2014-07-01

iPXE - The Versatile Boot Loader

iPXE is a lesser known Open Source PXE boot loader which offers many interesting features:

Talk & Article

Since iPXE plays a role in the ImmobilienScout24 boot automation I gave a talk about it at the LinuxTag 2014. The talk is half an hour long and gives a quick introduction into iPXE. It covers build, configuration & scripting and shows how to develop boot scripts in iPXE with a very short feedback cycle.



Download the slides to the talk and the audio recording as a podcast.

At the conference the German Linux Magazin became interested in the topic and asked me to write an article about iPXE:

Der vielseitige Netzwerk-Bootloader I-PXE
Linux Magazin 08/2014


Demo Scripts

For the article I created a bunch of demo scripts that are available on Gist. To try them out follow these steps:
  1. Install QEMU, usually part of your Linux distro but also available for other platforms.
  2. Download my pre-built iPXE boot kernel ipxe.lkrn
  3. Start QEMU with ipxe.lkrn and the URL to the demo script:
    qemu -kernel ipxe.lkrn -append 'dhcp && chain http://goo.gl/j8MbXI'
  4. Try out the various options. The login will accept any password that is the reverse of the username.
This demo script looks like that:

And the QEMU boot looks like that:
ipxe-qemu-demo2-menu.png

Try it out

Anybody struggling with PXELINUX should most definitely check out iPXE to see if it provides a better alternative for their needs.

2014-06-26

automirror - Automate Linux Screen Mirroring


I do a lot of pair working and many times I connect a large TV or projector to my laptop for others to see what I am doing.

Unfortunately the display resolution of my laptop never matches that of the other display, and Linux tends to choose 1024x768 as the highest compatible resolution. This is of course totally useless for doing any real work.

My preferred solution for this problem is to use X scaling to bridge the resolution gap between the different screens.

Since none of the regular display configuration tools support scaling, I ended up typing this line very often:

xrandr --output LVDS1 --mode 1600x900 --output HDMI3 --mode 1920x1080 --scale-from 1600x900

Eventually I got fed up and decided to automate the process. The result is automirror, a little Bash script that automatically configures all attached displays in a mirror configuration. automirror is available on https://github.com/schlomo/automirror.

Typical Use Cases

Connecting a Full HD 1920x1080 display via HDMI to my 1600x900 laptop. In this case automirror will simply configure the HDMI device with 1920x1080 and scale the 1600x900 laptop display. As a result I stay with the full resolution on my laptop display and it also looks nice on the projector.

Another case is where I work with a 1920x1200 computer monitor and add the 1920x1080 projector as a second display. Again the common resolution offered by both devices is 1024x768. automirror will recognize my 1920x1200 display as primary display and scale it to 1920x1080 on the secondary display, which is not really noticeable.

It is recommended to configure a hot key to run automirror so that one can run it even if the display configuration is heavily messed up. In rare cases it might be necessary to run automirror more than once so that xrandr will configure the displays correctly.

2014-06-20

Granting root access in a DevOps world

At the 2014-06 Berlin DevOps Meetup this week we had an interesting fish bowl discussion about

What is the risk of giving DEVs root access in production?

Since I suggested the topic I was asked to give a short introduction into the topic:


The discussion that followed was surprising in several aspects:
  • A major concern is safeguarding the production data, but nobody had a really good solution for that. Many people have more problems with Developers seeing live customer data than with Developers changing something in production.
  • "Nobody should have root" was proposed by a security specialist, but he had no practical working example for this approach.
  • The question is tightly coupled to the degree of automation. The more automation you have the less need for anybody (Dev or Ops) to use their root privileges.
  • Not everybody having root access knows what to do with it. Developers are sometimes afraid of using their power if granted root.
  • This is mostly a question for larger companies and classical IT organizations. Small companies and start ups just give root to everybody who knows what to do.
For me that was the first time having this discussion when nobody tried to prove that Developers should in principle not get root access. The Test Driven Infrastructure fish bowl at the Berlin DevOps Meetup 2013-12 last year also touched upon this topic and the discussion was much more against giving root access to Developers.

My personal opinion is that in a DevOps world people are in the focus of our interest. The official title or organizational position should matter less than what the people are doing. We should therefore give root access to people based on
  • Trust to act in our common interest
  • Commitment to fix everything they break
  • Skills to tread carefully in our production environment

2014-06-13

My SMART TV - Linux For The Win

I love my "smart" TV - it has Linux inside, which is the base for a whole range of nice hacks.

TV Router

The most important one is that the TV is actually a wireless router that provides Internet via Ethernet to my TV rack. Usually the Ethernet connection is used by the Playstation or a Raspberry Pi.
The original reason for this hack was simple: The Playstation 3 has a really really bad Wifi reception which made watching Netflix nearly impossible and the unavoidable PS3 updates painfully long. The USB Wifi adapter connected to the TV has a much better reception, sharing it with the PS3 solved all the performance problems.

Samsung Linux TV

And here comes the good part. The TV (Samsung LE32C650) runs Linux inside and there is an Open Source project (SamyGO) that "opens up" the TV firmware and extends this Linux with useful tools.

In my case I only had to enable IP forwarding, configure a static IP on the Ethernet interface (eth0) and start a DHCP server on it. The Samsung kernel already included IP forwarding (thanks!) and the DHCP server is part of Busybox that comes with SamyGO.

NFS

Another benefit from rooting the TV is the option to add NFS support. The TV has a great media player that plays almost all file formats, even with subtitles and multiple audio tracks. The player can fast forward/rewind and even remembers the last playback position for each video. But all of these nice features only work when playing videos from USB storage, not over DLNA.

Thanks to SamyGO it is possible to mount a NFS share onto a directory on a USB stick. The TV thinks that the NFS share is on the USB stick and happily plays all the videos with all the fancy features.

Wife Acceptance Factor

Back in 2010, when I bought the TV, this was a really cool solution with a high WAF because both watching TV and videos from our collection work with the same remote control. Nowadays I would probably just attach a Raspberry Pi (with OpenELEC) to the TV and enjoy the seamless integration thanks to HDMI CEC. But it is still nice to know that I can extend my TV to better serve our needs.

I can only hope that the next TV will be equally hack friendly.

2014-05-28

Win-Win: Employer Branding and Corporate Social Responsibility

Does your company care about employer branding? Probably yes.

Does your company care about corporate social responsibility? Probably yes.

Does your company combine these two to create a win-win situation? Most likely not!

Take my employer ImmobilienScout24 as a typical example: The about us page mentions that ImmobilienScout24 is a great place to work (4th in our region) and the CSR team talks about the social engagement, e.g. blood donations or the social day where all employees donate their work time to non-profit organizations.

However, there is no obvious connection between these two things.

I would like to suggest a simple way how to combine both employer branding and corporate social responsibility:

A company should make it a priority to support charitable organizations and social projects related to their own employees.

Examples:
  • Sponsor non-profit organizations or neighborhood/community projects that employees are involved with.
  • On social day, go to schools and kindergartens where employees are parents.
  • Involve employees who are in the red cross or similar organizations to organize the annual blood drive.
  • Support local or neighborhood charity organizations instead of global ones.
Basically the idea is that CSR related activities should be geared around the employees' private lives and activities.

This will create a win-win situation and especially help to retain employees because they get additional fulfillment and satisfaction from their employer supporting their social engagement.

There are no added costs involved; it is enough to change the way CSR budgets are spent.

I mostly hear these arguments against this idea:
  1. CSR spending must be charitable beyond doubt, employee projects could be too narrowly orientated to count as generally charitable.
  2. Employee-oriented sponsoring would lead to envy between colleagues.
  3. The danger of personal enrichment or employees taking personal advantage is too high.
  4. Niche projects and small target groups would get too much funding compared.
  5. Employees who are less outspoken or less engaged would be disadvantaged.
All these arguments are most certainly valid and represent the fear that "something could go wrong". Of course sponsoring a large and well-established institution is much easier and safer, but also much less gratifying. And much less worthy of press attention and less outstanding.

I believe that all these concerns can be addressed by establishing simple rules related to funding:
  • Communicate the concept of employee-oriented CSR funding to all employees so that everybody understands the value of making CSR spending more personal and more related to the people.
  • Make CSR funding very transparent - from the internal application through the reasons given till the detailed spending report.
  • Publish follow-ups on past fundings to ensure sustainable spending and to give positive examples.
  • Make a very visible call for participation to invite all employees to suggest organizations and projects they care about.
  • Not every single project must be charitable for the general population - all projects taken together should have a sufficiently wide spread.
With these rules a company can easily resolve the concerns preventing the beneficial combination of CSR spending and employer branding.

The following links discuss this idea in part without drawing the obvious conclusion that smarter CSR funding could improve employer branding for free:
Image: © Can Stock Photo Inc. / ribah2012 and / mindscanner

2014-05-22

Adding Custom Menus for Linux Desktops

The "Start Menu" of a Linux Desktop usually comes with a predefined set of categories that make up the sub menus. If you have a lot of custom applications then you might want to group them under a dedicated sub menu instead of having them spread out over all the menu categories.

Adding sub menus and new categories on Linux Desktops is defined in the Desktop Menu Specification in Appendix C. It turns out that it is really simple and the following example from ImmobilienScout24 can serve as a base for your own custom menu.

You will need the following parts:
  1. A Desktop file using a custom category
  2. A Directory file defining the icon and description for the new sub menu
  3. The icon for the sub menu
  4. An XML file describing how to integrate the new sub menu into the menu structure and which categories of Desktop files to show in the new menu
The Desktop file describes the menu entry, in this example the VPN client:
The important part here is the Categories entry which specifies a generic category (Network) and a new custom category (X-IS24). The Desktop Menu Specification states that custom categories must start with X-. The Desktop file usually goes to /usr/share/applications.

The Directory file also conforms to the Desktop Entry Specification but is of Type Directory:
The XML file is placed usually in /etc/xdg/menus/applications-merged and extends the menu structure with the new sub menu, tying together the categories and the Directory file:
In this case we also exclude the X-IS24 category from the Network category so that our menu entries will not show up in several sub menus.

KDE, Gnome Classic, XFCE and other desktops with a regular menu all follow the same standards and show the new sub menu. Unity and Gnome 3 seem to have a fixed set of built-in categories and don't show the new sub menu as a new category.

2014-05-15

Simple Video Presentation with Raspberry Pi

Playing videos in an endless loop is a common problem:
  • Product demos at a trade show or fair
  • Infomercials in a public place or foyer
  • Background fun at a party
  • ...
When I faced this problem at the last LinuxTag we did not want to take a full blown computer with us but make do with a Raspberry Pi. The question was how to turn the Pi into a simple video player with a minimum amount of fuss.

The solution is simple and elegant:
  1. Install OpenELEC (an XBMC distribution) on a SD card
  2. Boot it up once in the Pi to initialize the storage partition
  3. Add the following file in the storage partition as .xbmc/userdata/autoexec.py
  4. Add any amount of multimedia files in the storage partition under videos/
  5. Boot up the Pi and enjoy your videos
You can also interrupt the playback and use OpenELEC normally. To go back to the automatic playback simply reboot the system.

And here is our booth with the demo videos in front:

2014-05-02

Simple file patching with sed

Patching configuration files is like the bread-and-butter job of every configuration management. In our package-based deployment world we try to minimize the patching to the absolute minimum, usually to "enable" modularized configuration patterns.

The best example is the Apache Webserver, where we have a wrapper RPM package with a %post script that simply replaces (and not patches) the upstream configuration with a few include lines:

Sadly there is still a lot of software that does not support includes in its configuration. For these we of course have to patch the existing configuration and use this short and simple config patcher in our RPM %post scripts, for example like this for sshd_config:

The trick of this snippet is that in the end the changed parts are always at the top of the file. It is also important to always embed some information about the cause of the patch so that one can easily find out who or what is responsible for the file. The %-variables are filled in by RPM and provide precise information about which package caused this change.
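
A sketch of such a config patcher, added here as an example (it is not the snippet from the original post): `patch_config`, the marker text and the sample file are assumptions. It removes the existing global lines for the given keywords with sed and writes the new settings, with a comment naming their origin, at the top of the file.

```shell
#!/bin/sh
# Added example, not the snippet from the original post. The function name,
# the marker wording and the sample file in demo() are assumptions.

# patch_config FILE ORIGIN "Keyword value" ["Keyword value" ...]
# Deletes the active global lines for each keyword (everything before the
# first Match block) and writes the new settings at the top of FILE, below a
# comment naming ORIGIN. In an RPM %post script ORIGIN would be built from
# macros such as %{name}-%{version}-%{release}.
patch_config() {
    file=$1 origin=$2
    shift 2
    tmp=$(mktemp) || return 1
    printf '# Managed by %s, manual edits will be overwritten\n' "$origin" >"$tmp"
    # sed script: outside the range "first Match line to end of file", drop
    # the old marker and every line that sets one of our keywords.
    script='/^[[:space:]]*Match[[:space:]]/,$!{
/^# Managed by /d'
    for setting in "$@"; do
        printf '%s\n' "$setting" >>"$tmp"
        script="$script
/^[[:space:]]*${setting%% *}[[:space:]]/d"
    done
    script="$script
}"
    sed -e "$script" "$file" >>"$tmp" || { rm -f "$tmp"; return 1; }
    # Overwrite in place so that owner and mode of FILE are preserved.
    cat "$tmp" >"$file"
    rm -f "$tmp"
}

# Constructed sample: a global setting, a commented default and a Match
# block whose own override must survive. Patched twice to show idempotency.
demo() {
    conf=$(mktemp) || return 1
    printf '%s\n' '#PermitRootLogin yes' 'PermitRootLogin yes' 'UsePAM yes' \
        'Match Address 10.0.0.0/8' '    PasswordAuthentication yes' >"$conf"
    for run in 1 2; do
        patch_config "$conf" 'example-sshd-config-1.0-1 (constructed)' \
            'PermitRootLogin no' 'PasswordAuthentication no'
    done
    cat "$conf"
    rm -f "$conf"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

For sshd_config the position matters: sshd uses the first value it obtains for each keyword, and lines appended after a Match block would only apply inside that block. Running `sshd -t` after patching checks the file before the daemon is restarted.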

2014-04-04

Automated OpenSSH Configuration Tests



When developing or fine-tuning OpenSSH configurations the testing can be quite tiresome: Change configuration, restart server, run manual tests, repeat. Not to forget the many times when restarting the SSH server does not work and you lock yourself out of your test server.

When writing a Linux Magazin article about SSH key management I wanted to show how to use OpenSSH PKI in a repeatable way. The result is an automated test suite for OpenSSH configuration:
$ ./run_demo.sh
... lots of info output running through ...
SSH PKI Demo Test Results:
Succeeded create-ca-key
Succeeded create-host-key
Succeeded sign-host-key
Succeeded create-user-root-key
Succeeded sign-user-root-key
Succeeded create-user-unpriv-key
Succeeded sign-user-unpriv-key
Succeeded test-trusting-known-hosts-via-cert-and-login-with-password
Succeeded test-that-hostname-in-cert-must-match-target-host
Succeeded test-login-with-root-key-trusted-by-cert
Succeeded test-that-username-in-cert-must-match-target-user
Succeeded test-revoked-ca-key-prevents-login
Succeeded test-revoked-user-key-prevents-login
Succeeded test-revoked-host-key-prevents-connection
Succeeded in running all tests, congratulations!
It does not require root permissions and creates a fake environment where it can start an SSH server and connect a client to it. The test also creates the required SSH CA Certificate, host and user keys to serve as a practical example of how to use OpenSSH PKI.

Based on this script it is very easy to write your own tests that verify other aspects of OpenSSH configuration as part of your Test Driven Infrastructure.

The code is available on my GitHub repository: https://github.com/schlomo/openssh-config-test
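
The certificate checks behind three of the tests above can be reproduced offline with ssh-keygen alone. This is an added example, not code from the openssh-config-test repository; all file names, key IDs and principals are constructed, and `cert_login_ok` is a hypothetical helper that only approximates what sshd decides.

```shell
#!/bin/sh
# Added example, not code from openssh-config-test. File names, key IDs and
# principals are constructed; only ssh-keygen is needed (no root, no sshd).

# make_pki DIR: a CA, two user keys with certificates (principals alice and
# bob) and a KRL that revokes alice's key.
make_pki() {
    d=$1
    for k in ca alice bob; do
        ssh-keygen -q -t ed25519 -N '' -C "demo-$k" -f "$d/$k" || return 1
    done
    for u in alice bob; do
        # -s: sign with the CA key, -I: key ID that shows up in the logs,
        # -n: principals, -V: lifetime. Writes $u-cert.pub next to $u.pub.
        ssh-keygen -q -s "$d/ca" -I "demo-$u" -n "$u" -V +1h \
            "$d/$u.pub" || return 1
    done
    # -k: build the key revocation list that sshd reads via RevokedKeys.
    ssh-keygen -q -k -f "$d/krl" "$d/alice.pub"
}

# cert_principals CERT: print the principals listed in the certificate.
cert_principals() {
    ssh-keygen -L -f "$1" | awk '
        /Critical Options:/ { on = 0 }
        on                  { print $1 }
        /Principals:/       { on = 1 }'
}

# cert_signed_by CERT CA_PUB: true if CERT names CA_PUB as its signing CA.
cert_signed_by() {
    signer=$(ssh-keygen -L -f "$1" | awk '/Signing CA:/ { print $4 }')
    trusted=$(ssh-keygen -l -f "$2" | awk '{ print $2 }')
    [ -n "$signer" ] && [ "$signer" = "$trusted" ]
}

# cert_login_ok CERT CA_PUB KRL USER: offline version of three of the checks.
# Returns 1 for an untrusted CA, 2 if USER is not a principal,
# 3 if the key is revoked, 0 otherwise.
cert_login_ok() {
    cert_signed_by "$1" "$2" || return 1
    cert_principals "$1" | grep -qx "$4" || return 2
    ssh-keygen -Q -f "$3" "$1" >/dev/null 2>&1 || return 3
}

if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d) && make_pki "$dir" || exit 1
    for u in alice bob root; do
        rc=0; cert_login_ok "$dir/bob-cert.pub" "$dir/ca.pub" "$dir/krl" "$u" || rc=$?
        echo "bob's certificate used as $u: $rc"
    done
    rm -rf "$dir"
fi
```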

2014-03-24

Opening a Window to a Wider World

When I bought a new Chromebook Acer C720 last week I got confirmation that times are changing: It has only an HDMI connector, no more VGA. Luckily, at ImmobilienScout24 we are also adapting and last month our big projector got an upgrade to Full HD with 16:9 Wide Screen. And you can now connect the computer through HDMI, too.

Since I myself got so used to creating presentations in 4:3, I took the opportunity to remind myself and everybody else why it really pays to pay attention to this little detail.

Video is in German with English subtitles.