> </span><span class="nx">Ensure</span><span class="w"> </span><span class="nx">we</span><span class="w"> </span><span class="nx">accept</span><span class="w"> </span><span class="nx">route</span><span class="w"> </span><span class="nx">advertisements</span><span class="w"> </span><span class="k">and</span><span class="w"> </span><span class="nx">have</span><span class="w"> </span><span class="nx">a</span><span class="w"> </span><span class="nx">linklocal</span><span class="w"> </span><span class="nx">address</span> <span class="nx">ifconfig_emailr0b_ipv6</span><span class="p">=</span><span class="s">&quot;inet6 accept_rtadv auto_linklocal&quot;</span> </code></pre></div> <h1 id="firewall-passing-the-devices">Firewall &ndash; Passing the devices</h1> <p>Nowadays it should be safe to use, e.g. <code>pf(4)</code> on VNET jails (TODO: citation needed, it&rsquo;s somewhere on the freebsd-net/freebsd-questions ML).</p> <p>We basically setup the firewall as usual, except that, by default, the <code>devfs.rules(5)</code> do not expose the necessary packet filter devices.</p> <p>Something similar might apply for <code>ipfw(4)</code>.</p> <div class="codehilite"><pre><span></span><code>#<span class="w"> </span><span class="nv">In</span><span class="w"> </span><span class="nv">the</span><span class="w"> </span><span class="nv">Jail</span><span class="w"> </span><span class="nv">Host</span>: #<span class="w"> </span><span class="nv">Partial</span><span class="w"> </span><span class="nv">contents</span><span class="w"> </span><span class="nv">of</span><span class="w"> </span><span class="o">/</span><span class="nv">etc</span><span class="o">/</span><span class="nv">devfs</span>.<span class="nv">rules</span> [<span class="nv">devfsrules_iocage</span><span class="o">=</span><span class="mi">5</span>] <span class="nv">add</span><span class="w"> </span><span class="k">include</span><span class="w"> </span><span class="mh">$de</span><span class="nv">vfsrules_jail</span> <span class="nv">add</span><span class="w"> </span><span class="nv">path</span><span class="w"> </span><span class="nv">pf</span><span class="w"> </span><span class="nv">unhide</span> <span class="nv">add</span><span class="w"> </span><span class="nv">path</span><span class="w"> </span><span class="nv">pflog</span><span class="w"> </span><span class="nv">unhide</span> <span class="nv">add</span><span class="w"> </span><span class="nv">path</span><span class="w"> </span><span class="nv">pfsynv</span><span class="w"> </span><span class="nv">unhide</span> </code></pre></div> <p>Changing this file requires a <code>service devfs restart</code>.</p> <p>And we have to make sure that our jails use this set of <code>devfs</code> rules.</p> <div class="codehilite"><pre><span></span><code>iocage<span class="w"> </span>set<span class="w"> </span>devfs_ruleset=5<span class="w"> </span><span class="cp">${</span><span class="n">JAIL</span><span class="cp">}</span> </code></pre></div> <p>In any case, care should be taken not to block too much (e.g. blocking all <code>icmp6</code> will utterly break IPv6 connectivity).</p> <h1 id="using-my-cdist-types">Using my <a href="https://cdi.st" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">cdist</a> types</h1> <p>I wrote a couple <a href="https://git.sr.ht/~evilham/cdist-evilham/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">cdist types</a> that take care of all this in a reliable fashion. You can find them and the source for other useful <a href="https://cdi.st" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">cdist</a> types on <a href="https://git.sr.ht/~evilham/cdist-evilham/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">my cdist repository</a>.</p> <ul> <li><a href="https://git.sr.ht/~evilham/cdist-evilham/tree/main/item/type/__evilham_iocage" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">__evilham_iocage</a>: Setup the jail host with iocage to be ready for IPv6-enabled jails.</li> <li><a href="https://git.sr.ht/~evilham/cdist-evilham/tree/main/item/type/__evilham_iocage_jail" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">__evilham_iocage_jail</a>: Create and maintain an IPv6-enabled jail.</li> </ul> <p>And the <code>manifest</code> for the jail host looks like this:</p> <div class="codehilite"><pre><span></span><code># Setup the jail host __evilham_iocage --zpool jails # Create/update the necessary jails require=&quot;__evilham_iocage&quot; __evilham_iocage_jail \ &quot;jail.example.org&quot; \ --bridge &quot;bridge0&quot; </code></pre></div> <p>Then I can setup DNS and <code>ssh -6 jail.example.org</code>, or use a <a href="https://cdi.st" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">cdist</a> manifest to set up the service.</p> <h1 id="conclusion">Conclusion</h1> <p>Hopefully this contains enough pointers to help others figure out IPv6-enabled jails, and to document this in a more generic fashion for everyone else.</p> <p>If this was useful for you, do <a href="/en/about/">let me know</a>.</p>2020-12-12T00:00:00Zurn:uuid:cae3bdd1-a43c-3cbc-8a49-fabf0f27767f<h1 id="introduction">Introduction</h1> <p>Putting this here because of its overall quality, significance and for easy future access.</p> <h1 id="the-letter">The letter</h1> <h2 id="envelope">Envelope</h2> <p>von: Rainer Maria Rilke</p> <p>an: Friedrich Westhoff</p> <p>Rom, am 29. April 1904</p> <h2 id="body">Body</h2> <p>Mein lieber Friedrich,</p> <p>wir haben durch Mutter in dieser Zeit öfters von dir gehört, und, ohne Genaueres von dir zu wissen, fühlen wir doch, dass du eine schwere Zeit hast. Mutter wird dir nicht helfen können, denn im Grunde kann keiner im Leben dem anderen helfen; das erfährt man immer wieder in jedem Konflikt und jeder Verwirrung: dass man allein ist.</p> <p>Das ist nicht so schlimm, wie es auf den ersten Blick scheinen mag; es ist auch wieder das Beste im Leben, dass jeder alles in sich selbst hat: sein Schicksal, seine Zukunft, seine ganze Weite und Welt. Nun gibt es freilich Momente, wo es schwer ist, in sich zu sein und innerhalb des eigenen Ichs auszuhalten; es geschieht, dass man gerade in den Augenblicken, da man fester und – fast müsste man sagen – eigensinniger denn je an sich festhalten sollte, sich an etwas Äußeres anschließt, während wichtiger Ereignisse den eigenen Mittelpunkt aus sich heraus in Fremdes, in einen anderen Menschen verlegt. Das ist gegen die allereinfachsten Gesetze des Gleichgewichts, und es kann nur Schweres dabei herauskommen.</p> <p>Clara und ich, lieber Friedrich, wir haben uns gerade darin gefunden und verstanden, dass alle Gemeinsamkeit nur im Erstarken zweier benachbarter Einsamkeiten bestehen kann, dass aber alles, was man Hingabe zu nennen pflegt, seinem Wesen nach der Gemeinsamkeit schädlich ist: Denn wenn ein Mensch sich verlässt, so ist er nichts mehr, und wenn zwei Menschen beide sich selbst aufgeben, um zueinander zu treten, so ist kein Boden mehr unter ihnen und ihr Beisammensein ist ein fortwährendes Fallen. – Wir haben, mein lieber Friedrich, nicht ohne große Schmerzen, solches erfahren, haben erfahren, was jeder, der ein eigenes Leben will, so oder so zu wissen bekommt.</p> <p>Ich werde einmal, wenn ich reifer und älter bin, vielleicht dazu kommen, ein Buch zu schreiben, ein Buch für junge Menschen; nicht etwa, weil ich glaube, etwas besser gekonnt zu haben als andere. Im Gegenteil, weil mir alles so viel schwerer geworden ist als anderen jungen Menschen von Kindheit an während meiner ganzen Jugend.</p> <p>Da habe ich immer und immer wieder erfahren, dass es kaum etwas Schwereres gibt, als sich lieb haben. Dass das Arbeit ist, Tagelohn, Friedrich, Tagelohn; weiß Gott, es gibt kein anderes Wort dafür. Sieh, und nun kommt noch dazu, dass die jungen Menschen auf so schweres Lieben nicht vorbereitet werden; denn die Konvention hat diese komplizierteste und äußerste Beziehung zu etwas Leichtem und Leichtsinnigem zu machen versucht, ihr den Schein gegeben, als könnten sie alle. Dem ist nicht so. Liebe ist etwas Schweres, und sie ist schwerer denn anderes, weil bei anderen Konflikten die Natur selbst den Menschern anhält, sich zu sammeln, sich ganz fest mit aller Kraft zusammenzufassen, während in der Steigerung der Liebe der Anreiz liegt, sich ganz fortzugeben. Aber denke doch nur, kann das etwas Schönes sein, sich fortzugeben nicht als Ganzes und Geordnetes, sondern so dem Zufall nach, Stück für Stück, wie es sich trifft? Kann solche Fortgabe, die einem Fortwerfen und Zerreißen so ähnlich sieht, etwas Gutes, kann sie Glück, Freude, Fortschritt sein? Nein, sie kann es nicht … Wenn du jemandem Blumen schenkst, so ordnest du sie vorher, nicht wahr? Aber junge Menschen, die sich lieb haben werfen sich einander hin in der Ungeduld und Hast ihrer Leidenschaft, und sie merken gar nicht, welcher Mangel an gegenseitiger Schätzung in dieser unaufgeräumten Hingabe liegt, merken es erst mit Staunen und Unwillen an dem Zerwürfnis, das aus aller dieser Unordnung zwischen ihnen entsteht. Und ist erst Uneinheit unter ihnen, dann wächst die Wirrnis mit jedem Tage; keiner von den beiden hat mehr etwas Unzerschlagenes, Reines und Unverdorbenes um sich, und mitten in der Trostlosigkeit eines Abbruchs suchen sie den Schein ihres Glückes [denn um des Glückes willen sollte all das doch sein] festzuhalten. Ach, sie vermögen sich kaum mehr zu entsinnen, was sie mit Glück meinten. In seiner Unsicherheit wird jeder immer ungerechter gegen den anderen; die einander wohltun wollten, berühren einer den anderen nun auf herrische und unduldsame Art, und im Bestreben, aus dem unhaltbaren und unerträglichen Zustand ihrer Wirrnis irgendwie herauszukommen, begehen sie den größten Fehler, der an menschlichen Beziehungen geschehen kann: sie werden ungeduldig. Sie drängen sich zu einem Abschluss, zu einer, wie sie glauben, endgültigen Entscheidung zu kommen, sie versuchen ihr Verhältnis, dessen überraschende Veränderungen sie erschreckt haben, ein für allemal festzustellen, damit es von nun ab „ewig“ [wie sie sagen] dasselbe bleibe. Das ist nur der letzte Irrtum in dieser langen Kette von aneinander festhaltenden Irrungen. Totes nicht einmal lässt sich endgültig festhalten [denn es zerfällt und verändert sich in seiner Art] wie viel weniger lässt sich Lebendes und Lebendiges ein für alle Mal abschließend behandeln. Leben ist ja gerade Sichverwandeln, und menschliche Beziehungen, die ein Lebensextrakt sind, sind das Veränderlichste von allem, steigen und fallen von Minute zu Minute, und Liebende sind diejenigen, in deren Beziehung und Berührung kein Augenblick dem anderen gleicht. Menschen, zwischen denen nie etwas Gewohntes, etwas schon einmal Dagewesenes vor sich geht, sondern lauter Neues, Unerwartetes, Unerhörtes. Es gibt solche Verhältnisse, die ein sehr großes, fast unerträgliches Glück sein müssen, aber sie können nur zwischen sehr reichen Menschen eintreten und zwischen solchen, die jeder für sich, reich, geordnet und versammelt sind, nur zwei weite, tiefe, eigene Welten können sie verbinden. – Junge Menschen – das liegt auf der Hand – können ein solches Verhältnis nicht gewinnen, aber sie können, wenn sie ihr Leben recht begreifen, langsam zu solchem Glück anwachsen und sich vorbereiten dafür. Sie müssen, wenn sie lieben, nicht vergessen, dass sie Anfänger sind, Stümper des Lebens, Lehrlinge in der Liebe, – müssen Liebe lernen, und dazu gehört [wie zu jedem Lernen] Ruhe, Geduld und Sammlung!</p> <p>Liebe ernst nehmen und leiden und wie eine Arbeit lernen, das ist es, Friedrich, was jungen Menschen nottut. – Die Leute haben, wie so vieles andere, auch die Stellung der Liebe im Leben missverstanden, sie haben sie zu Spiel und Vergnügen gemacht, weil sie meinten, dass Spiel und Vergnügen seliger denn Arbeit sei; es gibt aber nichts Glücklicheres als die Arbeit, und Liebe, gerade weil sie das äußerste Glück ist, kann nichts anderes als Arbeit sein. – Wer also liebt, der muss versuchen, sich zu benehmen, als ob er eine große Arbeit hätte: Er muss viel allein sein und in sich gehen und sich zusammenfassen und sich festhalten; er muss arbeiten; er muss etwas werden!</p> <p>Denn, Friedrich, glaube mir, je mehr man ist, je reicher ist alles, was man erlebt. Und wer in seinem Leben eine tiefe Liebe haben will, der muss sparen und sammeln dafür und Honig zusammentragen.</p> <p>Man muss nie verzweifeln, wenn einem etwas verloren geht, ein Mensch oder eine Freude oder ein Glück; es kommt alles noch herrlicher wieder. Was abfallen muss, fällt ab; was zu uns gehört, bleibt uns, denn es geht alles nach Gesetzen vor sich, die größer als unsere Einsicht sind und mit denen wir nur scheinbar im Widerspruch stehen. Man muss in sich selber leben und an das ganze Leben denken, an alle seine Millionen Möglichkeiten, Weiten und Zukünfte, denen gegenüber es nichts Vergangenes und Verlorenes gibt. –</p> <p>Wir denken so viel an dich, lieber Friedrich; unsere Überzeugung ist die: Dass du in der Wirrnis der Ereignisse längst, aus dir heraus, den eigenen einsamen Ausweg gefunden hättest, der allein helfen kann, wenn nicht die ganze Last des Militärjahres noch auf dir läge … Ich erinnere mich, dass nach meiner eingesperrten Militärschulzeit mein Freiheitsdrang und mein entstelltes Selbstgefühl [das sich erst allmählich von Bügen und Beulen, die man ihm beigebracht hatte, erholen musste] mich zu Verirrungen und Wünschen, die gar nicht zu meinem Leben gehören, treiben wollte, und es war mein Glück, dass meine Arbeit da war: In ihr fand ich mich und finde mich täglich in ihr und suche mich nirgends anders mehr. So tun wir beide; so ist Claras und mein Leben. Und du wirst auch dazu kommen, ganz gewiss. Sei guten Mutes, alles ist vor dir, und die Zeit, die mit Schwerem hingeht, ist nie verloren. Wir grüßen dich, lieber Friedrich, von Herzen:</p> <p>Rainer und Clara</p>2020-10-31T00:00:00Zurn:uuid:60ea9709-ef2f-3a06-9594-3453f9c635cf<h1 id="introduccion">Introducción</h1> <p>En tiempos de Pandemia, los encuentros sociales son principalmente digitales, esto incluye también encuentros técnicos, en el contexto de &ldquo;cosas de ordenadores&rdquo;.</p> <p>En los últimos meses hemos hecho talleres regulares de <a href="https://cdi.st" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">cdist</a>, y también algún curso de IPv6 con <a href="https://maadix.net" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">MaadiX</a>.</p> <p>Como la mayoría de contenido es texto, las herramientas habituales para compartir pantalla no son ideales. Esto se debe a que estas herramientas no transmiten el texto, sino que transmiten vídeo; es decir, imágenes comprimidas (simplificando un poco).</p> <p>Al enviar vídeo, tenemos varios problemas:</p> <ul> <li>Cada persona espectadora no puede configurar la fuente a sus necesidades / preferencias</li> <li>Se requiere un ancho de banda bastante superior</li> <li>Si la calidad de la conexión no es perfecta, esto puede resultar en que la herramienta usada baje la calidad y el texto sea ilegible</li> </ul> <p>Así que, como siempre, hacemos las cosas diferente. A petición &ldquo;popular&rdquo;, vamos a ver cómo.</p> <h1 id="tabla-de-contenido">Tabla de contenido</h1> <div class="toc"> <ul> <li><a href="#introduccion">Introducción</a></li> <li><a href="#tabla-de-contenido">Tabla de contenido</a></li> <li><a href="#una-terminal">Una terminal</a><ul> <li><a href="#varias-terminales-en-una-tmux">Varias terminales (en una): tmux</a></li> </ul> </li> <li><a href="#compartiendo-la-terminal-gotty">Compartiendo la terminal: GoTTY</a><ul> <li><a href="#integracion-con-tmux">Integración con tmux</a></li> <li><a href="#configurando-gotty">Configurando GoTTY</a></li> <li><a href="#usandolo-con-otras-personas-nginx-como-reverse-proxy-tls">Usándolo con otras personas: Nginx como reverse proxy + TLS</a></li> </ul> </li> <li><a href="#diapositivas-en-la-terminal-patat">&ldquo;Diapositivas&rdquo; en la terminal: patat</a></li> <li><a href="#otras-cosas-editando-texto">Otras cosas: editando texto, &hellip;</a></li> <li><a href="#conclusion">Conclusión</a></li> </ul> </div> <h1 id="una-terminal">Una terminal</h1> <p>Lo hacemos todo desde una terminal. La mayoría de personas involucradas están cómodas con la línea de comandos; y las que no, están cómodas leyendo documentación, así que es una elección bastante correcta.</p> <h2 id="varias-terminales-en-una-tmux">Varias terminales (en una): <a href="http://tmux.github.io/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">tmux</a></h2> <p>Una terminal única puede ser algo limitante, así que usamos <a href="http://tmux.github.io/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">tmux</a>. Un &ldquo;multiplexor&rdquo; de terminal.</p> <p>Para la persona que lo está usando, es como si hubiera una única terminal, pero realmente, con <code>Ctrl+b+c</code> podemos <strong>c</strong>ear una nueva terminal y con <code>Ctrl+b+n</code> y <code>Ctrl+b+p</code> respectivamente podemos movernos a la terminal siguiente (<strong>n</strong>ext) o la anterior (<strong>p</strong>revious).</p> <p>Para instalar <a href="http://tmux.github.io/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">tmux</a> podemos usar habitualmente los paquetes del sistema. En sistemas como <a href="https://OpenBSD.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">OpenBSD</a>, no hace falta porque está incluido en el sistema base :-).</p> <h1 id="compartiendo-la-terminal-gotty">Compartiendo la terminal: <a href="https://github.com/yudai/gotty/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">GoTTY</a></h1> <p>Esta es la parte interesante, después de evaluar varias opciones, <a href="https://github.com/yudai/gotty/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">GoTTY</a> es la que mejor configuración por defecto tenía y la que más control permitía a la persona usuaria.</p> <p>Para instalar <a href="https://github.com/yudai/gotty/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">GoTTY</a> en <a href="https://FreeBSD.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">FreeBSD</a> podemos usar <code>pkg install gotty</code>; en otros sistemas este paquete puede no estar disponible, pero hay versiones pre-compiladas en su repositorio. Ante la duda, compilar binarios de <a href="golang.org">Go</a> es sencillo :-). (Y hay instrucciones en la web de <a href="https://github.com/yudai/gotty/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">GoTTY</a>)</p> <h2 id="integracion-con-tmux">Integración con <a href="http://tmux.github.io/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">tmux</a></h2> <p>Este es el contenido de mi configuración de <a href="http://tmux.github.io/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">tmux</a>, en <code>~/.tmux.conf</code>:</p> <div class="codehilite"><pre><span></span><code><span class="c1"># Activar y desactivar barra con: Ctrl+F3</span> <span class="n">bind</span><span class="o">-</span><span class="n">key</span><span class="w"> </span><span class="o">-</span><span class="n">n</span><span class="w"> </span><span class="n">C</span><span class="o">-</span><span class="n">F3</span><span class="w"> </span><span class="n">set</span><span class="o">-</span><span class="n">option</span><span class="w"> </span><span class="o">-</span><span class="n">g</span><span class="w"> </span><span class="n">status</span> <span class="c1"># Compartir la sessión con GoTTY con: Ctrl+F2</span> <span class="n">bind</span><span class="o">-</span><span class="n">key</span><span class="w"> </span><span class="o">-</span><span class="n">n</span><span class="w"> </span><span class="n">C</span><span class="o">-</span><span class="n">F2</span><span class="w"> </span><span class="n">new</span><span class="o">-</span><span class="n">window</span><span class="w"> </span><span class="o">-</span><span class="n">n</span><span class="w"> </span><span class="n">ttyshare</span><span class="w"> </span><span class="s2">&quot;gotty tmux attach -r -t </span><span class="se">\\</span><span class="s2">$(tmux display -p &#39;#S&#39;)&quot;</span> </code></pre></div> <p>Si nos fijamos, con esta configuración añado dos atajos de teclado:</p> <ul> <li><code>Ctrl+F3</code>: para activar y desactivar la barra de estado de <a href="http://tmux.github.io/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">tmux</a></li> <li><code>Ctrl+F2</code>: para empezar a compartir la sesión de <a href="http://tmux.github.io/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">tmux</a> con <a href="https://github.com/yudai/gotty/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">GoTTY</a>.</li> </ul> <p>Analicemos un poco más la línea:</p> <p><code>bind-key -n C-F2 new-window -n ttyshare</code>: Cuando se presione <code>Ctrl+F2</code> Crear una nueva &ldquo;ventana&rdquo; de <a href="http://tmux.github.io/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">tmux</a> llamada <code>ttyshare</code>.</p> <p>Y en esa nueva &ldquo;ventana&rdquo; ejecutaremos el comando: <code>gotty tmux attach -r -t $(tmux display -p '#S')</code></p> <p>Esto significa que <a href="https://github.com/yudai/gotty/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">GoTTY</a> empezará a ejecutarse, y para cada cliente que se conecte, se ejecutará: <code>tmux attach -r -t $(tmux display -p '#S')</code></p> <p>Excepto que&hellip; <a href="http://tmux.github.io/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">tmux</a> reemplaza <code>'#S'</code> con el nombre de la sesión actual, es decir, donde presionamos <code>Ctrl+F2</code></p> <p>De esta forma, para cada persona que visite la dirección de <a href="https://github.com/yudai/gotty/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">GoTTY</a>, empezaremos un <a href="http://tmux.github.io/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">tmux</a> al que le decimos: &ldquo;conéctate a la sesión donde presionamos <code>Ctrl+F2</code> de forma sólo lectura&rdquo;. Para obtener el efecto sólo lectura, usamos <code>-r</code> como argumento de <code>tmux attach</code>.</p> <p>Vale la pena mencionar que: por defecto <a href="https://github.com/yudai/gotty/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">GoTTY</a> también crea sesiones de sólo lectura, al hacerlo aquí también, conseguimos seguridad por capas: para comprometer nuestra sesión, haría falta que haya un problema en <a href="https://github.com/yudai/gotty/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">GoTTY</a> y también que haya un problema en <a href="http://tmux.github.io/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">tmux</a>.</p> <p>Así, al presionar <code>Ctrl+F2</code>, se crea la ventana <code>ttyshare</code> y vemos lo siguiente:</p> <div class="codehilite"><pre><span></span><code><span class="mf">2020</span><span class="o">/</span><span class="mf">11</span><span class="o">/</span><span class="mf">08</span><span class="w"> </span><span class="mf">23</span><span class="p">:</span><span class="mf">06</span><span class="p">:</span><span class="mf">43</span><span class="w"> </span><span class="kr">Load</span><span class="n">ing</span><span class="w"> </span><span class="n">config</span><span class="w"> </span><span class="n">file</span><span class="w"> </span><span class="n">at</span><span class="p">:</span><span class="w"> </span><span class="err">${</span><span class="n">HOME</span><span class="err">}</span><span class="o">/</span><span class="mf">.</span><span class="kr">go</span><span class="n">tty</span> <span class="mf">2020</span><span class="o">/</span><span class="mf">11</span><span class="o">/</span><span class="mf">08</span><span class="w"> </span><span class="mf">23</span><span class="p">:</span><span class="mf">06</span><span class="p">:</span><span class="mf">43</span><span class="w"> </span><span class="n">Server</span><span class="w"> </span><span class="n">is</span><span class="w"> </span><span class="n">starting</span><span class="w"> </span><span class="n">with</span><span class="w"> </span><span class="n">command</span><span class="p">:</span><span class="w"> </span><span class="n">tmux</span><span class="w"> </span><span class="n">attach</span><span class="w"> </span><span class="o">-</span><span class="n">r</span><span class="w"> </span><span class="o">-</span><span class="n">t</span><span class="w"> </span><span class="err">$</span><span class="mf">0</span> <span class="mf">2020</span><span class="o">/</span><span class="mf">11</span><span class="o">/</span><span class="mf">08</span><span class="w"> </span><span class="mf">23</span><span class="p">:</span><span class="mf">06</span><span class="p">:</span><span class="mf">43</span><span class="w"> </span><span class="n">URL</span><span class="p">:</span><span class="w"> </span><span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="err">[</span><span class="p">::</span><span class="mf">1</span><span class="err">]</span><span class="p">:</span><span class="mf">8080</span><span class="o">/</span><span class="mf">17</span><span class="n">lmim3q</span><span class="o">/</span> </code></pre></div> <p>Es decir, que dese el navegador, puedo abrir la dirección <code>http://[::1]:8080/17lmim3q/</code> y ver, en vivo, mi sesión de <a href="http://tmux.github.io/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">tmux</a></p> <h2 id="configurando-gotty">Configurando <a href="https://github.com/yudai/gotty/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">GoTTY</a></h2> <p>A este programa no le hace falta mucha configuración porque los valores por defecto son bastante razonables, pero hay alguna cosa que sí prefiero cambiar.</p> <p>A partir de la <a href="https://github.com/yudai/gotty/blob/master/.gotty" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">configuración completa</a>:</p> <div class="codehilite"><pre><span></span><code><span class="o">//</span><span class="w"> </span><span class="o">[</span><span class="n">string</span><span class="o">]</span><span class="w"> </span><span class="n">Address</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">listen</span><span class="p">,</span><span class="w"> </span><span class="ow">all</span><span class="w"> </span><span class="n">addresses</span><span class="w"> </span><span class="n">will</span><span class="w"> </span><span class="n">be</span><span class="w"> </span><span class="n">used</span><span class="w"> </span><span class="k">when</span><span class="w"> </span><span class="n">empty</span> <span class="o">//</span> <span class="o">//</span><span class="w"> </span><span class="n">Limitar</span><span class="w"> </span><span class="n">conexiones</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="n">la</span><span class="w"> </span><span class="n">máquina</span><span class="w"> </span><span class="k">local</span><span class="p">,</span><span class="w"> </span><span class="n">via</span><span class="w"> </span><span class="nl">IPv6</span><span class="p">:</span> <span class="n">address</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="ss">&quot;::1&quot;</span> <span class="o">//</span><span class="w"> </span><span class="o">[</span><span class="n">bool</span><span class="o">]</span><span class="w"> </span><span class="n">Enable</span><span class="w"> </span><span class="n">random</span><span class="w"> </span><span class="n">URL</span><span class="w"> </span><span class="n">generation</span> <span class="o">//</span> <span class="o">//</span><span class="w"> </span><span class="n">De</span><span class="w"> </span><span class="n">esta</span><span class="w"> </span><span class="n">forma</span><span class="p">,</span><span class="w"> </span><span class="n">tenemos</span><span class="w"> </span><span class="n">una</span><span class="w"> </span><span class="n">capa</span><span class="w"> </span><span class="n">de</span><span class="w"> </span><span class="n">seguridad</span><span class="w"> </span><span class="n">más</span><span class="p">,</span><span class="w"> </span><span class="n">al</span><span class="w"> </span><span class="n">requerir</span><span class="w"> </span><span class="n">compartir</span> <span class="o">//</span><span class="w"> </span><span class="n">un</span><span class="w"> </span><span class="n">enlace</span><span class="w"> </span><span class="n">con</span><span class="w"> </span><span class="n">las</span><span class="w"> </span><span class="n">personas</span><span class="w"> </span><span class="n">que</span><span class="w"> </span><span class="n">queremos</span><span class="w"> </span><span class="n">compartir</span><span class="w"> </span><span class="n">la</span><span class="w"> </span><span class="n">terminal</span><span class="p">.</span> <span class="n">enable_random_url</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">true</span> <span class="o">//</span><span class="w"> </span><span class="o">[</span><span class="n">string</span><span class="o">]</span><span class="w"> </span><span class="n">Title</span><span class="w"> </span><span class="nf">format</span><span class="w"> </span><span class="k">of</span><span class="w"> </span><span class="n">browser</span><span class="w"> </span><span class="k">window</span> <span class="o">//</span> <span class="o">//</span><span class="w"> </span><span class="n">Aquí</span><span class="w"> </span><span class="n">podemos</span><span class="w"> </span><span class="n">personalizar</span><span class="w"> </span><span class="n">el</span><span class="w"> </span><span class="n">título</span><span class="w"> </span><span class="n">de</span><span class="w"> </span><span class="n">la</span><span class="w"> </span><span class="n">pestaña</span><span class="w"> </span><span class="n">en</span><span class="w"> </span><span class="n">el</span><span class="w"> </span><span class="n">navegador</span> <span class="n">title_format</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="ss">&quot;Hola!&quot;</span> <span class="o">//</span><span class="w"> </span><span class="o">[</span><span class="n">int</span><span class="o">]</span><span class="w"> </span><span class="n">Timeout</span><span class="w"> </span><span class="n">secodns</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">waiting</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="n">client</span><span class="w"> </span><span class="p">(</span><span class="mi">0</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">disable</span><span class="p">)</span> <span class="o">//</span> <span class="o">//</span><span class="w"> </span><span class="n">Por</span><span class="w"> </span><span class="n">defecto</span><span class="p">,</span><span class="w"> </span><span class="n">si</span><span class="w"> </span><span class="k">no</span><span class="w"> </span><span class="n">se</span><span class="w"> </span><span class="n">conecta</span><span class="w"> </span><span class="n">un</span><span class="w"> </span><span class="n">cliente</span><span class="w"> </span><span class="n">en</span><span class="w"> </span><span class="mi">60</span><span class="w"> </span><span class="n">segundos</span><span class="p">,</span><span class="w"> </span><span class="n">GoTTY</span><span class="w"> </span><span class="n">se</span><span class="w"> </span><span class="n">cierra</span> <span class="o">//</span><span class="w"> </span><span class="n">esto</span><span class="w"> </span><span class="n">es</span><span class="w"> </span><span class="n">poco</span><span class="w"> </span><span class="n">práctico</span><span class="w"> </span><span class="n">si</span><span class="w"> </span><span class="n">lo</span><span class="w"> </span><span class="n">configuramos</span><span class="w"> </span><span class="n">todo</span><span class="w"> </span><span class="n">y</span><span class="w"> </span><span class="n">esperamos</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="n">las</span><span class="w"> </span><span class="n">otras</span> <span class="o">//</span><span class="w"> </span><span class="n">personas</span><span class="p">.</span><span class="w"> </span><span class="n">Al</span><span class="w"> </span><span class="n">ponerlo</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="ss">&quot;0&quot;</span><span class="p">,</span><span class="w"> </span><span class="n">desactivamos</span><span class="w"> </span><span class="n">esta</span><span class="w"> </span><span class="n">desconexión</span> <span class="n">timeout</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span> </code></pre></div> <h2 id="usandolo-con-otras-personas-nginx-como-reverse-proxy-tls">Usándolo con otras personas: Nginx como reverse proxy + TLS</h2> <p>Si nos fijamos, configuro <a href="https://github.com/yudai/gotty/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">GoTTY</a> para escuchar únicamente en la máquina local via IPv6.</p> <p>Justamente esto no es lo que queremos, si no que queremos que otras personas puedan acceder a nuestra terminal. Si no usamos cifrado en el transporte (TLS), nuestra comunicación es como una postal, cualquiera puede leerla.</p> <p>Este trabajo lo hace <a href="https://nginx.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">nginx</a> mucho mejor que lo podría hacer <a href="https://github.com/yudai/gotty/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">GoTTY</a>, además ya tenemos una serie de automatizaciones para obtener certificados con <a href="https://letsencrypt.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Let&rsquo;s Encrypt</a>, así que es ideal usarlo para recibir las llamadas del mundo exterior y pasarlas a <a href="https://github.com/yudai/gotty/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">GoTTY</a>.</p> <p>Esto es bastante estándard, excepto que tenemos que tener en cuenta que <a href="https://github.com/yudai/gotty/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">GoTTY</a> usa Web Sockets para actualizar las terminales de los clientes en &ldquo;tiempo real&rdquo;:</p> <div class="codehilite"><pre><span></span><code><span class="w"> </span><span class="nx">location</span><span class="w"> </span><span class="o">~</span><span class="w"> </span><span class="o">/</span><span class="nx">sh</span><span class="p">(</span><span class="o">/</span><span class="p">[</span><span class="o">^/</span><span class="p">]</span><span class="o">+</span><span class="p">)?</span><span class="o">/</span><span class="nx">ws</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="nx">proxy_set_header</span><span class="w"> </span><span class="nx">Upgrade</span><span class="w"> </span><span class="err">$</span><span class="nx">http_upgrade</span><span class="p">;</span> <span class="w"> </span><span class="nx">proxy_set_header</span><span class="w"> </span><span class="nx">Connection</span><span class="w"> </span><span class="s">&quot;Upgrade&quot;</span><span class="p">;</span> <span class="w"> </span><span class="nx">proxy_set_header</span><span class="w"> </span><span class="nx">Host</span><span class="w"> </span><span class="err">$</span><span class="nx">host</span><span class="p">;</span> <span class="w"> </span><span class="nx">proxy_set_header</span><span class="w"> </span><span class="nx">X</span><span class="o">-</span><span class="nx">Real</span><span class="o">-</span><span class="nx">IP</span><span class="w"> </span><span class="err">$</span><span class="nx">remote_addr</span><span class="p">;</span> <span class="w"> </span><span class="nx">proxy_set_header</span><span class="w"> </span><span class="nx">X</span><span class="o">-</span><span class="nx">Forwarded</span><span class="o">-</span><span class="nx">For</span><span class="w"> </span><span class="err">$</span><span class="nx">proxy_add_x_forwarded_for</span><span class="p">;</span> <span class="w"> </span><span class="nx">proxy_set_header</span><span class="w"> </span><span class="nx">X</span><span class="o">-</span><span class="nx">Forwarded</span><span class="o">-</span><span class="nx">Proto</span><span class="w"> </span><span class="err">$</span><span class="nx">scheme</span><span class="p">;</span> <span class="w"> </span><span class="nx">proxy_set_header</span><span class="w"> </span><span class="nx">X</span><span class="o">-</span><span class="nx">Forwarded</span><span class="o">-</span><span class="nx">Port</span><span class="w"> </span><span class="mi">443</span><span class="p">;</span> <span class="w"> </span><span class="nx">proxy_pass</span><span class="w"> </span><span class="nx">https</span><span class="p">:</span><span class="c1">//MyComputerHost;</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="nx">location</span><span class="w"> </span><span class="o">/</span><span class="nx">sh</span><span class="o">/</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="nx">proxy_set_header</span><span class="w"> </span><span class="nx">Host</span><span class="w"> </span><span class="err">$</span><span class="nx">host</span><span class="p">;</span> <span class="w"> </span><span class="nx">proxy_set_header</span><span class="w"> </span><span class="nx">X</span><span class="o">-</span><span class="nx">Real</span><span class="o">-</span><span class="nx">IP</span><span class="w"> </span><span class="err">$</span><span class="nx">remote_addr</span><span class="p">;</span> <span class="w"> </span><span class="nx">proxy_set_header</span><span class="w"> </span><span class="nx">X</span><span class="o">-</span><span class="nx">Forwarded</span><span class="o">-</span><span class="nx">For</span><span class="w"> </span><span class="err">$</span><span class="nx">proxy_add_x_forwarded_for</span><span class="p">;</span> <span class="w"> </span><span class="nx">proxy_set_header</span><span class="w"> </span><span class="nx">X</span><span class="o">-</span><span class="nx">Forwarded</span><span class="o">-</span><span class="nx">Proto</span><span class="w"> </span><span class="err">$</span><span class="nx">scheme</span><span class="p">;</span> <span class="w"> </span><span class="nx">proxy_set_header</span><span class="w"> </span><span class="nx">X</span><span class="o">-</span><span class="nx">Forwarded</span><span class="o">-</span><span class="nx">Port</span><span class="w"> </span><span class="mi">443</span><span class="p">;</span> <span class="w"> </span><span class="nx">proxy_pass</span><span class="w"> </span><span class="nx">https</span><span class="p">:</span><span class="c1">//MyComputerHost;</span> <span class="w"> </span><span class="p">}</span> </code></pre></div> <p>De esta forma, puedo enviar enlaces del tipo: <code>https://evilham.com/sh/17lmim3q/</code> y las personas que lo reciban podrán seguir lo que sea que tenga en la terminal.</p> <h1 id="diapositivas-en-la-terminal-patat">&ldquo;Diapositivas&rdquo; en la terminal: <a href="https://github.com/jaspervdj/patat" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">patat</a></h1> <p>También hay muchas alternativas de programas o utilidades para hacer presentaciones en la terminal, pero todas tenían algún tipo de inconveniente lo suficientemente grande como para no ser prácticas.</p> <p>Todas excepto <a href="https://github.com/jaspervdj/patat" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">patat</a>, que consigue hacerlo todo bien por defecto.</p> <p>Sólo hace falta escribir Markdown, y ejecutar <code>patat presentacion.md</code> y ya estamos presentando con nuestras fantásticas diapositivas.</p> <p>Para instalar esta herramienta en Linux, podemos usar algunos paquetes, o descargar el binario precompilado desde <a href="https://github.com/jaspervdj/patat" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">su repositorio</a>.</p> <p>Es posible que me anime a crear un <em>port</em> para <a href="https://FreeBSD.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">FreeBSD</a> pronto ^^.</p> <h1 id="otras-cosas-editando-texto">Otras cosas: editando texto, &hellip;</h1> <p>Al interactuar con nuestros humanos seguro que salen dudas, o queremos comprobar un manual, o queremos mirar un fichero, o queremos entrar en una máquina remota, &hellip;</p> <p>¿Lo mejor de estas presentaciones? Al hacerlo todo en una única sesión de <a href="http://tmux.github.io/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">tmux</a>, podemos rápidamente presionar <code>Ctrl+b+c</code>, usar las herramientas habituales (<code>man</code>, <code>vim</code>, <code>ssh</code>, &hellip;) y volver a la presentación; y nuestros humanos sabrán de qué hablamos.</p> <h1 id="conclusion">Conclusión</h1> <p>Estas herramientas son bastante sencillas, y una vez las hemos configurado, le dan a las otras personas plena flexibilidad a la hora de configurar el tamaño de letra y demás, y a nosotros también a la hora de salirnos un poco de lo que habíamos preparado.</p> <p>No es para todas las presentaciones, pero para muchas&hellip; Seguro que es más eficiente y agradable ^^.</p>2020-08-18T00:00:00Zurn:uuid:cd0e51fb-2ebd-3936-a122-6740925eb279<h1 id="introduccio">Introducció</h1> <p>He hagut de fer servir les meves <a href="../2020-words-of-summer/" title="Paraules d'estiu">paraules d&rsquo;estiu</a> per qüestions personals i professionals; així que la continuació d&rsquo;aquell fil d&rsquo;idees ha trigat una mica en arribar.</p> <p>Per coses de la vida, aquests dies ha arribat un <em>mini-server</em> a les meves mans. Així que agafarem un petit desviament en coses &ldquo;tècniques&rdquo; abans de tornar al per què, que és segurament la única cosa que importa al final.</p> <p>Aquí agafarem aquest <em>mini-server</em> i hi instal·larem <a href="https://FreeBSD.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">FreeBSD</a> com a sistema operatiu.</p> <p>Per què és interessant? Doncs aquesta màquina tindrà certs serveis digitals que sempre està bé tenir sota el nostre control.</p> <p>I el procés, des de zero, no és una cosa que es documenti habitualment en aquesta llengua ;-).</p> <h1 id="taula-de-continguts">Taula de continguts</h1> <div class="toc"> <ul> <li><a href="#introduccio">Introducció</a></li> <li><a href="#taula-de-continguts">Taula de continguts</a></li> <li><a href="#que-es-freebsd">Què és FreeBSD?</a></li> <li><a href="#per-que-freebsd">Per què FreeBSD?</a><ul> <li><a href="#diferencies-de-desenvolupament-amb-linux">Diferències de desenvolupament amb Linux</a></li> </ul> </li> <li><a href="#installant-freebsd">Instal·lant FreeBSD</a><ul> <li><a href="#versions-linies-de-suport">Versions / línies de suport</a><ul> <li><a href="#current-futur-130">CURRENT &ndash; Futur 13.0</a></li> <li><a href="#release-actualment-121">RELEASE &ndash; Actualment 12.1</a></li> <li><a href="#stable-actualment-114-i-113">STABLE &ndash; Actualment 11.4 [i 11.3]</a></li> </ul> </li> <li><a href="#muntant-un-usb-dinstallacio">Muntant un USB d&rsquo;instal·lació</a></li> <li><a href="#installant">Instal·lant!</a></li> <li><a href="#assegurant-el-sistema-una-mica">Assegurant el sistema una mica</a></li> </ul> </li> <li><a href="#conclusio">Conclusió</a></li> </ul> </div> <h1 id="que-es-freebsd">Què és <a href="https://FreeBSD.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">FreeBSD</a>?</h1> <p><a href="https://FreeBSD.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">FreeBSD</a> és un &ldquo;<a href="https://ca.wikipedia.org/wiki/Sistema_operatiu" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Sistema Operatiu</a> <a href="https://ca.wikipedia.org/wiki/Llic%C3%A8ncia_BSD" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank" title="Algú hauria de traduir la llicència a la Viquipèdia">obert i gratuït</a>, semblant o compatible amb <a href="https://ca.wikipedia.org/wiki/Unix-like" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank" title="Unix-like">Unix</a>&rdquo;.</p> <p>Això, pels que som resultat dels mitjans i l&rsquo;educació digital que ens forma per ser consumidors passius, potser implica directament hores i hores de lectura.</p> <p>Anem a fer-ho una mica més fàcil:</p> <ul> <li><strong><a href="https://ca.wikipedia.org/wiki/Sistema_operatiu" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Sistema operatiu</a>:</strong> sense això, un ordinador és un aparell més aviat inútil. No ens permetria engegar cap programa, llegir cap correu, no hi podríem fer res. El sistema operatiu és necessari, perquè és el que &ldquo;sap parlar&rdquo; amb els components físics que conformen l&rsquo;ordinador. Tot i ser necessari, no sempre és evident; en general, el que volem com a usuaris és fer servir els programes que necessitem. Però en algun moment veurem que tenir la possibilitat de modificar el sistema a la nostra voluntat, també te els seus avantatges.</li> <li><strong><a href="https://ca.wikipedia.org/wiki/Llic%C3%A8ncia_BSD" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank" title="Algú hauria de traduir la llicència a la Viquipèdia">Obert i gratuït</a>:</strong> aquest és un gran tema, i el món està dividit en interpretacions. Bàsicament, obert, vol dir que tenim accés al codi font del sistema, és a dir als fitxers de text que ha escrit algun humà, molt sovint de manera altruista, que després un ordinador processa per convertir-ho en instruccions que pugui executar. I gratuït, vol dir que no cal pagar res per fer-ho servir. El món es divideix en interpretacions per la <em>manera</em> en que el programari pot ser obert i gratuït. Pels que tinguin curiositat, internet està plena de diverses perspectives en el tema de les llicències, per exemple <a href="https://ca.wikipedia.org/wiki/Llic%C3%A8ncia_BSD" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank" title="Algú hauria de traduir la llicència a la Viquipèdia">BSD</a> (permissives) o <a href="https://ca.wikipedia.org/wiki/GNU_General_Public_License" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank" title="Llicència Pública General GNU">GPL</a> (<em><a href="https://ca.wikipedia.org/wiki/Copyleft" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">copyleft</a></em>).</li> <li><strong><a href="https://ca.wikipedia.org/wiki/Unix-like" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank" title="Unix-like">Semblant a Unix</a>:</strong> Unix és un sistema operatiu que es va crear vora els anys 1970, amb unes idees molt clares que han marcat el desenvolupament del món dels ordinadors. Aquell sistema, era comercial i requeria unes llicències, però es distribuïa amb el codi font, cosa que va fer que es fes molt popular a les universitats. En particular, a Berkeley (d&rsquo;aquí la B de BSD &ndash; la distribució de programari de Berkeley). Per qüestions de llicència i propietat intel·lectual, el codi de BSD ja no està basat en el codi de Unix, però sí que manté les idees bàsiques i un alt nivell de compatibilitat (una cosa que es diu <a href="https://ca.wikipedia.org/wiki/POSIX" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">compatibilitat POSIX</a>).</li> </ul> <h1 id="per-que-freebsd">Per què <a href="https://FreeBSD.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">FreeBSD</a>?</h1> <p>Perquè funciona, funciona bé, i és senzill d&rsquo;administrar.</p> <p>Això no vol dir que altres sistemes no funcionin bé o siguin difícils d&rsquo;administrar; fins a un cert punt, el tema va &ldquo;a gustos&rdquo;.</p> <p>Bàsicament, en aquest punt de la meva vida professional, me&rsquo;n surto força bé amb el sistema que em posin davant; ara, també tinc clar que <a href="https://FreeBSD.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">FreeBSD</a> (i <a href="https://OpenBSD.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">OpenBSD</a> en alguns casos) és el que em permet fer més, més ràpid, i sense preocupar-me gaire del com perquè la càrrega mental associada és mínima.</p> <p>Naturalment hi ha altres alternatives que compleixin amb &ldquo;obert i gratuït&rdquo;, per exemple <a href="https://ca.wikipedia.org/wiki/Linux" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Linux</a>; però hi ha <a href="http://techrights.org/2020/08/02/red-hat-layoffs/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">tendències preocupants</a> al món de Linux actualment.</p> <p>Un altre factor per no fer servir Linux és que la experiència ja m&rsquo;ha portat a &ldquo;aprendre Linux&rdquo; tres vegades a la meva vida (sense comptar haver fet servir diverses distribucions, que fins a cert punt són cadascuna un món). És a dir, canvia massa ràpid i en general sense prou bons motius; o bé perquè els canvis es fan massa ràpid i s&rsquo;arriba a solucions poc ideals o bé perquè els problemes que s&rsquo;hi estan solucionant, són els problemes de quatre empreses, i no els problemes dels usuaris.</p> <h2 id="diferencies-de-desenvolupament-amb-linux">Diferències de desenvolupament amb Linux</h2> <p>Els sistemes BSD es desenvolupen en conjunt, és a dir que quan obtenim el codi font o un binari, realment estem obtenint <em>tot</em> el que ens cal per compilar o instal·lar un sistema operatiu sencer amb: <em>kernel</em> (o <a href="https://ca.wikipedia.org/wiki/Nucli_del_sistema_operatiu" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">nucli</a>, més o menys la part que parla amb allò físic), i utilitats d&rsquo;usuari (o <em>world</em>).</p> <p>Sense les utilitats d&rsquo;usuari, no tindríem manera d&rsquo;interactuar amb el kernel, i per tant amb l&rsquo;ordinador.</p> <p>I, sense el kernel, els programes no poden parlar amb la part física, i per tant són capaços ni d&rsquo;ensenyar-nos alguna cosa per pantalla (és una aproximació més o menys intuïtiva i no 100% acurada).</p> <p>Això sembla una diferència menor, però realment és un gran avantatge; en tenir control de les utilitats d&rsquo;usuari <strong>i també</strong> del kernel, hi ha també una co-responsabilitat, és a dir, si es vol introduir un canvi en el kernel, es fa necessari fer en paral·lel els canvis adients a les utilitats d&rsquo;usuari.</p> <p>I també si es fan canvis en una utilitat d&rsquo;usuari, cal assegurar-se que les altres utilitats que fan part del sistema operatiu, mantinguin una compatibilitat i consistència general.</p> <p>Això, al món de Linux no és possible, perquè les utilitats d&rsquo;usuari solen ser &ldquo;GNU&rdquo; (o busybox) i Linux és únicament el kernel. D&rsquo;aquesta manera, la responsabilitat pels canvis es mou d&rsquo;una banda a l&rsquo;altra, i, molt sovint, els canvis no tenen lloc, i s&rsquo;acaben generant noves eines per salvaguardar les limitacions de les eines existents.</p> <p>Per exemple, <code>ifconfig</code>, la comanda tradicional per administrar interfícies de xarxa, a Linux es considera arcaica, perquè ara existeix <code>ip</code>. I no és que <code>ip</code> sigui dolent, és que és un canvi, que només és necessari, perquè els problemes inherents al sistema de desenvolupament <a href="https://blog.farhan.codes/2018/06/25/linux-maintains-bugs-the-real-reason-ifconfig-on-linux-is-deprecated/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">no són adreçables</a>.</p> <p>En canvi, als BSD, <code>ifconfig</code> és molt més potent del que mai ho va ser a Linux i també te molt més sentit; aquest desenvolupament conjunt del kernel i les utilitats d&rsquo;usuari hi te molt a veure.</p> <h1 id="installant-freebsd">Instal·lant <a href="https://FreeBSD.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">FreeBSD</a></h1> <p>Com sempre, el primer pas és descarregar l&rsquo;instal·lador, això en en aquest cas es fa al web de <a href="https://www.freebsd.org/releases/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">FreeBSD</a>.</p> <p>Ens trobem amb la primera decisió: quina versió triem? Depèn de l&rsquo;ús de cada, així que anem a entendre com funcionen.</p> <h2 id="versions-linies-de-suport">Versions / línies de suport</h2> <p>Hi ha 3 línies del sistema operatiu <a href="https://lists.freebsd.org/pipermail/freebsd-announce/2015-February/001624.html" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">suportades</a>. Per mantenir-se al dia, recomanaria subscriure&rsquo;s a la <a href="https://lists.freebsd.org/mailman/listinfo/freebsd-announce" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">llista d&rsquo;anuncis de FreeBSD</a>.</p> <p>Com a regla general, per un sistema que vulguem que funcioni sense problemes, recomanaria fer servir sempre l&rsquo;<a href="https://www.freebsd.org/security/security.html#sup" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">última versió suportada</a> de <strong>RELEASE</strong>.</p> <h3 id="current-futur-130"><strong>CURRENT</strong> &ndash; Futur 13.0</h3> <p>Aquesta és la línia de desenvolupament, literalment és on vénen a parar tots els canvis, tant al kernel com a les utilitats d&rsquo;usuari. Per aquest motiu, no es recomana per usuaris novells, sinó per aquells que vulguin ajudar el desenvolupament, encara que sigui només provant i trobant problemes. Havent dit això, la línia de desenvolupament sol ser molt estable, hi ha empreses com Netflix que actualitzen un parell de vegades al mes a la línia de desenvolupament i jo ho faig gairebé a diari al meu sistema principal.</p> <p>Al món de BSD hi ha una dita, i és que si no vols que els bugs/problemes t&rsquo;arribin, els has de trobar tu abans. Com més persones ajudin a provar la línia de desenvolupament, més segurs podem estar que les altres línies de suport no tenen grans problemes.</p> <p>Quan ja ha passat un temps (mínim dos anys) i les persones que desenvolupen el sistema troben que és el moment, aquesta línia es &ldquo;congela&rdquo; i després d&rsquo;una feina de solucionar problemes diversos, acabar d&rsquo;actualitzar documentació i demés, s&rsquo;acaba convertint en una versió <strong>RELEASE</strong>.</p> <h3 id="release-actualment-121"><strong>RELEASE</strong> &ndash; Actualment 12.1</h3> <p>Aquesta és l&rsquo;última versió major (en aquest cas 12, amb 1 essent la versió menor). Des del moment en que es va publicar la versió 12.0, aquesta línia de desenvolupament te garantit el suport (actualitzacions de seguretat, disponibilitat de binaris oficials, &hellip;) un <strong>mínim de 5 anys</strong>.</p> <p>És a dir, que FreeBSD 12 te suport, com a mínim, fins el 30 de Juny de 2024.</p> <p>Ara, quan es publica una versió <em>menor</em>, com ara la 12.2 que vindrà aviat, la versió menor anterior (l&rsquo;actual 12.1) deixa de ser suportada 3 mesos després.</p> <p>És a dir, que tenim un període de 3 mesos per fer una actualització menor; és una cosa que cal tenir en compte. Normalment s&rsquo;avisa amb mesos d&rsquo;antelació.</p> <h3 id="stable-actualment-114-i-113"><strong>STABLE</strong> &ndash; Actualment 11.4 [i 11.3]</h3> <p>Les versions <strong>STABLE</strong> són antigues <strong>RELEASE</strong> que encara estan suportades, és a dir, des que es va publicar FreeBSD 11.0, s&rsquo;ha publicat la 12.0.</p> <p>Però com que la versió FreeBSD 11 te suport garantit de 5 anys, seguirà existint, com a mínim, fins el 10 d&rsquo;octubre de 2021.</p> <p>Ara, veiem que a data d&rsquo;avui hi ha <em>dues</em> versions de FreeBSD 11, això vol dir que fa menys de 3 mesos que es va publicar la versió 11.4 i, per tant, la versió 11.3 encara està suportada.</p> <p>En efecte, FreeBSD 11.4 es va publicar el 16 de juny de 2020, i per tant FreeBSD 11.3 deixa de tenir suport el 30 de setembre de 2020.</p> <h2 id="muntant-un-usb-dinstallacio">Muntant un USB d&rsquo;instal·lació</h2> <p>A data d&rsquo;avui, amb el criteri que he explicat anteriorment, ens decidiríem per FreeBSD 12.1, així que podem descarregar <a href="https://download.freebsd.org/ftp/releases/ISO-IMAGES/12.1/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">la imatge d&rsquo;instal·lació</a> (també hi ha imatges per <a href="https://download.freebsd.org/ftp/releases/VM-IMAGES/12.1-RELEASE/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">màquines virtuals pre-instal·lades</a>).</p> <p>En general, voldrem descarregar el fitxer <code>-disc1.iso</code> de la nostra arquitectura de hardware, si no sabem el que és, segurament sigui <code>amd64</code>. És a dir que volem el fitxer <code>FreeBSD-12.1-RELEASE-amd64-disc1.iso</code>.</p> <blockquote> <p>Pels paranòics entre nosaltres, els anuncis d&rsquo;una nova versió també es <a href="https://www.FreeBSD.org/releases/12.1R/announce.asc" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">publiquen signats</a>. I el llistat de claus PGP del projecte es troba al famòs <a href="https://www.freebsd.org/doc/handbook/pgpkeys.html" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Handbook de FreeBSD</a>.</p> <p>Comprovant la signatura, i després la integritat del fitxer, podem estar segurs que el fitxer que hem descarregat, és el fitxer que les persones que desenvolupen el sistema operatiu han generat.</p> </blockquote> <p>Un cop l&rsquo;hem descarregat, hi ha utilitats que ens ajuden a gravar aquesta imatge en un CD o, molt millor, en un USB.</p> <p>Si heu descarregat la imatge sota Windows, <a href="https://rufus.ie" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">rufus</a> és un programa molt bo per fer-ho.</p> <p>Si, en canvi, ho heu fet en Linux o en un Mac, el més senzill és fer-ho amb la comanda <code>dd</code> (si algú te un mètode més &ldquo;gràfic&rdquo;, que m&rsquo;avisi ;-)). En particular:</p> <div class="codehilite"><pre><span></span><code>#<span class="w"> </span><span class="nv">dd</span><span class="w"> </span><span class="k">if</span><span class="o">=</span><span class="nv">FreeBSD</span><span class="o">-</span><span class="mi">12</span>.<span class="mi">1</span><span class="o">-</span><span class="nv">RELEASE</span><span class="o">-</span><span class="nv">amd64</span><span class="o">-</span><span class="nv">disc1</span>.<span class="nv">iso</span><span class="w"> </span>\ <span class="w"> </span><span class="nv">of</span><span class="o">=/</span><span class="nv">dev</span><span class="o">/</span><span class="nv">EL_MEU_USB</span><span class="w"> </span><span class="nv">bs</span><span class="o">=</span><span class="mi">1</span><span class="nv">m</span><span class="w"> </span><span class="nv">conv</span><span class="o">=</span><span class="nv">sync</span> </code></pre></div> <p>Cal que us assegureu de reemplaçar <code>EL_MEU_USB</code> amb el nom del vostre USB, recordeu que si us equivoqueu molt, <strong>això pot voler dir perdre les vostres dades</strong>!</p> <h2 id="installant">Instal·lant!</h2> <p>Havent escrit la imatge al meu USB, engego el micro-server iniciant des de l&rsquo;USB.</p> <p>I ara ve la part &ldquo;fàcil&rdquo;, on un menú ens anirà guiant per instal·lar <a href="https://FreeBSD.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">FreeBSD</a>; la majoria de les decisions es poden canviar un cop instal·lat el sistema, així que no és molt crític, i els valors per defecte són raonables en general.</p> <ol> <li>Sense tocar res veig una pantalla de benvinguda que em dóna a triar entre <code>Install</code>, <code>Shell</code> i <code>LiveCD</code>; volem <code>Install</code>.</li> <li>Configuro el meu teclat</li> <li>Li dono un nom a la màquina</li> <li>Desactivo <code>kernel-dbg</code> i <code>lib32</code> que no em fan falta (tampoc fa mal deixar-los)</li> <li>Trio instal·lació automàtica amb ZFS (<code>Auto (ZFS)</code>)</li> <li>Vaig a <code>Pool Type/Disks</code> i trio <code>stripe</code> en el disc dur que vull</li> <li>Configuro <code>Encrypt Swap</code> com <code>YES</code></li> <li>Vaig a <code>Install: Proceed with installation</code></li> <li>Confirmo els canvis al disc dur (si m&rsquo;he equivocat, podria perdre dades!)</li> <li>Espero aproximadament 2 minuts mentre el sistema s&rsquo;instal·la</li> <li>Configuro una contrasenya pel super usuari (no hi ha feedback visual, però està agafant els vostres caracters. Després desactivarem la contrasenya)</li> <li>Trio la interfície de xarxa principal (en tinc dues)</li> <li>Confirmo que vull IPv4 amb DHCP (és el més habitual)</li> <li>Confirmo que vull IPv6 amb SLAAC (<em>hauria</em> de ser més habitual)</li> <li>Confirmo la configuració que hem obtingut de la xarxa</li> <li>La hora interna de la meva màquina és UTC (així no hi ha problemes de canvis horaris)</li> <li>Configuro la meva zona horària</li> <li>Confirmo la data i l&rsquo;hora</li> <li>Com a serveis activo <code>sshd</code>, <code>ntpd</code> i <code>powerd</code>, desactivo <code>dumpdev</code> (es pot canviar a posteriori)</li> <li>Activo totes les opcions de seguretat a <code>System Hardening</code> (es pot canviar a posteriori)</li> <li>No afegeixo usuaris, ho faig a posteriori</li> <li>Trio <code>Exit</code> per indicar que ja hem instal·lat el sistema</li> <li>Trio que vull una consola (<code>shell</code>) al nou sistema abans de reiniciar</li> <li>Edito <code>/etc/sshd/sshd.conf</code> amb <code>vi /etc/sshd/sshd.conf</code> per habilitar les sessions remotes de super usuari canviant <code>#PermitRootLogin no</code> per <code>PermitRootLogin yes</code> (ho canviarem tot seguit, no és una configuració gens segura)</li> <li>Tanco aquesta consola amb <code>exit</code></li> <li>Trio <code>Reboot</code> i trec l&rsquo;USB d&rsquo;instal·lació</li> <li>El sistema inicia i ja el puc acabar de configurar remotament</li> </ol> <p>És a dir, que esperem un total de 2 minuts i contestem preguntes majoritàriament senzilles; el procès triga en total uns 5 minuts si ja coneixem les preguntes i uns 20 minuts si no.</p> <h2 id="assegurant-el-sistema-una-mica">Assegurant el sistema una mica</h2> <p>Compte! Durant la instal·lació hem près una decició temporal que cal desfer tan aviat com sigui possible: hem de deshabilitar l&rsquo;inici de sessió remot amb contrasenya.</p> <p>Si no ho fem, com que hem deixat accés de super usuari remot amb contrasenya, potencialment, algú a la nostra xarxa podria intentar esbrinar la contrasenya i fer-se amb el control de l&rsquo;equip.</p> <p>El motiu d&rsquo;aquesta decisió és, que jo faig servir autenticació amb claus públiques, però configurar aquesta autenticació només amb un teclat és una mica farragós.</p> <p>Per això inicio sessió al <em>micro-server</em> amb usuari <code>root</code> i la contrasenya que he configurat abans. Executo:</p> <div class="codehilite"><pre><span></span><code># ifconfig bge0: flags=8843&lt;UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST&gt; metric 0 mtu 1500 options=c019b&lt;RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE&gt; ether XX:XX:XX:XX:XX:XX inet6 fe80::9640:XXXX:XXXX:XXXX%bge0 prefixlen 64 scopeid 0x1 inet6 2a0f:de00:X:X:X:X:X:X prefixlen 64 autoconf inet 192.168.1.12 netmask 0xfffff000 broadcast 192.168.1.255 media: Ethernet autoselect (1000baseT &lt;full-duplex&gt;) status: active nd6 options=23&lt;PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL&gt; </code></pre></div> <p>Que em diu que la IP local de la màquina és <code>192.168.1.12</code>.</p> <p>I llavors des del meu ordinador:</p> <div class="codehilite"><pre><span></span><code><span class="o">&gt;</span><span class="w"> </span><span class="n">ssh</span><span class="w"> </span><span class="n">root</span><span class="mf">@192.168.1.12</span> <span class="n">root</span><span class="p">@</span><span class="n">host</span><span class="o">:~</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="n">mkdir</span><span class="w"> </span><span class="p">.</span><span class="n">ssh</span><span class="p">;</span><span class="w"> </span><span class="n">chmod</span><span class="w"> </span><span class="mi">700</span><span class="w"> </span><span class="p">.</span><span class="n">ssh</span> <span class="n">root</span><span class="p">@</span><span class="n">host</span><span class="o">:~</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="n">echo</span><span class="w"> </span><span class="err">&#39;</span><span class="n">ssh</span><span class="o">-</span><span class="n">rsa</span><span class="w"> </span><span class="n">AAAAB3NzaC1yc2EAAA</span><span class="p">[..]</span><span class="w"> </span><span class="n">evilham</span><span class="p">.</span><span class="n">pgp_auth</span><span class="err">&#39;</span><span class="w"> </span>\ <span class="w"> </span><span class="o">&gt;</span><span class="w"> </span><span class="p">.</span><span class="n">ssh</span><span class="o">/</span><span class="n">authorized_keys</span> <span class="n">root</span><span class="p">@</span><span class="n">host</span><span class="o">:~</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="n">chmod</span><span class="w"> </span><span class="mi">400</span><span class="w"> </span><span class="p">.</span><span class="n">ssh</span><span class="o">/</span><span class="n">authorized_keys</span> </code></pre></div> <p>És a dir, configuro la meva clau pública per iniciar sessió (els detalls&hellip; són tema d&rsquo;un altre dia).</p> <p>I ara ja puc desactivar l&rsquo;inici de sessió amb contrasenya amb <code>vi /etc/ssh/sshd_config</code> i canviant <code>PermitRootLogin yes</code> per <code>PermitRootLogin without-password</code> i reiniciant el servei amb <code>service sshd restart</code>.</p> <h1 id="conclusio">Conclusió</h1> <p>Fins aquí avui, ara tenim un sistema <a href="https://FreeBSD.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">FreeBSD</a> instal·lat de nou, que servirà com a base per fer-hi &ldquo;qualsevol cosa&rdquo;.</p> <p>Abans d&rsquo;això caldrà configurar el sistema d&rsquo;una manera una manera més segura, i d&rsquo;una manera automatizada, per si mai cal reinstal·lar-ho.</p> <p>Totes aquestes coses les configuro automàticament amb <a href="https://cdi.st" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">cdist</a>, que és un tema prou gran per per un altre dia.</p> <p>PS: 2826 paraules han estat escrites pels <a href="https://ca.wikipedia.org/wiki/Teorema_dels_micos_infinits" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank" title="És una bona aproximació de com funciona el meu cervell">micos infinits</a>.</p>2020-08-10T00:00:00Zurn:uuid:00d14260-9ca9-3d83-bac5-7c808cc5b8a0<h1 id="introduccio">Introducció</h1> <p>Dilluns, tarda d&rsquo;estiu pandèmic. Temperatura, massa alta; humitat relativa, 9001%; vent, gairebé inexistent; estat de la mar&hellip; tranquil·la.</p> <p>Així és com llegeixo que <a href="https://nitter.net/jamiattenberg" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank" title="Jami Attenberg">una escriptora</a>, encoratja persones des de fa un parell d&rsquo;anys a escriure 1000 paraules cada dia en sessions de dues setmanes, un parell de vegades l&rsquo;any. I que això, que es diu <a href="https://1000wordsofsummer.substack.com/about" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank" title="1000 paraules d'estiu">#1000wordsofsummer</a>, comença avui.</p> <p>Penso:</p> <blockquote> <p>Hauria d&rsquo;escriure més, em cal més pràctica.</p> <p>M&rsquo;hi apunto! Si més no, es pot intentar. El pitjor que pot passar és que ho deixis en <em>#500wordsofsummer</em>, que tampoc està gens malament; o que ho facis dos dies i ho deixis, que tampoc passa res. <em>¡Dale!</em></p> <p>Com a motivació, fes-ho en català, que últimament no hi escrius gairebé mai.</p> </blockquote> <p>Així doncs, sobre què escric? El que més bé se&rsquo;m dóna (per a alguns valors de <code>b</code>) és escriure qüestions tècniques, i no és una cosa que es trobi habitualment en català.</p> <p>Vet aquí que, en un acte subversiu lingüístic: escriurem qüestions tècniques en català.</p> <p>Però&hellip; Qüestions tècniques sense rerefons tampoc és una cosa que em motivi del tot.</p> <p>Solució: popurri d&rsquo;actualitat amb motivacions socials, per tal d&rsquo;aconseguir un fil conductor per quatre coses tècniques amb cohesió i coherència internes <em>justetes</em> però, amb una mica de sort, existents. Som-hi!</p> <h1 id="taula-de-continguts">Taula de continguts</h1> <div class="toc"> <ul> <li><a href="#introduccio">Introducció</a></li> <li><a href="#taula-de-continguts">Taula de continguts</a></li> <li><a href="#conjuntura-socioeconomica">Conjuntura socioeconòmica</a></li> <li><a href="#la-dualitat-privilegi-factor-dexclusio">La dualitat: privilegi | factor d&rsquo;exclusió</a><ul> <li><a href="#acces-a-tecnologia-i-coneixement">Accés a tecnologia i coneixement</a><ul> <li><a href="#el-privilegi">El privilegi</a></li> <li><a href="#el-factor-dexclusio">El factor d&rsquo;exclusió</a></li> </ul> </li> <li><a href="#llengues">Llengües</a><ul> <li><a href="#el-privilegi_1">El privilegi</a></li> <li><a href="#el-factor-dexclusio_1">El factor d&rsquo;exclusió</a></li> </ul> </li> <li><a href="#cultura-de-consum-no-passiu">Cultura de consum (no passiu)</a><ul> <li><a href="#el-privilegi_2">El privilegi</a></li> <li><a href="#el-factor-dexclusio_2">El factor d&rsquo;exclusió</a></li> </ul> </li> <li><a href="#no-endogamia-intellectual">No endogàmia intel·lectual</a><ul> <li><a href="#el-privilegi_3">El privilegi</a></li> <li><a href="#el-factor-dexclusio_3">El factor d&rsquo;exclusió</a></li> </ul> </li> </ul> </li> <li><a href="#temes-a-treballar">Temes a treballar</a></li> <li><a href="#conclusio">Conclusió</a></li> </ul> </div> <h1 id="conjuntura-socioeconomica">Conjuntura socioeconòmica</h1> <p>Arran de <a href="https://www.theverge.com/2020/3/4/21164553/youtube-coronavirus-demonetization-sensitive-subjects-advertising-guidelines-revenue" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank" title="Les circumstàncies actuals són l'eufemisme dels YouTubers quan Google els canvia les regles sobre la marxa; ja sabeu que, realment, parlo de la COVID19">les circumstàncies actuals</a>, Catalunya te unes <a href="https://www.ara.cat/economia/Catalunya-tercera-economia-mes-afectada-covid-19-PIB-Airef-segon-trimestre-coronavirus-covid19_0_2502949782.html" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank" title="El PIB Català cau al 2020 un 26% respecte el 2n trimestre del 2019">dades</a> <a href="http://www.elpuntavui.cat/economia/article/18-economia/1827269-es-dispara-la-destruccio-de-llocs-de-treball-a-catalunya-per-la-covid-19.html" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank" title="Atur del 12.78%, és un 9.67% més que al 2019">macroeconòmiques</a> nefastes. I, no és que no hi pensi de normal, però és especialment en les crisis quan penso en coses com <a href="https://www.ccma.cat/tv3/alacarta/quatre-gats/yayo-herrero-cal-repensar-com-es-pot-reconvertir-el-model-economic-perque-no-torni-a-passar-el-mateix/video/6053540/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank" title="Hi ha gent que parla molt més bé del que considero assolible per mi">model econòmic</a>, <a href="https://estudiants.msf.cat/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank" title="Iniciatives que intenten adreçar la diferència d'oportunitats">igualtat d&rsquo;oportunitats</a>, etc.</p> <h1 id="la-dualitat-privilegi-factor-dexclusio">La dualitat: privilegi | factor d&rsquo;exclusió</h1> <p>Crec que un factor clau per reconèixer els nostres privilegis és ser conscients que, conceptualment, els privilegis formen una dualitat amb els factors d&rsquo;exclusió. És a dir, que l&rsquo;absència d&rsquo;un factor d&rsquo;exclusió, és un privilegi, i viceversa.</p> <p>Aquesta dualitat és útil per mi, perquè trobo més fàcil imaginar-me un factor d&rsquo;exclusió, que un privilegi. Els privilegis poden ser subtils i estar interioritzats, en canvi, imaginar-nos que en la absència de quelcom, ens podríem veure exclosos, és més factible.</p> <p>No és que jo sigui una persona en una posició tan privilegiada, com per influenciar aquestes macrodades o adreçar problemes sistèmics de manera eficaç.</p> <p>Però sí que he tingut alguns privilegis, dels quals vull ser molt conscient, i que potser puc fer servir per eliminar el seu dual, en forma de factor d&rsquo;exclusió, per algú altre.</p> <h2 id="acces-a-tecnologia-i-coneixement">Accés a tecnologia i coneixement</h2> <h3 id="el-privilegi">El privilegi</h3> <p>Vaig tenir el meu <a href="/en/blog/2012-How-I-got-into-programming/" title="Fa molts anys que vaig escriure això... Ni ho he revisat">primer ordinador</a> als 6 anys i una connexió a internet (56kbps!) als 8 ó 9 anys.</p> <p>Com a experiència curiosa, durant la meva infantesa era l&rsquo;únic nen amb un ordinador a casa. I, ja aleshores, vaig ensenyar a tots els humans petits del meu carrer a engegar, apagar i fer servir un ordinador. A escriure-hi, a dibuixar-hi, &hellip;</p> <p>Es pot dir que ja anava descobrint, la meva línia més <em><a href="https://dle.rae.es/jáquer" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank" title="Jáquer, Cyber, Cyber, Jáquer">jáquer</a></em> (<a href="https://it.wikipedia.org/wiki/Etica_hacker" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank" title="Algú hauria de traduir aquest article al català">la hacker de debò</a>, no la de la RAE). És a dir, que aquest món es tracta de: compartir, obrir, descentralitzar, facilitar accés a les tecnologies de la informació i&hellip; millorar el món mateix.</p> <p>Tenint en compte que aleshores vivia en un país d&rsquo;Amèrica Llatina, on encara avui els habitants amb accés a internet representen només un 63.2% de la població (UE: 89.4%, CAT: 93.7%); és evident que hi tenia algun avantatge.</p> <h3 id="el-factor-dexclusio">El factor d&rsquo;exclusió</h3> <p>D&rsquo;altra banda, aquests mesos hem vist com, fins i tot a Catalunya amb una penetració d&rsquo;accés a internet tan alta (93.7%), les tasques educatives s&rsquo;han vist afectades de manera negativa i han fet més evident el caràcter privilegiat de l&rsquo;accés al coneixement alhora que el factor d&rsquo;exclusió es feia més gran.</p> <p>Arreu el món persones altruistes han intentat mitigar aquest factor mitjançant <a href="https://c3d2.de/news/pentaradio24-20200526.html" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank" title="Entrevista on es parla d'infraestructures compartides a escoles">infraestructures compartides</a>, <a href="https://estudiants.msf.cat/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank" title="Iniciatives que intenten adreçar la diferència d'oportunitats">iniciatives socials</a>, <a href="https://exo.cat" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank" title="Associació per l'expansió de la Xarxa Oberta -- l'únic proveïdor d'internet que no em posa de nervis">cultura associativa</a>, &hellip;</p> <p>No tot és dolent.</p> <h2 id="llengues">Llengües</h2> <h3 id="el-privilegi_1">El privilegi</h3> <p>Parlo i escric <a href="https://chaos.social/@evilham/104607623045948898" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">quatre idiomes</a> amb fluïdesa i a nivells cultes (n&rsquo;entenc més, n&rsquo;aprenc &ldquo;seriosament&rdquo; un altre).</p> <p>No tot el mèrit és meu; vaig tenir la &ldquo;sort&rdquo; d&rsquo;anar a una escola privada on, de sèrie, teníem el doble d&rsquo;hores d&rsquo;anglès.</p> <p>També tenia accés a un ordinador i a internet a casa des de molt petit. Resulta que l&rsquo;anglès és l&rsquo;idioma dels ordinadors, aleshores els jocs no es traduïen gaire, a internet l&rsquo;anglès era bàsicament la única llengua (la Wikipedia i Google no existien. Ja tinc una edat&hellip;). Així que tenia força motius per agafar un diccionari i anar traduint la història dels meus Jocs de Rol (RPG) o els manuals dels programes que feia servir.</p> <p>** Els privilegis s&rsquo;acumulen i creen un bucle de retroalimentació positiu. **</p> <h3 id="el-factor-dexclusio_1">El factor d&rsquo;exclusió</h3> <p>L&rsquo;anglès ja era l&rsquo;idioma dels ordinadors fa 20 anys, i encara és el cas.</p> <p>Sense saber anglès, l&rsquo;accés a la documentació és sovint limitat, arriba tard, o no està actualitzat. Molts programes es tradueixen quan arriben a un punt &ldquo;prou estable&rdquo; o directament no es tradueixen en absolut o no es tradueixen a certes llengües.</p> <p>Fins i tot a països com Alemanya amb una llengua parlada per molts referents de l&rsquo;àmbit, no parlar anglès és un inconvenient.</p> <p>Ara, també es produeix tecnologia en alemany. També es parla de tecnologia en alemany.</p> <h2 id="cultura-de-consum-no-passiu">Cultura de consum (no passiu)</h2> <h3 id="el-privilegi_2">El privilegi</h3> <p>De petit no tenia ningú que em solucionés els problemes amb l&rsquo;ordinador o els electrònics, el que en principi sona com un factor d&rsquo;exclusió, combinat amb la meva curiositat va esdevenir un privilegi.</p> <p>Mai he percebut la tecnologia com un consumible, com una cosa estàtica, inalterable.</p> <p>Això és, en part, perquè eren altres temps; comprar un disc dur o una ampliació de memòria requeria estalviar molt, tot el que es pogués reutilitzar, era molt benvingut.</p> <p>Tampoc hi havia una indústria tecnològica orientada al consum i al recanvi, però començava a desenvolupar-se.</p> <h3 id="el-factor-dexclusio_2">El factor d&rsquo;exclusió</h3> <p>Els nostres mitjans de comunicació ens parlen de <em>tuitàires</em>, <em>YouTubers</em>, <em>Instagrammers</em>, <em>Influencers</em>, de <em>WhatsApp</em>, <em>Telegram</em>, <em>iPhones</em> i tantes altres empreses i productes exclusivament com si fóssim consumidors passius.</p> <p>El fet que una d&rsquo;aquestes plataformes (centralitzades, autoritàries i tancades) implementi una funcionalitat banal es torna digne de 5 minuts de tele-diari o de dotzenes d&rsquo;articles de &ldquo;tecnologia&rdquo;.</p> <p>És a dir, se&rsquo;ns educa per consumir, per acceptar el que ens ofereixin, per no qüestionar, criticar, modificar, millorar.</p> <p>El millor exemple d&rsquo;això és el programa <a href="https://www.ccma.cat/catradio/popap/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Popap</a> de Catalunya Radio.</p> <p>No és un mal programa, al contrari, és entretingut, però no eś crític, no ofereix noves perspectives, va sempre enrere; és passiu.</p> <p>Si som consumidors passius, sempre estarem en una posició de desavantatge.</p> <h2 id="no-endogamia-intellectual">No endogàmia intel·lectual</h2> <h3 id="el-privilegi_3">El privilegi</h3> <p>He tingut la sort de tenir al meu costat persones fantàstiques i alienes a aquest àmbit, que han ajudat a que no caigui en les trampes habituals d&rsquo;una indústria, en general, bastant malaltissa quan es tracta de posar les persones endavant.</p> <p>Sense persones crítiques i amb perspectives diferents, passa que generem persones d&rsquo;ufana i supèrbia infinites.</p> <p>Persones que són capaces de considerar el <a href="https://www.theguardian.com/technology/2016/feb/17/san-francisco-tech-open-letter-i-dont-want-to-see-homeless-riff-raff" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank" title="Una mica antic. L'esperit no canvia."><strong>veure</strong> persones sense sostre un problema</a>, en comptes de considerar com un problema el fet que l&rsquo;accés a l&rsquo;habitatge no sigui universal.</p> <p>La part positiva, a més de poder viure amb mi mateix, és que de manera totalment orgànica i espontània es generen xarxes de solidaritat amb persones que comparteixen la teva manera de veure el món.</p> <p>Sense connexió humana, emocional, intel·lectual; res més te sentit.</p> <h3 id="el-factor-dexclusio_3">El factor d&rsquo;exclusió</h3> <p>Aquest&hellip; No serà ben bé un factor d&rsquo;exclusió. Tristament, la societat en que vivim premia aquest tipus de comportament i aquestes persones poden sobreviure bastant bé amb altres de semblants.</p> <p>El meu &ldquo;consol&rdquo; és que aquestes persones sovint conviuen amb una buidor interna, no accediran a una xarxa de solidaritat, no sabran el que és poder comptar amb altres persones i tenir una certa seguretat de que no estaràs sola en el món.</p> <p>Sembla que en el nostre món, aquesta xarxa de solidaritat serà cada vegada més necessària, fins i tot pels benestants.</p> <h1 id="temes-a-treballar">Temes a treballar</h1> <p>Tenint en compte aquests factors (<em>quasi segurament</em> no exhaustius), se&rsquo;m planteja com a fil conductor:</p> <p>Maneres de mitigar alguns d&rsquo;aquests factors d&rsquo;exclusió digital.</p> <p>El com, l&rsquo;anirem descobrint. Molt segurament passi per comentar l&rsquo;<em>status-quo</em>, explicar breument per què calen alternatives, i explicar com es pot passar de ser una persona que consumeix tecnologia de manera passiva, a coproduir tecnologia o, com a mínim, a consumir-la de manera conscient i crítica.</p> <h1 id="conclusio">Conclusió</h1> <p>Demà més, <em>hopefully</em>. Si hi ha algun tema que trobeu especialment interessant, alguna qüestió que no hagi previst o algun error campant, <a href="/ca/quant-a/">poseu-vos en contacte</a> i m&rsquo;ho penso / ho analitzo :-).</p> <p>La nota que no hauria de sobrar a internet però que no sobra: els insults us els podeu quedar, la crítica constructiva, si us plau, <a href="/ca/quant-a/">feu-la arribar</a> ^^.</p> <p>PS: 1822 paraules han estat escrites pels <a href="https://ca.wikipedia.org/wiki/Teorema_dels_micos_infinits" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank" title="És una bona aproximació de com funciona el meu cervell">micos infinits</a>.</p>2020-07-30T00:00:00Zurn:uuid:3472f753-72d1-3ccb-bb2d-aa0880e0c146<h1 id="introduction">Introduction</h1> <p>At work I use <a href="https://www.phacility.com/phabricator/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">phabricator</a> to collaborate with my employees, usually I know what they are working on and have a rough idea that things are going fine, so we currently don&rsquo;t rely on pre-commit code reviews, which are a wonderful tool, but instead rely on semi-regular audits. (Check <a href="https://secure.phabricator.com/book/phabricator/article/reviews_vs_audit/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">this</a> for an overview on <a href="https://www.phacility.com/phabricator/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">phabricator</a> reviews and audits)</p> <p>This means, that every once in a while, I have to go through my audit queue and check that indeed things are going mostly alright. I raise concerns about particular changes seldom, because of a fluid communication, so I mostly just read and accept changes to keep having a reasonably up-to-date overview.</p> <p>The issue is: <a href="https://www.phacility.com/phabricator/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">phabricator</a>&lsquo;s UI is very slow for this workflow.</p> <p>The good news is that it has a very good API that allows automation of many things.</p> <p>This is about how I implemented <a href="./phabaudit.sh">phabaudit.sh</a>, a batch audit workflow for <a href="https://www.phacility.com/phabricator/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">phabricator</a> that works-for-me(tm).</p> <h1 id="table-of-contents">Table of Contents</h1> <div class="toc"> <ul> <li><a href="#introduction">Introduction</a></li> <li><a href="#table-of-contents">Table of Contents</a></li> <li><a href="#conduit-phabricators-api">Conduit: phabricator&rsquo;s API</a><ul> <li><a href="#guessing-the-api-endpoint">Guessing the API endpoint</a></li> <li><a href="#choosing-the-interaction-tool">Choosing the interaction tool</a></li> <li><a href="#parsing-the-output">Parsing the output</a></li> <li><a href="#getting-the-diff-introduced-changes">Getting the diff (introduced changes)</a></li> <li><a href="#approving-the-changes">Approving the changes</a></li> </ul> </li> <li><a href="#putting-it-all-together">Putting it all together</a></li> <li><a href="#conclusion">Conclusion</a></li> </ul> </div> <h1 id="conduit-phabricators-api">Conduit: <a href="https://www.phacility.com/phabricator/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">phabricator</a>&lsquo;s API</h1> <p>Even before <a href="https://swagger.io" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">swagger</a> was a thing, <a href="https://www.phacility.com/phabricator/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">phabricator</a> had a built-in page documenting the conduit API and allowing users to explore the API in a somewhat interactive fashion.</p> <p>This is found at <code>https://phabricator_instance/conduit/</code>.</p> <h2 id="guessing-the-api-endpoint">Guessing the API endpoint</h2> <p>Since I know audits are associated with commits, I searched for <code>commit</code>-related API endpoints. Indeed, <code>diffusion.commit.search</code> is a good place to start and it contains a simple example, which satisfies my current needs:</p> <div class="codehilite"><pre><span></span><code>{ ... &quot;queryKey&quot;: &quot;active&quot;, ... } </code></pre></div> <p>Where <code>"queryKey": "active"</code> means that I want to list <strong>active audits</strong> only. There is also a mention of the <code>order</code> parameter which can be <code>oldest</code> to list entries in chronological order.</p> <p>Let&rsquo;s test that.</p> <h2 id="choosing-the-interaction-tool">Choosing the interaction tool</h2> <p>The <strong>examples</strong> section in the <code>conduit</code> page offers <code>curl</code> and <code>arc call-conduit</code> examples, both have pros and cons.</p> <p><code>curl</code> is a mostly standard tool nearly guaranteed to be available, which means that it can be mostly tested directly from the shell with:</p> <div class="codehilite"><pre><span></span><code>$<span class="w"> </span>curl<span class="w"> </span>https://phabricator_instance/api/diffusion.commit.search<span class="w"> </span><span class="se">\</span> <span class="w"> </span>-d<span class="w"> </span>api.token<span class="o">=</span>api-token<span class="w"> </span><span class="se">\</span> <span class="w"> </span>-d<span class="w"> </span><span class="nv">order</span><span class="o">=</span>oldest<span class="w"> </span><span class="se">\</span> <span class="w"> </span>-d<span class="w"> </span><span class="nv">queryKey</span><span class="o">=</span>active<span class="w"> </span>&gt;<span class="w"> </span>audits.json </code></pre></div> <p>But there is another option: <code>arc call-conduit</code>, that is <a href="https://www.phacility.com/phabricator/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">phabricator</a>&lsquo;s very well thought out Command Line Interface.</p> <p>It enables many workflows and takes care of managing the API tokens (which I don&rsquo;t have to pass int he command line every time). Audits though are a workflow that is currently not supported, but <code>call-conduit</code> enables arbitrary API calls.</p> <p>I happen to use <code>arc</code>, amongst others, to contribute to <a href="https://freebsd.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">FreeBSD</a>, which does use pre-commit code reviews, that enables me and the project members and community to review changes before they land, raise concerns, suggest improvements, ensure nothing fishy is trying to be committed, &hellip;</p> <p>Since I already have <code>arc</code>, I will use that to forget about authentication.</p> <div class="codehilite"><pre><span></span><code>$<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s1">&#39;{&quot;queryKey&quot;: &quot;active&quot;, &quot;order&quot;: &quot;oldest&quot;}&#39;</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="se">\</span> <span class="w"> </span>arc<span class="w"> </span>call-conduit<span class="w"> </span>--conduit-uri<span class="w"> </span>https://phabricator_instace/<span class="w"> </span><span class="se">\</span> <span class="w"> </span>diffusion.commit.search<span class="w"> </span>&gt;<span class="w"> </span>audits.json </code></pre></div> <h2 id="parsing-the-output">Parsing the output</h2> <p>The output of both tools is JSON piped to an <code>audits.json</code> file which can be &ldquo;easily&rdquo; manipulated with <code>jq</code>. I write &ldquo;easily&rdquo; because it takes some getting used to, but using <code>jq</code> is certainly doable.</p> <p>This gives me the information I need to an <code>audit_commits.json</code> file:</p> <div class="codehilite"><pre><span></span><code>$<span class="w"> </span>jq<span class="w"> </span>-c<span class="w"> </span><span class="s1">&#39;.response.data[] | {&quot;commit&quot;: .fields.identifier, &quot;repository&quot;: .fields.repositoryPHID}&#39;</span><span class="w"> </span>audits.json<span class="w"> </span>&gt;<span class="w"> </span>audit_commits.json </code></pre></div> <h2 id="getting-the-diff-introduced-changes">Getting the <code>diff</code> (introduced changes)</h2> <p>In order to get the <code>diff</code>, so I can audit it locally, we need a couple more API calls that can also be guessed from the <code>https://phabricator_instance/conduit/</code> page:</p> <div class="codehilite"><pre><span></span><code>$<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s1">&#39;{&quot;commit&quot;: COMMIT, &quot;repository&quot;: REPOSITORY}&#39;</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="se">\</span> <span class="w"> </span>arc<span class="w"> </span>call-conduit<span class="w"> </span>--conduit-uri<span class="w"> </span>https://phabricator_instance/<span class="w"> </span><span class="se">\</span> <span class="w"> </span>diffusion.rawdiffquery <span class="o">{</span> <span class="w"> </span><span class="s2">&quot;error&quot;</span>:<span class="w"> </span>null, <span class="w"> </span><span class="s2">&quot;errorMessage&quot;</span>:<span class="w"> </span>null, <span class="w"> </span><span class="s2">&quot;response&quot;</span>:<span class="w"> </span><span class="o">{</span> <span class="w"> </span><span class="s2">&quot;tooSlow&quot;</span>:<span class="w"> </span>false, <span class="w"> </span><span class="s2">&quot;tooHuge&quot;</span>:<span class="w"> </span>false, <span class="w"> </span><span class="s2">&quot;filePHID&quot;</span>:<span class="w"> </span><span class="s2">&quot;PHID-FILE-00000000&quot;</span> <span class="w"> </span><span class="o">}</span> <span class="o">}</span> </code></pre></div> <p>And with that <code>filePHID</code>, we can get the actual diff data:</p> <div class="codehilite"><pre><span></span><code><span class="o">$</span><span class="w"> </span><span class="n">echo</span><span class="w"> </span><span class="s1">&#39;{&quot;phid&quot;: &quot;PHID-FILE-00000000&quot;}&#39;</span><span class="w"> </span><span class="o">|</span><span class="w"> </span>\ <span class="w"> </span><span class="n">arc</span><span class="w"> </span><span class="n">call</span><span class="o">-</span><span class="n">conduit</span><span class="w"> </span><span class="o">--</span><span class="n">conduit</span><span class="o">-</span><span class="n">uri</span><span class="w"> </span><span class="n">https</span><span class="p">:</span><span class="o">//</span><span class="n">phabricator_instance</span><span class="o">/</span><span class="w"> </span>\ <span class="w"> </span><span class="n">file</span><span class="o">.</span><span class="n">download</span> <span class="p">{</span> <span class="w"> </span><span class="s2">&quot;error&quot;</span><span class="p">:</span><span class="w"> </span><span class="nb nb-Type">null</span><span class="p">,</span> <span class="w"> </span><span class="s2">&quot;errorMessage&quot;</span><span class="p">:</span><span class="w"> </span><span class="nb nb-Type">null</span><span class="p">,</span> <span class="w"> </span><span class="s2">&quot;response&quot;</span><span class="p">:</span><span class="w"> </span><span class="n">BASE_64_STUFF</span> <span class="p">}</span> </code></pre></div> <p>Which is <a href="https://en.wikipedia.org/wiki/Base64" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">base64 encoded</a>, so we need to decode it. By checking <code>man 1 b64decode</code> I realise I need the <code>-r</code> flag, so getting the diff file to <code>test.diff</code> in the hard drive looks like this:</p> <div class="codehilite"><pre><span></span><code><span class="o">$</span><span class="w"> </span><span class="n">echo</span><span class="w"> </span><span class="s1">&#39;{&quot;phid&quot;: &quot;PHID-FILE-00000000&quot;}&#39;</span><span class="w"> </span><span class="o">|</span><span class="w"> </span>\ <span class="w"> </span><span class="n">arc</span><span class="w"> </span><span class="n">call</span><span class="o">-</span><span class="n">conduit</span><span class="w"> </span><span class="o">--</span><span class="n">conduit</span><span class="o">-</span><span class="n">uri</span><span class="w"> </span><span class="n">https</span><span class="p">:</span><span class="o">//</span><span class="n">phabricator_instance</span><span class="o">/</span><span class="w"> </span>\ <span class="w"> </span><span class="n">file</span><span class="o">.</span><span class="n">download</span><span class="w"> </span><span class="o">|</span><span class="w"> </span>\ <span class="w"> </span><span class="n">jq</span><span class="w"> </span><span class="o">-</span><span class="n">r</span><span class="w"> </span><span class="o">.</span><span class="n">response</span><span class="w"> </span><span class="o">|</span><span class="w"> </span>\ <span class="w"> </span><span class="n">b64decode</span><span class="w"> </span><span class="o">-</span><span class="n">r</span><span class="w"> </span><span class="o">&gt;</span><span class="w"> </span><span class="n">test</span><span class="o">.</span><span class="n">diff</span> </code></pre></div> <h2 id="approving-the-changes">Approving the changes</h2> <p>After opening <code>test.diff</code> in my favourite editor, I decide that the change is valid and I want to mark it as approved.</p> <p>Again, since audits are associated with commits, this will be in <code>diffusion.commit.edit</code>:</p> <div class="codehilite"><pre><span></span><code>$<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s1">&#39;{&quot;objectIdentifier&quot;: COMMIT_PHID,</span> <span class="s1"> &quot;transactions&quot;: [{&quot;type&quot;: &quot;accept&quot;, &quot;value&quot;: true}]}&#39;</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="se">\</span> <span class="w"> </span>arc<span class="w"> </span>call-conduit<span class="w"> </span>--conduit-uri<span class="w"> </span>https://phabricator_instance/<span class="w"> </span><span class="se">\</span> <span class="w"> </span>diffusion.commit.edit </code></pre></div> <h1 id="putting-it-all-together">Putting it all together</h1> <p>Now that I have all the pieces, I can finish automating it with some POSIX shell as follows (download the full script <a href="./phabaudit.sh">here</a>):</p> <div class="codehilite"><pre><span></span><code><span class="ch">#!/bin/sh</span> <span class="c1">#</span> <span class="c1"># Find the latest version at:</span> <span class="c1"># https://evilham.com/en/blog/2020-phabricator/batch-audit/phabaudit.sh</span> <span class="c1"># With the accompanying post:</span> <span class="c1"># https://evilham.com/en/blog/2020-phabricator/batch-audit/</span> <span class="c1"># </span> <span class="c1"># Copyright 2020 Evilham &lt;code@evilham.com&gt;</span> <span class="c1">#</span> <span class="c1"># Redistribution and use in source and binary forms, with or without</span> <span class="c1"># modification, are permitted provided that the following conditions are met:</span> <span class="c1">#</span> <span class="c1"># 1. Redistributions of source code must retain the above copyright notice,</span> <span class="c1"># this list of conditions and the following disclaimer.</span> <span class="c1">#</span> <span class="c1"># 2. Redistributions in binary form must reproduce the above copyright notice,</span> <span class="c1"># this list of conditions and the following disclaimer in the documentation</span> <span class="c1"># and/or other materials provided with the distribution.</span> <span class="c1">#</span> <span class="c1"># THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS &quot;AS IS&quot;</span> <span class="c1"># AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE</span> <span class="c1"># IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE</span> <span class="c1"># ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE</span> <span class="c1"># LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR</span> <span class="c1"># CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF</span> <span class="c1"># SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS</span> <span class="c1"># INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN</span> <span class="c1"># CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)</span> <span class="c1"># ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE</span> <span class="c1"># POSSIBILITY OF SUCH DAMAGE.</span> <span class="c1">#</span> <span class="c1"># Process environment variables.</span> <span class="c1">#</span> <span class="c1"># User may provide CONDUIT_ARGS or PHABRICATOR_INSTANCE</span> <span class="c1"># If PHABRICATOR_INSTANCE is passed, CONDUIT_ARGS will be adapted so that</span> <span class="c1"># arc call-conduit always uses: --conduit-uri ${PHABRICATOR_INSTANCE}</span> <span class="c1">#</span> <span class="c1"># If CONDUIT_ARGS is passed, it will be used verbatim (modulo appending</span> <span class="c1"># --conduit-uri as explained before).</span> <span class="k">if</span><span class="w"> </span><span class="o">[</span><span class="w"> </span>-n<span class="w"> </span><span class="s2">&quot;</span><span class="si">${</span><span class="nv">PHABRICATOR_INSTANCE</span><span class="si">}</span><span class="s2">&quot;</span><span class="w"> </span><span class="o">]</span><span class="p">;</span><span class="w"> </span><span class="k">then</span> <span class="w"> </span><span class="nv">CONDUIT_ARGS</span><span class="o">=</span><span class="s2">&quot;</span><span class="si">${</span><span class="nv">CONDUIT_ARGS</span><span class="si">}</span><span class="s2"> --conduit-uri &#39;</span><span class="si">${</span><span class="nv">PHABRICATOR_INSTANCE</span><span class="si">}</span><span class="s2">&#39;&quot;</span> <span class="k">fi</span> <span class="c1"># Temp dir for the audit diffs</span> <span class="nv">TMP_DIR</span><span class="o">=</span><span class="k">$(</span>mktemp<span class="w"> </span>-d<span class="w"> </span>-t<span class="w"> </span>audits<span class="k">)</span> get_audits<span class="o">()</span> <span class="o">{</span> <span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s1">&#39;{&quot;queryKey&quot;: &quot;active&quot;, &quot;order&quot;: &quot;oldest&quot;}&#39;</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="se">\</span> <span class="w"> </span>arc<span class="w"> </span>call-conduit<span class="w"> </span><span class="si">${</span><span class="nv">CONDUIT_ARGS</span><span class="si">}</span><span class="w"> </span>diffusion.commit.search <span class="o">}</span> filter_commit_data<span class="o">()</span> <span class="o">{</span> <span class="w"> </span>jq<span class="w"> </span>-c<span class="w"> </span><span class="s1">&#39;.response.data[] | </span> <span class="s1"> {</span> <span class="s1"> &quot;phid&quot;: .phid,</span> <span class="s1"> &quot;commit&quot;: .fields.identifier,</span> <span class="s1"> &quot;repository&quot;: .fields.repositoryPHID</span> <span class="s1"> }&#39;</span> <span class="o">}</span> get_diff_phid<span class="o">()</span> <span class="o">{</span> <span class="w"> </span>jq<span class="w"> </span>-c<span class="w"> </span><span class="s1">&#39;{&quot;commit&quot;: .commit, &quot;repository&quot;: .repository}&#39;</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="se">\</span> <span class="w"> </span>arc<span class="w"> </span>call-conduit<span class="w"> </span><span class="si">${</span><span class="nv">CONDUIT_ARGS</span><span class="si">}</span><span class="w"> </span>diffusion.rawdiffquery<span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="se">\</span> <span class="w"> </span>jq<span class="w"> </span>-r<span class="w"> </span>.response.filePHID <span class="o">}</span> save_diff<span class="o">()</span> <span class="o">{</span> <span class="w"> </span><span class="nv">diff_phid</span><span class="o">=</span><span class="s2">&quot;</span><span class="si">${</span><span class="nv">1</span><span class="si">}</span><span class="s2">&quot;</span> <span class="w"> </span><span class="c1"># Download the diff to disk</span> <span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">&quot;{\&quot;phid\&quot;: \&quot;</span><span class="si">${</span><span class="nv">diff_phid</span><span class="si">}</span><span class="s2">\&quot;}&quot;</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="se">\</span> <span class="w"> </span>arc<span class="w"> </span>call-conduit<span class="w"> </span><span class="si">${</span><span class="nv">CONDUIT_ARGS</span><span class="si">}</span><span class="w"> </span><span class="se">\</span> <span class="w"> </span>file.download<span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="se">\</span> <span class="w"> </span>jq<span class="w"> </span>-r<span class="w"> </span>.response<span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="se">\</span> <span class="w"> </span>b64decode<span class="w"> </span>-r<span class="w"> </span>&gt;<span class="w"> </span><span class="s2">&quot;</span><span class="si">${</span><span class="nv">TMP_DIR</span><span class="si">}</span><span class="s2">/</span><span class="si">${</span><span class="nv">diff_phid</span><span class="si">}</span><span class="s2">.diff&quot;</span> <span class="w"> </span><span class="c1"># Return path to diff in stdout</span> <span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">&quot;</span><span class="si">${</span><span class="nv">TMP_DIR</span><span class="si">}</span><span class="s2">/</span><span class="si">${</span><span class="nv">diff_phid</span><span class="si">}</span><span class="s2">.diff&quot;</span> <span class="o">}</span> get_phid_url<span class="o">()</span> <span class="o">{</span> <span class="w"> </span>jq<span class="w"> </span>-c<span class="w"> </span><span class="s1">&#39;{&quot;names&quot;: [.phid]}&#39;</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="se">\</span> <span class="w"> </span>arc<span class="w"> </span>call-conduit<span class="w"> </span><span class="si">${</span><span class="nv">CONDUIT_ARGS</span><span class="si">}</span><span class="w"> </span><span class="se">\</span> <span class="w"> </span>phid.lookup<span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="se">\</span> <span class="w"> </span>jq<span class="w"> </span>-r<span class="w"> </span><span class="s1">&#39;.response | to_entries | .[] | .value.uri&#39;</span> <span class="o">}</span> accept_changes<span class="o">()</span> <span class="o">{</span> <span class="w"> </span>jq<span class="w"> </span>-c<span class="w"> </span><span class="s1">&#39;{</span> <span class="s1"> &quot;objectIdentifier&quot;: .phid,</span> <span class="s1"> &quot;transactions&quot;: [{&quot;type&quot;: &quot;accept&quot;, &quot;value&quot;: true}]</span> <span class="s1"> }&#39;</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="se">\</span> <span class="w"> </span>arc<span class="w"> </span>call-conduit<span class="w"> </span><span class="si">${</span><span class="nv">CONDUIT_ARGS</span><span class="si">}</span><span class="w"> </span><span class="se">\</span> <span class="w"> </span>diffusion.commit.edit <span class="o">}</span> <span class="k">for</span><span class="w"> </span>audit<span class="w"> </span><span class="k">in</span><span class="w"> </span><span class="k">$(</span>get_audits<span class="w"> </span><span class="p">|</span><span class="w"> </span>filter_commit_data<span class="k">)</span><span class="p">;</span><span class="w"> </span><span class="k">do</span> <span class="w"> </span><span class="nv">audit_url</span><span class="o">=</span><span class="s2">&quot;</span><span class="k">$(</span><span class="nb">echo</span><span class="w"> </span><span class="s2">&quot;</span><span class="si">${</span><span class="nv">audit</span><span class="si">}</span><span class="s2">&quot;</span><span class="w"> </span><span class="p">|</span><span class="w"> </span>get_phid_url<span class="k">)</span><span class="s2">&quot;</span> <span class="w"> </span><span class="nb">printf</span><span class="w"> </span><span class="s2">&quot;\n\nAudit URL: </span><span class="si">${</span><span class="nv">audit_url</span><span class="si">}</span><span class="s2">\n&quot;</span> <span class="w"> </span><span class="nv">diff_phid</span><span class="o">=</span><span class="s2">&quot;</span><span class="k">$(</span><span class="nb">echo</span><span class="w"> </span><span class="s2">&quot;</span><span class="si">${</span><span class="nv">audit</span><span class="si">}</span><span class="s2">&quot;</span><span class="w"> </span><span class="p">|</span><span class="w"> </span>get_diff_phid<span class="k">)</span><span class="s2">&quot;</span> <span class="w"> </span><span class="nv">diff_file</span><span class="o">=</span><span class="s2">&quot;</span><span class="k">$(</span>save_diff<span class="w"> </span><span class="s2">&quot;</span><span class="si">${</span><span class="nv">diff_phid</span><span class="si">}</span><span class="s2">&quot;</span><span class="k">)</span><span class="s2">&quot;</span> <span class="w"> </span><span class="c1"># Open in editor for easy review</span> <span class="w"> </span><span class="si">${</span><span class="nv">EDITOR</span><span class="si">}</span><span class="w"> </span><span class="s2">&quot;</span><span class="si">${</span><span class="nv">diff_file</span><span class="si">}</span><span class="s2">&quot;</span> <span class="w"> </span><span class="c1"># Ask for feedback as necessary</span> <span class="w"> </span><span class="nb">echo</span><span class="w"> </span>-n<span class="w"> </span><span class="s2">&quot;Do you accept this change? [Y/n] &quot;</span> <span class="w"> </span><span class="nb">read</span><span class="w"> </span>accept <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="o">[</span><span class="w"> </span>-z<span class="w"> </span><span class="s2">&quot;</span><span class="si">${</span><span class="nv">accept</span><span class="si">}</span><span class="s2">&quot;</span><span class="w"> </span><span class="o">]</span><span class="w"> </span><span class="o">||</span><span class="w"> </span><span class="o">[</span><span class="w"> </span><span class="s2">&quot;</span><span class="si">${</span><span class="nv">accept</span><span class="si">}</span><span class="s2">&quot;</span><span class="w"> </span>!<span class="o">=</span><span class="w"> </span><span class="s2">&quot;</span><span class="si">${</span><span class="nv">accept</span><span class="p">#[Yy]</span><span class="si">}</span><span class="s2">&quot;</span><span class="w"> </span><span class="o">]</span><span class="p">;</span><span class="w"> </span><span class="k">then</span> <span class="w"> </span><span class="c1"># Close audit </span> <span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">&quot;</span><span class="si">${</span><span class="nv">audit</span><span class="si">}</span><span class="s2">&quot;</span><span class="w"> </span><span class="p">|</span><span class="w"> </span>accept_changes <span class="w"> </span><span class="k">fi</span> <span class="k">done</span> </code></pre></div> <h1 id="conclusion">Conclusion</h1> <p>Now that I&rsquo;m done designing a workflow that is reasonable for me, I better start doing some auditing <code>/o\</code> and real-world testing of <a href="./phabaudit.sh">phabaudit.sh</a>.</p> <p>If this happens to be useful to you, <a href="/en/about/">let me know</a>!</p>2020-04-01T00:00:00Zurn:uuid:61bdb670-e222-3c1a-8b47-264a089de3e1<h1 id="introduction">Introduction</h1> <p><a href="https://freebsd.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">FreeBSD</a> is a wonderful Operating System, one of its many interesting ideas is a division between the <strong>base system</strong> and other pieces of software, which are called <strong>ports</strong>.</p> <p>Since <a href="https://freebsd.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">FreeBSD</a> is an operating system, this also means that there are exactly two <em>source trees</em> or repositories: the main tree (base system) and the ports tree.</p> <p>The <strong>base system</strong> is developed together and therefore is kept consistent, whenever an API or a behaviour changes, all pieces of the <strong>base system</strong> must be updated as well.</p> <p>This makes changes somewhat seamless and easy to deal with.</p> <p>On the other hand, <strong>ports</strong> provide a <em>description</em> of how to compile third-party software under <a href="https://freebsd.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">FreeBSD</a> and how to install it manually or how to build an installable binary package.</p> <p>However, <a href="https://freebsd.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">FreeBSD</a> development, including maintaining the ports tree, is a voluntary-based effort; which means sometimes it lacks human power.</p> <p>Being a good open source user sometimes goes through being aware that people&rsquo;s time is limited, and helping out when things fall through the cracks.</p> <p>Here I document a bit how the general process of updating a port you detect as being outdated is.</p> <h1 id="table-of-contents">Table of Contents</h1> <div class="toc"> <ul> <li><a href="#introduction">Introduction</a></li> <li><a href="#table-of-contents">Table of Contents</a></li> <li><a href="#communication-and-coordination">Communication and coordination</a><ul> <li><a href="#documentation">Documentation</a></li> <li><a href="#chat-irc">Chat &ndash; IRC</a></li> <li><a href="#bugzilla-problem-reports-prs">Bugzilla &ndash; Problem Reports (PRs)</a></li> <li><a href="#phabricator-code-reviews">Phabricator &ndash; Code Reviews</a></li> </ul> </li> <li><a href="#live-example-updating-twisted-python">Live example: Updating Twisted python</a><ul> <li><a href="#finding-out-more-about-the-port">Finding out more about the port</a></li> <li><a href="#telling-people-well-be-updating-the-port">Telling people we&rsquo;ll be updating the port</a></li> <li><a href="#getting-the-port-tree">Getting the port tree</a><ul> <li><a href="#poudriere">Poudriere</a></li> </ul> </li> <li><a href="#testing-that-the-port-builds-currently">Testing that the port builds currently</a></li> <li><a href="#actually-updating-the-port">Actually updating the port</a><ul> <li><a href="#changing-the-version">Changing the version</a></li> <li><a href="#dependencies">Dependencies</a></li> </ul> </li> <li><a href="#building-the-new-version">Building the new version</a></li> <li><a href="#testing-the-port">Testing the port</a></li> <li><a href="#submitting-the-patch">Submitting the patch</a></li> </ul> </li> <li><a href="#conclusions">Conclusions</a></li> </ul> </div> <h1 id="communication-and-coordination">Communication and coordination</h1> <p>Contrary to &ldquo;common wisdom&rdquo; in the industry, it is not &ldquo;the technical bits&rdquo;, that is difficult when trying to help with a project; it is communication and coordination that are difficult things when many people are involved. And nothing big or useful enough gets built and maintained without people.</p> <p>In a nutshell, when interacting with a project of this kind:</p> <ul> <li>Be kind</li> <li>Respect and appreciate other people&rsquo;s time and energy</li> <li>Don&rsquo;t assume incompetence or unwillingness, when it can be explained by lack of resources (usually: time, human, money, infra)</li> <li>Make sure you research before demanding time or effort from people</li> </ul> <p>Interestingly, the <a href="https://freebsd.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">FreeBSD</a> project has the communication and coordination bits mostly quite well-defined.</p> <h2 id="documentation">Documentation</h2> <p><a href="https://freebsd.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">FreeBSD</a>&lsquo;s documentation is really good, but there are multiple places to look for information, depending on the nature of the information.</p> <ul> <li><a href="https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">FreeBSD Handbook</a>: General system information and administration</li> <li><a href="https://www.freebsd.org/cgi/man.cgi" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Man pages</a>: Information about specific bits of the system</li> <li><a href="https://wiki.freebsd.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">FreeBSD wiki</a>: Information that is prone to change often</li> </ul> <h2 id="chat-irc">Chat &ndash; IRC</h2> <p>Following list of channels on <code>irc.freenode.net</code> are a great place to start, there are usually people who will point you out to the right resource, the right person or the right place to deal with things.</p> <p>Just make sure you are patient since not everyone is online always (timezones!) and express your question in as much of an accurate fashion as possible.</p> <ul> <li><code>#freebsd</code>: For general OS questions and support</li> <li><code>#freebsd-ports</code>: For questions more specific to maintenance of the ports tree</li> <li><code>#freebsd-dev</code>: For questions more specific to development of the OS</li> </ul> <h2 id="bugzilla-problem-reports-prs">Bugzilla &ndash; Problem Reports (PRs)</h2> <p><a href="https://bugs.freebsd.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">FreeBSD&rsquo;s Bugzilla</a> is used to track problems with the base system or ports and also to document what is being worked on by whom.</p> <p>It also serves a special purpose with the ports workflow: when a change is proposed to a specific port, if there is no feedback from the port maintainer within a reasonable time, that change times out and can be accepted and merged by anyone with permissions (commit bit) to the ports tree.</p> <h2 id="phabricator-code-reviews">Phabricator &ndash; Code Reviews</h2> <p>Code reviews are <em>wonderful</em>. <a href="https://freebsd.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">FreeBSD</a> has a <a href="https://reviews.freebsd.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Phabricator instance</a> that is used for precisely this purpose.</p> <p>It requires getting used to it, but <a href="https://phabricator.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Phabricator</a> is a very reasonable piece of software and the review workflow is incredibly useful.</p> <p>Don&rsquo;t be afraid, most people who might review your code will be kind and it means that the end result will be better.</p> <h1 id="live-example-updating-twisted-python">Live example: Updating <a href="https://twistedmatrix.com" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Twisted python</a></h1> <p>As of this writing <a href="https://www.freshports.org/devel/py-twisted/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Twisted python&rsquo;s port</a> is at version 18.9.0, because of the way Twisted manages versions, this means it dates back to September 2018.</p> <p>In between, Twisted has gotten significantly better and has had some security fixes, as recently as a couple weeks ago: March 2020.</p> <p>So we really should update the port to version 20.3.0.</p> <h2 id="finding-out-more-about-the-port">Finding out more about the port</h2> <p>A good place to find out about ports is <a href="https://www.freshports.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">www.freshports.org</a>.</p> <p>If we go there and search for <code>twisted</code>, we&rsquo;ll come to the <a href="https://www.freshports.org/devel/py-twisted/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">port&rsquo;s page</a>.</p> <p>Amongst other things, it tells us that the port is a build dependency for 4 other ports and a run dependency for 55 ports.</p> <p>And it also tells us a very interesting bit, the full name of the port is: <code>devel/py-twisted</code>.</p> <p>Each port has a main category, which is then followed by the port name, separated by a <code>/</code>.</p> <p>Indeed, this is where we will find the code defining the <a href="https://freebsd.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">FreeBSD</a> port.</p> <h2 id="telling-people-well-be-updating-the-port">Telling people we&rsquo;ll be updating the port</h2> <p>First things first, we search on <a href="https://bugs.freebsd.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">FreeBSD&rsquo;s Bugzilla</a> for open Problem Reports (PRs) relating the port we want to update. Maybe someone is already working on it or there are subtleties that escape our uninitiated knowledge (like dependencies, external blockers, &hellip;).</p> <p>In this case there are none, so we open a PR informing that we&rsquo;ll be updating this port.</p> <p>This is done on <a href="https://bugs.freebsd.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">FreeBSD&rsquo;s Bugzilla</a> by <strong>filing a new bug</strong> against the <strong>Ports and packages</strong> &ldquo;product&rdquo;.</p> <p>There is a very good write-up about this by koobs in the <a href="https://wiki.freebsd.org/KubilayKocak/ThePerfectPortsIssue" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">FreeBSD wiki</a>.</p> <p>Very important bits here are how to write the <code>Summary</code> field and how to manage the <code>Flags</code> of the PR.</p> <p>In particular, this will be our <code>Summary</code>:</p> <div class="codehilite"><pre><span></span><code>devel/py-twisted: WIP: Update to 20.3.0 (includes security updates) </code></pre></div> <p>Severity, hardware and OS are not that important here, so we leave the defaults.</p> <p>Now, <em>something</em> will do magic and this PR will be assigned to the <strong>maintainer</strong> of the port, in this case that&rsquo;s <code>python@freebsd.org</code>, which means there is no particular person, but a general Python team maintaining the port.</p> <p>Let&rsquo;s tell them about our intentions, this will be the body:</p> <div class="codehilite"><pre><span></span><code><span class="n">Hello</span><span class="p">,</span><span class="w"> </span><span class="n">I</span><span class="w"> </span><span class="n">noticed</span><span class="w"> </span><span class="n">that</span><span class="w"> </span><span class="n">FreeBSD</span><span class="s1">&#39;s twisted version is a bit outdated, so I&#39;</span><span class="n">ll</span> <span class="k">try</span><span class="w"> </span><span class="n">taking</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="k">go</span><span class="w"> </span><span class="k">at</span><span class="w"> </span><span class="n">it</span><span class="p">.</span> <span class="n">It</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="ow">not</span><span class="w"> </span><span class="n">entirely</span><span class="w"> </span><span class="n">impossible</span><span class="w"> </span><span class="n">that</span><span class="w"> </span><span class="k">while</span><span class="w"> </span><span class="k">at</span><span class="w"> </span><span class="n">it</span><span class="w"> </span><span class="n">I</span><span class="s1">&#39;ll have to update other ports</span> <span class="s1">like attrs, we&#39;</span><span class="n">ll</span><span class="w"> </span><span class="n">see</span><span class="p">.</span> <span class="n">I</span><span class="err">&#39;</span><span class="n">m</span><span class="w"> </span><span class="n">also</span><span class="w"> </span><span class="k">using</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">chance</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">document</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">whole</span><span class="w"> </span><span class="n">process</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">myself</span><span class="w"> </span><span class="p">(</span><span class="n">my</span><span class="w"> </span><span class="n">future</span> <span class="n">self</span><span class="w"> </span><span class="n">too</span><span class="p">)</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">hopefully</span><span class="w"> </span><span class="n">people</span><span class="w"> </span><span class="n">who</span><span class="w"> </span><span class="n">would</span><span class="w"> </span><span class="n">consider</span><span class="w"> </span><span class="n">doing</span><span class="w"> </span><span class="n">things</span><span class="w"> </span><span class="ow">like</span><span class="w"> </span><span class="n">this</span><span class="p">.</span> <span class="n">Will</span><span class="w"> </span><span class="n">be</span><span class="w"> </span><span class="n">posting</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="n">patch</span><span class="w"> </span><span class="k">over</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="k">next</span><span class="w"> </span><span class="n">few</span><span class="w"> </span><span class="n">days</span><span class="p">.</span> <span class="n">Cheers</span><span class="p">,</span> </code></pre></div> <p>This way, if someone came wanting to do they same thing, they&rsquo;d ask before if we are still working on it, and we won&rsquo;t duplicate efforts.</p> <p>Or maybe someone knows something we don&rsquo;t, so they will use the chance to tell us in our <a href="twistedpr">PR #245252</a>.</p> <h2 id="getting-the-port-tree">Getting the port tree</h2> <p>This can be done in multiple ways, the most convenient one is getting the code from the same repository that is used by developers over anonymous SVN:</p> <div class="codehilite"><pre><span></span><code>svn checkout svn://svn.freebsd.org/ports ports </code></pre></div> <p>Another one is <code>portsnap</code>, which is in the base system, but instead of explaining that, I&rsquo;ll go a bit into my favourite: <code>poudriere</code>.</p> <h3 id="poudriere">Poudriere</h3> <p>Poudriere makes it simple to manage a <code>pkg</code> repository and to build customised packages, it also makes it simple to work on the ports tree.</p> <p>There is a wonderful <a href="https://wiki.freebsd.org/VladimirKrstulja/Guides/Poudriere" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Poudriere guide</a> on the <a href="https://wiki.freebsd.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">FreeBSD wiki</a>, so I&rsquo;ll just do the TL;DR:</p> <div class="codehilite"><pre><span></span><code>#<span class="w"> </span><span class="nv">Install</span><span class="w"> </span><span class="nv">poudriere</span><span class="w"> </span><span class="nv">from</span><span class="w"> </span><span class="nv">pre</span><span class="o">-</span><span class="nv">built</span><span class="w"> </span><span class="nv">ports</span><span class="w"> </span><span class="nv">with</span><span class="w"> </span><span class="nv">pkg</span> <span class="o">&gt;</span><span class="w"> </span><span class="nv">pkg</span><span class="w"> </span><span class="nv">install</span><span class="w"> </span><span class="nv">poudriere</span> #<span class="w"> </span><span class="nv">Create</span><span class="w"> </span><span class="nv">a</span><span class="w"> </span><span class="nv">builder</span><span class="w"> </span><span class="nv">jail</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="nv">amd64</span><span class="w"> </span><span class="nv">based</span><span class="w"> </span><span class="nv">on</span><span class="w"> </span><span class="mi">12</span><span class="o">-</span><span class="mi">1</span><span class="o">-</span><span class="nv">RELEASE</span> <span class="o">&gt;</span><span class="w"> </span><span class="nv">poudriere</span><span class="w"> </span><span class="nv">jail</span><span class="w"> </span><span class="o">-</span><span class="nv">c</span><span class="w"> </span><span class="o">-</span><span class="nv">j</span><span class="w"> </span><span class="mi">121</span><span class="o">-</span><span class="nv">amd64</span><span class="w"> </span><span class="o">-</span><span class="nv">v</span><span class="w"> </span><span class="mi">12</span>.<span class="mi">1</span><span class="o">-</span><span class="nv">RELEASE</span> #<span class="w"> </span><span class="nv">Only</span><span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="nv">you</span><span class="w"> </span><span class="nv">have</span><span class="w"> </span><span class="nv">something</span><span class="w"> </span><span class="nv">under</span><span class="w"> </span><span class="o">/</span><span class="nv">usr</span><span class="o">/</span><span class="nv">ports</span><span class="w"> </span><span class="nv">and</span><span class="w"> </span><span class="nv">are</span><span class="w"> </span><span class="nv">completely</span><span class="w"> </span><span class="nv">sure</span><span class="w"> </span><span class="nv">you</span><span class="w"> </span><span class="nv">never</span> #<span class="w"> </span><span class="nv">messed</span><span class="w"> </span><span class="nv">with</span><span class="w"> </span><span class="nv">it</span>,<span class="w"> </span><span class="nv">clean</span><span class="w"> </span><span class="nv">that</span><span class="w"> </span><span class="nv">up</span><span class="w"> </span><span class="nv">with</span>: #<span class="w"> </span><span class="nv">rm</span><span class="w"> </span><span class="o">-</span><span class="nv">rf</span><span class="w"> </span><span class="o">/</span><span class="nv">usr</span><span class="o">/</span><span class="nv">ports</span> #<span class="w"> </span><span class="nv">Create</span><span class="w"> </span><span class="nv">the</span><span class="w"> </span><span class="nv">ports</span><span class="w"> </span><span class="nv">tree</span> <span class="o">&gt;</span><span class="w"> </span><span class="nv">poudriere</span><span class="w"> </span><span class="nv">ports</span><span class="w"> </span><span class="o">-</span><span class="nv">c</span><span class="w"> </span><span class="o">-</span><span class="nv">p</span><span class="w"> </span><span class="nv">default</span> #<span class="w"> </span><span class="nv">Or</span><span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="nv">you</span><span class="w"> </span><span class="nv">prefer</span><span class="w"> </span><span class="nv">to</span><span class="w"> </span><span class="nv">have</span><span class="w"> </span><span class="nv">it</span><span class="w"> </span><span class="nv">somewhere</span><span class="w"> </span><span class="k">else</span>: #<span class="w"> </span><span class="nv">poudriere</span><span class="w"> </span><span class="nv">ports</span><span class="w"> </span><span class="o">-</span><span class="nv">c</span><span class="w"> </span><span class="o">-</span><span class="nv">p</span><span class="w"> </span><span class="nv">default</span><span class="w"> </span><span class="o">-</span><span class="nv">M</span><span class="w"> </span><span class="o">/</span><span class="nv">poudriere</span><span class="o">/</span><span class="nv">ports</span><span class="o">/</span><span class="nv">default</span> </code></pre></div> <h2 id="testing-that-the-port-builds-currently">Testing that the port builds currently</h2> <p>Before making any modifications, let&rsquo;s test that the port builds as it is, to discard that there is an issue somewhere else.</p> <p>For that we can execute:</p> <div class="codehilite"><pre><span></span><code>poudriere bulk -j 121-amd64 -p default devel/py-twisted </code></pre></div> <p>Now Poudriere will build the <code>devel/py-twisted</code> port and everything it depends on. The first time this will take a while, but afterwards only the ports that have changed will be rebuilt.</p> <h2 id="actually-updating-the-port">Actually updating the port</h2> <p>Since this is a Python port, the <a href="https://wiki.freebsd.org/Python/PortsPolicy" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Python Ports Policy</a> has precedence over the <a href="https://www.freebsd.org/doc/en_US.ISO8859-1/books/porters-handbook/index.html" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Porter&rsquo;s handbook</a>, both are worth a read.</p> <p>We go to the place where the ports tree is located and navigate to the <code>devel/py-twisted</code> subdirectory.</p> <p>All ports have at least following structure:</p> <ul> <li><code>Makefile</code>: Describes what is going to be built and how</li> <li><code>distinfo</code>: Contains the checksums of any needed external files (like source code!)</li> <li><code>pkg-descr</code>: Is what users see when they search for this port/package.</li> </ul> <p>Since Twisted&rsquo;s is a simple port, we just have to edit its <code>Makefile</code>:</p> <h3 id="changing-the-version">Changing the version</h3> <p>The most obvious change is going to be&hellip; The version, that&rsquo;s following diff:</p> <div class="codehilite"><pre><span></span><code><span class="w"> </span>PORTNAME= twisted <span class="gd">-PORTVERSION= 18.9.0</span> <span class="gd">-PORTREVISION= 1</span> <span class="gi">+PORTVERSION= 20.3.0</span> <span class="w"> </span>CATEGORIES= devel net python </code></pre></div> <p>We change the <code>PORTVERSION</code> and since there now is no <code>PORTREVISION</code>, because this is a new version, we remove that line.</p> <p>This <em>might</em> be enough, but also, Twisted is not an island, it has dependencies, and they might have changed in between.</p> <h3 id="dependencies">Dependencies</h3> <p>Port dependencies are also listed in the port&rsquo;s <code>Makefile</code>, in particular in the <code>BUILD_DEPENDS</code> variable.</p> <p>How we update this depends a bit on how comfortable we are with the project&rsquo;s tooling.</p> <p>A perfectly valid option could be just to eyeball the code from a web interface, since I contribute to <a href="https://twistedmatrix.com" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Twisted</a> when time allows, I have the code locally and can use following:</p> <div class="codehilite"><pre><span></span><code>git diff twisted-18.9.0..twisted-20.3.0 -- src/twisted/python/_setup.py </code></pre></div> <p>Which tells me exactly how the dependencies have changed between these two versions. Resulting in following diff:</p> <div class="codehilite"><pre><span></span><code><span class="w"> </span>BUILD_DEPENDS= ${PYTHON_PKGNAMEPREFIX}constantly&gt;=15.1:devel/py-constantly@${PY_FLAVOR} \ <span class="gd">- ${PYTHON_PKGNAMEPREFIX}attrs&gt;17.4.0:devel/py-attrs@${PY_FLAVOR} \</span> <span class="gi">+ ${PYTHON_PKGNAMEPREFIX}attrs&gt;19.2.0:devel/py-attrs@${PY_FLAVOR} \</span> <span class="w"> </span> ${PYTHON_PKGNAMEPREFIX}hyperlink&gt;=17.1.1:www/py-hyperlink@${PY_FLAVOR} \ <span class="w"> </span> ${PYTHON_PKGNAMEPREFIX}incremental&gt;=16.10.1:devel/py-incremental@${PY_FLAVOR} \ <span class="w"> </span> ${PYTHON_PKGNAMEPREFIX}PyHamcrest&gt;=1.9.0:textproc/py-pyhamcrest@${PY_FLAVOR} \ <span class="gu">@@ -23,7 +22,7 @@</span> <span class="w"> </span> ${PYTHON_PKGNAMEPREFIX}zope.interface&gt;=4.4.0:devel/py-zope.interface@${PY_FLAVOR} \ <span class="w"> </span> ${PYTHON_PKGNAMEPREFIX}Automat&gt;=0.3.0:devel/py-Automat@${PY_FLAVOR} <span class="w"> </span>RUN_DEPENDS:= ${BUILD_DEPENDS} <span class="gd">-TEST_DEPENDS= ${PYTHON_PKGNAMEPREFIX}service_identity&gt;0:security/py-service_identity@${PY_FLAVOR}</span> <span class="gi">+TEST_DEPENDS= ${PYTHON_PKGNAMEPREFIX}service_identity&gt;=18.1.0:security/py-service_identity@${PY_FLAVOR}</span> <span class="w"> </span>USES= python tar:bzip2 <span class="w"> </span>USE_PYTHON= autoplist concurrent distutils </code></pre></div> <p>We might need to update <code>devel/py-attrs</code> and <code>sercurity/py-service_identity</code> as well. Time will tell.</p> <p>Since the <em>distfiles</em> for the port have changed, because we now are building a different version, we also have to update the checksums file.</p> <p>This is easily done by running:</p> <div class="codehilite"><pre><span></span><code>make makesum </code></pre></div> <p>Which downloads all needed distfiles, calculates the checksums and updates the corresponding file.</p> <h2 id="building-the-new-version">Building the new version</h2> <p>Is the same as before our changes, Poudriere will notice that the port&rsquo;s definition has changed and trigger a rebuild:</p> <div class="codehilite"><pre><span></span><code>poudriere bulk -j 121-amd64 -p default devel/py-twisted </code></pre></div> <p>Turns out, <code>devel/py-attrs</code> is already at version <code>19.3.0</code>, and <code>security/py-service_identity</code> at version <code>18.1.0</code> both of which satisfy Twisted&rsquo;s requirements. So the port builds without issues \o/.</p> <p>Time to party now? Well, not quite. We still have to make sure the port still works as intended.</p> <h2 id="testing-the-port">Testing the port</h2> <p>We can test the port with <code>make test</code>, which runs upstream&rsquo;s testing suite.</p> <p>But also, if we are caring enough to update this port, odds are that we are using it in way or another, that&rsquo;s the best kind of test.</p> <p>In my case, I&rsquo;ll also keep developing my custom software, which depends on Twisted, but using the new version.</p> <h2 id="submitting-the-patch">Submitting the patch</h2> <p>After we have tested the newly built port, we should send the patch; this is done by adding an attachment to our PR with the diff (obtained by <code>svn diff</code>).</p> <p>For a more complex patch than this one, we might want to use the Code Review flow <strong>as well as this one</strong>, and keep the patch in Bugzilla updated as it evolves.</p> <p>This is because Bugzilla is where maintainer timeouts and triage happen and in general things are better tracked.</p> <p>When we add the attachment, we&rsquo;ll request maintainer feedback by setting the flag with the same name to <code>?</code>, the <code>patch</code> keyword will be added automatically, and we&rsquo;ll also remove <code>WIP:</code> from the PR&rsquo;s title and add the <code>security</code> keyword.</p> <p>To make things easier for maintainers / reviewers / ports security team, we&rsquo;ll also add more information in the comments:</p> <div class="codehilite"><pre><span></span><code><span class="n">Changelog</span><span class="o">:</span> <span class="w"> </span><span class="n">https</span><span class="o">://</span><span class="n">github</span><span class="o">.</span><span class="na">com</span><span class="sr">/twisted/twisted/blob/twisted-20.3.0/</span><span class="n">NEWS</span><span class="o">.</span><span class="na">rst</span> <span class="n">QA</span><span class="o">:</span> <span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">portlint</span><span class="o">:</span><span class="w"> </span><span class="n">OK</span><span class="w"> </span><span class="o">(</span><span class="n">looks</span><span class="w"> </span><span class="n">fine</span><span class="o">.)</span> <span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">testport</span><span class="o">:</span><span class="w"> </span><span class="n">OK</span><span class="w"> </span><span class="o">(</span><span class="n">poudriere</span><span class="o">:</span><span class="w"> </span><span class="mf">3.3</span><span class="o">.</span><span class="mi">3</span><span class="o">,</span><span class="w"> </span><span class="n">amd64</span><span class="o">)</span> <span class="n">Related</span><span class="w"> </span><span class="n">Security</span><span class="w"> </span><span class="n">issues</span><span class="o">:</span> <span class="w"> </span><span class="n">CVE</span><span class="o">-</span><span class="mi">2020</span><span class="o">-</span><span class="mi">10108</span> <span class="w"> </span><span class="n">CVE</span><span class="o">-</span><span class="mi">2019</span><span class="o">-</span><span class="mi">9512</span> <span class="w"> </span><span class="n">CVE</span><span class="o">-</span><span class="mi">2019</span><span class="o">-</span><span class="mi">9514</span> <span class="w"> </span><span class="n">CVE</span><span class="o">-</span><span class="mi">2019</span><span class="o">-</span><span class="mi">9515</span> <span class="w"> </span><span class="n">CVE</span><span class="o">-</span><span class="mi">2019</span><span class="o">-</span><span class="mi">12387</span> <span class="w"> </span><span class="n">CVE</span><span class="o">-</span><span class="mi">2019</span><span class="o">-</span><span class="mi">12855</span> <span class="w"> </span><span class="n">https</span><span class="o">://</span><span class="n">twistedmatrix</span><span class="o">.</span><span class="na">com</span><span class="sr">/trac/ticket/</span><span class="mi">9420</span> </code></pre></div> <p>And now someone will hopefully check our PR soon and commit it.</p> <h1 id="conclusions">Conclusions</h1> <p>Sometimes the quickest way to have something be done is doing it yourself :-D. This doesn&rsquo;t even take that long, so get into the habit of considering updating ports and proposing patches yourself.</p> <p>Also, these things have effects, e.g. I know for a fact that <a href="https://matrix.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Matrix</a> <a href="https://www.freshports.org/net-im/py-matrix-synapse/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Synapse</a> depends on <a href="https://twistedmatrix.com" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Twisted</a>! This was probably being a blocker :-p.</p>2020-01-05T00:00:00Zurn:uuid:871318f0-5283-3713-b5f9-a8a3f900be4c<h1 id="introduction">Introduction</h1> <p>After being fed up with mostly non-serviceable phones and my previous one suffering a bit of an accident; it was the perfect time to align consumer values with portable device because the <a href="https://fairphone.com" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Fairphone 3</a> started selling in late 2019.</p> <p>This is about setting up an <a href="https://android.com" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Android</a> phone with a stock OS, but getting rid of as much of Google as possible, while still having the option to use the &ldquo;necessary&rdquo; regular things.</p> <p>As a friend put it:</p> <blockquote> <p>&ldquo;I don&rsquo;t believe in free. Not anymore.&rdquo;</p> </blockquote> <h1 id="table-of-contents">Table of Contents</h1> <div class="toc"> <ul> <li><a href="#introduction">Introduction</a></li> <li><a href="#table-of-contents">Table of Contents</a></li> <li><a href="#hardware">Hardware</a></li> <li><a href="#setting-up-the-phone">Setting up the phone</a><ul> <li><a href="#f-droid-the-libre-app-store">F-Droid &ndash; The Libre App store</a></li> <li><a href="#disabling-most-google-apps">Disabling (most) Google apps</a><ul> <li><a href="#disable-auto-update">Disable auto-update</a></li> <li><a href="#disable-and-remove-unnecessary-google-apps">Disable and remove unnecessary Google apps</a></li> </ul> </li> <li><a href="#installing-alternative-software">Installing alternative software</a></li> <li><a href="#list-of-great-apps-on-f-droid">List of great apps on F-Droid</a></li> </ul> </li> <li><a href="#being-a-responsible-consumer">Being a responsible consumer</a></li> </ul> </div> <h1 id="hardware">Hardware</h1> <p>I went with the <a href="https://fairphone.com" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Fairphone 3</a>, one of their catchy slogans kind of say it all:</p> <blockquote> <p>&ldquo;If your phone doesn&rsquo;t care about the planet, it&rsquo;s not that smart&rdquo;</p> </blockquote> <p>They care about the source of the materials and the working conditions of the supply chain; besides that, they actively encourage electronics recycling by taking your old phone against a voucher.</p> <p>Besides the ethical bits, a few great points that matter-to-me (tm) as just a consumer:</p> <ul> <li>It supports dual-SIM <em>and</em> micro-SD card simultaneously</li> <li>It is highly serviceable, having a perfect <a href="https://ifixit.com" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">iFixit</a> score</li> <li>It feels robust</li> <li>It does its job</li> </ul> <h1 id="setting-up-the-phone">Setting up the phone</h1> <h2 id="f-droid-the-libre-app-store"><a href="https://f-droid.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">F-Droid</a> &ndash; The Libre App store</h2> <p>Setting up <a href="https://f-droid.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">F-Droid</a> is about the very first thing I do on any android device.</p> <p><a href="https://f-droid.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">F-Droid</a> is an alternative &ldquo;app store&rdquo; for <a href="https://android.com" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Android</a>, its main features:</p> <ul> <li>All apps in the main repository are Free and Open Source</li> <li>You get warned if they contain &ldquo;undesirable features&rdquo; (ads, relying on closed-source servers, &hellip;)</li> <li>You can host and setup your own repository.</li> </ul> <h2 id="disabling-most-google-apps">Disabling (most) Google apps</h2> <h3 id="disable-auto-update">Disable auto-update</h3> <p>The very first thing to do here, is to setup Google&rsquo;s Play Store to <strong>not</strong> use automatic updates.</p> <p>I discovered that even if you disable apps, <a href="https://android.com" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Android</a> will &ldquo;helpfully&rdquo; reinstall and enable them if there is an update available.</p> <p>This is done by:</p> <ul> <li>Opening the Play Store app</li> <li>Clicking the &ldquo;hamburger&rdquo; menu (the three horizontal lines)</li> <li>Picking &ldquo;Settings&rdquo;</li> <li>Under &ldquo;General&rdquo; find &ldquo;Automatic app updates&rdquo;</li> <li>Pick &ldquo;Do not update apps automatically&rdquo;</li> </ul> <p>This is a necessary trade-off between: keeping apps from the Play Store up-to-date and having Gooogle sneak their apps back in. Which still does happen from time to time with, e.g. Chrome.</p> <h3 id="disable-and-remove-unnecessary-google-apps">Disable and remove unnecessary Google apps</h3> <p>This is done in the phone&rsquo;s settings:</p> <ul> <li>Settings</li> <li>Apps and notifications</li> <li>Show all apps</li> </ul> <p>Once we have the list of all apps, we have to iterate through those that are unwanted and perform following:</p> <ul> <li>Touch the app on the list</li> <li>Touch on &ldquo;Deactivate&rdquo;</li> <li>Confirm that you want to Deactivate</li> <li>When asked if you want to uninstall any updates to the app, say &ldquo;Yes&rdquo;. This has the decent side-effect that you get some space back.</li> <li>Touch on &ldquo;Force exit&rdquo; and confirm</li> <li>Go to &ldquo;Storage&rdquo;</li> <li>Delete data and delete cache</li> <li>Go back to the apps list</li> </ul> <p>And this is the list of forced-upon-me apps for which I do this; since the <a href="https://fairphone.com" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Fairphone 3</a> does not contain crapware of their own, it&rsquo;s just Google&rsquo;s:</p> <ul> <li>Digital Wellbeing</li> <li>Drive</li> <li>Duo</li> <li>Fotos</li> <li>Gboard (care! Install an alternative before!)</li> <li>Gmail</li> <li>Google</li> <li>Google Play Films and Series</li> <li>Calendar</li> <li>Contacts</li> <li>Maps</li> <li>YouTube</li> <li>YouTube Music</li> </ul> <h2 id="installing-alternative-software">Installing alternative software</h2> <p>Some of the alternative software on the <a href="https://f-droid.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">F-Droid</a> repositories is actually significantly better than that of Google.</p> <p>The best example of this would be NewPipe, a replacement for the YouTube app. Amongst the most appreciated features from people I&rsquo;ve shown this to is the ability to play videos as a pop-up window or in the background (with the screen off).</p> <h2 id="list-of-great-apps-on-f-droid">List of great apps on <a href="https://f-droid.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">F-Droid</a></h2> <p>A quick and dirty list of apps on <a href="https://f-droid.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">F-Droid</a> that are a must for me:</p> <ul> <li>Alarmio: alarms, timers, &hellip;</li> <li>andOTP (replaces Google Authenticator): second factor authentication</li> <li>AntennaPod: podcasts</li> <li>Simple Gallery (replaces Google Fotos): offline photo browser</li> <li>Ghost Commander: file browser</li> <li>K-9 Mail (replaces Gmail): E-mail client supporting encryption and most email providers. It looks like Gmail is going to stop being email, and they will stop supporting the standard protocols. So, you are forced to use Gmail if that&rsquo;s where your mail is. Notice how &ldquo;embrace extend extinguish&rdquo; is not from your usual source.</li> <li>Simple Calendar (replaces Google Calendar): offline or CalDAV-based calendars.</li> <li>KISS Launcher (any app launcher): search-based app launcher. It&rsquo;s simple, and zeroes the mental burden of finding the app you need.</li> <li>Simple Contacts (replaces Google Contacts): offline contacts.</li> <li>Nextcloud (Google Drive): cloud-based storage.</li> <li>OpenKeychain: for encryption / signature checking while on the go.</li> <li>PassAndroid: Manage tickets</li> <li>Simple Keyboard (replaces Gboard): it lets you type without having to correct every single word.</li> </ul> <h1 id="being-a-responsible-consumer">Being a responsible consumer</h1> <p>The <a href="https://f-droid.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">F-Droid</a> project itself and several of these apps are long-standing Open Source projects, with ways to donate some money to the developers. Please do so at least for a few!</p>2020-01-02T00:00:00Zurn:uuid:6800943c-af4d-3120-9f11-d8dfbe75bd92<h1 id="introduction">Introduction</h1> <p>I&rsquo;ve been writing about setting up a <a href="https://freebsd.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">FreeBSD</a>-based <a href="https://exo.cat" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">eXO</a> router, first the <a href="../2019-FreeBSD-eXO-router/">upstream and PPPoE details</a> were covered, then <a href="../2020-FreeBSD-home-router-ipv6/">how to setup the gateway, access point and an IPv6-only network</a>. This builds upon a system that can properly route IPv6 and IPv4 as well as has a means to connect other clients and possibly providing them with an IPv6 address and route.</p> <p>The goal here is to setup the bits of the router needed for everyday usage.</p> <blockquote> <p>This is part of a series on home routing with FreeBSD.</p> <ul> <li><a href="../2019-FreeBSD-eXO-router/">FreeBSD eXO router &ndash; Get to ping6</a></li> <li><a href="../2020-FreeBSD-home-router-ipv6/">FreeBSD home router &ndash; Access Point and IPv6-only</a></li> <li><a href="../2020-FreeBSD-home-router-legacy-ipv4/">FreeBSD home router &ndash; Legacy IPv4: NAT+DHCP</a> (this one)</li> </ul> </blockquote> <h1 id="table-of-contents">Table of Contents</h1> <div class="toc"> <ul> <li><a href="#introduction">Introduction</a></li> <li><a href="#table-of-contents">Table of Contents</a></li> <li><a href="#home-router">Home router</a></li> <li><a href="#local-legacy-ipv4-networking-nat-half-rant">Local legacy IPv4 networking: NAT (half-rant)</a></li> <li><a href="#local-legacy-ipv4-networking-nat-implementing">Local legacy IPv4 networking: NAT (implementing)</a><ul> <li><a href="#dhcp-providing-the-local-ipv4-addresses">DHCP: providing the local IPv4 addresses</a></li> <li><a href="#nat-with-pf-forwarding-packets-properly">NAT with pf: forwarding packets properly</a></li> </ul> </li> <li><a href="#remaining-work">Remaining work</a><ul> <li><a href="#internal-network-bits">Internal network bits</a></li> </ul> </li> </ul> </div> <h1 id="home-router">Home router</h1> <p>As mentioned on the <a href="../2019-FreeBSD-eXO-router/">first post</a>, this setup is based on an APU2d4, with three ethernet interfaces: <code>igb0</code> for egress/wan, <code>igb1</code> for local devices and, <code>igb2</code> as a management interface.</p> <p>The current state is that the machine can setup the connection to <a href="https://exo.cat" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">eXO</a> and can correctly accept the IPv6 and IPv4 routes and delegations, furthermore it creates an access point <code>wlan0</code> that is bridged to <code>igb1</code> (bridge is called <code>lair</code>) and any devices that connect to these interfaces are able to use only the IPv6 internet.</p> <h1 id="local-legacy-ipv4-networking-nat-half-rant">Local legacy IPv4 networking: NAT (half-rant)</h1> <p><a href="https://en.wikipedia.org/wiki/Network_address_translation" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Network Address Translation</a>, one of those things that are secretly quite complex and a bit of a PITA to debug.</p> <p>The Internet was made to be End-To-End, to have all members of the network be equal in the sense that they can provide and consume services the exact same way [old knowledge; citation needed].</p> <p><a href="https://en.wikipedia.org/wiki/Network_address_translation" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">NAT</a> gets in the way of that and it was a necessary evil. Virtually all ISPs that provide you with an internet connection, will also assign you a single IPv4 address (either dynamically or statically), but you surely have more than one device at any given home/company location.</p> <p>Since, except in very specific cases, it&rsquo;s not valid for multiple devices to work with the same IP, <a href="https://en.wikipedia.org/wiki/Network_address_translation" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">NAT</a> shows up everywhere.</p> <p>In a nutshell, <a href="https://en.wikipedia.org/wiki/Network_address_translation" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">NAT</a> makes sure that your <code>192.168.X.Y</code> IPv4 doesn&rsquo;t leave the local network (because it&rsquo;s &ldquo;non-routable&rdquo;, aka shouldn&rsquo;t leave the premises) and then connects on your behalf to whatever other peers you requested.</p> <p>Then, when the answer comes back, it&rsquo;s &ldquo;smart enough&rdquo; to know that that reply has to go to your <code>192.168.X.Y</code> instead of to some <code>192.168.W.Z</code> in the network.</p> <p>That&rsquo;s trickier than it sounds and indeed means that, without some kind of permanent port-forwarding, it is not possible to reach devices behind the NAT for better and for worse.</p> <p>Since <a href="https://www.ripe.net/manage-ips-and-asns/ipv4/ipv4-run-out" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">RIPE ran out of IPv4 in 2019</a>, this is specially important: now ISPs are starting to use <a href="https://en.wikipedia.org/wiki/Carrier-grade_NAT" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Carrier-Grade NAT</a>, some even &ldquo;sell it&rdquo; as a feature because it means they can give you a crappier internet at lower prices.</p> <p>Crappier internet? Well, if you or someone you know/trust manage your NAT, it is possible to do things like port-forwarding, if in reality, your NAT is behind another NAT that hosts thousands of customers; there is no real option for that.</p> <p>Random trivia: The Nintendo Switch will happily tell you how crappy your NAT is :-) on a scale from &ldquo;A: mostly works&rdquo; to &ldquo;F: how did this happen?&rdquo;. <a href="https://en.wikipedia.org/wiki/Carrier-grade_NAT" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">CGNAT</a> will automatically place you somewhere between &ldquo;C&rdquo; and &ldquo;D&rdquo;.</p> <h1 id="local-legacy-ipv4-networking-nat-implementing">Local legacy IPv4 networking: NAT (implementing)</h1> <p>So, <a href="https://exo.cat" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">eXO</a> is in this regard only different, in that they assign a static IPv4 address to the connection that is directly addressable by any device connected to the IPv4 internet.</p> <p>Which means, I do need <a href="https://en.wikipedia.org/wiki/Network_address_translation" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">NAT</a> if I want IPv4 support.</p> <p>Side note for some other time: <a href="https://en.wikipedia.org/wiki/NAT64" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">NAT64</a> and <a href="https://en.wikipedia.org/wiki/IPv6_transition_mechanism#DNS64" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">DNS64</a> make it mostly unnecessary to have IPv4 (and <a href="https://en.wikipedia.org/wiki/Network_address_translation" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">NAT</a>!) in the first place. This has been tested out successfully at length by many, but specially by the awesome people at <a href="https://ungleich.ch" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">ungleich.ch</a> at last <a href="https://hack4glarus.ch" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Hack4Glarus</a> and with their <a href="https://ipv6onlyhosting.com" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">IPv6 only hosting</a> Virtual Private Server (VPS) offering.</p> <h2 id="dhcp-providing-the-local-ipv4-addresses">DHCP: providing the local IPv4 addresses</h2> <p>Before actually translating addresses, we have to provide those addresses to devices in the network. That&rsquo;s what DHCP is good for.</p> <p>The along with the DHCP6 client (<code>dhcp6c</code>), DHCP server is the second bit that we need that is not part of the base system.</p> <p>In this case, I&rsquo;ll use <a href="https://openbsd.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">OpenBSD</a>&lsquo;s <code>dhcpd</code>, which is packaged as a port for <a href="https://freebsd.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">FreeBSD</a>.</p> <p>As with <code>dhcp6c</code>, installing <code>dhcpd</code> is a matter of:</p> <div class="codehilite"><pre><span></span><code>pkg install dhcpd </code></pre></div> <p>And the magical man pages are <code>man 5 dhcpd.conf</code> and <code>man 8 dhcpd</code> and, even if it is focused on <code>isc-dhcpd-server</code>, the <a href="https://www.freebsd.org/doc/en/books/handbook/network-dhcp.html" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Chapter on DHCP from the FreeBSD Handbook</a>.</p> <p>Familiar pattern by now, setup <code>/usr/local/etc/dhcpd.conf</code> (since <code>dhcpd</code> is not part of the base system, its config lives in <code>/usr/local/etc</code>) as follows:</p> <div class="codehilite"><pre><span></span><code>#<span class="w"> </span>Add<span class="w"> </span>a<span class="w"> </span>suffix<span class="w"> </span>for<span class="w"> </span>local<span class="w"> </span>name<span class="w"> </span>queries option<span class="w"> </span>domain-name<span class="w"> </span>&quot;evilham.local&quot;; #<span class="w"> </span>TODO:<span class="w"> </span>change<span class="w"> </span>to<span class="w"> </span>own<span class="w"> </span>DNS.<span class="w"> </span>Using<span class="w"> </span>quad9<span class="w"> </span>for<span class="w"> </span>now option<span class="w"> </span>domain-name-servers<span class="w"> </span>9.9.9.9,<span class="w"> </span>114.112.112.112; #<span class="w"> </span>Default<span class="w"> </span>to<span class="w"> </span>a<span class="w"> </span>1<span class="w"> </span>day<span class="w"> </span>lease default-lease-time<span class="w"> </span>86400; #<span class="w"> </span>Limit<span class="w"> </span>the<span class="w"> </span>lease<span class="w"> </span>to,<span class="w"> </span>say<span class="w"> </span>a<span class="w"> </span>month<span class="w"> </span>if<span class="w"> </span>someone #<span class="w"> </span>requests<span class="w"> </span>a<span class="w"> </span>longer<span class="w"> </span>lease. max-lease-time<span class="w"> </span>2592000; #<span class="w"> </span>2^16<span class="w"> </span>should<span class="w"> </span>be<span class="w"> </span>enough<span class="w"> </span>addresses<span class="w"> </span>for<span class="w"> </span>everyone<span class="w"> </span>(&#39;<span class="w"> </span>^.^) option<span class="w"> </span>subnet-mask<span class="w"> </span>255.255.0.0; #<span class="w"> </span>This<span class="w"> </span>will<span class="w"> </span>have<span class="w"> </span>to<span class="w"> </span>be<span class="w"> </span>the<span class="w"> </span>internal<span class="w"> </span>IPv4<span class="w"> </span>of<span class="w"> </span>the<span class="w"> </span>router option<span class="w"> </span>routers<span class="w"> </span>192.168.0.1; subnet<span class="w"> </span>192.168.0.0<span class="w"> </span>netmask<span class="w"> </span>255.255.0.0<span class="w"> </span>{ <span class="w"> </span>#<span class="w"> </span>I<span class="w"> </span>want<span class="w"> </span>to<span class="w"> </span>&quot;reserve&quot;<span class="w"> </span>some<span class="w"> </span>addresses<span class="w"> </span>for<span class="w"> </span><span class="cp">${</span><span class="n">reasons</span><span class="cp">}</span> <span class="w"> </span>range<span class="w"> </span>192.168.77.0<span class="w"> </span>192.168.99.255; } </code></pre></div> <p>And setup <code>/etc/rc.conf</code>:</p> <div class="codehilite"><pre><span></span><code><span class="err">#</span><span class="w"> </span><span class="nx">Modify</span><span class="w"> </span><span class="nx">this</span><span class="w"> </span><span class="nx">existing</span><span class="w"> </span><span class="nx">line</span><span class="w"> </span><span class="nx">to</span><span class="w"> </span><span class="nx">add</span><span class="w"> </span><span class="nx">the</span><span class="w"> </span><span class="nx">router</span><span class="err">&#39;</span><span class="nx">s</span><span class="w"> </span><span class="nx">IPv4</span><span class="w"> </span><span class="k">and</span><span class="w"> </span><span class="nx">subnet</span> <span class="nx">ifconfig_lair</span><span class="p">=</span><span class="s">&quot;inet 192.168.0.1/16 addm igb1 addm wlan0&quot;</span> <span class="err">#</span><span class="w"> </span><span class="nx">Start</span><span class="w"> </span><span class="nx">giving</span><span class="w"> </span><span class="nx">out</span><span class="w"> </span><span class="nx">IPv4</span><span class="w"> </span><span class="nx">addresses</span> <span class="nx">dhcpd_enable</span><span class="p">=</span><span class="s">&quot;YES&quot;</span> <span class="err">#</span><span class="w"> </span><span class="nx">And</span><span class="w"> </span><span class="nx">explicitly</span><span class="w"> </span><span class="nx">do</span><span class="w"> </span><span class="nx">that</span><span class="w"> </span><span class="nx">only</span><span class="w"> </span><span class="nx">locally</span> <span class="nx">dhcpd_flags</span><span class="p">=</span><span class="s">&quot;lair&quot;</span> </code></pre></div> <p>Then start the <code>dhcpd</code> service:</p> <div class="codehilite"><pre><span></span><code>service dhcpd start </code></pre></div> <p>Now any device connected to the bridge interface will get an IPv4 address \o/.</p> <p>BUT! We have no NAT yet, so, things will get weird soon! (*)</p> <blockquote> <p>(*): they got weirder than expected, <code>ppp</code> was doing NAT?</p> <p>That doesn&rsquo;t sound right :-D. Let&rsquo;s trust <code>pf</code> more than <code>ppp</code> for that job.</p> <p>Modified <code>/etc/ppp/ppp.conf</code> so that the <code>exo</code> profile also contains a line: <code>nat enable no</code> This should have been the default if I understood documentation properly.</p> <p>TODO: Figure out why this was the default behaviour and fix documentation/open a bug</p> </blockquote> <p>Besides talking to our local network, these addresses are not good for anything. Since they are not routable, any routers must refuse to forward the packets any further.</p> <h2 id="nat-with-pf-forwarding-packets-properly">NAT with pf: forwarding packets properly</h2> <p><a href="https://freebsd.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">FreeBSD</a> has two main firewalls, I like <code>pf</code>. It originated in <a href="https://openbsd.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">OpenBSD</a> like so many great things, and was ported to <a href="https://freebsd.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">FreeBSD</a>.</p> <p><a href="https://www.youtube.com/watch?v=RYtwx7Jj8aE" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Kristof Provost&rsquo;s talk</a> on automated firewall testing, explains a bit how it came to be that <a href="https://openbsd.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">OpenBSD</a>&lsquo;s <code>pf</code> and <a href="https://freebsd.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">FreeBSD</a>&lsquo;s <code>pf</code> are actually different. The TL;DR is: nobody has done the work to upgrade it, it works mostly fine, and the diff is not as small as one would expect.</p> <p><a href="https://openbsd.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">OpenBSD</a>&lsquo;s <code>pf</code> has a bunch of goodies, like support for <code>NAT64</code> :-). Hopefully things catch up soon.</p> <p>Back to topic: <code>man 4 pf</code>, <code>man 5 pf.conf</code> and <code>man 8 pfctl</code> are the magical man pages.</p> <p>And a super-tiny but permissive example on how to do NAT was already done by <a href="https://kamila.is" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Kamila</a> <a href="https://kamila.is/learning/building-my-home-router/#basic-router-setup-gateway--nat-for-v4" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">here</a>, so go steal that into <code>/etc/pf.conf</code>.</p> <p>With an important addition for <code>dhcp6c</code>:</p> <div class="codehilite"><pre><span></span><code><span class="err">#</span><span class="w"> </span><span class="nx">TODO</span><span class="p">:</span><span class="w"> </span><span class="nx">update</span><span class="w"> </span><span class="nx">with</span><span class="w"> </span><span class="nx">provisioning</span><span class="w"> </span><span class="nx">example</span> <span class="err">#</span><span class="w"> </span><span class="nx">In</span><span class="w"> </span><span class="nx">practise</span><span class="p">,</span><span class="w"> </span><span class="nx">this</span><span class="w"> </span><span class="nx">should</span><span class="w"> </span><span class="nx">be</span><span class="w"> </span><span class="nx">limited</span><span class="w"> </span><span class="nx">to</span><span class="w"> </span><span class="nx">link</span><span class="w"> </span><span class="nx">local</span><span class="w"> </span><span class="nx">addresses</span> <span class="nx">pass</span><span class="w"> </span><span class="k">in</span><span class="w"> </span><span class="nx">quick</span><span class="w"> </span><span class="nx">proto</span><span class="w"> </span><span class="nx">udp</span><span class="w"> </span><span class="nx">to</span><span class="w"> </span><span class="nx">port</span><span class="w"> </span><span class="nx">dhcpv6</span><span class="o">-</span><span class="nx">client</span> </code></pre></div> <p>Now we have to apply those rules, since I was already loading <code>pf</code>, albeit with an empty set of rules, this means running:</p> <div class="codehilite"><pre><span></span><code><span class="n">service</span><span class="w"> </span><span class="n">pf</span><span class="w"> </span><span class="n">reload</span> </code></pre></div> <p>And boom, now everything in the network can talk to the outside over IPv4.</p> <h1 id="remaining-work">Remaining work</h1> <ul> <li>Finish securing the firewall with <code>pf</code></li> <li>Create and publish <a href="https://cdi.st" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">cdist</a> types for all the things</li> </ul> <h2 id="internal-network-bits">Internal network bits</h2> <ul> <li>Monitoring (Prometheus)</li> <li>DNS (unbound)</li> <li>Traffic dashboards (taking into account the percentiles)</li> </ul>2020-01-01T00:00:00Zurn:uuid:a7e2dd78-93c4-3940-ab0f-e7bd31b6396c<h1 id="introduction">Introduction</h1> <p><a href="../2019-FreeBSD-eXO-router/">Last time</a> I wrote about setting up a <a href="https://freebsd.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">FreeBSD</a>-based <a href="https://exo.cat" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">eXO</a> router, this builds upon a system that can correctly <code>ping</code> and <code>ping6</code> to the internet.</p> <p>The goal here is to setup the bits of the router needed for everyday usage.</p> <blockquote> <p>This is part of a series on home routing with FreeBSD.</p> <ul> <li><a href="../2019-FreeBSD-eXO-router/">FreeBSD eXO router &ndash; Get to ping6</a></li> <li><a href="../2020-FreeBSD-home-router-ipv6/">FreeBSD home router &ndash; Access Point and IPv6-only</a> (this one)</li> <li><a href="../2020-FreeBSD-home-router-legacy-ipv4/">FreeBSD home router &ndash; Legacy IPv4: NAT+DHCP</a></li> </ul> </blockquote> <h1 id="table-of-contents">Table of Contents</h1> <div class="toc"> <ul> <li><a href="#introduction">Introduction</a></li> <li><a href="#table-of-contents">Table of Contents</a></li> <li><a href="#home-router">Home router</a><ul> <li><a href="#create-the-bridge">Create the bridge</a></li> <li><a href="#setup-the-wireless-network">Setup the wireless network</a></li> <li><a href="#become-a-gateway">Become a gateway</a></li> <li><a href="#provide-ipv6-connectivity-with-slaac">Provide IPv6 connectivity with SLAAC</a></li> <li><a href="#secure-the-firewall">Secure the firewall</a></li> </ul> </li> <li><a href="#remaining-work">Remaining work</a><ul> <li><a href="#legacy-ipv4">Legacy IPv4</a></li> <li><a href="#internal-network-bits">Internal network bits</a></li> </ul> </li> </ul> </div> <h1 id="home-router">Home router</h1> <p>As mentioned on the <a href="../2019-FreeBSD-eXO-router/">previous post</a>, this setup is based on an APU2d4, with three ethernet interfaces: <code>igb0</code> for egress/wan, <code>igb1</code> for local devices and, <code>igb2</code> as a management interface.</p> <p>The current state is that the machine can setup the connection to <a href="https://exo.cat" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">eXO</a> and can correctly accept the IPv6 and IPv4 routes and delegations, and is able to <code>ping</code> and <code>ping6</code> devices on the internet.</p> <p>This is similar to what <a href="https://kamila.is" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Kamila</a> did with <a href="https://kamila.is/learning/building-my-home-router/#installation" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">her router</a>, but has a few twists and only focuses on the home router bits, leaving the <a href="https://kamila.is/learning/building-my-home-router/#installation" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">installation and 3G</a> and <a href="../2019-FreeBSD-eXO-router/">PPPoE</a> bits somewhere else.</p> <h2 id="create-the-bridge">Create the bridge</h2> <p>Creating network bridges on <a href="https://freebsd.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">FreeBSD</a> is pretty straightforward with <code>man 8 ifconfig</code> and <code>man 5 rc.conf</code> being the magical man pages.</p> <p>To do it once:</p> <div class="codehilite"><pre><span></span><code># Create the bridge with a deterministic name ifconfig bridge create name lair # Add the necessary interfaces ifconfig lair addm igb1 addm wlan0 inet6 auto_linklocal </code></pre></div> <p>To do it permanently, add in <code>/etc/rc.conf</code>:</p> <div class="codehilite"><pre><span></span><code><span class="nx">cloned_interfaces</span><span class="p">=</span><span class="s">&quot;bridge0&quot;</span> <span class="err">#</span><span class="w"> </span><span class="nx">Have</span><span class="w"> </span><span class="nx">a</span><span class="w"> </span><span class="nx">deterministic</span><span class="w"> </span><span class="nx">name</span> <span class="nx">ifconfig_bridge0_name</span><span class="p">=</span><span class="s">&quot;lair&quot;</span> <span class="err">#</span><span class="w"> </span><span class="nx">Add</span><span class="w"> </span><span class="nx">the</span><span class="w"> </span><span class="nx">necessary</span><span class="w"> </span><span class="nx">interfaces</span> <span class="nx">ifconfig_lair</span><span class="p">=</span><span class="s">&quot;addm igb1 addm wlan0&quot;</span> <span class="err">#</span><span class="w"> </span><span class="nx">While</span><span class="w"> </span><span class="nx">at</span><span class="w"> </span><span class="nx">it</span><span class="p">,</span><span class="w"> </span><span class="nx">ensure</span><span class="w"> </span><span class="nx">we</span><span class="w"> </span><span class="nx">have</span><span class="w"> </span><span class="nx">a</span><span class="w"> </span><span class="nx">link</span><span class="w"> </span><span class="nx">local</span><span class="w"> </span><span class="nx">address</span> <span class="nx">ifconfig_lair_ipv6</span><span class="p">=</span><span class="s">&quot;auto_linklocal&quot;</span> </code></pre></div> <h2 id="setup-the-wireless-network">Setup the wireless network</h2> <p>This is done with <code>hostapd</code>, which is also in the base system. The magical man pages for this are <code>man 8 hostapd</code> and <code>man 5 hostapd.conf</code> as well as <code>man 5 rc.conf</code>.</p> <p>First of all, we setup things in <code>/etc/rc.conf</code>:</p> <div class="codehilite"><pre><span></span><code><span class="p">#</span><span class="w"> </span><span class="n">Setup</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">wireless</span><span class="w"> </span><span class="n">interface</span> <span class="n">wlans_ath0</span><span class="o">=</span><span class="s">&quot;wlan0&quot;</span> <span class="n">ifconfig_wlan0</span><span class="o">=</span><span class="s">&quot;HOSTAP&quot;</span> <span class="p">#</span><span class="w"> </span><span class="n">Respect</span><span class="w"> </span><span class="n">local</span><span class="w"> </span><span class="n">regulations</span><span class="w"> </span><span class="k">and</span><span class="w"> </span><span class="n">all</span><span class="w"> </span><span class="n">that</span><span class="w"> </span><span class="o">--</span><span class="w"> </span><span class="n">ES</span><span class="w"> </span><span class="n">is</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">country</span><span class="w"> </span><span class="n">code</span> <span class="n">create_args_wlan0</span><span class="o">=</span><span class="s">&quot;wlanmode hostap country ES&quot;</span> <span class="p">#</span><span class="w"> </span><span class="n">Enable</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">access</span><span class="w"> </span><span class="n">point</span><span class="w"> </span><span class="n">daemon</span> <span class="n">hostapd_enable</span><span class="o">=</span><span class="s">&quot;YES&quot;</span> </code></pre></div> <p>Now, we create <code>/etc/hostapd-wlan0.conf</code> as follows:</p> <div class="codehilite"><pre><span></span><code><span class="n">interface</span><span class="o">=</span><span class="n">wlan0</span> <span class="n">debug</span><span class="o">=</span><span class="mi">0</span> <span class="n">ctrl_interface</span><span class="o">=/</span><span class="k">var</span><span class="o">/</span><span class="n">run</span><span class="o">/</span><span class="n">hostapd</span> <span class="n">ctrl_interface_group</span><span class="o">=</span><span class="n">wheel</span> <span class="n">ssid</span><span class="o">=</span><span class="n">eXO</span><span class="o">-</span><span class="n">wlan</span> <span class="n">wpa</span><span class="o">=</span><span class="mi">2</span> <span class="n">wpa_passphrase</span><span class="o">=</span><span class="n">WirelessPassword</span> <span class="n">wpa_key_mgmt</span><span class="o">=</span><span class="n">WPA</span><span class="o">-</span><span class="n">PSK</span> <span class="n">wpa_pairwise</span><span class="o">=</span><span class="n">CCMP</span> </code></pre></div> <h2 id="become-a-gateway">Become a gateway</h2> <p>Now most of the things are in place in order to forward traffic for other clients in the local network.</p> <p>A very important step that is missing is becoming a gateway! Here also <code>man 5 rc.conf</code> is a magical man page.</p> <p>Add following to <code>/etc/rc.conf</code>:</p> <div class="codehilite"><pre><span></span><code>#<span class="w"> </span><span class="nv">Act</span><span class="w"> </span><span class="nv">as</span><span class="w"> </span><span class="nv">gateway</span> <span class="nv">gateway_enable</span><span class="o">=</span><span class="s2">&quot;YES&quot;</span> <span class="nv">ipv6_gateway_enable</span><span class="o">=</span><span class="s2">&quot;YES&quot;</span> #<span class="w"> </span><span class="nv">Setup</span><span class="w"> </span><span class="nv">dependent</span>:<span class="w"> </span><span class="nv">Accept</span><span class="w"> </span><span class="nv">Route</span><span class="w"> </span><span class="nv">Advertisements</span><span class="w"> </span><span class="nv">even</span><span class="w"> </span><span class="nv">with</span> #<span class="w"> </span><span class="nv">IPv6</span><span class="w"> </span><span class="nv">forwarding</span><span class="w"> </span><span class="nv">enabled</span>. #<span class="w"> </span><span class="nv">In</span><span class="w"> </span><span class="nv">my</span><span class="w"> </span><span class="nv">case</span>,<span class="w"> </span><span class="nv">this</span><span class="w"> </span><span class="nv">is</span><span class="w"> </span><span class="nv">not</span><span class="w"> </span><span class="nv">needed</span><span class="w"> </span><span class="nv">as</span><span class="w"> </span><span class="nv">DHCP6</span><span class="w"> </span><span class="nv">is</span><span class="w"> </span><span class="nv">used</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="nv">prefix</span><span class="w"> </span><span class="nv">delegation</span>. #<span class="w"> </span><span class="nv">The</span><span class="w"> </span><span class="nv">value</span><span class="w"> </span><span class="nv">should</span><span class="w"> </span><span class="nv">be</span><span class="w"> </span><span class="nv">the</span><span class="w"> </span><span class="nv">interface</span><span class="w"> </span><span class="nv">where</span><span class="w"> </span><span class="nv">your</span><span class="w"> </span><span class="nv">ISP</span><span class="w"> </span><span class="nv">will</span><span class="w"> </span><span class="nv">be</span><span class="w"> </span><span class="nv">doing</span><span class="w"> </span><span class="nv">RA</span>. #<span class="nv">ipv6_cpe_wanif</span><span class="o">=</span><span class="s2">&quot;exoppp&quot;</span> </code></pre></div> <p>This is effective after a reboot, using <code>sysctl</code> and so on is possible, but&hellip;</p> <h2 id="provide-ipv6-connectivity-with-slaac">Provide IPv6 connectivity with SLAAC</h2> <p>This is also done with the base system, in this case <code>man 5 rtadvd.conf</code>, <code>man 5 rc.conf</code> and <code>man 8 rtadvd</code> are the magic man pages.</p> <p>It further follows the pattern, we setup <code>/etc/rc.conf</code>:</p> <div class="codehilite"><pre><span></span><code>rtadvd_enable=&quot;YES&quot; rtadvd_interfaces=&quot;lair&quot; </code></pre></div> <p>And the software in <code>/etc/rtadvd.conf</code>:</p> <div class="codehilite"><pre><span></span><code># rtadvd will try to get the data from the kernel&#39;s routing table # TODO: use own DNS servers, this uses quad9. lair:\ :mininterval#5:\ :maxinterval#10:\ :rdnss=&quot;2620:fe::fe,2620:fe::9&quot;\ :mtu#auto:\ :rltime#60: </code></pre></div> <p>And then start it with</p> <div class="codehilite"><pre><span></span><code>service rtadvd start </code></pre></div> <p>At this point we also modify <code>/usr/local/etc/dhcp6c.conf</code> to assign a delegated <code>/64</code> to the <code>lair</code> interface as opposed to the <code>igb1</code> one. See <a href="../2019-FreeBSD-eXO-router/">previous post</a> for the base config.</p> <p>Now, when another system connects to the <code>lair</code> bridge (that includes the access point on <code>wlan0</code>), it will automagically receive the <code>/64</code> prefix information and derive its addresses as necessary (temporary, non-temporary, random, it&rsquo;s all black magic).</p> <p>BUT! Keep on reading, this is important!</p> <h2 id="secure-the-firewall">Secure the firewall</h2> <p>Up until now only our router was accessible from the internet without a firewall, but it also had no services running (besides SSH with Public Key based authentication); with the previous step though, besides providing internet to the network, we provide our internal network to the internet :-).</p> <blockquote> <p>Remember that up until now <code>/etc/pf.conf</code> was empty.</p> </blockquote> <p>My firewall rules are non-trivial and keep evolving, so they won&rsquo;t be replicated here, instead there will be some <a href="https://cdi.st" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">cdist</a> type with them soon.</p> <p>Needless to say, <code>man pf.conf</code>, <code>man pf</code> and <code>man pfctl</code> are the magical man pages and block all the things.</p> <blockquote> <p>TODO: publish the <a href="https://cdi.st" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">cdist</a> types and link them here</p> </blockquote> <h1 id="remaining-work">Remaining work</h1> <h2 id="legacy-ipv4">Legacy IPv4</h2> <ul> <li>Setup <code>dhcpd</code> to hand out local IPv4s</li> <li>Setup NAT</li> <li>Create <a href="https://cdi.st" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">cdist</a> types for all the things</li> </ul> <h2 id="internal-network-bits">Internal network bits</h2> <ul> <li>Monitoring (Prometheus)</li> <li>DNS (unbound)</li> <li>Traffic dashboards (taking into account the percentiles)</li> </ul>2019-12-31T00:00:00Zurn:uuid:dd2df2eb-8bb8-3b0c-8031-ed91ea7d037e<h1 id="introduction">Introduction</h1> <p><a href="https://exo.cat" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">eXO</a> &ndash; expansió Xarxa Oberta (open network expansion) is an non-profit association based in Barcelona and since 2019, it&rsquo;s also a <a href="https://www.ripe.net" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">RIPE</a> member.</p> <blockquote> <p><a href="https://exo.cat" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">eXO</a> […] promotes open telecommunication networks, technological sovereignty, access to wholesale Internet services and reduces the digital gap.</p> </blockquote> <p>They are also pretty much the only decent way to access native <a href="https://ipv6.barcelona" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">IPv6 in Barcelona</a> and since <a href="https://www.ripe.net/manage-ips-and-asns/ipv4/ipv4-run-out" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">RIPE ran out of IPv4</a> in 2019, it&rsquo;s also pretty much the only decent Internet Service Provider around.</p> <p>Also, the fact that you are not a customer but a member who can make things work out if necessary, kicks ass over <code>&lt;rant&gt;</code> Customer Service that keeps you waiting for hours and then insults your time and intelligence, or a service that forces you to use crappy routers, uses <a href="https://en.wikipedia.org/wiki/Carrier-grade_NAT" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">CGNAT</a> or one that basically mobs you into joining them by aggressively calling you multiple times a week. (Who does these terrible things? Search for &ldquo;biggest ISPs in Spain&rdquo;) <code>&lt;/rant&gt;</code></p> <p>Also: you get to pick your router and, besides something running <a href="https://openwrt.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">OpenWRT</a> (default), do it your self and e.g. run <a href="https://openbsd.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">OpenBSD</a> or <a href="https://freebsd.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">FreeBSD</a>.</p> <p>This is roughly about how internet with <a href="https://exo.cat" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">eXO</a> works and mainly about how to setup a <a href="https://freebsd.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">FreeBSD</a> system as a router for it.</p> <p>PS: <a href="https://exo.cat" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">eXO</a> does more than just fiber, there are also community-owned wireless mesh networks, but that&rsquo;s for another day.</p> <blockquote> <p>This is part of a series on home routing with FreeBSD.</p> <ul> <li><a href="../2019-FreeBSD-eXO-router/">FreeBSD eXO router &ndash; Get to ping6</a> (this one)</li> <li><a href="../2020-FreeBSD-home-router-ipv6/">FreeBSD home router &ndash; Access Point and IPv6-only</a></li> <li><a href="../2020-FreeBSD-home-router-legacy-ipv4/">FreeBSD home router &ndash; Legacy IPv4: NAT+DHCP</a></li> </ul> </blockquote> <h1 id="table-of-contents">Table of Contents</h1> <div class="toc"> <ul> <li><a href="#introduction">Introduction</a></li> <li><a href="#table-of-contents">Table of Contents</a></li> <li><a href="#hardware">Hardware</a><ul> <li><a href="#fiber-network">Fiber network</a></li> <li><a href="#going-ethernet">Going Ethernet</a></li> <li><a href="#router">Router</a></li> </ul> </li> <li><a href="#software-and-installation">Software and installation</a><ul> <li><a href="#hardware-specific-bits">Hardware-specific bits</a></li> <li><a href="#external-network-bits">External network bits</a><ul> <li><a href="#wholesale-provider-requirements-pcp-vlan">Wholesale provider requirements (PCP + VLAN)</a></li> <li><a href="#pppoe">PPPoE</a></li> <li><a href="#ipv6-connectivity">IPv6 connectivity</a></li> </ul> </li> </ul> </li> <li><a href="#remaining-work">Remaining work</a><ul> <li><a href="#optional">Optional</a></li> <li><a href="#internal-network-bits">Internal network bits</a></li> </ul> </li> </ul> </div> <h1 id="hardware">Hardware</h1> <h2 id="fiber-network">Fiber network</h2> <p>Since Barcelona is one of those regions, particularly cities, that missed the &ldquo;let&rsquo;s own our digital infrastructure&rdquo; wagon, and it&rsquo;s prohibitively expensive to install your own, the physical layer gets leased from a wholesale provider which, in turn, pays to the owner of the network (see &ldquo;biggest ISPs in Spain&rdquo;) for its use.</p> <p>Depending on where in the metropolitan area, that provider changes, in the case of the city of Barcelona, it&rsquo;s Sarenet.</p> <p>Once Sarenet has done its job (which was extremely quick!), there is an optical fiber cable arriving at its future usage location, <a href="https://exo.cat" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">eXO</a> gets notified and receives some details like the connection&rsquo;s required VLAN and they also setup users and assign a fixed IP block from their pool to the connection.</p> <h2 id="going-ethernet">Going Ethernet</h2> <p>Before we can use our regular router, an <a href="https://en.wikipedia.org/wiki/Network_interface_device#Optical_network_terminals" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Optical Network Terminal</a> is needed. In this case <a href="https://exo.cat" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">eXO</a> offered me a <a href="https://e.huawei.com/uk/products/enterprise-transmission-access/access/ont/echolife-eg8010h" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Huawei EchoLife EG8010H</a> which is kind of cute and does the job. Plus side: now I <em>own</em> the li&rsquo;l box (no BS equipment rental or crappy hardware).</p> <h2 id="router">Router</h2> <p>I&rsquo;m re-purposing electronics, whose intended initial use has developed beyond its capabilities.</p> <p>In this case, that&rsquo;s an APU2d4 from <a href="https://pcengines.ch" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">PCEngines</a>, with a 1T mSATA drive for home storage and booting off a 32G SD card. Some more drives will be attached but are not relevant.</p> <p>I decided to boot off a 32G SD card, because if anything happens, I can have it back up in no time. And it slightly simplifies the management of the data drive.</p> <h1 id="software-and-installation">Software and installation</h1> <p>Since, because of the somewhat large mSATA, I&rsquo;ll be using the APU as home storage as well, I will prefer <a href="https://freebsd.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">FreeBSD</a> over <a href="https://openbsd.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">OpenBSD</a> for this use-case, as the former will give me the wonders of ZFS, minus some of the easy routing awesomeness of the latter, while still being good at it.</p> <h2 id="hardware-specific-bits">Hardware-specific bits</h2> <p>Installing <a href="https://freebsd.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">FreeBSD</a> on a <a href="https://pcengines.ch" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">PCEngines</a> APU2 is somewhat easy with the right equipment and a couple important tips.</p> <p><a href="https://kamila.is" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Kamila</a> covered that when she did her router, so do <a href="https://kamila.is/learning/building-my-home-router/#installation" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">read that</a>.</p> <p>Once the OS is installed and before rebooting into the newly installed system, I prepare a few things for provisioning over local network:</p> <ol> <li>Setup my <code>root</code> SSH key in <code>/root/.ssh/authorized_keys</code></li> <li>Ensure password logins are disabled in SSH</li> <li>Enable <code>root</code> login over SSH</li> <li>Add <code>pf_enable="YES"</code> to <code>/etc/rc.conf</code> and <code>kldload pf</code></li> <li>Create an empty <code>/etc/pf.conf</code></li> <li>Make sure things like <code>sendmail</code> and the like are fully disabled</li> <li>I make sure I can use the router as a client over a local network with</li> </ol> <div class="codehilite"><pre><span></span><code># In /etc/rc.conf ifconfig_igb2=&quot;DHCP&quot; ifconfig_igb2_ipv6=&quot;inet6 accept_rtadv&quot; </code></pre></div> <h2 id="external-network-bits">External network bits</h2> <p>I&rsquo;ve been switching to <a href="https://cdi.st" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">cdist</a> for provisioning, so this might be easier for you once I finish publishing the types.</p> <p>Since I&rsquo;ll be doing the provisioning over local network on <code>igb2</code> (mangement), <code>igb0</code> is assumed to be the egress, wan interface and <code>igb1</code> will be treated as a client-facing interface.</p> <h3 id="wholesale-provider-requirements-pcp-vlan">Wholesale provider requirements (PCP + VLAN)</h3> <p>The wholesale provider requires a specific IEEE 802.1p Priority Code Point and VLAN for the connection.</p> <p>The magical man pages are <code>man 8 ifconfig</code> and <code>man 4 vlan</code> as well as the <a href="https://www.freebsd.org/doc/handbook/network-vlan.html" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Chapter on VLANs from the FreeBSD Handbook</a>.</p> <p>This is achieved one time with:</p> <div class="codehilite"><pre><span></span><code># VLAN 24 -- Called exovlan because of ppp # We also setup IEEE 802.1p priority code point ifconfig igb0.24 create name exovlan vlan 24 vlanpcp 3 </code></pre></div> <p>And permanently by adding following to <code>/etc/rc.conf</code>:</p> <div class="codehilite"><pre><span></span><code># Wholesale provider requirements # Create VLAN inteface # It doesn&#39;t look like ppp likes dots in interfaces, let&#39;s give this # interface a friendly name. vlans_igb0=&quot;exovlan&quot; # Setup the VLAN number create_args_exovlan=&quot;vlan 24&quot; # IEEE 802.1p priority code point ifconfig_exovlan=&quot;vlanpcp 3&quot; </code></pre></div> <h3 id="pppoe">PPPoE</h3> <p>This is what is actually used by <a href="https://exo.cat" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">eXO</a> to provide the service.</p> <p>The magical man pages are <code>man 8 ppp</code> and the <a href="https://www.freebsd.org/doc/handbook/ppp-and-slip.html" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Chapter on PPP from the FreeBSD Handbook</a>.</p> <p>And this is what the resulting <code>/etc/ppp/ppp.conf</code> looks like:</p> <div class="codehilite"><pre><span></span><code>default: <span class="w"> </span>#<span class="w"> </span>An<span class="w"> </span>address<span class="w"> </span>is<span class="w"> </span>required <span class="w"> </span>set<span class="w"> </span>ifaddr<span class="w"> </span>0<span class="w"> </span>0<span class="w"> </span>255.255.255.255 exo: <span class="w"> </span>#<span class="w"> </span>I&#39;ll<span class="w"> </span>be<span class="w"> </span>using<span class="w"> </span>my<span class="w"> </span>own<span class="w"> </span>DNS,<span class="w"> </span>otherwise<span class="w"> </span>use<span class="w"> </span>&quot;enable<span class="w"> </span>dns&quot; <span class="w"> </span>disable<span class="w"> </span>dns <span class="w"> </span>#<span class="w"> </span>Reminder<span class="w"> </span>that<span class="w"> </span>ppp<span class="w"> </span>does<span class="w"> </span>not<span class="w"> </span>like<span class="w"> </span>dots<span class="w"> </span>in<span class="w"> </span>interface<span class="w"> </span>names <span class="w"> </span>#<span class="w"> </span>so<span class="w"> </span>we<span class="w"> </span>created<span class="w"> </span>the<span class="w"> </span>VLAN<span class="w"> </span>24<span class="w"> </span>as<span class="w"> </span>exovlan<span class="w"> </span>and<span class="w"> </span>not<span class="w"> </span>igb0.24 <span class="w"> </span>set<span class="w"> </span>device<span class="w"> </span>PPPoE:exovlan <span class="w"> </span>#<span class="w"> </span>Set<span class="w"> </span>a<span class="w"> </span>deterministic<span class="w"> </span>name <span class="w"> </span>iface<span class="w"> </span>name<span class="w"> </span>exoppp <span class="w"> </span>#<span class="w"> </span>Replace<span class="w"> </span>with<span class="w"> </span>your<span class="w"> </span>own<span class="w"> </span>data <span class="w"> </span>set<span class="w"> </span>authname<span class="w"> </span><span class="cp">${</span><span class="n">EXO_USER</span><span class="cp">}</span> <span class="w"> </span>set<span class="w"> </span>authkey<span class="w"> </span><span class="cp">${</span><span class="n">EXO_PASS</span><span class="cp">}</span> <span class="w"> </span>set<span class="w"> </span>dial <span class="w"> </span>set<span class="w"> </span>login <span class="w"> </span>#<span class="w"> </span>Use<span class="w"> </span>LQR<span class="w"> </span>and<span class="w"> </span>echo <span class="w"> </span>set<span class="w"> </span>echoperiod<span class="w"> </span>15 <span class="w"> </span>set<span class="w"> </span>lqrperiod<span class="w"> </span>15 <span class="w"> </span>#<span class="w"> </span>mssfixup<span class="w"> </span>should<span class="w"> </span>be<span class="w"> </span>enabled<span class="w"> </span>by<span class="w"> </span>default <span class="w"> </span>enable<span class="w"> </span>echo<span class="w"> </span>lqr<span class="w"> </span>mssfixup <span class="w"> </span>set<span class="w"> </span>timeout<span class="w"> </span>0 <span class="w"> </span>#<span class="w"> </span>Pause<span class="w"> </span>of<span class="w"> </span>5,<span class="w"> </span>increment<span class="w"> </span>+5,<span class="w"> </span>-5<span class="w"> </span>times <span class="w"> </span>set<span class="w"> </span>redial<span class="w"> </span>5+5-5<span class="w"> </span>0 <span class="w"> </span>#<span class="w"> </span>Wait<span class="w"> </span>random<span class="w"> </span>(1-30)<span class="w"> </span>to<span class="w"> </span>reconnect <span class="w"> </span>set<span class="w"> </span>reconnect<span class="w"> </span>random<span class="w"> </span>0 <span class="w"> </span>add!<span class="w"> </span>default<span class="w"> </span>HISADDR <span class="w"> </span>add!<span class="w"> </span>default<span class="w"> </span>HISADDR6 </code></pre></div> <p>Now PPPoE can be used once with:</p> <div class="codehilite"><pre><span></span><code>ppp -ddial exo </code></pre></div> <p>And permanently by adding following to <code>/etc/rc.conf</code>:</p> <div class="codehilite"><pre><span></span><code># PPPoE bits ppp_enable=&quot;YES&quot; ppp_mode=&quot;ddial&quot; ppp_profile=&quot;exo&quot; </code></pre></div> <p>Now pinging some IPv4 address should work :-).</p> <h3 id="ipv6-connectivity">IPv6 connectivity</h3> <p>IPv6 connectivity is slightly more difficult as <a href="https://exo.cat" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">eXO</a> must delegate the <code>/56</code> prefix to us.</p> <p>In this case, I&rsquo;ll want to quickly assign a <code>/64</code> to the remaining ethernet interface, <code>igb1</code>.</p> <p>Sadly <code>dhclient</code> in the base system does not include this feature, and that&rsquo;s the kind of situation when ports are needed.</p> <p>Good thing we now have some legacy (v4) network connectivity!</p> <p>Let&rsquo;s get the <code>dhcp6</code> port:</p> <div class="codehilite"><pre><span></span><code># The first time pkg runs, it will bootstrap itself, since it&#39;s # actually maintained as a port. pkg install dhcp6 </code></pre></div> <p>Since this does not belong to the base system, its settings are under <code>/usr/local/etc</code> and there is indeed a <code>dhcp6c.conf.sample</code> with nearly all we need.</p> <p>By reviewing that, <code>man 8 dhcp6c</code> and specially <code>man 5 dhcp6c.conf</code>, following results:</p> <div class="codehilite"><pre><span></span><code><span class="err">#</span><span class="w"> </span><span class="nx">This</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="o">/</span><span class="nx">usr</span><span class="o">/</span><span class="nx">local</span><span class="o">/</span><span class="nx">etc</span><span class="o">/</span><span class="nx">dhcp6c</span><span class="p">.</span><span class="nx">conf</span> <span class="kd">interface</span><span class="w"> </span><span class="nx">exoppp</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="nx">This</span><span class="w"> </span><span class="nx">will</span><span class="w"> </span><span class="nx">solicit</span><span class="w"> </span><span class="nx">a</span><span class="w"> </span><span class="nx">non</span><span class="o">-</span><span class="nx">temporary</span><span class="w"> </span><span class="nx">address</span><span class="w"> </span><span class="nx">on</span><span class="w"> </span><span class="nx">the</span><span class="w"> </span><span class="nx">wan</span><span class="w"> </span><span class="kd">interface</span> <span class="w"> </span><span class="nx">send</span><span class="w"> </span><span class="nx">ia</span><span class="o">-</span><span class="nx">na</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span> <span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="nx">This</span><span class="w"> </span><span class="nx">will</span><span class="w"> </span><span class="nx">solicit</span><span class="w"> </span><span class="nx">a</span><span class="w"> </span><span class="nx">prefix</span><span class="w"> </span><span class="nx">on</span><span class="w"> </span><span class="nx">the</span><span class="w"> </span><span class="nx">exoppp</span><span class="w"> </span><span class="kd">interface</span> <span class="w"> </span><span class="nx">send</span><span class="w"> </span><span class="nx">ia</span><span class="o">-</span><span class="nx">pd</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span> <span class="p">};</span> <span class="err">#</span><span class="w"> </span><span class="nx">An</span><span class="w"> </span><span class="nx">id</span><span class="o">-</span><span class="nx">assoc</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="nx">always</span><span class="w"> </span><span class="nx">needed</span><span class="p">,</span><span class="w"> </span><span class="nx">even</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="nx">NAs</span> <span class="nx">id</span><span class="o">-</span><span class="nx">assoc</span><span class="w"> </span><span class="nx">na</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="p">{</span> <span class="p">};</span> <span class="err">#</span><span class="w"> </span><span class="nx">This</span><span class="w"> </span><span class="nx">will</span><span class="w"> </span><span class="nx">use</span><span class="w"> </span><span class="nx">that</span><span class="w"> </span><span class="nx">delegated</span><span class="w"> </span><span class="nx">prefix</span><span class="w"> </span><span class="nx">to</span><span class="w"> </span><span class="nx">assign</span><span class="w"> </span><span class="nx">it</span><span class="w"> </span><span class="nx">the</span><span class="w"> </span><span class="nx">igb1</span><span class="w"> </span><span class="nx">ethernet</span><span class="p">.</span> <span class="nx">id</span><span class="o">-</span><span class="nx">assoc</span><span class="w"> </span><span class="nx">pd</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="nx">prefix</span><span class="o">-</span><span class="kd">interface</span><span class="w"> </span><span class="nx">igb1</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="nx">This</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="nx">how</span><span class="w"> </span><span class="nx">many</span><span class="w"> </span><span class="nx">bits</span><span class="w"> </span><span class="nx">we</span><span class="w"> </span><span class="nx">have</span><span class="w"> </span><span class="s">&quot;free&quot;</span> <span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="nx">Since</span><span class="w"> </span><span class="nx">IPv6</span><span class="w"> </span><span class="nx">addresses</span><span class="w"> </span><span class="nx">are</span><span class="w"> </span><span class="mi">128</span><span class="w"> </span><span class="nx">bits</span><span class="w"> </span><span class="k">and</span><span class="w"> </span><span class="nx">eXO</span><span class="w"> </span><span class="nx">delegates</span><span class="w"> </span><span class="nx">a</span><span class="w"> </span><span class="o">/</span><span class="mi">56</span><span class="p">,</span> <span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="nx">we</span><span class="w"> </span><span class="nx">have</span><span class="w"> </span><span class="mi">8</span><span class="w"> </span><span class="nx">bits</span><span class="w"> </span><span class="nx">of</span><span class="w"> </span><span class="nx">freedom</span><span class="w"> </span><span class="nx">until</span><span class="w"> </span><span class="nx">a</span><span class="w"> </span><span class="o">/</span><span class="mi">64</span><span class="p">.</span> <span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="nx">The</span><span class="w"> </span><span class="nx">remaining</span><span class="w"> </span><span class="mi">64</span><span class="w"> </span><span class="nx">bits</span><span class="p">,</span><span class="w"> </span><span class="nx">will</span><span class="w"> </span><span class="nx">be</span><span class="w"> </span><span class="nx">used</span><span class="w"> </span><span class="nx">by</span><span class="w"> </span><span class="nx">SLAAC</span><span class="w"> </span><span class="nx">locally</span> <span class="w"> </span><span class="nx">sla</span><span class="o">-</span><span class="nx">len</span><span class="w"> </span><span class="mi">8</span><span class="p">;</span> <span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="nx">This</span><span class="w"> </span><span class="o">*</span><span class="nx">decimal</span><span class="o">*</span><span class="w"> </span><span class="nx">will</span><span class="w"> </span><span class="nx">be</span><span class="w"> </span><span class="nx">turned</span><span class="w"> </span><span class="nx">binary</span><span class="w"> </span><span class="nx">to</span><span class="w"> </span><span class="nx">a</span><span class="w"> </span><span class="nx">sla</span><span class="o">-</span><span class="nx">len</span><span class="w"> </span><span class="nx">bits</span> <span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="nx">representation</span><span class="w"> </span><span class="k">and</span><span class="w"> </span><span class="nx">be</span><span class="w"> </span><span class="nx">used</span><span class="w"> </span><span class="nx">along</span><span class="w"> </span><span class="nx">with</span><span class="w"> </span><span class="nx">the</span><span class="w"> </span><span class="nx">delegated</span><span class="w"> </span><span class="nx">prefix</span><span class="p">.</span> <span class="w"> </span><span class="nx">sla</span><span class="o">-</span><span class="nx">id</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span> <span class="w"> </span><span class="p">};</span> <span class="p">};</span> </code></pre></div> <p>In order to use this, following must be added to <code>/etc/rc.conf</code>:</p> <div class="codehilite"><pre><span></span><code># Just enabling dhcp6c has issues when reconnecting #dhcp6c_enable=&quot;YES&quot; dhcp6c_interfaces=&quot;exoppp&quot; </code></pre></div> <p>And it can be tested out with</p> <div class="codehilite"><pre><span></span><code>service dhcp6c start </code></pre></div> <p>Now <code>ifconfig igb1</code> should have a globally routable unicast IPv6 in a <code>/64</code> under your control and <code>ping6</code> should work (real-time update: happy 2020!).</p> <p><strong>Update (2020-01-28):</strong> Just enabling dhcp6c has issues with IPv6 on reconnect after connection loss. Bright side of this is that we detected an anomaly on <a href="https://exo.cat" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">eXO</a>&lsquo;s ppp server that will be solved in the upcoming planned maintenance.</p> <p>In order to reconnect properly, let&rsquo;s use ppp&rsquo;s hook functionality.</p> <p>On <code>/etc/ppp/ppp.linkup</code>:</p> <div class="codehilite"><pre><span></span><code>MYADDR: # This should block as little as possible, we use !bg to keep going # &quot;in the background&quot; so ppp is not blocked. !bg /usr/sbin/service dhcp6c onerestart </code></pre></div> <p>On <code>/etc/ppp/ppp.linkdown</code>:</p> <div class="codehilite"><pre><span></span><code><span class="nv">MYADDR</span>: <span class="w"> </span>#<span class="w"> </span><span class="nv">dhcp6c</span><span class="w"> </span><span class="nv">can</span><span class="w"> </span><span class="nv">take</span><span class="w"> </span><span class="nv">a</span><span class="w"> </span><span class="nv">bit</span><span class="w"> </span><span class="nv">to</span><span class="w"> </span><span class="nv">close</span>,<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="nv">the</span><span class="w"> </span><span class="nv">link</span><span class="w"> </span><span class="nv">came</span><span class="w"> </span><span class="nv">back</span><span class="w"> </span><span class="nv">up</span> <span class="w"> </span>#<span class="w"> </span><span class="nv">meanwhile</span><span class="w"> </span><span class="nv">things</span><span class="w"> </span><span class="nv">can</span><span class="w"> </span><span class="nv">be</span><span class="w"> </span><span class="nv">messy</span>.<span class="w"> </span><span class="nv">We</span><span class="w"> </span><span class="nv">won</span><span class="err">&#39;t use !bg here.</span> <span class="err"> ! /usr/sbin/service dhcp6c onestop</span> </code></pre></div> <h1 id="remaining-work">Remaining work</h1> <ul> <li>Create a bridge interface for ethernet and wlan.</li> <li>Setup the wireless network</li> <li>Setup SLAAC</li> <li>Secure the firewall</li> <li>Create <a href="https://cdi.st" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">cdist</a> types for all the things</li> </ul> <h2 id="optional">Optional</h2> <ul> <li>Setup <code>dhcpd</code> to hand out local IPv4s</li> <li>Setup NAT</li> </ul> <h2 id="internal-network-bits">Internal network bits</h2> <ul> <li>Monitoring (Prometheus)</li> <li>DNS (unbound)</li> <li>Traffic dashboards (taking into account the percentiles)</li> </ul>2019-08-03T00:00:00Zurn:uuid:ff80fa99-f771-36e4-8f31-942b4898edc3<h1 id="introduction">Introduction</h1> <p>I&rsquo;ve always thought diversity is an important thing, which is why Linux&rsquo; hegemony on servers, as great as it is, can also be a threat for future network stability.</p> <p>Most people having something to do with computers have probably come across the BSD term at one point or another, yet not everyone is aware of OpenBSD and FreeBSD being reasonable alternative Operating Systems with their own strengths.</p> <p>Since my previous laptop was way too fragile to be a mobile computer any longer, I had to relegate it to a virtualisation server and start the hunt for a powerful, mobile and flexible laptop.</p> <p>Easier said than done, after much researching I settled in May 2019 for a ThinkPad A485 as being the closest thing to a good trade-off for me. Amongst other things it features an AMD Ryzen™ processor and 32G RAM.</p> <p>There is a great article covering support for this laptop on <a href="https://deftly.net/posts/2018-10-15-openbsd-on-lenovo-a485.html" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">OpenBSD</a>.</p> <p>Since it&rsquo;s not the case for FreeBSD and, at that point, support for this laptop was not ideal, this is intended as some kind of documentation that will hopefully help other people in the near future, that is in the transition to full support.</p> <p>The wish to document this started when <a href="https://lists.freebsd.org/pipermail/freebsd-current/2019-July/073859.html" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">someone asked</a> on the <code>freebsd-current</code> Mailing List about getting the A485 to work with FreeBSD.</p> <blockquote> <p><strong>Note:</strong> This can be copied / adapted to be on the FreeBSD wiki. Let me know if you adapt it. Sadly the username policies go against my strong preference for pseudonymous internet. Not that figuring out &ldquo;real names&rdquo; would be difficult for really interested parties, it&rsquo;s just a matter of preference and online identity.</p> </blockquote> <h1 id="table-of-contents">Table of Contents</h1> <div class="toc"> <ul> <li><a href="#introduction">Introduction</a></li> <li><a href="#table-of-contents">Table of Contents</a></li> <li><a href="#installation">Installation</a><ul> <li><a href="#12-release">12-RELEASE</a></li> <li><a href="#13-current">13-CURRENT</a></li> </ul> </li> <li><a href="#operation">Operation</a></li> <li><a href="#graphics">Graphics</a><ul> <li><a href="#12-release_1">12-RELEASE</a></li> <li><a href="#13-current_1">13-CURRENT</a></li> </ul> </li> <li><a href="#wireless">Wireless</a></li> <li><a href="#sd-card-reader">SD Card reader</a></li> <li><a href="#overview-of-relevant-bugs-and-issues">Overview of relevant bugs and issues</a><ul> <li><a href="#231760-freebsd-halts-at-acpi-on-amd-ryzen-laptops">#231760 - FreeBSD halts at ACPI on AMD Ryzen laptops</a></li> <li><a href="#239351-panic-spin-lock-held-too-long-a485-bios-bug">#239351 - PANIC spin lock held too long - A485 BIOS bug</a></li> <li><a href="#-rtl8822be-is-not-supported">? - RTL8822BE is not supported</a></li> <li><a href="#204521-support-for-realtek-sd-card-reader">#204521 - Support for Realtek SD card reader</a></li> </ul> </li> </ul> </div> <h1 id="installation">Installation</h1> <h2 id="12-release">12-RELEASE</h2> <p>Installing FreeBSD on an AMD Ryzen™ laptop is not as easy as it could be these days, support in 12-RELEASE is not quite there due to some peculiarities in ACPI, <a href="https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=231760" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">FreeBSD bug #231760</a> tracks that.</p> <p>That bug report also lists the necessary workaround to manage to boot and install FreeBSD on the A485:</p> <p>The <code>hw.pci.mcfg</code> kernel parameter must be set to <code>0</code>, that&rsquo;s done from the boot loader by typing <code>set hw.pci.mcfg=0</code>.</p> <p>After installation, it is quite important to edit <code>/boot/loader.conf</code> and add a line with <code>hw.pci.mcfg=0</code>, that way the system will be able to boot without manual intervention.</p> <h2 id="13-current">13-CURRENT</h2> <p>For those willing and knowledgeable enough to compile and debug things, 13-CURRENT is where development happens, and diff <a href="https://reviews.freebsd.org/D20327" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">D20327</a> just landed! This means I can stop maintaining my own branch :-).</p> <p>As of this writing, the latest installation media dates August 1st 2019, which is about 48 hours too old, so the above kernel parameter is still needed to install FreeBSD on a new A485 for those tracking 13-CURRENT, but it can be removed from <code>/boot/loader.conf</code> after compiling and installing <code>HEAD</code>.</p> <p>Whenever an image is built after August 3rd 2019, it should not need the kernel parameter, <a href="https://download.freebsd.org/ftp/snapshots/amd64/amd64/ISO-IMAGES/13.0/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">check here</a> to see if it has happened.</p> <blockquote> <p><strong>Note:</strong> 13-CURRENT is not intended to be used if you can&rsquo;t fix things yourself or are not willing to debug them. If, however, like me you are curious about the development process and want to be detecting issues before they hit 12-RELEASE, it can useful to use 13-CURRENT.</p> </blockquote> <h1 id="operation">Operation</h1> <p>After installing FreeBSD on the A485, the system behaved well over all but I was experiencing some random kernel panics, which I could reliably trigger by stressing a WireGuard VPN connection; that sent me down the wrong path until Konstantin mentioned in <a href="https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=239351" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">bug #239351</a> that AMD is very secretive about processor features and erratas, which are sometimes fixed in BIOS, so I should make absolutely sure I had the <a href="https://support.lenovo.com/de/en/downloads/ds504078" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">latest BIOS</a>.</p> <p>In early June 2019, my A485 came with BIOS version 1.16, but in July 2019 versions 1.22 and 1.24 came out, apparently one of these versions fixed something in the way the processor is used, which totally fixed these random panics.</p> <h1 id="graphics">Graphics</h1> <p>X is the best terminal multiplexer around, luckily this is supported out of the box these days both in 12-RELEASE and 13-CURRENT.</p> <p>Support for the graphics card is done through the <code>drm-kmod</code> port, which automagically installs and loads the appropriate drivers.</p> <p>Without this, external screens or graphics acceleration cannot be used.</p> <h2 id="12-release_1">12-RELEASE</h2> <p>Under 12-RELEASE this worked perfectly fine with <code>drm-kmod</code> version <code>4.16.g20190722</code> until I upgraded the BIOS to 1.24. After this upgrade, the system started hanging after boot when trying to load the graphics driver.</p> <p>On a <a href="https://lists.freebsd.org/pipermail/freebsd-current/2019-July/073864.html" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">message</a> on the mailing list someone had suggested previously to test version <code>5.0</code> of <code>drm-kmod</code>, as the first wrong hint at tackling the random panics involved this port.</p> <p>Getting <code>5.0</code> on 12-RELEASE involves building the port from source, which I didn&rsquo;t try, but should be doable.</p> <h2 id="13-current_1">13-CURRENT</h2> <p>After the BIOS upgrade to 1.24, 13-CURRENT with <code>drm-kmod</code> also stopped booting, since this is a development release, it was slightly easier to fix than compiling a newer version of the port, indeed there is a <code>drm-devel-kmod</code> port, which has version <code>5.0.g20190722</code>.</p> <p>With this newer version of <code>drm-kmod</code>, FreeBSD boots into X without issues.</p> <h1 id="wireless">Wireless</h1> <p>The A485 comes with a Realtek RTL8822BE, which is not supported, luckily enough it can be swapped by an Intel Dual Band Wireless-AC 8265, which is.</p> <p>Adding support for this wireless card is as simple as adding following to <code>/boot/loader.conf</code>:</p> <div class="codehilite"><pre><span></span><code><span class="c1"># Wireless Intel AC8265</span> <span class="c1"># Not strictly necessary, but the Realtek that is shipped is not</span> <span class="w"> </span><span class="n">supported</span> <span class="c1"># You can easily (and carefully) change the wireless cards.</span> <span class="n">if_iwm_load</span><span class="o">=</span><span class="s2">&quot;YES&quot;</span> <span class="n">iwm8265fw_load</span><span class="o">=</span><span class="s2">&quot;YES&quot;</span> </code></pre></div> <h1 id="sd-card-reader">SD Card reader</h1> <p>The SD card reader is currently not supported, <a href="https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=204521" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">bug #204521</a> is tracking this and has a bounty of 175 USD (mostly from arrowd, but I added to the bounty).</p> <p>Basically, driver <code>rtsx</code> should be ported from OpenBSD.</p> <h1 id="overview-of-relevant-bugs-and-issues">Overview of relevant bugs and issues</h1> <h2 id="231760-freebsd-halts-at-acpi-on-amd-ryzen-laptops"><a href="https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=231760" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">#231760 - FreeBSD halts at ACPI on AMD Ryzen laptops</a></h2> <p>Solved by <a href="https://reviews.freebsd.org/D20327" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">D20327</a>, and therefore in 13-CURRENT images built after August 3rd 2019.</p> <p>Workaround for 12-RELEASE is booting with <code>set hw.pci.mcfg=0</code> and setting <code>hw.pci.mcfg=0</code> in <code>/boot/loader.conf</code>.</p> <h2 id="239351-panic-spin-lock-held-too-long-a485-bios-bug"><a href="https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=239351" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">#239351 - PANIC spin lock held too long - A485 BIOS bug</a></h2> <p>Solved by upgrading BIOS to 1.24 or newer.</p> <h2 id="-rtl8822be-is-not-supported">? - RTL8822BE is not supported</h2> <p>Can be swapped by an Intel AC8265, ideally there would be drivers for Realtek cards, but that&rsquo;s harder to manage.</p> <h2 id="204521-support-for-realtek-sd-card-reader"><a href="https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=204521" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">#204521 - Support for Realtek SD card reader</a></h2> <p>Bounty of 175 USD, <code>rtsx</code> needs porting from OpenBSD to FreeBSD.</p>2016-03-15T00:00:00Zurn:uuid:7bad2f26-f54e-3da5-afd8-592d49ae82ea<h1 id="introduction">Introduction</h1> <p>Following up on my <a href="/en/blog/2016-AutoCAD-.net-cloud.html">previous post</a>, I&rsquo;ll introduce a small AutoCAD <a href="http://usa.autodesk.com/adsk/servlet/index?id=18162650&amp;siteID=123112" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">.Net plugin</a> that can run on the <a href="http://through-the-interface.typepad.com/through_the_interface/2012/02/the-autocad-2013-core-console.html" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">AcCoreConsole</a>.</p> <p>This could work as a hands-on, quick and dirty tutorial to writing .Net plugins for AutoCAD, I recommend reading the <a href="http://usa.autodesk.com/adsk/servlet/index?id=18162650&amp;siteID=123112" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">official documentation</a> though. If you are already comfortable writing .Net plugins for AutoCAD, you can skip to the <a href="#customising-execution-command-line-arguments">Customising execution (Command Line Arguments)</a> section.</p> <p>The idea of this plugin is to perform a computation that takes <em>a while</em> and exit; nothing fancy.</p> <p>The reason for this, is to test my implementation of something similar to <a href="https://developer.autodesk.com/api/autocadio/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">AutocadIO</a> that runs locally and in a much smaller scale; the main motivation for that is that many companies are not (yet) ready to handle over their files to Autodesk and having the files processed in their amazing cloud.</p> <p>At some point, my implementation should provide for an easy way to choose between using all local resources and sending jobs to <a href="https://developer.autodesk.com/api/autocadio/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">AutocadIO</a>; that would give maximum flexibility to both users and developers as well, all while giving end-users (companies) a peek into the potential of massively parallel running processes.</p> <h1 id="table-of-contents">Table of Contents</h1> <div class="toc"> <ul> <li><a href="#introduction">Introduction</a></li> <li><a href="#table-of-contents">Table of Contents</a></li> <li><a href="#previous-setup">Previous setup</a></li> <li><a href="#project-setup">Project setup</a><ul> <li><a href="#code">Code</a><ul> <li><a href="#the-plugin-class">The Plugin class</a></li> </ul> </li> <li><a href="#the-commands-class">The Commands class</a></li> <li><a href="#the-class-attributes">The class attributes</a></li> </ul> </li> <li><a href="#the-actual-workload-simulation-plugin">The actual workload simulation plugin</a><ul> <li><a href="#the-workload">The workload</a></li> <li><a href="#first-plugin-version">First Plugin version</a></li> <li><a href="#customising-execution-command-line-arguments">Customising execution (Command Line Arguments)</a></li> <li><a href="#using-the-plugin">Using the plugin</a></li> </ul> </li> <li><a href="#closing">Closing</a></li> </ul> </div> <h1 id="previous-setup">Previous setup</h1> <p>The officially supported way to write .Net plugins for Autocad is using Visual Studio, something like <a href="http://mono-project.com" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Mono</a> would probably work as well.</p> <p>Basically, you need a copy of the <a href="http://usa.autodesk.com/adsk/servlet/index?siteID=123112&amp;id=773204" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">ObjectARX SDK</a> which is a set of dlls that define AutoCAD&rsquo;s API.</p> <p>There are two ways to get (and license!) the ObjectARX SDK:</p> <ul> <li>Downloading it directly from the <a href="http://usa.autodesk.com/adsk/servlet/index?siteID=123112&amp;id=773204" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">official website</a>.</li> <li>Using <a href="https://www.nuget.org/packages/AutoCAD.NET/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">nuget</a>, which sets up everything for you. This currently only supports AutoCAD 2016; the binaries will usually be compatible with AutoCAD 2014 and 2015 though.</li> </ul> <p>I recommend using nuget since it&rsquo;s the most straightforward way to set up the development environment.</p> <p>If you do choose the other way, you will get a zip file with some samples, documentation and lots of other files. Most of these files are for ObjectARX developers, which is the underlying C++ API for AutoCAD.</p> <p>The most important files in the zip are in the <code>inc</code> directory: <code>AcCoreMgd.dll</code>, <code>AcDbMgd.dll</code>, <code>AcTcMgd.dll</code>. You should make sure to add references to these dlls in your Visual Studio project.</p> <h1 id="project-setup">Project setup</h1> <p>The Visual Studio project needs to have <em>Class Library</em> as its output type, this means that after compiling we will get a dll file containing the classes that make up the plugin.</p> <p>This dll gets imported in runtime by AutoCAD or the AcCoreConsole, which will also call the relevant bits of your code.</p> <h2 id="code">Code</h2> <p>There are basically two classes that make a .Net plugin for AutoCAD: the <code>Plugin</code> class and the <code>Commands</code> class.</p> <h3 id="the-plugin-class">The <code>Plugin</code> class</h3> <p>This class is optional, the basic idea is that this class is instantiated <strong>once</strong> and should contain data that is static for the plugin.</p> <p>The <code>Plugin</code> class makes more sense when running a command inside AutoCAD as opposed to the AcCoreConsole; the reason for that is that this class gets instantiated just once for the whole AutoCAD session, allowing you to share data across command executions in different documents and so on.</p> <p>Since in AcCoreConsole you only open one document, I think its usefulness is rather limited.</p> <p>A typical <code>Plugin</code> class would look like this:</p> <div class="codehilite"><pre><span></span><code><span class="k">using</span><span class="w"> </span><span class="nn">Autodesk.AutoCAD.Runtime</span><span class="p">;</span> <span class="na">[assembly: ExtensionApplication(typeof(MyPlugin.Plugin))]</span> <span class="k">namespace</span><span class="w"> </span><span class="nn">MyPlugin</span><span class="w"> </span> <span class="p">{</span> <span class="w"> </span><span class="k">public</span><span class="w"> </span><span class="k">class</span><span class="w"> </span><span class="nc">Plugin</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="n">IExtensionApplication</span> <span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="k">public</span><span class="w"> </span><span class="k">void</span><span class="w"> </span><span class="nf">Initialize</span><span class="p">()</span> <span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="c1">// Initialize some resources to be shared across documents</span> <span class="w"> </span><span class="c1">// and executions of any commands define by this plugin.</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="k">public</span><span class="w"> </span><span class="k">void</span><span class="w"> </span><span class="nf">Terminate</span><span class="p">()</span> <span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="c1">// Dispose of any resources that need to be manually released.</span> <span class="w"> </span><span class="c1">// Remember that AutoCAD is already closing at this point!</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="p">}</span> <span class="p">}</span> </code></pre></div> <p>The class name <code>Plugin</code> is totally arbitrary and could easily be something else.</p> <p>The important part here is that the class implements the <code>IExtensionApplication</code> interface.</p> <p>Signalising the <code>ExtensionApplication</code> attribute on a class is recommended, but not mandatory.</p> <h2 id="the-commands-class">The <code>Commands</code> class</h2> <p>This doesn&rsquo;t have to be a class <em>per se</em> but I do like to create a unique class that contains any custom defined commands.</p> <p>My typical <code>Commands</code> class looks like this:</p> <div class="codehilite"><pre><span></span><code><span class="k">using</span><span class="w"> </span><span class="nn">Autodesk.AutoCAD.Runtime</span><span class="p">;</span> <span class="k">using</span><span class="w"> </span><span class="nn">Autodesk.AutoCAD.ApplicationServices.Core</span><span class="p">;</span> <span class="na">[assembly: CommandClass(typeof(MyPlugin.Commands))]</span> <span class="k">namespace</span><span class="w"> </span><span class="nn">MyPlugin</span> <span class="p">{</span> <span class="w"> </span><span class="k">public</span><span class="w"> </span><span class="k">class</span><span class="w"> </span><span class="nc">Commands</span> <span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="na">[CommandMethod(&quot;MyCommand&quot;, &quot;MyCommand&quot;, &quot;MyCommand&quot;,</span> <span class="na"> CommandFlags.Modal &amp; CommandFlags.Session)]</span> <span class="w"> </span><span class="k">public</span><span class="w"> </span><span class="k">static</span><span class="w"> </span><span class="k">void</span><span class="w"> </span><span class="nf">MyCommandMethod</span><span class="p">()</span> <span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="c1">// Do something with the current drawing</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="p">}</span> <span class="p">}</span> </code></pre></div> <p>In addition to the class name <code>Commands</code>, the method name <code>MyCommandMethod</code> is arbitrary. The defined commands don&rsquo;t even have to be all in a single class.</p> <p>To define a command, we just use the <code>CommandMethod</code> attribute on a <code>static</code> method in a class as shown.</p> <p>As before, the <code>CommandClass</code> attribute is recommended but not mandatory</p> <p>To my understanding, the <code>Commands</code> class never gets instantiated since AutoCAD and AcCoreConsole invoke the static method directly.</p> <h2 id="the-class-attributes">The class attributes</h2> <p>The main benefit of using the <code>ExtensionApplication</code> and <code>CommandClass</code> attributes is load time. That way AutoCAD (and AcCoreConsole) know exactly where the Plugin&rsquo;s entry point is and where any commands are defined.</p> <p>If you use class attributes once, you must use them all the time in the plugin, otherwise any commands defined in a class not signalised with the <code>CommandClass</code> attribute won&rsquo;t be defined.</p> <p>More information on the class and method attributes can be found in the official documentation, as well as in <a href="https://about.me/keanw" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Kean</a>&lsquo;s incredibly informative <a href="http://through-the-interface.typepad.com/through_the_interface/2006/09/optimizing_the_.html" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">blog</a>.</p> <h1 id="the-actual-workload-simulation-plugin">The actual workload simulation plugin</h1> <h2 id="the-workload">The workload</h2> <p>Because of my Math background, I love the <a href="https://en.wikipedia.org/wiki/Fibonacci_number" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Fibonacci sequence</a>. Turns out, it&rsquo;s also a very popular programming exercise that shows how badly recursive algorithms can make something easy complicated.</p> <p>Which is why I picked this as a way to occupy the CPU in the plugin.</p> <div class="codehilite"><pre><span></span><code><span class="c1">/// &lt;summary&gt;</span> <span class="c1">/// Workload simulation. Naïve calculation of the n-th Fibonacci number.</span> <span class="c1">/// A significant workload can be achieved with n &gt;= 42.</span> <span class="c1">/// &lt;/summary&gt;</span> <span class="c1">/// &lt;param name=&quot;n&quot;&gt;&lt;/param&gt;</span> <span class="c1">/// &lt;returns&gt;&lt;/returns&gt;</span> <span class="k">private</span><span class="w"> </span><span class="k">static</span><span class="w"> </span><span class="kt">ulong</span><span class="w"> </span><span class="nf">Fib</span><span class="p">(</span><span class="kt">uint</span><span class="w"> </span><span class="n">n</span><span class="p">)</span> <span class="p">{</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">n</span><span class="w"> </span><span class="o">&lt;</span><span class="w"> </span><span class="m">2</span><span class="p">)</span> <span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="n">n</span><span class="p">;</span> <span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="nf">Fib</span><span class="p">(</span><span class="n">n</span><span class="o">-</span><span class="m">1</span><span class="p">)</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">Fib</span><span class="p">(</span><span class="n">n</span><span class="o">-</span><span class="m">2</span><span class="p">);</span> <span class="p">}</span> </code></pre></div> <h2 id="first-plugin-version">First Plugin version</h2> <p>Now, a very quick way to have a plugin that simulates workload would be to calculate <code>Fib(60)</code>; that would look something like this:</p> <div class="codehilite"><pre><span></span><code><span class="k">using</span><span class="w"> </span><span class="nn">System</span><span class="p">;</span> <span class="k">using</span><span class="w"> </span><span class="nn">Autodesk.AutoCAD.Runtime</span><span class="p">;</span> <span class="k">using</span><span class="w"> </span><span class="nn">Autodesk.AutoCAD.ApplicationServices.Core</span><span class="p">;</span> <span class="na">[assembly: CLSCompliant(true)]</span> <span class="na">[assembly: CommandClass(typeof(TestAcCorePlugin.Commands))]</span> <span class="k">namespace</span><span class="w"> </span><span class="nn">TestAcCorePlugin</span> <span class="p">{</span> <span class="w"> </span><span class="k">public</span><span class="w"> </span><span class="k">class</span><span class="w"> </span><span class="nc">Commands</span> <span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="na">[CommandMethod(&quot;TestAcCore&quot;, &quot;TestAcCore&quot;, &quot;TestAcCore&quot;,</span> <span class="na"> CommandFlags.Modal &amp; CommandFlags.Session)]</span> <span class="w"> </span><span class="k">public</span><span class="w"> </span><span class="k">static</span><span class="w"> </span><span class="k">void</span><span class="w"> </span><span class="nf">TestAcCoreCommand</span><span class="p">()</span> <span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="n">Application</span><span class="p">.</span><span class="n">DocumentManager</span><span class="p">.</span><span class="n">MdiActiveDocument</span><span class="p">.</span><span class="n">Editor</span><span class="p">.</span><span class="n">WriteMessage</span><span class="p">(</span> <span class="w"> </span><span class="kt">string</span><span class="p">.</span><span class="n">Format</span><span class="p">(</span><span class="s">&quot;\nFib {0}:\t{1}&quot;</span><span class="p">,</span><span class="w"> </span><span class="m">60</span><span class="p">,</span><span class="w"> </span><span class="n">Fib</span><span class="p">(</span><span class="m">60</span><span class="p">)));</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="c1">/// &lt;summary&gt;</span> <span class="w"> </span><span class="c1">/// Workload simulation. Naïve calculation of the n-th Fibonacci number.</span> <span class="w"> </span><span class="c1">/// A significant workload can be achieved with n &gt;= 42.</span> <span class="w"> </span><span class="c1">/// &lt;/summary&gt;</span> <span class="w"> </span><span class="c1">/// &lt;param name=&quot;n&quot;&gt;&lt;/param&gt;</span> <span class="w"> </span><span class="c1">/// &lt;returns&gt;&lt;/returns&gt;</span> <span class="w"> </span><span class="k">private</span><span class="w"> </span><span class="k">static</span><span class="w"> </span><span class="kt">ulong</span><span class="w"> </span><span class="nf">Fib</span><span class="p">(</span><span class="kt">uint</span><span class="w"> </span><span class="n">n</span><span class="p">)</span> <span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">n</span><span class="w"> </span><span class="o">&lt;</span><span class="w"> </span><span class="m">2</span><span class="p">)</span> <span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="n">n</span><span class="p">;</span> <span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="nf">Fib</span><span class="p">(</span><span class="n">n</span><span class="o">-</span><span class="m">1</span><span class="p">)</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">Fib</span><span class="p">(</span><span class="n">n</span><span class="o">-</span><span class="m">2</span><span class="p">);</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="p">}</span> <span class="p">}</span> </code></pre></div> <p>But I want this plugin to be a bit more flexible than that and since it will be running in the AcCoreConsole&hellip;</p> <h2 id="customising-execution-command-line-arguments">Customising execution (Command Line Arguments)</h2> <p>To my knowledge, there is no defined way to pass information to AcCoreConsole plugins; a suggestion <a href="https://about.me/keanw" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Kean</a> made when we met last year in Prague was to pass arguments in the Command Line to the plugin.</p> <p>This is possible because the AcCoreConsole ignores any arguments it doesn&rsquo;t recognise. That leaves us with the issue of telling AcCoreConsole&rsquo;s arguments and those for our plugin apart.</p> <p>One way to do that is the good ol&rsquo; UNIX way of using two consecutive dashes: <code>--</code> to signalise the beginning of our arguments.</p> <p>That leads us to this method:</p> <div class="codehilite"><pre><span></span><code><span class="c1">/// &lt;summary&gt;</span> <span class="c1">/// Ignore any command line arguments before the last &quot;--&quot; word.</span> <span class="c1">/// &lt;/summary&gt;</span> <span class="c1">/// &lt;returns&gt;A list of the gotten arguments.&lt;/returns&gt;</span> <span class="k">private</span><span class="w"> </span><span class="k">static</span><span class="w"> </span><span class="n">List</span><span class="o">&lt;</span><span class="kt">string</span><span class="o">&gt;</span><span class="w"> </span><span class="n">ParseArgs</span><span class="p">()</span> <span class="p">{</span> <span class="w"> </span><span class="kt">var</span><span class="w"> </span><span class="n">args</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">new</span><span class="w"> </span><span class="n">List</span><span class="o">&lt;</span><span class="kt">string</span><span class="o">&gt;</span><span class="p">(</span><span class="n">Environment</span><span class="p">.</span><span class="n">GetCommandLineArgs</span><span class="p">());</span> <span class="w"> </span><span class="kt">var</span><span class="w"> </span><span class="n">parsedArgs</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">new</span><span class="w"> </span><span class="n">List</span><span class="o">&lt;</span><span class="kt">string</span><span class="o">&gt;</span><span class="p">();</span> <span class="w"> </span><span class="kt">var</span><span class="w"> </span><span class="n">lastIndex</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">args</span><span class="p">.</span><span class="n">FindLastIndex</span><span class="p">((</span><span class="n">x</span><span class="p">)</span><span class="w"> </span><span class="o">=&gt;</span><span class="w"> </span><span class="n">x</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="s">&quot;--&quot;</span><span class="p">);</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">lastIndex</span><span class="w"> </span><span class="o">&gt;</span><span class="w"> </span><span class="m">0</span><span class="w"> </span><span class="o">&amp;&amp;</span><span class="w"> </span><span class="n">lastIndex</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="m">1</span><span class="w"> </span><span class="o">&lt;</span><span class="w"> </span><span class="n">args</span><span class="p">.</span><span class="n">Count</span><span class="p">)</span> <span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="n">parsedArgs</span><span class="p">.</span><span class="n">AddRange</span><span class="p">(</span> <span class="w"> </span><span class="n">args</span><span class="p">.</span><span class="n">GetRange</span><span class="p">(</span><span class="n">lastIndex</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="m">1</span><span class="p">,</span><span class="w"> </span><span class="n">args</span><span class="p">.</span><span class="n">Count</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="p">(</span><span class="n">lastIndex</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="m">1</span><span class="p">)));</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="n">parsedArgs</span><span class="p">;</span> <span class="p">}</span> </code></pre></div> <p>This method reads the arguments from the <code>Environment</code> variable, finds the last appearance of <code>--</code> and ignores everything behind that. That way we don&rsquo;t have to worry about parsing and understanding AcCoreConsole&rsquo;s arguments.</p> <p>Furthermore, it provides us with a (probably) forward compatible way of passing arguments. If Autodesk decides to add more Command Line arguments to the AcCoreConsole in the future, that&rsquo;s OK since we just ignore everything before the last <code>--</code>.</p> <p>Now, to use the gotten arguments we have to modify the <code>TestAcCoreCommand</code> method:</p> <div class="codehilite"><pre><span></span><code><span class="k">public</span><span class="w"> </span><span class="k">static</span><span class="w"> </span><span class="k">void</span><span class="w"> </span><span class="nf">TestAcCoreCommand</span><span class="p">()</span> <span class="p">{</span> <span class="w"> </span><span class="kt">var</span><span class="w"> </span><span class="n">args</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">ParseArgs</span><span class="p">();</span> <span class="w"> </span><span class="kt">var</span><span class="w"> </span><span class="n">fibs</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">new</span><span class="w"> </span><span class="n">List</span><span class="o">&lt;</span><span class="kt">uint</span><span class="o">&gt;</span><span class="p">();</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">args</span><span class="p">.</span><span class="n">Count</span><span class="w"> </span><span class="o">&gt;</span><span class="w"> </span><span class="m">0</span><span class="p">)</span> <span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="k">foreach</span><span class="w"> </span><span class="p">(</span><span class="kt">var</span><span class="w"> </span><span class="n">arg</span><span class="w"> </span><span class="k">in</span><span class="w"> </span><span class="n">args</span><span class="p">)</span> <span class="w"> </span><span class="n">fibs</span><span class="p">.</span><span class="n">Add</span><span class="p">(</span><span class="kt">uint</span><span class="p">.</span><span class="n">Parse</span><span class="p">(</span><span class="n">arg</span><span class="p">));</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="k">else</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="p">(</span><span class="kt">uint</span><span class="w"> </span><span class="n">i</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="m">0</span><span class="p">;</span><span class="w"> </span><span class="n">i</span><span class="w"> </span><span class="o">&lt;</span><span class="w"> </span><span class="m">45</span><span class="p">;</span><span class="w"> </span><span class="o">++</span><span class="n">i</span><span class="p">)</span> <span class="w"> </span><span class="n">fibs</span><span class="p">.</span><span class="n">Add</span><span class="p">(</span><span class="n">i</span><span class="p">);</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="k">foreach</span><span class="w"> </span><span class="p">(</span><span class="kt">var</span><span class="w"> </span><span class="n">i</span><span class="w"> </span><span class="k">in</span><span class="w"> </span><span class="n">fibs</span><span class="p">)</span> <span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="n">Application</span><span class="p">.</span><span class="n">DocumentManager</span><span class="p">.</span><span class="n">MdiActiveDocument</span><span class="p">.</span><span class="n">Editor</span><span class="p">.</span><span class="n">WriteMessage</span><span class="p">(</span> <span class="w"> </span><span class="kt">string</span><span class="p">.</span><span class="n">Format</span><span class="p">(</span><span class="s">&quot;\nFib {0}:\t{1}&quot;</span><span class="p">,</span><span class="w"> </span><span class="n">i</span><span class="p">,</span><span class="w"> </span><span class="n">Fib</span><span class="p">(</span><span class="n">i</span><span class="p">)));</span> <span class="w"> </span><span class="p">}</span> <span class="p">}</span> </code></pre></div> <p>In this case, we treat the arguments as a list of integers that tells us which members of the Fibonacci sequence are to be calculated.</p> <p>When no argument is passed (or if the command runs inside AutoCAD), we calculate the first 45 Fibonacci numbers.</p> <h2 id="using-the-plugin">Using the plugin</h2> <p>After compiling, a <code>TestAcCorePlugin.dll</code> file will be generated. This file can be loaded with <code>netload</code> from both inside AutoCAD and the AcCoreConsole; that will define the <code>testaccore</code> command.</p> <p>To automate loading and command calling, I created a Script file called <code>ac.scr</code>, with following content:</p> <div class="codehilite"><pre><span></span><code><span class="n">secureload</span><span class="w"> </span><span class="mi">0</span> <span class="n">netload</span><span class="w"> </span><span class="s2">&quot;${PathToDll}\TestAcCorePlugin.dll&quot;</span> <span class="n">testaccore</span> <span class="n">secureload</span><span class="w"> </span><span class="mi">1</span> </code></pre></div> <p>The <code>secureload</code> part is because we are not (yet) signing this dll; which we should.</p> <p>Now with an open Command Prompt, I can invoke my plugin with:</p> <div class="codehilite"><pre><span></span><code>&quot;<span class="cp">${</span><span class="n">PathToAutoCAD</span><span class="cp">}</span>\accoreconsole.exe&quot;<span class="w"> </span>/s<span class="w"> </span>&quot;%{PathToScript}\ac.scr&quot;<span class="w"> </span>--<span class="w"> </span>30<span class="w"> </span>40<span class="w"> </span>45 </code></pre></div> <p>Which will produce following output:</p> <div class="codehilite"><pre><span></span><code><span class="n">AutoCAD</span><span class="w"> </span><span class="n">Core</span><span class="w"> </span><span class="n">Engine</span><span class="w"> </span><span class="n">Console</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Copyright</span><span class="w"> </span><span class="n">Autodesk</span><span class="p">,</span><span class="w"> </span><span class="n">Inc</span><span class="w"> </span><span class="mi">2009</span><span class="o">-</span><span class="mf">2013.</span> <span class="n">Regenerating</span><span class="w"> </span><span class="n">model</span><span class="o">.</span> <span class="n">Command</span><span class="p">:</span><span class="w"> </span><span class="n">netload</span><span class="w"> </span><span class="n">Assembly</span><span class="w"> </span><span class="n">file</span><span class="w"> </span><span class="n">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;${PathToDll}\TestAcCorePlugin.dll&quot;</span> <span class="n">Command</span><span class="p">:</span><span class="w"> </span><span class="n">testaccore</span> <span class="n">Fib</span><span class="w"> </span><span class="mi">30</span><span class="p">:</span><span class="w"> </span><span class="mi">832040</span> <span class="n">Fib</span><span class="w"> </span><span class="mi">40</span><span class="p">:</span><span class="w"> </span><span class="mi">102334155</span> <span class="n">Fib</span><span class="w"> </span><span class="mi">45</span><span class="p">:</span><span class="w"> </span><span class="mi">1134903170</span> <span class="n">Command</span><span class="p">:</span><span class="w"> </span><span class="n">_quit</span> </code></pre></div> <p>Great! We just used AcCoreConsole to calculate Fibonacci numbers.</p> <h1 id="closing">Closing</h1> <p>The main point of this post is the usage of Command Line Arguments to customise the execution of a given script running in AcCoreConsole.</p> <p>This allows for many interesting use-cases: we can, for example, run three different AcCoreConsoles, each with a different number as an argument; that would make the calculations in parallel as opposed to serially.</p> <p>As a matter of fact, I am doing just that; next post will start introducing what I call <strong>OwnACCCL</strong> (OwnAcCoreConsoleLauncher). Which takes care of starting the AcCoreConsoles with the proper arguments and not exhausting the system&rsquo;s resources while at it.</p>2016-03-14T00:00:00Zurn:uuid:e080f626-b1a5-3acb-9eae-0a1d7ca7990c<h1 id="introduction">Introduction</h1> <p>It has been quite a while since I last updated this blog and in between a lot has changed personally, professionally and in technology. For instance: German is now the language I speak the most and it has taken its toll on my English, I apologise for that in advance.</p> <p>Another thing that has changed is my preference of technology when it comes to AutoCAD automation: back when I wrote <a href="[[en/blog/2012-AutoCAD-automation.html]]">this post</a> it was Lisp, nowadays I use mostly <a href="http://usa.autodesk.com/adsk/servlet/index?id=18162650&amp;siteID=123112" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">.Net plugins</a>.</p> <blockquote> <p>The downside [of Lisp, back in 2013 my go-to AutoCAD automation tech] is that it&rsquo;s quite a mess to have a GUI for the scripts or routines you develop. I mean, sure, it can be done (there&rsquo;s DCL after all) but it&rsquo;s not as flexible or easy as one would hope. Luckily, for most use cases a simple custom toolbar and text input will make users happy.</p> </blockquote> <p>Turns out, all those issues with GUI development along with some caveats with batch scripting (on hundreds and thousands of DWG files) made Lisp more of a burden than a blessing.</p> <p>Also, <a href="http://through-the-interface.typepad.com/through_the_interface/2012/02/the-autocad-2013-core-console.html" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">AcCoreConsole</a> happened and Autodesk has been investing in cloud technologies heavily, so <a href="https://developer.autodesk.com/api/autocadio/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">AutocadIO</a> and <a href="https://developer.autodesk.com/api/view-and-data-api/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">View and Data</a> APIs will be coming strong.</p> <h1 id="table-of-contents">Table of Contents</h1> <div class="toc"> <ul> <li><a href="#introduction">Introduction</a></li> <li><a href="#table-of-contents">Table of Contents</a></li> <li><a href="#why-net">Why .Net?</a><ul> <li><a href="#performance-and-flexibility">Performance and flexibility</a></li> <li><a href="#better-tools-and-support">Better tools and support</a></li> <li><a href="#purpose-oriented-routines">Purpose oriented routines</a></li> <li><a href="#packaging-distribution-and-deployment">Packaging, distribution and deployment</a></li> </ul> </li> <li><a href="#accoreconsole-and-the-cloud">AcCoreConsole and the Cloud</a></li> <li><a href="#closing">Closing</a></li> </ul> </div> <h1 id="why-net">Why .Net?</h1> <h2 id="performance-and-flexibility">Performance and flexibility</h2> <p>Autodesk invested very heavily in creating a powerful, flexible, yet simple .Net API for AutoCAD. It allows developers to do nearly everything that is possible with ObjectARX (the low level C++ API) with a higher level language like C#, F# or VB.Net.</p> <h2 id="better-tools-and-support">Better tools and support</h2> <p>If you want to write Lisp for Autocad, you will most likely use Notepad++ or the Visual Lisp IDE, which has probably not received significant update since before year 2000; it looks like it&rsquo;s basically supported for backwards compatibility and to avoid annoying the remaining Lispers amongst us.</p> <p>With .Net, you can use Visual Studio and its debugging features which are, in my opinion, far better.</p> <p>It is also easier to structure, maintain and reuse code thanks to shared class libraries.</p> <h2 id="purpose-oriented-routines">Purpose oriented routines</h2> <p>Most of my Lisp routines were very generic and defined a couple AutoCAD commands with the most common options. These routines could be quickly extended to do <em>exactly</em> what the user wanted with Lisp one-liners; my experience so far has been that end-users <em>never</em> do that and they end up forgetting commands they don&rsquo;t use that often.</p> <p>The reason for that is that most end-users have no experience with simple programming, left alone with Lisp; you can&rsquo;t really blame them.</p> <p>Which is why I now focus on providing users with a GUI application that allows them to perform a specific task and adjust the parameters for that in the process. This is much easier in .Net, specially when using WPF for the GUIs.</p> <p>That being said, I still provide commands that allow programmatic usage of the routines; that means I sometimes use Lisp as some kind of <em>meta-scripting</em> to further automate .Net routines.</p> <h2 id="packaging-distribution-and-deployment">Packaging, distribution and deployment</h2> <p>Common issues with Lisp scripts were:</p> <ul> <li>Users found routine installation too complicated.</li> <li>It was difficult to provide users with updates.</li> <li>As long as users were in our office, everything worked fine because of custom AutoCAD workspaces; remote or in-client-premises workers were sometimes not as lucky.</li> </ul> <p>Some of these issues were addressed by Autodesk with the introduction of the Autoloader (see the <a href="http://adndevblog.typepad.com/autocad/2013/01/autodesk-autoloader-white-paper.html" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">white paper</a>), but others (e.g. updates) persist and are quite difficult do solve with Lisp but not so in .Net.</p> <h1 id="accoreconsole-and-the-cloud">AcCoreConsole and the Cloud</h1> <p>Back in 2013, Autodesk had already been separating AutoCAD&rsquo;s GUI from the logic; one of the reasons for that, was to provide a Mac version of AutoCAD. As a result of that separation, the <a href="http://through-the-interface.typepad.com/through_the_interface/2012/02/the-autocad-2013-core-console.html" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">AcCoreConsole</a> was born.</p> <p>The <a href="http://through-the-interface.typepad.com/through_the_interface/2012/02/the-autocad-2013-core-console.html" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">AcCoreConsole</a> is a headless, minimalistic version of AutoCAD, that can fully interact with a DWG database. For regular users, this means nothing; for developers however, this opened up a world of possibilities.</p> <p>Suddenly, running a Lisp script in a few hundred files was as easy as preparing a small <code>.bat</code> file that called the AcCoreConsole with the right arguments and invoked the script. All with the performance gains of not having any GUI and not having to render each opened drawing &mdash; these performance gains are <em>huge</em>.</p> <p>This, along with the rise of Amazon Web Services, gave some very clever people in Autodesk the base idea for <a href="https://developer.autodesk.com/api/autocadio/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">AutocadIO</a> and <a href="https://developer.autodesk.com/api/view-and-data-api/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">View and Data</a>.</p> <p><a href="https://developer.autodesk.com/api/autocadio/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">AutocadIO</a> is basically a way of running scripts massively in the cloud and <a href="https://developer.autodesk.com/api/view-and-data-api/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">View and Data</a> is a way of accessing or displaying drawings in a browser.</p> <p>The potential of these APIs both in and outside of the engineering world is enormous and they will surely gain importance in the next couple years.</p> <p>A very cool example prepared by <a href="https://about.me/keanw" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Kean Walmsley</a> is <a href="http://www.jigsawify.com/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Jigsawify</a>; information on some design decisions and technical details can be found on <a href="http://through-the-interface.typepad.com/through_the_interface/autocad-io/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">his blog</a>.</p> <h1 id="closing">Closing</h1> <p>This post serves as a bit of an update and introduction for the work I&rsquo;ve been doing in the past few months, stay tuned.</p>2013-01-31T00:00:00Zurn:uuid:2d6a60ce-93dd-3eba-af25-efecb97bd7c3<h1 id="introduction">Introduction</h1> <p>If you&rsquo;re a somewhat advanced AutoCAD user, you probably fully understand blocks and its usage. If that&rsquo;s the case, you probably should skip to the next part of the series on <strong>blocks</strong>.</p> <p>Basically, a block is a way of grouping objects (e.g. lines, texts, circles, other blocks, etc.), giving such group a name and it allows for easy manipulation of a big amount of objects.</p> <p>On this part, we&rsquo;ll see some advantages of using blocks and lastly but more importantly: <strong>block attributes</strong>.</p> <h1 id="table-of-contents">Table of Contents</h1> <div class="toc"> <ul> <li><a href="#introduction">Introduction</a></li> <li><a href="#table-of-contents">Table of Contents</a></li> <li><a href="#advantages">Advantages</a><ul> <li><a href="#smaller-file-size">Smaller file size</a></li> <li><a href="#instant-update-of-symbols">Instant update of symbols</a></li> <li><a href="#conceptual-and-graphic-separation">Conceptual and graphic separation</a></li> </ul> </li> <li><a href="#block-attributes">Block Attributes</a><ul> <li><a href="#what-are-attributes">What are attributes?</a></li> <li><a href="#example">Example</a></li> <li><a href="#the-catch">The catch</a></li> </ul> </li> <li><a href="#closing">Closing</a></li> </ul> </div> <h1 id="advantages">Advantages</h1> <p>Use of blocks has several advantages, here are some I came up with:</p> <h2 id="smaller-file-size">Smaller file size</h2> <p>The <strong>block definition</strong> is saved just once and every graphic instance of a block (called <strong>block reference</strong>) consists only of basic properties like: block name, insertion point, scale (x,y,z) and rotation (plus, the general graphic object properties). That means that when a block is used several times, less information has to be stored in the file.</p> <h2 id="instant-update-of-symbols">Instant update of symbols</h2> <p>Again, because the block definition is saved just once, if you need to modify a symbol you have used a hundred times, you need only to modify the block definition in order to reflect those changes <em>consistently</em> and <em>instantly</em> across the drawing.</p> <h2 id="conceptual-and-graphic-separation">Conceptual and graphic separation</h2> <p>If a drawing is complex and <em>layers</em> are not enough for conceptual separation, it may be useful to create blocks for things that represent different parts of the same object. Done correctly, it can avoid confusion and create a better workflow.</p> <h1 id="block-attributes">Block Attributes</h1> <h2 id="what-are-attributes">What are attributes?</h2> <p>Attributes are a way of having some text associated with a block, the beautiful thing of attributes is that, unlike the other parts of a block (excluding dynamic blocks), they can change from one block reference to another.</p> <p>These attributes may or may not be visible, constant, you can change their position, even change their aspect for each block reference, they are quite flexible.</p> <h2 id="example">Example</h2> <p>Consider a valve and its <strong>TAG</strong> number, it may be desirable to use a block for the symbol but texts are something static that looks exactly the same in all of the instances. One solution could be to use a different block for each <em>tag</em>, but that&rsquo;d defeat the point of using blocks. Here is where attributes come handy, we just add one to the block definition, place it where we want it, insert it and change the text at will.</p> <p><img alt="valves" src="/media/img/valves.gif" title="Valves" /></p> <h2 id="the-catch">The catch</h2> <p>The flexibility of attributes comes with a cost, since you are able to relocate them, change their colour, text style, angle, alignment, etc. for each block reference, there&rsquo;s a bit of a disconnection between the block definition and the block reference when it comes to attributes.</p> <p>For instance, say you define a block <code>valve</code> without the <em>tag</em> attribute, make a couple insertions of the block and then realise you need that tag attribute. So you go to the block definition, add it and save the definition.</p> <p>What happens to the <em>existing</em> block references? Absolutely nothing, they won&rsquo;t have your <em>tag</em> attribute. Similarly, relocating an attribute or changing its aspect won&rsquo;t affect the existing block references. Instead, all of the new ones will be exactly as the block definition.</p> <p>There&rsquo;s a way to force a global update of a particular attribute natively with AutoCAD, it&rsquo;s under: Modify / Object / Attribute / Block Attribute Manager. The downside is that it will reset <em>all</em> of the properties for a given attribute, that is, if you relocated the attribute in a cluttered zone so that it&rsquo;s visible, it&rsquo;ll go back to the default position and overlap with something else, so be careful!</p> <p>You could, of course, write your own Lisp routines to update just a given property like colour or layer.</p> <h1 id="closing">Closing</h1> <p>In a few follow up posts, I&rsquo;ll cover how to create and modify blocks, how to insert them from an existing file, how to access and modify its attributes, and a few other things, all with <strong>lisp scripting</strong>. Stay tuned.</p>2012-06-27T00:00:00Zurn:uuid:957e84bc-b449-34ed-a4d0-5f7022cc50ad<h1 id="introduction">Introduction</h1> <p>As you can check on my CV, I&rsquo;ve been working as a draughtsman/IT guy/CAD manager for around five years now.</p> <p>We spend most of our time &ldquo;drawing&rdquo; things with <a href="https://en.wikipedia.org/wiki/AutoCAD" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Autodesk&rsquo;s AutoCAD</a>. Be it a P&amp;ID, an electric diagram, civil, structural or piping drafts, a 3D model, you name it!</p> <p>Being a somewhat small company, in five years we&rsquo;ve faced different challenges, like getting projects that would require more human hours than we have the means to cover — either by lack of personnel or deadlines.</p> <p>Sometimes we&rsquo;ve solved those challenges by getting more people, sometimes by working more hours than usual. Sometimes though those things are just not possible — something <em>else</em> is needed.</p> <h1 id="table-of-contents">Table of Contents</h1> <div class="toc"> <ul> <li><a href="#introduction">Introduction</a></li> <li><a href="#table-of-contents">Table of Contents</a></li> <li><a href="#automation-in-autocad">Automation in AutoCAD</a><ul> <li><a href="#small-sample">Small sample</a></li> </ul> </li> <li><a href="#conclusion">Conclusion</a></li> <li><a href="#further-reading">Further reading</a></li> </ul> </div> <h1 id="automation-in-autocad">Automation in AutoCAD</h1> <p>That something <em>else</em>, would be automation in AutoCAD. That is, using some amount of programming to make tasks easier, faster and less monotonous.</p> <p>There are plenty of APIs for AutoCAD, the eldest (and my favourite!) being <a href="https://en.wikipedia.org/wiki/Lisp_programming_language" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Lisp</a> (more accurately <a href="https://en.wikipedia.org/wiki/AutoLISP" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">AutoLisp/Visual Lisp</a>).</p> <p>Other options include VBA, .NET and <a href="https://en.wikipedia.org/wiki/ObjectARX" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">ObjectARX</a>. VBA for AutoCAD is deprecated though, so that leaves us with either .NET and ObjectARX as alternatives.</p> <p>I mentioned that my favourite option is <strong>Lisp</strong> and that it&rsquo;s the oldest; the thing is that ever since the Visual Lisp extensions, it&rsquo;s incredibly easy to program in a somewhat object-oriented way and to manipulate graphic objects without having to worry too much about AutoCAD&rsquo;s inner functioning.</p> <p>The downside is that it&rsquo;s quite a mess to have a GUI for the scripts or routines you develop. I mean, sure, it can be done (there&rsquo;s DCL after all) but it&rsquo;s not as flexible or easy as one would hope. Luckily, for most use cases a simple custom toolbar and text input will make users happy.</p> <p>If you really need GUIs or deep control of what&rsquo;s going on under the hood, I&rsquo;d strongly recommend learning about the <a href="https://en.wikipedia.org/wiki/ObjectARX" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">ObjectARX</a> API. It&rsquo;s well-documented and it&rsquo;s incredibly powerful — you have to program in C++ though.</p> <h2 id="small-sample">Small sample</h2> <p>Here are some bits from what I usually have on my <code>acaddoc.lsp</code> file. That is, the customisations that are loaded with each drawing.</p> <p>Most are really silly things that happen to save little time per single use but one gets to use quite a lot depending on the kind of work currently at hand.</p> <p>You may download this file <a href="/media/lsp/small-sample.lsp">here</a>.</p> <div class="codehilite"><pre><span></span><code><span class="c1">; small-sample.lsp: Is a small sample of things that can be done with</span> <span class="c1">; Visual Lisp. It includes part of Evilham&#39;s acaddoc.lsp.</span> <span class="c1">;</span> <span class="c1">; LICENSE:</span> <span class="c1">; Copyright (c) 2012, Evilham (https://evilham.com) </span> <span class="c1">; BSD 2-Clause copyright and disclaimer apply.</span> <span class="c1">; See: http://www.opensource.org/licenses/bsd-license.php</span> <span class="c1">; This loads the Visual Lisp extensions for AutoLisp</span> <span class="p">(</span><span class="nv">vl-load-com</span><span class="p">)</span> <span class="p">(</span><span class="nb">defun</span><span class="w"> </span><span class="nv">c:</span><span class="o">``</span><span class="p">()</span> <span class="c1">; Toggle isometric / orthogonal axis (called snap in AutoCAD)</span> <span class="w"> </span><span class="p">(</span><span class="nv">setvar</span><span class="w"> </span><span class="ss">&#39;SNAPSTYL</span><span class="w"> </span><span class="p">(</span><span class="nb">*</span><span class="w"> </span><span class="p">(</span><span class="nb">-</span><span class="w"> </span><span class="p">(</span><span class="nv">getvar</span><span class="w"> </span><span class="ss">&#39;SNAPSTYL</span><span class="p">)</span><span class="w"> </span><span class="mi">1</span><span class="p">)</span><span class="w"> </span><span class="mi">-1</span><span class="p">)))</span> <span class="p">(</span><span class="nb">defun</span><span class="w"> </span><span class="nv">c:&lt;&lt;</span><span class="p">(</span><span class="nb">/</span><span class="w"> </span><span class="nv">z</span><span class="p">)</span> <span class="c1">; Print the Z coordinate of a given point:</span> <span class="w"> </span><span class="p">(</span><span class="k">setq</span><span class="w"> </span><span class="nv">z</span><span class="w"> </span><span class="p">(</span><span class="nb">nth</span><span class="w"> </span><span class="mi">2</span><span class="w"> </span><span class="p">(</span><span class="nv">getpoint</span><span class="w"> </span><span class="s">&quot;\nPoint to get z from: &quot;</span><span class="p">)))</span> <span class="w"> </span><span class="p">(</span><span class="nb">princ</span><span class="w"> </span><span class="p">(</span><span class="nv">strcat</span><span class="w"> </span><span class="s">&quot;\nz: &quot;</span><span class="w"> </span><span class="p">(</span><span class="nv">rtos</span><span class="w"> </span><span class="nv">z</span><span class="w"> </span><span class="mi">2</span><span class="w"> </span><span class="mi">2</span><span class="p">)))</span> <span class="w"> </span><span class="p">(</span><span class="nb">princ</span><span class="p">))</span> <span class="p">(</span><span class="nb">defun</span><span class="w"> </span><span class="nv">ss-&gt;vla-objectlist</span><span class="p">(</span><span class="nv">ss</span><span class="w"> </span><span class="nb">/</span><span class="w"> </span><span class="nv">lst</span><span class="w"> </span><span class="nv">i</span><span class="w"> </span><span class="nv">lim</span><span class="p">)</span> <span class="c1">; Convert a selection set to a list of vla-objects</span> <span class="w"> </span><span class="p">(</span><span class="k">setq</span><span class="w"> </span><span class="nv">i</span><span class="w"> </span><span class="mi">-1</span><span class="w"> </span><span class="nv">lim</span><span class="w"> </span><span class="p">(</span><span class="nv">sslength</span><span class="w"> </span><span class="nv">ss</span><span class="p">))</span> <span class="w"> </span><span class="p">(</span><span class="nv">while</span><span class="w"> </span><span class="p">(</span><span class="nb">&lt;</span><span class="w"> </span><span class="p">(</span><span class="k">setq</span><span class="w"> </span><span class="nv">i</span><span class="w"> </span><span class="p">(</span><span class="nb">1+</span><span class="w"> </span><span class="nv">i</span><span class="p">))</span><span class="w"> </span><span class="nv">lim</span><span class="p">)</span> <span class="w"> </span><span class="p">(</span><span class="k">setq</span><span class="w"> </span><span class="nv">lst</span><span class="w"> </span><span class="p">(</span><span class="nb">cons</span><span class="w"> </span><span class="p">(</span><span class="nv">vlax-ename-&gt;vla-object</span><span class="w"> </span><span class="p">(</span><span class="nv">ssname</span><span class="w"> </span><span class="nv">ss</span><span class="w"> </span><span class="nv">i</span><span class="p">))</span><span class="w"> </span><span class="nv">lst</span><span class="p">)))</span> <span class="w"> </span><span class="p">(</span><span class="nb">reverse</span><span class="w"> </span><span class="nv">lst</span><span class="p">))</span> <span class="p">(</span><span class="nb">defun</span><span class="w"> </span><span class="nv">txtnum</span><span class="p">(</span><span class="nv">ss</span><span class="w"> </span><span class="nv">prefix</span><span class="w"> </span><span class="nv">suffix</span><span class="w"> </span><span class="nv">nstart</span><span class="w"> </span><span class="nv">nstep</span><span class="w"> </span><span class="nv">ndecimals</span><span class="w"> </span><span class="nb">/</span><span class="w"> </span><span class="nv">i</span><span class="w"> </span><span class="nv">n</span><span class="w"> </span><span class="nv">obj</span><span class="p">)</span> <span class="c1">; Takes a selection set / vla-object list, two strings (prefix/suffix)</span> <span class="c1">; and three numbers nstart, nstep, ndecimals.</span> <span class="c1">; It puts in the text/mtext objects&#39; TextString property the following:</span> <span class="c1">; (strcat prefix NUM suffix)</span> <span class="c1">; where NUM is nstart + POS_IN_QUEUE * nstep. With ndecimals decimals.</span> <span class="c1">; If ss is a selection set, convert it to a list.</span> <span class="w"> </span><span class="p">(</span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="nb">=</span><span class="w"> </span><span class="p">(</span><span class="k">type</span><span class="w"> </span><span class="nv">ss</span><span class="p">)</span><span class="w"> </span><span class="ss">&#39;PICKSET</span><span class="p">)</span> <span class="w"> </span><span class="p">(</span><span class="k">setq</span><span class="w"> </span><span class="nv">ss</span><span class="w"> </span><span class="p">(</span><span class="nv">ss-&gt;vla-objectlist</span><span class="w"> </span><span class="nv">ss</span><span class="p">)))</span> <span class="c1">; If ss is not a list at this point. Or nstart, nstep, ndecimals are not all</span> <span class="c1">; numbers, set ss to nil. That skips the code and avoids errors.</span> <span class="w"> </span><span class="p">(</span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="nb">not</span><span class="w"> </span><span class="p">(</span><span class="nb">and</span><span class="w"> </span><span class="p">(</span><span class="nb">listp</span><span class="w"> </span><span class="nv">ss</span><span class="p">)</span><span class="w"> </span><span class="p">(</span><span class="nb">numberp</span><span class="w"> </span><span class="nv">nstart</span><span class="p">)</span><span class="w"> </span><span class="p">(</span><span class="nb">numberp</span><span class="w"> </span><span class="nv">nstep</span><span class="p">)</span> <span class="w"> </span><span class="p">(</span><span class="nb">numberp</span><span class="w"> </span><span class="nv">ndecimals</span><span class="p">)</span><span class="w"> </span><span class="p">(</span><span class="k">setq</span><span class="w"> </span><span class="nv">ndecimals</span><span class="w"> </span><span class="p">(</span><span class="nv">fix</span><span class="w"> </span><span class="nv">ndecimals</span><span class="p">))))</span> <span class="w"> </span><span class="p">(</span><span class="k">setq</span><span class="w"> </span><span class="nv">ss</span><span class="w"> </span><span class="no">nil</span><span class="p">))</span> <span class="w"> </span><span class="p">(</span><span class="k">setq</span><span class="w"> </span><span class="nv">i</span><span class="w"> </span><span class="mi">0</span><span class="p">)</span> <span class="w"> </span><span class="p">(</span><span class="nv">foreach</span><span class="w"> </span><span class="nv">obj</span><span class="w"> </span><span class="nv">ss</span> <span class="w"> </span><span class="p">(</span><span class="k">if</span> <span class="w"> </span><span class="p">(</span><span class="nb">not</span><span class="w"> </span><span class="p">(</span><span class="nv">vl-catch-all-error-p</span><span class="w"> </span> <span class="w"> </span><span class="p">(</span><span class="nv">vl-catch-all-apply</span> <span class="w"> </span><span class="ss">&#39;vlax-put-property</span> <span class="w"> </span><span class="p">(</span><span class="nb">list</span><span class="w"> </span><span class="nv">obj</span> <span class="w"> </span><span class="ss">&#39;TextString</span> <span class="w"> </span><span class="p">(</span><span class="nv">strcat</span><span class="w"> </span><span class="nv">prefix</span> <span class="w"> </span><span class="p">(</span><span class="nv">rtos</span><span class="w"> </span><span class="p">(</span><span class="nb">+</span><span class="w"> </span><span class="nv">nstart</span><span class="w"> </span><span class="p">(</span><span class="nb">*</span><span class="w"> </span><span class="nv">i</span><span class="w"> </span><span class="nv">nstep</span><span class="p">))</span><span class="w"> </span><span class="mi">2</span><span class="w"> </span><span class="nv">ndecimals</span><span class="p">)</span> <span class="w"> </span><span class="nv">suffix</span><span class="p">)))))</span> <span class="w"> </span><span class="p">(</span><span class="k">setq</span><span class="w"> </span><span class="nv">i</span><span class="w"> </span><span class="p">(</span><span class="nb">1+</span><span class="w"> </span><span class="nv">i</span><span class="p">))))</span> <span class="w"> </span><span class="nv">i</span><span class="p">)</span> <span class="p">(</span><span class="nb">defun</span><span class="w"> </span><span class="nv">c:txtnum</span><span class="p">(</span><span class="nb">/</span><span class="w"> </span><span class="nv">ss</span><span class="w"> </span><span class="nv">prefix</span><span class="w"> </span><span class="nv">suffix</span><span class="p">)</span> <span class="c1">; Asks for a prefix and a suffix.</span> <span class="c1">; Calls txtnum with nstart=1 nstep=1 ndecimals=0</span> <span class="w"> </span><span class="p">(</span><span class="k">setq</span><span class="w"> </span><span class="nv">ss</span><span class="w"> </span><span class="p">(</span><span class="nv">ssget</span><span class="p">)</span> <span class="w"> </span><span class="nv">prefix</span><span class="w"> </span><span class="p">(</span><span class="nv">getstring</span><span class="w"> </span><span class="s">&quot;Prefix: &quot;</span><span class="p">)</span> <span class="w"> </span><span class="nv">suffix</span><span class="w"> </span><span class="p">(</span><span class="nv">getstring</span><span class="w"> </span><span class="s">&quot;Suffix: &quot;</span><span class="p">)</span> <span class="w"> </span><span class="p">)</span> <span class="w"> </span><span class="p">(</span><span class="nv">txtnum</span><span class="w"> </span><span class="nv">ss</span><span class="w"> </span><span class="nv">prefix</span><span class="w"> </span><span class="nv">suffix</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="mi">0</span><span class="p">)</span> <span class="w"> </span><span class="p">(</span><span class="nb">princ</span><span class="p">))</span> <span class="p">(</span><span class="nb">defun</span><span class="w"> </span><span class="nv">r:gen</span><span class="p">(</span><span class="nv">ang</span><span class="w"> </span><span class="nb">/</span><span class="w"> </span><span class="nv">ss</span><span class="w"> </span><span class="nv">po</span><span class="w"> </span><span class="nv">i</span><span class="w"> </span><span class="nv">lim</span><span class="p">)</span> <span class="c1">; Rotates all selected items by ang </span> <span class="w"> </span><span class="p">(</span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="nb">and</span><span class="w"> </span><span class="p">(</span><span class="k">setq</span><span class="w"> </span><span class="nv">ss</span><span class="w"> </span><span class="p">(</span><span class="nv">ss-&gt;vla-objectlist</span><span class="w"> </span><span class="p">(</span><span class="nv">ssget</span><span class="p">)))</span> <span class="w"> </span><span class="p">(</span><span class="k">setq</span><span class="w"> </span><span class="nv">po</span> <span class="w"> </span><span class="p">(</span><span class="nv">vlax-make-variant</span> <span class="w"> </span><span class="p">(</span><span class="nv">vlax-safearray-fill</span> <span class="w"> </span><span class="p">(</span><span class="nv">vlax-make-safearray</span> <span class="w"> </span><span class="nv">vlax-vbDouble</span> <span class="w"> </span><span class="o">&#39;</span><span class="p">(</span><span class="mi">0</span><span class="w"> </span><span class="o">.</span><span class="w"> </span><span class="mi">2</span><span class="p">))</span> <span class="w"> </span><span class="p">(</span><span class="nv">getpoint</span><span class="w"> </span><span class="s">&quot;Base point: &quot;</span><span class="p">))))</span> <span class="w"> </span><span class="p">(</span><span class="nb">numberp</span><span class="w"> </span><span class="nv">ang</span><span class="p">))</span> <span class="w"> </span><span class="p">(</span><span class="nv">foreach</span><span class="w"> </span><span class="nv">obj</span><span class="w"> </span><span class="nv">ss</span> <span class="w"> </span><span class="p">(</span><span class="nv">vl-catch-all-apply</span> <span class="w"> </span><span class="ss">&#39;vlax-invoke-method</span> <span class="w"> </span><span class="p">(</span><span class="nb">list</span> <span class="w"> </span><span class="nv">obj</span> <span class="w"> </span><span class="ss">&#39;Rotate</span> <span class="w"> </span><span class="nv">po</span> <span class="w"> </span><span class="nv">ang</span><span class="p">)))))</span> <span class="p">(</span><span class="nb">defun</span><span class="w"> </span><span class="nv">deg-&gt;rad</span><span class="p">(</span><span class="nv">ang</span><span class="p">)</span> <span class="c1">; Conversion from degrees to radians.</span> <span class="w"> </span><span class="p">(</span><span class="nb">*</span><span class="w"> </span><span class="p">(</span><span class="nb">/</span><span class="w"> </span><span class="nv">ang</span><span class="w"> </span><span class="mf">180.0</span><span class="p">)</span><span class="w"> </span><span class="nv">pi</span><span class="p">))</span> <span class="c1">; The following commands rotate by 90, 180 and 270 degrees respectively:</span> <span class="p">(</span><span class="nb">defun</span><span class="w"> </span><span class="nv">c:r1</span><span class="p">()</span><span class="w"> </span><span class="p">(</span><span class="nv">r:gen</span><span class="w"> </span><span class="p">(</span><span class="nv">deg-&gt;rad</span><span class="w"> </span><span class="mi">90</span><span class="p">))</span><span class="w"> </span><span class="p">(</span><span class="nb">princ</span><span class="p">))</span> <span class="p">(</span><span class="nb">defun</span><span class="w"> </span><span class="nv">c:r2</span><span class="p">()</span><span class="w"> </span><span class="p">(</span><span class="nv">r:gen</span><span class="w"> </span><span class="p">(</span><span class="nv">deg-&gt;rad</span><span class="w"> </span><span class="mi">180</span><span class="p">))</span><span class="w"> </span><span class="p">(</span><span class="nb">princ</span><span class="p">))</span> <span class="p">(</span><span class="nb">defun</span><span class="w"> </span><span class="nv">c:r3</span><span class="p">()</span><span class="w"> </span><span class="p">(</span><span class="nv">r:gen</span><span class="w"> </span><span class="p">(</span><span class="nv">deg-&gt;rad</span><span class="w"> </span><span class="mi">270</span><span class="p">))</span><span class="w"> </span><span class="p">(</span><span class="nb">princ</span><span class="p">))</span> <span class="p">(</span><span class="nb">princ</span><span class="p">)</span> </code></pre></div> <p>Some of these commands look really silly, like <code>r1</code>, <code>r2</code> and <code>r3</code>, however once you get used to them it&rsquo;s much faster to just type <code>r1</code>, select the objects, and click on the base point than having to <em>also</em> type in the degrees or activating <code>ORTHO</code> and clicking on the good direction (also minding the fact that <code>OSNAP</code> may get you a different point and hence a wrong angle).</p> <p>In others, like <code>txtnum</code>, you&rsquo;ll notice how a much more generic function is also defined. That&rsquo;s meant to allow for quick in-place modifications to satisfy slightly different needs.</p> <p>For example, if you wanted the text &ldquo;X meters&rdquo; with X starting at 0 and increasing by 0.5 each time, you could just type:</p> <div class="codehilite"><pre><span></span><code><span class="p">(</span><span class="nv">txtnum</span><span class="w"> </span><span class="p">(</span><span class="nv">ssget</span><span class="p">)</span><span class="w"> </span><span class="s">&quot;&quot;</span><span class="w"> </span><span class="s">&quot; meters&quot;</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mf">0.5</span><span class="w"> </span><span class="mi">1</span><span class="p">)</span> </code></pre></div> <p>And if it happens to be something you need a lot in a session, just assign that to a temporary alias like this:</p> <div class="codehilite"><pre><span></span><code><span class="p">(</span><span class="nb">defun</span><span class="w"> </span><span class="nv">c:&lt;1</span><span class="p">()</span><span class="w"> </span><span class="p">(</span><span class="nv">txtnum</span><span class="w"> </span><span class="p">(</span><span class="nv">ssget</span><span class="p">)</span><span class="w"> </span><span class="s">&quot;&quot;</span><span class="w"> </span><span class="s">&quot; meters&quot;</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mf">0.5</span><span class="w"> </span><span class="mi">1</span><span class="p">)</span><span class="w"> </span><span class="p">(</span><span class="nb">princ</span><span class="p">))</span> </code></pre></div> <p>And if you <em>really</em> use it a lot, just add that line to your <code>acaddoc.lsp</code> and now you have yet another silly command to make your life easier.</p> <h1 id="conclusion">Conclusion</h1> <p>There&rsquo;s much power in AutoCAD&rsquo;s APIs, basically the limit between what you can and cannot do is in your imagination (albeit it&rsquo;s cliché, it&rsquo;s also mostly true).</p> <p>Any seemingly simple task that is bothering you because it&rsquo;s too boring (read, easy and mechanical) can most likely be automated in plenty of different ways! Heck, even pretty complex things can be automated (up to a certain point) given enough analysis and understanding of the needs.</p> <p>If you find yourself in such a case, do <a href="/en/about/contact">drop me a line</a>! If you provide me with a good description of what you have to do (hopefully with a file example; <strong>example</strong>, I won&rsquo;t do your job for you!), how you <em>think</em> you can automate it (I reserve the right to do it in a totally different way ;)), and I happen to: find it interesting enough, have the time and disposition to do what you&rsquo;re asking for; I may as well just do it!</p> <h1 id="further-reading">Further reading</h1> <p>It has been a while since last time I needed online help developing for AutoCAD, so I can&rsquo;t remember that many pages; I&rsquo;ll be adding some resources that will help you get started with automation in AutoCAD. So far I&rsquo;ve remembered the following:</p> <ul> <li><a href="http://www.afralisp.net" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Afralisp</a>: good place full of tutorials and guides. Beginner-friendly!</li> <li><a href="http://docs.autodesk.com/ACD/2011/ENU/filesALG/WSfacf1429558a55de1a7524c1004e616f8b-5bb9.htm" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">AutoCAD Help</a>: Official documentation. Whenever you have a doubt or are looking for something, go there first!</li> </ul>2012-05-28T00:00:00Zurn:uuid:c93235e0-26d5-3f9c-9c2a-b0dcb3924d7b<h1 id="introduction">Introduction</h1> <p>At first, I wanted to start blogging about things related to my job but then I realised how introducing the topic out of the blue would have required explaining <em>How I got into programming</em> and how I use it at work.</p> <p>So, here is my attempt at doing just that.</p> <p>I just want to add, that I program for fun and because it makes my life easier. Quite often someone else&rsquo;s as well. That does mean that I program at work, but as a mean to help getting my job (or someone else&rsquo;s) done <strong>faster</strong> <em>and</em> <strong>better</strong>, i.e. it&rsquo;s not my main function — at least it isn&rsquo;t as of this writing.</p> <h1 id="table-of-contents">Table of Contents</h1> <div class="toc"> <ul> <li><a href="#introduction">Introduction</a></li> <li><a href="#table-of-contents">Table of Contents</a></li> <li><a href="#early-years">Early years</a><ul> <li><a href="#logo-parenthesis">Logo parenthesis</a></li> </ul> </li> <li><a href="#maturing-and-serious-programming">Maturing and serious programming</a></li> <li><a href="#at-work">At work</a></li> <li><a href="#summing-up">Summing up</a></li> </ul> </div> <h1 id="early-years">Early years</h1> <p>I belong to the new generations —which means that my <em>early years</em> are actually kind of the new days— hence I have no cool stories about computers that needed a whole room in an University, had no experience with <a href="http://puzzlesbyjoe.com/programming/why-i-love-programming-then/" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">keypunch cards</a>; heck, I hadn&rsquo;t even been conceived by the time the internet started to get mainstream!</p> <p>That means that my very first experience with a computer… Was actually an IBM PC! Yep, a somewhat <em>small</em> thing with 64MB RAM and a 15&rdquo; screen that was able to handle a 800x600 pixel resolution (and 16bit colour depth!).</p> <p>As the curious kid I was, the first thing I did when we got that thing (running Windows 95!) was to… try and find out what to do with it. Yeah sure, it turned on, you could move the mouse around, make a few drawings on Paint or whatever but… these things had to be able to do something else.</p> <p>It wasn&rsquo;t long after its arrival that I learned by heart every single configuration that was available and got bored of the computer. Luckily, a time after that I received a copy of <a href="http://www.nostalgia8.nl/logoversies.htm#pc" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">some version of Logo</a>.</p> <p><em>Now</em> the fun started! Why draw geometric figures that won&rsquo;t be precise with Paint, when I had the opportunity of drawing <em>anything</em> I could imagine just by telling that agreeable turtle how to move?</p> <p>Maybe it was a hidden desire to rule the world and have everyone do as I said but it was a damn good feeling to see that turtle do as commanded. Even when it made something unexpected because, hey, <em>I</em> had told it to do <em>that</em> even if it wasn&rsquo;t what I wanted.</p> <p>In other words, it wasn&rsquo;t the turtle that was an idiot, the problem was the 7 or 8 years old creature between the chair and the keyboard — and at the time I <em>knew</em> it as well.</p> <p>Later on, I discovered that it wasn&rsquo;t only that turtle&rsquo;s nature, it was computer&rsquo;s nature to do <em>exactly</em> as they&rsquo;re told (even if you tell them wrong!); the little dictator inside of me was <em>very</em> pleased.</p> <h2 id="logo-parenthesis">Logo parenthesis</h2> <p>While writing this, nostalgia kicked in and I found a version of <a href="http://www.nostalgia8.nl/logoversies.htm#pc" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">logo writer</a>. Here&rsquo;s a little something I did in the time needed to remember syntax and basic commands:</p> <p><img alt="logo_hex" src="/media/img/logo_hex.gif" title="Something simple in Logo" /></p> <p>And here&rsquo;s the code for that:</p> <div class="codehilite"><pre><span></span><code>cg pu setpos [-200 -95] pd setc 8 repeat 125 [repeat 6 [left 120 repeat 7 [fd 20 right 60]] \ pu fd 60 left 60 fd 40 right 120 fd 20 left 60 pd] pu home setc 1 pd </code></pre></div> <p>As a side note, this turtle&rsquo;s space is topologically equivalent to a donut!</p> <h1 id="maturing-and-serious-programming">Maturing and serious programming</h1> <p>While starting high school, I felt I had tons of time in my hands and learned how to program in <em>Pascal</em> and <em>Basic</em> (because it&rsquo;s what I had at hand!), a couple years later discovered <em>Visual Basic</em> and learned to love it, hate it and eventually forgot it — I thought, erroneously, that I&rsquo;d never need it again.</p> <p>After that, I went to the University (not <em>this</em> time, the <em>first</em> time) and learned about the existence of <em>Linux</em>. <em>Free Software</em> philosophy, <em>bash</em>, <em>Python</em> amongst other things followed that discovery. I almost immediately fell in love with the Operative System —specially when one of the best professors I&rsquo;ve ever had introduced me to <em>Debian</em>—. Have used nearly nothing else for my daily life since then.</p> <p>When I got back to study at another University, notions of scientific programming turned out to be part of the Mathematics curriculum which got me to learn how to program in <em>C</em>.</p> <p>Currently, I&rsquo;m at yet <em>another</em> University (this time just an abroad semester) where I get to learn how to program re-usable, generic and efficient scientific software in <em>C++</em> and some <em>Java</em> which I had already learned for personal purposes.</p> <h1 id="at-work">At work</h1> <p>I&rsquo;m lazy… yep, not a good thing to say (specially if the section is called <em>&ldquo;At <strong>work</strong>&ldquo;</em>) but there&rsquo;s more to it than just the definition of lazy. The thing is: I strongly dislike doing things inefficiently.</p> <p>The way I see it: the faster I finish doing the things I don&rsquo;t enjoy as much, the faster I get to do something more interesting — or even <em>nothing</em> at all!</p> <p>That would be optimal in an objective-driven environment, which sadly is not the case at my current job, therefore I&rsquo;m just… well, more productive.</p> <p>So, how do I get to be more productive? I just assume that for every single repetitive thing that has to be done than once manually, someone will probably make a mistake at some point — most likely more than once and each time in different sneaky ways.</p> <p>If the cost in time of automating the task (and then finishing the task in this more automatic way) is roughly equal to the time it takes someone to do the task by hand (including an error check). I just go for it and automate it… Not only I get to have some fun, but I get to be sure there are no errors (or know the kind of errors there may be) and the best thing: it may even be useful later and save us a few hours!</p> <p>At first, of course, I had no idea how to do such things, nor was I able to estimate the time cost of a task accurately, the latter ability came with time and experience, the former was product of my already mentioned insatiable curiosity and a few hours of research plus tons of hours of practise — most of those hours were my own personal time or dead time at a company.</p> <h1 id="summing-up">Summing up</h1> <p>I had the privilege of being in touch with computers from an early age and always had an interest for programming, being something that somehow suits my personality and way of doing things.</p> <p>My studies have brought me somewhat closer to the programming world, and by chance my job allows me to do some programming somewhat regularly… Because, who on their right mind would argue against doing something in a day rather than three or four?</p>2012-05-09T00:00:00Zurn:uuid:0203eaf3-68c3-341d-8f58-257283168c5c<h1 id="introduction">Introduction</h1> <p>At the company I work for, being sick of making clean Windows installs, we decided to willingly violate Windows XP&rsquo;s EULA for the greater good and put together a few open-source tools (basically <code>ntfsclone</code>, <code>ntfsreloc</code>, <code>ntfsresize</code>, <code>gparted</code> and of course, Linux), wrote a couple of witty scripts and came out with a &ldquo;free&rdquo; and nearly legal way of (re)installing Windows on our machines.</p> <p>Such a method consists basically of having in each machine besides the live Windows installation, a striped out Linux system with a backup image of its Windows (legally registered!). Of course, to save time, we sometimes use that same image to install Windows in more than one than one machine and once it&rsquo;s been installed, we change the license data and create a new internal backup image with its own license info.</p> <p>So, I have that set up on my machine as well, except that I have a full, lovely, amazingly useful <a href="http://debian.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Debian</a> installation. The problem is, that I can&rsquo;t be bothered to close, abandon whatever I&rsquo;m doing and leave my happy place just to boot 5 minutes into Windows, figure out how to do something or test a new script and boot back into Linux to resume my other activities.</p> <p>Here comes <strong>Virtualisation</strong> to the rescue, being something I had played with in the past, it wasn&rsquo;t totally new and I already knew about the different options out there and their pros and cons.</p> <p>So I decided to give it a shot, but once again, making a fresh Windows install with all of the software needed to make it useful… is just too much of a burden.</p> <h1 id="table-of-contents">Table of Contents</h1> <div class="toc"> <ul> <li><a href="#introduction">Introduction</a></li> <li><a href="#table-of-contents">Table of Contents</a></li> <li><a href="#issue">Issue</a></li> <li><a href="#solution">Solution</a><ul> <li><a href="#analysis">Analysis</a></li> <li><a href="#hard-drives">Hard drives</a></li> <li><a href="#master-boot-record">Master Boot Record</a></li> <li><a href="#partition-table">Partition Table</a></li> <li><a href="#real-case-mbr">Real case MBR</a></li> <li><a href="#generating-the-mbr">Generating the MBR</a></li> <li><a href="#joining-the-new-mbr-and-the-image">Joining the new MBR and the image</a></li> <li><a href="#use-the-image">Use the image</a></li> </ul> </li> <li><a href="#conclusion">Conclusion</a></li> </ul> </div> <h1 id="issue">Issue</h1> <p>Summing up, I&rsquo;ve got a Linux installation (which will be the Host OS) and a gzipped <code>ntfsclone</code> Windows XP image (which will, of course, be the Guest OS).</p> <p>That being, nearly the equivalent of having a <em>live</em> Windows installation, and wanting to migrate it to a Virtual Machine.</p> <p>There are already several articles about how to do that, but none of the ones I found solved a very simple issue:</p> <blockquote> <p>You can&rsquo;t just get the image of a disk partition and boot it!</p> </blockquote> <p>As a matter of fact, the lovely guys at <a href="http://virtualbox.org" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">VirtualBox</a> already tell you <a href="https://virtualbox.org/wiki/Migrate_Windows" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">that exactly</a>:</p> <blockquote> <p>Either pull the drive from the windows machine or copy the data with a low level image tool (like dd) to a USB drive or other removable media. If making an image, DO NOT image just the partition, this will not work!</p> </blockquote> <p>What they seem to be suggesting here, is that you make the image of the full hard drive (as opposed of just one partition), just to get the piece of it you want. That may mean having a 240 Gb of raw data, instead of just the 25 Gb you&rsquo;re interested in… That&rsquo;s nearly 90% inefficiency.</p> <h1 id="solution">Solution</h1> <h2 id="analysis">Analysis</h2> <p>To get around this, we need to understand why there is this problem to begin with.</p> <p>You&rsquo;ll see, it&rsquo;s not as simple as <em>that</em> virtualisation software not wanting to boot your image because it is a faulty, buggy or incomplete program (as many would dare to suggest without digging in any further!); the problem here, is how hard drives work, how they were designed and how a <em>real</em> computer understands them.</p> <p>There are many good articles around, and it&rsquo;s not my intention at all to duplicate that information, so I&rsquo;m just going to make a quick introduction to the topics, in order for the solution to make a bit of sense.</p> <h2 id="hard-drives">Hard drives</h2> <p>So, nowadays, everyone knows that a hard drive can have several partitions that look like &ldquo;different hard drives&rdquo; inside of the Operative System, but the information about the different partitions, their format, size, position in the physical hard drive, etc. has to be stored <em>somewhere</em>.</p> <p>Where? Well, most likely you&rsquo;ve heard about the infamous <a href="http://en.wikipedia.org/wiki/Partition_table" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Partition Table</a> or <a href="http://en.wikipedia.org/wiki/Master_boot_record" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Master Boot Record (MBR)</a>, and I say <strong>infamous</strong> because probably the one time you heard about those things, you had to curse a lot due to data loss or all those wasted hours.</p> <p>There we have it, there&rsquo;s a mystical thing at the very beginning of our hard drive describing where our partitions are and how they are!</p> <p>Then, when we try to get our Virtual Machine to boot that partition image we made, it&rsquo;ll complain about it not being a properly formatted disk or something amongst those lines. Of course, there&rsquo;s no MBR!</p> <h2 id="master-boot-record">Master Boot Record</h2> <p>It&rsquo;s pretty well <a href="http://en.wikipedia.org/wiki/Master_boot_record" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">explained</a> on Wikipedia, but it&rsquo;s full of historical data and things that, whilst being interesting, are not related to our goal. I&rsquo;d recommend then, taking a look at <a href="http://www.datarescue.com/laboratory/partition.htm" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">these</a> <a href="http://thestarman.pcministry.com/asm/mbr/PartTables.htm" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">articles</a>.</p> <p>In short, the MBR is a 512 byte long section with a standard structure:</p> <ul> <li>Code area (0x000&mdash;0x1BD)</li> <li>Partition Table (0x1BE&mdash;0x1FD)</li> <li>Boot Record Signature (0x1FE-0x1FF).</li> </ul> <p>Those hex numbers in parentheses, correspond to the <strong>offset</strong> within the MBR in which the sections are located, which is also the absolute offset.</p> <p>We&rsquo;ll see later that we only have to worry about the Partition Table, so let&rsquo;s take a look into it.</p> <h2 id="partition-table">Partition Table</h2> <p>The Partition Table is really where the information about our disk partitions is written, it has enough room to define <strong>four</strong> partitions called <strong>primary</strong> partitions, one of those can be an <strong>extended</strong> partition, which will contain another partition table with information about all the <strong>logical</strong> partitions, but we don&rsquo;t really care much about it right now, if interested read the articles above or make a quick internet search.</p> <p>This sector then, has also a standard structure:</p> <ul> <li>Entry for Primary Partition #1 (0x1BE&mdash;0x1CD).</li> <li>Entry for Primary Partition #2 (0x1CE&mdash;0x1DD).</li> <li>Entry for Primary Partition #3 (0x1DE&mdash;0x1ED).</li> <li>Entry for Primary Partition #4 (0x1EE&mdash;0x1FD).</li> </ul> <p>That means, that whatever defines the first primary partition, is between sectors 0x1BE and 0x1CD of the MBR.</p> <p>Those entries have, of course, a structure that is better explained <a href="http://thestarman.pcministry.com/asm/mbr/PartTables.htm" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">here</a>, but here it goes for completeness&rsquo; sake:</p> <ul> <li>Partition State: 0x80 if it&rsquo;s the boot partition, 0x00 otherwise (1 byte).</li> <li>Starting sector CHS coordinates (3 bytes).</li> <li>Partition Type (1 byte).</li> <li>Ending sector CHS coordinates (3 bytes).</li> <li>Starting sector LBA coordinates (4 bytes).</li> <li>Partition length in sectors (4 bytes).</li> </ul> <p>What are those CHS, LBA things you ask. Well, in þe old times, it was actually needed to refer to a disk sector by its <a href="http://en.wikipedia.org/wiki/Cylinder-head-sector#CHS_to_LBA_mapping" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">CHS coordinates (Cylinder, Head, Sector)</a> which is hardware-dependant. However, nowadays software cares more about LBA (Logical Block Addressing) because it&rsquo;s easier and the abstraction layers do the hard part.</p> <p>Also, as <a href="http://lists.freebsd.org/pipermail/freebsd-questions/2004-January/033376.html" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">Dan Strick</a> said on the FreeBSD mail list (and I believe it just because my BIOS agrees):</p> <blockquote> <p>Modern BIOS geometry most frequently uses 255 heads and 63 sectors/track because that maximizes the addressable part of the disk drive using the basic int13 function.</p> </blockquote> <h2 id="real-case-mbr">Real case MBR</h2> <p>Cool, we now know that there are three things we need, and roughly how they are, but it was all too abstract, so, as an instructive exercise, why don&rsquo;t you go to your terminal and execute</p> <div class="codehilite"><pre><span></span><code><span class="gp">$ </span>dd<span class="w"> </span><span class="k">if</span><span class="o">=</span>/dev/sda<span class="w"> </span><span class="nv">count</span><span class="o">=</span><span class="m">1</span><span class="w"> </span><span class="p">|</span><span class="w"> </span>hd<span class="w"> </span><span class="p">|</span><span class="w"> </span>less </code></pre></div> <p>Note that you may get into permission errors, just turn root, use sudo or get privileges to the disk group or whatever helps you get raw access to the disk. Also note that if you mess up the <code>if=</code> and write <code>of=</code> instead, you may be killing your MBR :), read <code>man dd</code> for more info.</p> <p>So, mine looks a bit like this (I skipped a part as it&rsquo;s mostly incomprehensible):</p> <div class="codehilite"><pre><span></span><code><span class="nl">00000000</span><span class="w"> </span><span class="mh">eb</span><span class="w"> </span><span class="mh">63</span><span class="w"> </span><span class="mh">90</span><span class="w"> </span><span class="mh">d0</span><span class="w"> </span><span class="mh">bc</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">7c</span><span class="w"> </span><span class="mh">8e</span><span class="w"> </span><span class="mh">c0</span><span class="w"> </span><span class="mh">8e</span><span class="w"> </span><span class="mh">d8</span><span class="w"> </span><span class="mh">be</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">7c</span><span class="w"> </span><span class="mh">bf</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="p">|</span><span class="s">.c....|......|..</span><span class="p">|</span> <span class="nl">00000010</span><span class="w"> </span><span class="mh">06</span><span class="w"> </span><span class="mh">b9</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">02</span><span class="w"> </span><span class="mh">fc</span><span class="w"> </span><span class="mh">f3</span><span class="w"> </span><span class="mh">a4</span><span class="w"> </span><span class="mh">50</span><span class="w"> </span><span class="mh">68</span><span class="w"> </span><span class="mh">1c</span><span class="w"> </span><span class="mh">06</span><span class="w"> </span><span class="mh">cb</span><span class="w"> </span><span class="mh">fb</span><span class="w"> </span><span class="mh">b9</span><span class="w"> </span><span class="mh">04</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="p">|</span><span class="s">.......Ph.......</span><span class="p">|</span> <span class="nl">00000020</span><span class="w"> </span><span class="mh">bd</span><span class="w"> </span><span class="mh">be</span><span class="w"> </span><span class="mh">07</span><span class="w"> </span><span class="mh">80</span><span class="w"> </span><span class="mh">7e</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">7c</span><span class="w"> </span><span class="mh">0b</span><span class="w"> </span><span class="mh">0f</span><span class="w"> </span><span class="mh">85</span><span class="w"> </span><span class="mh">0e</span><span class="w"> </span><span class="mh">01</span><span class="w"> </span><span class="mh">83</span><span class="w"> </span><span class="mh">c5</span><span class="w"> </span><span class="mh">10</span><span class="w"> </span><span class="p">|</span><span class="s">....~..|........</span><span class="p">|</span> <span class="nl">00000170</span><span class="w"> </span><span class="mh">be</span><span class="w"> </span><span class="mh">95</span><span class="w"> </span><span class="mh">7d</span><span class="w"> </span><span class="mh">e8</span><span class="w"> </span><span class="mh">34</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">be</span><span class="w"> </span><span class="mh">9a</span><span class="w"> </span><span class="mh">7d</span><span class="w"> </span><span class="mh">e8</span><span class="w"> </span><span class="mh">2e</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">cd</span><span class="w"> </span><span class="mh">18</span><span class="w"> </span><span class="mh">eb</span><span class="w"> </span><span class="mh">fe</span><span class="w"> </span><span class="p">|</span><span class="s">..}.4...}.......</span><span class="p">|</span> <span class="nl">00000180</span><span class="w"> </span><span class="mh">47</span><span class="w"> </span><span class="mh">52</span><span class="w"> </span><span class="mh">55</span><span class="w"> </span><span class="mh">42</span><span class="w"> </span><span class="mh">20</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">47</span><span class="w"> </span><span class="mh">65</span><span class="w"> </span><span class="mh">6f</span><span class="w"> </span><span class="mh">6d</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">48</span><span class="w"> </span><span class="mh">61</span><span class="w"> </span><span class="mh">72</span><span class="w"> </span><span class="mh">64</span><span class="w"> </span><span class="mh">20</span><span class="w"> </span><span class="p">|</span><span class="s">GRUB .Geom.Hard </span><span class="p">|</span> <span class="nl">00000190</span><span class="w"> </span><span class="mh">44</span><span class="w"> </span><span class="mh">69</span><span class="w"> </span><span class="mh">73</span><span class="w"> </span><span class="mh">6b</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">52</span><span class="w"> </span><span class="mh">65</span><span class="w"> </span><span class="mh">61</span><span class="w"> </span><span class="mh">64</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">20</span><span class="w"> </span><span class="mh">45</span><span class="w"> </span><span class="mh">72</span><span class="w"> </span><span class="mh">72</span><span class="w"> </span><span class="mh">6f</span><span class="w"> </span><span class="mh">72</span><span class="w"> </span><span class="p">|</span><span class="s">Disk.Read. Error</span><span class="p">|</span> <span class="nl">000001a0</span><span class="w"> </span><span class="mh">0d</span><span class="w"> </span><span class="mh">0a</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">bb</span><span class="w"> </span><span class="mh">01</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">b4</span><span class="w"> </span><span class="mh">0e</span><span class="w"> </span><span class="mh">cd</span><span class="w"> </span><span class="mh">10</span><span class="w"> </span><span class="mh">ac</span><span class="w"> </span><span class="mh">3c</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">75</span><span class="w"> </span><span class="mh">f4</span><span class="w"> </span><span class="mh">c3</span><span class="w"> </span><span class="p">|</span><span class="s">...........&lt;.u..</span><span class="p">|</span> <span class="nl">000001b0</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">f7</span><span class="w"> </span><span class="mh">a4</span><span class="w"> </span><span class="mh">85</span><span class="w"> </span><span class="mh">a3</span><span class="w"> </span><span class="mh">2f</span><span class="w"> </span><span class="mh">d2</span><span class="w"> </span><span class="mh">80</span><span class="w"> </span><span class="mh">20</span><span class="w"> </span><span class="p">|</span><span class="s">.........J..... </span><span class="p">|</span> <span class="nl">000001c0</span><span class="w"> </span><span class="mh">21</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">17</span><span class="w"> </span><span class="mh">fe</span><span class="w"> </span><span class="mh">ff</span><span class="w"> </span><span class="mh">ff</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">08</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">80</span><span class="w"> </span><span class="mh">02</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">fe</span><span class="w"> </span><span class="p">|</span><span class="s">!...............</span><span class="p">|</span> <span class="nl">000001d0</span><span class="w"> </span><span class="mh">ff</span><span class="w"> </span><span class="mh">ff</span><span class="w"> </span><span class="mh">83</span><span class="w"> </span><span class="mh">fe</span><span class="w"> </span><span class="mh">ff</span><span class="w"> </span><span class="mh">ff</span><span class="w"> </span><span class="mh">73</span><span class="w"> </span><span class="mh">0a</span><span class="w"> </span><span class="mh">80</span><span class="w"> </span><span class="mh">02</span><span class="w"> </span><span class="mh">92</span><span class="w"> </span><span class="mh">69</span><span class="w"> </span><span class="mh">04</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">fe</span><span class="w"> </span><span class="p">|</span><span class="s">......s....i....</span><span class="p">|</span> <span class="nl">000001e0</span><span class="w"> </span><span class="mh">ff</span><span class="w"> </span><span class="mh">ff</span><span class="w"> </span><span class="mh">17</span><span class="w"> </span><span class="mh">fe</span><span class="w"> </span><span class="mh">ff</span><span class="w"> </span><span class="mh">ff</span><span class="w"> </span><span class="mh">05</span><span class="w"> </span><span class="mh">74</span><span class="w"> </span><span class="mh">84</span><span class="w"> </span><span class="mh">02</span><span class="w"> </span><span class="mh">c1</span><span class="w"> </span><span class="mh">3e</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">fe</span><span class="w"> </span><span class="p">|</span><span class="s">.......t...&gt;....</span><span class="p">|</span> <span class="nl">000001f0</span><span class="w"> </span><span class="mh">ff</span><span class="w"> </span><span class="mh">ff</span><span class="w"> </span><span class="mh">05</span><span class="w"> </span><span class="mh">fe</span><span class="w"> </span><span class="mh">ff</span><span class="w"> </span><span class="mh">ff</span><span class="w"> </span><span class="mh">fe</span><span class="w"> </span><span class="mh">bf</span><span class="w"> </span><span class="mh">84</span><span class="w"> </span><span class="mh">02</span><span class="w"> </span><span class="mh">02</span><span class="w"> </span><span class="mh">c8</span><span class="w"> </span><span class="mh">1c</span><span class="w"> </span><span class="mh">10</span><span class="w"> </span><span class="mh">55</span><span class="w"> </span><span class="mh">aa</span><span class="w"> </span><span class="p">|</span><span class="s">..............U.</span><span class="p">|</span> </code></pre></div> <p>The interesting part is at offset 0x1b0, which is the row in which the partition table starts, notice the section at 0x1B8, where we see <code>f7 a4 85 a3 2f d2</code>, that&rsquo;d be this disk&rsquo;s identifier (I must confess I don&rsquo;t know if, or how this is important) and right after that, starting at 0x1BE, we find the start of the partition table.</p> <p>If we try the same thing (hexdump the first 512 bytes) on our image (again, some bits have been skipped):</p> <div class="codehilite"><pre><span></span><code><span class="nl">00000000</span><span class="w"> </span><span class="mh">eb</span><span class="w"> </span><span class="mh">52</span><span class="w"> </span><span class="mh">90</span><span class="w"> </span><span class="mh">4e</span><span class="w"> </span><span class="mh">54</span><span class="w"> </span><span class="mh">46</span><span class="w"> </span><span class="mh">53</span><span class="w"> </span><span class="mh">20</span><span class="w"> </span><span class="mh">20</span><span class="w"> </span><span class="mh">20</span><span class="w"> </span><span class="mh">20</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">02</span><span class="w"> </span><span class="mh">08</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="p">|</span><span class="s">.R.NTFS .....</span><span class="p">|</span> <span class="nl">00000010</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">f8</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">3f</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">ff</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">08</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="p">|</span><span class="s">........?.......</span><span class="p">|</span> <span class="nl">00000020</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">80</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">80</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">f8</span><span class="w"> </span><span class="mh">ff</span><span class="w"> </span><span class="mh">7f</span><span class="w"> </span><span class="mh">02</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="p">|</span><span class="s">................</span><span class="p">|</span> <span class="nl">00000030</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">0c</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">8e</span><span class="w"> </span><span class="mh">f0</span><span class="w"> </span><span class="mh">1b</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="p">|</span><span class="s">................</span><span class="p">|</span> <span class="nl">00000180</span><span class="w"> </span><span class="mh">eb</span><span class="w"> </span><span class="mh">f2</span><span class="w"> </span><span class="mh">c3</span><span class="w"> </span><span class="mh">0d</span><span class="w"> </span><span class="mh">0a</span><span class="w"> </span><span class="mh">45</span><span class="w"> </span><span class="mh">72</span><span class="w"> </span><span class="mh">72</span><span class="w"> </span><span class="mh">6f</span><span class="w"> </span><span class="mh">72</span><span class="w"> </span><span class="mh">20</span><span class="w"> </span><span class="mh">64</span><span class="w"> </span><span class="mh">65</span><span class="w"> </span><span class="mh">20</span><span class="w"> </span><span class="mh">6c</span><span class="w"> </span><span class="mh">65</span><span class="w"> </span><span class="p">|</span><span class="s">.....Error de le</span><span class="p">|</span> <span class="nl">00000190</span><span class="w"> </span><span class="mh">63</span><span class="w"> </span><span class="mh">74</span><span class="w"> </span><span class="mh">75</span><span class="w"> </span><span class="mh">72</span><span class="w"> </span><span class="mh">61</span><span class="w"> </span><span class="mh">20</span><span class="w"> </span><span class="mh">64</span><span class="w"> </span><span class="mh">65</span><span class="w"> </span><span class="mh">20</span><span class="w"> </span><span class="mh">64</span><span class="w"> </span><span class="mh">69</span><span class="w"> </span><span class="mh">73</span><span class="w"> </span><span class="mh">63</span><span class="w"> </span><span class="mh">6f</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">0d</span><span class="w"> </span><span class="p">|</span><span class="s">ctura de disco..</span><span class="p">|</span> <span class="nl">000001a0</span><span class="w"> </span><span class="mh">0a</span><span class="w"> </span><span class="mh">46</span><span class="w"> </span><span class="mh">61</span><span class="w"> </span><span class="mh">6c</span><span class="w"> </span><span class="mh">74</span><span class="w"> </span><span class="mh">61</span><span class="w"> </span><span class="mh">20</span><span class="w"> </span><span class="mh">4e</span><span class="w"> </span><span class="mh">54</span><span class="w"> </span><span class="mh">4c</span><span class="w"> </span><span class="mh">44</span><span class="w"> </span><span class="mh">52</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">0d</span><span class="w"> </span><span class="mh">0a</span><span class="w"> </span><span class="mh">4e</span><span class="w"> </span><span class="p">|</span><span class="s">.Falta NTLDR...N</span><span class="p">|</span> <span class="nl">000001b0</span><span class="w"> </span><span class="mh">54</span><span class="w"> </span><span class="mh">4c</span><span class="w"> </span><span class="mh">44</span><span class="w"> </span><span class="mh">52</span><span class="w"> </span><span class="mh">20</span><span class="w"> </span><span class="mh">63</span><span class="w"> </span><span class="mh">6f</span><span class="w"> </span><span class="mh">6d</span><span class="w"> </span><span class="mh">70</span><span class="w"> </span><span class="mh">72</span><span class="w"> </span><span class="mh">69</span><span class="w"> </span><span class="mh">6d</span><span class="w"> </span><span class="mh">69</span><span class="w"> </span><span class="mh">64</span><span class="w"> </span><span class="mh">6f</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="p">|</span><span class="s">TLDR comprimido.</span><span class="p">|</span> <span class="nl">000001c0</span><span class="w"> </span><span class="mh">0d</span><span class="w"> </span><span class="mh">0a</span><span class="w"> </span><span class="mh">50</span><span class="w"> </span><span class="mh">72</span><span class="w"> </span><span class="mh">65</span><span class="w"> </span><span class="mh">73</span><span class="w"> </span><span class="mh">69</span><span class="w"> </span><span class="mh">6f</span><span class="w"> </span><span class="mh">6e</span><span class="w"> </span><span class="mh">65</span><span class="w"> </span><span class="mh">20</span><span class="w"> </span><span class="mh">43</span><span class="w"> </span><span class="mh">74</span><span class="w"> </span><span class="mh">72</span><span class="w"> </span><span class="mh">6c</span><span class="w"> </span><span class="mh">2b</span><span class="w"> </span><span class="p">|</span><span class="s">..Presione Ctrl+</span><span class="p">|</span> <span class="nl">000001d0</span><span class="w"> </span><span class="mh">41</span><span class="w"> </span><span class="mh">6c</span><span class="w"> </span><span class="mh">74</span><span class="w"> </span><span class="mh">2b</span><span class="w"> </span><span class="mh">53</span><span class="w"> </span><span class="mh">75</span><span class="w"> </span><span class="mh">70</span><span class="w"> </span><span class="mh">72</span><span class="w"> </span><span class="mh">20</span><span class="w"> </span><span class="mh">70</span><span class="w"> </span><span class="mh">61</span><span class="w"> </span><span class="mh">72</span><span class="w"> </span><span class="mh">61</span><span class="w"> </span><span class="mh">20</span><span class="w"> </span><span class="mh">72</span><span class="w"> </span><span class="mh">65</span><span class="w"> </span><span class="p">|</span><span class="s">Alt+Supr para re</span><span class="p">|</span> <span class="nl">000001e0</span><span class="w"> </span><span class="mh">69</span><span class="w"> </span><span class="mh">6e</span><span class="w"> </span><span class="mh">69</span><span class="w"> </span><span class="mh">63</span><span class="w"> </span><span class="mh">69</span><span class="w"> </span><span class="mh">61</span><span class="w"> </span><span class="mh">72</span><span class="w"> </span><span class="mh">0d</span><span class="w"> </span><span class="mh">0a</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="p">|</span><span class="s">iniciar.........</span><span class="p">|</span> <span class="nl">000001f0</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">83</span><span class="w"> </span><span class="mh">9f</span><span class="w"> </span><span class="mh">ad</span><span class="w"> </span><span class="mh">c0</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">55</span><span class="w"> </span><span class="mh">aa</span><span class="w"> </span><span class="p">|</span><span class="s">..............U.</span><span class="p">|</span> </code></pre></div> <p>Which doesn&rsquo;t look like a partition table… Now, that&rsquo;d explain why our virtualisation software refuses to boot it!</p> <h2 id="generating-the-mbr">Generating the MBR</h2> <p>As mentioned before, we only have to worry about the partition table, but we do need a valid code area; luckily, there is already some software available to do it for us. That&rsquo;d be <a href="http://ms-sys.sourceforge.net" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">ms-sys</a>, which, by the way is not packaged by Debian due to license issues (citation needed; read it long ago, can&rsquo;t be arsed to look for it now) but it&rsquo;s just a matter of downloading the source code and compiling.</p> <p><code>ms-sys</code> has several options, the one I&rsquo;m interested in is <code>-m</code>. Now, turns out, <code>ms-sys</code> needs a file to write the data, so let&rsquo;s create a zeroed one.</p> <div class="codehilite"><pre><span></span><code><span class="gp">$ </span>dd<span class="w"> </span><span class="k">if</span><span class="o">=</span>/dev/zero<span class="w"> </span><span class="nv">of</span><span class="o">=</span>mymbr<span class="w"> </span><span class="nv">count</span><span class="o">=</span><span class="m">2048</span> <span class="gp">$ </span>./ms-sys<span class="w"> </span>-f<span class="w"> </span>-m<span class="w"> </span>mymbr </code></pre></div> <p>Notice the -f argument, if it weren&rsquo;t there, <code>ms-sys</code> would complain about the file not being a disk device, but it&rsquo;s ok, we know (or hope we know) what we&rsquo;re doing. Also, we created a 1MB zeroed file (<code>count=2048</code> in <code>dd</code>), that&rsquo;s because it&rsquo;ll be the start of our image, and leaving 1MB at the beginning seems to be a sane thing to do (e.g. <code>gparted</code> does it that way).</p> <p>Having done that, we get:</p> <div class="codehilite"><pre><span></span><code><span class="nl">00000180</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="p">|</span><span class="s">................</span><span class="p">|</span> <span class="p">*</span> <span class="nl">000001b0</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">2c</span><span class="w"> </span><span class="mh">44</span><span class="w"> </span><span class="mh">63</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="p">|</span><span class="s">.....,Dc........</span><span class="p">|</span> <span class="nl">000001c0</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="p">|</span><span class="s">................</span><span class="p">|</span> <span class="p">*</span> <span class="nl">000001f0</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">55</span><span class="w"> </span><span class="mh">aa</span><span class="w"> </span><span class="p">|</span><span class="s">..............U.</span><span class="p">|</span> <span class="nl">00000200</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="p">|</span><span class="s">................</span><span class="p">|</span> </code></pre></div> <p>That is, no disk identifier, no partition table, but filled in code area and Boot Record Signature; not bad.</p> <p>We just have to fill in the missing data with a hex editor (e.g. <code>ghex</code>).</p> <p>As for the disk identifier, I guess we can fill in those bytes (0x1B8&mdash;0x1BD) pseudo-randomly, but have really no clue if that&rsquo;s what dedicated software do :).</p> <p>So, as for the Partition Table, we just need to fill in the first entry (0x1BE&mdash;0x1CD), as a single partition is all we need.</p> <ul> <li>Partition State: 0x80 it&rsquo;ll be the boot partition.</li> <li>Starting sector: 0x002021 the partition will start at 1MB, see details for CHS encoding <a href="http://thestarman.pcministry.com/asm/mbr/PartTables.htm#Decoding" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">here</a>.</li> <li>Partition Type: 0x07 for NTFS, use <code>fdisk</code> and then <code>l</code> for more options.</li> <li>Ending sector: odds are, your partition is big enough as to not fit in these three bytes, in those cases 0xFEFFFF is what should be there.</li> <li>Starting sector: 0x00080000 that&rsquo;d be 2048 as stored on a little-endian computer, it&rsquo;s 2048 because our partition will start after 1MB (2048 sectors of 512 bytes).</li> <li>Partition length: this will vary depending on your partition size, first find out the size of your partition in bytes and then divide it by 512, or better yet, find the size of your partition in sectors! Hint: <code>man fdisk</code>, <code>man ls</code>. This field must be encoded as stored on a little-endian computer as well.</li> </ul> <p>After all that mess, my partition entry looks like this:</p> <div class="codehilite"><pre><span></span><code><span class="nl">000001b0</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">2c</span><span class="w"> </span><span class="mh">44</span><span class="w"> </span><span class="mh">63</span><span class="w"> </span><span class="mh">f2</span><span class="w"> </span><span class="mh">aa</span><span class="w"> </span><span class="mh">cd</span><span class="w"> </span><span class="mh">f3</span><span class="w"> </span><span class="mh">12</span><span class="w"> </span><span class="mh">83</span><span class="w"> </span><span class="mh">80</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="p">|</span><span class="s">.....,Dc........</span><span class="p">|</span> <span class="nl">000001c0</span><span class="w"> </span><span class="mh">20</span><span class="w"> </span><span class="mh">21</span><span class="w"> </span><span class="mh">07</span><span class="w"> </span><span class="mh">fe</span><span class="w"> </span><span class="mh">ff</span><span class="w"> </span><span class="mh">ff</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">08</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">d8</span><span class="w"> </span><span class="mh">0b</span><span class="w"> </span><span class="mh">54</span><span class="w"> </span><span class="mh">02</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="p">|</span><span class="s"> !..........T...</span><span class="p">|</span> <span class="nl">000001d0</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="mh">00</span><span class="w"> </span><span class="p">|</span><span class="s">................</span><span class="p">|</span> </code></pre></div> <h2 id="joining-the-new-mbr-and-the-image">Joining the new MBR and the image</h2> <p>So, we make a copy of the <code>mymbr</code> file as <code>myimg.hdd</code> for example. Remember that we created this file as a zeroed 1MB file and then edited the first 512 bytes corresponding to the MBR.</p> <p>And then, we create, extract, convert or whatever the image, and add it to that file using <code>dd</code>, in my case:</p> <div class="codehilite"><pre><span></span><code><span class="gp">$ </span>gunzip<span class="w"> </span>-c<span class="w"> </span>Image.gz<span class="w"> </span><span class="p">|</span><span class="w"> </span>ntfsclone<span class="w"> </span>-r<span class="w"> </span>-O<span class="w"> </span>-<span class="w"> </span>-<span class="w"> </span><span class="p">|</span><span class="w"> </span>dd<span class="w"> </span><span class="nv">of</span><span class="o">=</span>myimg.hdd<span class="w"> </span><span class="nv">bs</span><span class="o">=</span><span class="m">1048576</span><span class="w"> </span><span class="nv">seek</span><span class="o">=</span><span class="m">1</span> </code></pre></div> <p>The <code>gunzip</code> and <code>ntfsclone</code> parts are just because that&rsquo;s how I have the image already, in practise you just need to pass the raw data to <code>dd</code> via standard input or create the image directly by indicating the input file (see <code>man dd</code>). Notice the arguments <code>bs=1048576 seek=1</code> for <code>dd</code>, here, we&rsquo;re telling <code>dd</code> to start writing on <code>myimg.hdd</code> after 1MB, leaving our 512 byte long MBR plus some zero data intact; by the way, by increasing the block size, the whole process is considerably faster.</p> <p>Also, do note that we can overwrite the MBR of this newly created virtual hard drive at any time:</p> <div class="codehilite"><pre><span></span><code><span class="gp">$ </span>dd<span class="w"> </span><span class="k">if</span><span class="o">=</span>mymbr<span class="w"> </span><span class="nv">of</span><span class="o">=</span>myimg.hdd<span class="w"> </span><span class="nv">count</span><span class="o">=</span><span class="m">1</span><span class="w"> </span><span class="nv">conv</span><span class="o">=</span>notrunc </code></pre></div> <p>Note that if you leave out the <code>conv=notrunc</code> parameter, you&rsquo;ll lose all your precious data.</p> <h2 id="use-the-image">Use the image</h2> <p>Now just use whatever virtualisation solution you want with this raw image or maybe even convert it to another format (like <code>vdi</code>), it&rsquo;s a perfectly valid virtual hard drive with a single partition.</p> <h1 id="conclusion">Conclusion</h1> <p>It does look like quite a mess, but creating a virtual hard drive with a bootable partition from an image or a real hard drive just takes around two minutes, that is, not taking into account the time-consuming <code>dd</code> step, but then again, there we just have to sit back and relax.</p> <p>Just as a side note, this does not guarantee by any means a migration from a live installation to a Virtual Machine, it does guarantee however that the virtualisation software will <em>try</em> to boot that partition.</p> <p>As a matter of fact, my migration was &ldquo;unsuccessful&rdquo; at first as I got in VirtualBox the dreadful BSOD, but I could boot using <code>kvm</code> &mdash; albeit, the guest was pretty slow.</p> <p>It was caused by the IDE/ATA drivers. So I booted with <code>kvm</code> and used the <code>MergeIDE</code> solution mentioned <a href="https://virtualbox.org/wiki/Migrate_Windows" referrerpolicy="no-referrer" rel="noopener noreferrer" target="_blank">here</a>. After doing that, I&rsquo;m able to boot into that image from VirtualBox and it actually runs fast in <code>kvm</code>.</p>