Apache mod_rewrite evilness (with dynamic vhosts and .htaccess rewrite rules)

At my new $job, we have a SVN repository for the websites we are maintaining. We devised a workflow to work with it: each developer has one or more branches for himself. The merge of their features is done in the trunk. Once everything seems to work, we merge into the "preproduction" branch and finally in the "production" branch.

On the developement web server, I wanted them to be able access every branch with their web browser. Initially, there was a "svn.mywebsite.com" virtual host and each branch was accessible through an URL-path within it. Unfortuntaly, for "historical" reason, the web site doesn't work correctly if set in an URL sub-directory (and we are currently writing a new version of this website, so we actually don't want to spend time fixing it). I am therefore doomed to create a virtual host for each SVN trunk/tag/branch.

Here is the relevant part of the initial configuration I wrote:

<VirtualHost *:80>
    ServerName   svn.mywebsite.com
    ServerAlias *.svn.mywebsite.com

    DocumentRoot /var/empty

    RewriteEngine on

    RewriteCond %{HTTP_HOST} ^trunk\.svn\.mywebsite\.com$
    RewriteRule $(.*)        /home/www-data/svn/project/trunk$1       [L]

    RewriteCond %{HTTP_HOST} ^([^.]+).branches\.svn\.mywebsite\.com$
    RewriteRule $(.*)        /home/www-data/svn/project/branches%1$1  [L]

    RewriteCond %{HTTP_HOST} ^([^.]+).tags\.svn\.mywebsite\.com$
    RewriteRule $(.*)        /home/www-data/svn/project/tags%1$1      [L]

</VirtualHost>

So far it's easy and it would have worked if there wasn't the following RewriteRule in the .htaccess at the root of the project:

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !=/favicon.ico
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]

The problem with this rule is that if we request a "virtual URL" (which does not match a physical file in the hierarchy), index.php is called with the original URL in the query string, which results in an internal redirect within Apache.

I save you from the RewriteLog, but let's say you try: http://trunk.svn.mywebsite.com/virtual-url.

• Initially the ${REQUEST_URI} is "/virtual-url". The vhost rewrite rules are applied, which redirect to the filesystem path: /home/www-data/svn/project/trunk/virtual-url.



• Then we reach the per-directory (.htaccess) rewrite rules which, given the file doesn't exist, redirect to /home/www-data/svn/project/trunk/index.php with the following query string q=virtual-url.



• Here is the first trap: an internal redirect is done within Apache, which restarts the rewrite rules evaluation from the beginning, with ${REQUEST_URI} set to /home/www-data/svn/project/trunk/index.php, while the ${HTTP_HOST} is still the same. So the directory will be prepended twice if we do not put a safeguard: basically checking that $REQUEST_URI doesn't contain /home/www-data/svn/project/.



• But the true evilness is here: we cannot rewrite to a full filesystem path in a per-directory rewrite rule. The subsequent internal redirect will invariably think that this is an URL path, that is it will try to serve a page as if you had requested: http://trunk.svn.mywebsite.com/home/www-data/svn/project/trunk/index.php. Because of the safeguard above, the dynamic vhost magic will not apply, and Apache will try to reach this file from the vhost's DocumentRoot and you will get a 404.
  
  The workaround for this is trick Apache into thinking the content of ${REQUEST_URI} is a full filesystem path if the latter looks like a filesystem path :-). Contrary to the per-directory rewrite rules, the vhost rewrite rules are able to redirect to a full filesystem path. So just match the whole content and redirect to it.

<VirtualHost *:80>
    ServerName   svn.mywebsite.com
    ServerAlias *.svn.mywebsite.com

    DocumentRoot /var/empty

    RewriteEngine on

    RewriteRule ^(/home/www-data/svn/project/.*)       $1             [L]

    RewriteCond %{HTTP_HOST} ^trunk\.svn\.mywebsite\.com$
    RewriteRule $(.*)        /home/www-data/svn/project/trunk$1       [L]

    RewriteCond %{HTTP_HOST} ^([^.]+).branches\.svn\.mywebsite\.com$
    RewriteRule $(.*)        /home/www-data/svn/project/branches%1$1  [L]

    RewriteCond %{HTTP_HOST} ^([^.]+).tags\.svn\.mywebsite\.com$
    RewriteRule $(.*)        /home/www-data/svn/project/tags%1$1      [L]

</VirtualHost>

The first rewrite rule matches a ${REQUEST_URI} containing the a filesystem path. This is not exactly a rewrite, this is just a trick to trigger the mod_rewrite evaluation of the substitution.

Installing full-ZFS server at OVH

OVH is a french web hosting service in France, that provides dedicated servers (and many other things). It is great because they offer an infrastructure which brings you low-cost but yet professional facilities for less than 20 euros a month. They provide Linux, FreeBSD and even Solaris: you can of course ask for your server to be installed with this but the real great thing is the netboot feature that will boot the same OS as the one which is installed on your server.

The FreeBSD installation is UFS based. It is nonetheless possible to migrate in on ZFS with little wizardry. It is best the do this with a fresh installation, but is should be possible to do so as long as you use less than the half of you hard drive. However, you have to move everything into the first physical half of the hard drive (it is easier when the server has just been installed, as you just have to keep the root partition).

The procedure is the following: You move all your data in a (small) transient partition at the end of the disk. Then a ZFS partition is created at the beginning of the disk, and again move your data there. You can then destroy the transient partition and create a physical swap partition in its stead. Indeed, although FreeBSD can use a ZFS vdev as swap, it cannot dump to it. Therefore this procedure creates a real partition for swap.

Your FreeBSD is booted. Go to the OVH manager and in the "Netboot" page and select "rescue-pro". Then reboot you server, wait for a while, you should receive a mail with the root password of your netbooted server.

Once connected on it, create a partition large enough to hold all your data at the end of the hard drive. We will copy them here in order to be able to install the ZFS partition at the beginning of the disk.

rescue-bsd# fdisk /dev/ad0
******* Working on device /dev/ad0 *******
[...]

Media sector size is 512
Warning: BIOS sector numbering starts with sector 1
Information from DOS bootblock is:
The data for partition 1 is:
sysid 165 (0xa5),(FreeBSD/NetBSD/386BSD)
    start 63, size 488397105 (238475 Meg), flag 80 (active)
        beg: cyl 1/ head 0/ sector 1;
        end: cyl 655/ head 0/ sector 63
The data for partition 2 is:

The data for partition 3 is:

The data for partition 4 is:


rescue-bsd# bsdlabel /dev/ad0s1
# /dev/ad0s1:
8 partitions:
#        size   offset    fstype   [fsize bsize bps/cpg]
  a: 20971520        0    4.2BSD     4096 16384    64 
  b:  2097152 20971520      swap                    
  c: 488397105        0    unused        0     0         # "raw" part, don't edit
  d: 465328433 23068672    4.2BSD        0     0     0 

rescue-bsd# mount /dev/ad0s1a /mnt/
rescue-bsd# df -k /mnt/
Filesystem 1024-blocks   Used   Avail Capacity  Mounted on
/dev/ad0s1a    10154158 495960 8845866     5%    /mnt
rescue-bsd# umount /mnt/

We have a swap partition on /dev/ad0s1b and an empty filesystem on /dev/ad0s1d. The root partition only uses 500 MB. We are going to create a partition at the end of the disk to copy the content of it. Thus this partition must be large enough. But this partition should also large enough to hold the swap partition you want on your system eventually. In this example I want 1 GB of swap.

So let's create a 1 GB partition at the end of the disk. 1 GB is 1024*1024*1024/512 = 2097152 sectors. The disk is 488397105 sectors wide, so the partition would start at 488397105 - 2097152 = 486299953. A good practice is to align the partition to a 4 KB boundary: 486299953 % 4096 = 2353, so we will use 486299953 - 2353 = 486297600 for first sector of the partition. Given the end of the disk is 488397105, the partition size will be 488397105 - 486297600 = 2099505 sectors.

rescue-bsd# bsdlabel /dev/ad0s1 > /tmp/ad0.label
rescue-bsd# vi /tmp/ad0.label
[...]

rescue-bsd# cat /tmp/ad0.label
# /dev/ad0s1:
8 partitions:
#        size   offset    fstype   [fsize bsize bps/cpg]
  a: 20971520         0    4.2BSD     4096 16384    64 
  b: 2099505  486297600    4.2BSD     4096 16384    64              
  c: 488397105        0    unused        0     0         # "raw" part, don't edit

rescue-bsd# bsdlabel -R /dev/ad0s1 /tmp/ad0.label
rescue-bsd# newfs /dev/ad0s1b 
/dev/ad0s1b: 1025.1MB (2099504 sectors) block size 16384, fragment size 2048
        using 6 cylinder groups of 183.77MB, 11761 blks, 23552 inodes.
super-block backups (for fsck -b #) at:
 160, 376512, 752864, 1129216, 1505568, 1881920

rescue-bsd# mount /dev/ad0s1b /mnt
rescue-bsd# cd /mnt
rescue-bsd# dump -0af - /dev/ad0s1a | restore -rf -
  DUMP: Date of this level 0 dump: Sat Oct  8 10:07:58 2011
  DUMP: Date of last level 0 dump: the epoch
  DUMP: Dumping /dev/ad0s1a to standard output
  DUMP: mapping (Pass I) [regular files]
  DUMP: mapping (Pass II) [directories]
  DUMP: estimated 499089 tape blocks.
  DUMP: dumping (Pass III) [directories]
  DUMP: dumping (Pass IV) [regular files]
[...]
  DUMP: finished in 131 seconds, throughput 3816 KBytes/sec
  DUMP: DUMP IS DONE
rescue-bsd# cd
rescue-bsd# umount /mnt

Now we can remove the first partition and create a big ZFS partition spanning from the beginning of the disk to the beginning of the second partition we have just created.

rescue-bsd# gpart show ad0s1
=>        0  488397105  ad0s1  BSD  (233G)
          0   20971520      1  freebsd-ufs  (10G)
   20971520  465326080         - free -  (222G)
  486297600    2099505      2  freebsd-ufs  (1.0G)

rescue-bsd# gpart delete -i 1 ad0s1
ad0s1a deleted
rescue-bsd# gpart show ad0s1
=>        0  488397105  ad0s1  BSD  (233G)
          0  486297600         - free -  (232G)
  486297600    2099505      2  freebsd-ufs  (1.0G)

rescue-bsd# gpart add -s 486297600 -t freebsd-zfs ad0s1
ad0s1a added
rescue-bsd# gpart show ad0s1
=>        0  488397105  ad0s1  BSD  (233G)
          0  486297600      1  freebsd-zfs  (232G)
  486297600    2099505      2  freebsd-ufs  (1.0G)

Now let's create the ZFS pool. But the OVH netboot only provides a read-only root filesystem, so we have to tell zpool(8) to put the cache file into /tmp (this file will be needed to import the pool at boot time). We must also to tell the ZFS layer to temporary mount the pool into /mnt, so it won't try to mount the root of the pool as /.

rescue-bsd# kldload opensolaris
rescue-bsd# kldload zfs
rescue-bsd# zpool create -o cachefile=/tmp/zpool.cache -o altroot=/mnt zroot /dev/ad0s1a
rescue-bsd# zpool export zroot

Install the various bootcodes. The MBR bootcode should already be there anyway. The ZFS bootcode is somewhat strange because it consists actually of two parts that must be written at different places (note that the first dd(1) uses /dev/ad0s1 while the second one uses /dev/ad0s1a):

rescue-bsd# gpart bootcode -b /boot/boot0 ad0
bootcode written to ad0
rescue-bsd# dd if=/boot/zfsboot of=/dev/ad0s1 count=1 bs=512
rescue-bsd# dd if=/boot/zfsboot of=/dev/ad0s1b skip=1 seek=1024 bs=512

Then re-import the pool with the same options used during its creation and create the datasets for the base filesystem (I'm using the same layout as described on the FreeBSD wiki):

rescue-bsd# zpool import -o cachefile=/tmp/zpool.cache -o altroot=/mnt zroot 
rescue-bsd# zfs set checksum=fletcher4 zroot
rescue-bsd# zfs set mountpoint=none zroot
rescue-bsd# zfs create -o mountpoint=/ zroot/rootfs
rescue-bsd# zpool set bootfs=zroot/rootfs zroot
rescue-bsd# zfs create -o compression=on -o exec=on -o setuid=off zroot/rootfs/tmp
rescue-bsd# chmod 1777 /mnt/tmp/
rescue-bsd# zfs create zroot/rootfs/usr
rescue-bsd# zfs create zroot/rootfs/usr/home
rescue-bsd# ln -s /usr/home /mnt/home
rescue-bsd# zfs create -o compression=lzjb -o setuid=off zroot/rootfs/usr/ports
rescue-bsd# zfs create -o compression=off -o exec=off -o setuid=off zroot/rootfs/usr/ports/distfiles
rescue-bsd# zfs create -o compression=off -o exec=off -o setuid=off zroot/rootfs/usr/ports/packages
rescue-bsd# zfs create -o compression=lzjb -o exec=off -o setuid=off zroot/rootfs/usr/src
rescue-bsd# zfs create zroot/rootfs/var
rescue-bsd# zfs create -o compression=lzjb -o exec=off -o setuid=off zroot/rootfs/var/crash
rescue-bsd# zfs create -o exec=off -o setuid=off zroot/rootfs/var/db
rescue-bsd# zfs create -o compression=lzjb -o exec=on -o setuid=off zroot/rootfs/var/db/pkg
rescue-bsd# zfs create -o exec=off -o setuid=off zroot/rootfs/var/empty
rescue-bsd# zfs create -o compression=lzjb -o exec=off -o setuid=off zroot/rootfs/var/log
rescue-bsd# zfs create -o compression=gzip -o exec=off -o setuid=off zroot/rootfs/var/mail
rescue-bsd# zfs create -o exec=off -o setuid=off zroot/rootfs/var/run
rescue-bsd# zfs create -o compression=lzjb -o exec=on -o setuid=off zroot/rootfs/var/tmp
rescue-bsd# chmod 1777 /mnt/var/tmp

Note that I've activated compression on some datasets as in the FreeBSD wiki, but on a low-end box with little CPU power, I advise to turn it off.

Now let's copy our data to the ZFS partition.

rescue-bsd# mount /dev/ad0s1b /media
rescue-bsd# cd /media
rescue-bsd# find . | cpio -dump /mnt/
rescue-bsd# cd
rescue-bsd# umount /media
rescue-bsd# zfs set readonly=on zroot/rootfs/var/empty

Note that cpio(1) does not handle file flags set by chflags(8). Your system will be able to boot, but some security seatbelt won't be here until you perform an installworld.

Let's create the swap partition instead of the transient UFS filesystem:

rescue-bsd# gpart show ad0s1
=>        0  488397105  ad0s1  BSD  (233G)
          0  486297600      1  freebsd-zfs  (232G)
  486297600    2099505      2  freebsd-ufs  (1.0G)

rescue-bsd# gpart delete -i 2 ad0s1
ad0s1b deleted
rescue-bsd# gpart add -t freebsd-swap ad0s1
ad0s1b added
rescue-bsd# gpart show ad0s1
=>        0  488397105  ad0s1  BSD  (233G)
          0  486297600      1  freebsd-zfs  (232G)
  486297600    2099505      2  freebsd-swap  (1.0G)

Now we need to configure the system to be able to boot from ZFS:

rescue-bsd# echo 'zfs_load="YES"' > /mnt/boot/loader.conf
rescue-bsd# echo 'vfs.root.mountfrom="zfs:zroot/rootfs"' >> /mnt/boot/loader.conf
rescue-bsd# cp /tmp/zpool.cache /mnt/boot/zfs/
rescue-bsd# vi /mnt/etc/fstab
[...]
rescue-bsd# cat /mnt/etc/fstab
# Device                Mountpoint      FStype  Options         Dump    Pass#
/dev/ad0s1b             none            swap            sw      0       0
proc                    /proc           procfs  rw              0       0

Et voilà! You can reboot your server (don't forget to deactivate netbooting from the OVH web interface).

Configuring FreeBSD with dual console

This post is short as I intend to use it more as a reminder than a full-fledged article.

As an introduction for the un-educated reader, here is a simple paste of the boot(8) manpage:


By default, a three-stage bootstrap is employed, and control is automati-
cally passed from the boot blocks (bootstrap stages one and two) to a
separate third-stage bootstrap program, loader(8). This third stage pro-
vides more sophisticated control over the booting process than it is pos-
sible to achieve in the boot blocks, which are constrained by occupying
limited fixed space on a given disk or slice.


In summary: boot0 -> boot2 -> loader -> kernel

The first stage (boot0) cannot be configured, as the code as to fit in 512 bytes. It will simply use the default system console (the screen).

However the following things can be configured more or less independently:
- boot2 (stage 2);
- loader(8) (stage 3);
- the kernel;
- login(8).

Configuring boot2

boot2 is configured through /boot.config. This file contains the flags documented in boot(8), as though they were given on the boot2 prompt. Therefore if you want to see boot2 output on both your screen and the serial console, you have to put "-D" in it.


shell# cat /boot.config
-D


Configuring loader(8)

loader(8) is configured through /boot/loader.conf. The console variable can be set either "vidconsole", "comconsole" or "vidconsole,comconsole" to have both "comconsole,vidconsole" works too, we will see the difference later)


shell# grep ^console /boot/loader.conf
console="vidconsole,comconsole"


Configuring the kernel

/boot/loader.conf also contains variables that will set kenv variables, which will define the kernel behaviour. See this comment in /boot/defaults/loader.conf:


##############################################################
### Kernel settings ########################################
##############################################################

# The following boot_ variables are enabled by setting them to any value.
# Their presence in the kernel environment (see kenv(1)) has the same
# effect as setting the given boot flag (see boot(8)).

#boot_askname="" # -a: Prompt the user for the name of the root device
#boot_cdrom="" # -C: Attempt to mount root file system from CD-ROM
#boot_ddb="" # -d: Instructs the kernel to start in the DDB debugger
#boot_dfltroot="" # -r: Use the statically configured root file system
#boot_gdb="" # -g: Selects gdb-remote mode for the kernel debugger
#boot_multicons="" # -D: Use multiple consoles
#boot_mute="" # -m: Mute the console
#boot_pause="" # -p: Pause after each line during device probing
#boot_serial="" # -h: Use serial console
#boot_single="" # -s: Start system in single-user mode
#boot_verbose="" # -v: Causes extra debugging information to be printed
#init_path="/sbin/init:/sbin/oinit:/sbin/init.bak:/rescue/init:/stand/sysinstall"
# Sets the list of init candidates
#init_shell="/bin/sh" # The shell binary used by init(8).
#init_script="" # Initial script to run by init(8) before chrooting.
#init_chroot="" # Directory for init(8) to chroot into.



So basically, the kernel defaults to use the screen only, but you can override this by setting the boot_multicons variable:


shell# grep ^boot_multicons /boot/loader.conf
boot_multicons="YES"


How the whole stuff works

Actually when you configure one stage, subsequent stages will use the same settings unless configured to do differently. So in the end you just have to configure boot2.

Userland output

Contrary to the other parts, userland boot output can only be sent to one device at time. Even when configured with the above settings, the userland boot output will only appear on screen.

Actually, the kernel will pick the first entry from the console kenv variable to sent userland output to. So if you are not often behind the screen and you prefer to see the userland boot output on the serial console:


shell# grep ^console /boot/loader.conf
console="comconsole,vidconsole"


Configuring login(8)

Not seeing the userland boot output on one console or the other doesn't mean it is unusable. FreeBSD is configured by default to spawn a login: prompt on the screen. You can easily configure it to spawn another one one the serial console, as explained in this chapter on the handbook:


shell# grep ttyu0 /etc/ttys
ttyu0 "/usr/libexec/getty std.9600" dialup on secure



That's all.

Debian KVM console on a headless server

At work I use a Debian KVM with an encrypted root filesystem as a workstation (our physical workstations run Windows) running on a headless server. This means that I have to use the QEMU' VNC console to enter the password for the root filesystem very early in the boot process.

Unfortunately VNC is unsecure and anyway QEMU only binds VNC on 127.0.0.1. It would be easy to create an SSH tunnel, but this is administratively prohibited here and it is cumbersome to temporarily modify sshd_config(5) each time. So I tried a Netfilter DNAT rule as a workaround but Linux' network stack contains a very annoying line of code which checks that packets destined 127.0.0.1 comes from 127.0.0.1 as well. If you see some logs like this, you have probably been biten by it too:

Jun  2 18:14:20 srv kernel: martian destination 127.0.0.1 from 10.1.2.2, dev br0

So I gave up VNC and configured the KVM domain to use the serial port like any other headless server.

Supposedly your VM is already running so we will make the changes here first. There are three things to be told to use the serial console, which are in time-order:

• the bootloader (GRUB here);


• the kernel;


• init(8) for the login prompt.

On Debian, the first two things can be done easily through /etc/default/grub.

# Bootloader part.
GRUB_TERMINAL=serial
GRUB_SERIAL_COMMAND="serial --speed=9600 --unit=0 --word=8 --parity=no --stop=1"

# Kernel command-line ("quiet" has no matter in our business):
GRUB_CMDLINE_LINUX_DEFAULT="console=tty0 console=ttyS0,9600n8 quiet"

Then regen the grub.cfg:

# upgrade-grub

If you do not use Debian, here is the relevant part of the generated /boot/grub/grub.cfg:

serial --speed=9600 --unit=0 --word=8 --parity=no --stop=1
if terminal_input serial ; then true ; else
  # For backward compatibility with versions of terminal.mod that don't
  # understand terminal_input
  terminal serial
fi
if terminal_output serial ; then true ; else
  # For backward compatibility with versions of terminal.mod that don't
  # understand terminal_output
  terminal serial
fi

menuentry "Linux 2.6.32-trunk-amd64" {
        insmod ext2
        set root='(hd0,1)'
        search --no-floppy --fs-uuid --set 9245a9e3-8ea5-4170-a19b-17d10051c107
        echo    Loading Linux 2.6.32-trunk-amd64 ...
        linux   /vmlinuz-2.6.32-trunk-amd64 root=/dev/mapper/vg0-root ro  console=tty0 console=ttyS0,9600n8 quiet
        echo    Loading initial ramdisk ...
        initrd  /initrd.img-2.6.32-trunk-amd64
}

Regarding the login prompt on serial console, edit /etc/inittab:

T0:23:respawn:/sbin/getty -L ttyS0 9600 vt100

Now your VM is configured, let's configure your KVM domain. Dump the configuration of your vm, and change the <serial> and <console> part to use a PTY (you can choose an arbitrary PTY, /dev/pts/24 here, as it seems to be redefined each time the VM is started). Other interfaces are possible, like TCP, pipe, stdio... (see the libvirt domain XML format) but I chose PTY because it can be easily attached using screen(1) and cannot be easily snooped:

# virsh dumpxml mykvm > mykvm.xml
# vi mykvm.xml
   <serial type='pty'>
     <source path='/dev/pts/24'/>
     <target port='0'/>
   </serial>
   <console type='pty' tty='/dev/pts/24'>
     <source path='/dev/pts/24'/>
     <target port='0'/>
   </console>

Then stop your VM, redefine your KVM domain and restart it:

# virsh shutdown mykvm      # or run shutdown(8) inside the VM
# virsh undefine mykvm
# virsh define mykvm.xml
# virsh start mykvm

You can attach the console using:

# virsh console mykvm

To detach, use Ctrl + $


If you attach quickly enough after starting it, you will even see the Grub menu!

Quick n' Dirty Linux WPA-PSK Wireless AP

On saturday evening, there was a party at home. One of the guests poured her glass of champagne on the ADSL modem lended by my ISP. Undoubtly it wasn't champagne-proof. I have about a week to wait before getting a new one. Fortunately I have my 3G connection but only one person can use it at a given time... and we are two at home. So I have created a very quick and dirty access-point to share my 3G connection. This post has two purpose: record how I did it and show how it eventually turned out to be really easy. Ironically, it was more difficult to configure a new wireless connection on Windows XP than creating the AP.

I am assuming you are running mac80211 wireless stack, which is standard from recent kernels 2.6.30+). You will need hostapd and ISC's DHCPd.

First set up your wireless interface as you would with any other wired interface:

# ifconfig wlan0 inet 192.168.10.1 netmask 0xffffff00 up


Next, configure /etc/hostapd/hostapd.conf:

driver=nl80211
interface=wlan0
channel=13
ssid=3g2wifi
auth_algs=1
wpa=1
wpa_passphrase=XXXXXXXX


And run it:

# hostapd /etc/hostapd/hostapd.conf


From now on, you can configure a smartphone or another computer with this wireless network and see DHCP traffic when using tcpdump -ni wlan0. You may enable debugging with hostapd's -d flag if it doesn't work.

Next step is to provide connectivity to the Internet through 3G (interface ppp0). We have to masquerade the computers behind the access-point (I assume there are no filtering rules):

# iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o ppp0 -j MASQUERADE
# sysctl net.ipv4.conf.all.forwarding=1


Here you can manually configure the IPv4 layer on another computer, setting the DNS servers to the ones provided by you 3G provider, and it should work.

But the sugar on the cake would be to have a DHCP server, to minimize manual configuration. This is straightforward. Here is my /etc/dhcp3/dhcpd.conf (note that I used Google's open DNS resolvers for example purpose):

subnet 192.168.10.0 netmask 255.255.255.0 {
range 192.168.10.20 192.168.10.30;
option routers 192.168.10.1;
option domain-name-servers 4.4.4.4, 4.4.8.8;
}


Start the DHCP server:

# dhcpd3 -cf /etc/dhcp3/dhcpd.conf wlan0


And voila! Now good luck if you have to configure a Windows 7 computer to use this connection :).

column.sh - columizator

It has been a long time since I've last written on this blog. I am indeed very busy by my work so I don't have much time to write. Nonetheless a positive aspect of this is that I happen to write some tools for me to alleviate some tasks.

I am pretty sure that many if not all of you have already been annoyed by the output format such as vmstat(8), iostat(8), ... They are great commands because they produce very valuable information but they are often very difficult to read, especially on busy servers when you need them most, because of the misalignment. We cannot blame them because it is the Unix way of doing thing: do one thing and do it well. It's not their job to pretty print the output. The "column" script exposed here will realign the output for you.

This command acts like a standard Unix command: it may be used alone or as a filter. It takes one mandatory argument, namely a keyword that will be used to recognize the «caption» line.

jlehen@warg:~$ ./column -h
Pretty-print columns, for iostat or vmstat.
OS: All.

Usage: column [-g] 

Keyword is used to identify the caption line.  This may be an
awk/nawk regex (thus don't forget to escape "/").
Options:
 -g     Change the output to what I called "giant mode".
        This is useful for iostat with an awful lot of disks.

Let's take an example. Here is a classical vmstat(8) output on a busy Solaris server:

05:26:32   kthr      memory            page            disk          faults      cpu
05:26:32   r b w   swap  free  re  mf pi po fr de sr m0 m1 m2 m1   in   sy   cs us sy id
05:26:32   0 29 0 139019936 26258128 4776 17739 38816 8 0 0 0 4 4 4 0 29969 129465 33184 21 25 54
05:26:33   0 40 0 138993232 26235120 5240 19492 47250 39 31 0 0 7 7 7 0 30665 133160 34489 23 25 51
05:26:34   0 28 0 139002648 26230848 4878 18717 36828 16 16 0 0 3 3 3 0 31368 144148 35850 22 24 54
05:26:35   1 26 0 138978136 26211456 4046 14760 30778 8 8 0 0 4 4 4 0 26295 158433 27845 20 20 61
05:26:36   0 29 0 138980472 26212968 4469 15525 33361 23 16 0 0 4 4 4 0 25826 118810 27653 21 19 60
05:26:37   0 22 0 139004424 26227824 4208 16734 29367 8 8 0 0 4 4 4 0 24879 122903 28154 23 19 58
05:26:38   0 18 0 139010608 26232864 3958 15324 27984 0 0 0 0 2 2 2 0 22422 105347 23563 17 17 66
05:26:39   0 25 0 139022192 26237584 4076 15124 27770 31 31 0 0 2 2 2 0 25046 115101 26467 17 17 65
05:26:40   0 21 0 139035416 26248720 5205 15215 38873 0 0 0 0 1 1 1 0 26961 131668 28818 22 18 60
05:26:41   0 17 0 139014056 26239552 5132 17257 31959 0 0 0 0 0 0 0 0 23780 116586 25043 18 19 63
05:26:42   0 13 0 139028280 26250352 3661 17215 17719 23 16 0 0 3 3 3 0 22048 110885 23717 15 17 67
05:26:43   0 11 0 138993472 26220968 3796 19241 16468 0 0 0 0 0 0 0 0 21640 115744 23173 18 15 66
05:26:44   0 12 0 138972904 26199192 2607 14008 15327 8 8 0 0 2 2 2 0 20428 120489 21064 18 15 67
05:26:45   0 11 0 138973008 26194376 2122 9228 21017 23 23 0 0 5 5 5 0 24543 123981 25423 20 16 64
05:26:46   2 12 0 138977112 26194960 1929 12010 23333 0 0 0 0 1 1 1 0 32145 144927 34596 26 16 59
05:26:47   1 21 0 139032632 26240256 2361 11192 32759 16 16 0 0 2 2 2 0 36018 204602 39325 27 21 51
05:26:49   1 25 0 139043840 26245952 2628 9895 35478 24 24 0 0 3 3 3 0 32645 136756 34903 26 20 54
05:26:50   0 23 0 139043552 26246304 1942 9952 21395 0 0 0 0 0 0 0 0 24948 121252 25918 21 14 66
05:26:51   0 19 0 139053752 26249176 1949 7929 26141 0 0 0 0 6 7 7 0 24490 113321 26220 19 14 67

This is difficult to read because of the large amount of memory and swap. Let's look at the same output now filtered through column (keyword used to match caption line is "swap"):

05:26:32   kthr      memory            page            disk          faults      cpu
05:26:32 r b  w swap      free     re   mf    pi    po  fr  de sr m0   m1  m2  m1 in    sy     cs    us sy id
05:26:32 0 29 0 139019936 26258128 4776 17739 38816 8   0   0  0  4    4   4   0  29969 129465 33184 21 25 54
05:26:33 0 40 0 138993232 26235120 5240 19492 47250 39  31  0  0  7    7   7   0  30665 133160 34489 23 25 51
05:26:34 0 28 0 139002648 26230848 4878 18717 36828 16  16  0  0  3    3   3   0  31368 144148 35850 22 24 54
05:26:35 1 26 0 138978136 26211456 4046 14760 30778 8   8   0  0  4    4   4   0  26295 158433 27845 20 20 61
05:26:36 0 29 0 138980472 26212968 4469 15525 33361 23  16  0  0  4    4   4   0  25826 118810 27653 21 19 60
05:26:37 0 22 0 139004424 26227824 4208 16734 29367 8   8   0  0  4    4   4   0  24879 122903 28154 23 19 58
05:26:38 0 18 0 139010608 26232864 3958 15324 27984 0   0   0  0  2    2   2   0  22422 105347 23563 17 17 66
05:26:39 0 25 0 139022192 26237584 4076 15124 27770 31  31  0  0  2    2   2   0  25046 115101 26467 17 17 65
05:26:40 0 21 0 139035416 26248720 5205 15215 38873 0   0   0  0  1    1   1   0  26961 131668 28818 22 18 60
05:26:41 0 17 0 139014056 26239552 5132 17257 31959 0   0   0  0  0    0   0   0  23780 116586 25043 18 19 63
05:26:42 0 13 0 139028280 26250352 3661 17215 17719 23  16  0  0  3    3   3   0  22048 110885 23717 15 17 67
05:26:43 0 11 0 138993472 26220968 3796 19241 16468 0   0   0  0  0    0   0   0  21640 115744 23173 18 15 66
05:26:44 0 12 0 138972904 26199192 2607 14008 15327 8   8   0  0  2    2   2   0  20428 120489 21064 18 15 67
05:26:45 0 11 0 138973008 26194376 2122 9228  21017 23  23  0  0  5    5   5   0  24543 123981 25423 20 16 64
05:26:46 2 12 0 138977112 26194960 1929 12010 23333 0   0   0  0  1    1   1   0  32145 144927 34596 26 16 59
05:26:47 1 21 0 139032632 26240256 2361 11192 32759 16  16  0  0  2    2   2   0  36018 204602 39325 27 21 51
05:26:49 1 25 0 139043840 26245952 2628 9895  35478 24  24  0  0  3    3   3   0  32645 136756 34903 26 20 54
05:26:50 0 23 0 139043552 26246304 1942 9952  21395 0   0   0  0  0    0   0   0  24948 121252 25918 21 14 66
05:26:51 0 19 0 139053752 26249176 1949 7929  26141 0   0   0  0  6    7   7   0  24490 113321 26220 19 14 67

The -g option is meant to be used when the output is giant. For instance, when a system has a lot of disks, the iostat(8) command prints so much lines that the caption line is swept out of your terminal immediately..

Let's take a sample output of iostat(8). I won't show a lot of disks because it is worthless, but keep in mind than when there are tenths or hundreds of disks, the caption line no longer appear on the screen:

                  extended device statistics
device      r/s    w/s   kr/s   kw/s wait actv  svc_t  %w  %b
md0         5.0    8.1   36.3  155.5  0.0  0.1    6.7   0   6
md1         3.0    8.1   20.2  155.5  0.0  0.1    7.3   0   6
md2         2.0    8.1   16.2  155.5  0.0  0.1    5.1   0   4
md10        0.0    0.0    0.0    0.0  0.0  0.0    0.0   0   0
md11        0.0    0.0    0.0    0.0  0.0  0.0    0.0   0   0
md12        0.0    0.0    0.0    0.0  0.0  0.0    0.0   0   0
md50        0.0    0.0    0.0    0.0  0.0  0.0    0.0   0   0
md51        0.0    0.0    0.0    0.0  0.0  0.0    0.0   0   0
md52        0.0    0.0    0.0    0.0  0.0  0.0    0.0   0   0
md60        0.0    0.0    0.0    0.0  0.0  0.0    0.0   0   0
md61        0.0    0.0    0.0    0.0  0.0  0.0    0.0   0   0
md62        0.0    0.0    0.0    0.0  0.0  0.0    0.0   0   0
ramdisk1    0.0    0.0    0.0    0.0  0.0  0.0    0.0   0   0
sd0         0.0    0.0    0.0    0.0  0.0  0.0    0.0   0   0
[...]

Filtering with column -g actv (using "device" would be useless as the very first line also contains it):

                  extended device statistics
device:md0      r/s:5.0  w/s:8.1 kr/s:36.3  kw/s:155.5 wait:0.0 actv:0.1 svc_t:6.7   %w:0 %b:6
device:md1      r/s:3.0  w/s:8.1 kr/s:20.2  kw/s:155.5 wait:0.0 actv:0.1 svc_t:7.3   %w:0 %b:6
device:md2      r/s:2.0  w/s:8.1 kr/s:16.2  kw/s:155.5 wait:0.0 actv:0.1 svc_t:5.1   %w:0 %b:4
device:md10     r/s:0.0  w/s:0.0 kr/s:0.0   kw/s:0.0   wait:0.0 actv:0.0 svc_t:0.0   %w:0 %b:0
device:md11     r/s:0.0  w/s:0.0 kr/s:0.0   kw/s:0.0   wait:0.0 actv:0.0 svc_t:0.0   %w:0 %b:0
device:md12     r/s:0.0  w/s:0.0 kr/s:0.0   kw/s:0.0   wait:0.0 actv:0.0 svc_t:0.0   %w:0 %b:0
device:md50     r/s:0.0  w/s:0.0 kr/s:0.0   kw/s:0.0   wait:0.0 actv:0.0 svc_t:0.0   %w:0 %b:0
device:md51     r/s:0.0  w/s:0.0 kr/s:0.0   kw/s:0.0   wait:0.0 actv:0.0 svc_t:0.0   %w:0 %b:0
device:md52     r/s:0.0  w/s:0.0 kr/s:0.0   kw/s:0.0   wait:0.0 actv:0.0 svc_t:0.0   %w:0 %b:0
device:md60     r/s:0.0  w/s:0.0 kr/s:0.0   kw/s:0.0   wait:0.0 actv:0.0 svc_t:0.0   %w:0 %b:0
device:md61     r/s:0.0  w/s:0.0 kr/s:0.0   kw/s:0.0   wait:0.0 actv:0.0 svc_t:0.0   %w:0 %b:0
device:md62     r/s:0.0  w/s:0.0 kr/s:0.0   kw/s:0.0   wait:0.0 actv:0.0 svc_t:0.0   %w:0 %b:0
device:ramdisk1 r/s:0.0  w/s:0.0 kr/s:0.0   kw/s:0.0   wait:0.0 actv:0.0 svc_t:0.0   %w:0 %b:0
device:sd0      r/s:0.0  w/s:0.0 kr/s:0.0   kw/s:0.0   wait:0.0 actv:0.0 svc_t:0.0   %w:0 %b:0
[...]

This nice script is available here.
Beware that is used /bin/sh. If you want to use it on Solaris, use /bin/ksh instead. I have yet to find a shebang line that will work on *BSD, Linux and Solaris. If you know one, contact me on < jeremie le-hen org > (up to you to but the "@" and "." where you think it best fits...).

Bash prompt trick: cheap emulation of tcsh's pwd trailing component

I started Unix with Linux where Bash has always been the default shell, at least in my own reckoning. Hence I've always been using Bash as I never found the necessity nor the motivation to really switch to another shell.

When FreeBSD turned to be my favorite operating system, I had a chance to fiddle with tcsh. One thing I really liked was the "%c" prompt sequence, a.k.a. "trailing component of the current working directory". Basically, "%c02" in "/home/jlh/a/b" expands to something like "/<2>/a/b". Since then, I've always missed this sequence in Bash, as "\w" often expands to something far too long and "\W" is often not enough.

Therefore I implemented a function to mimic this behaviour in tcsh. I devised it to only use builtins so as to be cheap (read inexpensive, not lousy). Indeed, I think it would be really stupid to spawn many processes each time Enter is hit in my shell. Here it is:

traildir() {
    local n=$1 dir=$2
    local sl tildedir homelen shifted  traildir

    sl=/
    tildedir=${dir#$HOME}
    if ! [[ "$tildedir" == "$dir" ]]; then
            tildedir="~$tildedir"
            sl=
    fi

    set -- ${HOME//\// }
    homelen=$#

    shifted=0
    set -- ${tildedir//\// }
    if [[ $# -gt $n ]]; then
            shifted=$(($# - $n))
            shift $shifted
            [[ -z "$sl" ]] && shifted=$(($shifted + $homelen - 1))
            traildir="<$shifted>/$@"
    else
            traildir="$sl$@"
    fi

    echo ${traildir// /\/}
}

Then, you just have to set, for example:

TRAILPWD=2
export PS1='\u@\h:$(traildir $TRAILPWD $PWD) \#\$'


And that's it! Ok it still forks a process each time you hit enter, but it's not possible to achieve it less expensively with Bash anyway. Note that the example above uses a neat trick: if you need more trailing components in your prompt for your current task, just set TRAILPWD to the desired value.

Addendum on 2009/06/22

A smaller but less resilient version of this prompt is:

export PS1='\u@\h:$(set -- ${PWD//\// }; n=$(($# - $TRAILPWD)); s=; [[ $n -le 0 ]] && s=/ || shift $n; d="$@"; echo $s${d// /\/}) \#\$'


One advantage of this one is that is only relies on an environment variable, thus is inherited across forks. This is useful for instance if you call bash through sudo(8) and you wish to use the same prompt. This is impossible with the function-based prompt.