Monday, December 11, 2017

Be Careful With Your SSD On Linux

My laptop has an SSD instead of a spinning hard disk.  The first laptop I had with an SSD was a company-issued ThinkPad with either a 32GB or 64GB SSD.  It was entirely too small for what I was doing at the time.  After that, I always chose capacity over speed for my laptop hard disk.

Skip to now and SSDs for laptops are entirely usable capacity-wise.  So my ThinkPad now has a 1TB SSD in it.  It came with one when I bought it, but I recently had to replace it because it failed.  SSDs are great, but you can beat them up rather quickly if you're not careful.

On my laptop I also use the LUKS encryption for my /home volume.  I don't encrypt the entire laptop because I don't really care that my man pages are encrypted or my cups configuration file is encrypted.  Just the stuff in /home is important to me.  What I failed to do was make sure I open the LUKS device with --allow-discards on the cryptsetup(8) command.

The --allow-discards option enables TRIM or UNMAP on the underlying device, though it's probably TRIM in nearly every case.  Without getting into the technical details, this enables the kernel to handle unused blocks differently on an SSD than on a spinning hard disk.  TL;DR, this is important to not wear out the flash memory quickly.

So that's what happened to me.  And the failure was interesting too because the laptop just started acting very strangely until eventually write operations failed and then it started lying and saying the device was full.

Make sure you're unlocking LUKS volumes on SSDs with --allow-discards.  Every distribution is a little different, but a common method is defining the device in /etc/crypttab with the options you need to use.
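An added check, not from the post, for whether a mapped LUKS volume really has discards enabled: it parses the crypt target line that dmsetup table prints.  The mapping name, the UUID placeholder and the sample table lines are assumed.

```shell
# Added example (not from the post): decide from a `dmsetup table <name>` line
# whether a dm-crypt mapping was set up with discards allowed.
# Crypt target line format:
#   <start> <len> crypt <cipher> <key> <iv_offset> <device> <offset> [<#opts> <opt>...]
# dmsetup masks the key field unless --showkeys is given, so no real key appears here.
dmcrypt_has_discard() {
    set -- $1                                        # split the line into fields
    [ $# -ge 8 ] && [ "$3" = "crypt" ] || return 2   # not a crypt target
    shift 8                                          # drop the eight fixed fields
    [ $# -gt 0 ] || return 1                         # no optional parameters at all
    _n=$1; shift                                     # number of optional parameters
    while [ "$_n" -gt 0 ] && [ $# -gt 0 ]; do
        [ "$1" = "allow_discards" ] && return 0
        shift; _n=$((_n - 1))
    done
    return 1
}

# Constructed sample lines (key masked with zeros, as dmsetup does without --showkeys)
WITH_DISCARD='0 1953523712 crypt aes-xts-plain64 0000000000000000 0 8:3 4096 1 allow_discards'
NO_DISCARD='0 1953523712 crypt aes-xts-plain64 0000000000000000 0 8:3 4096'
NOT_CRYPT='0 1953523712 linear 8:3 2048'

# Equivalent /etc/crypttab entry (assumed mapping name, placeholder UUID); the
# "discard" option makes the boot scripts pass --allow-discards to cryptsetup:
#   home  UUID=<PLACEHOLDER-UUID>  none  luks,discard
# Manual equivalent (assumed device):  cryptsetup open --allow-discards /dev/sda3 home
# Live check as root:
#   dmsetup table home | { read -r line; dmcrypt_has_discard "$line"; } && echo "discards on"
```

The cryptsetup man page notes that allowing discards lets anyone with the raw device learn which blocks of the encrypted volume are unused, which is why it is off by default; the wear argument above is the trade-off you are accepting.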

Monday, October 9, 2017

AOL Instant Messenger Shutting Down

After 20 years or so, AOL Instant Messenger is shutting down.  Not really a surprise.  A lot of instant messaging services have come and gone.  I still have an AIM account that is named after an FCC callsign I was granted in 2000 but no longer have.  At the time it was easy to communicate with less techy friends and family and it was easy to use on Linux with programs like gaim.

I currently use it through a program called bitlbee and then interact with that through irssi.

While AIM is shutting down, I still have Facebook Messenger, Google Hangouts, and regular IRC on FreeNode.  I also use email.

Remember ICQ?  It's apparently still running and I think people are using it.  Implementations come and go but there will always be a way to do instant messaging in some capacity.  People seem to like that.  Right now I am working on a more integrated and reliable setup for my Facebook Messenger+Google Hangouts+IRC setup so I can move between computers and networks and have everything move between clients.  Yeah, that'll totally work.

Friday, October 6, 2017

Hold On Let Me Start the Recording

"Hold on, let me just start the recording...ok, you're good."

During meetings and conference calls, I find it common for large meetings to have someone insist on recording the call.  Or in the case of video conferencing, recording the session as a movie.  But why?

I assume the thought process is that those who can't make the meeting will listen to or watch the recording later.  I can say with 100% certainty that I have never done that.  Has anyone?  If you didn't have time for a 1 hour meeting, what makes anyone think that I will somehow have a separate hour somewhere to listen to the recording?

If the recordings are being kept for logging purposes...ugh, there are better ways.  How much of the call will be people asking if they can be heard, for others to go on mute, and nonsense chatter while waiting for the moderator to join?  ALL CALLS!  The recording is unedited, so the later listener fortunately has an opportunity to relive this hour of unproductivity.

Stop recording calls.  If you're trying to catch people up later, write up minutes.  It's far more effective.  If you're recording it because someone is giving a demo or presentation, have them make an edited webinar recording elsewhere and pass that around.

Thursday, October 5, 2017

Encrypted /home Volumes

On my laptops and workstations, I keep my /home volume encrypted using LUKS (Linux Unified Key Setup).  This is the sort of thing that you should do, regardless of your operating system.  I set up my systems to carry a separate /home volume from the rest of the filesystem.  I leave everything else on the system on unencrypted volumes because I see no value in keeping executables, libraries, and system configuration files encrypted.  For configuration files I do care about, I put them in /home/etc and link them back to the expected path.

Recently I upgraded the kernel on my laptop to a newer version.  I build and install my own kernels because I'm a Linux greybeard and that's what I've always done.  I also like to stay moderately up to date on happenings in the kernel.  I used to read LKML, but I just don't have the time anymore.

When I build a new kernel, I start with the configuration file for the one I am currently running.  I do make olddefconfig and then run make menuconfig to look through any new things.  Occasionally this process will cause existing configuration options to be lost.  The defconfig step isn't flawless, but that's ok.

My recent upgrade had this happen specifically with regard to the AES-NI modules in the kernel.  Intel processors come with CPU instructions for AES encryption functionality and software using these instructions significantly speeds up encryption operations.  It's instructions like this that help LUKS volume encryption work transparently and not impact overall system performance.  If you lack these instructions, the kernel will continue to function for LUKS support just fine, but you will notice things move more slowly.

When I rebooted and entered my passphrase to unlock /home, the system just waited.  And waited and waited and waited.  I had never had this happen to me before, so my first thought was the filesystem was damaged or the LUKS header was damaged or something like that.  I was able to boot from USB media and unlock everything and ultimately tracked it down to the missing AES-NI modules.

So, today's lesson is when using LUKS volume encryption on Linux on an x86_64 system, you want CONFIG_CRYPTO_AES_NI_INTEL set to either y or m depending on how you run your system.  Setting this option in the kernel config will bring in more things, but that's fine.
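An added helper, not from the post, that reads a kernel .config and tells =y and =m apart from the "# ... is not set" line that make olddefconfig writes for a dropped option.  The sample fragment is constructed; the companion options it checks are the ones a default aes-xts LUKS volume also needs.

```shell
# Added example (not from the post): report one option's value from a kernel
# .config.  Prints y, m (or the literal value) and returns 0 when the option is
# enabled; prints n and returns 1 for "# CONFIG_FOO is not set" or a missing line.
kconfig_value() {
    _file=$1 _opt=$2
    if _line=$(grep -E "^${_opt}=" "$_file"); then
        printf '%s\n' "${_line#*=}"
        return 0
    fi
    printf 'n\n'
    return 1
}

# Constructed sample .config fragment mimicking a rebuild that lost AES-NI
SAMPLE_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_DM_CRYPT=m
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_XTS=y
# CONFIG_CRYPTO_AES_NI_INTEL is not set
EOF

# Check every option a LUKS /home on x86_64 relies on; returns 1 and names each
# missing option.  On a live system pass /boot/config-$(uname -r) (or zcat
# /proc/config.gz to a file), and confirm the CPU has the instructions with
# grep -qw aes /proc/cpuinfo.
luks_deps_ok() {
    _ok=0
    for _o in CONFIG_DM_CRYPT CONFIG_CRYPTO_AES CONFIG_CRYPTO_XTS CONFIG_CRYPTO_AES_NI_INTEL; do
        _v=$(kconfig_value "$1" "$_o") || { echo "missing: $_o"; _ok=1; }
    done
    return $_ok
}
```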

Monday, July 17, 2017

Informed Delivery

I know the idea of receiving email from the post office is probably not high on your list of things you'd like to get working, but I came across Informed Delivery yesterday and the idea looks interesting.

In the United States, the Postal Service is the sole authorized agency responsible for and required to provide uniform postal service to all citizens regardless of geography and at a uniform price.  Your opinions of whether or not this is a reasonable agency to have or how the US Postal Service is run are of no interest to me.  I have opinions too that you likely don't care about.  One thing we can probably agree on is that the Postal Service has to compete with technological advancements while still meeting their legal obligations and that can be very difficult.

Things that didn't exist when the Postal Service was created:  UPS, FedEx, DHL, email, or telephones.  The Postal Service has to compete with all of these and still provide what are effectively baseline services that many people take for granted.

So enough of that, what is Informed Delivery?  I don't know, but I signed up.  As explained, it seems to be a system where you can get emails (opt-in) indicating what mail is headed your way.  Expecting something important?  They could, in theory, scan it and notify you on the sending end and you'll know it's en route.  The possibilities for this service seem interesting, but I'll remain somewhat cautious as to what they will implement.  What would be nice is if I could go to a web page and uncheck the things I don't want delivered, say, on a weekly basis.  Reduce what the letter carriers have to move around and let me filter my physical mail somehow.  We'll see.

Monday, July 10, 2017

Using ssh-agent for Remote Login Sessions

I work on a lot of remote systems via ssh logins.  It's very common for me to be remotely logged in to several systems throughout the day.  Not everything I do is from my workstation's login session.

A lot of the things I do, such as source code control with git, rely on ssh keys.  I have passphrases on my keys so every time I use git, ssh will prompt for the passphrase -or- will ask the running ssh-agent for the credentials.  On my graphical workstations, I have my X sessions set up to start ssh-agent upon log in and add all of the keys in ~/.ssh to the agent.  That way things like git push and git pull work quickly and without prompting me for the passphrase.  When I log out, the session goes away.

This does not work for remote sessions.  Once I log in to a system, I cannot use the agent running on my workstation.  I have added a block to my ~/.zshrc file to start an ssh-agent if one is not already running.  This handles interactive shell logins via ssh or at the console.  There are many ways to do this, but here's how I'm doing it (lines broken for posting here, anywhere there is a backslash, join it with the previous line and remove the backslash):

if [ -d "${HOME}/.ssh" ] && \
   [ ! -f "${HOME}/.noagent" ] && \
   [ -z "${TMUX}" ]; then
    # Start the SSH agent only if one is not already reachable
    if [ -z "${SSH_AGENT_PID}" ] && \
       ( [ -z "${SSH_AUTH_SOCK}" ] || \
         [ ! -r "${SSH_AUTH_SOCK}" ] ); then
        # ssh-agent prints the SSH_AGENT_PID/SSH_AUTH_SOCK exports on stdout
        eval "$(ssh-agent)"

        # Add every private key that has a matching .pub file
        for pubkey in "${HOME}"/.ssh/*.pub ; do
            privkey="$(basename "${pubkey}" .pub)"
            [ -f "${HOME}/.ssh/${privkey}" ] && \
                ssh-add "${HOME}/.ssh/${privkey}"
        done
    fi
fi

Like I said, there are many ways to do this, but this is how I managed it.  I will walk through how this works:
  1. First, you need to have ~/.ssh.  I should modify this to make sure you have at least one public key, but I've made that assumption here because that will always be the case for me.
  2. I also honor the ~/.noagent file in my home directory.  I can disable this entire block by running touch ~/.noagent and it will skip right over it.  This file does not require anything in it, just that it exists.
  3. The test for ${TMUX} is important to ensure that each new pane I open in tmux does not start a new ssh-agent.  If you are using GNU screen, I am sure there's a similar test.
  4. The nested if will then check to see if an existing agent is running.  That's the test for SSH_AGENT_PID and SSH_AUTH_SOCK.  If those exist, I am going to assume ssh-agent is running because I otherwise do not use those environment variables.
  5. The eval line runs ssh-agent (which will background itself) and then sources in its stdout, which contains the SSH_AGENT_PID and SSH_AUTH_SOCK environment variables.
  6. The for loop iterates over all of your public keys and will add each one to the agent if there is a corresponding private key.  This part is interactive as ssh-add will prompt you for the passphrase for each key.

Another thing to note with zsh, which is the shell I'm using, is to avoid having this block in both ~/.zshrc and ~/.zprofile.  If you have both files and they are different, put this block in ~/.zprofile.  If one is a symlink to the other, get rid of the symlink because the block will execute twice on interactive shell logins.

Lastly, you should make sure you kill the agent when you log out of your session.  For zsh, I add this to my ~/.zlogout file:

# Kill any running ssh-agent for this session
[ -z "${SSH_AGENT_PID}" ] || ssh-agent -k

Other shells have other mechanisms of running commands on logout.

So it's not perfect, but it does get me an agent running in my remote login sessions and that was my main goal.  I may make some tweaks to this over time, but for now this is what I'm using.
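An added variant, not from the post, of the "is an agent already running?" test: rather than trusting SSH_AGENT_PID and SSH_AUTH_SOCK, it asks ssh-add -l whether an agent actually answers, which also covers a stale socket left behind by an agent killed in another session.  ensure_agent is a hypothetical helper that keeps the post's ~/.noagent and TMUX guards.

```shell
# Added example (not from the post).  ssh-add -l exit codes:
#   0 = agent reachable and holds keys, 1 = reachable but empty, 2 = cannot contact agent.
# The post's block only tests that the socket path exists; a socket file outlives
# a killed agent, so that test can wrongly skip starting a fresh one.
agent_usable() {
    command -v ssh-add >/dev/null 2>&1 || return 2
    _rc=0
    ssh-add -l >/dev/null 2>&1 || _rc=$?
    case $_rc in
        0|1) return 0 ;;
        *)   return 1 ;;
    esac
}

# Hypothetical helper: start an agent only when none answers, then load keys the
# way the post's loop does.  Honors ~/.noagent and the TMUX pane check.
ensure_agent() {
    [ -f "${HOME}/.noagent" ] && return 0
    [ -n "${TMUX}" ] && return 0
    agent_usable && return 0
    eval "$(ssh-agent -s)" >/dev/null || return 1
    for pubkey in "${HOME}"/.ssh/*.pub; do
        privkey=${pubkey%.pub}
        [ -f "$privkey" ] && ssh-add "$privkey"
    done
    return 0
}
```

The ~/.zlogout kill from the post still applies; with this check, a session that inherits a live agent (for example via ssh -A) will reuse it instead of starting a second one.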

Sunday, July 2, 2017

Default Sorting and Threading in Thunderbird

I've recently set up Thunderbird at work for my email.  I was a long time console email user starting first with elm, then pine, then mutt, then pine again, then mailx, then mutt again.  Eventually I started using gmail and since we use that at work as well, the web interface became the path of least resistance.  But I've never really liked it.

Perhaps I've grown to a point where I don't find setting up mutt and maintaining a stack of support programs fun anymore.  Or maybe it's that when I find I need to slightly change something, I have to dig around online for a long time trying to figure out one obscure setting.  But I really think it's the searching of archived mail that has caused me to favor the web email client and now Thunderbird.

As I iron out the kinks with having my email in Thunderbird, I've collected some notes on how to change behavior for some things.  First on my list was getting it to sort email the way I prefer and thread messages correctly.  I found I could change this for each folder for an IMAP account, but the settings didn't seem to stick consistently.  Thunderbird offered no obvious default, so I poked around online and found that you can change the defaults via the config editor.

This is similar to the about:config editor in Firefox.  Access it through the Preferences dialog though.  There's a button for Config Editor.  The usual warning stops you, but proceed on.  Here are the changes I made:
  • By default, I want all IMAP folders polled for new messages, not just the Inbox.  Set mail.check_all_imap_folders_for_new to true.
  • I'm not sure what the default sort type is for mailnews, but everyone online seems to insist that having it set to 18 is what you want.  So I changed mailnews.default_sort_type to 18 (technically I didn't because it was already 18).
  • I prefer email messages to be sorted by date in descending order, so I changed mailnews.default_sort_order to 2.
  • I prefer email messages to always show threaded conversations, so I changed mailnews.default_view_flags to 1.
Now any other accounts I add will behave this same way.  I still have some other settings I want to tweak, but this is what I've done so far.