Hey there!


How to disable spotlight on MacOS

So, few weeks after having this MacBook Air with horrid screen, I figured out that there is a small issue with RAM. 2 tasks permanently eating 2GB of RAM, effectively reducing 8GB of RAM this machine has, to only 6GB (which sadly isn’t enough these days, especially not for a power user, who wants to use Firefox and also some other programs – Mozilla expects that firefox is all you need, so it deliberately uses all free RAM you have :)).

The problem was with these 2:

  • Kernel task – obviously a kernel, but why does it need 1GB? I need to figure that out later
  • mdm_store – process belonging to “spotlight” which is some searching / suggestion feature I will never use

So I found some information about spotlight and people who wanted to disable to protect privacy. While I completely don’t care about that, I do care about my RAM, so here is how you can kill it permanently. Open a terminal and put there:

Here we go, 1GB of RAM back for use!




Why I hate wireless

There is this new ongoing trend, forced by Apple and companies that follow Apple, that everything must be wireless. Your headphones, your charger, phone, everything. No more cables.

Sure this is a step forward, no more cables, sounds really cool – but is the technology we have now ready for it? I don’t think so, for multiple reasons:

Batteries

Everything that is wireless must have a battery inside, otherwise it will not operate since it needs power. Can we create batteries that are eco-friendly and last forever? Nope.

For each wireless gadget we need to create a battery, which is actively harming environment, the battery adds to complexity and weight of the item and it is soon (within 5 years) going to wear out and whole thing becomes unusable. Not a big deal for large corporations like Apple that wish their consumers renewed (buy new) gadgets every year or two. The battery waste (old batteries) are also not very eco-friendly.

Energy efficiency

Wireless charging is least efficient charging that was ever invented. Not that typical charging was efficient, even that is wasting lot of energy, from total energy produced by power plant that is taken by a charger, only few percent is actual energy stored in a battery. But it’s even worse with wireless, the charger consumes huge amount of power just to store tiny amount of it in battery and it’s extremely slow.

 

These 2 things combined make wireless one of most disastrous innovation from ecological point of view – just image what would happen if everyone switched to wireless gadgets, the vast amount of used batteries and energy overhead from wireless charging would put huge impact on environment. Wireless may be a future, but technology is not yet there to use it in eco-friendly manner.




Optimizing Ansible for high performance

So, I have made a custom Ansible setup for more than 4000 servers in 12 different countries across the planet, and that gave me some insight into how to make it perform better.

First of all, sadly Ansible doesn’t yet support “proxy / caching servers” as in servers that you could use to execute playbook through. You can configure SSH proxy server, but that won’t help with performance. Only way to execute playbook from another server is to install Ansible there as well, sync the playbooks somehow and execute from this host.

Anyway, now for the performance hacks.

Redis caching

Major boost in performance. Simply install redis server on same host as Ansible and put this to configuration of ansible:

This will put all facts of every server you connect to into redis cache and next time you execute anything on that server (within 1 day), ansible will not gather facts again, but it would take them from redis cache.

Pipelining

Minor boost. But slightly helps:

Multithreading

Major boost, but not very stable, often causes troubles. Putting more than 20 makes Ansible quite unstable.

Example config

This config works pretty well to me:

 




How to install mdadm to XenServer 7

Based on https://discussions.citrix.com/topic/378478-xenserver-7-raid1-mdadm-after-install-running-system/

This post is basically just a backup of that forum post in case it become dead link




Letsencrypt kung-fu

Let’s encrypt CLI client is by far the most shittiest software ever invented, there is probably no doubt about it, but sadly, it’s the only interface that is supported, and unless you want to pay money for SSL certificate you need to live with that.

First of all – yes, their client (without asking or telling you) WILL run sudo and WILL use root and most likely WILL install garbage on your server that you don’t want to have there. If you never used letsencrypt client before, run it on testing VM first, before it desecrates your favorite web server with random garbage you don’t want there.

The letsencrypt client is written for dumb people, and it is based on undocumented black magic that I will try to uncover here a bit. The client basically works with a component called “certbot” which is a software that run on your server and does something to prove that you really own the domains for which you want to generate your SSL certificate. Because letsencrypt staff doesn’t want to bother you with technicalities they created this crap of a software to deal with them for you, in their own way, like it or not. It uses so called ACME (Automatic Certificate Management Environment) protocol to verify that you are owner. This thing is not a rocket science, and in a nutshell all it does is publish some data used to prove your ownership through your webserver, usually located on webroot/.well_known, their counter-party server will try to locate these by accessing your.domain/.well_known and in order to make it possible to verify your domain without modifications to your webserver, all you need to do is to create a central webroot and then make a symlink from all domain webroots to this one (just ln -s /var/www/letsencryptshite/.well_known /var/www/your.uber.tld/.well_known).

Once you do that, always pass these 2 parameters to their “software”:

I also strongly recommend you to maintain a comma separated list of all domains for which you want to get your certificate and store it somewhere like /etc/letsencrypt/domains because you will need to provide this list very often.

Now a little cheat sheet:

Renewing all domains

This can even be in your cron

You may need to restart / reload your web server after doing this, since the certificate will be overwritten, and Apache seems to be caching it somehow.

Adding or remove a domain and regenerate certificate

Modify your /etc/letsencrypt/domains list and run

Common locations:

/etc/letsencrypt – root of this thing’s config

/etc/letsencrypt/live – symlinks to current certificates, that’s where you can find chains for your domains

Example apache config that uses letsencrypt cert

 




Why SPF doesn’t solve anything in regards of e-mail spoofing

If you ever thought that having an SPF record would effectively prevent anyone from spoofing a delivery of e-mail from your domain, you were terribly wrong. It wouldn’t. This whole “sender policy framework” is built on top of flawed ancient SMTP protocol that never was designed with slightest security in mind.

Majority of all e-mail clients will display value stored in “From” of e-mail header as a sender of your e-mail. That is exactly the “sender” that SPF doesn’t check. SPF is checking the “envelope sender” which is something entirely else, and sadly, almost never displayed anywhere in e-mail clients.

Basically, delivering an e-mail on behalf of anyone that would pass SPF is as easy as spoofing the From in the mail header and sending this from a mail server that has its own IP in its own SPF record.

This 3rd domain would be a part of “envelope sender” which is however not visible anywhere in the mail client (unless you open original source) and SPF check would check against this domain. The spoofed domain that would be visible in mail client wouldn’t be checked anywhere though and most of users would be easily tricked by this.

There are ways to make this harder to do, such as implementing DMARC policies or DKIM, but again, most of regular users would easily be tricked. Nobody cares if e-mail was digitally signed or not, unless you explicitly tell them to do that.

As of now there is only one working protection when it comes to e-mails and that is: DO NOT TRUST THEM. Whatever e-mail you received, from whoever, may be a fake. Even GPG signature could be a fake if someone steals the private key of victim somehow. So yes, if someone is asking you for money in e-mail, or whatever else, better call them, or meet them in person. It can save you lot of troubles.




Gentoo quick setup (for advanced gentoo users)

  • May 8, 2016
  • Linux

This is an excerpt from gentoo handbook containing only the stuff that really matters, with no extra stuff:

Prepare your disks

Do I need to explain how? 🙂 if yes, this is not for you

Mount them

Prepare stage3

Chroot

Emerge setup

Kernel

Initramfs

Pick one

Filesystems

Just edit /etc/fstab

Networking

Grub

 




systemd cheat sheet

Services overview and unit files

The available unit files can be seen in /usr/lib/systemd/system/ and /etc/systemd/system/

Start / stop

Checking status

By default it should be possible to view the output of every unit using journal – journalctl

Enable / disable service

Power management

Modifying system

  • /usr/lib/systemd/system/: units provided by installed packages
  • /etc/systemd/system/: units installed by the system administrator

When you modify the unit file, you always need to run:

See https://wiki.archlinux.org/index.php/systemd for more information




New blog

Heya, I have decided to move from blogger to my own blog for couple of reasons. The biggest one was that blogger doesn’t support custom code formatters and I often need that when I am posting source codes.

I also got my own domain now 🙂

The contents of previous blog were imported back here and I will post new stuff here only.

Thank you for using my blog, I hope you will find it useful!




How to encrypt whole filesystem on Gentoo using LUKS

I struggled for days following outdated and incorrect gentoo wiki: https://wiki.gentoo.org/wiki/DM-Crypt_LUKS

Finally I figured out how to do that so I will share it here for future reference. This guide however may not work on future gentoo versions.

Note that primary difference between suggestions on Gentoo wiki is that disk is encrypted with -d – option which is necessary for it to work with dracut and genkernel generated initramfs which always use that option to open it.

Setup:

In this guide I have 1 physical disk with 2 partitions:
/dev/sda1 for /boot
/dev/sda2 for LVM with 2 LV’s
* root – /
* swap

Step 1:

Create an image of whole current filesystem for backup purpose

Step 2:

Before you reboot, prepare your initramfs so that it’s ready to work with luks, I am using dracut, there is high chance you won’t boot after encrypting so prepare it for debugging as well:

dracut -a crypt --install "bash vim"

Step 3:

Create an image of your root fs (boot from livecd)

dd if=<device> of=original_fs.iso

Store it on external disk.

Step 4:

Create a keyfile you will need to decrypt the filesystem, you can store this file on /boot partition, it will be encrypted with password:

openssl rand -base64 48 | gpg --symmetric --cipher-algo aes --armor > key.gpg

Step 5:

Encrypt sda2, this will wipe all data on it:

gpg -qd /boot/key.gpg | cryptsetup luksFormat -d - /dev/sda2

Step 6:

Mount the device and setup LV disks

Restore the fs:

dd if=original_fs.iso of=/dev/mapper/vg-root 

Step 7:

Mount fs

mount /dev/vg/root /mnt 

Now update /etc/fstab to contain proper stuff

Step 8:

Update /etc/default/grub and add kernel parameters:

rd.luks.uuid=<UUID of /dev/sda2> rd.luks.key=key.gpg:/dev/sda1:/dev/sda2

Now reboot and pray. It may fail, if you wait about 5 minutes, dracut might fall into recovery console which you can use to investigate what is wrong, try to mount the device by hand.