Monday, June 30, 2014

Replicating Fedora Machines using Kickstart

Sometimes one wants to install more machines the same as one that is already working.  Replication is one point where Linux is light years ahead of the competition.

Using Kickstart, you can roll out thousands of identically configured machines (with hardware that may be completely different) in a jiffy - Kickstart will automatically install the correct device drivers.

The Skinny

I usually do it manually, since it is too simple to bother scripting:
  • Save file /root/anaconda-ks.cfg
  • Save /etc/yum.repos.d with tar -zcvf yum.repos.d.tgz /etc/yum.repos.d
  • Save the packages list with yum list installed > packages
Use the saved kickstart file to install the new machine, untar the repos and run yum -y install $(cat packages) or yum -y install < packages

Booting Kickstart

Kickstart is the remote control system of the Red Hat Anaconda installer.

A Kickstart installation requires access to the Linux installation media on a local CD-ROM drive or hard drive, or over the network using HTTP or NFS.

If you need just one or two new machines, then do it manually.  If you need hundreds or thousands, then it is worth modifying the Kickstart file to make installation completely hands free.

To use a Kickstart file to install a system:
  1. Boot the system from a Live CD or USB schtick. If you need to modify the boot command, press Esc to access the command line.
  2. If you have not customized the boot medium to use Kickstart, use the ks option to specify the location of the Kickstart file.

    For example, the following boot command specifies that the Kickstart file is on the boot CD:
    boot: linux ks=cdrom:/ks.cfg
    If the Kickstart file is located on an NFS server, you might use a boot command such as the following:
    boot: linux ksdevice=em1 ip=dhcp ks=nfs:
    where ksdevice=em1 specifies the network interface and ip=dhcp specifies that DHCP should be used to configure this interface.
That is all there is to Kickstart - it works.

Synchronizing Two Machines

If you have two existing machines and you want to ensure that they have the same packages installed, then you can use dnf or yum:

Get the list of installed packages on one machine (sort, just makes it nice):
$ rpm -qa --qf "%{name}.%{arch}\n" | sort > packages.lst
Install missing packages from the list on the other machine:
$ sudo dnf install $(cat packages.lst)

Do it both ways and they will end up the exact same.
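An added example (not from the original post) for the two package-list procedures above: it reduces `yum list installed` output to bare name.arch entries and prints what the second machine is missing, so the list can be reviewed before it is handed to `yum` or `dnf`. The function names and all sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and all sample data are constructed.

# Reduce `yum list installed` output to sorted name.arch entries.
# Header lines have no dot in field 1 and wrapped continuation lines
# start with a space, so both are dropped.
names_from_yum_list() {
    awk '/^[^ ]/ && $1 ~ /^[A-Za-z0-9][A-Za-z0-9._+-]*\.[A-Za-z0-9_]+$/ { print $1 }' "$1" |
        LC_ALL=C sort -u
}

# Print the entries of SOURCE ($1) that are absent from TARGET ($2).
# Anything not shaped like name.arch (for example a token starting with
# "-", which the installer would parse as an option) is dropped.
# FILENAME is compared instead of NR==FNR so an empty TARGET still works.
missing_on_target() {
    awk 'FILENAME == ARGV[1] { have[$0] = 1; next }
         /^[A-Za-z0-9][A-Za-z0-9._+-]*\.[A-Za-z0-9_]+$/ && !($0 in have)' \
        "$2" "$1" | LC_ALL=C sort -u
}

demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed `yum list installed` output from the working machine
    cat > "$tmp/yum.out" <<'EOF'
Loaded plugins: langpacks
Installed Packages
bash.x86_64                 4.2.47-2.fc20          @updates
a-very-long-package-name-that-wraps.noarch
                            1.0-1.fc20             @fedora
streamripper.x86_64         1.64.6-12.fc20         @fedora
EOF
    names_from_yum_list "$tmp/yum.out" > "$tmp/source.lst"
    # Stray option-like token in the list: must not reach the installer
    printf '%s\n' '--some-option' >> "$tmp/source.lst"
    # Constructed name.arch list from the second machine
    printf '%s\n' 'bash.x86_64' > "$tmp/target.lst"
    missing_on_target "$tmp/source.lst" "$tmp/target.lst"
    rm -rf "$tmp"
}

demo
```

The output of `missing_on_target` is the list to review and then install on the second machine.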

La Voila!

    Friday, June 27, 2014

    Ramadan Kareem

    Fortunately, it only hits 50 degrees Celsius a few days in the year.

    BTW, Lulu Hypermarket seems to be the only place that sells big black umbrellas in summer.

    Actually even hotter than John Fogerty rambled on about:

    Thursday, June 19, 2014

    Franz Kafka strikes again

    In a case seemingly from the pen of the late Czech writer Franz Kafka, the United States Court of Appeals for the Seventh Circuit has ruled against terrorism suspect Adel Daoud, saying that he and his attorneys cannot access the evidence gathered against him.

    Daoud, an American citizen, was arrested in an FBI sting operation in Chicago, for attempting to bomb a bar.

    When Daoud’s lawyers discovered that this case involved secret evidence that they had not been privy to, they eventually asked the court to notify them whether any of the evidence had been gathered under a Foreign Intelligence Surveillance Court (FISC) order.

    I commend the FBI for catching idiots like this, but this is not how the justice system is supposed to work.  Secret trials are a ridiculous perversion.

    Friday, June 13, 2014

    Streamripper on Fedora 20

    I live in a desert oasis, right behind a huge radio tower, yet the only radio station that I can reliably pick up is Abu Dhabi Classic, which I guess comes from this stupid tower.  That gets rather trying after a while.  The internet connection at home is fibre - everything comes over that - TV and net.  Therefore, to get something to listen to in my car, I record internet radio streams onto a USB stick using streamripper.

    Streamripper works like magic.  It somehow avoids recording commercials (well, at least, the vast majority of them) and it will not save the same song multiple times.  The main problem with it is getting the stream descriptors into a working format.  I used to use streamtuner as my interface to the network radios and it includes streamripper, so the combination was perfect.  Lately however, streamtuner doesn't work and I am too lazy to fix it myself. (Update: I got streamtuner to work using a special RPM made by a kind soul on  The problems are due to missing Python libraries in the spec file).

    # yum install streamripper -y

    So, now I play music with iTunes on my Mac, make a playlist of the most palatable radio stations and then export the playlist to m3u (select m3u in a dropdown), then copy and paste the URLs into a script for streamripper, something like this:

    #! /bin/bash
    cd /home/herman/Music
    streamripper &
    streamripper &
    streamripper &
    streamripper &

    and leave it running for a couple of days in a Fedora 20 virtual machine on the Mac.  Obviously, the more streams you rip in parallel, the faster your collection will grow and it is easy to get ten of them going simultaneously.  In one hour, you can amass music for a fade free cross country trip.

    The result is an eclectic mix of music, enough for a year of ordinary driving around, before it drives me nuts again.

    Thursday, June 12, 2014

    Encryption Test

    So, how can one tell whether something is encrypted?

    One way is to try to compress a chunk of the encrypted data.  If it compresses at all, then the encryption is suspect.

    Let's test the encryption of the swap partition.

    # swapon
    /dev/dm-0 partition 3.8G 151.2M -1

    # dd if=/dev/dm-0 of=swaptest bs=1M count=1
    1+0 records in
    1+0 records out
    1048576 bytes (1.0 MB) copied, 0.011246 s, 93.2 MB/s

    # ls -al swaptest
    -rw-r--r--. 1 root root 1048576 Jun 12 08:50 swaptest

    # gzip -9 swaptest

    # ls -al swaptest.gz
    -rw-r--r--. 1 root root 1044778 Jun 12 08:50 swaptest.gz

    Hmm, it actually compressed a little bit, so my swap encryption is suspect, probably due to some repeating headers, but if it reduced by half, then it would have been clear that there is no encryption at all.

    Let's look at the swaptest file with hexedit and see whether there is readable stuff in there:

    # dd if=/dev/dm-0 of=swaptest bs=1M count=1

    # hexedit swaptest

    00000FB4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ....................
    00000FC8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ....................
    00000FDC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ....................
    00000FF0 00 00 00 00 00 00 53 57 41 50 53 50 41 43 45 32 42 B4 A7 26 ......SWAPSPACE2B..&
    00001004 59 5F 1E FC 09 62 95 E2 DC A4 9D 5D DE 08 5C 6D 96 06 A0 FD Y_...b.....]..\m....
    00001018 20 E3 62 AE 92 5B 7D A6 68 20 4E 43 72 84 6B E9 AE CF 7F F3 .b..[}.h NCr.k.....
    0000102C C9 98 4A 78 8D 84 B6 7E 44 93 43 86 C5 C7 B2 1A CE A6 82 91 ..Jx...~D.C.........
    00001040 50 CE 42 93 BD 22 F2 E7 C9 5A 37 21 62 4A 2E FD 6D A5 34 17 P.B.."...Z7!bJ..m.4.

    OK, that explains it. The first kilobyte is zeroes, which will compress nicely.  After that, it looks OK - whew!
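An added example (not from the original post) that runs the same gzip test one block at a time, so a compressible region such as the zero-filled start of the dump is located by offset instead of being averaged into the whole-file result. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and the sample file are constructed.

# For each BLOCK-byte block of FILE, print "offset length gzip_size"
# when gzip -9 makes the block smaller, i.e. the block does not look random.
compressible_blocks() {
    file=$1
    block=${2:-4096}
    size=$(wc -c < "$file")
    size=$((size))                       # strip padding some wc builds add
    offset=0
    while [ "$offset" -lt "$size" ]; do
        len=$((size - offset))           # the last block may be short
        if [ "$len" -gt "$block" ]; then len=$block; fi
        gz=$(dd if="$file" bs="$block" skip=$((offset / block)) count=1 2>/dev/null |
             gzip -9 -c | wc -c)
        gz=$((gz))
        if [ "$gz" -lt "$len" ]; then echo "$offset $len $gz"; fi
        offset=$((offset + block))
    done
    return 0
}

demo() {
    sample=$(mktemp) || return 1
    # Constructed sample shaped like the dump above: one 4 KiB block of
    # zeroes followed by two blocks of random-looking data.
    { head -c 4096 /dev/zero; head -c 8192 /dev/urandom; } > "$sample"
    compressible_blocks "$sample" 4096
    rm -f "$sample"
}

demo
```

Point it at a sample such as the `swaptest` file produced by `dd` above. Take the sample from the device that holds the ciphertext: the mapped node of a dm-crypt volume presents the decrypted view.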

    Saturday, June 7, 2014


    The latest compromise found in OpenSSL is not a backdoor by itself, but it provides a great DIY Kit to subvert the system and it is conveniently built right into the Windows software API:

    OpenSSL should not be lightly discarded, it should be thrown, with great force and the programmers who are responsible for subverting it cannot be trusted ever again.

    OpenBSD needs your support to reconstruct this crucial piece of security software the right way - please donate:

    Friday, June 6, 2014

    Lies, damned lies and site statistics

    Everyone who has to deal with computers has to deal with the mess that is Windows from time to time.  My main beef with Windows is that one cannot fix it when it is broken and I don't like being beholden to an incompetent 3rd party.

    Conventional wisdom says that Windows is used primarily by clueless home users and cheapskate businesses, while true card carrying computer geeks prefer some sort of UNIX.  A year ago, that was true and my site visitors always were about 70% Windows.

    Lately, my site visit statistics show some interesting trends though.  During the week the visitors are 40% Macs, while during the weekend, it is 40% Linux.

    Could it be that both corporate and home users are smartening up and are abandoning Windows in favour of Mac and Linux?