Ab Herbst muss man auch seinen PC rooten

Wer noch nichts davon gehört hat: Mit Windows 8 hat Microsoft die BIOS- und Systemhersteller „überzeugt“, dass PC nur dann mit Windows 8 geliefert werden dürfen, wenn diese SecureBoot unterstützen und per Default aktiviert haben. Gnädigerweise erlaubt Microsoft den Herstellern, SecureBoot abschaltbar zu machen. Wie einfach das geht, und ob es überhaupt implementiert wird, bleibt aber den Herstellern überlassen. Soweit so schlecht.

Fedora hat sich jetzt entschieden, über das Microsoft-Programm ihren Bootloader zu signieren, damit man in Zukunft Fedora booten (und installieren) kann, ohne SecureBoot auszuschalten.

Booting from an USB disk – even when your system doesn’t support it

I like using VMware Fusion on my Mac, but it has one shortcoming: it cannot boot from USB devices. You can use disk images (floppy, CD/DVD and harddisk) as well as a physical optical drive, but USB devices are not available. That’s unfortunate if you want to use VMware to prepare a hard disk for a machine, and want to test booting off that system before installing it in the machine.

When I install a new FreeBSD machine, I often start out from an existing FreeBSD machine and install directly from that running system, instead of booting off an install DVD. Obviously, using a virtual machine for this bootstrapping system, together with a USB hard disk adapter, is very convenient. But without being able to boot the VM off that USB disk, testing can be cumbersome.

I was very happy to come across Plop, a boot manager with many features. The most interesting one for me is it’s support for booting off USB devices without BIOS support. Plop includes its own U/O/EHCI driver, supporting standard USB 1.1 and USB 2.0 devices and ports.

Also very important: Plop can be run off a CD or floppy image, so you don’t need to (re-)configure your main hard disk. If I feel adventurous, I might look into patching the Plop BIOS extension into VMware, making booting even easier. For the time being, I’m using the floppy image, since none of my virtual (nor physical) machines have floppy drives any more.

Also, when you have an older machine which BIOS does not support booting off USB devices, Plop might be very helpful!

Getting sshd to start as early as possible

In FreeBSD, sshd by default gets started quite late in the boot process, about the same time a console will show the login prompt. There’s quite a few services that can make trouble and hang before that. Annoyingly, you can’t fix a stuck system via ssh, since it’s not started yet. But as it turns out, sshd can be started quite a bit earlier than FreeBSD does by default.

The rcorder keywords in /etc/rc.d/sshd normally look like this:

# PROVIDE: sshd
# REQUIRE: LOGIN cleanvar
# KEYWORD: shutdown

Change the rcorder keywords like so:

# PROVIDE: sshd
# REQUIRE: NETWORKING cleanvar
# BEFORE: mountcritremote
# KEYWORD: shutdown

 

Now sshd will be started right after the network has been configured.

Note that starting sshd before certain parts of the system are ready might give you temporary or permanent errors. For example, starting sshd before the user home directories are mounted might cause problems with logins. However, if your machine has all critical filesystems on local disks, making these changes should not pose any problems, and will allow you to log in while the rc scripts are still running, giving you the opportunity to fix any misbehaving services.

Running bash as root’s shell only when it’s not broken

I like bash, mostly for its interactive features over FreeBSD’s standard Bourne-compatible shell, ash.

Setting bash as the default shell for the root user however has a big downside: if you ever break bash or any of the libraries it depends on, you can’t log in as root anymore to fix it. I’ve tried quite a few ways to work around this, and I think I’ve finally figured out a good solution: leave the root shell as /bin/sh, and add this snippet at the end of /root/.profile:

[ -z "$BASH" ] && /usr/local/bin/bash -c 'true' && exec /usr/local/bin/bash

This will start bash, but only if the shell sourcing .profile isn’t bash, and bash can actually successfully be executed.

In FreeBSD 9, ash has apparently grown command name completion. Together with the editing functions (already available in FreeBSD 7), this might allow me to switch to ash as the default shell.

 

FreeBSD, CUPS and iPad printing

For the longest time, I couldn’t get CUPS configured on my FreeBSD server successfully. Between CUPS access rules, foomatic drivers and avahi announcements, I had terrible trouble making heads or tails of the nondescript error messages I was getting.

Spurned on by the arrival of an iPad, I finally sat down and worked through configuring CUPS and avahi. So I don’t have to go through all the fiddling again, here’s a recipe of what I did.

sudo per Wählscheibe

Netter Hack: wie man eine alte Wählscheibe als Eingabegerät für PAM und sudo umfunktionieren kann. Wenn jetzt Andreas endlich mal seine Stromschleifenschnittstelle bauen würde, würde ich auch den passenden Treiber für den Fernschreiber fertig machen…

http://hackaday.com/2011/02/01/rotary-dial-authenticates-sudo-commands/

Prepaid Mobile Data in France

For a recent two-week vacation in France, I wanted to get the netbook and the iPhones (SIM-locked) online, without having to hunt down hotel wifi or other hotspots. Unfortunately, the situation is not quite as simple as in Germany, where there’s many reasonable priced options. Here’s what I managed to find out.

Orange offers a prepaid data plan (“journée Internet max”) for 3 Euros a day, but by various accounts, it is limited to web access only (no email etc.), and might even have restrictions on the sites you can browse to. I didn’t try that. Orange also offers an iPad option.

SFR offers a special “iPhone 3G” tariff that seemed quite interesting at first: full web access as well as email, in multiple packages up to 20 euros for 20 days and 500MB. They specifically claim that it only can be used with an iPhone. To get it, you buy a pre-paid SIM card (SFR La Carte) from any of the SFR stores, and one of the iPhone 3G recharges (see the bottom of that page). The recharge is a long number that you can punch in at a voice prompt after dialling 952. I had a French speaker help me with that. At least in Paris, most of the SFR store people I’ve encountered speak passable or very good English, and they were all friendly and helpful, and did help with the activation. You then configure your device to use APN “wapsfr”, and off you go.

With the iPhone package, data connections are indeed limited, but a lot more that I originally thought: surfing was limited to the SFR mobile portal (m.sfr.fr). Whether this was due to the fact that I was using a Mifi to establish the data connection, or due to some real limitation on the part of SFR, I’m not sure, but I’ve read elsewhere that others have encountered this block as well.

Even when accessing the mobile portal, you must use Safari on your iPhone, or make your other browser appear as an iPhone. For Safari, enable the Developer menu, and change the User Agent to one of the Mobile Safari entries. I believe there’s a number of Firefox Add-ons that allow you to change the User Agent.

The good news is that email access via IMAP and SMTP worked just fine, with all our accounts configured.

To get full internet access, I used OpenVPN from the netbook to connect to my server running on one of the ports usually used for email. This way, I could move all the internet traffic through the VPN, and have full internet access from the laptop.

Finally, to be able to browse from the iPhones as well, I used tinyproxy on the netbook to enable the iPhones to use the netbook as a proxy that connects through the VPN. This gave us full internet access throughout our journey.

Getting things purchased and activated was a bit of an adventure, but was fairly straightforward in the end. I was positively surprised by the coverage (minimum EDGE, mostly HSPA), even though we went to some slightly remote places (small villages on the Loire, Mont Saint Michel). All the descriptions claimed that services were limited to “France métropolitaine”. Also, I was surprised that we seemingly didn’t exceed the 500MB limit, even though the traffic counter on the Mifi claimed we had.

I can recommend this only to people very familiar with networking technology and the willingness to spend a couple of hours in the hotel room fiddling, instead of on the streets of Paris. So plan to bring your favorite geek along for the ride 🙂

Where’s the doctor now?

The oldest, still running science fiction TV series, Doctor Who, has the Doctor jumping through time and space. A lot.

Now David McCandless has collected all of them in a huge dataset on his blog, waiting for someone to visualize them. As David writes in the Guardian,

I really wanted to do a mega-visualisation of all of the Time Lord’s journeys. But faced the cosmic task of trawling through well over 200 episodes, logging every time TARDIS was hurled through time and space.

Can’t wait for the results to show up!